IPP, CUPS and JetDirect

Default Ports: 631 (IPP/CUPS), 9100 (JetDirect/raw printing)

IPP, CUPS, and JetDirect are printing protocols and services used by printers, print servers, and Linux/macOS print systems. In pentests, exposed print services can leak device info, jobs, usernames, internal names, and sometimes allow unauthenticated print or admin actions.

Connect

Using Browser

CUPS often exposes a web interface on port 631.

http://target.com:631/
https://target.com:631/

Using curl

HTTP checks identify CUPS, IPP, and admin paths.

curl -I http://target.com:631/
curl -I http://target.com:631/admin
curl -I http://target.com:631/printers/

Using lpstat

lpstat lists printers and queues from CUPS.

lpstat -h target.com:631 -v
lpstat -h target.com:631 -p
lpstat -h target.com:631 -o

Using ipptool

ipptool queries IPP attributes.

ipptool -tv ipp://target.com:631/printers/printer get-printer-attributes.test
ipptool -tv ipp://target.com:631/printers/printer get-jobs.test

Using Netcat for JetDirect

JetDirect accepts raw print data on port 9100.

echo "authorized print test" | nc target.com 9100
printf "\033%%-12345X@PJL INFO ID\r\n\033%%-12345X" | nc target.com 9100

Recon

Service Detection with Nmap

Scan print ports and nearby web interfaces.

nmap -p 631,9100,515,80,443 -sV target.com
nmap -p 631 --script http-title,http-headers target.com
nmap -p 9100 --script pjl-ready-message target.com

IPP Enumeration

IPP attributes reveal printer names, locations, models, and supported operations.

ipptool -tv ipp://target.com:631/ipp/print get-printer-attributes.test
ipptool -tv ipp://target.com:631/printers/printer get-printer-attributes.test

CUPS Fingerprinting

CUPS pages reveal version and queue names.

curl -s http://target.com:631/ | grep -Ei 'cups|printer|admin|version'
curl -s http://target.com:631/printers/ | grep -Ei 'printer|queue|class'

JetDirect Fingerprinting

PJL commands may return device model and status.

printf "\033%%-12345X@PJL INFO ID\r\n\033%%-12345X" | nc target.com 9100
printf "\033%%-12345X@PJL INFO STATUS\r\n\033%%-12345X" | nc target.com 9100

Enumeration

Queue Enumeration

Queues reveal printer names, locations, and job status.

lpstat -h target.com:631 -v
lpstat -h target.com:631 -p
lpstat -h target.com:631 -o

Job Enumeration

Print jobs may leak usernames, filenames, or document titles.

ipptool -tv ipp://target.com:631/printers/printer get-jobs.test
curl -s http://target.com:631/jobs/

Device Attribute Enumeration

Attributes expose model, firmware, location, and supported operations.

ipptool -tv ipp://target.com:631/printers/printer get-printer-attributes.test
printf "\033%%-12345X@PJL INFO VARIABLES\r\n\033%%-12345X" | nc target.com 9100

Admin Path Enumeration

Check whether CUPS admin pages require authentication.

curl -i http://target.com:631/admin
curl -i http://target.com:631/admin/conf/cupsd.conf
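
How the anonymous queue, job, and admin-path requests from this section show up in the CUPS access_log, as an added detection example that is not part of the original page. The log lines are constructed in the cupsd-logs(5) format and assume `AccessLogLevel all`; the function names are hypothetical.

```shell
# Constructed access_log sample: host group user [date] "request" status bytes ipp-op ipp-status
sample_access_log() { cat <<'EOF'
localhost - - [10/Mar/2025:09:00:01 +0000] "POST / HTTP/1.1" 200 157 CUPS-Get-Printers successful-ok
192.0.2.44 - - [10/Mar/2025:09:14:10 +0000] "POST / HTTP/1.1" 200 412 CUPS-Get-Printers successful-ok
192.0.2.44 - - [10/Mar/2025:09:14:11 +0000] "POST /printers/printer HTTP/1.1" 200 2210 Get-Printer-Attributes successful-ok
192.0.2.44 - - [10/Mar/2025:09:14:12 +0000] "POST /printers/printer HTTP/1.1" 200 987 Get-Jobs successful-ok
192.0.2.44 - - [10/Mar/2025:09:14:13 +0000] "POST /printers/printer HTTP/1.1" 200 640 Get-Jobs successful-ok
192.0.2.44 - - [10/Mar/2025:09:14:20 +0000] "GET /admin HTTP/1.1" 401 0 - -
192.0.2.44 - - [10/Mar/2025:09:14:21 +0000] "GET /admin/conf/cupsd.conf HTTP/1.1" 200 4630 - -
198.51.100.7 - alice [10/Mar/2025:09:30:00 +0000] "POST /printers/printer HTTP/1.1" 200 51234 Print-Job successful-ok
EOF
}

# Reads access_log on stdin and prints "count host request" for requests that
# were served (status 200) to a remote host with no authenticated user ("-").
flag_anonymous_remote() {
  awk '
    $1 == "localhost" || $1 == "127.0.0.1" || $1 == "::1" { next }
    $3 != "-" { next }          # field 3 is the authenticated user name
    $9 != 200 { next }          # skip requests the server refused (401, 403, ...)
    {
      method = $6; sub(/^"/, "", method)
      if ($11 ~ /^(Print-Job|Create-Job|Get-Jobs|Get-Printer-Attributes|CUPS-Get-Printers)$/)
        hits[$1 " " $11]++      # IPP operation carried in the POST
      else if (method == "GET" && $7 ~ /^\/(admin|jobs)/)
        hits[$1 " GET " $7]++   # web interface pages for admin and job history
    }
    END { for (k in hits) print hits[k], k }
  ' | LC_ALL=C sort -k2
}

sample_access_log | flag_anonymous_remote
```

On a print server the same function can read the live log on stdin, for example `flag_anonymous_remote < /var/log/cups/access_log` where that is the configured log path.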

Attack Vectors

Unauthenticated Printing

Open queues may allow anyone to submit jobs.

lp -h target.com:631 -d printer test.txt
echo "authorized print test" | nc target.com 9100

Job Information Disclosure

Jobs and history can reveal users, filenames, and departments.

lpstat -h target.com:631 -o
curl -s http://target.com:631/jobs/

CUPS Admin Exposure

Exposed admin endpoints may allow configuration changes if auth is weak.

curl -i http://target.com:631/admin
curl -i http://target.com:631/admin/log/error_log

PJL Information Leakage

PJL can disclose device information on raw print ports.

printf "\033%%-12345X@PJL INFO ID\r\n\033%%-12345X" | nc target.com 9100
printf "\033%%-12345X@PJL INFO CONFIG\r\n\033%%-12345X" | nc target.com 9100

Printer Abuse

Printing tests should use a small controlled page to avoid disruption.

echo "Authorized pentest print check" | nc target.com 9100

Post-Exploitation

Printer Inventory

Collect queues, models, and locations for the report.

lpstat -h target.com:631 -v > printers.txt
ipptool -tv ipp://target.com:631/printers/printer get-printer-attributes.test > printer-attributes.txt

User and Document Review

Review job metadata only; avoid retrieving document content unless scoped.

lpstat -h target.com:631 -o > print-jobs.txt
grep -Ei 'user|owner|job|document|title' print-jobs.txt

Logging Check

Submit one controlled job and confirm it is logged.

echo "Authorized pentest print check" | nc target.com 9100

Useful Tools

| Tool | Purpose |
|------|---------|
| nmap | Port and service detection |
| curl | CUPS web checks |
| lpstat | Queue and job enumeration |
| lp | Controlled print submission |
| ipptool | IPP attribute queries |
| nc | JetDirect/PJL testing |
| PRET | Printer exploitation framework |

Security Misconfigurations

| Misconfiguration | Risk |
|------------------|------|
| CUPS exposed broadly | Printer and queue disclosure |
| Unauthenticated printing | Abuse and disruption |
| Job history visible | User and document metadata leakage |
| CUPS admin exposed | Configuration risk |
| JetDirect exposed | Raw print and PJL information leakage |
| Weak printer credentials | Device administration |
| No network segmentation | Printer attack surface exposure |
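
The CUPS rows of the table above, checked against a cupsd.conf with the weak settings beside the corrected ones. This is an added example, not part of the original page: both configs are constructed, the finding labels are made up here, and the admin check is a heuristic that treats a location as protected only when it sets an AuthType other than None.

```shell
# Constructed sample: the weak settings.
weak_conf() { cat <<'EOF'
Port 631
<Location /admin>
  Allow all
</Location>
<Location /admin/conf>
  AuthType None
</Location>
<Policy default>
  JobPrivateAccess all
  JobPrivateValues none
</Policy>
EOF
}
# Constructed sample: the corrected settings.
hardened_conf() { cat <<'EOF'
Listen localhost:631
<Location /admin>
  AuthType Default
  Require user @SYSTEM
</Location>
<Policy default>
  JobPrivateAccess default
  JobPrivateValues default
</Policy>
EOF
}
# Reads a cupsd.conf on stdin and prints one finding per line.
audit_cupsd_conf() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    { key = tolower($1); val = tolower($2) }
    key == "port" { print "broad-listen Port " $2 }   # Port binds every interface
    key == "listen" && $2 ~ /^(\*|0\.0\.0\.0|\[::\]):/ { print "broad-listen Listen " $2 }
    key == "jobprivateaccess" && val == "all" { print "jobs-public JobPrivateAccess all" }
    key == "jobprivatevalues" && val == "none" { print "jobs-public JobPrivateValues none" }
    key == "<location" { loc = $2; sub(/>$/, "", loc); authed = 0 }
    loc != "" && key == "authtype" && val != "none" { authed = 1 }
    key == "</location>" {
      if (loc ~ /^\/admin/ && !authed) print "admin-no-auth " loc
      loc = ""
    }
  '
}
echo "weak:";     weak_conf | audit_cupsd_conf
echo "hardened:"; hardened_conf | audit_cupsd_conf
```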