PrinterReaper
Complete printer penetration testing toolkit with 109 commands across PJL, PostScript & PCL. 4 network protocols, automated discovery, file exfiltration, NVRAM access, attack payloads. Modern Python 3.8+ offensive security tool.
Install / Use
/learn @mrhenrike/PrinterReaperREADME
PrinterReaper
Advanced Printer Penetration Testing Toolkit
Discover · Fingerprint · Exploit · Pivot · Report
"Is your printer safe from the void? Find out before someone else does."
Wiki (en-us) · Wiki (pt-br) · Issues · Releases
</div>PrinterReaper is a complete, modular framework for security assessment of network printers. It covers all major printer languages (PJL, PostScript, PCL, ESC/P), all common protocols (RAW, IPP, LPD, SMB, HTTP, SNMP, FTP, Telnet), 39+ exploit modules, an external wordlist-driven credential engine with zero hardcoded passwords, ML-assisted fingerprinting, NVD/CVE integration, automated lateral movement, firmware analysis, and Cross-Site Printing payloads.
Architecture — Printer Attack Surface
Operational Workflow
Flow source files (editable in draw.io):
diagrams/printerreaper_workflow.drawio·diagrams/credential_flow.drawio·diagrams/attack_matrix.drawio
Attack Coverage Matrix
Credential Architecture — Zero Hardcoded Passwords
PrinterReaper vs PRET — Benchmark
PRET (Printer Exploitation Toolkit) is the reference tool from the BlackHat 2017 research by Müller et al. PrinterReaper was initially forked from it and has since been rewritten and massively extended.
| Feature | PRET | PrinterReaper v3.7.0 | |---------|------|----------------------| | Languages | PJL, PS, PCL | PJL, PS, PCL, ESC/P, auto | | Protocols | RAW, LPD, IPP, USB | RAW, LPD, IPP, SMB, HTTP, SNMP, FTP, Telnet | | CVE Database | None | 50+ CVEs built-in + NVD API live lookup | | Exploit Library | None | 39+ modules (ExploitDB, Metasploit, Research) | | Brute-Force | None | HTTP, FTP, SNMP, Telnet — wordlist-driven, 0 hardcoded creds | | Credential Engine | None | External wordlists, vendor sections, token expansion, variations | | Network Discovery | None | SNMP sweep, Shodan, Censys, WSD, installed printers | | Fingerprinting | Basic banner | Multi-protocol banner grab + ML classifier | | CVE Scan | None | NVD API + offline fallback + auto exploit matching | | ML Engine | None | scikit-learn fingerprinting + attack scoring | | Lateral Movement | None | SSRF via IPP/WSD, network map, LDAP NTLM hash capture | | Firmware Analysis | None | Version extraction, upload endpoint check, NVRAM r/w | | Storage Audit | None | FTP, web file manager, SNMP MIB dump, saved jobs | | Cross-Site Printing | None | XSP + CORS spoofing payload generator (5 attack types) | | Attack Matrix | None | Full BlackHat 2017 campaign + 2024-2025 CVEs | | Send Print Job | Partial | Any format: .ps/.pcl/.pdf/.txt/.png/.jpg/.doc + raw | | Interactive Menu | None | Full guided TUI with next-steps and hints | | Config / API Keys | None | config.json with Shodan, Censys, NVD, ML flags | | Python Version | 2.7 (legacy) | 3.8+ (typed, async-capable) | | Windows Support | Limited | Full (PowerShell launchers, EDR-safe venv) | | IPv6 | No | Yes | | SMB | No | Yes (pysmb) | | Wiki / Docs | Basic README | Full GitHub wiki + draw.io diagrams |
Summary: PrinterReaper covers the same core PJL/PS/PCL shell as PRET plus a complete post-exploitation, discovery, brute-force, CVE, and lateral movement framework on top.
Installation
git clone https://github.com/mrhenrike/PrinterReaper.git
cd PrinterReaper
python -m venv .venv
source .venv/bin/activate # Linux / macOS
.venv\Scripts\activate # Windows PowerShell
pip install -r requirements.txt
python printer-reaper.py --version
# → printerreaper Version 3.7.0 (2026-03-25)
Requirements: Python 3.8+ · Windows / Linux / macOS · 80 MB disk
Entry Point
python printer-reaper.py [target] [mode] [options]
| Example | What it does |
|---------|-------------|
| python printer-reaper.py | Interactive guided menu |
| python printer-reaper.py --help | Full flag reference |
| python printer-reaper.py 192.168.1.100 --scan | Passive fingerprint + CVE scan |
| python printer-reaper.py 192.168.1.100 pjl | PJL interactive shell |
| python printer-reaper.py 192.168.1.100 --bruteforce --bf-vendor epson | Credential brute-force |
| python printer-reaper.py 192.168.1.100 --auto-exploit | Auto exploit selection + execution |
| python printer-reaper.py 192.168.1.100 --attack-matrix | Full attack campaign |
| python printer-reaper.py --discover-online --shodan --dork-vendor hp --dork-country BR | Dork discovery via Shodan only |
| python printer-reaper.py --discover-online --dork-engine shodan,netlas --dork-vendor hp,epson --dork-country BR,AR | Multi-engine, multi-vendor CSV |
| python printer-reaper.py --discover-online --dork-vendor hp --dork-country BR | Dork discovery via all configured engines |
Custom Port Overrides
By default PrinterReaper uses standard printer port numbers for each protocol. When the target printer listens on non-standard ports, override them globally via CLI flags — all modules automatically pick up the new ports:
# Printer with RAW on 3910 instead of 9100
python printer-reaper.py 192.168.1.100 pjl --port-raw 3910
# Full scan on a printer with non-standard ports
python printer-reaper.py 192.168.1.100 --scan \
--port-raw 3910 \
--port-ipp 8631 \
--port-snmp 1161
# Add extra ports to banner scan sweep
python printer-reaper.py 192.168.1.100 --scan \
--extra-ports 9200 --extra-ports 7100
# Brute-force with custom HTTP and FTP ports
python printer-reaper.py 192.168.1.100 --bruteforce \
--port-http 8080 --port-ftp 2121 --port-telnet 2323
# Attack campaign respects all overrides
python printer-reaper.py 192.168.1.100 --attack-matrix --port-raw 3910
Port override flags:
| Flag | Protocol | Default |
|------|----------|---------|
| --port-raw PORT | RAW/PJL/JetDirect | 9100 |
| --port-ipp PORT | IPP | 631 |
| --port-lpd PORT | LPD/LPR | 515 |
| --port-snmp PORT | SNMP | 161 |
| --port-ftp PORT | FTP management | 21 |
| --port-http PORT | HTTP (EWS) | 80 |
| --port-https PORT | HTTPS (EWS) | 443 |
| --port-smb PORT | SMB/CIFS | 445 |
| --port-telnet PORT | Telnet management | 23 |
| --extra-ports PORT | Extra scan port (repeatable) | — |
Overrides are applied globally at startup — every module (banner scan, PJL, firmware, SNMP, FTP, brute-force, attack orchestrator, XSP payload) reads from PortConfig instead of using hardcoded constants.
1. Discovery
Local
# SNMP sweep + installed printers on this host
python printer-reaper.py --discover-local
# Passive OSINT check for a specific IP
python printer-reaper.py 192.168.1.100 --osint
# Detect supported languages without connecting
python printer-reaper.py 192.168.1.100 --auto-detect
Online — Structured Dork Discovery (v3.12.0+)
--discover-online supports 5 search engines: Shodan, Censys, FOFA, ZoomEye, Netlas.
Printer context is always implicit — no need to specify "printer" in searches.
At least one --dork-* filter is required — unfiltered global sweeps are blocked.
No engine runs without credentials — configure keys in config.json.
# All Epson + Ricoh printers in Latin America, port 515 — all engines
python printer-reaper.py --discover-online \
--dork-vendor epson,ricoh \
--dork-region latin_america \
--dork-port 515
# HP DeskJet Pro 5500 in Brazil — Shodan only (single engine flag)
python printer-reaper.py --discover-online --shodan \
--dork-vendor hp \
--dork-model "deskjet pro 5500" \
--dork-country BR
# All printers in São Paulo port 9100 (CSV + single-country city filter)
python printer-reaper.py --discover-online \
--dork-country BR \
--dork-city "Sao Paulo","Rio de Janeiro" \
--dork-port 9100
# Kyocera in Europe, 200 results — Netlas only
python printer-reaper.py --discover-online --netlas \
--dork-vendor kyocera \
--dork-region europe \
--dork-limit 200
# Multiple vendors and countries via CSV — Shodan + ZoomEye (multi-engine)
python printer-reaper.py --discover-online \
--dork-engine shodan,zoomeye \
--dork-vendor hp,canon \
--dork-country BR,AR \
--dork-port 9100,631
# Five engines at once
python printer-reaper.py --discover-online \
--dork-engine shodan,censys,fofa,zoomeye,netlas \
--dork-vendor epson --dork-port 9100
Engine selection rules:
| Goal | How |
|------|-----|
| ONE engine | --shodan / --censys / --fofa / --zoomeye / --netlas |
| MULTIPLE engines | --dork-engine shodan,netlas (comma-separated — the only multi-engine way) |
| ALL configured | Omit all engine flags |
| Forbidden | --shodan --fofa (two individual flags) or --shodan --dork-engine fofa (mix) → error |
Dork filter flags — all accept CSV or repeated flags:
| Flag
