How to Discover Network Printers Using Nmap and Export IPs to a File



Nmap is an incredibly powerful tool for network reconnaissance. When it comes to finding printers, we can leverage several scanning techniques:

nmap -p 9100,515,631 --open 192.168.1.0/24 -oG - | grep "/open/" > printers.txt

Printers typically listen on specific ports that we can target:

  • 9100 (JetDirect)
  • 515 (LPD)
  • 631 (IPP)
  • 161 (SNMP, over UDP)

For more detailed printer information, combine service detection with OS detection:

nmap -sV -O -p9100,515,631 --script=printer-info 192.168.1.0/24

To save printer IPs to a file, you can use these methods:

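# Method 1: Grepable output
# Match "/open/" in the Ports field; a bare "open" also matches the header comment, which echoes --open
nmap -p9100,515,631 --open 192.168.1.0/24 -oG - | awk '/\/open\//{print $2}' > printer_ips.txt

# Method 2: XML output parsing
nmap -p9100,515,631 --open -oX printers.xml 192.168.1.0/24
# Take the addr attribute of IPv4 <address> elements (MAC address entries are skipped)
grep -oP '(?<=<address addr=")[^"]+(?=" addrtype="ipv4")' printers.xml > printer_ips.txt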

For regular scanning, create a bash script:

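#!/bin/bash
# Write the printer IPs found today to a dated file
DATE=$(date +%Y-%m-%d)
OUTPUT_FILE="printers_$DATE.txt"

# Match "/open/" in the Ports field so the header comment line is not counted
nmap -p9100,515,631 --open 192.168.1.0/24 -oG - | \
awk '/\/open\//{print $2}' > "$OUTPUT_FILE"

echo "Found $(wc -l < "$OUTPUT_FILE") printers"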

Remember that scanning networks may require authorization and can affect the network:

  • Always get proper permissions
  • Consider network bandwidth impact
  • Use appropriate timing options (-T3 or -T4)

When dealing with network administration or penetration testing, identifying printers is often crucial. Printers typically expose several unique services that make them distinguishable from other devices:

# Common printer ports to scan
PRINTER_PORTS="9100,515,631,80,443"

This Nmap command combines a SYN scan with OS fingerprinting and an NSE script for comprehensive results:

nmap -Pn -sS -p "$PRINTER_PORTS" --open -O --script=printer-info -n 192.168.1.0/24

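Key flags explained:

  • -Pn: Treat all hosts as online (skip host discovery)
  • -sS: TCP SYN (half-open) scan; requires root privileges
  • --open: Only show open ports
  • -O: Enable OS detection
  • --script=printer-info: Runs the printer-info NSE script (it must be present in your Nmap scripts directory, otherwise Nmap fails to start the script engine)
  • -n: Skip DNS resolution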

To extract only printer IPs and save them to a file:

# Grepable port entries are written as port/state/protocol, e.g. 9100/open/tcp
nmap -Pn -sS -p "$PRINTER_PORTS" -n 192.168.1.0/24 -oG - | \
awk '/(9100|515|631)\/open\/tcp/ {print $2}' > printers.txt

For more detailed output including printer models:

nmap --script=printer-info -p 9100,515,631 192.168.1.0/24 -oX printer_scan.xml
xsltproc printer_scan.xml -o printer_report.html

For enterprise environments, consider these optimizations:

# Scan hosts in parallel groups of at least 50
nmap -T4 -Pn -sS -p "$PRINTER_PORTS" -n -iL network_ranges.txt \
--min-hostgroup 50 -oG nmap_printer_scan.gnmap

# Post-processing with grep
grep -E "9100/open|515/open|631/open" nmap_printer_scan.gnmap | \
cut -d' ' -f2 | sort -u > active_printers.txt
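
The same post-processing can be done by reading the grepable fields instead of matching text. The following is an added example, not part of the original article: it parses each port/state/protocol entry and prints every host with an open printer port together with the ports found. The function names, the Nmap version string and the sample scan data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: field-aware parsing of Nmap grepable (-oG) output.
# Prints "IP<TAB>open printer ports" for every host with a printer port open.

PRINTER_TCP_PORTS="9100,515,631"   # printer ports from the article (80/443 excluded)

printer_hosts() {   # usage: printer_hosts FILE.gnmap   ("-" reads stdin)
  awk -v want="$PRINTER_TCP_PORTS" '
    BEGIN { n = split(want, w, ","); for (i = 1; i <= n; i++) printer[w[i]] = 1 }
    /^#/          { next }   # header/footer comments echo the command line
    $1 != "Host:" { next }
    {
      p = index($0, "Ports: ")
      if (p == 0) next                 # "Status:" lines carry no port list
      ports = substr($0, p + 7)
      sub(/\t.*/, "", ports)           # drop later tab-separated fields
      m = split(ports, entry, /, */)
      hits = ""
      for (i = 1; i <= m; i++) {
        split(entry[i], f, "/")        # port/state/protocol/owner/service/...
        if (f[2] == "open" && f[3] == "tcp" && (f[1] in printer))
          hits = hits (hits == "" ? "" : ",") f[1]
      }
      if (hits != "") found[$2] = hits
    }
    END { for (ip in found) print ip "\t" found[ip] }
  ' "$1" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

sample_gnmap() {    # constructed sample output, not data from a real scan
  printf '# Nmap 7.94 scan initiated as: nmap -T4 -Pn -sS -p 9100,515,631,80,443 -n -iL network_ranges.txt -oG nmap_printer_scan.gnmap\n'
  printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.20 ()\tPorts: 80/open/tcp//http///, 515/closed/tcp//printer///, 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///\n'
  printf 'Host: 192.168.1.31 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.31 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\n'
  printf 'Host: 192.168.1.7 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.7 ()\tPorts: 515/open/tcp//printer///, 9100/filtered/tcp//jetdirect///\n'
  printf '# Nmap done -- 3 IP addresses (3 hosts up) scanned\n'
}

# Parse the file given as argument, or the constructed sample when run without one
if [ "$#" -gt 0 ]; then
  printer_hosts "$1"
else
  sample_gnmap | printer_hosts -
fi
```

The host that exposes only 80 and 443 is left out, and a filtered 9100 does not count as a printer port.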

Always ensure you have proper authorization before scanning. Many printers run vulnerable services, and proper discovery helps with:

  • Firmware updates
  • Security hardening
  • Network segmentation planning