Skip to content
PortsDB

Port reference

Port 9100 (TCP) – Printer JetDirect / node_exporter

Raw TCP printing (HP JetDirect/PDL) on printers; also Prometheus node_exporter host metrics.

tcpRegisteredCommonly attacked

Default state

Open on networked printers for raw printing, and on hosts running node_exporter. Both are frequently left unauthenticated on the LAN.

Common attacks

  • Raw print job injection and printer DoS
  • PJL/PostScript abuse to read or write the printer file system (PRET)
  • Stealing queued documents and changing device settings
  • Exposed node_exporter metrics revealing host details for recon

Hardening

  • Restrict 9100 to print servers / management VLAN; block at the perimeter
  • Disable PJL/PostScript file access and update printer firmware
  • Require authentication for printer admin and disable raw 9100 if unused
  • Bind node_exporter to localhost or scrape over a private network
  • Front node_exporter with auth/TLS and IP-allowlist scrapers

nmap snippet

nmap -p9100 --script banner,pjl-ready-message <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 9100?

Port 9100 has two common occupants. On printers it is the raw TCP printing port (HP JetDirect / PDL): the device listens for print jobs sent directly as a byte stream, with no protocol negotiation. On servers, the same port number is used by Prometheus node_exporter to expose host metrics for scraping.

Why it matters for security

Raw printing has no authentication — anything that connects can print, and printer page-description languages like PJL and PostScript can read and write the device file system, change settings, and access queued documents. When node_exporter sits on 9100, its metrics leak OS, hardware, and process details useful for reconnaissance.

How it's attacked

Attackers inject raw print jobs, cause DoS, and use tools like PRET to abuse PJL/PostScript for file system access and document theft on the printer. Against node_exporter they scrape exposed host metrics to fingerprint the system, enumerate filesystems and services, and plan further attacks.

Hardening checklist

Restrict 9100 to dedicated print servers or a management VLAN and block it at the perimeter. Disable PJL/PostScript file access, update printer firmware, and require authentication for printer admin (disable raw 9100 if unused). For node_exporter, bind it to localhost or scrape over a private network, front it with auth/TLS, and IP-allowlist scrapers. Use the nmap snippet to check exposure on systems you are authorized to test. </content>

Related ports

Port 9090Port 631Port 515Port 9117

Frequently asked questions

What is port 9100 used for?
It is the raw TCP printing port (HP JetDirect/PDL) that printers listen on to receive print jobs directly. The same port number is also used by Prometheus node_exporter to expose host metrics.
Why is port 9100 risky?
Raw printing has no authentication, so tools like PRET can abuse PJL/PostScript to read queued documents or the printer file system. If node_exporter runs here, exposed metrics leak host details. Restrict 9100 to trusted networks.