Nmap Development mailing list archives
Re: [NSE] modbus-enum.nse, modbus discovery script
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Mon, 29 Nov 2010 15:33:02 -0600
Code 8 is used for diagnostics. Go here: http://en.wikipedia.org/wiki/Modbus

and here: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf (section 6.9 on page 25/51)

"The event counter can be reset by means of the Diagnostics function (code 08), with a subfunction of Restart Communications Option (code 00 01) or Clear Counters and Diagnostic Register (code 00 0A)."

and here: http://www.modbus.org/docs/PI_MBUS_300.pdf (page 74)

"Description
Returns a status word and an event count from the slave’s communications event counter. By fetching the current count before and after a series of messages, a master can determine whether the messages were handled normally by the slave. Broadcast is not supported. The controller’s event counter is incremented once for each successful message completion. It is not incremented for exception responses, poll commands, or fetch event counter commands. The event counter can be reset by means of the Diagnostics function (code 08), with a subfunction of Restart Communications Option (code 00 01) or Clear Counters and Diagnostic Register (code 00 0A)."

-r

----- Original Message -----
From: David Fifield [mailto:david () bamsoftware com]
To: Александр Рудаков [mailto:freekoder () gmail com]
Cc: nmap-dev () insecure org
Subject: Re: [NSE] modbus-enum.nse, modbus discovery script
On Mon, Nov 22, 2010 at 08:57:51PM +0300, Александр Рудаков wrote:
> > Hi all,
> >
> > I realised the script that duplicates the functionality of Mark Bristow's modscan
> > utility.
> > Modscan utility finds MODBUS (one of the popular SCADA protocols) devices in
> > IP range and determines slave id (SID).
> > It tries to find legal SID of tcp modbus server by bruteforcing.
> > I just rewrote python code in lua and implemented it as nmap script. Here is
> > output of the script:
> >
> > PORT STATE SERVICE
> > 502/tcp open modbus
> > | modbus-enum:
> > | Positive response for sid = 0x64
> > | Positive error response for sid = 0x96
> > |_ Positive response for sid = 0xc8
> >
> > Also, I wrote small modbus server mock on python for test purposes.
> > In the future, this script can be extended to test specific modbus devices
> > and disclose sensitive information.
> > This is my first experience in nmap script development so I would be pleased
> > to hear notes and advice, and I hope it may be useful for someone.
> >
> > Modscan project can be found here: http://code.google.com/p/modscan/
> > PDF Presentation about MODBUS proto and modscan utility from Defcon 16:
> > https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf
> > NSE script and modbus server mock are in attachments and at googlecode:
> > https://code.google.com/p/nmap-modscan/.
>
> I think the script looks good. What is the reason for using function
> code 8 instead of the default 17 that modscan.py uses?
>
> http://code.google.com/p/modscan/source/browse/trunk/modscan.py#43
>
> This page defines "Report slave ID" for code 17 but doesn't mention code
> 8.
>
> http://www.lammertbies.nl/comm/info/modbus.html#func
>
> Is there significance to the "00 00 AA BB" data?
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
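As an added example (not code from this thread, from modscan or from the NSE script), here is a small Python helper that builds the Modbus/TCP Diagnostics (function 08) request the script sends and classifies replies the way the script's output does: a positive reply, or an exception reply (function code with the high bit set) that still shows the unit id is live. It assumes the spec's reading of sub-function 00 00 as Return Query Data, so "00 00 AA BB" means "echo AA BB back"; all sample frames below are constructed, not captured.

```python
import struct

# Modbus/TCP frame = MBAP header (7 bytes) + PDU (function code + data).
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0), length, unit id

FC_DIAGNOSTICS = 0x08
# Sub-functions named in the thread / spec. 0x0000 = Return Query Data is the
# assumed meaning of the "00 00" in "00 00 AA BB".
SUB_RETURN_QUERY_DATA = 0x0000
SUB_RESTART_COMM = 0x0001
SUB_CLEAR_COUNTERS = 0x000A


def build_frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header; the length field counts unit id + PDU."""
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def diagnostics_request(transaction_id: int, unit_id: int, sub: int,
                        data: bytes = b"\xaa\xbb") -> bytes:
    """Function 08 request: one-byte function code, two-byte sub-function, data."""
    return build_frame(transaction_id, unit_id, struct.pack(">BH", FC_DIAGNOSTICS, sub) + data)


def classify_response(frame: bytes, expected_fc: int = FC_DIAGNOSTICS) -> dict:
    """Return 'positive', 'exception' or 'malformed', mirroring modbus-enum's output."""
    if len(frame) < MBAP.size + 1:
        return {"kind": "malformed", "reason": "short frame"}
    _tid, proto, length, unit_id = MBAP.unpack_from(frame)
    pdu = frame[MBAP.size:]
    if proto != 0 or length != len(pdu) + 1:
        return {"kind": "malformed", "reason": "bad MBAP protocol id or length"}
    fc = pdu[0]
    if fc == expected_fc:
        return {"kind": "positive", "unit_id": unit_id, "data": pdu[1:]}
    if fc == (expected_fc | 0x80) and len(pdu) >= 2:
        # Exception reply: the request was refused, but some unit answered to this id.
        return {"kind": "exception", "unit_id": unit_id, "exception_code": pdu[1]}
    return {"kind": "malformed", "reason": f"unexpected function code {fc:#04x}"}


# Constructed sample replies, matching the sids in the script output above.
SAMPLE_POSITIVE = build_frame(1, 0x64, bytes([FC_DIAGNOSTICS, 0x00, 0x00, 0xAA, 0xBB]))
SAMPLE_EXCEPTION = build_frame(2, 0x96, bytes([FC_DIAGNOSTICS | 0x80, 0x01]))  # 01 = illegal function
```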