Re: [NSE] modbus-enum.nse, modbus discovery script

[Александр Рудаков <freekoder () gmail com>]

Hi, Bob. Hi, David.
Thanks for your attention to this script.
Bob said quite rigth, that 08 is diagnostic function. Defcon presentation
says that diagnostic function has diagnostic code 00 00 just returning query
data, so 00 00 AA BB is query to return data AA BB. I just took it from
query examples at presentations.

Past week I tried to test my script on real modbus devices. Code 08 works
well, but devices I have seems don't understand return data queries.
I will test this script with 17 function code. May be it would be better to
use this value.
Also, I noticed that some timeout required (about 2 seconds) between
queries.

29 ноября 2010 г. 13:33 пользователь Bob Radvanovsky <rsradvan () unixworks net
> написал:

> Code 8 is used for diagnostics.
>
> Go here: http://en.wikipedia.org/wiki/Modbus
> and here: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf(section 6.9 on page 25/51)
>
> "The event counter can be reset by means of the Diagnostics function (code
> 08), with a subfunction
> of Restart Communications Option (code 00 01) or Clear Counters and
> Diagnostic
> Register (code 00 0A)."
>
> and here: http://www.modbus.org/docs/PI_MBUS_300.pdf (page 74)
>
> "Description
>
> Returns a status word and an event count from the slave's communications
> event
> counter. By fetching the current count before and after a series of
> messages, a
> master can determine whether the messages were handled normally by the
> slave.
> Broadcast is not supported.
>
> The controller's event counter is incremented once for each successful
> message
> completion. It is not incremented for exception responses, poll commands,
> or
> fetch event counter commands.
>
> The event counter can be reset by means of the Diagnostics function (code
> 08),
> with a subfunction of Restart Communications Option (code 00 01) or Clear
> Counters and Diagnostic Register (code 00 0A)."
>
> -r
>
> ----- Original Message -----
> From: David Fifield [mailto:david () bamsoftware com]
> To: Александр Рудаков [mailto:freekoder () gmail com]
> Cc: nmap-dev () insecure org
> Subject: Re: [NSE] modbus-enum.nse, modbus discovery script
>
>
> > On Mon, Nov 22, 2010 at 08:57:51PM +0300, Александр Рудаков
> > wrote:> > Hi all,> > > > I realised the script that duplicates functional
> of
> > Mark Bristow's modscan> > utility.> > Modscan utility finds MODBUS (one
> of the
> > popular SCADA protocols) devices in> > IP range and determines slave id
> > (SID).> > It tries to find legal SID of tcp modbus server by
> bruteforcing.> >
> > I just rewrote python code on lua and implemented it as nmap script. Here
> > is> > output of the script:> > > > PORT    STATE SERVICE> > 502/tcp open
> > modbus> > | modbus-enum:> > |   Positive response for sid = 0x64> > |
> > Positive error response for sid = 0x96> > |_  Positive response for sid =
> > 0xc8> > > >  Also, I wrote small modbus server mock on python for test
> > purposes.> > In the future, this script can be extended to test specifict
> > modbus devices> > and disclosure sensitive information.> > This is my
> first
> > expirience in nmap script development so I would be pleased> > to hear
> notes
> > and advises, and I hope it may be useful for someone.> > > > Modscan
> project
> > can be found here: http://code.google.com/p/modscan/> > PDF Presentation
> > about MODBUS proto and modscan utility from Defcon 16:> >
> https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf>
> > > > NSE script and modbus server mock are in attachments and at google
> > code:> > https://code.google.com/p/nmap-modscan/.> > I think the script
> looks
> > good. What is the reason for using function> code 8 instead of the
> default 17
> > that modscan.py
> > uses?> >
> http://code.google.com/p/modscan/source/browse/trunk/modscan.py#43> > This
> > page defines "Report slave ID" for code 17 but doesn't mention
> > code> 8.> > http://www.lammertbies.nl/comm/info/modbus.html#func> > Is
> there
> > significance to the "00 00 AA BB" data?> > David
> > Fifield> _______________________________________________> Sent through
> the
> > nmap-dev mailing
> > list> http://cgi.insecure.org/mailman/listinfo/nmap-dev> Archived at
> > http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/