Nmap Development mailing list archives
Re: [NSE] modbus-enum.nse, modbus discovery script
From: Александр Рудаков <freekoder () gmail com>
Date: Fri, 3 Dec 2010 22:01:53 +0300
Hi again. I spent last week improving the modbus-enum script. I implemented the following features:

1) It tries to find a valid sid by sending a Report Slave ID request (function code = 17).
2) If an error response is returned, it translates the error code to an error description string.
3) If a positive response is returned, it records the slave id data from the response and shows it in the script output.
4) If a legal sid is found, it tries to get more info about the modbus device by sending a Read Device Identification request (function id = 0x2B) and records the device identification strings.

Script output now looks like this:

PORT    STATE SERVICE
502/tcp open  modbus
| modbus-enum:
|   Positive response for sid = 0x64
|     SLAVE ID DATA: \xFA\xFFPM710PowerMeter
|     DEVICE IDENTIFICATION: Schneider Electric PM710 v03.110
|   Positive error response for sid = 0x96 (GATEWAY TARGET DEVICE FAILED TO RESPONSE)
|_  Positive response for sid = 0xc8

I tested the script on several devices and it seems to work. But the script lacks error checks, for example checking of array bounds. I'm going to fix some potential errors and tidy up the script.

2010/12/1, Bob Radvanovsky <rsradvan () unixworks net>:
That's a great idea, Mr. Rudakov! I would be happy to test your script in our environment, too, and look forward to your update. Thanks!

-r

----- Original Message -----
From: Александр Рудаков [mailto:freekoder () gmail com]
To: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Cc: nmap-dev () insecure org
Subject: Re: [NSE] modbus-enum.nse, modbus discovery script

Bob, I read Modbus Application Protocol V1.1, and have the following ideas for improving the script:

1) Use function code 17 to find legal sid values. This function does not require payload data, so the data variable does not need to be redefined.
2) If an error response returns, the script can show the error description according to the exception code.
3) After a legal sid is detected, we can discover the device vendor and version by using the Read Device Identification function (0x2B). I wrote a test script to get the vendor identifier and tested it on my devices. It works well. But I need more time for cleanup.

What do you think about it?

With best regards, Alexander.

2010/11/30 Bob Radvanovsky <rsradvan () unixworks net>:
I will be evaluating/validating this on several MODBUS devices that we have in our lab. If there need to be any modifications, I will provide a modification to Mr. Rudakov's modbus-enum.nse, and resubmit it to Mr. Rudakov (and this mailing list) for review. Based on the MODBUS protocol definition, there are other functionalities that can be performed, some of which can perform some dangerous stuff, such as shutting down a MODBUS device. When we get started on the evaluation/validation testing, I will list the manufacturers, series and product number that we performed the tests against. This will be made available to the general public via our web site.
-r

----- Original Message -----
From: Александр Рудаков [mailto:freekoder () gmail com]
To: Bob Radvanovsky [mailto:rsradvan () unixworks net], David Fifield [mailto:david () bamsoftware com]
Cc: nmap-dev () insecure org
Subject: Re: [NSE] modbus-enum.nse, modbus discovery script

Hi, Bob. Hi, David. Thanks for your attention to this script. Bob is quite right that 08 is the diagnostic function. The Defcon presentation says that the diagnostic function has diagnostic code 00 00 just returning query data, so 00 00 AA BB is a query to return data AA BB. I just took it from the query examples in the presentation. This past week I tried to test my script on real modbus devices. Code 08 works well, but the devices I have seem not to understand return data queries. I will test this script with function code 17. Maybe it would be better to use this value. Also, I noticed that some timeout is required (about 2 seconds) between queries.

On 29 November 2010 at 13:33, Bob Radvanovsky <rsradvan () unixworks net> wrote:
Code 8 is used for diagnostics. Go here: http://en.wikipedia.org/wiki/Modbus and here: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf (section 6.9 on page 25/51)

"The event counter can be reset by means of the Diagnostics function (code 08), with a subfunction of Restart Communications Option (code 00 01) or Clear Counters and Diagnostic Register (code 00 0A)."

and here: http://www.modbus.org/docs/PI_MBUS_300.pdf (page 74)

"Description
Returns a status word and an event count from the slave's communications event counter. By fetching the current count before and after a series of messages, a master can determine whether the messages were handled normally by the slave. Broadcast is not supported. The controller's event counter is incremented once for each successful message completion. It is not incremented for exception responses, poll commands, or fetch event counter commands.
The event counter can be reset by means of the Diagnostics function (code 08), with a subfunction of Restart Communications Option (code 00 01) or Clear Counters and Diagnostic Register (code 00 0A)."

-r

----- Original Message -----
From: David Fifield [mailto:david () bamsoftware com]
To: Александр Рудаков [mailto:freekoder () gmail com]
Cc: nmap-dev () insecure org
Subject: Re: [NSE] modbus-enum.nse, modbus discovery script

On Mon, Nov 22, 2010 at 08:57:51PM +0300, Александр Рудаков wrote:
> Hi all,
>
> I implemented a script that duplicates the functionality of Mark Bristow's modscan utility.
> The Modscan utility finds MODBUS (one of the popular SCADA protocols) devices in an IP range and determines the slave id (SID).
> It tries to find a legal SID of a tcp modbus server by brute forcing.
> I just rewrote the python code in lua and implemented it as an nmap script. Here is the output of the script:
>
> PORT    STATE SERVICE
> 502/tcp open  modbus
> | modbus-enum:
> |   Positive response for sid = 0x64
> |   Positive error response for sid = 0x96
> |_  Positive response for sid = 0xc8
>
> Also, I wrote a small modbus server mock in python for test purposes.
> In the future, this script can be extended to test specific modbus devices and disclose sensitive information.
> This is my first experience in nmap script development, so I would be pleased to hear notes and advice, and I hope it may be useful for someone.
>
> The Modscan project can be found here: http://code.google.com/p/modscan/
> PDF presentation about the MODBUS protocol and the modscan utility from Defcon 16: https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf
> The NSE script and modbus server mock are in the attachments and at code: https://code.google.com/p/nmap-modscan/.

I think the script looks good. What is the reason for using function code 8 instead of the default 17 that modscan.py uses?

http://code.google.com/p/modscan/source/browse/trunk/modscan.py#43

This page defines "Report slave ID" for code 17 but doesn't mention code 8.

http://www.lammertbies.nl/comm/info/modbus.html#func

Is there significance to the "00 00 AA BB" data?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Attachment: modbus-discover.nse
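Alexander notes above that the script still lacks array-bounds checks. As an added illustration (not code from the thread, from modbus-enum.nse or from modscan), here is a Python parser for the three response kinds the script handles, exception responses, Report Slave ID (17) and Read Device Identification (0x2B), that validates every length field before indexing; the sample frames are constructed to match the PM710 output quoted in the thread, and the mbap helper and tid=1 are assumptions of this example.

```python
import struct

# Exception codes from the Modbus Application Protocol spec V1.1b (section 7).
EXCEPTION_CODES = {
    0x01: "ILLEGAL FUNCTION", 0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE", 0x04: "SLAVE DEVICE FAILURE",
    0x05: "ACKNOWLEDGE", 0x06: "SLAVE DEVICE BUSY",
    0x08: "MEMORY PARITY ERROR", 0x0A: "GATEWAY PATH UNAVAILABLE",
    0x0B: "GATEWAY TARGET DEVICE FAILED TO RESPOND",
}

def mbap(unit, pdu):
    """Wrap a PDU in an MBAP header (tid=1, protocol 0, length = unit + pdu)."""
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu

def parse_response(frame):
    """Classify one Modbus/TCP response, bounds-checking every length field.

    Returns (unit_id, kind, value): kind "exception" -> description string,
    "slave_id" -> raw Report Slave ID bytes, "device_id" -> {object id: text},
    "other" -> raw PDU data after the function code.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or MBAP length does not match frame")
    func, data = frame[7], frame[8:]
    if func & 0x80:  # exception: request function code with the high bit set
        code = data[0] if data else -1
        return unit, "exception", EXCEPTION_CODES.get(code, "UNKNOWN EXCEPTION")
    if func == 0x11:  # Report Slave ID: byte count, then device-specific bytes
        if not data or len(data) - 1 < data[0]:
            raise ValueError("Report Slave ID byte count exceeds frame")
        return unit, "slave_id", data[1:1 + data[0]]
    if func == 0x2B and data[:1] == b"\x0E":  # Read Device Identification
        # MEI type, read code, conformity, more follows, next id, object count
        if len(data) < 6:
            raise ValueError("truncated device identification header")
        objs, pos = {}, 6
        for _ in range(data[5]):
            if pos + 2 > len(data) or pos + 2 + data[pos + 1] > len(data):
                raise ValueError("identification object runs past frame end")
            oid, olen = data[pos], data[pos + 1]
            objs[oid] = data[pos + 2:pos + 2 + olen].decode("ascii", "replace")
            pos += 2 + olen
        return unit, "device_id", objs
    return unit, "other", data

# Constructed sample responses, shaped after the script output quoted in the thread.
EXCEPTION_FRAME = mbap(0x96, b"\x91\x0B")
SLAVE_ID_FRAME = mbap(0x64, b"\x11\x11\xFA\xFFPM710PowerMeter")
DEVICE_ID_FRAME = mbap(0x64, b"\x2B\x0E\x01\x01\x00\x00\x03"
                       b"\x00\x12Schneider Electric\x01\x05PM710\x02\x07v03.110")
```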