Nmap Development mailing list archives

Re: Another SCADA/ICS NMAP NSE script - Lantronix Universal Device Server (UDS) enumeration script


From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Wed, 08 Dec 2010 15:03:14 -0600

Just an FYI with this and the previously released SCADA/ICS enumeration scripts...

*IF* you want ALL of the detailed information (shown below from the sample output), you will need to use the "-v" 
(verbose) option.  If you do not use the "-v" option, the following sample output will be shown, and will simply show 
the firmware level and that it is in fact a "Lantronix" device.

[root@server nmap]# nmap --script=./lantronix.nse xxx.xxx.xxx.xxx -PN -sU -p161

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-12-08 15:00 CST
Nmap scan report for xxx.domain.com (xxx.xxx.xxx.xxx)
Host is up.
PORT    STATE SERVICE
161/udp open  snmp
| lantronix: CONFIRM DEVICE AS LANTRONIX
| ** IF YOU REQUIRE MORE INFO, USE THE "-v" OPTION
| ............Lantronix device info  : CONFIRMED
|_............Version S/W            : 05.2

Nmap done: 1 IP address (1 host up) scanned in 2.28 seconds

-r

----- Original Message -----
From: Bob Radvanovsky [mailto:rsradvan () unixworks net]
To: nmap-dev () insecure org
Subject: Another SCADA/ICS NMAP NSE script - Lantronix Universal Device Server (UDS) enumeration script


This is one of several enumeration scripts that I have written for the
SCADA/industrial control systems community.  This checks/validates the
web-based traffic for the Lantronix Universal Device Server (UDS) device. 
NOTE: This has been ONLY tested with one model, the Lantronix XPress DR-IAP,
with the most recent firmware level (Version 5.2).

The web interface is optional, and runs entirely using a Java servlet,
making it difficult to enumerate using NMAP.  However, if SNMP is ENABLED,
the device can provide some rather useful information, including firmware
release level, serial number, and revision level.

Here is sample output from the modified NMAP NSE script (execute it as "nmap
--script=./lantronix.nse <IP address> -PN -sU -p161 -v"; the "-PN" flag
needs to be used on older TCP/IP device stacks, as NMAP has a tendency to
lock up the TCP/IP stack).

** THIS DEVICE HAS BEEN CONFIGURED AND TESTED ON OUR OWN NETWORK.
** THE DEVICE WILL REMAIN OPERATIONAL ON OUR NETWORK
** FOR APPROX. ONE (1) WEEK FROM TODAY (8-Dec-2010/Wednesday).

** IP ADDRESS IS "64.32.214.213" to validate the enumeration script.

The same script is shown below; if you wish to download the script, the
script may be accessed here:
http://www.infracritical.com/enum-scripts/lantronix.nse

===============================================

description = "Confirms/verifies that target device is a Lantronix UDS Serial-Ethernet server."
author      = "Bob Radvanovsky <rsradvan at infracritical dot com>"
license     = "Same as Nmap--See http://nmap.org/book/man-legal.html";
categories  = {"default", "discovery", "safe"}
dependencies= {"snmp-brute"}

--
--  Filename:      lantronix.nse
--
--  Purpose:       Checks for the following elements confirming said device:
--
--  1.  PHASE I - SNMP verification.
--      a.  STEP 1:  Performs verification through 'snmpwalk'.
--      b.  STEP 2:  Acquires specific details from SNMP 'sysDescr.0'.
--
--  2.  PHASE II - Documentation.
--
-- ==========================================================================
--
--  Version(s):    5.2
--
--  Usage:         nmap --script=./lantronix.nse <IP>
--                 (continued) --script-args='dox=1' -PN -sU -p161 -v
--
--  Author(s):     Bob Radvanovsky - Infracritical
--                 <rsradvan at infracritical dot com>
--
--  Initwritten:   December 2010
--
--  DATE----  INIT  DESCRIPTION------------------------------------------------
--  10.08.12  rsr   Initial development - VERSION 001.
--  10.08.12  rsr   Included URL links for related reference documentation.
--
--  NOTE: Script is a derived work from Thomas Buchanan's "snmp-sysdescr.nse"
--        NSE script, and has been modified to work specifically on/for the
--        Lantronix Universal Device Server (UDS) devices.
--
--  NOTE: We try and verify, running tests on as many versions of this device
--        as possible.  If you encounter an "UNKNOWN", this may mean that you
--        have scanned a device version/variant that was not tested.
--
--        Since we are providing this script free-of-charge to everyone, it
--        would help us - and the community - if you would report the variance
--        to us.  Submit your findings to "report () infracritical com".  Thanks!
--

require("nmap")
require("nsedebug")
require("datafiles")
require("stdnse")
require("shortport")
require("snmp")
require("http")
require("url")
require("strbuf")

portrule = shortport.portnumber({80,161}, "udp", {"open", "open|filtered"})

action = function(host, port)

  -- create the socket used for our connection
  local socket = nmap.new_socket()
        
  -- set a reasonable timeout value
  socket:set_timeout(5000)
        
  -- do some exception handling / cleanup
  local catch = function()
    socket:close()
  end
        
  -- connect to the potential SNMP system
  local try = nmap.new_try(catch)
  try(socket:connect(host.ip, port.number, "udp"))
        
  -- If you want to perform a test verifiication/validation of another OID,
  -- here are some values (as shown below):
  -- get value: 1.3.6.1.2.1.1.1 (SNMPv2-MIB::sysDescr.0)
  -- get value: 1.3.6.1.2.1.1.2 (SNMPv2-MIB::sysObjectID.0)
  -- get value: 1.3.6.1.2.1.1.3 (SNMPv2-MIB::sysUpTime.0)
  -- get value: 1.3.6.1.2.1.1.4 (SNMPv2-MIB::sysContact.0)
  -- get value: 1.3.6.1.2.1.1.5 (SNMPv2-MIB::sysName.0)
  -- get value: 1.3.6.1.2.1.1.6 (SNMPv2-MIB::sysLocation.0)
  -- get value: 1.3.6.1.2.1.1.7 (SNMPv2-MIB::sysServices.0)
  local options = {}
  options.reqId = 28428 -- unnecessary? (the reply's request-id is not checked below)
  local payload = snmp.encode(snmp.buildPacket(snmp.buildGetRequest(options, "1.3.6.1.2.1.1.1.0")))
  try(socket:send(payload))
  local status, response
        
  -- read in any response we might get
  status, response = socket:receive_bytes(1)
  if (not status) or (response == "TIMEOUT") then return; end
        
  -- since we got something back, the port is definitely open
  nmap.set_port_state(host, port, "open")

  -- sysDescr on the tested XPress DR-IAP is five space-separated fields:
  -- "<manufacturer> <model type> <serial> <firmware level> <revision>"
  local confirm = tostring(snmp.fetchFirst(response))
  -- print(confirm)
  local result = "CONFIRM DEVICE AS LANTRONIX"

  -- default any missing field to "UNKNOWN" so the concatenations below never see nil
  local split = stdnse.strsplit(" ", confirm)
  local modelname = split[1] or "UNKNOWN"
  local modeltype = split[2] or "UNKNOWN"
  local serial    = split[3] or "UNKNOWN"
  local fwlevel   = split[4] or "UNKNOWN"
  local revision  = split[5] or "UNKNOWN"

  if string.match(modelname, "Lantronix") then
    if nmap.verbosity() > 1 then
      result = result .. "\n** PHASE 1: SNMP verification"
      result = result .. "\n....Step 1: Lantronix device info  : CONFIRMED"
    else
      result = result .. "\n** IF YOU REQUIRE MORE INFO, USE THE \"-v\" OPTION"
    end
    if nmap.verbosity() > 1 then
      result = result .. "\n............Version S/W            : " .. fwlevel
    else
      result = result .. "\n............Lantronix device info  : CONFIRMED"
      result = result .. "\n............Version S/W            : " .. fwlevel
    end
    if nmap.verbosity() > 1 then
      result = result .. "\n....Step 2: SNMP device detailed information"
      result = result .. "\n............Manufacturer name      : " .. modelname
      result = result .. "\n............Type/model type        : " .. modeltype
      result = result .. "\n............Serial number          : " .. serial
      result = result .. "\n............Revision number        : " .. revision
      result = result .. "\n** PHASE 2: Documentation"
      result = result .. "\n....Step 1: Documentation exist?   : YES"
      result = result .. "\n"
      result = result .. "\n............ninja.infracritical.com/dox/xpress.pdf"
    end
  else
    if nmap.verbosity() > 1 then result = "Fingerprint not found."; end
  end
  if nmap.verbosity() > 1 then result = result .. "\n"; end
  return result
end

===============================================

Sample output from the NSE script.  NOTE: The IP address, serial number, and
revision number for this sample output have been sanitized.

[root@server nmap]# nmap --script=./lantronix.nse xxx.xxx.xxx.xxx -PN -sU
-p161 -v

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-12-08 12:45 CST
NSE: Loaded 1 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 12:45
Completed Parallel DNS resolution of 1 host. at 12:45, 0.00s elapsed
Initiating System CNAME DNS resolution of 1 host. at 12:45
Completed System CNAME DNS resolution of 1 host. at 12:45, 0.00s elapsed
Initiating UDP Scan at 12:45
Scanning xxx.domain.com (xxx.xxx.xxx.xxx) [1 port]
Completed UDP Scan at 12:45, 2.02s elapsed (1 total ports)
NSE: Script scanning xxx.xxx.xxx.xxx.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 12:45
Discovered open port 161/udp on xxx.xxx.xxx.xxx
Completed NSE at 12:45, 0.00s elapsed
Nmap scan report for xxx.domain.com (xxx.xxx.xxx.xxx)
Host is up.
PORT    STATE SERVICE
161/udp open  snmp
| lantronix: CONFIRM DEVICE AS LANTRONIX
| ** PHASE 1: SNMP verification
| ....Step 1: Lantronix device info  : CONFIRMED
| ............Version S/W            : 05.2
| ....Step 2: SNMP device detailed information
| ............Manufacturer name      : Lantronix
| ............Type/model type        : UDS
| ............Serial number          : 0000000
| ............Revision number        : (000000)
| ** PHASE 2: Documentation
| ....Step 1: Documentation exist?   : YES
|_............ninja.infracritical.com/dox/xpress.pdf

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds
           Raw packets sent: 2 (176B) | Rcvd: 0 (0B)
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
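An added example, not part of the post or of lantronix.nse: a Python sketch of the SNMP exchange the script performs (a v1 GetRequest for sysDescr.0 with the script's reqId, then the sysDescr split into the five fields the script reads), run offline against a constructed GetResponse. The community string "public" and the sample sysDescr value are assumptions; a sysDescr with fewer than five fields yields "UNKNOWN" instead of a nil concatenation.

```python
# Added example (not from the post or lantronix.nse): hand-encodes the SNMPv1
# GetRequest for sysDescr.0 that the script sends, decodes a constructed
# GetResponse, and splits sysDescr into the five fields the script expects.
SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"
FIELDS = ("modelname", "modeltype", "serial", "fwlevel", "revision")

def tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128            # short-form BER length suffices here
    return bytes([tag, len(body)]) + body

def encode_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                # base-128 arcs; enough for arcs < 16384
        out += bytes([a]) if a < 128 else bytes([0x80 | (a >> 7), a & 0x7F])
    return tlv(0x06, bytes(out))

def build_packet(pdu_tag: int, community: str, req_id: int, value=None) -> bytes:
    # 0xA0 = GetRequest (value NULL, as the script sends); 0xA2 = GetResponse
    val = b"\x05\x00" if value is None else tlv(0x04, value.encode())
    varbind = tlv(0x30, encode_oid(SYSDESCR_OID) + val)
    pdu = tlv(pdu_tag, encode_int(req_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)

def octet_strings(buf: bytes, found: list) -> list:
    # depth-first walk collecting every OCTET STRING in encounter order
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        body = buf[i + 2:i + 2 + ln]
        if tag == 0x04:
            found.append(body)
        elif tag in (0x30, 0xA0, 0xA2):   # SEQUENCE, GetRequest, GetResponse
            octet_strings(body, found)
        i += 2 + ln
    return found

def sysdescr_from_response(pkt: bytes) -> str:
    found = octet_strings(pkt, [])
    return found[1].decode() if len(found) > 1 else ""   # [0] is the community

def parse_sysdescr(descr: str) -> dict:
    # the script reads split[1..5]; a shorter sysDescr yields "UNKNOWN", not nil
    parts = descr.split(" ")
    return {k: parts[i] if i < len(parts) else "UNKNOWN"
            for i, k in enumerate(FIELDS)}
```

`build_packet(0xA0, "public", 28428)` is the 41-byte request the script's snmp.buildGetRequest/buildPacket/encode chain produces for "public"; feed a real reply to sysdescr_from_response and parse_sysdescr to see the same five fields the script prints.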
