Nmap Development mailing list archives
Re: Another SCADA/ICS NMAP NSE script - Lantronix Universal Device Server (UDS) enumeration script
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Wed, 08 Dec 2010 15:03:14 -0600
Just an FYI with this and the previously released SCADA/ICS enumeration scripts... *IF* you want ALL of the detailed information (shown in the sample output below), you will need to use the "-v" (verbose) option. If you do not use the "-v" option, the following sample output will be shown, and will simply show the firmware level and that it is in fact a "Lantronix" device.

[root@server nmap]# nmap --script=./lantronix.nse xxx.xxx.xxx.xxx -PN -sU -p161

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-12-08 15:00 CST
Nmap scan report for xxx.domain.com (xxx.xxx.xxx.xxx)
Host is up.
PORT    STATE SERVICE
161/udp open  snmp
| lantronix: CONFIRM DEVICE AS LANTRONIX
| ** IF YOU REQUIRE MORE INFO, USE THE "-v" OPTION
| ............Lantronix device info : CONFIRMED
|_............Version S/W : 05.2

Nmap done: 1 IP address (1 host up) scanned in 2.28 seconds

-r

----- Original Message -----
From: Bob Radvanovsky [mailto:rsradvan () unixworks net]
To: nmap-dev () insecure org
Subject: Another SCADA/ICS NMAP NSE script - Lantronix Universal Device Server (UDS) enumeration script
This is one of several enumeration scripts that I have written for the SCADA/industrial control systems community. This checks/validates the web-based traffic for the Lantronix Universal Device Server (UDS) device.

NOTE: This has been ONLY tested with one model, the Lantronix XPress DR-IAP, with the most recent firmware level (Version 5.2). The web interface is optional, and runs entirely using a Java servlet, making it difficult to enumerate using NMAP. However, if SNMP is ENABLED, the device can provide some rather useful information, including firmware release level, serial number, and revision level.

Here is sample output from the modified NMAP NSE script (execute it as "nmap --script=./lantronix.nse <IP address> -PN -sU -p161 -v"; the "-PN" flag needs to be used on older TCP/IP device stacks, as NMAP has a tendency to lock up the TCP/IP stack).

** THIS DEVICE HAS BEEN CONFIGURED AND TESTED ON OUR OWN NETWORK.
** THE DEVICE WILL REMAIN OPERATIONAL ON OUR NETWORK
** FOR APPROX. ONE (1) WEEK FROM TODAY (8-Dec-2010/Wednesday).
** IP ADDRESS IS "64.32.214.213" to validate the enumeration script.

The same script is shown below; if you wish to download the script, it may be accessed here:

http://www.infracritical.com/enum-scripts/lantronix.nse

===============================================
description = "Confirms/verifies that target device is a Lantronix UDS Serial-Ethernet server."

author = "Bob Radvanovsky <rsradvan at infracritical dot com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
dependencies = {"snmp-brute"}

--
-- Filename: lantronix.nse
--
-- Purpose: Checks for the following elements confirming said device:
--
--   1. PHASE I - SNMP verification.
--      a. STEP 1: Performs verification through 'snmpwalk'.
--      b. STEP 2: Acquires specific details from SNMP 'sysDescr.0'.
--
--   2. PHASE II - Documentation.
--
-- ==========================================================================
--
-- Version(s): 5.2
--
-- Usage: nmap --script=./lantronix.nse <IP>
--        (continued) --script-args='dox=1' -PN -sU -p161 -v
--
-- Author(s): Bob Radvanovsky - Infracritical
--            <rsradvan at infracritical dot com>
--
-- Initwritten: December 2010
--
-- DATE---- INIT DESCRIPTION------------------------------------------------
-- 10.08.12 rsr  Initial development - VERSION 001.
-- 10.08.12 rsr  Included URL links for related reference documentation.
--
-- NOTE: Script is a derived work from Thomas Buchanan's "snmp-sysdescr.nse"
--       NSE script, and has been modified to work specifically on/for the
--       Lantronix Universal Device Server (UDS) devices.
--
-- NOTE: We try and verify, running tests on as many versions of this device
--       as possible. If you encounter an "UNKNOWN", this may mean that you
--       have scanned a device version/variant that was not tested.
--
--       Since we are providing this script free-of-charge to everyone, it
--       would help us - and the community - if you would report the variance
--       to us. Submit your findings to "report () infracritical com". Thanks!
--

require("nmap")
require("stdnse")
require("shortport")
require("snmp")

-- The script only speaks SNMP, so it runs against UDP/161 only. "open|filtered"
-- is included because a UDP scan cannot tell the two apart until something
-- answers; the action below promotes the port to "open" once it gets a reply.
portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})

action = function(host, port)
  -- create the socket used for our connection
  local socket = nmap.new_socket()

  -- set a reasonable timeout value
  socket:set_timeout(5000)

  -- do some exception handling / cleanup
  local catch = function() socket:close() end

  -- connect to the potential SNMP system
  local try = nmap.new_try(catch)
  try(socket:connect(host.ip, port.number, "udp"))

  -- If you want to perform a test verification/validation of another OID,
  -- here are some values (as shown below):
  -- get value: 1.3.6.1.2.1.1.1 (SNMPv2-MIB::sysDescr.0)
  -- get value: 1.3.6.1.2.1.1.2 (SNMPv2-MIB::sysObjectID.0)
  -- get value: 1.3.6.1.2.1.1.3 (SNMPv2-MIB::sysUpTime.0)
  -- get value: 1.3.6.1.2.1.1.4 (SNMPv2-MIB::sysContact.0)
  -- get value: 1.3.6.1.2.1.1.5 (SNMPv2-MIB::sysName.0)
  -- get value: 1.3.6.1.2.1.1.6 (SNMPv2-MIB::sysLocation.0)
  -- get value: 1.3.6.1.2.1.1.7 (SNMPv2-MIB::sysServices.0)
  local options = {}
  options.reqId = 28428 -- any value works; the agent echoes it back in its GetResponse
  local payload = snmp.encode(snmp.buildPacket(snmp.buildGetRequest(options, "1.3.6.1.2.1.1.1.0")))

  try(socket:send(payload))

  -- read in any response we might get
  local status, response = socket:receive_bytes(1)
  socket:close()

  if (not status) or (response == "TIMEOUT") then
    return
  end

  -- since we got something back, the port is definitely open
  nmap.set_port_state(host, port, "open")

  -- On the tested UDS, sysDescr.0 is a space-separated string of the form
  --   "Lantronix UDS <serial> <firmware level> (<revision>)"
  -- Fields a variant does not supply are reported as UNKNOWN instead of
  -- aborting the script with a nil concatenation error.
  local confirm = tostring(snmp.fetchFirst(response) or "")
  local split = stdnse.strsplit(" ", confirm)
  local modelname = split[1] or ""
  local modeltype = split[2] or "UNKNOWN"
  local serial    = split[3] or "UNKNOWN"
  local fwlevel   = split[4] or "UNKNOWN"
  local revision  = split[5] or "UNKNOWN"

  -- Not a Lantronix: say so only when verbose, and never fall through to the
  -- "CONFIRM DEVICE AS LANTRONIX" banner for a foreign SNMP agent.
  if not string.match(modelname, "Lantronix") then
    if nmap.verbosity() > 1 then
      return "Fingerprint not found."
    end
    return
  end

  -- nmap.verbosity() counts the -v flags plus one when the script was selected
  -- explicitly by name, so "--script=./lantronix.nse ... -v" takes the detailed
  -- branch and a run without -v takes the short one (see the sample output).
  local result = "CONFIRM DEVICE AS LANTRONIX"
  if nmap.verbosity() > 1 then
    result = result .. "\n** PHASE 1: SNMP verification"
    result = result .. "\n....Step 1: Lantronix device info : CONFIRMED"
    result = result .. "\n............Version S/W : " .. fwlevel
    result = result .. "\n....Step 2: SNMP device detailed information"
    result = result .. "\n............Manufacturer name : " .. modelname
    result = result .. "\n............Type/model type : " .. modeltype
    result = result .. "\n............Serial number : " .. serial
    result = result .. "\n............Revision number : " .. revision
    result = result .. "\n** PHASE 2: Documentation"
    result = result .. "\n....Step 1: Documentation exist? : YES"
    result = result .. "\n"
    result = result .. "\n............ninja.infracritical.com/dox/xpress.pdf"
    result = result .. "\n"
  else
    result = result .. "\n** IF YOU REQUIRE MORE INFO, USE THE \"-v\" OPTION"
    result = result .. "\n............Lantronix device info : CONFIRMED"
    result = result .. "\n............Version S/W : " .. fwlevel
  end

  return result
end
===============================================

Sample output from the NSE script. NOTE: The IP address, serial number, and revision number for this sample output have been sanitized.

[root@server nmap]# nmap --script=./lantronix.nse xxx.xxx.xxx.xxx -PN -sU -p161 -v

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-12-08 12:45 CST
NSE: Loaded 1 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 12:45
Completed Parallel DNS resolution of 1 host. at 12:45, 0.00s elapsed
Initiating System CNAME DNS resolution of 1 host. at 12:45
Completed System CNAME DNS resolution of 1 host. at 12:45, 0.00s elapsed
Initiating UDP Scan at 12:45
Scanning xxx.domain.com (xxx.xxx.xxx.xxx) [1 port]
Completed UDP Scan at 12:45, 2.02s elapsed (1 total ports)
NSE: Script scanning xxx.xxx.xxx.xxx.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 12:45
Discovered open port 161/udp on xxx.xxx.xxx.xxx
Completed NSE at 12:45, 0.00s elapsed
Nmap scan report for xxx.domain.com (xxx.xxx.xxx.xxx)
Host is up.
PORT    STATE SERVICE
161/udp open  snmp
| lantronix: CONFIRM DEVICE AS LANTRONIX
| ** PHASE 1: SNMP verification
| ....Step 1: Lantronix device info : CONFIRMED
| ............Version S/W : 05.2
| ....Step 2: SNMP device detailed information
| ............Manufacturer name : Lantronix
| ............Type/model type : UDS
| ............Serial number : 0000000
| ............Revision number : (000000)
| ** PHASE 2: Documentation
| ....Step 1: Documentation exist? : YES
|_............ninja.infracritical.com/dox/xpress.pdf

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds
           Raw packets sent: 2 (176B) | Rcvd: 0 (0B)

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
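The probe the NSE script performs (one SNMPv1 GetRequest for sysDescr.0, then a split of the returned string into manufacturer, model, serial, firmware and revision) is shown below as an added example in Python; it is not part of Bob's post or of the lantronix.nse script, and it uses only the standard library so it can be read alongside the Lua. The community string "public", the GetResponse bytes (constructed here, not captured from a device), and the field layout "Lantronix UDS <serial> <firmware> (<revision>)" inferred from the sanitized sample output are assumptions. Two things the NSE script does not do are added because a practitioner probing an ICS device would want them: the echoed request-id is checked so a stale or spoofed UDP reply is rejected, and a sysDescr with fewer tokens than expected yields "UNKNOWN" fields instead of an error.

```python
"""SNMPv1 GET of sysDescr.0 and Lantronix UDS sysDescr parsing, standard library only.
The BER encoder/decoder covers just the types an SNMPv1 GetRequest/GetResponse uses."""
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # SNMPv2-MIB::sysDescr.0


def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def encode_int(n):
    # minimal two's-complement encoding (an extra byte keeps values >= 0x80 positive)
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(arcs):
    out = bytearray([arcs[0] * 40 + arcs[1]])          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                       # base-128, high groups flagged 0x80
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id):
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))            # OID + NULL value
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))                                   # GetRequest-PDU
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def decode_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(packet, request_id=None):
    """Return (error_status, sysDescr string or None) from an SNMPv1 GetResponse."""
    tag, msg, _ = decode_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = decode_tlv(msg)                          # version
    _, _, pos = decode_tlv(msg, pos)                     # community
    tag, pdu, _ = decode_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse-PDU (tag 0x%02x)" % tag)
    _, rid, pos = decode_tlv(pdu)
    if request_id is not None and int.from_bytes(rid, "big", signed=True) != request_id:
        raise ValueError("request-id mismatch: stale or spoofed reply")
    _, err, pos = decode_tlv(pdu, pos)                   # error-status
    _, _, pos = decode_tlv(pdu, pos)                     # error-index
    _, varbinds, _ = decode_tlv(pdu, pos)
    _, vb, _ = decode_tlv(varbinds)                      # first VarBind only
    _, _, vpos = decode_tlv(vb)                          # skip its OID
    vtag, value, _ = decode_tlv(vb, vpos)
    text = value.decode("ascii", "replace") if vtag == 0x04 else None   # OCTET STRING
    return int.from_bytes(err, "big"), text


def parse_lantronix_sysdescr(sysdescr):
    """Split 'Lantronix UDS <serial> <fw> (<rev>)' (layout assumed from the sample output)
    into named fields; missing trailing fields become 'UNKNOWN' instead of erroring."""
    fields = sysdescr.split(" ")
    if not fields or "Lantronix" not in fields[0]:
        return None
    names = ("manufacturer", "model", "serial", "firmware", "revision")
    return {n: (fields[i] if i < len(fields) else "UNKNOWN") for i, n in enumerate(names)}


def snmp_get_sysdescr(host, community="public", port=161, timeout=5.0, request_id=28428):
    """One GetRequest for sysDescr.0; returns the string, or None on timeout/SNMP error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, SYS_DESCR_OID, request_id), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    err, value = parse_get_response(data, request_id)
    return value if err == 0 else None


# Constructed GetResponse (not captured from a device): echoes request-id 28428,
# error-status 0, and a sysDescr modelled on the post's sanitized sample output.
SAMPLE_SYSDESCR = "Lantronix UDS 0000000 05.2 (000000)"
SAMPLE_RESPONSE = tlv(0x30, encode_int(0) + tlv(0x04, b"public") + tlv(
    0xA2, encode_int(28428) + encode_int(0) + encode_int(0) + tlv(0x30, tlv(
        0x30, encode_oid(SYS_DESCR_OID) + tlv(0x04, SAMPLE_SYSDESCR.encode())))))

if __name__ == "__main__":
    import sys
    descr = snmp_get_sysdescr(sys.argv[1]) if len(sys.argv) > 1 else parse_get_response(SAMPLE_RESPONSE)[1]
    print(parse_lantronix_sysdescr(descr or "") or "Fingerprint not found.")
```

Run with no argument it parses the constructed response; run as `python3 lantronix_sysdescr.py <IP>` it sends one GetRequest to the target, which is the same single UDP datagram the NSE script emits, so it is just as safe to point at a fragile device stack.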
Current thread:
- Re: Another SCADA/ICS NMAP NSE script - Lantronix Universal Device Server (UDS) enumeration script Bob Radvanovsky (Dec 08)