Nmap Development mailing list archives
Re: Another SCADA/ICS NMAP NSE script - Rockwell MicroLogix Series 1400 enumeration script
From: David Fifield <david () bamsoftware com>
Date: Tue, 1 Feb 2011 22:15:07 -0800
On Mon, Dec 06, 2010 at 09:28:38PM -0600, Bob Radvanovsky wrote:
This is one of several enumeration scripts that I have written for the SCADA/industrial control systems community. This checks/validates the SNMP traffic for the Allen-Bradley/Rockwell MicroLogix Series 1400 PLC controller. The same script is shown below; if you wish to download the script, the script may be accessed here: http://www.infracritical.com/enum-scripts/micrologix1400.nse

PORT    STATE SERVICE
161/udp open  snmp
| micrologix1400: CONFIRM DEVICE AS ALLEN-BRADLEY/ROCKWELL MICROLOGIX
| ** PHASE 1: SNMP verification
| ....Step 1: MicroLogix device info : CONFIRMED
| ............Version S/W : A/5.00
| ....Step 2: SNMP device detailed information
| ............Manufacturer name : Allen-Bradley
| ............Model number : 1766-L32AWAA
| ............Type/model type : MicroLogix 1400
| ............Series type : A
| ............Revision number : 5.0
| ** PHASE 2: Documentation
| ....Step 1: Documentation exist? : YES
| ............ninja.infracritical.com/dox/1766-in001_-en-p.pdf
|_............ninja.infracritical.com/dox/1766-um002_-en-p.pdf
I'm looking over your SCADA scripts now, Bob. Thanks for taking the time to write and submit them. I think that what you have created has value. In general, though, I think the special-purpose detection mechanisms would be better built into general-purpose mechanisms that can classify a larger number of devices.

As an example of what I mean, look at http-enum and the nselib/data/http-fingerprints.lua file. That has fingerprints like "/images/rails.png" => "Ruby on Rails" and "/gfx/logout_24.png" => "Secunia NSI". One could imagine ruby-on-rails.nse and secunia-nsi.nse scripts that did these checks individually, but it's better to use a common detection mechanism that is extended through a database of fingerprints.

Back to micrologix1400.nse. As I understand it, this script does a sysDescr query and then parses some details out of it. The documentation says:

-- 1. PHASE I - SNMP verification.
--    a. STEP 1: Performs verification through 'snmpwalk'.
--    b. STEP 2: Acquires specific details from SNMP 'sysDescr.0'.
-- 2. PHASE II - Documentation.

However I don't see the (a. STEP 1) part in the code, and phase II just seems to print a constant string.

What is the output of snmp-sysdescr against this device? In line with my comments above, if snmp-sysdescr is missing information that this script can provide, I would rather see effort put into improving snmp-sysdescr than into a new script.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
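The fingerprint-database approach David describes (one generic matcher extended by table entries, rather than one script per device), sketched in Python as an added example that is not part of the thread or of Nmap; the MicroLogix sysDescr layout and all sample strings are constructed here, since the thread never shows the device's real sysDescr:

```python
import re

# Fingerprint database in the spirit of nselib/data/http-fingerprints.lua:
# (product name, regex over SNMP sysDescr.0). Named groups become the
# fields reported for a match, so adding a device is a table entry, not a
# new script. The MicroLogix entry assumes a sysDescr layout that is
# constructed here; the real string is not shown in the thread.
FINGERPRINTS = [
    ("Allen-Bradley/Rockwell MicroLogix 1400", re.compile(
        r"(?P<manufacturer>Allen-Bradley)\s+(?P<model>1766-[A-Z0-9]+)\s+"
        r"(?P<type>MicroLogix 1400)\s+Series\s+(?P<series>[A-Z])\s+"
        r"Rev(?:ision)?\s+(?P<revision>\d+\.\d+)")),
    ("Cisco IOS", re.compile(
        r"Cisco IOS Software.*?Version\s+(?P<version>[\w.()]+)")),
    ("Linux", re.compile(
        r"^Linux\s+(?P<hostname>\S+)\s+(?P<version>\S+)")),
]

def classify(sysdescr):
    """Return {'product': ..., <named fields>} for the first matching
    fingerprint, or None when nothing in the database matches."""
    for product, pattern in FINGERPRINTS:
        m = pattern.search(sysdescr)
        if m:
            result = {"product": product}
            # Keep only groups that actually participated in the match.
            result.update({k: v for k, v in m.groupdict().items() if v})
            return result
    return None

# Constructed sysDescr samples (not captured from real devices).
SAMPLES = {
    "plc": "Allen-Bradley 1766-L32AWAA MicroLogix 1400 Series A Rev 5.00",
    "switch": ("Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
               "Version 12.2(55)SE, RELEASE SOFTWARE (fc2)"),
    "host": "Linux sensor01 5.10.0-23-amd64 #1 SMP Debian x86_64",
    "unknown": "Generic SNMP agent v1.0",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, "->", classify(text))
```

In an NSE script the same table would live beside snmp-sysdescr's query and the matched fields would be emitted through the script's output table.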