Re: Another SCADA/ICS NMAP NSE script - Hirschmann/Innominate Security Technologies 'mGuard' firewall enumeration script

[Bob Radvanovsky <rsradvan () unixworks net>]

WOW!!!  It's nice to have a critique form you (and Fyodor) on this matter - thank you (bowing, Asian-style).  This was 
my *first* script written using LUA/NSE.  Yes, much of what you see was taken from other scripts, and hopefully, I 
outline credentials to the original authors (give credit where credit is due...my motto).

In defense of producing 'negative output', remember who the target audience is: an engineer.

Lemme paint a picture for you (and those reading this email message)...

This script was *not* designed for an "IT person" - it was designed for a "plant engineer" or an "operations engineer". 
 The question that you (and many others on this list) would ask is: what is a "plant engineer"?  Simple.  These are 
electrical or mechnical or chemical or civil engineers put into a plant production environment, such as a food 
processing plant, a power generation plant, a water distillation plant, etc.  These are the guys who 'make the magic 
happen', and are often the ones who make sure that the processing (or 'operations') continues to perform, without any 
flaws, without any interruptions, whatsoever.  Welcome to the "World of Process Control Engineers".  This is stuff that 
deals with what is called "ladder logic" (ref: http://en.wikipedia.org/wiki/Ladder_logic, realize that it's Wikipedia, 
but it was the easiest to provide some sort of proof); "ladder logic" is also called "railroad logic" as it has a 
resemblance to a railroad switchyard.  This is simplist
 ic 'machine logic' - very simple ON/OFF scenarios.  Many of these systems, including such security devices (such as 
the Hirschmann) rely on this processing capability.

Thus, to most IT folk, comes this level of confusion.

Not only does it exist, but it is alive and thriving all over the World!

So...these scripts (such as this script) were written for the explicitly-minded engineer who only knows true/false 
scenarios.  The output, regardless of whether it did, or did not, pass, is irrelevant.  Engineers want to see output 
regardless of the scenario.  The fact that you saw something (regardless of what shown) is proof that the script worked 
(at least, in the mind of an engineer).  My scripts attempted to provide that level of detail, as engineers often make 
such demands to detail (of which I cannot blame them).

So...in a long and 'roung-about way, does this make sense?

-rad

P.S.  Please bear with me....approaching 21 hours of no sleep with some sense of sanity in me....time....for....bed)

----- Original Message -----
From: David Fifield [mailto:david () bamsoftware com]
To: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Cc: nmap-dev () insecure org
Subject: Re: Another SCADA/ICS NMAP NSE script - Hirschmann/Innominate Security Technologies 'mGuard' firewall 
enumeration script


> On Mon, Dec 06, 2010 at 09:56:19PM -0600, Bob Radvanovsky wrote:
> > This is one of several enumeration scripts that I have written for the
> > SCADA/industrial control systems community.  This checks/validates the
> > web-based traffic for the Hirschmann/Innominate Security
> > Technologies/Phoenix Contacts 'mGuard' firewall.  NOTE: This has ONLY
> > tested with the Hirschmann OEM of the Innominate's software, as well
> > as Innominate's software (direct), and has NOT been tested on the
> > newer Phoenix Contacts 'mGuard' firewall (even though it continues to
> > be an OEM'd version of Innominate's software).
> >
> > As the firewall has been rendered inoperative through our various
> > enumeration and validation tests, there is currently NO sample output
> > from the NMAP NSE script...sorry
> >
> > The same script is shown below; if you wish to download the script,
> > the script may be accessed here:
> > http://www.infracritical.com/enum-scripts/mguard-10091201.nse
> >
> > Not shown: 996 closed ports
> > PORT     STATE    SERVICE
> > 22/tcp   open     ssh
> > 53/tcp   open     domain
> > 443/tcp  open     https
> > | mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
> > | ** PHASE 1: TLS/SSL certificate verification
> > | ....Step 1: SSL certificate info   : CONFIRMED
> > | ....Step 2: SSL certificate MD5 hash information
> > | ............Flash ID               : 420401db459c83e7
> > | ............Organization name      : Hirschmann Automation and Control
> GmbH
> > | ............SSL certificate MD5    : c93063872150383b879a69f65ab6d7e5
> > | ............SSL certificate version: 4.2.1 or newer
> > | ** PHASE 2: File presence verification
> > | ....Step 1: Existence of "/favicon.ico"
> > | ............File favicon.ico MD5   : 7449c1f67008cc3bfabbc8f885712207
> > | ............Server type/version    : 4.2.1 or newer
> > | ....Step 2: Existence of "/gai.js"
> > | ............File gai.js MD5        : e7696a86648dcdb6efb2e497e5a8616b
> > | ............Server type/version    : 4.2.1
> > | ....Step 3: Existence of "/style.css"
> > | ............File style.css MD5     : d71581409253d54902bea82107a1abb2
> > | ............Server type/version    : 4.2.1
> > | ** PHASE 3: HTML pattern matching verification
> > | ....Step 1: Confirmation of HTML code per version
> > | ............HTML code verified     : CONFIRMED
> > | ............HTML code variant      : Hirschmann
> > | ....Step 2: Confirmation web server verification
> > | ............Web server verified    : CONFIRMED
> > | ............Web server name/type   : fnord
> > | ............Web server version     : 1.6
> > | ** PHASE 4: Documentation
> > | ....Step 1: Documentation exist?   : YES
> > |
> ............ninja.infracritical.com/dox/hirschmann/UM_BAT54_SW_Rel754_en.pdf
> > |_............ninja.infracritical.com/dox/hirschmann/UM_EAGLE_401_EN.pdf
>
> Step 2 where you examine the contents of the SSL certificate is a good
> idea. What do you think about building a database of known devices (of
> which this device would be a part) in ssl-cert.nse? Another option is
> the ssl-known-key script that's under discussion:
> http://seclists.org/nmap-dev/2010/q4/733.
>
> Overall this script looks like a combination of ssl-cert, http-enum,
> http-favicon, and version detection. What is the output of version
> detection against this system? Do you think that the gai.js and
> style.css checks could be moved into http-enum?
>
> About your hash lookups: Instead of structuring your tables like this:
> >         {md5="089e6c5d1eb61af201b8cbb024d98d00", name="3.1.1"},
> do it like this:
> >         {["089e6c5d1eb61af201b8cbb024d98d00"] = "3.1.1"},
> Then you can just look up sslcerts[md5] instead of having to use a loop.
>
> The script produces a few lines of output even when the result is
> completely negative:
>
> $ ./nmap -p443 --script=mguard-10091201 --datadir . mail.google.com -d2
> PORT    STATE SERVICE REASON
> 443/tcp open  https   syn-ack
> | mguard-10091201:
> | ............File style.css         : FAIL
> | ** PHASE 3: HTML pattern matching verification
> | ....Step 1: Confirmation of HTML code per version
> | ............HTML code version      : UNKNOWN
> |
> | ....Step 2: Confirmation web server verification
> | ............Web server name/type   : UNKNOWN
> |
> | ** PHASE 4: Documentation
> |_....Step 1: Documentation exist?   : YES
>
> The script seems to be written from the point of view that someone
> suspects they have an mGuard device, and want to confirm their belief.
> It's more helpful if the script can run against a variety of devices and
> report about whatever it finds; that answers the first use case too and
> is probably even more common.
>
> David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/