Nmap Development mailing list archives
Re: Another SCADA/ICS NMAP NSE script - Electro Industries / Guagetech 'Nexus' smart meter enumeration script
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Wed, 02 Feb 2011 01:04:52 -0600
OK...some truths? Ever heard of "SHODAN"? Look it up... I am doing 'testing' on live systems that aren't password-protected, are considered 'open', and connected (most likely) *directly* to the Internet. I am delving into some dangerous waters here, and do not wish to make any further statements at this time... -rad ----- Original Message ----- From: David Fifield [mailto:david () bamsoftware com] To: Bob Radvanovsky [mailto:rsradvan () unixworks net] Cc: nmap-dev () insecure org Subject: Re: Another SCADA/ICS NMAP NSE script - Electro Industries / Guagetech 'Nexus' smart meter enumeration script
On Tue, Dec 07, 2010 at 03:19:47PM -0600, Bob Radvanovsky wrote:This is one of several enumeration scripts that I have written for the SCADA/industrial control systems community. This checks/validates the web-based traffic for the Electro Industries / Guagetech 'Nexus' smart meter device. NOTE: This has been ONLY tested with a limited number of models from the 'Nexus' series, and I am still adding more models (such as the Shark 100S). All of these devices utilize an Ethernet connection to 'talk back' to a (probably) centralized controller. All devices are capable of running both Modbus TCP and DNP3. The Shark 100S and Shark 200S provide wireless (via WiFi) capabilities to poll these devices. All devices that have web server capabilities DO NOT utilize any "secured web servers" (port 443), ONLY UN-secured web servers (port 80). If I encounter any 'Nexus' devices that do provide/offer "secured web servers", that will be incorporated into the NSE enumeration script. The same script is shown below; if you wish to download the script, the script may be accessed here: http://www.infracritical.com/enum-scripts/eig.nse PORT STATE SERVICE 80/tcp open http | eig: CONFIRM DEVICE AS ELECTRO INDUSTRIES GAUGETECH | ** PHASE 1: HTML verification | ....Step 1: EIG device info : CONFIRMED | ............Version S/W : 1.0 (Build 34) | ............Boot Version S/W : 1.0 (Build 50) | ....Step 2: HTML device detailed information | ............Manufacturer name : Electro Industries/GaugeTech | ............Boot ID model number : Boot 100 Base-T | ............Run ID model number : Run 100 Base-T | ............Device type : 0107 Nexus 1252 | ............Serial number : 00000000 | ............Network MAC Address : 00-00-00-00-00-00 | ............Modbus TCP server : ENABLED | ............DNP TCP Server : DISABLED | ** PHASE 2: Documentation | ....Step 1: Documentation exist? : YES |_............ninja.infracritical.com/dox/gaugetech/nexus1252.pdfAs I read it, this script makes several HTTP requests: / /diag_firmware.htm /meter_information.htm /diag_modbus_tcp_server.htm /diag_dnp_lan_wan.htm It then runs pattern matching against the HTML to get the device configuration. Bob, I'm curious about how you use these scripts. I think it will help me understand your perspective. Do you run them against large netblocks to enumerate devices of a certain type? Do you only run them when you think you have a certain type of device on your hands? If so, how do you get that knowledge, from Nmap or otherwise? It's pretty easy for me to imagine someone scanning an address and saying "Oh, version detection / NSE says that I have a Nexus smart meter here." It's hard to imagine someone saying, "A Nexus smart meter? I have a script to run to get lots of details from that particular device." Do you see what I mean? If this knowledge can be had from version detection or a general-purpose script, that is preferable to isolating the knowledge where it is less likely to be used. I think you have some good ideas here and I hope I'm not being too brusque. I think the checks implemented by this script are good candidates to be moved to http-enum. The large number of data fields you're able to retrieve may strain the pattern replacement (I don't know if you can have a replacement higher than \9), but that's a worthwhile thing to test too. David Fifield
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Another SCADA/ICS NMAP NSE script - Electro Industries / Guagetech 'Nexus' smart meter enumeration script Bob Radvanovsky (Feb 01)