PaulDotCom mailing list archives

Re: NMAP for SCADA


From: Michael Wilson <pauldotcom () siteshadow com>
Date: Tue, 27 Nov 2012 14:48:17 -0600

Hi Bruce,

Please see
http://www.digitalbond.com/tools/bandolier/nerc-cip-scan-policies/nerc-cip-007-r8-information/
for good thoughts on ports and services for NERC/CIP.
As seen there, "Only ports listening on the interface that was scanned
with a port scanner would be in the network scan results.  Multihomed
systems, and systems that have ports listening only on localhost (i.e.
127.0.0.1), will not be represented accurately if every interface is not
scanned." I would add that systems that have ports open, but are blocked
somewhere between your scan source and the destination endpoint would also
be missed.

In other words, nmap is not the ideal way to scan for CIP-005/007 open
ports. Additionally, nmap gives you nothing more than circumstantial
information about network-facing "services" and zero about services that
are not network-facing. Netstat -abn is your friend here. Only use nmap as
a last ditch resort for due-diligence brownie points.

Also see the above link for what I consider an appropriate definition for
"services". I am really hoping that NERC defines that word officially soon!
As for ports, write a simple script to run netstat on a list of remote
systems and output the results to a text file (or files). The tricky part (assuming
you're doing a CVA) is verifying that these ports are needed, dealing with
MS ephemeral ranges, etc.

Thanks,
Michael (another NERC CIP person)

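The netstat-collection script Michael describes, written out as an added example (not code from the original post): it pulls netstat from a list of hosts over ssh, reduces each result to listening TCP/UDP ports, and flags any listener that is not in an approved-baseline file, which is the CIP-007 "is this port needed" check. The hosts file, output directory and baseline file are hypothetical, and the sample netstat text is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Hosts file, output dir and
# baseline file are hypothetical; the sample netstat text is constructed.

# Reduce netstat output on stdin to unique "tcp PORT"/"udp PORT" listener
# lines. Handles Linux `netstat -an` (local address in $4, state LISTEN)
# and Windows `netstat -abn` (local address in $2, state LISTENING).
parse_listeners() {
  awk '
    { proto = tolower($1); if (proto !~ /^(tcp|udp)/) next
      addr = (NF >= 5) ? $4 : $2
      n = split(addr, a, ":"); port = a[n]   # last field is the port (IPv6 too)
      if (proto ~ /^tcp/ && $NF !~ /^LISTEN/) next
      printf "%s %s\n", substr(proto, 1, 3), port }
  ' | sort -u
}

# Print stdin lines absent from the baseline file $1 (approved "proto port"
# lines). grep exits 1 when nothing is flagged, which is success here.
flag_unexpected() { grep -vxF -f "$1" || true; }

# Run netstat over ssh on each host in $1 (one per line); keep one raw
# evidence file per host in $2.
collect_remote() {
  mkdir -p "$2"
  while read -r h; do
    [ -n "$h" ] || continue
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$h" 'netstat -an' \
      > "$2/$h.netstat.txt" 2>/dev/null || echo "WARN: $h not collected" >&2
  done < "$1"
}

# Constructed Linux-style sample: sshd, loopback-only CUPS (invisible to a
# remote nmap), NTP on v4 and v6, and an established session that is not a listener.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 10.1.1.5:22 10.1.1.9:51234 ESTABLISHED
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp6 0 0 :::123 :::*'

# Check the sample against a baseline approving only ssh and NTP.
demo_unexpected() {
  b=$(mktemp)
  printf 'tcp 22\nudp 123\n' > "$b"
  printf '%s\n' "$SAMPLE_NETSTAT" | parse_listeners | flag_unexpected "$b"
  rm -f "$b"
}

demo_unexpected   # prints: tcp 631
```

For a real run, `collect_remote hosts.txt out/` gathers the raw files and `parse_listeners < out/HOST.netstat.txt | flag_unexpected baseline.txt` reviews each one; the loopback-only 631 in the sample is the kind of listener a remote nmap scan would never report.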

----------------------------------------
(Caveat: I do NERC CIP work and we use a command line script to look at
netstat, lsof, etc. rather than using nmap and potentially knocking over
PLCs, etc.)
Having said that, look at specifying the packet timing rather than using
the regular T options.  Also, specify UDP ports to known services like NTP
and your basic Windows services - I do that for non-SCADA port mapping
already given time limits on engagements.  I don't think you'll have a big
issue with SYN over connect scans but that idea doesn't hurt.  Use -sV and
grab your banners especially taking the time for full connect.  You may
even want to spend a couple minutes going through the scripts and tuning a
couple to grab more information.

On Nov 27, 2012 1:48 PM, "Bruce Barnett" <grymoire () gmail com> wrote:
I'm going to have a short-time access to a SCADA test lab, and I want
to run a port map to characterize the services available.

There are about 7 networks (virtual and real), with 6 physical
Ethernet ports. I want to discover all services, on all networks. I
don't need stealth, and I want to avoid scans that might crash older
devices. I also don't want to get half-done and realize that I made
the wrong choices, and have to do it again.

I was thinking of using -sS, but I am concerned some devices might
crash if there are too many half-open connections.
So should I use -sT instead - I think.
And -r would make the scan more "repeatable" if some device crashes.
So any comments on using these options:

    nmap  -r -v -sT -sU 10.1.1.0/24 10.2.0.0/24 -oX scan1.xml -oG scan1.txt
repeat for the next interface, etc.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com