PaulDotCom mailing list archives
Re: NMAP for SCADA
From: Michael Wilson <pauldotcom () siteshadow com>
Date: Tue, 27 Nov 2012 14:48:17 -0600
Hi Bruce,

Please see http://www.digitalbond.com/tools/bandolier/nerc-cip-scan-policies/nerc-cip-007-r8-information/ for good thoughts on ports and services for NERC/CIP. As seen there, "Only ports listening on the interface that was scanned with a port scanner would be in the network scan results. Multihomed systems, and systems that have ports listening only on localhost (i.e. 127.0.0.1), will not be represented accurately if every interface is not scanned."

I would add that systems that have ports open, but are blocked somewhere between your scan source and the destination endpoint, would also be missed. In other words, nmap is not the ideal way to scan for CIP-005/007 open ports. Additionally, nmap gives you nothing more than circumstantial information about network-facing "services" and zero about services that are not network-facing. Netstat -abn is your friend here. Only use nmap as a last-ditch resort for due-diligence brownie points.

Also see the above link for what I consider an appropriate definition for "services". I am really hoping that NERC defines that word officially soon!

As for ports, write a simple script to run netstat on a list of remote systems and output the results to a text file(s). The tricky part (assuming you're doing a CVA) is verifying that these ports are needed, dealing with MS ephemeral ranges, etc.

Thanks,
Michael (another NERC CIP person)

----------------------------------------

> (Caveat: I do NERC CIP work and we use a command line script to look at netstat, lsof, etc. rather than using nmap and potentially knocking over PLCs, etc.)
>
> Having said that, look at specifying the packet timing rather than using the regular T options. Also, specify UDP ports to known services like ntp and your basic Windows services - I do that for non-SCADA port mapping already given time limits on engagements. I don't think you'll have a big issue with syn over connect scans, but that idea doesn't hurt.
>
> Use -sV and grab your banners, especially taking the time for full connect. You may even want to spend a couple minutes going through the scripts and tuning a couple to grab more information.
>
> On Nov 27, 2012 1:48 PM, "Bruce Barnett" <grymoire () gmail com> wrote:
>
>> I'm going to have short-time access to a SCADA test lab, and I want to run a port map to characterize the services available. There are about 7 networks (virtual and real), with 6 physical Ethernet ports. I want to discover all services, on all networks. I don't need stealth, and I want to avoid scans that might crash older devices. I also don't want to get half-done and realize that I made the wrong choices, and have to do it again.
>>
>> I was thinking of using -sS, but I am concerned some devices might crash if there are too many half-open connections. So should I use -sT instead - I think. And -r would make the scan more "repeatable" if some device crashes.
>>
>> So any comments on using these options:
>>
>> nmap -r -v -sT -sU 10.1.1.0/24 10.2.0.0/24 -oX scan1.xml -oG scan1.txt
>>
>> repeat for next interface....., etc.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
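A minimal version of the "run netstat on a list of remote systems" script suggested in Michael's reply, added here as an example and not code from the thread. It assumes Linux targets reachable over ssh with key-based auth and `netstat` installed; the host-list file and output directory are caller-supplied, and the sample netstat output is constructed. Loopback-only listeners are tagged separately, since those are exactly the sockets a port scanner never sees.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: Linux hosts, ssh key auth,
# netstat available. Windows hosts would need "netstat -abn" instead.

# Read "netstat -tulpn" output on stdin and print one line per listening
# socket: proto local_addr:port pid/program exposure. Sockets bound to the
# loopback address are tagged "localhost-only" so they can be reviewed apart
# from network-facing ones (nmap cannot observe them at all).
parse_listening() {
    awk '
        function tag(addr) { return (addr ~ /^127\./ || addr ~ /^::1:/) ? "localhost-only" : "network-facing" }
        $1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4, $7, tag($4) }
        $1 ~ /^udp/                   { print $1, $4, $6, tag($4) }
    '
}

# Collect raw netstat output per host (kept as evidence) plus a parsed summary.
# $1 = file with one hostname per line, $2 = output directory.
# Note: "-p" only shows other users' program names when run as root.
collect_netstat() {
    hosts="$1"; outdir="$2"
    mkdir -p "$outdir"
    while IFS= read -r host; do
        [ -z "$host" ] && continue
        if ssh -o BatchMode=yes -o ConnectTimeout=10 "$host" 'netstat -tulpn' \
              > "$outdir/$host.netstat.txt" 2> "$outdir/$host.err"; then
            parse_listening < "$outdir/$host.netstat.txt" | sort -u > "$outdir/$host.listening.txt"
        else
            echo "WARN: no netstat output from $host (see $outdir/$host.err)" >&2
        fi
    done < "$hosts"
}

# Constructed sample of "netstat -tulpn" output, used to exercise the parser offline.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1021/postgres
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN      1300/modbusd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           640/ntpd'

# Number of listening sockets in the sample that a remote scanner could see at all.
network_facing_count() {
    printf '%s\n' "$SAMPLE" | parse_listening | grep -c 'network-facing$'
}
```

Run `collect_netstat hosts.txt ./netstat-out` against a real host list; the per-host `*.listening.txt` files are what you then reconcile against the documented ports and the MS ephemeral ranges.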