Full Disclosure mailing list archives
Re: scada/plc gear
From: gmaggro <gmaggro () rogers com>
Date: Fri, 11 Jan 2008 12:12:47 -0500
Anyone done any poking around with DNP3, ICCP, OPC, Ethernet/IP, etc.? OK, some more results are in.
- i.Board i.CanDoIt embedded webserver (http://www.csimn.com/CSI_pages/iboard.html) which is built similar to the Kohler in that it uses an embedded ethernet module, but this time from Digi (http://www.digi.com/products/embeddedsolutions/digiconnectme.jsp)
The Digiboard 'Connect ME' module has MAC prefix 00:40:9D and what appears to be P/N: (1P) 50000878-03 M. At heart specs say it's an ARM NS7520 MCU. The iBoard is the most configurable device of the bunch so far and the web interface is quite substantial. A very cool little box. Stuff open on 21, 23, 80, 161, 502. sysDescr indicates "Control Solutions i.CanDoIt BAS-700 ReMOTE I/O". HTTP is Allegro-Software-RomPager/4.01, FTP says NET+OS 6.3. Same basic tests on hammering 502 gave up nothing. Days pounding this thing with crud and it never drops a connection or chokes. Can't wait to start poking around inside of the modbus protocol instead of this cheese.
- ADAM-4572 (http://www.ucs.co.uk/index.php?pid=948)
MAC prefix 00:D0:C9 "Advantech Co.". Now this is an interesting box. The only thing open on it is 502. It's not as robust as the iBoard, as hammering the ADAM-4572 on 502 with crud caused it to stop responding within seconds. However, it came back online within 10 seconds. It feels like this thing has a watchdog built-in so when something throws an exception it reloads itself. Opening it up, it's built of a great deal more discrete parts than the other devices. The main parts are a couple QFPs (ARM MCU S3C4510B01-QE80, Cortina Systems ethernet EGLXT970) and a PLCC (am29f040b flash). I like the PLCC, that's easy to yank out, drop in a programmer (I always liked the Needhams Electronics stuff) and dump.

-----------------------------

Handy utility in the same vein (but this one can perform writes) as the modpoll utility mentioned earlier in the thread, is the mbread utility contained in the following: http://www.tuxplc.net/index.php?page=modbus-tcp-protocol

Commercial SCADA security testing platform/service which looks to be setting itself up as some kind of standard: http://www.wurldtech.com/achilles/index.php

An amusing, and somewhat inflammatory, article about the state of SCADA related blackhattery: http://www.digitalbond.com/index.php/2008/01/03/chaos-computer-club-ccc-scada-presentation-report/
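The difference between the iBoard, which "never drops a connection or chokes," and the ADAM-4572, which stops responding within seconds and relies on a watchdog reset, comes down to how the firmware validates the Modbus/TCP frames it reads from port 502. The following Python is an added example, not code from this post or from any of the devices named in it; it shows a strict MBAP header and PDU validator of the kind a hardened receive path needs, run over a constructed batch of frames (one valid Read Holding Registers request plus several malformed ones). The function names `parse_modbus_tcp` and `triage`, the `MalformedFrame` exception and the sample frames are all my own; the field layout and limits (protocol id 0, length field covering unit id plus PDU, PDU at most 253 bytes, at most 125 registers per read) are from the Modbus/TCP specification.

```python
"""Strict Modbus/TCP request validation (added example, not from the mailing list)."""
import struct

MBAP_HEADER_LEN = 7          # transaction id(2) + protocol id(2) + length(2) + unit id(1)
MAX_MBAP_LENGTH = 254        # unit id (1) + largest legal PDU (253 bytes)
MAX_READ_REGISTERS = 125     # spec limit for one Read Holding Registers request
READ_HOLDING_REGISTERS = 0x03


class MalformedFrame(ValueError):
    """Raised for any frame that fails validation; the caller logs and drops it."""


def parse_modbus_tcp(frame: bytes) -> dict:
    """Validate one Modbus/TCP ADU and return its decoded fields.

    Every check here is something a receiver can verify before acting on the
    frame; a malformed frame raises MalformedFrame instead of indexing past
    the end of a buffer or trusting a bogus length field.
    """
    if len(frame) < MBAP_HEADER_LEN + 1:
        raise MalformedFrame("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_HEADER_LEN])
    if proto != 0:
        raise MalformedFrame(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, so it is at least 2 and never above 254.
    if not 2 <= length <= MAX_MBAP_LENGTH:
        raise MalformedFrame(f"length field {length} outside 2..{MAX_MBAP_LENGTH}")
    if len(frame) != 6 + length:
        raise MalformedFrame(
            f"length field {length} does not match {len(frame) - 6} bytes present")
    pdu = frame[MBAP_HEADER_LEN:]
    fc = pdu[0]
    if fc == 0 or fc >= 0x80:
        raise MalformedFrame(f"function code 0x{fc:02x} is not valid in a request")
    decoded = {"tid": tid, "unit": unit, "fc": fc, "data": pdu[1:]}
    if fc == READ_HOLDING_REGISTERS:
        if len(pdu) != 5:
            raise MalformedFrame("Read Holding Registers PDU must be exactly 5 bytes")
        start, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= MAX_READ_REGISTERS:
            raise MalformedFrame(f"register quantity {qty} outside 1..{MAX_READ_REGISTERS}")
        if start + qty > 0x10000:
            raise MalformedFrame("register range wraps past address 0xFFFF")
        decoded.update(start=start, quantity=qty)
    return decoded


def triage(frames):
    """Run a batch of frames through the validator the way a hardened receive
    loop would: keep going after bad input, never crash or reset."""
    accepted, rejected = [], []
    for frame in frames:
        try:
            accepted.append(parse_modbus_tcp(frame))
        except MalformedFrame as exc:
            rejected.append(str(exc))
    return accepted, rejected


# Constructed sample traffic: one well-formed read request plus the kinds of
# junk that turn up when port 502 is hammered with crud.
SAMPLE_FRAMES = [
    b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",  # valid: read 10 regs from 0
    b"\x00\x02\x00",                                      # truncated header
    b"\x00\x03\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a",  # protocol id 1
    b"\x00\x04\x00\x00\x00\x06\x01\x03",                  # length claims 6, 2 present
    b"\x00\x05\x00\x00\xff\xff\x01\x03",                  # absurd length field
    b"\x00\x06\x00\x00\x00\x06\x01\x03\x00\x00\x00\x7e",  # quantity 126 > 125
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_FRAMES)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for reason in bad:
        print("  dropped:", reason)
```

The design point is that the length field is checked against the bytes actually received before anything is indexed, and that a rejected frame is logged and discarded rather than allowed to raise past the receive loop; a device that treats every one of these as a fatal exception ends up behaving like the ADAM-4572 above, going silent until the watchdog reboots it.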
Current thread:
- scada/plc gear gmaggro (Jan 05)
- Re: scada/plc gear b9u4ea (Jan 07)
- Re: scada/plc gear gmaggro (Jan 07)
- Re: scada/plc gear b9u4ea (Jan 08)
- Re: scada/plc gear gmaggro (Jan 09)
- Re: scada/plc gear gmaggro (Jan 07)
- Re: scada/plc gear b9u4ea (Jan 07)
- Re: scada/plc gear full disclosure (Jan 07)
- <Possible follow-ups>
- Re: scada/plc gear Worthless Email (Jan 09)
- Re: scada/plc gear b9u4ea (Jan 10)
- Re: scada/plc gear gmaggro (Jan 11)
- Re: scada/plc gear b9u4ea (Jan 10)
- Re: scada/plc gear gmaggro (Jan 15)
- Re: scada/plc gear gmaggro (Jan 15)
- Re: scada/plc gear gmaggro (Jan 24)