Full Disclosure mailing list archives
Re: scada/plc gear
From: gmaggro <gmaggro () rogers com>
Date: Thu, 24 Jan 2008 09:38:21 -0500
One more device arrived, a Lantronix MSS485-T, an interesting and what would appear to be an older piece - it also supports IPX and LAT: http://www.lantronix.com/device-networking/external-device-servers/mss485-t.html

All kinds of ports open on this thing according to nmap, but a little odd... only TCP 23, 79, 513, 514, 2001, 2100, 2101, 3001, 7000, 13001, 14001. There's no Modbus (502) but I wasn't after that with this particular device. MAC prefix is 00:80:A3 (Lantronix) and the OS guess is Lantronix MSSlite device server. snmpwalking yields a sysDescr of "Lantronix MSS485 Version V3.6/4(000712)", a sysLocation "Micro Serial Server", a sysName "MSS_1DF552" and an ifDescr "Lantronix Ethernet 802.3". According to SNMP it also says it has UDP 13, 37, 53, 123, 137, 161 and 520 open but it lies.

A Nessus scan choked this thing up pretty good, and it would appear a few aggressive nmap scans with scripting and versioning enabled caused it to behave oddly. Oddly meaning some ports going filtered, others dropping off, services still up running slow, etc. Perhaps a coincidence, but this device too has a reset button on it :)

I love cracking open the boxes on older gear; it tends to be built of a lot more discrete parts and glue, instead of single chip solutions. Often this results in them being more hackable. Significantly easier to rework or piggyback a QFP with a clip than a P/BGA, yes? Backdoor the firmware before selling it to the target you want to penetrate... or just put it on eBay, have someone buy it, and wait for it to call home or spit creds to an IRC channel. I have seen this demonstrated in a controlled environment, but I often wonder how feasible it would be in real life for a small group of individuals to carry out.

In any case, the main parts are a 68EC000 10MHz CPU, a Nat Semi DP83902AVLJ NIC, an AMD flash, some NEC DRAM, and a Lantronix ASIC that I cannot seem to dig much up on. This is because the graphics are a little strangely printed, but it looks to say "AIM I 0044LHU LANTRONIX SAL-10/20MHz 220-170". I'm guessing it's something to do with the serial (RS485) protocols, but I'd appreciate being told what it actually is.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/