Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: scada/plc gear

From: gmaggro <gmaggro () rogers com>
Date: Thu, 24 Jan 2008 09:38:21 -0500
One more device arrived, a Lantronix MSS485-T, an interesting and what 
would appear to be older piece - it also supports IPX and LAT: 
http://www.lantronix.com/device-networking/external-device-servers/mss485-t.html

All kinds of ports open on this thing according to nmap, but a little 
odd... only TCP 23, 79, 513, 514, 2001, 2100, 2101, 3001, 7000, 13001, 
14001.

There's no modbus (502) but I wasn't after that with this particular device.

Mac prefix is 00:80:A3 (Lantronix) and the OS guess is Lantronix MSSlite 
device server.

snmpwalking yields a sysDescr of "Lantronix MSS485 Version 
V3.6/4(000712)", a sysLocation "Micro Serial Server", a sysName 
"MSS_1DF552" and an ifDescr "Lantronix Ethernet 802.3". According to 
snmp it also says it has UDP 13, 37, 53, 123, 137, 161 and 520 open but 
it lies.

A Nessus scan choked this thing up pretty good, and it would appear a 
few aggresive nmap scans with scripting and versioning enabled caused it 
to behave oddly. Oddly meaning some ports going filtered, others 
dropping off, services still up running slow, etc. Perhaps a 
co-incidence, but this device too has a reset button on it :)

I love cracking open the boxes on older gear; it tends to be built of 
alot more discrete parts and glue, instead of single chip solutions. 
Often this results in them being more hackable. Significantly easier to 
rework or piggyback a QFP with a clip than a P/BGA, yes? Backdoor the 
firmware before selling it to the target you want to penetrate... or 
just put it on ebay, have someone buy it, and wait for it to call home 
or spit creds to an IRC channel. I have seen this demonstrated in a 
controlled environment, but I often wonder how feasible it would be in 
real life for a small group of individuals to carry out.

In any case, the main parts are a 68EC000 10MHz CPU, a Nat Semi 
DP83902AVLJ NIC, an AMD flash, some NEC DRAM, and a Lantronix ASIC that 
I cannot seem to dig much up on. This is because the graphics are a 
little strangely printed, but it looks to say "AIM I 0044LHU LANTRONIX 
SAL-10/20MHz 220-170". I'm guessing it's something to do with the serial 
(rs485) protocols, but I'd appreciate being told what it actually is.







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: