Re: [NSE] modbus-enum.nse, modbus discovery script

[David Fifield <david () bamsoftware com>]

On Mon, Nov 22, 2010 at 08:57:51PM +0300, Александр Рудаков wrote:
> Hi all,
>
> I realised the script that duplicates functional of Mark Bristow's modscan
> utility.
> Modscan utility finds MODBUS (one of the popular SCADA protocols) devices in
> IP range and determines slave id (SID).
> It tries to find legal SID of tcp modbus server by bruteforcing.
> I just rewrote python code on lua and implemented it as nmap script. Here is
> output of the script:
>
> PORT    STATE SERVICE
> 502/tcp open  modbus
> | modbus-enum:
> |   Positive response for sid = 0x64
> |   Positive error response for sid = 0x96
> |_  Positive response for sid = 0xc8
>
>  Also, I wrote small modbus server mock on python for test purposes.
> In the future, this script can be extended to test specifict modbus devices
> and disclosure sensitive information.
> This is my first expirience in nmap script development so I would be pleased
> to hear notes and advises, and I hope it may be useful for someone.
>
> Modscan project can be found here: http://code.google.com/p/modscan/
> PDF Presentation about MODBUS proto and modscan utility from Defcon 16:
> https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf
>
> NSE script and modbus server mock are in attachments and at google code:
> https://code.google.com/p/nmap-modscan/.

I think the script looks good. What is the reason for using function
code 8 instead of the default 17 that modscan.py uses?

http://code.google.com/p/modscan/source/browse/trunk/modscan.py#43

This page defines "Report slave ID" for code 17 but doesn't mention code
8.

http://www.lammertbies.nl/comm/info/modbus.html#func

Is there significance to the "00 00 AA BB" data?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/