Re: [NSE] modbus-enum.nse, modbus discovery script

[Bob Radvanovsky <rsradvan () unixworks net>]

That's a great idea, Mr. Rudakov!  I would be happy to test your script in our environment, too, and look forward to 
your update.

Спасибо!

-r

----- Original Message -----
From: Александр Рудаков [mailto:freekoder () gmail com]
To: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Cc: nmap-dev () insecure org
Subject: Re: [NSE] modbus-enum.nse, modbus discovery script


> Bob, I read Modbus Application Protocol V1.1, and have next ideas how to
> improve script:
>
> 1) Use 17 function code to find legal sid values. This function does not
> require payload data, so the data variable does not need to be redefined.
> 2) If error response returns, script can show error description according to
> the exception code.
> 3) After legal sid detected, we can descover device vendor and version by
> using read device identification function (0x2B).
>
> I wrote test script to get vendor identificator and test it on my devices.
> It works well. But I need more time for cleanup.
> What do you think about it?
>
> With best regards, Alexander.
>
> 2010/11/30 Bob Radvanovsky <rsradvan () unixworks net>
>
> > I will be evaluating/validating this on several MODBUS devices that we
> have
> > in our lab.  If there need to be any modifications, I will provide a
> > modification to Mr. Rudakov's modbus-enum.nse, and resubmit it to Mr.
> > Rudakov (and this mailing list) for review.  Based on the MODBUS protocol
> > definition, there are other functionalities that can be performed, some of
> > which can perform some dangerous stuff, such as shutting down a MODBUS
> > device.
> >
> > When we get started on the evaluation/validation testing, I will list the
> > manufacturers, series and product number that we performed the tests
> > against.  This will be made available to the general public via our web
> > site.
> >
> > -r
> >
> > ----- Original Message -----
> > From: Александр Рудаков [mailto:freekoder () gmail com]
> > To: Bob Radvanovsky [mailto:rsradvan () unixworks net], David Fifield
> > [mailto:david () bamsoftware com]
> > Cc: nmap-dev () insecure org
> > Subject: Re: [NSE] modbus-enum.nse, modbus discovery script
> >
> >
> > > Hi, Bob. Hi, David.
> > > Thanks for your attention to this script.
> > > Bob said quite rigth, that 08 is diagnostic function. Defcon
> presentation
> > > says that diagnostic function has diagnostic code 00 00 just returning
> > query
> > > data, so 00 00 AA BB is query to return data AA BB. I just took it from
> > > query examples at presentations.
> > >
> > > Past week I tried to test my script on real modbus devices. Code 08
> works
> > > well, but devices I have seems don't understand return data queries.
> > > I will test this script with 17 function code. May be it would be better
> > to
> > > use this value.
> > > Also, I noticed that some timeout required (about 2 seconds) between
> > > queries.
> > >
> > > 29 ноября 2010 г. 13:33 пользователь Bob Radvanovsky
> > > <rsradvan () unixworks net
> > > > написал:
> > >
> > > > Code 8 is used for diagnostics.
> > > >
> > > > Go here: http://en.wikipedia.org/wiki/Modbus
> > > > and here:
> http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf(section6.9
> > > on page 25/51)
> > > > "The event counter can be reset by means of the Diagnostics function
> > (code
> > > > 08), with a subfunction
> > > > of Restart Communications Option (code 00 01) or Clear Counters and
> > > > Diagnostic
> > > > Register (code 00 0A)."
> > > >
> > > > and here: http://www.modbus.org/docs/PI_MBUS_300.pdf (page 74)
> > > >
> > > > "Description
> > > >
> > > > Returns a status word and an event count from the slave's
> > communications
> > > > event
> > > > counter. By fetching the current count before and after a series of
> > > > messages, a
> > > > master can determine whether the messages were handled normally by the
> > > > slave.
> > > > Broadcast is not supported.
> > > >
> > > > The controller's event counter is incremented once for each successful
> > > > message
> > > > completion. It is not incremented for exception responses, poll
> > commands,
> > > > or
> > > > fetch event counter commands.
> > > >
> > > > The event counter can be reset by means of the Diagnostics function
> > (code
> > > > 08),
> > > > with a subfunction of Restart Communications Option (code 00 01) or
> > Clear
> > > > Counters and Diagnostic Register (code 00 0A)."
> > > >
> > > > -r
> > > >
> > > > ----- Original Message -----
> > > > From: David Fifield [mailto:david () bamsoftware com]
> > > > To: Александр Рудаков [mailto:freekoder () gmail com]
> > > > Cc: nmap-dev () insecure org
> > > > Subject: Re: [NSE] modbus-enum.nse, modbus discovery script
> > > >
> > > >
> > > > > On Mon, Nov 22, 2010 at 08:57:51PM +0300, Александр
> > > Рудаков
> > > > > wrote:> > Hi all,> > > > I realised the script that duplicates
> > > functional
> > > > of
> > > > > Mark Bristow's modscan> > utility.> > Modscan utility finds MODBUS
> > (one
> > > > of the
> > > > > popular SCADA protocols) devices in> > IP range and determines slave
> > id
> > > > > (SID).> > It tries to find legal SID of tcp modbus server by
> > > > bruteforcing.> >
> > > > > I just rewrote python code on lua and implemented it as nmap script.
> > > Here
> > > > > is> > output of the script:> > > > PORT    STATE SERVICE> > 502/tcp
> > open
> > > > > modbus> > | modbus-enum:> > |   Positive response for sid = 0x64> >
> |
> > > > > Positive error response for sid = 0x96> > |_  Positive response for
> > sid
> > > =
> > > > > 0xc8> > > >  Also, I wrote small modbus server mock on python for
> > test
> > > > > purposes.> > In the future, this script can be extended to test
> > > specifict
> > > > > modbus devices> > and disclosure sensitive information.> > This is
> my
> > > > first
> > > > > expirience in nmap script development so I would be pleased> > to
> > hear
> > > > notes
> > > > > and advises, and I hope it may be useful for someone.> > > > Modscan
> > > > project
> > > > > can be found here: http://code.google.com/p/modscan/> > PDF
> > Presentation
> > > > > about MODBUS proto and modscan utility from Defcon 16:> >
> https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf
> > > > > > > NSE script and modbus server mock are in attachments and at
> > google
> > > > > code:> > https://code.google.com/p/nmap-modscan/.> > I think the
> > script
> > > > looks
> > > > > good. What is the reason for using function> code 8 instead of the
> > > > default 17
> > > > > that modscan.py
> > > > > uses?> >
> > > > http://code.google.com/p/modscan/source/browse/trunk/modscan.py#43> >
> > This
> > > > > page defines "Report slave ID" for code 17 but doesn't mention
> > > > > code> 8.> > http://www.lammertbies.nl/comm/info/modbus.html#func> >
> > Is
> > > > there
> > > > > significance to the "00 00 AA BB" data?> > David
> > > > > Fifield> _______________________________________________> Sent
> > through
> > > > the
> > > > > nmap-dev mailing
> > > > > list> http://cgi.insecure.org/mailman/listinfo/nmap-dev> Archived at
> > > > > http://seclists.org/nmap-dev/
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/