Nmap Development mailing list archives
Another SCADA/ICS NMAP NSE script - Rockwell MicroLogix Series 1400 enumeration script
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Mon, 06 Dec 2010 21:28:38 -0600
This is one of several enumeration scripts that I have written for the SCADA/industrial control systems community. This checks/validates the SNMP traffic for the Allen-Bradley/Rockwell MicroLogix Series 1400 PLC controller. The same script is shown below; if you wish to download the script, the script may be accessed here: http://www.infracritical.com/enum-scripts/micrologix1400.nse =============================================== description = "Confirms/verifies that target device is Rockwell MicroLogix." author = "Bob Radvanovsky <rsradvan at infracritical dot com>" license = "Refer to: http://nmap.org/book/man-legal.html for license." categories = {"default", "discovery", "safe"} dependencies= {"snmp-brute"} -- -- Filename: micrologix1400.nse -- -- Purpose: Checks for the following elements confirming said device: -- -- 1. PHASE I - SNMP verification. -- a. STEP 1: Performs verification through 'snmpwalk'. -- b. STEP 2: Acquires specific details from SNMP 'sysDescr.0'. -- -- 2. PHASE II - Documentation. -- -- ========================================================================== -- -- Version(s): 4.0, 5.0 -- -- Usage: nmap --script=./micrologix1400.nse <IP> -- (continued) --script-args='dox=1' -PN -sU -p161 -v -- -- Author(s): Bob Radvanovsky - Infracritical -- <rsradvan at infracritical dot com> -- -- Initwritten: September 2010 -- -- DATE---- INIT DESCRIPTION------------------------------------------------ -- 10.05.09 rsr Inital development - VERSION 001. -- 10.05.09 rsr Included URL links for related reference documentation. -- -- NOTE: Script is a derived work from Thomas Buchanan's "snmp-sysdescr.nse" -- NSE script, and has been modified to work specifically on/for the -- Allen-Bradley/Rockwell Automation MicroLogix Series 1400 devices. -- -- NOTE: We try and verify, running tests on as many versions of this device -- as possible. If you encounter an "UNKNOWN", this may mean that you -- have scanned a device version/variant that was not tested. -- -- Since we are providing this script free-of-charge to everyone, -- would help us - and the community - if you would report the variance -- to us. Submit your findings to "report () infracritical com". Thanks! -- require("nmap") require("nsedebug") require("datafiles") require("stdnse") require("shortport") require("snmp") require("http") require("url") require("strbuf") portrule = shortport.portnumber({80,161}, "udp", {"open", "open|filtered"}) action = function(host, port) -- create the socket used for our connection local socket = nmap.new_socket() -- set a reasonable timeout value socket:set_timeout(5000) -- do some exception handling / cleanup local catch = function() socket:close() end -- connect to the potential SNMP system local try = nmap.new_try(catch) try(socket:connect(host.ip, port.number, "udp")) -- If you want to perform a test verifiication/validation of another OID, -- here are some values (as shown below): -- get value: 1.3.6.1.2.1.1.1 (SNMPv2-MIB::sysDescr.0) -- get value: 1.3.6.1.2.1.1.2 (SNMPv2-MIB::sysObjectID.0) -- get value: 1.3.6.1.2.1.1.3 (SNMPv2-MIB::sysUpTime.0) -- get value: 1.3.6.1.2.1.1.4 (SNMPv2-MIB::sysContact.0) -- get value: 1.3.6.1.2.1.1.5 (SNMPv2-MIB::sysName.0) -- get value: 1.3.6.1.2.1.1.6 (SNMPv2-MIB::sysLocation.0) -- get value: 1.3.6.1.2.1.1.7 (SNMPv2-MIB::sysServices.0) local payload; local options = {}; options.reqId = 28428 -- unnecessary? payload = snmp.encode(snmp.buildPacket(snmp.buildGetRequest(options, "1.3.6.1.2.1.1.1.0"))) try(socket:send(payload)) local status, response -- read in any response we might get status, response = socket:receive_bytes(1) if (not status) or (response == "TIMEOUT") then return; end -- since we got something back, the port is definitely open nmap.set_port_state(host, port, "open") local confirm = tostring(snmp.fetchFirst(response)) -- print(confirm) result = "CONFIRM DEVICE AS ALLEN-BRADLEY/ROCKWELL MICROLOGIX" local split = stdnse.strsplit(" ",confirm) local split2 = stdnse.strsplit("-",split[1]) if (string.match(split2[1], "Allen") and string.match(split2[2], "Bradley")) or string.match(confirm, "Rockwell") then if string.match(confirm, "MicroLogix1400") then if nmap.verbosity() > 1 then result = result .. "\n** PHASE 1: SNMP verification" result = result .. "\n....Step 1: MicroLogix device info : CONFIRMED" else result = result .. "\n** IF YOU REQUIRE MORE INFO, USE THE \"-v\" OPTION" end end local split = stdnse.strsplit(" ",confirm) if string.match(split2[1], "Allen") then name = string.sub(split[1],1,15) end if string.match(confirm, "Rockwell") then name1 = string.sub(split[1],1,15) name2 = string.sub(split[2],1,15) name = name1 .. " " .. name2 end modelnum = string.sub(split[2],1,14) version = string.sub(split[3],3,6) fullversion = string.sub(split[3],1,6) modeltype = string.sub(split[4],1,10) .. " " .. string.sub(split[4],11,14) series = string.sub(split[6],1,1) revision = string.sub(split[8],1,4) if nmap.verbosity() > 1 then result = result .. "\n............Version S/W : " .. fullversion else result = result .. "\n............MicroLogix device info : CONFIRMED" result = result .. "\n............Version S/W : " .. version end if nmap.verbosity() > 1 then result = result .. "\n....Step 2: SNMP device detailed information" result = result .. "\n............Manufacturer name : " .. name result = result .. "\n............Model number : " .. modelnum result = result .. "\n............Type/model type : " .. modeltype result = result .. "\n............Series type : " .. series result = result .. "\n............Revision number : " .. revision result = result .. "\n** PHASE 2: Documentation" result = result .. "\n....Step 1: Documentation exist? : YES" result = result .. "\n" result = result .. "\n............ninja.infracritical.com/dox/1766-in001_-en-p.pdf" result = result .. "\n............ninja.infracritical.com/dox/1766-um002_-en-p.pdf" end else if nmap.verbosity() > 1 then result = "Fingerprint not found."; end end if nmap.verbosity() > 1 then result = result .. "\n"; end return result end =============================================== Same output was conducted on four (4) Internet-connected PLC devices "in the wild", and will look similar to something shown below. NOTE: "xxx.xxx.xxx.xxx" represents a sanitized IP address of the device taken from "in the wild" (thank you SHODAN). [root@server nmap]# nmap --script=./micrologix1400.nse xxx.xxx.xxx.xxx -PN -sU -p161 -vv Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-12-06 21:08 CST NSE: Loaded 1 scripts for scanning. Initiating Parallel DNS resolution of 1 host. at 21:08 Completed Parallel DNS resolution of 1 host. at 21:08, 0.15s elapsed Initiating UDP Scan at 21:08 Scanning xxx.domain.com (xxx.xxx.xxx.xxx) [1 port] Discovered open port 161/udp on xxx.xxx.xxx.xxx Completed UDP Scan at 21:08, 2.01s elapsed (1 total ports) NSE: Script scanning xxx.xxx.xxx.xxx. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 21:08 Completed NSE at 21:08, 0.14s elapsed Nmap scan report for xxx.domain.com (xxx.xxx.xxx.xxx) Host is up (1.8s latency). Scanned at 2010-12-06 21:08:34 CST for 2s PORT STATE SERVICE 161/udp open snmp | micrologix1400: CONFIRM DEVICE AS ALLEN-BRADLEY/ROCKWELL MICROLOGIX | ** PHASE 1: SNMP verification | ....Step 1: MicroLogix device info : CONFIRMED | ............Version S/W : A/5.00 | ....Step 2: SNMP device detailed information | ............Manufacturer name : Allen-Bradley | ............Model number : 1766-L32AWAA | ............Type/model type : MicroLogix 1400 | ............Series type : A | ............Revision number : 5.0 | ** PHASE 2: Documentation | ....Step 1: Documentation exist? : YES | ............ninja.infracritical.com/dox/1766-in001_-en-p.pdf |_............ninja.infracritical.com/dox/1766-um002_-en-p.pdf Read data files from: /usr/local/share/nmap Nmap done: 1 IP address (1 host up) scanned in 2.58 seconds Raw packets sent: 2 (176B) | Rcvd: 2 (160B) _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Another SCADA/ICS NMAP NSE script - Rockwell MicroLogix Series 1400 enumeration script Bob Radvanovsky (Dec 06)