Re: [NSE] modbus-enum.nse, modbus discovery script

[Alexander Rudakov <freekoder () gmail com>]

Hi, all. It's me again.
I cleaned modbus-discover.nse script. I refactored code, it's became cleaner
and simplier (I hope).
I threw away data and function code script arguments, and saved only
aggressive mode arg of slave id detection.
I tested script on real devices with next cases:
1) Neither the slave id (0x11) function nor read device
identification (0x2B) function supported (just error string printed)
2) Report slave Id function not supported by device, but read device
identification  function supported.
3) Both function supported (maximum information shows)

The main achievement for me is that I could find modbus device in the wild
using this script and get vendor information about it.


3 декабря 2010 г. 22:01 пользователь Александр Рудаков
<freekoder () gmail com>написал:

> Hi again.
>
> Last week I spent improving modbus-enum script. I implemented next
> features:
> 1) It tries to find valid sid by sending request report slave id
> (function code = 17).
> 2) If error response returned, it translate error code to error
> description string.
> 3) If positive reponse returned, it records slave id data from
> response and shows it in script output.
> 4) If legal sid is founded, it tries to get more info about modbus
> device by sending read device identification request (function id =
> 0x2B)  and record device identification strings.
>
> Script output now looks like this:
>
>  PORT    STATE SERVICE
>  502/tcp open  modbus
>  | modbus-enum:
>  |   Positive response for sid = 0x64
>  |     SLAVE ID DATA: \xFA\xFFPM710PowerMeter
>  |     DEVICE IDENTIFICATION: Schneider Electric PM710 v03.110
>  |   Positive error response for sid = 0x96 (GATEWAY TARGET DEVICE
> FAILED TO RESPONSE)
>  |_  Positive response for sid = 0xc8
>
> I test script on several devices and seems it works. But there are
> lack of error checks in script, for example checking of array bounds.
> I'm going to fix some potential errors and prettify script content.
>
> 2010/12/1, Bob Radvanovsky <rsradvan () unixworks net>:
> > That's a great idea, Mr. Rudakov!  I would be happy to test your script
> in
> > our environment, too, and look forward to your update.
> >
> > Спасибо!
> >
> > -r
> >
> > ----- Original Message -----
> > From: Александр Рудаков [mailto:freekoder () gmail com]
> > To: Bob Radvanovsky [mailto:rsradvan () unixworks net]
> > Cc: nmap-dev () insecure org
> > Subject: Re: [NSE] modbus-enum.nse, modbus discovery script
> >
> >
> > > Bob, I read Modbus Application Protocol V1.1, and have next ideas how to
> > > improve script:
> > >
> > > 1) Use 17 function code to find legal sid values. This function does not
> > > require payload data, so the data variable does not need to be
> redefined.
> > > 2) If error response returns, script can show error description
> according
> > > to
> > > the exception code.
> > > 3) After legal sid detected, we can descover device vendor and version
> by
> > > using read device identification function (0x2B).
> > >
> > > I wrote test script to get vendor identificator and test it on my
> devices.
> > > It works well. But I need more time for cleanup.
> > > What do you think about it?
> > >
> > > With best regards, Alexander.
> > >
> > > 2010/11/30 Bob Radvanovsky <rsradvan () unixworks net>
> > >
> > > > I will be evaluating/validating this on several MODBUS devices that we
> > > have
> > > > in our lab.  If there need to be any modifications, I will provide a
> > > > modification to Mr. Rudakov's modbus-enum.nse, and resubmit it to Mr.
> > > > Rudakov (and this mailing list) for review.  Based on the MODBUS
> > > > protocol
> > > > definition, there are other functionalities that can be performed,
> some
> > > > of
> > > > which can perform some dangerous stuff, such as shutting down a MODBUS
> > > > device.
> > > >
> > > > When we get started on the evaluation/validation testing, I will list
> > > > the
> > > > manufacturers, series and product number that we performed the tests
> > > > against.  This will be made available to the general public via our
> web
> > > > site.
> > > >
> > > > -r
> > > >
> > > > ----- Original Message -----
> > > > From: Александр Рудаков [mailto:freekoder () gmail com]
> > > > To: Bob Radvanovsky [mailto:rsradvan () unixworks net], David Fifield
> > > > [mailto:david () bamsoftware com]
> > > > Cc: nmap-dev () insecure org
> > > > Subject: Re: [NSE] modbus-enum.nse, modbus discovery script
> > > >
> > > >
> > > > > Hi, Bob. Hi, David.
> > > > > Thanks for your attention to this script.
> > > > > Bob said quite rigth, that 08 is diagnostic function. Defcon
> > > presentation
> > > > > says that diagnostic function has diagnostic code 00 00 just
> returning
> > > > query
> > > > > data, so 00 00 AA BB is query to return data AA BB. I just took it
> > > > > from
> > > > > query examples at presentations.
> > > > >
> > > > > Past week I tried to test my script on real modbus devices. Code 08
> > > works
> > > > > well, but devices I have seems don't understand return data queries.
> > > > > I will test this script with 17 function code. May be it would be
> > > > > better
> > > > to
> > > > > use this value.
> > > > > Also, I noticed that some timeout required (about 2 seconds) between
> > > > > queries.
> > > > >
> > > > > 29 ноября 2010 г. 13:33 пользователь Bob Radvanovsky
> > > > > <rsradvan () unixworks net
> > > > > > написал:
> > > > >
> > > > > > Code 8 is used for diagnostics.
> > > > > >
> > > > > > Go here: http://en.wikipedia.org/wiki/Modbus
> > > > > > and here:
> http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf(section6.9
> > > > > on page 25/51)
> > > > > > "The event counter can be reset by means of the Diagnostics
> function
> > > > (code
> > > > > > 08), with a subfunction
> > > > > > of Restart Communications Option (code 00 01) or Clear Counters
> and
> > > > > > Diagnostic
> > > > > > Register (code 00 0A)."
> > > > > >
> > > > > > and here: http://www.modbus.org/docs/PI_MBUS_300.pdf (page 74)
> > > > > >
> > > > > > "Description
> > > > > >
> > > > > > Returns a status word and an event count from the slave's
> > > > communications
> > > > > > event
> > > > > > counter. By fetching the current count before and after a series
> of
> > > > > > messages, a
> > > > > > master can determine whether the messages were handled normally by
> > > > > > the
> > > > > > slave.
> > > > > > Broadcast is not supported.
> > > > > >
> > > > > > The controller's event counter is incremented once for each
> > > > > > successful
> > > > > > message
> > > > > > completion. It is not incremented for exception responses, poll
> > > > commands,
> > > > > > or
> > > > > > fetch event counter commands.
> > > > > >
> > > > > > The event counter can be reset by means of the Diagnostics
> function
> > > > (code
> > > > > > 08),
> > > > > > with a subfunction of Restart Communications Option (code 00 01)
> or
> > > > Clear
> > > > > > Counters and Diagnostic Register (code 00 0A)."
> > > > > >
> > > > > > -r
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: David Fifield [mailto:david () bamsoftware com]
> > > > > > To: Александр Рудаков [mailto:freekoder () gmail com]
> > > > > > Cc: nmap-dev () insecure org
> > > > > > Subject: Re: [NSE] modbus-enum.nse, modbus discovery script
> > > > > >
> > > > > >
> > > > > > > On Mon, Nov 22, 2010 at 08:57:51PM +0300, Александр
> > > > > Рудаков
> > > > > > > wrote:> > Hi all,> > > > I realised the script that duplicates
> > > > > functional
> > > > > > of
> > > > > > > Mark Bristow's modscan> > utility.> > Modscan utility finds
> MODBUS
> > > > (one
> > > > > > of the
> > > > > > > popular SCADA protocols) devices in> > IP range and determines
> > > > > > > slave
> > > > id
> > > > > > > (SID).> > It tries to find legal SID of tcp modbus server by
> > > > > > bruteforcing.> >
> > > > > > > I just rewrote python code on lua and implemented it as nmap
> > > > > > > script.
> > > > > Here
> > > > > > > is> > output of the script:> > > > PORT    STATE SERVICE> >
> > > > > > > 502/tcp
> > > > open
> > > > > > > modbus> > | modbus-enum:> > |   Positive response for sid =
> 0x64>
> > > > > > > >
> > > |
> > > > > > > Positive error response for sid = 0x96> > |_  Positive response
> > > > > > > for
> > > > sid
> > > > > =
> > > > > > > 0xc8> > > >  Also, I wrote small modbus server mock on python
> for
> > > > test
> > > > > > > purposes.> > In the future, this script can be extended to test
> > > > > specifict
> > > > > > > modbus devices> > and disclosure sensitive information.> > This
> is
> > > my
> > > > > > first
> > > > > > > expirience in nmap script development so I would be pleased> >
> to
> > > > hear
> > > > > > notes
> > > > > > > and advises, and I hope it may be useful for someone.> > > >
> > > > > > > Modscan
> > > > > > project
> > > > > > > can be found here: http://code.google.com/p/modscan/> > PDF
> > > > Presentation
> > > > > > > about MODBUS proto and modscan utility from Defcon 16:> >
> https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf
> > > > > > > > > NSE script and modbus server mock are in attachments and at
> > > > google
> > > > > > > code:> > https://code.google.com/p/nmap-modscan/.> > I think
> the
> > > > script
> > > > > > looks
> > > > > > > good. What is the reason for using function> code 8 instead of
> the
> > > > > > default 17
> > > > > > > that modscan.py
> > > > > > > uses?> >
> http://code.google.com/p/modscan/source/browse/trunk/modscan.py#43>
> > > > > > >
> > > > This
> > > > > > > page defines "Report slave ID" for code 17 but doesn't mention
> > > > > > > code> 8.> >
> http://www.lammertbies.nl/comm/info/modbus.html#func>
> > > > > > > >
> > > > Is
> > > > > > there
> > > > > > > significance to the "00 00 AA BB" data?> > David
> > > > > > > Fifield> _______________________________________________> Sent
> > > > through
> > > > > > the
> > > > > > > nmap-dev mailing
> > > > > > > list> http://cgi.insecure.org/mailman/listinfo/nmap-dev>
> Archived
> > > > > > > at
> > > > > > > http://seclists.org/nmap-dev/
> > > > _______________________________________________
> > > > Sent through the nmap-dev mailing list
> > > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > > Archived at http://seclists.org/nmap-dev/

Attachment: modbus-discover.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/