Nmap Development mailing list archives
Re: [NSE] KNX Gateway Discover Script
From: Niklaus Schiess <nschiess () adversec com>
Date: Fri, 7 Aug 2015 21:16:43 +0200
Hi,

thanks for the suggestion. I got two KNX gateways from different vendors where I've tested the script. Sending a search request directly to those showed that indeed one of the devices responded properly. However, the other one does only respond to multicast packets. So discovering gateways according to the specification seems to be the more reliable way. That's because I think the script is fine like it is right now. It's actually a rather non-intrusive discovery because it just needs one packet to discover multiple gateways.

However, I think it's a good idea to implement a second script for the default category with a port rule for UDP port 3671 as it would enable discovering such gateways on the Internet.

Regards,
Niklaus

On 07.08.2015 20:23, Michael T wrote:
> As an FYI, when Stephen Hilt and I were developing the bacnet-discover-enumerate (https://github.com/digitalbond/Redpoint/blob/master/BACnet-discover-enumerate.nse) script at Digital Bond, we found something interesting...
>
> While many times the specification 'said' we had to send a request to a broadcast or multicast address, the devices themselves would ALSO respond when we sent it directly to the IP address of the device. Basically, they were dumb devices that were listening on all their interfaces (broadcast, multicast, and unicast) and responding anyway.
>
> You might want to test your script with a direct IP address argument as well to see if you get a response from the device.
>
> The success of our bacnet-discover-enumerate against direct IP addresses is verifiable in Shodan. 10,000 devices worldwide accessible over the internet via the BACNET protocol.
>
> Mike Toecker
> @mtoecker
>
> On Fri, Aug 7, 2015 at 11:19 AM, Niklaus Schiess <nschiess () adversec com> wrote:
>> Howdy,
>>
>> KNX is "...the worldwide STANDARD for all applications in home and building control, ranging from lighting and shutter control to various security systems, ...building control with a single, manufacturer independent design and commissioning tool (ETS), with a complete set of supported communication media (TP, PL, RF and IP) as well as a complete set of supported configuration modes..."[1].
>>
>> This script discovers KNX gateways which are used to communicate and configure bus devices over IP driven networks. It sends a multicast IP packet where all gateways should respond with various information about themselves. It is based on the llmnr-response.nse script as it technically does the same thing.
>>
>> This script is also available on GitHub [2].
>>
>> Regards,
>> Niklaus
>>
>> [1] http://www.knx.org/knx-en/index.php
>> [2] https://github.com/takeshixx/knx-gateway-discover
>>
>> --
>> PGP FP: CB84 8C68 ADDB 6C50 7DF1 4227 F2A6 056A A799 76DA
>> _______________________________________________
>> Sent through the dev mailing list
>> https://nmap.org/mailman/listinfo/dev
>> Archived at http://seclists.org/nmap-dev/
-- PGP FP: CB84 8C68 ADDB 6C50 7DF1 4227 F2A6 056A A799 76DA
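
For defenders monitoring UDP port 3671, the multicast-versus-unicast distinction discussed in this thread can be checked on captured datagrams. The following is an added example, not code from the thread or from the script under review: the frame layout, the service type 0x0201 and the discovery group 224.0.23.12 come from the KNXnet/IP specification rather than from these messages, and `INTERNAL_NETS`, the label strings and the sample frame are assumptions constructed for illustration.

```python
import ipaddress
import struct

KNX_PORT = 3671                                   # UDP port named in the thread
KNX_MCAST = ipaddress.ip_address("224.0.23.12")   # KNXnet/IP discovery group
SEARCH_REQUEST = 0x0201                           # KNXnet/IP service type
# Assumption: the site's own address space; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def parse_header(payload):
    """Return (service_type, body), or None if not a well-formed KNXnet/IP frame."""
    if len(payload) < 6:
        return None
    hdr_len, version, service, total = struct.unpack("!BBHH", payload[:6])
    if hdr_len != 0x06 or version != 0x10 or total != len(payload):
        return None
    return service, payload[6:]


def parse_hpai(body):
    """Decode the 8-byte IPv4/UDP HPAI: the endpoint the sender wants replies at."""
    if len(body) < 8 or body[0] != 0x08 or body[1] != 0x01:
        return None
    return ipaddress.ip_address(body[2:6]), struct.unpack("!H", body[6:8])[0]


def classify(src, dst, dport, payload):
    """Label one captured UDP datagram (addresses given as strings)."""
    parsed = parse_header(payload)
    if dport != KNX_PORT or parsed is None:
        return "not-knx"
    service, body = parsed
    if service != SEARCH_REQUEST or parse_hpai(body) is None:
        return "knx-other"
    if ipaddress.ip_address(dst) == KNX_MCAST:
        return "search-multicast"         # discovery as the specification describes
    if any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
        return "search-unicast-internal"  # direct probe from inside the network
    return "search-unicast-external"      # gateway reachable from outside: alert


# Constructed sample: SEARCH_REQUEST asking for replies at 192.168.1.50:50000
SAMPLE = bytes.fromhex("06100201000e" "0801" "c0a80132" "c350")
```

A `search-unicast-external` result on a gateway's own address indicates that the device is reachable on UDP 3671 from outside the site, which is the exposure both posters describe.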