PaulDotCom mailing list archives

Re: NMAP for SCADA


From: Kevin Shaw <kevin.lee.shaw () gmail com>
Date: Tue, 27 Nov 2012 14:33:46 -0500

(Caveat: I do NERC CIP work and we use a command line script to look at
netstat, lsof, etc. rather than using nmap and potentially knocking over
PLCs, etc.)

Having said that, look at specifying the packet timing rather than using
the regular T options.  Also, specify UDP ports to known services like ntp
and your basic Windows services - I do that for non-SCADA port mapping
already given time limits on engagements.  I don't think you'll have a big
issue with syn over connect scans but that idea doesn't hurt.  Use -sV and
grab your banners especially taking the time for full connect.  You may
even want to spend a couple minutes going through the scripts and tuning a
couple to grab more information.
On Nov 27, 2012 1:48 PM, "Bruce Barnett" <grymoire () gmail com> wrote:

I'm going to have a short-time access to a SCADA test lab, and I want
to run a port map to characterize the services available.

There are about 7 networks (virtual and real), with 6 physical
Ethernet ports. I want to discover all services, on all networks. I
don't need stealth, and I want to avoid scans that might crash older
devices. I also don't want to get half-done and realize that I made
the wrong choices, and have to do it again.

I was thinking of using -sS, but I am concerned some devices might
crash if there are too many half-open connections.
So should I use -sT instead - I think.
And -r would make the scan more "repeatable" if some device crashes.
So any comments on using these options:

    nmap -r -v -sT -sU 10.1.1.0/24 10.2.0.0/24 -oX scan1.xml -oG scan1.txt

repeat for the next interface, etc.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
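The pacing and port-selection advice above, pulled together into a small POSIX sh wrapper. This is an added example, not a script either poster uses: it replaces the -T templates with explicit --scan-delay/--max-parallelism/--max-retries values, keeps Bruce's -r and full-connect -sT, adds -sV for banners, and asks only about a short list of well-known UDP services instead of sweeping all UDP ports. The UDP list, the pacing numbers and the function names are my assumptions, chosen as starting points to tune against the lab, not measured safe limits for any PLC.

```shell
#!/bin/sh
# Added example for the nmap-for-SCADA thread; not code from either poster.
# Assumes nmap 6+ on PATH and that the scanner sits directly on each
# network (so default ARP host discovery is used; no -Pn, no ICMP sweep).

# Well-known UDP services to probe directly (assumed list, extend to taste):
# DNS, DHCP, TFTP, NTP, NetBIOS name/datagram, SNMP + traps, IKE, SSDP.
UDP_PORTS="53,67,69,123,137,138,161,162,500,1900"

# Explicit pacing instead of -T0..5: one probe in flight at a time,
# 5 ms between probes, at most two retries per port. Tune per lab.
PACING="--max-parallelism 1 --scan-delay 5ms --max-retries 2"

# scada_nmap TARGET OUTBASE [print|run]
#   Builds the nmap argument list once; "print" shows it, "run" executes it.
#   -n  no reverse DNS (nothing to gain, fewer packets on the wire)
#   -r  ports in order, so a crash is reproducible at a known port
#   -sT full connect, -sU UDP on the list above, -sV banner grab
scada_nmap() {
    target=$1
    outbase=$2
    mode=${3:-run}
    # $PACING is intentionally unquoted so it splits into separate args.
    set -- nmap -v -n -r -sT -sU -sV $PACING \
        -p "T:1-65535,U:$UDP_PORTS" \
        -oX "$outbase.xml" -oG "$outbase.gnmap" "$target"
    if [ "$mode" = print ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# scada_scan TARGET OUTBASE
#   One network per call, sequentially. Skips a network whose XML output
#   already exists, so if a device (or the scanner) falls over you rerun
#   the script and only the unfinished networks are scanned again.
scada_scan() {
    if [ -e "$2.xml" ]; then
        echo "skip $1: $2.xml already exists" >&2
        return 0
    fi
    echo "scanning $1 -> $2.xml / $2.gnmap" >&2
    scada_nmap "$1" "$2" run
}

# Usage, one line per network (never run two at once against a SCADA lab):
#   scada_scan 10.1.1.0/24 scan1
#   scada_scan 10.2.0.0/24 scan2
```

The skip test is deliberately coarse (file exists, not "scan completed"); delete the .xml for a network you want redone. Dropping --max-retries to 1 speeds up the UDP pass but turns more ports into open|filtered, so raise it again if the UDP results look thin.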
