PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-12 18:59:03 +00:00
Code Issues Projects Releases Wiki Activity

Add modbus-discover.nse from Alexander Rudakov.

Browse Source
This commit is contained in:
david
2010-12-16 08:59:16 +00:00
parent dd7f04aebc
commit ad40df2c9b
3 changed files with 177 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG
View File

@@ -1,5 +1,9 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE] Added modbus-discover.nse by Alexander Rudakov. This script
enumerates Modbus slave ids and then tries to find device
information about each of them.
o [NSE] Added scripts by Toni Ruotto communicating with the NetBus o [NSE] Added scripts by Toni Ruotto communicating with the NetBus
remote administration/backdoor program. remote administration/backdoor program.
- netbus-info: gets configuration information. - netbus-info: gets configuration information.

172
scripts/modbus-discover.nse Normal file
View File

@@ -0,0 +1,172 @@
description = [[
Attempts to find valid sid for tcp modbus server and try to get device info.
]]
---
-- @usage
-- nmap --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' -p 502 <host>
--
-- @args aggressive - boolean value defines find all or just first sid
--
-- @output
-- PORT STATE SERVICE
-- 502/tcp open modbus
-- | modbus-discover:
-- | Positive response for sid = 0x64
-- | SLAVE ID DATA: \xFA\xFFPM710PowerMeter
-- | DEVICE IDENTIFICATION: Schneider Electric PM710 v03.110
-- |_ Positive error response for sid = 0x96 (GATEWAY TARGET DEVICE FAILED TO RESPONSE)
--
-- Version 0.2 - /12.12.10/ - script cleanup
-- Version 0.3 - /13.12.10/ - several bugfixes
--
-- MODBUS is one of the popular SCADA protocols.
-- This script intended for modbus device information disclosure.
-- It tries to find legal sid (slave id) of modbus device(s) and
-- if success try to get additional information about vendor and firmware.
-- This script is improvement of modscan python utility written by
-- Mark Bristow.
--
-- Information about MODBUS protocol and security issues:
-- * MODBUS application protocol specification: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf
-- * Defcon 16 Modscan presentation: https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf
-- * Modscan utility is hosted at google code: http://code.google.com/p/modscan/
---
author = "Alexander Rudakov"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive"}
require "bin"
require "comm"
require "stdnse"
require "shortport"
portrule = shortport.portnumber(502, "tcp")
local form_rsid = function(sid, functionId, data)
local payload_len = 2
if ( #data > 0 ) then
payload_len = payload_len + #data
end
return bin.pack('CCCCC', 0x00, 0x00, 0x00, 0x00, 0x00) .. bin.pack('C', payload_len) .. bin.pack('C', sid) .. bin.pack('C', functionId) .. data
end
discover_device_id_recursive = function(host, port, sid, start_id)
local rsid = form_rsid(sid, 0x2B, bin.pack('H', "0E 01")..bin.pack('C', start_id))
local status, result = comm.exchange(host, port, rsid)
local objects_table = {}
if ( status and (#result >= 8)) then
local ret_code = string.byte(result, 8)
if ( ret_code == 0x2B and #result >= 15 ) then
local more_follows = string.byte(result, 12)
local next_object_id = string.byte(result, 13)
local number_of_objects = string.byte(result, 14)
stdnse.print_debug(1, ("more = 0x%x, next_id = 0x%x, obj_number = 0x%x"):format(more_follows, next_object_id, number_of_objects))
local offset = 15
for i = start_id, (number_of_objects - 1) do
local object_id = string.byte(result, offset)
local object_len = string.byte(result, offset + 1)
-- error data format --
if object_len == nil then break end
local object_value = string.sub(result, offset + 2, offset + 1 + object_len)
stdnse.print_debug(1, ("Object id = 0x%x, value = %s"):format(object_id, object_value))
table.insert(objects_table, object_id + 1, object_value)
offset = offset + 2 + object_len
end
if ( more_follows == 0xFF and next_object_id ~= 0x00 ) then
stdnse.print_debug(1, "Has more objects")
local recursive_table = discover_device_id_recursive(host, port, sid, next_object_id)
for k,v in pairs(recursive_table) do
table.insert(objects_table, k, v)
end
end
end
end
return objects_table
end
local discover_device_id = function(host, port, sid)
return discover_device_id_recursive(host, port, sid, 0x0)
end
local form_device_id_string = function(device_table)
local ret_string = "DEVICE IDENTIFICATION: "
for i = 1, #device_table do
if ( device_table[i] ~= nil ) then
ret_string = ret_string..device_table[i]
if ( i < #device_table ) then ret_string = ret_string.." " end
end
end
return ret_string
end
local extract_slave_id = function(response)
local byte_count = string.byte(response, 9)
if ( byte_count == nil or byte_count == 0) then return nil end
offset, slave_id = bin.unpack("A"..byte_count, response, 10)
return slave_id
end
modbus_exception_codes = {
[1] = "ILLEGAL FUNCTION",
[2] = "ILLEGAL DATA ADDRESS",
[3] = "ILLEGAL DATA VALUE",
[4] = "SLAVE DEVICE FAILURE",
[5] = "ACKNOWLEDGE",
[6] = "SLAVE DEVICE BUSY",
[8] = "MEMORY PARITY ERROR",
[10] = "GATEWAY PATH UNAVAILABLE",
[11] = "GATEWAY TARGET DEVICE FAILED TO RESPOND"
}
action = function(host, port)
local aggressive = false -- stop on first founded sid
if (nmap.registry.args['modbus-discover.aggressive']) then
aggressive = nmap.registry.args['modbus-discover.aggressive']
end
local opts = {timeout=2000}
local results = {}
for sid = 1, 246 do
stdnse.print_debug(3, "Sending command with sid = %d", sid)
rsid = form_rsid(sid, 0x11, "")
local status, result = comm.exchange(host, port, rsid, opts)
if ( status and (#result >= 8) ) then
local ret_code = string.byte(result, 8)
if ( ret_code == (0x11) or ret_code == (0x11 + 128) ) then
local sid_table = {}
if ret_code == (0x11) then
table.insert(results, ("Positive response for sid = 0x%x"):format(sid))
local slave_id = extract_slave_id(result)
if ( slave_id ~= nil ) then table.insert(sid_table, "SLAVE ID DATA: "..slave_id) end
elseif ret_code == (0x11 + 128) then
local exception_code = string.byte(result, 9)
local exception_string = modbus_exception_codes[exception_code]
if ( exception_string == nil ) then exception_string = "UNKNOWN EXCEPTION" end
table.insert(results, ("Positive error response for sid = 0x%x (%s)"):format(sid, exception_string))
end
local device_table = discover_device_id(host, port, sid)
if ( #device_table > 0 ) then
table.insert(sid_table, form_device_id_string(device_table))
end
if ( #sid_table > 0 ) then
table.insert(results, sid_table)
end
if ( not aggressive ) then break end
end
end
end
if ( #results > 0 ) then
port.state = "open"
port.version.name = "modbus"
nmap.set_port_version(host, port, "hardmatched")
end
return stdnse.format_output(true, results)
end

1
scripts/script.db
View File

@@ -79,6 +79,7 @@ Entry { filename = "ldap-brute.nse", categories = { "auth", "intrusive", } }
Entry { filename = "ldap-rootdse.nse", categories = { "discovery", "safe", } } Entry { filename = "ldap-rootdse.nse", categories = { "discovery", "safe", } }
Entry { filename = "ldap-search.nse", categories = { "discovery", "safe", } } Entry { filename = "ldap-search.nse", categories = { "discovery", "safe", } }
Entry { filename = "lexmark-config.nse", categories = { "discovery", "safe", } } Entry { filename = "lexmark-config.nse", categories = { "discovery", "safe", } }
Entry { filename = "modbus-discover.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "mongodb-databases.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "mongodb-databases.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "mongodb-info.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "mongodb-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ms-sql-brute.nse", categories = { "auth", "intrusive", } } Entry { filename = "ms-sql-brute.nse", categories = { "auth", "intrusive", } }