Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Another SCADA/ICS NMAP NSE script - Rockwell MicroLogix Series 1400 enumeration script
From: David Fifield <david () bamsoftware com>
Date: Tue, 1 Feb 2011 22:15:07 -0800

On Mon, Dec 06, 2010 at 09:28:38PM -0600, Bob Radvanovsky wrote:
This is one of several enumeration scripts that I have written for the
SCADA/industrial control systems community.  This checks/validates the
SNMP traffic for the Allen-Bradley/Rockwell MicroLogix Series 1400 PLC
controller. 

The same script is shown below; if you wish to download the script,
the script may be accessed here: 
http://www.infracritical.com/enum-scripts/micrologix1400.nse

PORT    STATE SERVICE
161/udp open  snmp
| micrologix1400: CONFIRM DEVICE AS ALLEN-BRADLEY/ROCKWELL MICROLOGIX
| ** PHASE 1: SNMP verification
| ....Step 1: MicroLogix device info : CONFIRMED
| ............Version S/W            : A/5.00
| ....Step 2: SNMP device detailed information
| ............Manufacturer name      : Allen-Bradley
| ............Model number           : 1766-L32AWAA
| ............Type/model type        : MicroLogix 1400
| ............Series type            : A
| ............Revision number        : 5.0
| ** PHASE 2: Documentation
| ....Step 1: Documentation exist?   : YES
| ............ninja.infracritical.com/dox/1766-in001_-en-p.pdf
|_............ninja.infracritical.com/dox/1766-um002_-en-p.pdf

I'm looking over your SCADA scripts now, Bob. Thanks for taking the time
to write and submit them. I think that what you have created has value.
In general, though, I think the special-purpose detection mechanisms
would be better built into general-purpose mechanisms that can classify
a larger number of devices.

As an example of what I mean, look at http-enum and the
nselib/data/http-fingerprints.lua file. That has fingerprints like
"/images/rails.png" => "Ruby on Rails" and "/gfx/logout_24.png" =>
"Secunia NSI". One could imaging ruby-on-rails.nse and secunia-nsi.nse
scripts that did these checks individually, but it's better to use a
common detection mechanism that is extended through a database of
fingerprints.

Back to micrologix1400.nse. As I understand it, this script does a
sysDescr query and then parses some details out of it. The documenation
says:

--  1.  PHASE I - SNMP verification.
--      a.  STEP 1:  Performs verification through 'snmpwalk'.
--      b.  STEP 2:  Acquires specific details from SNMP 'sysDescr.0'.
--  2.  PHASE II - Documentation.

However I don't see the (a. STEP 1) part in the code, and phase II just
seems to print a constant string.

What is the output of snmp-sysdescr against this device? In line with my
comments above, if snmp-sysdescr is missing information that this script
can provide, I would rather see effort put into improving snmp-sysdescr
than into a new script.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]