Re: Another SCADA/ICS NMAP NSE script - Rockwell MicroLogix Series 1400 enumeration script
From: David Fifield <david () bamsoftware com>
Date: Tue, 1 Feb 2011 22:15:07 -0800
On Mon, Dec 06, 2010 at 09:28:38PM -0600, Bob Radvanovsky wrote:
> This is one of several enumeration scripts that I have written for the
> SCADA/industrial control systems community. This checks/validates the
> SNMP traffic for the Allen-Bradley/Rockwell MicroLogix Series 1400 PLC
> The same script is shown below; if you wish to download the script,
> the script may be accessed here:
> PORT STATE SERVICE
> 161/udp open snmp
> | micrologix1400: CONFIRM DEVICE AS ALLEN-BRADLEY/ROCKWELL MICROLOGIX
> | ** PHASE 1: SNMP verification
> | ....Step 1: MicroLogix device info : CONFIRMED
> | ............Version S/W : A/5.00
> | ....Step 2: SNMP device detailed information
> | ............Manufacturer name : Allen-Bradley
> | ............Model number : 1766-L32AWAA
> | ............Type/model type : MicroLogix 1400
> | ............Series type : A
> | ............Revision number : 5.0
> | ** PHASE 2: Documentation
> | ....Step 1: Documentation exist? : YES
I'm looking over your SCADA scripts now, Bob. Thanks for taking the time
to write and submit them. I think that what you have created has value.
In general, though, I think the special-purpose detection mechanisms
would be better built into general-purpose mechanisms that can classify
a larger number of devices.
As an example of what I mean, look at http-enum and the
nselib/data/http-fingerprints.lua file. That has fingerprints like
"/images/rails.png" => "Ruby on Rails" and "/gfx/logout_24.png" =>
"Secunia NSI". One could imagine ruby-on-rails.nse and secunia-nsi.nse
scripts that did these checks individually, but it's better to use a
common detection mechanism that is extended through a database of
Back to micrologix1400.nse. As I understand it, this script does a
sysDescr query and then parses some details out of it. The documentation
-- 1. PHASE I - SNMP verification.
-- a. STEP 1: Performs verification through 'snmpwalk'.
-- b. STEP 2: Acquires specific details from SNMP 'sysDescr.0'.
-- 2. PHASE II - Documentation.
However I don't see the (a. STEP 1) part in the code, and phase II just
seems to print a constant string.
What is the output of snmp-sysdescr against this device? In line with my
comments above, if snmp-sysdescr is missing information that this script
can provide, I would rather see effort put into improving snmp-sysdescr
than into a new script.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
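The two points of the reply above, a sysDescr query whose result is parsed for details and a single general-purpose detector extended through a fingerprint database in the style of nselib/data/http-fingerprints.lua, are shown together below as an added example. It is not code from Nmap, from snmp-sysdescr, or from Bob's micrologix1400.nse, and it is Python rather than NSE Lua so it runs stand-alone. Everything beyond the SNMPv1/BER wire format (RFC 1157) is an assumption: the fingerprint table and its regexes, the MicroLogix and Linux sysDescr strings (constructed to have the shape of the fields the script reports, not captured from a device), the fake agent reply, and all function names.

```python
"""Data-driven sysDescr fingerprinting over an SNMPv1 GET of sysDescr.0.

Added example; not Nmap or micrologix1400.nse code. The fingerprint table,
its regexes and the device strings are assumptions constructed for it.
"""
import re

SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"


# --- minimal BER helpers, enough for SNMPv1 GetRequest / GetResponse ---

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long form
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(v):
    # Minimal two's-complement INTEGER (version, request-id, error fields).
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]            # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                            # base-128, high bit = "more"
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _parse_tlv(body, pos)
        out.append((tag, val))
    return out


def build_get_request(community, oid=SYSDESCR_OID, request_id=1):
    """SNMPv1 GetRequest for one OID: what a sysDescr probe sends to 161/udp."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + b"\x05\x00"))   # value NULL
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def build_get_response(community, oid, value, request_id=1, error_status=0):
    """Fake agent reply so the example runs without a device on the wire."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + _tlv(0x04, value.encode())))
    pdu = _tlv(0xA2, _int(request_id) + _int(error_status) + _int(0) + varbinds)
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def extract_sysdescr(response):
    """Return the OCTET STRING in the first varbind of a GetResponse."""
    tag, msg, _ = _parse_tlv(response)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _version, _community, (pdu_tag, pdu) = _children(msg)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _req_id, (_, err), _err_index, (_, varbinds) = _children(pdu)
    status = int.from_bytes(err, "big", signed=True)
    if status:                                # e.g. 2 = noSuchName
        raise ValueError("agent returned error-status %d" % status)
    _, first = _children(varbinds)[0]
    _oid_tlv, (vtag, value) = _children(first)
    if vtag != 0x04:
        raise ValueError("sysDescr value is not an OCTET STRING")
    return value.decode("ascii", "replace")


# Fingerprint table in the spirit of http-fingerprints.lua: a new device is a
# new entry, not a new script. Regexes are assumptions for this example; the
# real devices' sysDescr formats are not on the page.
FINGERPRINTS = [
    ("Allen-Bradley MicroLogix", re.compile(
        r"Allen-Bradley\s+(?P<catalog>\d{4}-[A-Z0-9]+)\s+"
        r"(?P<family>MicroLogix\s+\d{4})\s+Series\s+(?P<series>[A-Z])\s+"
        r"Rev\s+(?P<revision>\d+\.\d+)")),
    ("Net-SNMP host", re.compile(
        r"^(?P<os>Linux|FreeBSD)\s+(?P<hostname>\S+)\s+(?P<kernel>\S+)")),
]


def classify(sysdescr):
    """First matching entry wins; named groups become the reported fields."""
    for name, regex in FINGERPRINTS:
        m = regex.search(sysdescr)
        if m:
            return {"device": name, **m.groupdict()}
    return None


def fingerprint_response(response):
    return classify(extract_sysdescr(response))


# Constructed sysDescr strings (assumed shapes, not captured from devices).
MICROLOGIX_SYSDESCR = "Allen-Bradley 1766-L32AWAA MicroLogix 1400 Series A Rev 5.00"
LINUX_SYSDESCR = "Linux plc-gw 5.10.0-18-amd64 #1 SMP Debian x86_64"

if __name__ == "__main__":
    print(build_get_request("public").hex())
    print(fingerprint_response(
        build_get_response("public", SYSDESCR_OID, MICROLOGIX_SYSDESCR)))
```

The request builder produces the same 40-byte packet any SNMPv1 tool sends for sysDescr.0 with community "public"; the reply parser refuses anything that is not a GetResponse carrying an OCTET STRING, and surfaces a non-zero error-status (noSuchName on an agent that hides sysDescr) instead of silently reporting an empty match. Adding a second PLC family is one more tuple in FINGERPRINTS, which is the point of preferring a database-driven snmp-sysdescr over one script per device.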