Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Another SCADA/ICS NMAP NSE script - Hirschmann/Innominate Security Technologies 'mGuard' firewall enumeration script
From: David Fifield <david () bamsoftware com>
Date: Tue, 1 Feb 2011 22:33:22 -0800

On Mon, Dec 06, 2010 at 09:56:19PM -0600, Bob Radvanovsky wrote:
This is one of several enumeration scripts that I have written for the
SCADA/industrial control systems community.  This checks/validates the
web-based traffic for the Hirschmann/Innominate Security
Technologies/Phoenix Contacts 'mGuard' firewall.  NOTE: This has ONLY
tested with the Hirschmann OEM of the Innominate's software, as well
as Innominate's software (direct), and has NOT been tested on the
newer Phoenix Contacts 'mGuard' firewall (even though it continues to
be an OEM'd version of Innominate's software).

As the firewall has been rendered inoperative through our various
enumeration and validation tests, there is currently NO sample output
from the NMAP NSE script...sorry

The same script is shown below; if you wish to download the script,
the script may be accessed here:
http://www.infracritical.com/enum-scripts/mguard-10091201.nse

Not shown: 996 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
443/tcp  open     https
| mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
| ** PHASE 1: TLS/SSL certificate verification
| ....Step 1: SSL certificate info   : CONFIRMED
| ....Step 2: SSL certificate MD5 hash information
| ............Flash ID               : 420401db459c83e7
| ............Organization name      : Hirschmann Automation and Control GmbH
| ............SSL certificate MD5    : c93063872150383b879a69f65ab6d7e5
| ............SSL certificate version: 4.2.1 or newer
| ** PHASE 2: File presence verification
| ....Step 1: Existence of "/favicon.ico"
| ............File favicon.ico MD5   : 7449c1f67008cc3bfabbc8f885712207
| ............Server type/version    : 4.2.1 or newer
| ....Step 2: Existence of "/gai.js"
| ............File gai.js MD5        : e7696a86648dcdb6efb2e497e5a8616b
| ............Server type/version    : 4.2.1
| ....Step 3: Existence of "/style.css"
| ............File style.css MD5     : d71581409253d54902bea82107a1abb2
| ............Server type/version    : 4.2.1
| ** PHASE 3: HTML pattern matching verification
| ....Step 1: Confirmation of HTML code per version
| ............HTML code verified     : CONFIRMED
| ............HTML code variant      : Hirschmann
| ....Step 2: Confirmation web server verification
| ............Web server verified    : CONFIRMED
| ............Web server name/type   : fnord
| ............Web server version     : 1.6
| ** PHASE 4: Documentation
| ....Step 1: Documentation exist?   : YES
| ............ninja.infracritical.com/dox/hirschmann/UM_BAT54_SW_Rel754_en.pdf
|_............ninja.infracritical.com/dox/hirschmann/UM_EAGLE_401_EN.pdf

Step 2 where you examine the contents of the SSL certificate is a good
idea. What do you think about building a database of known devices (of
which this device would be a part) in ssl-cert.nse? Another option is
the ssl-known-key script that's under discussion:
http://seclists.org/nmap-dev/2010/q4/733.

Overall this script looks like a combination of ssl-cert, http-enum,
http-favicon, and version detection. What is the output of version
detection against this system? Do you think that the gai.js and
style.css checks could be moved into http-enum?

About your hash lookups: Instead of structuring your tables like this:
        {md5="089e6c5d1eb61af201b8cbb024d98d00", name="3.1.1"},
do it like this:
        {["089e6c5d1eb61af201b8cbb024d98d00"] = "3.1.1"},
Then you can just look up sslcerts[md5] instead of having to use a loop.

The script produces a few lines of output even when the result is
completely negative:

$ ./nmap -p443 --script=mguard-10091201 --datadir . mail.google.com -d2
PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack
| mguard-10091201:
| ............File style.css         : FAIL
| ** PHASE 3: HTML pattern matching verification
| ....Step 1: Confirmation of HTML code per version
| ............HTML code version      : UNKNOWN
|
| ....Step 2: Confirmation web server verification
| ............Web server name/type   : UNKNOWN
|
| ** PHASE 4: Documentation
|_....Step 1: Documentation exist?   : YES

The script seems to be written from the point of view that someone
suspects they have an mGuard device, and want to confirm their belief.
It's more helpful if the script can run against a variety of devices and
report about whatever it finds; that answers the first use case too and
is probably even more common.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
  • Re: Another SCADA/ICS NMAP NSE script - Hirschmann/Innominate Security Technologies 'mGuard' firewall enumeration script David Fifield (Feb 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault