Nmap Development mailing list archives

[NSE] modbus-enum.nse, modbus discovery script


From: Александр Рудаков <freekoder () gmail com>
Date: Mon, 22 Nov 2010 20:57:51 +0300

Hi all,

I realised the script that duplicates the functionality of Mark Bristow's modscan
utility.
The modscan utility finds MODBUS (one of the popular SCADA protocols) devices in
an IP range and determines the slave id (SID).
It tries to find the legal SID of a tcp modbus server by bruteforcing.
I just rewrote the python code in lua and implemented it as an nmap script. Here is
the output of the script:

PORT    STATE SERVICE
502/tcp open  modbus
| modbus-enum:
|   Positive response for sid = 0x64
|   Positive error response for sid = 0x96
|_  Positive response for sid = 0xc8

Also, I wrote a small modbus server mock in python for test purposes.
In the future, this script can be extended to test specific modbus devices
and disclose sensitive information.
This is my first experience in nmap script development so I would be pleased
to hear notes and advice, and I hope it may be useful for someone.

Modscan project can be found here: http://code.google.com/p/modscan/
PDF Presentation about MODBUS proto and modscan utility from Defcon 16:
https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf

NSE script and modbus server mock are in attachments and at google code:
https://code.google.com/p/nmap-modscan/.

With best regards, Alexander Rudakov.

Attachment: modbus-enum.nse

Attachment: modbus-emul.py

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
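The post distinguishes a "positive response" from a "positive error response" for each slave id the script tries. The example below, added here and not taken from the post, from modbus-enum.nse or from modscan, shows how that distinction falls out of Modbus/TCP framing: the MBAP header (transaction id, protocol id 0, length, unit id) followed by a PDU whose function code is echoed back on success and set to `function | 0x80` on an exception. It also adds the defensive side of the same observation: a small detector that flags a source trying many distinct unit ids against one target, which is exactly the traffic pattern a SID sweep produces. All frames are constructed samples; the function names and the sweep threshold are assumptions of this example, and exception codes 0x0A/0x0B are the standard gateway-path exceptions, which are separated out because they mean a gateway answered, not the unit id itself.

```python
import struct
from collections import defaultdict

PROTOCOL_ID = 0              # Modbus/TCP protocol identifier is always 0
READ_HOLDING_REGISTERS = 0x03
# Standard exception codes raised by a gateway when the target unit did not answer.
GATEWAY_EXCEPTIONS = {0x0A, 0x0B}


def build_request(transaction_id, unit_id, function=READ_HOLDING_REGISTERS, start=0, count=1):
    """Return a Modbus/TCP ADU: 7-byte MBAP header + Read Holding Registers PDU."""
    pdu = struct.pack(">BHH", function, start, count)
    # MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, PROTOCOL_ID, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(frame):
    """Split a Modbus/TCP frame into header fields, function code and data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != PROTOCOL_ID or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    return {"transaction_id": tid, "unit_id": uid, "function": frame[7], "data": frame[8:]}


def classify_response(request, response):
    """Map a reply to the categories the script reports for a probed unit id."""
    req, resp = parse_frame(request), parse_frame(response)
    if resp["transaction_id"] != req["transaction_id"] or resp["unit_id"] != req["unit_id"]:
        return "mismatch"                  # reply is for another request/unit; ignore it
    if resp["function"] == req["function"]:
        return "positive response"         # unit id is live and served the request
    if resp["function"] == req["function"] | 0x80:
        code = resp["data"][0] if resp["data"] else None
        if code in GATEWAY_EXCEPTIONS:
            return "gateway exception"     # gateway is live, target unit id did not answer
        return "positive error response"   # unit id is live but rejected the request
    return "unknown"


def find_unit_id_sweeps(requests, threshold=8):
    """Flag (src, dst) pairs that probed at least `threshold` distinct unit ids.

    `requests` is a list of (src_ip, dst_ip, raw_frame) tuples, e.g. from a capture.
    Normal HMI/SCADA polling talks to one or a few fixed unit ids; a sweep does not.
    """
    seen = defaultdict(set)
    for src, dst, frame in requests:
        try:
            seen[(src, dst)].add(parse_frame(frame)["unit_id"])
        except ValueError:
            continue                       # not a well-formed Modbus/TCP frame
    return {key: sorted(uids) for key, uids in seen.items() if len(uids) >= threshold}


# Constructed sample replies to build_request(1, 0x64): 2 bytes of register data,
# an "illegal data address" exception, and a gateway "target failed to respond".
SAMPLE_POSITIVE = struct.pack(">HHHB", 1, PROTOCOL_ID, 5, 0x64) + bytes([0x03, 0x02, 0x00, 0x00])
SAMPLE_ERROR = struct.pack(">HHHB", 1, PROTOCOL_ID, 3, 0x64) + bytes([0x83, 0x02])
SAMPLE_GATEWAY = struct.pack(">HHHB", 1, PROTOCOL_ID, 3, 0x64) + bytes([0x83, 0x0B])

# Constructed traffic: one host sweeping unit ids 1..10, one HMI polling unit id 1.
SAMPLE_TRAFFIC = (
    [("10.0.0.5", "10.0.0.20", build_request(i, i)) for i in range(1, 11)]
    + [("10.0.0.7", "10.0.0.20", build_request(100 + i, 1)) for i in range(10)]
)

if __name__ == "__main__":
    probe = build_request(1, 0x64)
    for name, reply in (("positive", SAMPLE_POSITIVE), ("error", SAMPLE_ERROR), ("gateway", SAMPLE_GATEWAY)):
        print(f"{name}: {classify_response(probe, reply)}")
    print("sweeps:", find_unit_id_sweeps(SAMPLE_TRAFFIC))
```

The classifier treats a transaction id or unit id that does not match the probe as noise rather than as evidence, which is the check an enumerator needs against a device that answers out of order. The sweep detector is deliberately simple (distinct unit ids per source/destination pair); in a real deployment it would be keyed on a time window as well.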
