Nmap Development mailing list archives

Re: [NSE] modbus-enum.nse, modbus discovery script


From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Mon, 29 Nov 2010 15:33:02 -0600

Code 8 is used for diagnostics.

Go here: http://en.wikipedia.org/wiki/Modbus
and here: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf (section 6.9 on page 25/51)

"The event counter can be reset by means of the Diagnostics function (code 08), with a subfunction
of Restart Communications Option (code 00 01) or Clear Counters and Diagnostic
Register (code 00 0A)."

and here: http://www.modbus.org/docs/PI_MBUS_300.pdf (page 74)

"Description

Returns a status word and an event count from the slave’s communications event
counter. By fetching the current count before and after a series of messages, a
master can determine whether the messages were handled normally by the slave.
Broadcast is not supported.

The controller’s event counter is incremented once for each successful message
completion. It is not incremented for exception responses, poll commands, or
fetch event counter commands.

The event counter can be reset by means of the Diagnostics function (code 08),
with a subfunction of Restart Communications Option (code 00 01) or Clear
Counters and Diagnostic Register (code 00 0A)."

-r

----- Original Message -----
From: David Fifield [mailto:david () bamsoftware com]
To: Александр Рудаков [mailto:freekoder () gmail com]
Cc: nmap-dev () insecure org
Subject: Re: [NSE] modbus-enum.nse, modbus discovery script


On Mon, Nov 22, 2010 at 08:57:51PM +0300, Александр Рудаков wrote:
> > Hi all,
> >
> > I realised the script that duplicates the functionality of Mark Bristow's modscan
> > utility.
> > Modscan utility finds MODBUS (one of the popular SCADA protocols) devices in
> > an IP range and determines the slave id (SID).
> > It tries to find a legal SID of a tcp modbus server by bruteforcing.
> > I just rewrote the python code in lua and implemented it as an nmap script. Here
> > is the output of the script:
> >
> > PORT    STATE SERVICE
> > 502/tcp open  modbus
> > | modbus-enum:
> > |   Positive response for sid = 0x64
> > |   Positive error response for sid = 0x96
> > |_  Positive response for sid = 0xc8
> >
> > Also, I wrote a small modbus server mock in python for test purposes.
> > In the future, this script can be extended to test specific modbus devices
> > and disclose sensitive information.
> > This is my first experience in nmap script development so I would be pleased
> > to hear notes and advice, and I hope it may be useful for someone.
> >
> > Modscan project can be found here: http://code.google.com/p/modscan/
> > PDF Presentation about MODBUS proto and modscan utility from Defcon 16:
> > https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf
> > NSE script and modbus server mock are in attachments and at google code:
> > https://code.google.com/p/nmap-modscan/.
>
> I think the script looks good. What is the reason for using function
> code 8 instead of the default 17 that modscan.py uses?
>
> http://code.google.com/p/modscan/source/browse/trunk/modscan.py#43
>
> This page defines "Report slave ID" for code 17 but doesn't mention
> code 8.
>
> http://www.lammertbies.nl/comm/info/modbus.html#func
>
> Is there significance to the "00 00 AA BB" data?
>
> David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
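The thread discusses function code 8 (Diagnostics), its subfunctions 00 01 and 00 0A that reset the communications event counter, and the event counter's own semantics. The following is an added example, not code from the thread, from modbus-enum.nse or from modscan: a small Modbus/TCP decoder that validates the MBAP header, names the diagnostics subfunction a PDU carries, flags the state-changing ones, decodes a Get Comm Event Counter (0x0B) response, and models the counter as the PI_MBUS_300 excerpt describes it. It assumes, as the Modbus Application Protocol spec defines, that subfunction 00 00 is "Return Query Data" (a loopback that echoes its data), so a "00 00 AA BB" request would be a loopback of AA BB. All sample frames are constructed, not captured from a device.

```python
"""Modbus/TCP decoder centred on the Diagnostics (0x08) and Get Comm Event
Counter (0x0B) functions. Added example; standard library only."""
import struct

DIAGNOSTICS = 0x08
GET_COMM_EVENT_COUNTER = 0x0B

# Function 8 subfunctions (Modbus Application Protocol spec, section 6.8.1).
# The boolean says whether the subfunction changes device state: the two the
# thread quotes reset the event counter, while 0x0000 is a pure loopback.
DIAG_SUBFUNCTIONS = {
    0x0000: ("Return Query Data", False),
    0x0001: ("Restart Communications Option", True),
    0x000A: ("Clear Counters and Diagnostic Register", True),
}


def build_tcp_frame(transaction_id, unit_id, function_code, data=b""):
    """Build a Modbus/TCP ADU: MBAP header (tid, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([function_code]) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_tcp_frame(frame):
    """Split an ADU into header fields and PDU, checking the MBAP length field."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    return {"transaction_id": tid, "unit_id": uid,
            "function_code": frame[7], "data": frame[8:]}


def classify_pdu(function_code, data):
    """Describe a PDU in the terms the quoted spec passages use."""
    if function_code & 0x80:          # exception responses set the high bit
        return {"kind": "exception", "function": function_code & 0x7F,
                "exception_code": data[0] if data else None}
    if function_code == DIAGNOSTICS:
        if len(data) < 2:
            raise ValueError("diagnostics PDU without a subfunction")
        sub = struct.unpack(">H", data[:2])[0]
        # Unlisted subfunctions are treated as state-changing (conservative default).
        name, changes_state = DIAG_SUBFUNCTIONS.get(sub, ("unlisted subfunction", True))
        return {"kind": "diagnostics", "subfunction": sub, "name": name,
                "changes_state": changes_state, "data": data[2:].hex()}
    if function_code == GET_COMM_EVENT_COUNTER:
        if len(data) == 4:             # response: status word + event count
            status, count = struct.unpack(">HH", data)
            return {"kind": "event_counter_response",
                    "busy": status == 0xFFFF, "event_count": count}
        return {"kind": "event_counter_request"}
    return {"kind": "other", "function": function_code}


def triage_frames(frames):
    """Return (unit_id, severity, description) per frame. Diagnostics that reset
    counters or restart communications are the ones worth alerting on."""
    findings = []
    for frame in frames:
        hdr = parse_tcp_frame(frame)
        info = classify_pdu(hdr["function_code"], hdr["data"])
        if info["kind"] == "diagnostics" and info["changes_state"]:
            sev, desc = "alert", "diagnostics subfunction 0x%04X (%s)" % (
                info["subfunction"], info["name"])
        elif info["kind"] == "exception":
            sev, desc = "info", "exception %s to function 0x%02X" % (
                info["exception_code"], info["function"])
        else:
            sev, desc = "info", info["kind"]
        findings.append((hdr["unit_id"], sev, desc))
    return findings


class CommEventCounter:
    """Model of the slave's communications event counter per the PI_MBUS_300 excerpt."""
    def __init__(self):
        self.count = 0

    def on_message(self, function_code, data=b"", completed=True):
        if function_code == DIAGNOSTICS and len(data) >= 2:
            if struct.unpack(">H", data[:2])[0] in (0x0001, 0x000A):
                self.count = 0            # reset by the two quoted subfunctions
                return
        if function_code == GET_COMM_EVENT_COUNTER or not completed:
            return                        # fetches and exception responses do not count
        self.count = (self.count + 1) & 0xFFFF


# Constructed sample traffic (not captured from a real device).
SAMPLE_FRAMES = [
    build_tcp_frame(1, 0x64, DIAGNOSTICS, bytes.fromhex("0000aabb")),   # the "00 00 AA BB" probe
    build_tcp_frame(2, 0x64, DIAGNOSTICS, bytes.fromhex("00010000")),   # restart communications
    build_tcp_frame(3, 0x64, DIAGNOSTICS, bytes.fromhex("000a0000")),   # clear counters
    build_tcp_frame(4, 0x96, DIAGNOSTICS | 0x80, b"\x01"),              # exception: illegal function
    build_tcp_frame(5, 0xC8, GET_COMM_EVENT_COUNTER, bytes.fromhex("0000002a")),  # status 0, count 42
]

if __name__ == "__main__":
    for unit, sev, desc in triage_frames(SAMPLE_FRAMES):
        print("unit 0x%02X %-5s %s" % (unit, sev, desc))
```

Run stand-alone, the block prints one line per sample frame; only the two counter-resetting diagnostics requests come out as alerts, the loopback probe, the exception response and the event-counter response are informational. The MBAP length check matters for a decoder that sits on a mirror port: a length field that disagrees with the frame size is the usual sign of a mis-framed or malformed ADU, and rejecting it early keeps the rest of the decoder honest.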
