Nmap Development mailing list archives
Re: [NSE] modbus-enum.nse, modbus discovery script
From: Александр Рудаков <freekoder () gmail com>
Date: Mon, 29 Nov 2010 23:43:35 -0800
Hi, Bob. Hi, David. Thanks for your attention to this script. Bob said quite right that 08 is the diagnostic function. The Defcon presentation says that the diagnostic function has diagnostic code 00 00 just returning query data, so 00 00 AA BB is a query to return data AA BB. I just took it from the query examples in the presentation. Last week I tried to test my script on real modbus devices. Code 08 works well, but the devices I have seem not to understand return-data queries. I will test this script with function code 17. Maybe it would be better to use this value. Also, I noticed that some timeout is required (about 2 seconds) between queries.

On 29 November 2010 at 13:33, Bob Radvanovsky <rsradvan () unixworks net> wrote:
Code 8 is used for diagnostics. Go here: http://en.wikipedia.org/wiki/Modbus and here: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf (section 6.9 on page 25/51)

"The event counter can be reset by means of the Diagnostics function (code 08), with a subfunction of Restart Communications Option (code 00 01) or Clear Counters and Diagnostic Register (code 00 0A)."

and here: http://www.modbus.org/docs/PI_MBUS_300.pdf (page 74)

"Description: Returns a status word and an event count from the slave's communications event counter. By fetching the current count before and after a series of messages, a master can determine whether the messages were handled normally by the slave. Broadcast is not supported. The controller's event counter is incremented once for each successful message completion. It is not incremented for exception responses, poll commands, or fetch event counter commands. The event counter can be reset by means of the Diagnostics function (code 08), with a subfunction of Restart Communications Option (code 00 01) or Clear Counters and Diagnostic Register (code 00 0A)."

-r

----- Original Message -----
From: David Fifield [mailto:david () bamsoftware com]
To: Александр Рудаков [mailto:freekoder () gmail com]
Cc: nmap-dev () insecure org
Subject: Re: [NSE] modbus-enum.nse, modbus discovery script

> On Mon, Nov 22, 2010 at 08:57:51PM +0300, Александр Рудаков wrote:
> > Hi all,
> >
> > I realised a script that duplicates the functionality of Mark Bristow's modscan
> > utility.
> > The modscan utility finds MODBUS (one of the popular SCADA protocols) devices in
> > an IP range and determines the slave id (SID).
> > It tries to find a legal SID of a TCP modbus server by bruteforcing.
> > I just rewrote the python code in lua and implemented it as an nmap script.
> > Here is the output of the script:
> >
> > PORT    STATE SERVICE
> > 502/tcp open  modbus
> > | modbus-enum:
> > |   Positive response for sid = 0x64
> > |   Positive error response for sid = 0x96
> > |_  Positive response for sid = 0xc8
> >
> > Also, I wrote a small modbus server mock in python for test purposes.
> > In the future, this script can be extended to test specific modbus devices
> > and disclose sensitive information.
> > This is my first experience in nmap script development so I would be pleased
> > to hear notes and advice, and I hope it may be useful for someone.
> >
> > The modscan project can be found here: http://code.google.com/p/modscan/
> > PDF presentation about the MODBUS protocol and modscan utility from Defcon 16:
> > https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf
> > NSE script and modbus server mock are in attachments and at googlecode:
> > https://code.google.com/p/nmap-modscan/.
>
> I think the script looks good. What is the reason for using function
> code 8 instead of the default 17 that modscan.py uses?
>
> http://code.google.com/p/modscan/source/browse/trunk/modscan.py#43
>
> This page defines "Report slave ID" for code 17 but doesn't mention code
> 8.
>
> http://www.lammertbies.nl/comm/info/modbus.html#func
>
> Is there significance to the "00 00 AA BB" data?
>
> David Fifield
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
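The two requests the thread compares (function 08 / sub-function 00 00 with the AA BB data, and function 17), plus a classifier for the three kinds of reply the script's output shows, as an added Python example; this is not the modbus-enum.nse script, modscan.py, or the author's mock server, and the sample replies are constructed here.

```python
import struct
# Modbus/TCP values discussed in the thread (from the public Modbus spec).
DIAGNOSTICS = 0x08          # function 08
RETURN_QUERY_DATA = 0x0000  # sub-function 00 00: the device echoes the request data
REPORT_SERVER_ID = 0x11     # function 17, "Report Slave/Server ID"
EXCEPTION_NAMES = {1: "illegal function", 2: "illegal data address",
                   3: "illegal data value", 4: "server device failure"}

def mbap(transaction_id, unit_id, pdu):
    """Prepend the MBAP header: txid, protocol id 0, length of (unit id + PDU), unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def diagnostics_request(transaction_id, unit_id, data=b"\xAA\xBB"):
    """Function 08 / sub-function 00 00 with the AA BB payload asked about in the thread."""
    return mbap(transaction_id, unit_id, struct.pack(">BH", DIAGNOSTICS, RETURN_QUERY_DATA) + data)

def report_server_id_request(transaction_id, unit_id):
    """Function 17 carries no request data at all."""
    return mbap(transaction_id, unit_id, bytes([REPORT_SERVER_ID]))

def parse_response(frame, expected_fc, sent_data=b""):
    """Classify a reply as ('ok', detail), ('exception', name) or ('bad', reason). An exception
    reply (function | 0x80) still proves the unit id is live: the 'positive error response'."""
    if len(frame) < 8:
        return ("bad", "short frame")
    _txid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return ("bad", "MBAP header does not match frame")
    pdu = frame[7:]
    if pdu[0] == (expected_fc | 0x80):
        code = pdu[1] if len(pdu) > 1 else None
        return ("exception", EXCEPTION_NAMES.get(code, "code %r" % code))
    if pdu[0] != expected_fc:
        return ("bad", "unexpected function %#04x" % pdu[0])
    if expected_fc == DIAGNOSTICS:  # echo must carry sub-function 00 00 and exactly our data
        if len(pdu) < 3 or pdu[1:3] != b"\x00\x00" or pdu[3:] != sent_data:
            return ("bad", "echo mismatch")
        return ("ok", "echoed query data")
    # Report Server ID: byte count, server id, run indicator (0x00 off / 0xFF on), extra data
    count = pdu[1] if len(pdu) > 1 else 0
    body = pdu[2:2 + count]
    if count < 2 or len(body) != count:
        return ("bad", "truncated report")
    return ("ok", "server id %#04x, run indicator %s" % (body[0], "ON" if body[1] == 0xFF else "OFF"))

# Constructed sample replies (not captures from a real device): sid 0x64 echoes the
# diagnostics query byte for byte, sid 0x96 answers with exception 01, sid 0xc8 reports its id.
SAMPLE_ECHO = bytes.fromhex("0001 0000 0006 64 08 0000 aabb")
SAMPLE_EXCEPTION = bytes.fromhex("0002 0000 0003 96 88 01")
SAMPLE_REPORT = bytes.fromhex("0003 0000 0007 c8 11 04 2a ff 0102")
```

Because Return Query Data echoes the whole PDU, a correct reply to `diagnostics_request(1, 0x64)` is byte-identical to the request itself, which is what makes the echo check above meaningful.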
Current thread:
- [NSE] modbus-enum.nse, modbus discovery script Александр Рудаков (Nov 22)
- Re: [NSE] modbus-enum.nse, modbus discovery script David Fifield (Nov 29)
- <Possible follow-ups>
- Re: [NSE] modbus-enum.nse, modbus discovery script Bob Radvanovsky (Nov 29)
- Re: [NSE] modbus-enum.nse, modbus discovery script Александр Рудаков (Nov 29)
- Re: [NSE] modbus-enum.nse, modbus discovery script Bob Radvanovsky (Nov 30)
- Re: [NSE] modbus-enum.nse, modbus discovery script Александр Рудаков (Nov 30)
- Re: [NSE] modbus-enum.nse, modbus discovery script Bob Radvanovsky (Nov 30)
- Re: [NSE] modbus-enum.nse, modbus discovery script Александр Рудаков (Dec 03)
- Re: [NSE] modbus-enum.nse, modbus discovery script Alexander Rudakov (Dec 12)
- Re: [NSE] modbus-enum.nse, modbus discovery script David Fifield (Dec 12)
- Re: [NSE] modbus-enum.nse, modbus discovery script Alexander Rudakov (Dec 13)
- Re: [NSE] modbus-enum.nse, modbus discovery script David Fifield (Dec 16)
- Re: [NSE] modbus-enum.nse, modbus discovery script Alexander Rudakov (Dec 17)
- Re: [NSE] modbus-enum.nse, modbus discovery script Александр Рудаков (Dec 03)