Re: Another SCADA/ICS NMAP NSE script - Lantronix Universal Device Server (UDS) enumeration script

[David Fifield <david () bamsoftware com>]

On Wed, Dec 08, 2010 at 02:54:47PM -0600, Bob Radvanovsky wrote:
> This is one of several enumeration scripts that I have written for the
> SCADA/industrial control systems community.  This checks/validates the
> web-based traffic for the Lantronix Universal Device Server (UDS)
> device.  NOTE: This has been ONLY tested with one model, the Lantronix
> XPress DR-IAP, with the most recent firmware level (Version 5.2).
>
> The web interface is optional, and runs entirely using a Java servlet,
> making it difficult to enumerate using NMAP.  However, if SNMP is
> ENABLED, the device can provide some rather useful information,
> including firmware release level, serial number, and revision level.
>
> Here is sample output from the modified NMAP NSE script (execute it as
> "nmap --script=./lantronix.nse <IP address> -PN -sU -p161 -v"; use the
> "-PN" flag needs to be used on older TCP/IP device stacks, as NMAP has
> a tendency to lock up the TCP/IP stack).
>
> The same script is shown below; if you wish to download the script,
> the script may be accessed here:
> http://www.infracritical.com/enum-scripts/lantronix.nse
>
> PORT    STATE SERVICE
> 161/udp open  snmp
> | lantronix: CONFIRM DEVICE AS LANTRONIX
> | ** PHASE 1: SNMP verification
> | ....Step 1: Lantronix device info  : CONFIRMED
> | ............Version S/W            : 05.2
> | ....Step 2: SNMP device detailed information
> | ............Manufacturer name      : Lantronix
> | ............Type/model type        : UDS
> | ............Serial number          : 0000000
> | ............Revision number        : (000000)
> | ** PHASE 2: Documentation
> | ....Step 1: Documentation exist?   : YES
> |_............ninja.infracritical.com/dox/xpress.pdf

This script is almost the same as micrologix1400.nse from
http://seclists.org/nmap-dev/2010/q4/612, so my comments from
http://seclists.org/nmap-dev/2011/q1/365 apply equally.

The similarity of these scripts could be an opportunity. I've been
talking about how it's better to have one block of code that can work on
multiple sources of data. I think these two scripts could be unified
without too much difficulty. And from that point we can see if they
should be further unified into snmp-sysdescr, or kept separate as a
special SNMP-identification script. (With the idea that it can be easily
extended to match more types of systems in the future.)

I'll take your word for it that there are too many SCADA/ICS devices to
be comprehensively identified now. But I'm not against a system that can
identify only a handful of them as long as 1) it's not too big, 2)
people fund it useful, and 3) it's easy to extend and maintain in the
future (e.g., add a few lines to a data file, not a whole new script).

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/