1. This article briefly analyzes and verifies the tools used for industrial control asset discovery. Addresses of industrial control assets can be collected through search engines such as Shodan, FOFA and ZoomEye.
2. Use the Nmap tool to scan and detect S7 and Modbus PLC devices
The Nmap 6.4 script directory is located at /usr/share/nmap/scripts; it contains 448 scripts in total, as shown in the figure below:
The scripts are classified as follows:
Script parameters:
-sC: equivalent to --script=default; scans using the scripts in the default category.
--script=<Lua scripts>: scan using a particular script or a category of scripts; wildcards are supported.
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to the scripts.
--script-args-file=filename: read script arguments from a file.
--script-trace: display the data sent and received while the scripts execute.
--script-updatedb: update the script database.
--script-help=<Lua scripts>: display the help information for the given scripts, where the <Lua scripts> part can be a comma-separated list of script files or script categories.
Script usage:
Execute a single script: nmap --script /path/to/script.nse <target>
Execute multiple scripts: nmap --script /path/to/script.nse,/another/path/script2.nse <target>
Execute all scripts contained in a folder: nmap --script /path/to/folder/ <target>
Description: detect Modbus protocol devices
Input: nmap -sV --script modbus-discover 166.169.57.136 -p 502
Output:
Description: detect EtherNet/IP protocol devices
Input: nmap -p 44818 --script enip-enumerate.nse 221.206.153.114
Output:
Description: detect CoDeSys protocol devices
Input: nmap -p 1200,2455 --script codesys-v2-discover 178.242.1.44
Output:
Description: detect Niagara Fox protocol devices
Input: nmap -p 1911 --script fox-info 67.176.19.167
Output:
Description: detect S7 protocol devices
Input: nmap -p 102 --script s7-enumerate.nse 79.135.33.188
Output:
Scripts for other industrial control components are listed, with usage, at: https://github.com/digitalbond/Redpoint#bacnet-discover-enumeratense
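The commands above leave the results as per-host script output on the terminal. When the same scripts are run against your own ranges with -oX, the XML can be turned into an inventory of reachable ICS services and compared with the asset register, which is how a defender finds PLCs that should not be reachable from the scanning vantage point. The following Python is an added example, not code from the article or from the Nmap project: the XML is constructed by hand to mirror Nmap's -oX layout (device strings are placeholders, addresses are from a documentation range), and the ICS_SCRIPTS mapping and the inventory set are my assumptions.

```python
"""Summarize ICS services reported by Nmap NSE scripts and flag those missing from
an asset inventory (added example; assumes Nmap was run with -oX)."""
import xml.etree.ElementTree as ET

# NSE script ids used in this article, mapped to the protocol they identify.
ICS_SCRIPTS = {
    "modbus-discover": "Modbus/TCP",
    "s7-enumerate": "Siemens S7comm",
    "enip-enumerate": "EtherNet/IP",
    "codesys-v2-discover": "CoDeSys v2",
    "fox-info": "Niagara Fox",
}

# Constructed sample that follows Nmap's XML layout; not real scan results.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="502">
        <state state="open"/>
        <service name="modbus"/>
        <script id="modbus-discover" output="sid 0x1: Slave ID data: PLACEHOLDER-PLC"/>
      </port>
      <port protocol="tcp" portid="102">
        <state state="closed"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="102">
        <state state="open"/>
        <script id="s7-enumerate" output="Module: PLACEHOLDER-MODULE&#10;Version: 0.0"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_ics_findings(xml_text):
    """Return (ip, port, protocol, first output line) for every open port on which
    one of the ICS scripts produced output."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            for script in port.findall("script"):
                proto = ICS_SCRIPTS.get(script.get("id"))
                if proto is None:
                    continue
                # Script output is a multi-line attribute; keep the first line.
                lines = (script.get("output") or "").strip().splitlines()
                summary = lines[0].strip() if lines else ""
                findings.append((ip, int(port.get("portid")), proto, summary))
    return findings


def flag_unexpected(findings, inventory):
    """Return findings whose (ip, port) pair is absent from the asset inventory."""
    return [f for f in findings if (f[0], f[1]) not in inventory]


if __name__ == "__main__":
    found = parse_ics_findings(SAMPLE_XML)
    for ip, port, proto, summary in found:
        print(f"{ip}:{port} {proto} -> {summary}")
    # Assumed inventory: only the first device is a registered asset.
    known_assets = {("192.0.2.10", 502)}
    for item in flag_unexpected(found, known_assets):
        print("NOT IN INVENTORY:", item)
```

With a real file, replace SAMPLE_XML by the contents of the -oX output and known_assets by the (ip, port) pairs from the asset register; anything returned by flag_unexpected is either an undocumented device or a device exposed on a network segment where it should not be.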
3. Use the plcscan tool to scan and detect S7 and Modbus PLC devices
S7 protocol PLC device detection
Step 1: Create a new file ip.list and write the IPs to be scanned into it
Step 2: In the plcscan directory, enter python plcscan.py --hosts-list=ip.list --ports=102 to scan and observe the results
Note: You can also enter python plcscan.py 178.139.130.34 --ports=102 to scan a single specified IP, as shown in the figure below
Modbus protocol device detection
Step 1: Create a new file ip.list and write the IPs to be scanned into it
Step 2: In the plcscan directory, enter python plcscan.py --hosts-list=ip.list --ports=502 to scan and observe the results
Note: You can also enter python plcscan.py 178.139.130.34 --ports=502 to scan a single specified IP, as shown in the figure below
S7 and Modbus protocol device detection
Step 1: Create a new file ip.list and write the IPs to be scanned into it
Step 2: In the plcscan directory, enter python plcscan.py --hosts-list=ip.list (no --ports option, so both 102 and 502 are checked) to scan and observe the results
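On the network side, these Modbus scans are visible as identification requests arriving on TCP/502 from hosts that are not the plant's engineering stations or HMIs. The following Python is an added example, not code from the article or the plcscan project. It assumes (my reading, not a claim the article makes) that discovery tools identify a Modbus device by sending function 0x11 (Report Slave ID) and/or function 0x2B with MEI type 0x0E (Read Device Identification); it parses the MBAP header of each frame and raises an alert when such a request comes from a source outside an allowlist. The frames and addresses are constructed by hand.

```python
"""Detect Modbus/TCP device-identification probes from unexpected sources
(added example; the allowlist and sample frames are constructed)."""
import struct

FC_REPORT_SLAVE_ID = 0x11        # "Report Slave ID"
FC_ENCAPSULATED_INTERFACE = 0x2B  # "Encapsulated Interface Transport"
MEI_READ_DEVICE_ID = 0x0E         # MEI type for "Read Device Identification"


def parse_mbap(frame):
    """Parse the 7-byte MBAP header and the PDU that follows it.
    Returns None for truncated frames or frames whose protocol id is not 0."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # 'length' counts the unit id plus the PDU, so the PDU ends at 6 + length.
    if proto != 0 or length < 2 or len(frame) < 6 + length:
        return None
    pdu = frame[7:6 + length]
    return {"tid": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}


def is_identification_probe(msg):
    """True for the two identification requests discovery tools rely on."""
    if msg["function"] == FC_REPORT_SLAVE_ID:
        return True
    return (msg["function"] == FC_ENCAPSULATED_INTERFACE
            and len(msg["data"]) >= 1
            and msg["data"][0] == MEI_READ_DEVICE_ID)


def detect_probes(events, allowed_sources):
    """events: iterable of (source_ip, tcp_payload) seen on port 502.
    Returns (source_ip, unit_id, function_code) for each probe from a source
    that is not in allowed_sources."""
    alerts = []
    for src_ip, frame in events:
        msg = parse_mbap(frame)
        if msg is None or not is_identification_probe(msg):
            continue
        if src_ip in allowed_sources:
            continue
        alerts.append((src_ip, msg["unit"], msg["function"]))
    return alerts


# Constructed traffic sample: 198.51.100.7 is an unknown host, 192.0.2.50 an HMI.
SAMPLE_EVENTS = [
    # Read Device Identification (basic objects) to unit 1
    ("198.51.100.7", bytes.fromhex("0001 0000 0005 01 2B 0E 01 00")),
    # Report Slave ID to unit 1
    ("198.51.100.7", bytes.fromhex("0002 0000 0002 01 11")),
    # Ordinary Read Holding Registers from the HMI: not a probe
    ("192.0.2.50", bytes.fromhex("0003 0000 0006 01 03 0000 000A")),
    # The HMI also asks for the slave id; allowed, so no alert
    ("192.0.2.50", bytes.fromhex("0004 0000 0002 01 11")),
    # Truncated frame: ignored rather than crashing the detector
    ("198.51.100.7", bytes.fromhex("0005 0000")),
]
KNOWN_CLIENTS = {"192.0.2.50"}

if __name__ == "__main__":
    for src, unit, fc in detect_probes(SAMPLE_EVENTS, KNOWN_CLIENTS):
        print(f"ALERT: identification probe from {src} to unit {unit}, function 0x{fc:02X}")
```

In a real deployment the events would come from a span-port capture or a Modbus-aware sensor, and the allowlist from the asset register; the point is that the scans demonstrated in this section have a stable, low-volume signature that is easy to alert on.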
4. Use the ISF tool to perform asset detection on industrial control equipment speaking the S7, CIP, EtherNet/IP and Profinet DCP protocols
First execute the following command in the isf directory to enter the Python environment, as shown in the figure below:
S7
Goal: Scan S7-300/S7-400 devices (open port 102)
Step 1: Enter scanners/s7comm_scan to select the S7 scan plugin
Step 2: Enter show info to view plug-in description information
Step 3: Enter show options to view plug-in usage information
Step 4: Set the target such as set target ip
Step 5: Execute the run command to start scanning and view the scanning results
The operation process is shown in the figure below:
VxWorks 6
Goal: Scan VxWorks 6.x devices via the WDB RPC v2 protocol (open port 17185)
Step 1: Enter scanners/vxworks_6_scan to select the VxWorks scan plugin
Step 2: Enter show info to view plug-in description information
Step 3: Enter show options to view plug-in usage information
Step 4: Set the target such as set target ip
Step 5: Execute the run command to start scanning and view the scanning results
The operation process is shown in the figure below:
EtherNet/IP
Goal: Scan EtherNet/IP protocol devices (open port 44818)
Step 1: Enter scanners/cip_scan to select the cip_scan scan plugin
Step 2: Enter show info to view plug-in description information
Step 3: Enter show options to view plug-in usage information
Step 4: Set the target such as set target ip
Step 5: Execute the run command to start scanning and view the scanning results
The operation process is shown in the figure below: