Industrial control assets sniffing and analysis practice


1. This article briefly analyzes and verifies the tools used for industrial control asset sniffing. Addresses of industrial control assets can be collected from search engines such as Shodan, FOFA and ZoomEye.

2. Use the Nmap tool to scan for and detect S7 and Modbus PLC devices

The Nmap 6.4 script directory is located at /usr/share/nmap/scripts and contains 448 scripts in total, as shown below:

The scripts are classified as follows:

Script parameters:

-sC: equivalent to --script=default; scans with the scripts in the default category.

--script=<Lua scripts>: scan with a given script or a given category of scripts; wildcards are supported.

--script-args=<n1=v1,[n2=v2,...]>: provide arguments to the scripts.

--script-args-file=filename: provide script arguments from a file.

--script-trace: show the data sent and received during script execution.

--script-updatedb: update the script database.

--script-help=<Lua scripts>: show the help information for the scripts, where the <Lua scripts> part can be a comma-separated list of script files or script categories.

Script usage:

Execute a single script: nmap --script /path/to/script.nse <target>

Execute multiple scripts: nmap --script /path/to/script.nse,/another/path/script2.nse <target>

Execute all scripts contained in a folder: nmap --script /path/to/folder/ <target>

Description: detect Modbus protocol devices

Input: nmap -sV --script modbus-discover 166.169.57.136 -p 502

Output:

 

Description: detect EtherNet/IP protocol devices

Input: nmap -p 44818 --script enip-enumerate.nse 221.206.153.114

Output:

Description: detect CoDeSys protocol devices

Input: nmap -p 1200,2455 --script codesys-v2-discover 178.242.1.44

Output:

Description: detect Niagara Fox protocol devices

Input: nmap -p 1911 --script fox-info 67.176.19.167

Output:

Description: detect S7 protocol devices

Input: nmap -p 102 --script s7-enumerate.nse 79.135.33.188

Output:

 

Scripts for other industrial control protocols are listed in the Redpoint reference: https://github.com/digitalbond/Redpoint#bacnet-discover-enumeratense
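Once an authorised scan like the ones above has been saved with -oX, the XML can be turned into an inventory of which hosts expose which ICS services, which is the asset-management use of these scripts. The following Python is an added example, not code from the article or from Nmap: the port-to-protocol mapping follows the ports listed above, and the XML is constructed sample data in Nmap's output format (the script output strings are placeholders, not real device responses).

```python
"""Build an ICS asset inventory from Nmap XML output (-oX).

Added example, not code from the original article. It assumes the scan was
run with -oX against hosts you are authorised to inventory; the XML below is
constructed sample data in Nmap's real output format.
"""
import xml.etree.ElementTree as ET

# Well-known ICS service ports named in the article, mapped to their protocol.
ICS_PORTS = {
    102: "S7comm (Siemens S7)",
    502: "Modbus/TCP",
    1200: "CoDeSys v2",
    2455: "CoDeSys v2",
    1911: "Niagara Fox",
    44818: "EtherNet/IP (CIP)",
    17185: "WDB RPC (VxWorks 6.x)",
}

# Constructed sample: one host with Modbus open, one with S7 open and an
# EtherNet/IP port closed. Script output values are placeholders.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script modbus-discover,s7-enumerate -oX out.xml">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="502">
        <state state="open"/>
        <service name="modbus"/>
        <script id="modbus-discover" output="sid 0x1: Slave ID data: EXAMPLE-PLC-1"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="102">
        <state state="open"/>
        <service name="iso-tsap"/>
        <script id="s7-enumerate" output="Module: EXAMPLE-MODULE Version: 0.0"/>
      </port>
      <port protocol="tcp" portid="44818">
        <state state="closed"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_ics_inventory(xml_text):
    """Return {ip: [{port, protocol, service, scripts}, ...]} for open ICS ports only."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ip = addr_el.get("addr")
        for port in host.findall("ports/port"):
            portid = int(port.get("portid"))
            state = port.find("state")
            # Only open ports on known ICS service numbers count as assets.
            if state is None or state.get("state") != "open":
                continue
            if portid not in ICS_PORTS:
                continue
            service = port.find("service")
            entry = {
                "port": portid,
                "protocol": ICS_PORTS[portid],
                "service": service.get("name") if service is not None else None,
                # NSE script results (e.g. modbus-discover, s7-enumerate) keyed by id.
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            }
            inventory.setdefault(ip, []).append(entry)
    return inventory


def summarize(inventory):
    """One line per exposed ICS service, sorted by address, for quick review."""
    lines = []
    for ip in sorted(inventory):
        for e in inventory[ip]:
            lines.append(f"{ip}:{e['port']} {e['protocol']}")
    return lines


if __name__ == "__main__":
    inv = parse_ics_inventory(SAMPLE_XML)
    print("\n".join(summarize(inv)))
```

Closed ports and ports outside the ICS list are dropped, so the summary is exactly the set of ICS services a network owner needs to justify or firewall; the script output is kept per port so that module and vendor strings can be compared against the asset register.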

3. Use the plcscan tool to scan for and detect S7 and Modbus PLC devices

S7 protocol PLC device detection

Step 1: Create a new ip.list file and write the IPs to be scanned into it

Step 2: In the plcscan directory, run python plcscan.py --hosts-list=ip.list --ports=102 to scan, then review the results

 

Note: You can also run python plcscan.py 178.139.130.34 --ports=102 to scan a single specified IP, as shown in the figure below

 

Modbus protocol PLC device detection

Step 1: Create a new ip.list file and write the IPs to be scanned into it

Step 2: In the plcscan directory, run python plcscan.py --hosts-list=ip.list --ports=502 to scan, then review the results

 

Note: You can also run python plcscan.py 178.139.130.34 --ports=502 to scan a single specified IP, as shown in the figure below

 

S7 and Modbus protocol device detection

Step 1: Create a new ip.list file and write the IPs to be scanned into it

Step 2: In the plcscan directory, run python plcscan.py --hosts-list=ip.list (without --ports, so both protocols are checked) to scan, then review the results

4. Use the ISF tool for asset detection of S7, CIP, ENIP and Profinet-DCP industrial control devices

First, run the following command in the isf directory to enter the Python environment, as shown in the following figure:

S7

Goal: scan S7-300/S7-400 devices (port 102 open)

Step 1: Enter scanners/s7comm_scan to select the S7 scan plugin

Step 2: Enter show info to view the plugin's description

Step 3: Enter show options to view the plugin's usage options

Step 4: Set the target, e.g. set target <ip>

Step 5: Run the run command to start scanning and view the results

The operation process is shown in the figure below:

 

VxWorks 6

Goal: scan VxWorks 6.x devices speaking the WDB RPC v2 protocol (port 17185 open)

Step 1: Enter scanners/vxworks_6_scan to select the VxWorks scan plugin

Step 2: Enter show info to view the plugin's description

Step 3: Enter show options to view the plugin's usage options

Step 4: Set the target, e.g. set target <ip>

Step 5: Run the run command to start scanning and view the results

The operation process is shown in the figure below:

 

EtherNet/IP

Goal: scan EtherNet/IP protocol devices (port 44818 open)

Step 1: Enter scanners/cip_scan to select the cip_scan plugin

Step 2: Enter show info to view the plugin's description

Step 3: Enter show options to view the plugin's usage options

Step 4: Set the target, e.g. set target <ip>

Step 5: Run the run command to start scanning and view the results

The operation process is shown in the figure below:
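All of the scanners covered above (the Nmap NSE scripts, plcscan and the ISF plugins) probe the same small set of ICS ports, so from the network owner's side a sweep shows up as one source touching those ports on many different hosts in a short time. The following Python is an added example, not part of the article or of any tool it describes: it runs a sliding-window detector over constructed flow-log lines. The "timestamp src dst dport" log format, the 60-second window and the three-target threshold are assumptions to tune for your own network.

```python
"""Flag sources that sweep ICS service ports across many hosts.

Added example, not from the original article or the tools it covers. The log
format, window and threshold are assumptions; the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The service ports probed by the scanners discussed in the article.
ICS_PORTS = {102, 502, 1200, 2455, 1911, 44818, 17185}

# Constructed flow records ("timestamp src dst dport"): 192.0.2.10 probes ICS
# ports on many hosts, while 10.1.0.50 is an HMI polling a single PLC.
SAMPLE_LOG = """\
2024-03-01T10:00:01 192.0.2.10 10.1.0.11 502
2024-03-01T10:00:01 192.0.2.10 10.1.0.12 502
2024-03-01T10:00:02 192.0.2.10 10.1.0.13 102
2024-03-01T10:00:02 192.0.2.10 10.1.0.14 44818
2024-03-01T10:00:03 192.0.2.10 10.1.0.15 1911
2024-03-01T10:00:04 10.1.0.50 10.1.0.11 502
2024-03-01T10:00:09 10.1.0.50 10.1.0.11 502
2024-03-01T10:05:00 192.0.2.10 10.1.0.16 17185
"""


def parse_line(line):
    """Split one constructed flow record into (datetime, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_ics_sweeps(log_text, min_targets=3, window=timedelta(seconds=60)):
    """Return {src: sorted distinct (dst, port)} for every source that touched
    ICS ports on at least `min_targets` distinct destinations within `window`."""
    events = defaultdict(list)  # src -> [(ts, dst, port)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in ICS_PORTS:
            events[src].append((ts, dst, dport))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # time-ordered so the window can slide forward
        start = 0
        for end in range(len(evs)):
            # Drop events that fell out of the window behind `end`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {dst for _, dst, _ in evs[start:end + 1]}
            if len(targets) >= min_targets:
                # Report everything this source touched, not just the window.
                alerts[src] = sorted({(d, p) for _, d, p in evs})
                break
    return alerts


if __name__ == "__main__":
    for src, touched in find_ics_sweeps(SAMPLE_LOG).items():
        print(f"ICS sweep from {src}: {len(touched)} host/port pairs")
        for dst, port in touched:
            print(f"  {dst}:{port}")
```

The threshold is on distinct destinations rather than packet count, so a legitimate HMI polling one PLC many times a minute stays quiet while a scanner that touches five PLCs once each is flagged; the window keeps a slow trickle of one probe per hour from accumulating into an alert.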

 
