lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 11 Jan 2008 12:12:47 -0500
From: gmaggro <gmaggro@...ers.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: scada/plc gear

Anyone one done any poking around with DNP3, ICCP, OPC, Ethernet/IP, etc.?

OK, some more results are in.

> - i.Board i.CanDoIt embedded webserver
> (http://www.csimn.com/CSI_pages/iboard.html) which is built similar to
> the Kohler in that it uses an embedded ethernet module, but this time
> from Digi (http://www.digi.com/products/embeddedsolutions/digiconnectme.jsp)

The Digiboard 'Connect ME' module has MAC prefix 00:40:9D and what 
appears to be P/N: (1P) 50000878-03 M. At heart specs say it's an ARM 
NS7520 MCU.

The iBoard is the most configurable device of the bunch so far and the 
web interface is quite substantial. A very cool little box.

Stuff open on 21, 23, 80, 161, 502. sysDescr indicates "Control 
Solutions i.CanDoIt BAS-700 ReMOTE I/O". HTTP is 
Allegro-Software-RomPager/4.01, FTP says NET+OS 6.3.

Same basic tests on hammering 502 gave up nothing. Days pounding this 
thing with crud and it never drops a connection or chokes. Can't wait to 
start poking around inside of the modbus protocol instead of this cheese.

> - ADAM-4572 (http://www.ucs.co.uk/index.php?pid=948)

MAC prefix 00:D0:C9 "Advantech Co.".

Now this is an interesting box. The only thing open on it is 502. It's 
not as robust as the iBoard, as hammering the ADAM-4572 on 502 with crud 
caused it to stop responding within seconds. However, it came back 
online within 10 seconds. It feels like this thing has a watchdog 
built-in so when something throws an exception it reloads itself.

Opening it up, it's built of a great deal more discrete parts than the 
other devices. The main parts are a couple QFPs (ARM MCU 
S3C4510B01-QE80, Cortina Systems ethernet EGLXT970) and a PLCC 
(am29f040b flash). I like the PLCC, that's easy to yank out, drop in a 
programmer (I always liked the Needhams Electronics stuff) and dump.

-----------------------------

Handy utility in the same vein (but this one can perform writes) as the 
modpoll utility mentioned earlier in the thread, is the mbread utility 
contained in the following: 
http://www.tuxplc.net/index.php?page=modbus-tcp-protocol

Commercial SCADA security testing platfom/service which looks to be 
setting itself up as some kind of standard: 
http://www.wurldtech.com/achilles/index.php

An amusing, and somewhat inflammatory, article about the state of SCADA 
related blackhattery: 
http://www.digitalbond.com/index.php/2008/01/03/chaos-computer-club-ccc-scada-presentation-report/






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ