Date: Tue, 15 Jan 2008 13:04:49 -0500
From: gmaggro <gmaggro@...ers.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: scada/plc gear

The Phoenix Contact 'FL IL 24 BK-PAC' arrived the other day. It is a 
wonderfully German piece of DIN rail 
(http://www3.telus.net/public/dt0116/items/dinrails.jpg) gear:

http://eshop.phoenixcontact.com/phoenix/images/productimages/large/20260_1000_int_04.jpg
http://eshop.phoenixcontact.com/phoenix/treeViewClick.do?UID=2862314

There is a two digit LED display on it, with a reset button underneath. 
As soon as I saw that, I figured stability would be an issue. This 
turned out to be a correct assumption. While the most aggressive of nmap 
scans did not lock it up for me, Nessus (with everything enabled) did 
every time. Normally the display reads '82' but when it goes south it 
reads '88'.

In any case, nmap -TUVRC -p1-65535 shows TCP 80, 502, 1962 open along 
with UDP 7, 161, 199, 1059, and 5500. Very interesting stuff. I've had 
many dealings with networks of hundreds of thousands to millions of 
nodes, and though the reasonable explanation is that I've forgotten it, 
I don't ever recall seeing 1962/tcp and 5500/udp open. MAC prefix is 
00:A0:45 (Phoenix Contact Gmbh & CO.). OS details, well... I severely 
doubt this is a 3COM lan modem or Dell laser printer.

Hitting just 502 with crud caused it to stop responding within 10-30 
seconds, but after a similarly short interval, 502 started responding again.

snmpwalking it gives a sysDescr of "Ethernet bus terminal", a sysName of 
"FL IL 24 BK" and the ifDescr say "NET+ARM 10/100 Megabit Ethernet 
Driver by NETSilicon" and "pNA+ Loopback Driver".

80 says "NET+ARM Web Server/1.00", and feels pretty snappy. The web 
page, in addition to configuration options, also supplies a wiring 
diagram and a mock-up of the faceplate with status LEDs, and other 
reference information (status codes, etc).

Reading through the manual/PDFs for this device indicates that it uses 
Interbus protocol, which has since been subsumed into something called 
Profinet. Awesome - something new to explore.

I'd recommend picking up a FLIL24BK since it runs quite the profile of 
interesting stuff in addition to modbus. I don't get why echo is there, 
unless the developers thought it would serve as some kind of diagnostic 
facility. It also responds quite differently to the mbread (from the 
modbus-0.9 package) command.

-----------------------------

I was made aware of an interesting and easy-to-use fuzzing program that 
contains modbus testing functionality: 
http://www.beyondsecurity.com/bestorm_overview.html

Now it's too expensive for individual purchase (it appears to be geared 
towards businesses) but they have a 30 minute time limited demo that is 
quite functional. It's Windows only. Someone might find it valuable to 
fire it up against a modbus target, along with a sniffer to see what's 
going on. For beginners or GUI only folks, it would make a great 
introduction.

Scapy (http://www.secdev.org/projects/scapy/) is proving a nice & 
powerful framework for mucking around. It has a 'fuzz' command which, 
though simple, ought to be enough to construct some very handy stuff.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
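Editor's added example, not part of gmaggro's message and not code from Phoenix Contact or any tool named above. The post reports that the bus terminal listens on TCP 502 (Modbus) and stops responding for 10-30 seconds when that port receives malformed input. The defensive counterpart is a validator that a monitor or filter in front of port 502 can apply to every client request, passing only frames that satisfy the public Modbus/TCP rules (7-byte MBAP header with protocol id 0 and a length field that matches the bytes after it, an ADU of at most 260 bytes, an allow-listed function code, and read quantities within the spec limits). The allow-list is assumed site policy, and the sample frames are constructed for the demonstration rather than captured from the device.

```python
"""Validate Modbus/TCP request frames before they reach a fragile device.

Added example (not from the original post). It checks the MBAP header and
a few PDU fields against the public Modbus Application Protocol rules, so
a monitor or filter in front of TCP/502 can flag the kind of malformed
traffic the post describes as stalling the bus terminal.
"""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502      # port reported open on the device in the post
MBAP_LEN = 7               # transaction id, protocol id, length, unit id
MAX_ADU = 260              # maximum Modbus/TCP ADU size per the spec

# Public function codes a monitor would normally expect from a client.
# Assumption: this allow-list is site policy, not something the device enforces.
ALLOWED_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
# Maximum quantity per read request, from the Modbus spec.
READ_LIMITS = {1: 2000, 2: 2000, 3: 125, 4: 125}


@dataclass
class Verdict:
    ok: bool
    reason: str
    transaction_id: int = -1
    unit_id: int = -1
    function: int = -1


def check_request(frame: bytes) -> Verdict:
    """Return a Verdict for one client->server Modbus/TCP frame."""
    if len(frame) < MBAP_LEN + 1:
        return Verdict(False, "truncated: no room for MBAP header and function code")
    if len(frame) > MAX_ADU:
        return Verdict(False, f"oversized ADU: {len(frame)} > {MAX_ADU} bytes")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return Verdict(False, f"protocol id {proto} is not 0", tid, unit)
    # The length field counts the unit id plus the PDU, i.e. everything after it.
    if length != len(frame) - 6:
        return Verdict(False, f"length field {length} != {len(frame) - 6} trailing bytes",
                       tid, unit)
    func = frame[MBAP_LEN]
    if func not in ALLOWED_FUNCTIONS:
        return Verdict(False, f"function code {func} not in allow-list", tid, unit, func)
    if func in READ_LIMITS:
        # A read request PDU is exactly: function, start address, quantity.
        if len(frame) != MBAP_LEN + 5:
            return Verdict(False, "read request PDU must be function + address + quantity",
                           tid, unit, func)
        _start, qty = struct.unpack(">HH", frame[MBAP_LEN + 1:MBAP_LEN + 5])
        if not 1 <= qty <= READ_LIMITS[func]:
            return Verdict(False, f"quantity {qty} outside 1..{READ_LIMITS[func]}",
                           tid, unit, func)
    return Verdict(True, ALLOWED_FUNCTIONS[func], tid, unit, func)


# Constructed sample frames (not captured from the device in the post).
SAMPLE_FRAMES = {
    "read 10 holding regs": bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    "bad protocol id":      bytes.fromhex("0002 0001 0006 01 03 0000 000a"),
    "length mismatch":      bytes.fromhex("0003 0000 00ff 01 03 0000 000a"),
    "unlisted function":    bytes.fromhex("0004 0000 0006 01 7f 0000 000a"),
    "quantity too large":   bytes.fromhex("0005 0000 0006 01 03 0000 07d0"),
    "truncated":            bytes.fromhex("0006 0000"),
    "random junk":          b"A" * 20,
}


def triage(frames: dict) -> dict:
    """Map each frame label to its Verdict; a monitor alerts on ok == False."""
    return {label: check_request(frame) for label, frame in frames.items()}


if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_FRAMES).items():
        flag = "ok  " if verdict.ok else "DROP"
        print(f"{flag} {label:22s} tid={verdict.transaction_id:>5} "
              f"unit={verdict.unit_id:>3} {verdict.reason}")
```

Run as a script it prints one verdict per sample frame; only the well-formed read passes, and every other frame carries the specific rule it broke, which is the detail worth logging when a device that takes half a minute to recover sits behind the filter. The checks are deliberately conservative: they reject anything the spec does not allow rather than trying to guess what the device will tolerate.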
