lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 05 Jan 2008 14:01:23 -0500
From: gmaggro <gmaggro@...ers.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: scada/plc gear

OK, having done some digging a decent little chunk of industrial 
automation gear has started coming my way; 1 of 6 pieces. All totaled, 
roughly under $1000. Small standalone stuff for now; the shipping on 
populated PLC chassis like SLC-500 stuff is problematic.

If people have specific technical questions, want a script run against a 
piece of gear or a custom protocol capture done I will entertain such 
requests. I am also willing to open the cases and pick up the soldering 
iron, attempt rom/firmware dumps, etc.

Are there any particular tests or tools someone would like me to work 
into my routine right from the start?

Hardware piece #1 is a Kohler Power Systems modbus/ethernet converter, 
pn# GM40165.

So far, nmap (4.52) has been detecting the modbus running on port 
502/tcp as asa-appl-proto. There is not a great deal of information out 
there about this protocol. The email contact associated with the port in 
some /etc/services files (ddube@...icon.com) is disabled, and the domain 
redirects to an industrial automation company (telemecanique.com). 
Running/OS details indicate Enerdis or Lantronix embedded. MAC prefix is 
00:20:4A (Pronet Gmbh). I suppose I could have just posted the nmap 
output, but figured that might annoy people unduly.

Perhaps it would be worth renaming 'asa-appl-proto' on 502 to 'modbus' 
or something related? Just a suggestion to make it clearer for some 
people. In any case, this is mitigated by scanning with the -C option 
which grabs info from 80 and 161 clearly identifying it as being a 
modbus related device, the sysDescr stating "Modbus/TCP to RTU Bridge". 
And oh yeah, it has a wide open text configuration interface on 9999.

Handy/Interesting modbus tcp/udp links:

http://jamod.sourceforge.net/development/tcp_master_howto.html
http://jamod.sourceforge.net/kbase/protocol.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ