Mailing List Archive: Full Disclosure: Full-Disclosure

scada/plc gear



gmaggro at rogers

Jan 5, 2008, 11:01 AM

Post #1 of 12 (1444 views)
scada/plc gear

OK, having done some digging a decent little chunk of industrial
automation gear has started coming my way; 1 of 6 pieces. All totaled,
roughly under $1000. Small standalone stuff for now; the shipping on
populated PLC chassis like SLC-500 stuff is problematic.

If people have specific technical questions, want a script run against a
piece of gear or a custom protocol capture done I will entertain such
requests. I am also willing to open the cases and pick up the soldering
iron, attempt rom/firmware dumps, etc.

Are there any particular tests or tools someone would like me to work
into my routine right from the start?

Hardware piece #1 is a Kohler Power Systems modbus/ethernet converter,
pn# GM40165.

So far, nmap (4.52) has been detecting the modbus running on port
502/tcp as asa-appl-proto. There is not a great deal of information out
there about this protocol. The email contact associated with the port in
some /etc/services files (ddube[at]modicon.com) is disabled, and the domain
redirects to an industrial automation company (telemecanique.com).
Running/OS details indicate Enerdis or Lantronix embedded. MAC prefix is
00:20:4A (Pronet Gmbh). I suppose I could have just posted the nmap
output, but figured that might annoy people unduly.

Perhaps it would be worth renaming 'asa-appl-proto' on 502 to 'modbus'
or something related? Just a suggestion to make it clearer for some
people. In any case, this is mitigated by scanning with the -C option
which grabs info from 80 and 161 clearly identifying it as being a
modbus related device, the sysDescr stating "Modbus/TCP to RTU Bridge".
And oh yeah, it has a wide open text configuration interface on 9999.

Handy/Interesting modbus tcp/udp links:

http://jamod.sourceforge.net/development/tcp_master_howto.html
http://jamod.sourceforge.net/kbase/protocol.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
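The identification question in the post above (nmap labels 502/tcp "asa-appl-proto" from its services file, and the SNMP sysDescr is what finally says "Modbus/TCP to RTU Bridge"), as an added example that is not part of the original post: a stdlib Python probe that frames a Read Device Identification request (FC 0x2B, MEI type 0x0E) and a Read Holding Registers request in MBAP and validates the reply structure. A reply with protocol id 0 and a length field that matches the bytes on the wire is a far stronger Modbus fingerprint than a port-name lookup, and that holds even when the reply is an exception. The function names, the SAMPLE_* replies and the vendor strings inside them are this example's own constructions, not output from the Kohler converter or any other device.

```python
"""Modbus/TCP identification probe (added example; not code from the post).
The SAMPLE_* replies are constructed by hand to exercise the parser."""
import socket
import struct

MBAP_LEN = 7  # transaction id (2) | protocol id (2) | length (2) | unit id (1)

# Exception codes from the Modbus Application Protocol spec, section 7.
EXCEPTION_CODES = {
    0x01: "ILLEGAL FUNCTION", 0x02: "ILLEGAL DATA ADDRESS", 0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE", 0x0A: "GATEWAY PATH UNAVAILABLE",
    0x0B: "GATEWAY TARGET DEVICE FAILED TO RESPOND",
}
DEVICE_ID_OBJECTS = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}


def mbap_frame(pdu: bytes, unit_id: int = 1, tid: int = 1) -> bytes:
    """Prefix a PDU with an MBAP header; the length field counts unit id + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def read_device_id_request(unit_id: int = 1, tid: int = 1) -> bytes:
    # FC 0x2B (Encapsulated Interface Transport), MEI 0x0E (Read Device
    # Identification), read code 0x01 (basic objects), starting at object 0x00.
    return mbap_frame(bytes([0x2B, 0x0E, 0x01, 0x00]), unit_id, tid)


def read_holding_registers_request(addr=0, count=1, unit_id=1, tid=2) -> bytes:
    return mbap_frame(struct.pack(">BHH", 0x03, addr, count), unit_id, tid)


def parse_reply(frame: bytes, expected_tid: int) -> dict:
    """Check the MBAP header, then classify the PDU: exception, device id, registers or raw."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} != 0: not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with {len(frame)} bytes on the wire")
    if tid != expected_tid:
        raise ValueError(f"transaction id {tid} != {expected_tid}")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc & 0x80:  # exception response: original FC with the high bit set, then the code
        code = pdu[1]
        return {"unit": unit, "function": fc & 0x7F,
                "exception": EXCEPTION_CODES.get(code, f"0x{code:02x}")}
    if fc == 0x2B and len(pdu) >= 7 and pdu[1] == 0x0E:
        return {"unit": unit, "function": fc, "objects": _parse_device_id(pdu)}
    if fc == 0x03:
        n = pdu[1]  # byte count, followed by n/2 big-endian 16-bit registers
        return {"unit": unit, "function": fc,
                "registers": list(struct.unpack(f">{n // 2}H", pdu[2:2 + n]))}
    return {"unit": unit, "function": fc, "raw": pdu[1:]}


def _parse_device_id(pdu: bytes) -> dict:
    # 2B 0E readcode conformity more_follows next_obj num_objs, then (id, len, value)*
    objects, pos = {}, 7
    for _ in range(pdu[6]):
        oid, olen = pdu[pos], pdu[pos + 1]
        objects[DEVICE_ID_OBJECTS.get(oid, f"object_{oid}")] = \
            pdu[pos + 2:pos + 2 + olen].decode("ascii", "replace")
        pos += 2 + olen
    return objects


def recv_frame(sock) -> bytes:
    """Read exactly one MBAP frame: the header first, then the bytes it announces."""
    head = b""
    while len(head) < MBAP_LEN:
        chunk = sock.recv(MBAP_LEN - len(head))
        if not chunk:
            raise ConnectionError("peer closed before a full MBAP header")
        head += chunk
    body, want = b"", struct.unpack(">H", head[4:6])[0] - 1
    while len(body) < want:
        chunk = sock.recv(want - len(body))
        if not chunk:
            raise ConnectionError("peer closed mid-PDU")
        body += chunk
    return head + body


def probe(host: str, port: int = 502, timeout: float = 3.0) -> dict:
    """Live probe, one fresh connection per request; errors are recorded, not raised."""
    results = {}
    for name, tid, req in (("device_id", 1, read_device_id_request(tid=1)),
                           ("holding_reg_0", 2, read_holding_registers_request(tid=2))):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(req)
                results[name] = parse_reply(recv_frame(s), tid)
        except (OSError, ValueError) as e:
            results[name] = {"error": str(e)}
    return results


def _obj(oid: int, text: str) -> bytes:
    return bytes([oid, len(text)]) + text.encode("ascii")

# Constructed sample replies (not captures from any real device).
SAMPLE_DEVICE_ID_REPLY = mbap_frame(
    bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
    + _obj(0, "ExampleVendor") + _obj(1, "X-1") + _obj(2, "1.00"), unit_id=1, tid=1)
SAMPLE_EXCEPTION_REPLY = mbap_frame(bytes([0x83, 0x02]), unit_id=1, tid=2)  # FC 03 refused
SAMPLE_REGISTER_REPLY = mbap_frame(bytes([0x03, 0x02, 0x12, 0x34]), unit_id=1, tid=2)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_reply(SAMPLE_DEVICE_ID_REPLY, 1))
```

Two caveats for anyone pointing this at real gear: Read Device Identification is optional in the spec, so a bridge that answers it with exception 01 (ILLEGAL FUNCTION) has still answered in MBAP, which is the fingerprint you wanted; and on a TCP-to-RTU bridge even a single register read is forwarded to the serial side, so a unit attached to live equipment is not a safe target.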


fdlist at gmail

Jan 7, 2008, 9:27 AM

Post #2 of 12 (1390 views)
Re: scada/plc gear [In reply to]

There's a ton of information on the Internet for Schneider/Modicon's Modbus
protocol, including Modbus+, Modbus RTU, and Modbus TCP... Specs are freely
available: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf.
If you spend 2 minutes with Google you'll find more than you'll need. For
example: http://www.modbus.pl/download/zxy66/v19/modbus_perl_client.zip.
Anyways, enjoy your research...




b9u4ea at gmail

Jan 7, 2008, 9:37 AM

Post #3 of 12 (1392 views)
Re: scada/plc gear [In reply to]

There's a ton of information on the Internet for Schneider/Modicon's
Modbus protocol, including Modbus+, Modbus RTU, and Modbus TCP...
Specs are freely available:
http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf. If
you spend 2 minutes with Google you'll find more than you'll need.
For example: http://www.modbus.pl/download/zxy66/v19/modbus_perl_client.zip.
Anyways, enjoy your research...



gmaggro at rogers

Jan 7, 2008, 4:47 PM

Post #4 of 12 (1391 views)
Re: scada/plc gear [In reply to]

> http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf.
> For example: http://www.modbus.pl/download/zxy66/v19/modbus_perl_client.zip

Thank you for the links.

I like the following: http://www.modbusdriver.com/modpoll.html

"modpoll is a command line based Modbus master simulator and test
utility". There's binaries for a few different platforms. Enough to get
someone speaking modbus/tcp over the wire and the ability to read device
registers, coils, what have you.

> you spend 2 minutes with google you'll find more then you'll need.

Agreed, but part of what I want to help accomplish is a weeding of the
crud, saving folks some time. Hopefully not annoy people with too much
'cocking stupid' crap.

> Anyways, enjoy your research...

Oh, I am! That Kohler Power systems box, turns out, wasn't as robust as
I hoped. It was built around a Lantronix Xport embedded ethernet device
server, I think an Xport-485
(http://www.lantronix.com/pdf/XPort-485_DS.pdf and/or
http://www.lantronix.com/pdf/XPort_PB.pdf).

At first it held up a couple days, but after pounding it with random
crud (on various ports) 502/tcp stopped showing up. Attempts to get 502
to show up again, by multiple power cyclings and leaving it off for
extended periods, made no difference. The only things that continued to
show up reliably were 69, 9999, 80 and 161.

Tried to find a way to reset it, either by the configuration menus or
hardware (I took the case off) but had no luck. Attempted a reset via
upgrading its firmware with the 'Device Installer' util (came with it on
CD), but wound up bricking it so I couldn't continue. Now I can't play
with it anymore and tell if 502 dropping off was some kind of a fluke or
what the story is. I'm going to ignore it as an anomaly since I can't
repeat it.

So I ripped open the Xport module. That thing is quite the little
marvel, a couple BGAs (an Atmel and a Lantronix DSTni-EX) and assorted
glue crammed in behind an RJ45. Wonder how commonly used they are.
Written on the small metal case was "GM42501 Rev 2.0 (Modbus)" and
"XP1001000-03-GC, Rev. A11" among other things.

1 piece of gear down, 5 more to go :)



b9u4ea at gmail

Jan 8, 2008, 9:16 PM

Post #5 of 12 (1387 views)
Re: scada/plc gear [In reply to]

Looks like a fantastic and robust little tool :) That is certainly
some rather odd behaviour... The fact that the other ports remained
makes it likely an application (modbus) problem. Was it an ethernet
to rs232 converter? (I obviously didn't look up the part number).
Did you happen to catalogue the 'crud' which you sent prior to
failure? I know particular header options have unexpected results on a
great deal of control systems. I also know particular vendors' IP
stack implementations have been known to do some very odd things,
e.g. odd IP options (off the top of my head the AB series of PLCs).
Now I'm curious, what other devices are you testing?



gmaggro at rogers

Jan 9, 2008, 5:45 AM

Post #6 of 12 (1389 views)
Re: scada/plc gear [In reply to]

> That is certainly
> some rather odd behaviour... The fact that the other ports remained
> makes it likely an application (modbus) problem.

Yes, I thought it was interesting. I really wish I didn't fry the thing
as I'd like to have eliminated the possibility it was something funny on
my end.

So far, not a great record - these things seem about as robust as
network printers, which is to say, not very.

> Was it an ethernet
> to rs232 converter? (I obviously didn't look up the part number).

RS-485 to Ethernet.

> Did you happen to catalogue the 'crud' which you sent prior to
> failure?

I wish I had; but it was nothing unusual. I like to start out by
scanning and hammering these devices with common tools, so I used nmap,
nessus and amap. If I had to pick something, it would be setting amap on
502/tcp overnight that did it.

> I know particular header options have unexpected results a
> great deal of control systems. I also know particular vendor's ip
> stack implementations have been known to be produced some very things,
> eg, odd ip options (off the top of my head the AB series of PLCs).

Yes indeed, I cannot wait to get my hands on some real PLCs, and not
just these little converters or more modern pieces.

> Now I'm curious, what other devices are you testing?

2 more devices arrived yesterday:

- i.Board i.CanDoIt embedded webserver
(http://www.csimn.com/CSI_pages/iboard.html) which is built similar to
the Kohler in that it uses an embedded ethernet module, but this time
from Digi (http://www.digi.com/products/embeddedsolutions/digiconnectme.jsp)

- ADAM-4572 (http://www.ucs.co.uk/index.php?pid=948)

- Lantronix MSS485-T
(http://www.lantronix.com/device-networking/external-device-servers/mss485-t.html)

- Phoenix Contact FL IL 24 BK-PAC (http://tinyurl.com/2c6x96)

- DLI Ethernet DIN Relay (http://www.digital-loggers.com/din.html)



junk.account88 at yahoo

Jan 9, 2008, 4:27 PM

Post #7 of 12 (1387 views)
Re: scada/plc gear [In reply to]

Hello,

First of all, the tests you are doing sound very, very cool. Thank you for posting your results in a public forum. I am going through your other SCADA posts on full disclosure right now, and they are very informative.

What are the remaining 5 SCADA devices you have lined up for testing? Specifically, do you have any Telvent SAGE RTUs? I would like to see all the output you received from nmap, and possibly any logs of experiments you conducted on the Kohler Power Systems modbus/ethernet converter, as well as anything relating to future tests. However, I am very new to this list (first post) and I understand that we can take this off list if you believe it would annoy people. Since I am thinking this, perhaps others have the same sentiments?

Mostly, I am interested in RTUs, but if you were able to purchase everything for under 1k, it seems to me that a complete RTU might be a bit more expensive. Since this is "full disclosure", would you mind posting the 6 items you purchased and what you paid for them?

Thanks!



b9u4ea at gmail

Jan 10, 2008, 5:25 PM

Post #8 of 12 (1383 views)
Re: scada/plc gear [In reply to]

I believe the list of what is being tested was included in the
previous post to the list.

2 more devices arrived yesterday:

- i.Board i.CanDoIt embedded webserver
(http://www.csimn.com/CSI_pages/iboard.html) which is built similar to
the Kohler in that it uses an embedded ethernet module, but this time
from Digi (http://www.digi.com/products/embeddedsolutions/digiconnectme.jsp)

- ADAM-4572 (http://www.ucs.co.uk/index.php?pid=948)

- Lantronix MSS485-T
(http://www.lantronix.com/device-networking/external-device-servers/mss485-t.html)

- Phoenix Contact FL IL 24 BK-PAC (http://tinyurl.com/2c6x96)

- DLI Ethernet DIN Relay (http://www.digital-loggers.com/din.html)



gmaggro at rogers

Jan 11, 2008, 9:12 AM

Post #9 of 12 (1385 views)
Re: scada/plc gear [In reply to]

Anyone done any poking around with DNP3, ICCP, OPC, Ethernet/IP, etc.?

OK, some more results are in.

> - i.Board i.CanDoIt embedded webserver
> (http://www.csimn.com/CSI_pages/iboard.html) which is built similar to
> the Kohler in that it uses an embedded ethernet module, but this time
> from Digi (http://www.digi.com/products/embeddedsolutions/digiconnectme.jsp)

The Digiboard 'Connect ME' module has MAC prefix 00:40:9D and what
appears to be P/N: (1P) 50000878-03 M. At heart specs say it's an ARM
NS7520 MCU.

The iBoard is the most configurable device of the bunch so far and the
web interface is quite substantial. A very cool little box.

Stuff open on 21, 23, 80, 161, 502. sysDescr indicates "Control
Solutions i.CanDoIt BAS-700 ReMOTE I/O". HTTP is
Allegro-Software-RomPager/4.01, FTP says NET+OS 6.3.

Same basic tests on hammering 502 gave up nothing. Days pounding this
thing with crud and it never drops a connection or chokes. Can't wait to
start poking around inside of the modbus protocol instead of this cheese.

> - ADAM-4572 (http://www.ucs.co.uk/index.php?pid=948)

MAC prefix 00:D0:C9 "Advantech Co.".

Now this is an interesting box. The only thing open on it is 502. It's
not as robust as the iBoard, as hammering the ADAM-4572 on 502 with crud
caused it to stop responding within seconds. However, it came back
online within 10 seconds. It feels like this thing has a watchdog
built-in so when something throws an exception it reloads itself.

Opening it up, it's built of a great deal more discrete parts than the
other devices. The main parts are a couple QFPs (ARM MCU
S3C4510B01-QE80, Cortina Systems ethernet EGLXT970) and a PLCC
(am29f040b flash). I like the PLCC, that's easy to yank out, drop in a
programmer (I always liked the Needhams Electronics stuff) and dump.

-----------------------------

Handy utility in the same vein (but this one can perform writes) as the
modpoll utility mentioned earlier in the thread, is the mbread utility
contained in the following:
http://www.tuxplc.net/index.php?page=modbus-tcp-protocol

Commercial SCADA security testing platform/service which looks to be
setting itself up as some kind of standard:
http://www.wurldtech.com/achilles/index.php

An amusing, and somewhat inflammatory, article about the state of SCADA
related blackhattery:
http://www.digitalbond.com/index.php/2008/01/03/chaos-computer-club-ccc-scada-presentation-report/


gmaggro at rogers

Jan 15, 2008, 10:04 AM

Post #10 of 12 (1353 views)
Re: scada/plc gear [In reply to]

The Phoenix Contact 'FL IL 24 BK-PAC' arrived the other day. It is a
wonderfully German piece of DIN rail
(http://www3.telus.net/public/dt0116/items/dinrails.jpg) gear:

http://eshop.phoenixcontact.com/phoenix/images/productimages/large/20260_1000_int_04.jpg
http://eshop.phoenixcontact.com/phoenix/treeViewClick.do?UID=2862314

There is a two digit LED display on it, with a reset button underneath.
As soon as I saw that, I figured stability would be an issue. This
turned out to be a correct assumption. While the most aggressive of nmap
scans did not lock it up for me, Nessus (with everything enabled) did
every time. Normally the display reads '82' but when it goes south it
reads '88'.

In any case, nmap -TUVRC -p1-65535 shows TCP 80, 502, 1962 open along
with UDP 7, 161, 199, 1059, and 5500. Very interesting stuff. I've had
many dealings with networks of hundreds of thousands to millions of
nodes, and though the reasonable explanation is that I've forgotten it,
I don't ever recall seeing 1962/tcp and 5500/udp open. MAC prefix is
00:A0:45 (Phoenix Contact Gmbh & CO.). OS details, well... I severely
doubt this is a 3COM lan modem or Dell laser printer.

Hitting just 502 with crud caused it to stop responding within 10-30
seconds, but after a similarly short interval, 502 started responding again.

snmpwalking it gives a sysDescr of "Ethernet bus terminal", a sysName of
"FL IL 24 BK" and the ifDescr say "NET+ARM 10/100 Megabit Ethernet
Driver by NETSilicon" and "pNA+ Loopback Driver".

80 says "NET+ARM Web Server/1.00", and feels pretty snappy. The web
page, in addition to configuration options, also supplies a wiring
diagram and a mock-up of the faceplate with status LEDs, and other
reference information (status codes, etc).

Reading through the manual/PDFs for this device indicates that it uses
Interbus protocol, which has since been subsumed into something called
Profinet. Awesome - something new to explore.

I'd recommend picking up a FLIL24BK since it runs quite the profile of
interesting stuff in addition to modbus. I don't get why echo is there,
unless the developers thought it would serve as some kind of diagnostic
facility. It also responds quite differently to the mbread (from the
modbus-0.9 package) command.

-----------------------------

I was made aware of an interesting and easy-to-use fuzzing program that
contains modbus testing functionality:
http://www.beyondsecurity.com/bestorm_overview.html

Now it's too expensive for individual purchase (it appears to be geared
towards businesses) but they have a 30 minute time limited demo that is
quite functional. It's windows only. Someone might find it valuable to
fire it up against a modbus target, along with a sniffer to see what's
going on. For beginners or GUI only folks, it would make a great
introduction.

Scapy (http://www.secdev.org/projects/scapy/) is proving a nice &
powerful framework for mucking around. It has a 'fuzz' command which,
though simple, ought to be enough to construct some very handy stuff.

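Posts #9 and #10 above describe 502/tcp going quiet after being hammered with malformed traffic and coming back within seconds, and post #5 asks whether the "crud" that preceded the first failure was ever catalogued. As an added example that is not the poster's tooling, here is a reproducible MBAP mutation session in Python: every mutation is named, a seed fixes every random choice so a run can be replayed exactly, and after any silence the session re-probes with a known-good request so that a frame the target merely ignored is not logged as an outage, while a real outage is logged with the triggering frame and the number of probes the recovery took. FakeBridge, its "length field mismatch" crash and its `down_for` watchdog are invented for this example and model none of the devices in the thread; `tcp_sender` is the transport to use against a real unit on an isolated bench network. Scapy's `fuzz()` mutates fields at random; this does the same job with a log you can hand to someone else.

```python
"""Reproducible MBAP mutation session with liveness tracking (added example).
FakeBridge is a constructed stand-in target, not a model of any real product."""
import random
import socket
import struct

# A valid Read Holding Registers request: MBAP(tid=1, proto=0, len=6, unit=1) + FC 03, addr 0, count 1.
BASE = struct.pack(">HHHB", 1, 0, 6, 1) + struct.pack(">BHH", 0x03, 0, 1)

MUTATIONS = ["fc_high", "count_huge", "proto_id", "bitflip", "len_zero",
             "len_overflow", "truncate", "pad"]


def mutate(frame: bytes, name: str, rng: random.Random) -> tuple:
    """Apply one named, field-aware mutation; the name is what makes the log useful."""
    f = bytearray(frame)
    if name == "len_overflow":
        f[4:6] = b"\xff\xff"  # MBAP length claims 65535 bytes follow
    elif name == "len_zero":
        f[4:6] = b"\x00\x00"  # MBAP length claims nothing follows
    elif name == "proto_id":
        f[2:4] = struct.pack(">H", rng.randrange(1, 0x10000))  # non-Modbus protocol id
    elif name == "fc_high":
        f[7] = rng.choice([0x00, 0x7F, 0x80, 0xFF])  # undefined / exception-range function codes
    elif name == "count_huge":
        f[10:12] = b"\xff\xff"  # register count far beyond the 125 the spec allows
    elif name == "truncate":
        f = f[:rng.randrange(1, len(f))]
    elif name == "pad":
        f += bytes(rng.getrandbits(8) for _ in range(rng.randrange(1, 300)))
    elif name == "bitflip":
        i = rng.randrange(len(f))
        f[i] ^= 1 << rng.randrange(8)
    else:
        raise ValueError(name)
    return name, bytes(f)


def generate(seed: int, rounds: int) -> list:
    """Cycle through MUTATIONS; the seed fixes every random choice so a run can be replayed."""
    rng = random.Random(seed)
    return [mutate(BASE, MUTATIONS[i % len(MUTATIONS)], rng) for i in range(rounds)]


class FakeBridge:
    """Constructed target: answers well-formed frames; after one whose MBAP length disagrees
    with the bytes received it stays silent for `down_for` requests (a watchdog reset)."""
    def __init__(self, down_for: int = 3):
        self.down_for, self.silent = down_for, 0

    def __call__(self, frame: bytes):
        if self.silent:
            self.silent -= 1
            return None
        if len(frame) < 7:  # a real stack would keep waiting for the rest of the header
            return None
        tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
        if proto != 0:  # not Modbus: dropped, no crash
            return None
        if length != len(frame) - 6:  # the invented crash condition
            self.silent = self.down_for
            return None
        fc = frame[7]
        if fc != 0x03:
            return struct.pack(">HHHBBB", tid, 0, 3, unit, fc | 0x80, 0x01)
        count = struct.unpack(">H", frame[10:12])[0] if len(frame) >= 12 else 0
        if not 1 <= count <= 125:
            return struct.pack(">HHHBBB", tid, 0, 3, unit, 0x83, 0x03)
        return struct.pack(">HHHBBB", tid, 0, 3 + 2 * count, unit, 0x03, 2 * count) + bytes(2 * count)


def run_session(send, frames: list, good: bytes = BASE, max_probes: int = 10) -> dict:
    """Send each mutated frame; on silence, probe with a known-good request to tell a dropped
    frame (first probe answers) from an outage (probes fail, then recover, or never do)."""
    summary = {"sent": 0, "transient_timeouts": 0, "outages": [], "log": []}
    for i, (name, frame) in enumerate(frames):
        summary["sent"] += 1
        reply = send(frame)
        summary["log"].append((i, name, frame.hex(), None if reply is None else reply.hex()))
        if reply is not None:
            continue
        recovered_after = None
        for k in range(1, max_probes + 1):
            if send(good) is not None:
                recovered_after = k
                break
        if recovered_after == 1:
            summary["transient_timeouts"] += 1
            continue
        summary["outages"].append({"index": i, "mutation": name, "frame": frame.hex(),
                                   "recovered_after_probes": recovered_after})
        if recovered_after is None:
            break  # target stayed down: stop so the trigger is unambiguous
    return summary


def tcp_sender(host: str, port: int = 502, timeout: float = 2.0):
    """Real transport: one fresh connection per frame; None on timeout, refusal or reset."""
    def send(frame: bytes):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(frame)
                return s.recv(260) or None
        except OSError:
            return None
    return send


if __name__ == "__main__":
    import sys
    target = tcp_sender(sys.argv[1]) if len(sys.argv) > 1 else FakeBridge()
    result = run_session(target, generate(seed=1, rounds=16))
    print(result["sent"], "sent;", result["transient_timeouts"], "dropped;", result["outages"])
```

Run it with a host argument to drive a real target, or with none to exercise the stand-in. The fresh connection per frame matters on real gear: a device that closes or wedges the session after bad input would otherwise make every later frame look like a timeout, and "connection refused" on the re-probe is exactly the signal that 502 has gone away while the other ports stay up.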


gmaggro at rogers

Jan 15, 2008, 1:42 PM

Post #11 of 12 (1356 views)
Re: scada/plc gear [In reply to]

> An organized SCADA pen testing web presence would be extremely cool.
> ...
> What do you think? Do you think some sort of a forum/wiki would be a
> good medium to start with?

To some extent, yes, but considering that I do not respect intellectual
property laws of any kind, I just don't see how that would be workable.

For example: a compatriot of mine has a collection of SCADA related
Snort signatures. Someone else might have the Nessus SCADA plugins,
which are supposed to require you to sign up for a pricey feed.

Let's say they want to trade, or far more preferably, make the
information freely available. All at minimal risks to themselves, of
course. Not to help people protect themselves, but so people can
bootstrap their knowledge and perhaps generate attacks from them. Or
simply to shave time off due to laziness. I do not care, I just want to
see it out there and accessible to everyone.

Another example of particular interest to me is the PLCC flash on the
ADAM-4572 which I'm hoping contains all the code (i.e. nothing masked
onto the ARM mcu). It would be instructive to see how the network stack
was written, how modbus is implemented, etc. If this is the case I would
want to post the code for analysis. My assembly and reversing skills,
which are terrible in general, are even worse for anything non-x86. Much
help would be needed.

On a different note, I'd like to renew my call again for people to
donate to the software authors or projects that they use. Corporations
and businesses can take care of themselves, let's do what we can to
support the little guys - especially those that make the more 'evil'
tools :)



gmaggro at rogers

Jan 24, 2008, 6:38 AM

Post #12 of 12 (1326 views)
Re: scada/plc gear [In reply to]

One more device arrived, a Lantronix MSS485-T, an interesting and what
would appear to be older piece - it also supports IPX and LAT:
http://www.lantronix.com/device-networking/external-device-servers/mss485-t.html

All kinds of ports open on this thing according to nmap, but a little
odd... only TCP 23, 79, 513, 514, 2001, 2100, 2101, 3001, 7000, 13001,
14001.

There's no modbus (502) but I wasn't after that with this particular device.

Mac prefix is 00:80:A3 (Lantronix) and the OS guess is Lantronix MSSlite
device server.

snmpwalking yields a sysDescr of "Lantronix MSS485 Version
V3.6/4(000712)", a sysLocation "Micro Serial Server", a sysName
"MSS_1DF552" and an ifDescr "Lantronix Ethernet 802.3". According to
snmp it also says it has UDP 13, 37, 53, 123, 137, 161 and 520 open but
it lies.

A Nessus scan choked this thing up pretty good, and it would appear a
few aggressive nmap scans with scripting and versioning enabled caused it
to behave oddly. Oddly meaning some ports going filtered, others
dropping off, services still up running slow, etc. Perhaps a
co-incidence, but this device too has a reset button on it :)

I love cracking open the boxes on older gear; it tends to be built of
a lot more discrete parts and glue, instead of single chip solutions.
Often this results in them being more hackable. Significantly easier to
rework or piggyback a QFP with a clip than a P/BGA, yes? Backdoor the
firmware before selling it to the target you want to penetrate... or
just put it on ebay, have someone buy it, and wait for it to call home
or spit creds to an IRC channel. I have seen this demonstrated in a
controlled environment, but I often wonder how feasible it would be in
real life for a small group of individuals to carry out.

In any case, the main parts are a 68EC000 10MHz CPU, a Nat Semi
DP83902AVLJ NIC, an AMD flash, some NEC DRAM, and a Lantronix ASIC that
I cannot seem to dig much up on. This is because the graphics are a
little strangely printed, but it looks to say "AIM I 0044LHU LANTRONIX
SAL-10/20MHz 220-170". I'm guessing it's something to do with the serial
(rs485) protocols, but I'd appreciate being told what it actually is.
