-
Notifications
You must be signed in to change notification settings - Fork 28
/
s71200-enumerate-old.nse
105 lines (95 loc) · 3.22 KB
/
s71200-enumerate-old.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
-- Nmap Scripting Engine
-- required packages for this script
--
-- ICS Discovery Tools Releases
-- ICS Security Workspace(plcscan.org)
---
local bin = require "bin"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
description = [[
discover Siemens SIMATIC S7 1200 PLC.
Based on TIA Portal software.
]]
author = "ICS Security Workspace(plcscan.org)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery","intrusive"}
--
-- @usage
-- nmap -sP --script s71200-enumerate-old.nse -p 102 <host/s>
--
-- @output
--102/tcp open Siemens S7 1200 Ethernet Controller
--| s71200-enumerate-old.nse:
--| Basic Hardware: 6ES7 212-1HE31-0XB0
--|_ Firmware Version: V3.0
--
function set_nmap(host, port)
port.state = "open"
port.version.name = "iso-tsap"
port.version.product = "Siemens S7 1200 Ethernet Controller"
nmap.set_port_version(host, port)
nmap.set_port_state(host, port, "open")
end
function send_receive(socket, query)
local sendstatus, senderr = socket:send(query)
if(sendstatus == false) then
return "Error Sending pack"
end
local rcvstatus,response = socket:receive()
if(rcvstatus == false) then
return "Error Reading pack"
end
return response
end
portrule = shortport.port_or_service(102, "iso-tsap", "tcp")
action = function(host,port)
-- soft handshake Methods one
local connectpack = bin.pack("H","030000231ee00000000600c1020600c20f53494d415449432d524f4f542d4553c0010a")
-- soft handshake Methods two
-- local connectpack = bin.pack("H","0300001611e00000000800c1020600c2020600c0010a")
-- send local connection packet(IE NIC and session)
local gethwinfo = bin.pack("H","030000e502f080720100d631000004ca00000001"..
"00000120360000011d00040000000000a1000000"..
"d3821f0000a38169001515536572766572536573"..
"73696f6e5f31433943333932a3822100152c313a"..
"3a3a362e303a3a5443502f4950202d3e2042726f"..
"6164636f6d204e65744c696e6b2028544d29202e"..
"2e2ea38228001500a38229001500a3822a001516"..
"4846504654385246375052474837595f34313831"..
"3731a3822b000401a3822c001201c9c392a3822d"..
"001500a1000000d3817f0000a381690015155375"..
"62736372697074696f6e436f6e7461696e6572a2"..
"a20000000072010000")
local response
local output = stdnse.output_table()
local sock = nmap.new_socket()
local constatus,conerr = sock:connect(host,port)
if not constatus then
stdnse.print_debug(1,
'Error establishing connection for %s - %s', host,conerr
)
return nil
end
response = send_receive(sock, connectpack)
local s7, length_hex = bin.unpack("C", response, 4)
if ( length_hex == 0x23 ) then
s7, output["Connectstatus"] = "S7 Connect ok"
response = send_receive(sock, gethwinfo)
local s7, protocol_id = bin.unpack("C", response, 1)
if ( #response > 80 and protocol_id == 0x03 ) then
local s, e = string.find(response, "6ES7")
local o, d = string.find(response, "V")
local offset = 15
output["Basic Hardware"] = string.sub(response, s, e + offset)
output["Firmware Version"] = string.sub(response, o, d + 3)
set_nmap(host, port)
sock:close()
return output
end
sock:close()
end
end