Nmap Network Exploration and Security Auditing Cookbook, Third Edition

Product type: Book
Published in: Sep 2021
Publisher: Packt
ISBN-13: 9781838649357
Pages: 436
Edition: 3rd Edition
Author: Paulino Calderon

Table of Contents (22 chapters)

Preface
Chapter 1: Nmap Fundamentals
Chapter 2: Getting Familiar with Nmap's Family
Chapter 3: Network Scanning
Chapter 4: Reconnaissance Tasks
Chapter 5: Scanning Web Servers
Chapter 6: Scanning Databases
Chapter 7: Scanning Mail Servers
Chapter 8: Scanning Windows Systems
Chapter 9: Scanning ICS/SCADA Systems
Chapter 10: Scanning Mainframes
Chapter 11: Optimizing Scans
Chapter 12: Generating Scan Reports
Chapter 13: Writing Your Own NSE Scripts
Chapter 14: Exploiting Vulnerabilities with the Nmap Scripting Engine
Other Books You May Enjoy
Appendix A: HTTP, HTTP Pipelining, and Web Crawling Configuration Options
Appendix B: Brute-Force Password Auditing Options
Appendix C: NSE Debugging
Appendix D: Additional Output Options
Appendix E: Introduction to Lua
Appendix F: References and Additional Reading

Chapter 9: Scanning ICS/SCADA Systems

Industrial Control System (ICS)/Supervisory Control and Data Acquisition (SCADA) systems are part of the critical infrastructure found in power plants, chemical factories, oil refineries, and other large complexes. As the monitoring technology has matured, networking capabilities aimed to improve connectivity among components have introduced a new type of risk: network attacks. To make it worse, systems believed to be in isolated networks have been found connected to the internet and completely accessible remotely. Unfortunately, the number of critical systems found online has been growing steadily, and still to this day it is very common to find organizations with interconnected networks that allow access to network segments where the ICS/SCADA systems are.

Security researchers have repeatedly shown that many ICS/SCADA protocols and products are extremely vulnerable, because most were designed without any security controls: no authentication, no integrity protection, and no encryption. Nmap needs to be used carefully when scanning...

Finding common ports used in ICS/SCADA systems

Critical infrastructure needs to be handled with extra care: there have been reports of ordinary port scans, and even ping sweeps, rebooting devices or knocking them offline. This is especially dangerous on production networks, where damage or disruption to the service can cost the organization hundreds of thousands, even millions, of dollars. For this reason, we cannot scan aggressively and flood the network or, worse, the device's TCP/IP stack; instead, a carefully selected list of probes must be sent slowly, one at a time.

This recipe shows you how to identify common ICS/SCADA protocols safely with Nmap. The command uses a full TCP connect scan (-sT), so every connection is completed and closed cleanly rather than left half-open, sends a single probe at a time (--max-parallelism 1) and waits one second between probes (--scan-delay 1s). Note that the port list is TCP only; protocols that answer on UDP, such as BACnet on 47808 and EtherNet/IP on 44818, need a separate, equally throttled -sU scan.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p80,102,443,502,530,593,789,1089-1091,1911,1962,2222,2404,4000,4840,4843,4911,9600,19999,20000,20547,34962-34964,34980,44818,46823,46824,55000-55003 <target>

Each port listed corresponds to a known ICS/SCADA protocol...

Finding HMI systems

Human Machine Interface (HMI) systems are regularly found in SCADA networks, and they do not necessarily listen on the same ports as the PLCs and other ICS devices, although some HMIs do speak ICS protocols. For example, Sielco Sistemi Winlog is a simple but very popular PC-based HMI package for which remote exploits are publicly available.

This recipe shows you how to identify Sielco Sistemi Winlog instances (and HMI systems in general) on the network with Nmap.

How to do it...

To find Sielco Sistemi Winlog instances, run the following command:

$ nmap -Pn -sT -p46824 <target>

A listener on TCP port 46824 may indicate a Sielco Sistemi Winlog server. The port number alone is not proof, so confirm the finding with version detection (-sV), keeping the throttling caveats from the first recipe in mind.

How it works...

Sielco Sistemi Winlog's server runs on TCP port 46824 and it is susceptible to a critical remote code execution vulnerability. We used the nmap -Pn -sT -p46824 <target> command to identify whether the target is running a server on port 46824 (-p46824). Once...

Enumerating Siemens SIMATIC S7 PLCs

Siemens S7 PLC devices from the S7-300/400 family use the S7comm protocol for PLC programming, data exchange between PLCs and SCADA systems, and diagnostics. These devices normally listen on TCP port 102 (iso-tsap), and with some help from the scripting engine we can use the unauthenticated diagnostic functions to obtain information from them.

This recipe shows you how to enumerate Siemens S7 PLC devices with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -Pn -sT -p102 --script s7-info <target>

The s7-info script will obtain device information, as shown next:

PORT STATE SERVICE
102/tcp open    iso-tsap
| s7-info:
|     Module: 6ES7 420-2FK14-1DB3
|     Basic Hardware: 6ES7 420-2FK14-1DB3
|     Version: 3.2.11
|     System Name: SIMATIC 300(1)
|   ...

Enumerating Modbus devices

Modbus/TCP is an open application protocol used by a great many SCADA devices to exchange process data, and it is one of the most widely deployed ICS protocols. It carries no authentication, so anyone who can reach TCP port 502 can find the valid slave IDs (unit identifiers) behind an endpoint and retrieve device and firmware information remotely.

This recipe shows you how to enumerate Modbus Slave IDs (SIDs) with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -Pn -sT -p502 --script modbus-discover <target>

By default, the modbus-discover script stops at the first slave ID that answers and reports that device's information; pass --script-args modbus-discover.aggressive=true to enumerate every responding SID. What is displayed depends on the device's response:

PORT STATE SERVICE
502/tcp open    modbus
| modbus-discover:
|    sid0x0:
|_   Slave ID data: \xB4\xFFLMB3.0.3

How it works...

The modbus-discover script enumerates Modbus devices and their SID information. It was written by Alexander Rudakov to improve the...
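To make the exchange behind modbus-discover concrete, here is an added example (my own code, not the NSE script or anything from the book) of the Report Slave ID probe (function 0x11) that the script sends per unit id, the MBAP framing around it, and how the reply is classified. A normal 0x11 answer or an "illegal function" exception means a device is present at that unit id; a gateway exception (0x0A path unavailable, 0x0B target failed to respond) means nothing is behind it. The classification rules, the 1..247 range and the simulated gateway with its two constructed devices are my assumptions; the slave-id bytes for unit 1 are the ones shown in the page's output.

```python
import socket
import struct
import time

# Modbus function and exception codes (Modbus Application Protocol spec).
FC_REPORT_SLAVE_ID = 0x11
EXC_ILLEGAL_FUNCTION = 0x01
EXC_GATEWAY_PATH_UNAVAILABLE = 0x0A
EXC_GATEWAY_TARGET_FAILED = 0x0B


def build_report_slave_id(unit_id, transaction_id=1):
    """Modbus/TCP ADU: 7-byte MBAP header + PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, counts the
    unit id plus the PDU), unit id (1). Report Slave ID is the bare function
    code 0x11 with no request data.
    """
    pdu = bytes([FC_REPORT_SLAVE_ID])
    mbap = struct.pack(">HHHB", transaction_id & 0xFFFF, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame):
    """Return {'unit_id', 'slave_id'} for a real answer or {'unit_id', 'exception'}."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    pdu = frame[7:]
    function = pdu[0]
    if function & 0x80:                      # exception: function | 0x80, then 1-byte code
        return {"unit_id": unit_id, "exception": pdu[1]}
    if function == FC_REPORT_SLAVE_ID:
        count = pdu[1]                       # byte count, then vendor-defined slave id bytes
        data = pdu[2:2 + count]
        if len(data) != count:
            raise ValueError("truncated slave id data")
        return {"unit_id": unit_id, "slave_id": data}
    raise ValueError("unexpected function code 0x%02x" % function)


def classify(result):
    """'present' if something answers on that unit id, 'absent' if the gateway could not reach it."""
    if "slave_id" in result or result["exception"] == EXC_ILLEGAL_FUNCTION:
        return "present"
    if result["exception"] in (EXC_GATEWAY_PATH_UNAVAILABLE, EXC_GATEWAY_TARGET_FAILED):
        return "absent"
    return "unknown"


def enumerate_unit_ids(send, unit_ids=range(1, 248), stop_at_first=True):
    """One Report Slave ID probe per unit id via send(frame) -> reply bytes.

    Unit ids 1-247 are the valid slave range (0 is broadcast, 248-255 reserved).
    stop_at_first mirrors the non-aggressive default; False walks the whole range.
    Returns {unit_id: slave_id_bytes or None when 0x11 is unsupported}.
    """
    found = {}
    for transaction_id, unit_id in enumerate(unit_ids, start=1):
        result = parse_response(send(build_report_slave_id(unit_id, transaction_id)))
        if classify(result) == "present":
            found[unit_id] = result.get("slave_id")
            if stop_at_first:
                break
    return found


def make_tcp_sender(host, port=502, timeout=3.0, delay=1.0):
    """Real transport (assumed, untested here): one connection, one probe at a time, paused."""
    sock = socket.create_connection((host, port), timeout=timeout)

    def send(frame):
        time.sleep(delay)        # throttle like --scan-delay, to spare fragile PLC stacks
        sock.sendall(frame)
        return sock.recv(260)    # maximum Modbus/TCP ADU size
    return send


# Constructed stand-in for a Modbus/TCP gateway (not a real device): unit 1 answers
# 0x11 with the slave-id bytes from the page's output, unit 5 exists but rejects 0x11,
# and every other unit id is unreachable behind the gateway.
SIMULATED_UNITS = {1: b"\xB4\xFFLMB3.0.3", 5: None}


def simulated_gateway(request):
    transaction_id, _, _, unit_id = struct.unpack(">HHHB", request[:7])
    function = request[7]
    if unit_id not in SIMULATED_UNITS:
        pdu = bytes([function | 0x80, EXC_GATEWAY_TARGET_FAILED])
    elif SIMULATED_UNITS[unit_id] is None:
        pdu = bytes([function | 0x80, EXC_ILLEGAL_FUNCTION])
    else:
        data = SIMULATED_UNITS[unit_id]
        pdu = bytes([function, len(data)]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    print(enumerate_unit_ids(simulated_gateway, stop_at_first=False))
```

Swap simulated_gateway for make_tcp_sender("<target>") to run it against a real endpoint; the delay between probes is deliberate, since walking 247 unit ids is 247 requests to a device that may not tolerate bursts.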

Enumerating BACnet devices

BACnet is the standard protocol of building automation systems, used to interconnect and control HVAC, power and ventilation equipment and many other building components; BACnet/IP listens on UDP port 47808 (0xBAC0). With some help from the Nmap Scripting Engine it is possible to gather information from these devices, such as vendor, device name, serial number, description, location, and even the firmware version, without any authentication.

This recipe shows you how to detect and collect information from BACnet devices with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -Pn -sU -p47808 --script bacnet-info <target>

The bacnet-info script will obtain device information, as shown next:

PORT STATE SERVICE
47808/udp open  bacnet
| bacnet-info:
|    Vendor ID: Carel S.p.A. (77)
|    Vendor Name: Carel S.p.A.
|    Object-identifier: 77000
|    Firmware: A1.4.9 - B1.2.4
|    Application...

Enumerating EtherNet/IP devices

EtherNet/IP is a very popular industrial protocol that runs over standard Ethernet and TCP/IP and carries the Common Industrial Protocol (CIP), which provides the services and device profiles the applications need. EtherNet/IP devices from many vendors listen on port 44818 (TCP for explicit messaging and UDP, which the script uses, for the ListIdentity request), and from a single unauthenticated ListIdentity reply we can gather the vendor name, product name, serial number, device type, product code, internal IP address, and firmware revision.

This recipe shows you how to enumerate EtherNet/IP devices with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -Pn -sU -p44818 --script enip-info <target>

The enip-info script will obtain device information as shown next:

PORT STATE SERVICE
44818/udp open  EtherNet-IP-2
| enip-info:
|    Vendor: Rockwell Automation/Allen-Bradley (1)
|    Product Name: PanelViewPlus_6 1500
|    Serial Number: 0x00123456...
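The identity fields above all come from one ListIdentity exchange. As an added example (my own code, not the enip-info script or anything from the book), the following builds the 24-byte encapsulation request, parses the reply item by item, and checks the echoed sender context so a reply to somebody else's probe is not mistaken for ours. The reply used for testing is constructed, not a capture; its vendor and product name match the page's output, while the IP, revision, device type and product code values are made up, and only vendor ID 1 is decoded.

```python
import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
CPF_ITEM_IDENTITY = 0x000C
# Encapsulation header, little-endian: command, length, session, status, sender context, options
HEADER = "<HHII8sI"
VENDOR_NAMES = {1: "Rockwell Automation/Allen-Bradley"}   # abbreviated; the CIP vendor list is long


def build_list_identity(sender_context=b"nmapenip"):
    """ListIdentity is a bare 24-byte header: command 0x63, no payload (length 0).

    The 8-byte sender context is opaque to the device and echoed back unchanged,
    which lets a scanner match replies to its own probe.
    """
    context = sender_context[:8].ljust(8, b"\0")
    return struct.pack(HEADER, CMD_LIST_IDENTITY, 0, 0, 0, context, 0)


def parse_list_identity(data, expected_context=None):
    """Parse a ListIdentity reply into the fields enip-info reports."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    command, length, _session, status, context, _options = struct.unpack(HEADER, data[:24])
    if command != CMD_LIST_IDENTITY or status != 0:
        raise ValueError("not a successful ListIdentity reply")
    if length != len(data) - 24:
        raise ValueError("encapsulation length does not match payload")
    if expected_context is not None and context != expected_context[:8].ljust(8, b"\0"):
        raise ValueError("sender context mismatch: reply to a different probe")
    body = data[24:]
    (item_count,) = struct.unpack("<H", body[:2])
    offset = 2
    for _ in range(item_count):                 # Common Packet Format: type id, length, data
        type_id, item_len = struct.unpack("<HH", body[offset:offset + 4])
        offset += 4
        item = body[offset:offset + item_len]
        offset += item_len
        if type_id != CPF_ITEM_IDENTITY:
            continue
        (proto_version,) = struct.unpack("<H", item[0:2])
        # The socket address is a BSD sockaddr_in and, unlike the rest, big-endian.
        _family, port, raw_ip = struct.unpack(">HH4s", item[2:10])   # item[10:18] is sin_zero
        (vendor, device_type, product_code, rev_major, rev_minor,
         dev_status, serial, name_len) = struct.unpack("<HHHBBHIB", item[18:33])
        name = item[33:33 + name_len].decode("ascii", "replace")
        state = item[33 + name_len]
        return {
            "protocol_version": proto_version,
            "ip": socket.inet_ntoa(raw_ip), "port": port,
            "vendor_id": vendor, "vendor": VENDOR_NAMES.get(vendor, "unknown (%d)" % vendor),
            "device_type": device_type, "product_code": product_code,
            "revision": "%d.%d" % (rev_major, rev_minor), "status": dev_status,
            "serial": serial, "product_name": name, "state": state,
        }
    raise ValueError("no identity item in reply")


def list_identity(host, timeout=3.0):
    """Real transport (assumed, untested here): exactly one datagram, first reply parsed."""
    context = b"nmapenip"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_list_identity(context), (host, ENIP_PORT))
        data, _ = sock.recvfrom(4096)
    return parse_list_identity(data, expected_context=context)


def build_sample_reply(context=b"nmapenip"):
    """Constructed reply (not a capture) shaped like a real identity item."""
    name = b"PanelViewPlus_6 1500"
    item = struct.pack("<H", 1)                                               # protocol version
    item += struct.pack(">HH4s8s", 2, ENIP_PORT, socket.inet_aton("192.0.2.10"), b"\0" * 8)
    item += struct.pack("<HHHBBHIB", 1, 0x18, 0x0052, 5, 10, 0x0030, 0x00123456, len(name))
    item += name + bytes([0x03])                                              # product name, state
    body = struct.pack("<HHH", 1, CPF_ITEM_IDENTITY, len(item)) + item       # item count = 1
    return struct.pack(HEADER, CMD_LIST_IDENTITY, len(body), 0, 0, context, 0) + body


if __name__ == "__main__":
    print(parse_list_identity(build_sample_reply(), expected_context=b"nmapenip"))
```

One datagram per host is all this costs, which is why ListIdentity is a safe first probe on an EtherNet/IP segment; the context check matters when several scanners, or a broadcast, are in play.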

Enumerating Niagara Fox devices

Devices using the Niagara Fox protocol usually operate on TCP ports 1911 and 4911. They allow us to gather information remotely from them, such as application name, Java version, host OS, time zone, local IP address, and software versions involved in the stack. The fox-info NSE script is one of the very few tools available that allow us to work with this protocol and extract this information easily.

This recipe shows you how to detect and collect information from devices using the Niagara Fox protocol with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -Pn -sT -p1911,4911 --script fox-info <target>

The fox-info script will obtain device information, as shown next:

PORT STATE SERVICE
1911/tcp open   niagara-fox
| fox-info:
|    fox.version: 1.0.1
|    hostName: 192.168.1.128
|    hostAddress: 192.168.1.128
|    app.name...

Enumerating ProConOS devices

ProConOS is a PLC runtime engine designed for embedded or PC-based control applications. Its network service, on TCP port 20547, can be queried for system information without authentication, and it returns details such as the PLC type, project name, project source code name, and ladder logic runtime version.

This recipe shows you how to enumerate ProConOS PLCs with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -Pn -sT -p20547 --script proconos-info <target>

The proconos-info script will obtain device information, as shown next:

PORT STATE SERVICE
20547/tcp open  ProConOS
| proconos-info:
|    LadderLogicRuntime: ProConOS V4.1.0230 Feb 4 2011
|    PLC Type: Bristol: CWM V05:40:00 02/04
|    Project Name: Test
|    Boot Project:
|_   Project Source Code: Test_2

How it works...

The proconos-info script detects...

Enumerating Omron PLC devices

Omron PLC devices use the FINS protocol, which runs over UDP or TCP (port 9600) to control machines on the network. The Nmap Scripting Engine can enumerate these devices and obtain additional information about the controller.

This recipe shows you how to enumerate Omron PLC devices with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -Pn -sU -p9600 --script omron-info <target>

The omron-info script will obtain device information, as shown next:

PORT STATE SERVICE
9600/udp open   OMRON FINS
| omron-info:
|    Controller Model: CJ2M-CPU32    02.01
|    Controller Version: 02.01
|    For System Use:
|    Program Area Size: 20
|    IOM size: 23
|    No. DM Words: 32768
|    Timer/Counter: 8
|    Expansion DM Size: 1
|    No. of...

Enumerating PCWorx devices

Phoenix Contact PCWorx devices can be mapped on the network because their service (TCP port 1962) answers unauthenticated requests with system information such as the PLC type, model number, and firmware details.

This recipe shows you how to enumerate PCWorx devices with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -Pn -sT -p1962 --script pcworx-info <target>

The pcworx-info script will obtain device information, as shown next:

PORT STATE SERVICE
1962/tcp open   pcworx
| pcworx-info:
|    PLC Type: ILC 330 ETH
|    Model Number: 2737193
|    Firmware Version: 3.95T
|    Firmware Date: Mar   2 2012
|_   Firmware Time: 09:39:02

How it works...

The pcworx-info script detects PCWorx devices and gathers information about the device, such as type, model number, and firmware information. In the previous command, we...
