Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Full-disclosure] scada/plc gear

From: gmaggro (gmaggrorogers.com)
Date: Thu Jan 24 2008 - 08:38:21 CST

One more device arrived, a Lantronix MSS485-T, an interesting and what
would appear to be older piece - it also supports IPX and LAT:

All kinds of ports open on this thing according to nmap, but a little
odd... only TCP 23, 79, 513, 514, 2001, 2100, 2101, 3001, 7000, 13001,

There's no modbus (502) but I wasn't after that with this particular device.

Mac prefix is 00:80:A3 (Lantronix) and the OS guess is Lantronix MSSlite
device server.

snmpwalking yields a sysDescr of "Lantronix MSS485 Version
V3.6/4(000712)", a sysLocation "Micro Serial Server", a sysName
"MSS_1DF552" and an ifDescr "Lantronix Ethernet 802.3". According to
snmp it also says it has UDP 13, 37, 53, 123, 137, 161 and 520 open but
it lies.

A Nessus scan choked this thing up pretty good, and it would appear a
few aggresive nmap scans with scripting and versioning enabled caused it
to behave oddly. Oddly meaning some ports going filtered, others
dropping off, services still up running slow, etc. Perhaps a
co-incidence, but this device too has a reset button on it :)

I love cracking open the boxes on older gear; it tends to be built of
alot more discrete parts and glue, instead of single chip solutions.
Often this results in them being more hackable. Significantly easier to
rework or piggyback a QFP with a clip than a P/BGA, yes? Backdoor the
firmware before selling it to the target you want to penetrate... or
just put it on ebay, have someone buy it, and wait for it to call home
or spit creds to an IRC channel. I have seen this demonstrated in a
controlled environment, but I often wonder how feasible it would be in
real life for a small group of individuals to carry out.

In any case, the main parts are a 68EC000 10MHz CPU, a Nat Semi
DP83902AVLJ NIC, an AMD flash, some NEC DRAM, and a Lantronix ASIC that
I cannot seem to dig much up on. This is because the graphics are a
little strangely printed, but it looks to say "AIM I 0044LHU LANTRONIX
SAL-10/20MHz 220-170". I'm guessing it's something to do with the serial
(rs485) protocols, but I'd appreciate being told what it actually is.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/