Our Stephen Hilt released another Project Redpoint script as part of his DerbyCon presentation on Sunday. Modicon-info.nse will identify PLC’s and other Schneider Electric/Modicon devices on the network and then enumerates the device.
The script pulls information that would be helpful in maintaining an inventory as well as assessing the security status of the device, such as types of Ethernet, CPU modules and memory cards as well as the firmware version.
My favorite part of the script is the Project Information field. Here you will see the name of the Project, the version number of Unity Pro (the engineering workstation software) that was used to load the Project, and often where on the engineering workstation the Project file is stored. Below is sample output; click on the picture to see a larger version.
This script is possible due to Schneider Electric’s proprietary and magic function code 90. This is the same function code that Reid used in the modicon_stux_transfer metasploit module to upload and download logic to the PLC a la Stuxnet. You can do almost anything you want to the Schneider PLC’s through this unauthenticated, insecure by design function code 90.
The script begins using function code 43 to identify if there is a Modbus device at the targeted IP address. Schneider, unlike many vendors, supports function code 43 and will return some variant of Schneider in the response message. I should note that even if the Modbus device being queried does not support function code 43 the response can confirm it is a Modbus device.
We had an internal discussion on whether the script should include all identified Modbus devices, but decided to only report on Schneider/Modicon devices since there were already Modbus detection capabilities in Nmap. If we can pull additional useful information there may be a generic Modbus script in the Redpoint rack in the future.