1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
local string = require "string"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
description = [[
This NSE script will query and parse pcworx protocol to a remote PLC.
The script will send a initial request packets and once a response is received,
it validates that it was a proper response to the command that was sent, and then
will parse out the data. PCWorx is a protocol and Program by Phoenix Contact.
http://digitalbond.com
]]
---
-- @usage
-- nmap --script pcworx-info -p 1962 <host>
--
--
-- @output
--| pcworx-info:
--| PLC Type: ILC 330 ETH
--| Model Number: 2737193
--| Firmware Version: 3.95T
--| Firmware Date: Mar 2 2012
--|_ Firmware Time: 09:39:02
--
--
-- @xmloutput
--<elem key="PLC Type">ILC 330 ETH</elem>
--<elem key="Model Number">2737193</elem>
--<elem key="Firmware Version">3.95T</elem>
--<elem key="Firmware Date">Mar 2 2012</elem>
--<elem key="Firmware Time">09:39:02</elem>
author = "Stephen Hilt (Digital Bond)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery"}
portrule = shortport.port_or_service(1962, "pcworx", "tcp")
-- Safely extract a zero-terminated string if the blob is long enough
-- Returns nil if it is not.
local function get_string(blob, offset)
if #blob >= offset then
return string.unpack("z", blob, offset)
end
end
---
-- Action Function that is used to run the NSE. This function will send the initial query to the
-- host and port that were passed in via nmap. The initial response is parsed to determine if host
-- is a pcworx Protocol device. If it is then more actions are taken to gather extra information.
--
-- @param host Host that was scanned via nmap
-- @param port port that was scanned via nmap
action = function(host,port)
local init_comms = "\x01\x01\0\x1a\0\0\0\0x\x80\0\x03\0\x0cIBETH01N0_M\0"
-- create table for output
local output = stdnse.output_table()
-- create new socket
local socket = nmap.new_socket()
-- define the catch of the try statement
local catch = function()
socket:close()
end
local try = nmap.new_try(catch)
try(socket:connect(host, port))
try(socket:send(init_comms))
local response = try(socket:receive())
if not response:match("^\x81") then
stdnse.debug1("Unexpected or unknown PCWorx message.")
return nil
end
-- pcworx has a session ID that is generated by the PLC
-- This will pull the SID so we can communicate further to the PLC
local sid = string.sub(response, 18, 18)
local init_comms2 = "\x01\x05\0\x16\0\x01\0\0\x78\x80\0" .. sid .. "\0\0\0\x06\0\x04\x02\x95\0\0"
try(socket:send(init_comms2))
-- receive response
response = try(socket:receive())
-- TODO: verify this
-- this is the request that will pull all the information from the PLC
local req_info = "\x01\x06\0\x0e\0\x02\0\0\0\0\0" .. sid .. "\x04\0"
try(socket:send(req_info))
-- receive response
response = try(socket:receive())
-- if the response starts with 0x81 then we will continue
if not response:match("^\x81") then
stdnse.debug1("Unexpected or unknown PCWorx message.")
socket:close()
return nil
end
-- create output table with proper data
output["PLC Type"] = get_string(response, 31)
output["Model Number"] = get_string(response, 153)
output["Firmware Version"] = get_string(response, 67)
output["Firmware Date"] = get_string(response, 80)
output["Firmware Time"] = get_string(response, 92)
-- close socket and return output table
socket:close()
return output
end
|
