Re: [Full-disclosure] scada/plc gear
- From: gmaggro <gmaggro@xxxxxxxxxx>
- Date: Fri, 11 Jan 2008 12:12:47 -0500
Anyone one done any poking around with DNP3, ICCP, OPC, Ethernet/IP, etc.?
OK, some more results are in.
- i.Board i.CanDoIt embedded webserver
(http://www.csimn.com/CSI_pages/iboard.html) which is built similar to
the Kohler in that it uses an embedded ethernet module, but this time
from Digi (http://www.digi.com/products/embeddedsolutions/digiconnectme.jsp)
The Digiboard 'Connect ME' module has MAC prefix 00:40:9D and what
appears to be P/N: (1P) 50000878-03 M. At heart specs say it's an ARM
NS7520 MCU.
The iBoard is the most configurable device of the bunch so far and the
web interface is quite substantial. A very cool little box.
Stuff open on 21, 23, 80, 161, 502. sysDescr indicates "Control
Solutions i.CanDoIt BAS-700 ReMOTE I/O". HTTP is
Allegro-Software-RomPager/4.01, FTP says NET+OS 6.3.
Same basic tests on hammering 502 gave up nothing. Days pounding this
thing with crud and it never drops a connection or chokes. Can't wait to
start poking around inside of the modbus protocol instead of this cheese.
- ADAM-4572 (http://www.ucs.co.uk/index.php?pid=948)
MAC prefix 00:D0:C9 "Advantech Co.".
Now this is an interesting box. The only thing open on it is 502. It's
not as robust as the iBoard, as hammering the ADAM-4572 on 502 with crud
caused it to stop responding within seconds. However, it came back
online within 10 seconds. It feels like this thing has a watchdog
built-in so when something throws an exception it reloads itself.
Opening it up, it's built of a great deal more discrete parts than the
other devices. The main parts are a couple QFPs (ARM MCU
S3C4510B01-QE80, Cortina Systems ethernet EGLXT970) and a PLCC
(am29f040b flash). I like the PLCC, that's easy to yank out, drop in a
programmer (I always liked the Needhams Electronics stuff) and dump.
-----------------------------
Handy utility in the same vein (but this one can perform writes) as the
modpoll utility mentioned earlier in the thread, is the mbread utility
contained in the following:
http://www.tuxplc.net/index.php?page=modbus-tcp-protocol
Commercial SCADA security testing platfom/service which looks to be
setting itself up as some kind of standard:
http://www.wurldtech.com/achilles/index.php
An amusing, and somewhat inflammatory, article about the state of SCADA
related blackhattery:
http://www.digitalbond.com/index.php/2008/01/03/chaos-computer-club-ccc-scada-presentation-report/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- References:
- Re: [Full-disclosure] scada/plc gear
- From: Worthless Email
- Re: [Full-disclosure] scada/plc gear
- From: b9u4ea
- Re: [Full-disclosure] scada/plc gear
- Prev by Date: Re: [Full-disclosure] FWD: PhotoPost vBGallery ImportantSecurity Bulletin
- Next by Date: [Full-disclosure] StreamAudio ChainCast ProxyManager ccpm_0237.dll Buffer Overflow
- Previous by thread: Re: [Full-disclosure] scada/plc gear
- Next by thread: Re: [Full-disclosure] scada/plc gear
- Index(es):
Relevant Pages
|
