Add scripts to perform unicast and broadcast device discovery for Codesys V3 based PLCs
This patch adds two NSE scripts which allow device discovery of Codesys V3 based PLCs on a network.
Codesys is a widely used PLC runtime licensed and customized by different automation vendors. This runtime has a custom network protocol that contains multiple protocol layers. It supports different physical layers like serial links and CAN, but also Ethernet using UDP or TCP. It supports routing between different network segments, tunnels higher application layer traffic between devices and so on and so forth. It's complicated, and it is mostly used by the engineering software to interact with PLCs on the network, even though you can do a lot more with it.
It is also used for device discovery. The scripts I wrote use the device discovery mechanisms of this protocol to find devices on a network segment. There is a broadcast variant that tries to find all devices on a network and a unicast variant that allows querying information from a single device.
Sample outputs:
Broadcast variant:
```
$ sudo ./nmap --script broadcast-codesys-discover -e enp11s0f0.20
[sudo] password for andy:
Starting Nmap 7.92SVN ( https://nmap.org ) at 2021-09-28 19:17 CEST
Pre-scan script results:
| broadcast-codesys-discover:
|   192.168.20.13:
|     interface: enp11s0f0.20
|     deviceAddress: 192.168.20.13
|     targetVendor: WAGO
|     targetName: WAGO 750-8206 PFC200 2ETH RS CAN DPS
|     deviceName: PFC200-438F4C
|     targetID: 0x10061204
|     targetType: 0x1000
|_    targetVersion: 5.15.4.0
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 3.29 seconds
```
Unicast variant:
```
$ sudo ./nmap --script codesys-plc-info -sU -p1740 192.168.20.13
[sudo] password for andy:
Starting Nmap 7.92SVN ( https://nmap.org ) at 2021-09-28 19:22 CEST
Nmap scan report for pfc200-438f4c.research.galauner.de (192.168.20.13)
Host is up (0.00063s latency).

PORT     STATE         SERVICE
1740/udp open|filtered encore
| codesys-plc-info:
|   192.168.20.13:
|     deviceAddress: 192.168.20.13
|     targetVendor: WAGO
|     targetName: WAGO 750-8206 PFC200 2ETH RS CAN DPS
|     deviceName: PFC200-438F4C
|     targetID: 0x10061204
|     targetType: 0x1000
|_    targetVersion: 5.15.4.0
MAC Address: 00:30:DE:43:8F:4C (Wago Kontakttechnik Gmbh)

Nmap done: 1 IP address (1 host up) scanned in 3.60 seconds
```
@bonsaiviking - Is there any testing/linting you'd like to see on this? I've kind of avoided touching it since Andy and I work on the same team at R7.
Hi @tsellers-r7 and @agalauner-r7 . Thanks for submitting these and for the reminder. We'll take a look at this and the #1846 one soon.
I finally managed to address all the feedback in https://github.com/nmap/nmap/pull/2373/commits/f681640d9de3d1c8a332488eb534b198a370009f