Nmap iec-identify NSE Script


This page contains detailed information about how to use the iec-identify NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.


Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/iec-identify.nse
Script categories: discovery, intrusive
Target service / protocol: iec-104, tcp
Target network port(s): 2404
List of CVEs: -

Script Description


The iec-identify.nse script attempts to identify the IEC 60870-5-104 ICS protocol (IEC-104), the TCP/IP transport of the IEC 60870-5-101 telecontrol protocol used between SCADA masters and RTUs.

The script first probes with a TESTFR ACT (test frame, used like a ping) and expects a TESTFR CON in reply. It then sends a STARTDT ACT (start data transfer) and expects a STARTDT CON, after which a broadcast general interrogation (C_IC_NA_1, station interrogation) is issued to gather the information object addresses the station holds. The output reports the ASDU (common) address of the responding station and the number of information objects it returned. Because the interrogation makes the outstation transmit its process data, the script is classed as intrusive.
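The exchange described above, as an added Python example that is not code from iec-identify.nse or the Nmap project: a client-side probe that sends the same TESTFR, STARTDT and broadcast C_IC_NA_1 frames as the script, parses the APCI/ASDU headers of what comes back, and stops on activation termination or after a bounded number of APDUs, as the script does. To run offline it is paired with a constructed in-memory outstation (class `FakeOutstation`, ASDU address 105 and 30 single-point objects, chosen to match the sample output on this page); the `transport` callable, the chunking of 16 objects per frame and the IOA numbering are assumptions of this example, not behaviour of any real device.

```python
# Added example mirroring the iec-identify.nse probe sequence; not the script's own code.
# Control-field, type-ID and COT values are from IEC 60870-5-104. The outstation below
# is constructed (ASDU address 105, 30 points) to reproduce the sample output.
import struct

START = 0x68
TESTFR_ACT, TESTFR_CON = 0x43, 0x83      # U-frame control bytes
STARTDT_ACT, STARTDT_CON = 0x07, 0x0B
C_IC_NA_1, M_SP_NA_1 = 100, 1            # type IDs: interrogation command, single-point info
COT_ACT, COT_ACTCON, COT_ACTTERM, COT_INROGEN = 6, 7, 10, 20   # causes of transmission

# The exact frames the NSE script sends
TESTFR = b"\x68\x04\x43\x00\x00\x00"
STARTDT = b"\x68\x04\x07\x00\x00\x00"
C_IC_NA_1_BROADCAST = b"\x68\x0e\x00\x00\x00\x00\x64\x01\x06\x00\xff\xff\x00\x00\x00\x14"

def u_frame(ctrl):
    return bytes([START, 4, ctrl, 0, 0, 0])

def i_frame(tx, rx, asdu):
    # I-frame control fields: send/receive sequence numbers shifted left by one
    # (bit 0 of the first control byte is 0 for I-frames, 1 for S- and U-frames)
    return bytes([START, 4 + len(asdu)]) + struct.pack("<HH", tx << 1, rx << 1) + asdu

def build_asdu(typeid, cot, ca, objects):
    """ASDU with SQ=0: type, count, COT, originator, 2-byte CA, then (3-byte IOA, element)."""
    hdr = bytes([typeid, len(objects), cot, 0]) + struct.pack("<H", ca)
    return hdr + b"".join(ioa.to_bytes(3, "little") + el for ioa, el in objects)

def split_apdu(buf):
    """Return (first complete APDU, remainder), or (None, buf) if none is available yet."""
    if len(buf) < 2 or buf[0] != START:
        return None, buf
    n = 2 + buf[1]
    return (buf[:n], buf[n:]) if len(buf) >= n else (None, buf)

def parse_asdu(apdu):
    """Decode an I-frame's ASDU header into (typeid, sq, num, cot, ca)."""
    a = apdu[6:]
    return a[0], a[1] >> 7, a[1] & 0x7F, a[2] & 0x3F, struct.unpack("<H", a[4:6])[0]

class FakeOutstation:
    """Constructed stand-in for an RTU: one ASDU address, n single-point objects."""
    def __init__(self, ca=105, n_objects=30):
        self.ca, self.n_objects, self.started, self.tx = ca, n_objects, False, 0

    def _i(self, asdu):
        self.tx += 1
        return i_frame(self.tx - 1, 1, asdu)

    def handle(self, apdu):
        """Take one APDU from the client and return the bytes the outstation replies with."""
        ctrl = apdu[2]
        if ctrl == TESTFR_ACT:
            return u_frame(TESTFR_CON)
        if ctrl == STARTDT_ACT:
            self.started = True
            return u_frame(STARTDT_CON)
        if ctrl & 1 == 0 and self.started:          # I-frame, data transfer is active
            typeid, _, _, cot, _ = parse_asdu(apdu)
            if typeid == C_IC_NA_1 and cot == COT_ACT:
                qoi = apdu[-1:]                     # qualifier of interrogation (0x14 = station)
                out = self._i(build_asdu(C_IC_NA_1, COT_ACTCON, self.ca, [(0, qoi)]))
                points = [(1000 + i, b"\x01") for i in range(self.n_objects)]
                for k in range(0, len(points), 16):  # assumed chunking: 16 objects per frame
                    out += self._i(build_asdu(M_SP_NA_1, COT_INROGEN, self.ca, points[k:k + 16]))
                return out + self._i(build_asdu(C_IC_NA_1, COT_ACTTERM, self.ca, [(0, qoi)]))
        return b""

def identify(transport, max_apdus=10):
    """Run the script's probe sequence over transport(request_bytes) -> reply_bytes.
    Returns (result, None) on success or (None, reason) when the target is not IEC-104."""
    apdu, _ = split_apdu(transport(TESTFR))
    if apdu is None or apdu[2] != TESTFR_CON:
        return None, "Not IEC-104: no TESTFR CON"
    apdu, _ = split_apdu(transport(STARTDT))
    if apdu is None or apdu[2] != STARTDT_CON:
        return None, "STARTDT ACT did not receive STARTDT CON"
    buf = transport(C_IC_NA_1_BROADCAST)
    asdu_address, ioas = None, 0
    for _ in range(max_apdus):                # bounded, like the script's limit of 10
        apdu, buf = split_apdu(buf)
        if apdu is None:
            break
        if apdu[2] & 1:                       # S- or U-frame: nothing to count
            continue
        _, _, num, cot, asdu_address = parse_asdu(apdu)
        if cot == COT_ACTTERM:                # activation termination: interrogation done
            break
        if cot == COT_INROGEN:                # objects returned by the station interrogation
            ioas += num
    return {"asdu_address": asdu_address, "information_objects": ioas}, None

if __name__ == "__main__":
    print(identify(FakeOutstation(ca=105, n_objects=30).handle))
```

Against the constructed outstation, `identify` returns `{"asdu_address": 105, "information_objects": 30}`, the same two values the script prints. To point it at a real device, pass a `transport` that wraps a TCP connection to port 2404, sends the request and returns whatever arrives before a read timeout; the bounded loop matters there, because a busy station can keep emitting spontaneous I-frames and the probe should not wait for a termination that never comes.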

Iec-identify NSE Script Arguments


The iec-identify.nse script does not have any arguments.

Iec-identify NSE Script Example Usage


Here's an example of how to use the iec-identify.nse script. The script runs against TCP port 2404 (the registered iec-104 port), so that port must be included in the scan:

nmap -p 2404 --script=iec-identify <target>

Iec-identify NSE Script Example Output


Here's a sample output from the iec-identify.nse script:

| iec-identify:
|   ASDU address: 105
|_  Information objects: 30

Iec-identify NSE Script Example XML Output


There is no sample XML output for this script. However, by providing the -oX <file> option, Nmap will write its results, including this script's output, as XML to the given file.

Authors


  • Aleksandr Timorin
  • Daniel Miller

See Also


Visit Nmap NSE Library for more scripts.

Error Messages


The iec-identify.nse script may fail with the following error messages. These are emitted at debug level 1, so run Nmap with -d (or -d1) to see them. Check for the possible causes by using the code snippets highlighted below, taken from the script source code. This can often help in identifying the root cause of the problem.

Connect error: %s


Here is a relevant code snippet related to the "Connect error: %s" error message:

45:	action = function(host, port)
46:	
47:	  local output = stdnse.output_table()
48:	  local socket, err = comm.opencon(host, port)
49:	  if not socket then
50:	    stdnse.debug1("Connect error: %s", err)
51:	    return nil
52:	  end
53:	
54:	  -- send TESTFR ACT command
55:	  -- Test frame, like "ping"

Failed to send: %s


Here is a relevant code snippet related to the "Failed to send: %s" error message:

54:	  -- send TESTFR ACT command
55:	  -- Test frame, like "ping"
56:	  local TESTFR = "\x68\x04\x43\0\0\0"
57:	  local status, err = socket:send( TESTFR )
58:	  if not status then
59:	    stdnse.debug1("Failed to send: %s", err)
60:	    return nil
61:	  end
62:	
63:	  -- receive TESTFR answer
64:	  local apcitype, recv = get_asdu(socket)

protocol error: %s


Here is a relevant code snippet related to the "protocol error: %s" error message:

61:	  end
62:	
63:	  -- receive TESTFR answer
64:	  local apcitype, recv = get_asdu(socket)
65:	  if not apcitype then
66:	    stdnse.debug1("protocol error: %s", recv)
67:	    return nil
68:	  end
69:	  if apcitype ~= 0x83 then
70:	    stdnse.print_debug(1, "Not IEC-104. TESTFR response: %#x", apcitype)
71:	    return nil

Failed to send: %s


Here is a relevant code snippet related to the "Failed to send: %s" error message:

73:	
74:	  -- send STARTDT ACT command
75:	  local STARTDT = "\x68\x04\x07\0\0\0"
76:	  status, err = socket:send( STARTDT )
77:	  if not status then
78:	    stdnse.debug1("Failed to send: %s", err)
79:	    return nil
80:	  end
81:	
82:	  -- receive STARTDT answer
83:	  apcitype, recv = get_asdu(socket)

protocol error: %s


Here is a relevant code snippet related to the "protocol error: %s" error message:

80:	  end
81:	
82:	  -- receive STARTDT answer
83:	  apcitype, recv = get_asdu(socket)
84:	  if not apcitype then
85:	    stdnse.debug1("protocol error: %s", recv)
86:	    return nil
87:	  end
88:	  if apcitype ~= 0x0b then
89:	    stdnse.debug1("STARTDT ACT did not receive STARTDT CON: %#x", apcitype)
90:	    return nil

Failed to send: %s


Here is a relevant code snippet related to the "Failed to send: %s" error message:

101:	  -- Information object address: 0
102:	  -- QOI: 0x14 (20), Station interrogation (global)
103:	  local C_IC_NA_1_broadcast = "\x68\x0e\0\0\0\0\x64\x01\x06\0\xff\xff\0\0\0\x14"
104:	  status, err = socket:send( C_IC_NA_1_broadcast )
105:	  if not status then
106:	    stdnse.debug1("Failed to send: %s", err)
107:	    return nil
108:	  end
109:	
110:	  local asdu_address
111:	  local ioas = 0

Error in C_IC_NA_1: %s


Here is a relevant code snippet related to the "Error in C_IC_NA_1: %s" error message:

113:	  local limit = 10
114:	  while limit > 0 do
115:	    limit = limit - 1
116:	    apcitype, recv = get_asdu(socket)
117:	    if not apcitype then
118:	      stdnse.debug1("Error in C_IC_NA_1: %s", recv)
119:	      break
120:	    end
121:	    if apcitype & 0x01 == 0 then -- Type I, numbered information transfer
122:	      -- skip 2 bytes Tx, 2 bytes Rx
123:	      local typeid = recv:byte(5)

Version


This page has been created based on Nmap version 7.92.
