Nmap modbus-discover NSE Script
This page contains detailed information about how to use the modbus-discover NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/modbus-discover.nse
Script categories: discovery, intrusive
Target service / protocol: modbus
Target network port(s): 502
List of CVEs: -
Script Description
The modbus-discover.nse script enumerates SCADA Modbus slave ids (sids) and collects their device information.
Modbus is one of the popular SCADA protocols. This script performs Modbus device information disclosure: it tries to find valid sids (slave ids) of Modbus devices and to obtain additional information about the vendor and firmware. This script is an improvement of the modscan Python utility written by Mark Bristow.
Information about MODBUS protocol and security issues:
- MODBUS application protocol specification: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf
- Defcon 16 Modscan presentation: https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf
- The Modscan utility is hosted on Google Code: http://code.google.com/p/modscan/
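As an added example (not code from the script or from Nmap), a Python parser for the Modbus/TCP frames this script exchanges: it builds the MBAP header, decodes exception responses with the exception table quoted further down this page, extracts the Report Slave ID payload that appears as "Slave ID data" in the output, and, from the defender's side, flags the probe PDUs so a capture can be checked for a sweep across many unit ids. The function codes 0x11 (Report Slave ID) and 0x2B with MEI type 0x0E (Read Device Identification) are assumed from the Modbus specification; the sample frames are constructed to mirror the example output below.

```python
import struct
# Exception codes 2..11 as in the script's table quoted on this page; 1 is the spec value.
EXCEPTION_CODES = {
    1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS", 3: "ILLEGAL DATA VALUE",
    4: "SLAVE DEVICE FAILURE", 5: "ACKNOWLEDGE", 6: "SLAVE DEVICE BUSY",
    8: "MEMORY PARITY ERROR", 10: "GATEWAY PATH UNAVAILABLE",
    11: "GATEWAY TARGET DEVICE FAILED TO RESPOND",
}
REPORT_SLAVE_ID = 0x11  # Report Slave ID: source of the "Slave ID data" line
READ_DEVICE_ID = 0x2B   # Encapsulated Interface Transport
MEI_DEVICE_ID = 0x0E    # MEI type: Read Device Identification

def build_frame(tid, unit_id, pdu):
    """Prefix a PDU with an MBAP header: transaction id, protocol id 0, length, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

def parse_frame(frame):
    """Decode the MBAP header and classify the PDU (exception / Report Slave ID / other)."""
    tid, pid, length, unit_id = struct.unpack(">HHHB", frame[:7])  # struct.error if too short
    if len(frame) < 8 or pid != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    pdu = frame[7:]
    info = {"tid": tid, "unit_id": unit_id, "function": pdu[0] & 0x7F,
            "exception": None, "slave_id_data": None}
    if pdu[0] & 0x80:  # exception response: function | 0x80, then one exception code byte
        code = pdu[1] if len(pdu) > 1 else None
        info["exception"] = EXCEPTION_CODES.get(code, "UNKNOWN EXCEPTION %r" % code)
    elif pdu[0] == REPORT_SLAVE_ID and len(pdu) >= 2:
        info["slave_id_data"] = pdu[2:2 + pdu[1]]  # byte count, then id, run status, text
    return info

def is_discovery_probe(frame):
    """True for the two request PDUs modbus-discover sends to each candidate sid."""
    pdu = frame[7:]
    return (len(pdu) == 1 and pdu[0] == REPORT_SLAVE_ID) or (
        len(pdu) == 4 and pdu[0] == READ_DEVICE_ID and pdu[1] == MEI_DEVICE_ID)

def probed_unit_ids(frames):
    """Distinct unit ids hit by discovery probes; a long list is the aggressive sweep."""
    return sorted({parse_frame(f)["unit_id"] for f in frames if is_discovery_probe(f)})

# Constructed sample traffic modelled on the example output shown on this page.
SAMPLE_FRAMES = [
    build_frame(1, 0x64, b"\x11"),                             # probe sid 0x64
    build_frame(1, 0x64, b"\x11\x11\xfa\xffPM710PowerMeter"),  # its Report Slave ID reply
    build_frame(2, 0x96, b"\x11"),                             # probe sid 0x96
    build_frame(2, 0x96, b"\x91\x0b"),                         # exception code 11 reply
    build_frame(3, 0x01, b"\x03\x00\x00\x00\x01"),             # ordinary Read Holding Registers
]
```

Running probed_unit_ids over frames captured on TCP/502 gives the set of sids a client has enumerated; a client walking through many unit ids with these two PDUs is the behaviour the aggressive mode of this script produces.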
Modbus-discover NSE Script Arguments
This is a full list of arguments supported by the modbus-discover.nse script:
- aggressive: Boolean value; defines whether to find all sids or just the first one.
To use this script argument, add it to the Nmap command line as in this example:
nmap --script=modbus-discover --script-args aggressive=value <target>
Modbus-discover NSE Script Example Usage
Here's an example of how to use the modbus-discover.nse script:
nmap --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' -p 502 <host>
Modbus-discover NSE Script Example Output
Here's a sample output from the modbus-discover.nse script:
PORT    STATE SERVICE
502/tcp open  modbus
| modbus-discover:
|   sid 0x64:
|     Slave ID data: \xFA\xFFPM710PowerMeter
|     Device identification: Schneider Electric PM710 v03.110
|   sid 0x96:
|_    error: GATEWAY TARGET DEVICE FAILED TO RESPONSE
Modbus-discover NSE Script Example XML Output
Here's a sample XML output from the modbus-discover.nse script produced by providing the -oX <file> Nmap option:
<table key="sid 0x64">
  <elem key="Slave ID data">\xFA\xFFPM710PowerMeter</elem>
  <elem key="Device identification">Schneider Electric PM710 v03.110</elem>
</table>
<table key="sid 0x96">
  <elem key="error">GATEWAY TARGET DEVICE FAILED TO RESPONSE</elem>
</table>
Author
- Alexander Rudakov
References
- https://nmap.org/nsedoc/scripts/modbus-discover.html
- https://github.com/nmap/nmap/tree/master/scripts/modbus-discover.nse
- http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf
- https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf
- http://code.google.com/p/modscan/
See Also
Visit Nmap NSE Library for more scripts.
The modbus-discover.nse script may fail with the following error messages. Check for the possible causes using the code snippets below, taken from the script source code. This can often help in identifying the root cause of the problem.
MEMORY PARITY ERROR
Here is a relevant code snippet related to the "MEMORY PARITY ERROR" error message:
  [2] = "ILLEGAL DATA ADDRESS",
  [3] = "ILLEGAL DATA VALUE",
  [4] = "SLAVE DEVICE FAILURE",
  [5] = "ACKNOWLEDGE",
  [6] = "SLAVE DEVICE BUSY",
  [8] = "MEMORY PARITY ERROR",
  [10] = "GATEWAY PATH UNAVAILABLE",
  [11] = "GATEWAY TARGET DEVICE FAILED TO RESPOND"
}

action = function(host, port)
GATEWAY TARGET DEVICE FAILED TO RESPOND
Here is a relevant code snippet related to the "GATEWAY TARGET DEVICE FAILED TO RESPOND" error message:
  [4] = "SLAVE DEVICE FAILURE",
  [5] = "ACKNOWLEDGE",
  [6] = "SLAVE DEVICE BUSY",
  [8] = "MEMORY PARITY ERROR",
  [10] = "GATEWAY PATH UNAVAILABLE",
  [11] = "GATEWAY TARGET DEVICE FAILED TO RESPOND"
}

action = function(host, port)
  -- If false, stop after first sid.
  local aggressive = stdnse.get_script_args('modbus-discover.aggressive')
Version
This page has been created based on Nmap version 7.92.