Nmap modbus-discover NSE Script


This page contains detailed information about how to use the modbus-discover NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.


Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/modbus-discover.nse
Script categories: discovery, intrusive
Target service / protocol: modbus
Target network port(s): 502
List of CVEs: -

Script Description


The modbus-discover.nse script enumerates SCADA Modbus slave ids (sids) and collects their device information.

Modbus is one of the popular SCADA protocols. This script performs Modbus device information disclosure: it tries to find legal sids (slave ids) of Modbus devices and to get additional information about the vendor and firmware. It is an improvement on the modscan Python utility written by Mark Bristow.

Information about MODBUS protocol and security issues:

Modbus-discover NSE Script Arguments


This is a full list of arguments supported by the modbus-discover.nse script:

aggressive

Boolean value that defines whether to find all sids or just the first one.

To use this script argument, add it to the Nmap command line as in this example:

nmap --script=modbus-discover --script-args aggressive=value <target>

Modbus-discover NSE Script Example Usage


Here's an example of how to use the modbus-discover.nse script:

nmap --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' -p 502 <host>

Modbus-discover NSE Script Example Output


Here's a sample output from the modbus-discover.nse script:

PORT    STATE SERVICE
502/tcp open  modbus
| modbus-discover:
|   sid 0x64:
|     Slave ID data: \xFA\xFFPM710PowerMeter
|     Device identification: Schneider Electric PM710 v03.110
|   sid 0x96:
|_    error: GATEWAY TARGET DEVICE FAILED TO RESPONSE

Modbus-discover NSE Script Example XML Output


Here's a sample XML output from the modbus-discover.nse script produced by providing the -oX <file> Nmap option:

 <table key="sid 0x64">
   <elem key="Slave ID data">\xFA\xFFPM710PowerMeter</elem>
   <elem key="Device identification">Schneider Electric PM710 v03.110</elem>
 </table>
 <table key="sid 0x96">
   <elem key="error">GATEWAY TARGET DEVICE FAILED TO RESPONSE</elem>
 </table>
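
In a full -oX file, the fragment above sits inside a `<script id="modbus-discover">` element under the scanned port. The following Python function is an added example, not code from the original page or from the Nmap project; it turns that output into a per-host inventory of sids. The surrounding host/port wrapper and the address 192.0.2.10 are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's <table> fragment wrapped in the host/port/script
# elements of an -oX file. 192.0.2.10 is a documentation address, not a real host.
SAMPLE_XML = r"""<nmaprun>
 <host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="502">
    <script id="modbus-discover" output="">
     <table key="sid 0x64">
      <elem key="Slave ID data">\xFA\xFFPM710PowerMeter</elem>
      <elem key="Device identification">Schneider Electric PM710 v03.110</elem>
     </table>
     <table key="sid 0x96">
      <elem key="error">GATEWAY TARGET DEVICE FAILED TO RESPONSE</elem>
     </table>
    </script>
   </port>
  </ports>
 </host>
</nmaprun>"""

def modbus_inventory(xml_text):
    """Return one dict per sid reported by modbus-discover."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")  # first <address> of the host
        for port in host.iter("port"):
            for script in port.findall("script[@id='modbus-discover']"):
                for table in script.findall("table"):
                    key = table.get("key", "")
                    if not key.startswith("sid "):
                        continue  # ignore tables that do not describe a sid
                    fields = {e.get("key"): (e.text or "") for e in table.findall("elem")}
                    rows.append({
                        "host": addr,
                        "port": int(port.get("portid")),
                        "sid": int(key.split()[1], 16),  # "sid 0x64" -> 100
                        "device": fields.get("Device identification"),
                        "slave_id_data": fields.get("Slave ID data"),
                        "error": fields.get("error"),  # exception text, if any
                    })
    return rows

if __name__ == "__main__":
    for row in modbus_inventory(SAMPLE_XML):
        status = row["error"] or row["device"] or row["slave_id_data"]
        print(f'{row["host"]}:{row["port"]} sid {row["sid"]} -> {status}')
```

A sid that answers with a device identification is a unit reachable by anyone who can connect to port 502; a sid that returns only an error still shows that a gateway answered for that id.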

Author


  • Alexander Rudakov

See Also


Visit Nmap NSE Library for more scripts.

Error Messages


The modbus-discover.nse script may fail with the following error messages. Check for the possible causes using the code snippets below, which are taken from the script source code. This can often help in identifying the root cause of the problem.

MEMORY PARITY ERROR


Here is a relevant code snippet related to the "MEMORY PARITY ERROR" error message:

  [2]  = "ILLEGAL DATA ADDRESS",
  [3]  = "ILLEGAL DATA VALUE",
  [4]  = "SLAVE DEVICE FAILURE",
  [5]  = "ACKNOWLEDGE",
  [6]  = "SLAVE DEVICE BUSY",
  [8]  = "MEMORY PARITY ERROR",
  [10] = "GATEWAY PATH UNAVAILABLE",
  [11] = "GATEWAY TARGET DEVICE FAILED TO RESPOND"
}

action = function(host, port)

GATEWAY TARGET DEVICE FAILED TO RESPOND


Here is a relevant code snippet related to the "GATEWAY TARGET DEVICE FAILED TO RESPOND" error message:

  [4]  = "SLAVE DEVICE FAILURE",
  [5]  = "ACKNOWLEDGE",
  [6]  = "SLAVE DEVICE BUSY",
  [8]  = "MEMORY PARITY ERROR",
  [10] = "GATEWAY PATH UNAVAILABLE",
  [11] = "GATEWAY TARGET DEVICE FAILED TO RESPOND"
}

action = function(host, port)
  -- If false, stop after first sid.
  local aggressive = stdnse.get_script_args('modbus-discover.aggressive')

Version


This page has been created based on Nmap version 7.92.
