Nmap
Nmap is a wonderful tool, but keep in mind that many intrusion detection systems will notice the activity, so make sure you have permission for your target network. The work below is mostly oriented at Siemens SIMATIC S7 PLCs.
We will use the following commands:
nmap -Pn to skip host discovery and treat all hosts as online (may take a while at times)
nmap -sU for UDP scanning
nmap -p <port ranges> to scan specific port ranges
nmap -sV for version detection
nmap --script to enable the scripting engine
nmap --max-parallelism 1 to slow down the scan (we are targeting older devices)
Below is an nmap -Pn example against the Ubuntu server with the honeypots set up:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-29 15:31 EST
Stats: 0:03:37 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 38.63% done; ETC: 15:40 (0:05:19 remaining)
Stats: 0:13:41 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 97.83% done; ETC: 15:45 (0:00:18 remaining)
Nmap scan report for 192.168.178.1
Host is up (0.0063s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
8080/tcp filtered http-proxy
8181/tcp filtered intermapper
9000/tcp filtered cslistener
49152/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 943.08 seconds
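For keeping an inventory of what a scan like the one above actually found (and which open ports were not expected on a PLC segment), here is an added Python example, not code from the original page. The sample text is constructed from the report above, and the allowlist passed to unexpected_open is an assumption for illustration.

```python
import re
from dataclasses import dataclass
# Constructed sample: nmap's normal output as shown in the scan report above
# (same host and port lines), embedded here so the example runs offline.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.178.1
Not shown: 992 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    filtered ssh
23/tcp    filtered telnet
53/tcp    open     domain
80/tcp    open     http
8080/tcp  filtered http-proxy
8181/tcp  filtered intermapper
9000/tcp  filtered cslistener
49152/tcp open     unknown
Nmap done: 1 IP address (1 host up) scanned in 943.08 seconds
"""

@dataclass(frozen=True)
class PortEntry:
    host: str
    port: int
    proto: str
    state: str
    service: str

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap_report(text):
    """Turn nmap normal-format output (-oN or stdout) into PortEntry records."""
    entries, host = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)          # following port lines belong to this host
        elif (m := PORT_RE.match(line)) and host:
            port, proto, state, service = m.groups()
            entries.append(PortEntry(host, int(port), proto, state, service))
    return entries

def open_ports(entries):
    """Sorted ports nmap reported as open (filtered ones are excluded)."""
    return sorted(e.port for e in entries if e.state == "open")

def unexpected_open(entries, allowed):
    """Open ports outside a hypothetical allowlist of services expected on the host."""
    return sorted(p for p in open_ports(entries) if p not in allowed)
```

Running parse_nmap_report on the sample yields eight entries, of which 53, 80 and 49152 are open; with {53, 80} as the allowlist, 49152 is the one to follow up on.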
Reconnaissance with nmap
Once a Siemens SIMATIC S7 has been found, either by being on the same network and using netdiscover or by finding an IP through Shodan, the next step is to run nmap [IP] -Pn -p [range] to discover which TCP ports are open to us. What we are looking for is an open UDP port, found with nmap -sU [IP] -Pn -F in a second terminal window. The -F option limits the second scan to the 100 most frequently used UDP ports.
Most often this is port 161 (or 16100).
More info about the PLC can be extracted with snmp-check as well as the below scripts from the scripting engine.
Example nmap [IP] -Pn -p [range] TCP scan:

Example nmap -sU [IP] -Pn -F UDP scan:

Nmap Scripting Engine
A scripting engine works like a set of plug-ins for the existing tool, extending its features. It is often used for advanced reconnaissance of specific types of machinery or for other networking tasks such as security auditing.
To use the scripting engine, you follow the base structure of this command:
sudo nmap [IP] -Pn -p [port number] --script [script-name.nse]
Replace the placeholders with the corresponding IP, port number and script name.
From the Redpoint script collection we use s7-info.nse for more information on the module and version of the S7, and s7-enumerate.nse for checking which machines are reachable. In our case that is one machine: our S7 simulation running on the Ubuntu server via the python-snap7 module.
Example of the s7-enumerate output:
