NSEDoc

• Index
• NSE Documentation

Categories

• auth
• broadcast
• brute
• default
• discovery
• dos
• exploit
• external
• fuzzer
• intrusive
• malware
• safe
• version
• vuln

Scripts (show 437)(437)Scripts (437)

• acarsd-info
• address-info
• afp-brute
• afp-ls
• afp-path-vuln
• afp-serverinfo
• afp-showmount
• ajp-auth
• ajp-brute
• ajp-headers
• ajp-methods
• ajp-request
• amqp-info
• asn-query
• auth-owners
• auth-spoof
• backorifice-brute
• backorifice-info
• banner
• bitcoin-getaddr
• bitcoin-info
• bitcoinrpc-info
• bittorrent-discovery
• bjnp-discover
• broadcast-ataoe-discover
• broadcast-avahi-dos
• broadcast-bjnp-discover
• broadcast-db2-discover
• broadcast-dhcp-discover
• broadcast-dhcp6-discover
• broadcast-dns-service-discovery
• broadcast-dropbox-listener
• broadcast-eigrp-discovery
• broadcast-igmp-discovery
• broadcast-listener
• broadcast-ms-sql-discover
• broadcast-netbios-master-browser
• broadcast-networker-discover
• broadcast-novell-locate
• broadcast-pc-anywhere
• broadcast-pc-duo
• broadcast-pim-discovery
• broadcast-ping
• broadcast-pppoe-discover
• broadcast-rip-discover
• broadcast-ripng-discover
• broadcast-sybase-asa-discover
• broadcast-tellstick-discover
• broadcast-upnp-info
• broadcast-versant-locate
• broadcast-wake-on-lan
• broadcast-wpad-discover
• broadcast-wsdd-discover
• broadcast-xdmcp-discover
• cassandra-brute
• cassandra-info
• cccam-version
• citrix-brute-xml
• citrix-enum-apps
• citrix-enum-apps-xml
• citrix-enum-servers
• citrix-enum-servers-xml
• couchdb-databases
• couchdb-stats
• creds-summary
• cups-info
• cups-queue-info
• cvs-brute
• cvs-brute-repository
• daap-get-library
• daytime
• db2-das-info
• db2-discover
• dhcp-discover
• dict-info
• distcc-cve2004-2687
• dns-blacklist
• dns-brute
• dns-cache-snoop
• dns-check-zone
• dns-client-subnet-scan
• dns-fuzz
• dns-ip6-arpa-scan
• dns-nsec-enum
• dns-nsec3-enum
• dns-nsid
• dns-random-srcport
• dns-random-txid
• dns-recursion
• dns-service-discovery
• dns-srv-enum
• dns-update
• dns-zeustracker
• dns-zone-transfer
• domcon-brute
• domcon-cmd
• domino-enum-users
• dpap-brute
• drda-brute
• drda-info
• duplicates
• eap-info
• epmd-info
• eppc-enum-processes
• finger
• firewalk
• firewall-bypass
• flume-master-info
• ftp-anon
• ftp-bounce
• ftp-brute
• ftp-libopie
• ftp-proftpd-backdoor
• ftp-vsftpd-backdoor
• ftp-vuln-cve2010-4221
• ganglia-info
• giop-info
• gkrellm-info
• gopher-ls
• gpsd-info
• hadoop-datanode-info
• hadoop-jobtracker-info
• hadoop-namenode-info
• hadoop-secondary-namenode-info
• hadoop-tasktracker-info
• hbase-master-info
• hbase-region-info
• hddtemp-info
• hostmap-bfk
• hostmap-robtex
• http-affiliate-id
• http-apache-negotiation
• http-auth
• http-auth-finder
• http-awstatstotals-exec
• http-axis2-dir-traversal
• http-backup-finder
• http-barracuda-dir-traversal
• http-brute
• http-cakephp-version
• http-chrono
• http-config-backup
• http-cors
• http-date
• http-default-accounts
• http-domino-enum-passwords
• http-drupal-enum-users
• http-drupal-modules
• http-email-harvest
• http-enum
• http-exif-spider
• http-favicon
• http-form-brute
• http-form-fuzzer
• http-frontpage-login
• http-generator
• http-git
• http-gitweb-projects-enum
• http-google-malware
• http-grep
• http-headers
• http-huawei-hg5xx-vuln
• http-icloud-findmyiphone
• http-icloud-sendmsg
• http-iis-webdav-vuln
• http-joomla-brute
• http-litespeed-sourcecode-download
• http-majordomo2-dir-traversal
• http-malware-host
• http-method-tamper
• http-methods
• http-open-proxy
• http-open-redirect
• http-passwd
• http-php-version
• http-phpself-xss
• http-proxy-brute
• http-put
• http-qnap-nas-info
• http-rfi-spider
• http-robots.txt
• http-robtex-reverse-ip
• http-robtex-shared-ns
• http-sitemap-generator
• http-slowloris
• http-slowloris-check
• http-sql-injection
• http-title
• http-tplink-dir-traversal
• http-trace
• http-traceroute
• http-unsafe-output-escaping
• http-userdir-enum
• http-vhosts
• http-virustotal
• http-vlcstreamer-ls
• http-vmware-path-vuln
• http-vuln-cve2009-3960
• http-vuln-cve2010-0738
• http-vuln-cve2010-2861
• http-vuln-cve2011-3192
• http-vuln-cve2011-3368
• http-vuln-cve2012-1823
• http-waf-detect
• http-waf-fingerprint
• http-wordpress-brute
• http-wordpress-enum
• http-wordpress-plugins
• iax2-brute
• iax2-version
• icap-info
• ike-version
• imap-brute
• imap-capabilities
• informix-brute
• informix-query
• informix-tables
• ip-forwarding
• ip-geolocation-geobytes
• ip-geolocation-geoplugin
• ip-geolocation-ipinfodb
• ip-geolocation-maxmind
• ipidseq
• ipv6-node-info
• ipv6-ra-flood
• irc-botnet-channels
• irc-brute
• irc-info
• irc-sasl-brute
• irc-unrealircd-backdoor
• iscsi-brute
• iscsi-info
• isns-info
• jdwp-exec
• jdwp-info
• jdwp-inject
• jdwp-version
• krb5-enum-users
• ldap-brute
• ldap-novell-getpass
• ldap-rootdse
• ldap-search
• lexmark-config
• llmnr-resolve
• lltd-discovery
• maxdb-info
• mcafee-epo-agent
• membase-brute
• membase-http-info
• memcached-info
• metasploit-info
• metasploit-msgrpc-brute
• metasploit-xmlrpc-brute
• mmouse-brute
• mmouse-exec
• modbus-discover
• mongodb-brute
• mongodb-databases
• mongodb-info
• mrinfo
• ms-sql-brute
• ms-sql-config
• ms-sql-dac
• ms-sql-dump-hashes
• ms-sql-empty-password
• ms-sql-hasdbaccess
• ms-sql-info
• ms-sql-query
• ms-sql-tables
• ms-sql-xp-cmdshell
• msrpc-enum
• mtrace
• murmur-version
• mysql-audit
• mysql-brute
• mysql-databases
• mysql-dump-hashes
• mysql-empty-password
• mysql-enum
• mysql-info
• mysql-query
• mysql-users
• mysql-variables
• mysql-vuln-cve2012-2122
• nat-pmp-info
• nat-pmp-mapport
• nbstat
• ncp-enum-users
• ncp-serverinfo
• ndmp-fs-info
• ndmp-version
• nessus-brute
• nessus-xmlrpc-brute
• netbus-auth-bypass
• netbus-brute
• netbus-info
• netbus-version
• nexpose-brute
• nfs-ls
• nfs-showmount
• nfs-statfs
• nping-brute
• nrpe-enum
• ntp-info
• ntp-monlist
• omp2-brute
• omp2-enum-targets
• openlookup-info
• openvas-otp-brute
• oracle-brute
• oracle-brute-stealth
• oracle-enum-users
• oracle-sid-brute
• ovs-agent-version
• p2p-conficker
• path-mtu
• pcanywhere-brute
• pgsql-brute
• pjl-ready-message
• pop3-brute
• pop3-capabilities
• pptp-version
• qscan
• quake3-info
• quake3-master-getservers
• rdp-enum-encryption
• rdp-vuln-ms12-020
• realvnc-auth-bypass
• redis-brute
• redis-info
• resolveall
• reverse-index
• rexec-brute
• riak-http-info
• rlogin-brute
• rmi-dumpregistry
• rmi-vuln-classloader
• rpc-grind
• rpcap-brute
• rpcap-info
• rpcinfo
• rsync-brute
• rsync-list-modules
• rtsp-methods
• rtsp-url-brute
• samba-vuln-cve-2012-1182
• servicetags
• sip-brute
• sip-call-spoof
• sip-enum-users
• sip-methods
• skypev2-version
• smb-brute
• smb-check-vulns
• smb-enum-domains
• smb-enum-groups
• smb-enum-processes
• smb-enum-sessions
• smb-enum-shares
• smb-enum-users
• smb-flood
• smb-ls
• smb-mbenum
• smb-os-discovery
• smb-print-text
• smb-psexec
• smb-security-mode
• smb-server-stats
• smb-system-info
• smb-vuln-ms10-054
• smb-vuln-ms10-061
• smbv2-enabled
• smtp-brute
• smtp-commands
• smtp-enum-users
• smtp-open-relay
• smtp-strangeport
• smtp-vuln-cve2010-4344
• smtp-vuln-cve2011-1720
• smtp-vuln-cve2011-1764
• sniffer-detect
• snmp-brute
• snmp-hh3c-logins
• snmp-interfaces
• snmp-ios-config
• snmp-netstat
• snmp-processes
• snmp-sysdescr
• snmp-win32-services
• snmp-win32-shares
• snmp-win32-software
• snmp-win32-users
• socks-auth-info
• socks-brute
• socks-open-proxy
• ssh-hostkey
• ssh2-enum-algos
• sshv1
• ssl-cert
• ssl-date
• ssl-enum-ciphers
• ssl-google-cert-catalog
• ssl-known-key
• sslv2
• stun-info
• stun-version
• stuxnet-detect
• svn-brute
• targets-asn
• targets-ipv6-multicast-echo
• targets-ipv6-multicast-invalid-dst
• targets-ipv6-multicast-mld
• targets-ipv6-multicast-slaac
• targets-sniffer
• targets-traceroute
• telnet-brute
• telnet-encryption
• tftp-enum
• tls-nextprotoneg
• traceroute-geolocation
• unusual-port
• upnp-info
• url-snarf
• ventrilo-info
• versant-info
• vmauthd-brute
• vnc-brute
• vnc-info
• voldemort-info
• vuze-dht-info
• wdb-version
• whois
• wsdd-discover
• x11-access
• xdmcp-discover
• xmpp-brute
• xmpp-info

Libraries (show 106)(106)Libraries (106)

• afp
• ajp
• amqp
• asn1
• base32
• base64
• bin
• bit
• bitcoin
• bittorrent
• bjnp
• brute
• cassandra
• citrixxml
• comm
• creds
• cvs
• datafiles
• dhcp
• dhcp6
• dns
• dnsbl
• dnssd
• drda
• eap
• eigrp
• ftp
• giop
• gps
• http
• httpspider
• iax2
• ike
• imap
• informix
• ipOps
• ipp
• iscsi
• isns
• jdwp
• json
• ldap
• lfs
• listop
• match
• membase
• mobileme
• mongodb
• msrpc
• msrpcperformance
• msrpctypes
• mssql
• mysql
• natpmp
• ncp
• ndmp
• netbios
• nmap
• nrpc
• nsedebug
• omp2
• openssl
• ospf
• packet
• pcre
• pgsql
• pop3
• pppoe
• proxy
• rdp
• redis
• rmi
• rpc
• rpcap
• rsync
• rtsp
• sasl
• shortport
• sip
• smb
• smbauth
• smtp
• snmp
• socks
• srvloc
• ssh1
• ssh2
• sslcert
• stdnse
• strbuf
• strict
• stun
• tab
• target
• tftp
• tns
• unpwdb
• upnp
• url
• versant
• vnc
• vulns
• vuzedht
• wsdd
• xdmcp
• xmpp

File modbus-discover

Script types: portrule
Categories: discovery, intrusive
Download: http://nmap.org/svn/scripts/modbus-discover.nse

User Summary

Enumerates SCADA Modbus slave ids (sids) and collects their device information.

Modbus is one of the popular SCADA protocols. This script does Modbus device information disclosure. It tries to find legal sids (slave ids) of Modbus devices and to get additional information about the vendor and firmware. This script is improvement of modscan python utility written by Mark Bristow.

Information about MODBUS protocol and security issues:

• MODBUS application protocol specification: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf
• Defcon 16 Modscan presentation: https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf
• Modscan utility is hosted at google code: http://code.google.com/p/modscan/

Script Arguments

aggressive

- boolean value defines find all or just first sid

Example Usage

nmap --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' -p 502 <host>

Script Output

PORT    STATE SERVICE
502/tcp open  modbus
| modbus-discover:
|   Positive response for sid = 0x64
|     SLAVE ID DATA: \xFA\xFFPM710PowerMeter
|     DEVICE IDENTIFICATION: Schneider Electric PM710 v03.110
|_  Positive error response for sid = 0x96 (GATEWAY TARGET DEVICE FAILED TO RESPONSE)

Requires

• bin
• comm
• nmap
• shortport
• stdnse
• string
• table

---

Author: Alexander Rudakov

License: Same as Nmap--See http://nmap.org/book/man-legal.html