This NSE script sends an EtherNet/IP packet to a remote device that has TCP 44818 open. The script sends a Request Identity packet and, once a response is received, validates that it is a proper response to the command that was sent, then parses out the data. Parsed information includes Vendor ID, Device Type, Product Name, Serial Number, Product Code, Revision Number, and the Device IP.
This script was written based on information collected using the Wireshark dissectors for CIP and EtherNet/IP. The original information was collected by running a modified version of the ethernetip.py script (https://github.com/paperwork/pyenip).
nmap --script enip-info -sU -p 44818 <host>
44818/tcp open  EtherNet/IP
| enip-info:
|   Vendor: Rockwell Automation/Allen-Bradley (1)
|   Product Name: 1769-L32E Ethernet Port
|   Serial Number: 0x000000
|   Device Type: Communications Adapter (12)
|   Product Code: 158
|   Revision: 3.7
|_  Device IP: 192.168.1.1
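As an added example (not code from the enip-info script or the pyenip project), the following Python builds the List Identity request the description refers to and parses the reply with the same validation step, checking that the echoed command, status and sender context match before trusting any field; the constructed reply decodes to the sample output above. The field layout follows the EtherNet/IP encapsulation header and CIP Identity item; the vendor and device-type tables are assumed to be partial.

```python
import socket
import struct

LIST_IDENTITY = 0x0063       # encapsulation command the script sends
CIP_IDENTITY_ITEM = 0x000C   # CPF item type carried in the reply
# Partial lookup tables covering only the sample device (assumption: a real tool carries the full lists)
VENDORS = {1: "Rockwell Automation/Allen-Bradley"}
DEVICE_TYPES = {12: "Communications Adapter"}

def build_list_identity_request(context: bytes = b"enipinfo") -> bytes:
    """24-byte encapsulation header, no payload; session handle 0, 8-byte sender context."""
    return struct.pack("<HHII8sI", LIST_IDENTITY, 0, 0, 0, context, 0)

def parse_list_identity_response(data: bytes, context: bytes = b"enipinfo") -> dict:
    """Return identity fields, or raise ValueError if the reply is not a proper answer to our request."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _sess, status, ctx, _opts = struct.unpack("<HHII8sI", data[:24])
    if cmd != LIST_IDENTITY or status != 0 or ctx != context:
        raise ValueError("reply does not match the List Identity request we sent")
    body = data[24:24 + length]
    if len(body) < 6 or struct.unpack("<H", body[:2])[0] < 1:
        raise ValueError("no CPF items in reply")
    item_type, item_len = struct.unpack("<HH", body[2:6])
    item = body[6:6 + item_len]
    if item_type != CIP_IDENTITY_ITEM or len(item) < 33:
        raise ValueError("first item is not a CIP Identity item")
    # sockaddr_in is big-endian (network order) inside an otherwise little-endian packet
    _family, _port, ip_raw = struct.unpack(">hH4s", item[2:10])
    (vendor, dev_type, prod_code, rev_major, rev_minor, _status, serial,
     name_len) = struct.unpack("<HHHBBHIB", item[18:33])
    if len(item) < 33 + name_len:
        raise ValueError("product name runs past the item boundary")
    return {
        "vendor": f"{VENDORS.get(vendor, 'Unknown')} ({vendor})",
        "product_name": item[33:33 + name_len].decode("ascii", "replace"),
        "serial_number": serial, "product_code": prod_code,
        "device_type": f"{DEVICE_TYPES.get(dev_type, 'Unknown')} ({dev_type})",
        "revision": f"{rev_major}.{rev_minor}", "device_ip": socket.inet_ntoa(ip_raw),
    }

def sample_reply(context: bytes = b"enipinfo") -> bytes:
    """Constructed reply (not a real capture) that decodes to the sample output above."""
    name = b"1769-L32E Ethernet Port"
    sockaddr = struct.pack(">hH4s8x", 2, 44818, socket.inet_aton("192.168.1.1"))
    ident = struct.pack("<HHHBBHIB", 1, 12, 158, 3, 7, 0, 0, len(name)) + name + b"\x03"
    item = struct.pack("<H", 1) + sockaddr + ident  # encapsulation protocol version 1, then identity
    body = struct.pack("<HHH", 1, CIP_IDENTITY_ITEM, len(item)) + item
    return struct.pack("<HHII8sI", LIST_IDENTITY, len(body), 0, 0, context, 0) + body
```

A reply whose sender context differs from the one sent is rejected, which is what keeps a stray or spoofed datagram from being reported as a device identity.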
Author: Stephen Hilt (Digital Bond)
License: Same as Nmap--See https://nmap.org/book/man-legal.html
- action (host, port)
Action function that is used to run the NSE script. It sends the initial query to the host and port that were passed in by Nmap. The initial response is parsed to determine if the host is an EtherNet/IP device; if it is, further actions are taken to gather extra information.
- host: Host that was scanned via Nmap
- port: Port that was scanned via Nmap