Script http-trane-info

Script types: portrule
Categories: discovery, version, safe

Script Summary

Attempts to obtain information from Trane Tracer SC devices. Trane Tracer SC is an intelligent field panel for communicating with HVAC equipment controllers deployed across several sectors including commercial facilities and others.

The information is obtained from the web server that exposes sensitive content to unauthenticated users.

Tested on Trane Tracer SC version 4.40.1211 and below.


Script Arguments


See the documentation for the slaxml library., http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p80 --script trane-info.nse <target>

Script Output

| http-trane-info: 
|   serverName: XXXXX 
|   serverTime: 2017-09-24T01:03:08-05:00 
|   serverBootTime: 2017-08-03T02:06:39-05:00 
|   vendorName: Trane 
|   productName: Tracer SC 
|   productVersion: v4.20.1128 (release) 
|   kernelVersion: 2.6.30_HwVer12AB-hydra 
|   hardwareType: HwVer12AB 
|   hardwareSerialNumber: XXXXX 
|   devices: 
|       isOffline: false 
|       equipmentUri: /equipment/dac/generic/1 
|       displayName: RTU-01 
|       equipmentFamily: AirHandler 
|       roleDocument: BCI-I_9a8c9b8116cd392fc0b4a233405f3f5964fa6b885809c810a8d0ed5478XXXXXX__RTU_Ipak_VAV 
|       deviceName: RTU-01 



  • Pedro Joaquin <pjoaquin()>

License: Same as Nmap--See