Script http-trane-info

Script types: portrule
Categories: discovery, version, safe
Download: https://svn.nmap.org/nmap/scripts/http-trane-info.nse

Script Summary

Attempts to obtain information from Trane Tracer SC devices. Trane Tracer SC is an intelligent field panel for communicating with HVAC equipment controllers, deployed across several sectors, including commercial facilities.

The information is obtained from the device's web server, which exposes sensitive content to unauthenticated users.

Tested on Trane Tracer SC version 4.40.1211 and below.

References:

Script Arguments

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p80 --script http-trane-info.nse <target>

Script Output

| http-trane-info: 
|   serverName: XXXXX 
|   serverTime: 2017-09-24T01:03:08-05:00 
|   serverBootTime: 2017-08-03T02:06:39-05:00 
|   vendorName: Trane 
|   productName: Tracer SC 
|   productVersion: v4.20.1128 (release) 
|   kernelVersion: 2.6.30_HwVer12AB-hydra 
|   hardwareType: HwVer12AB 
|   hardwareSerialNumber: XXXXX 
|   devices: 
|     
|       isOffline: false 
|       equipmentUri: /equipment/dac/generic/1 
|       displayName: RTU-01 
|       equipmentFamily: AirHandler 
|       roleDocument: BCI-I_9a8c9b8116cd392fc0b4a233405f3f5964fa6b885809c810a8d0ed5478XXXXXX__RTU_Ipak_VAV 
|       deviceName: RTU-01 
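
For triaging scan results, the following added example (not part of the Nmap script or its documentation) parses the Script Output block above into a dictionary and reports whether the product version falls within the range this page lists as tested. The function names and the abridged sample input are constructed for illustration.

```python
import re

# Constructed sample: abridged copy of the Script Output shown on this page.
SAMPLE = """\
| http-trane-info:
|   serverName: XXXXX
|   serverTime: 2017-09-24T01:03:08-05:00
|   productName: Tracer SC
|   productVersion: v4.20.1128 (release)
|   hardwareSerialNumber: XXXXX
|   devices:
|
|       isOffline: false
|       equipmentUri: /equipment/dac/generic/1
|       displayName: RTU-01
"""

# From the page: "Tested on Trane Tracer SC version 4.40.1211 and below."
TESTED_MAX = (4, 40, 1211)

def parse_trane_output(text):
    """Turn the '|'-prefixed script output into {field: value, 'devices': [...]}."""
    info, devices, current = {}, [], None
    for raw in text.splitlines():
        m = re.match(r"^\|_?(\s*)(.*?)\s*$", raw)
        if not m:
            continue                      # not part of a script output block
        indent, body = len(m.group(1)), m.group(2)
        if not body:                      # blank entry line separates devices
            if indent > 3:
                current = {}
                devices.append(current)
            continue
        key, _, value = body.partition(":")   # split on first ':' only
        value = value.strip()
        if indent <= 3:
            if value:                     # skip headers: script id, 'devices:'
                info[key] = value
        else:
            if current is None:           # separator line was stripped
                current = {}
                devices.append(current)
            current[key] = value
    info["devices"] = devices
    return info

def in_tested_range(info):
    """True/False if productVersion is <= TESTED_MAX, None if unparseable."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", info.get("productVersion", ""))
    return tuple(map(int, m.groups())) <= TESTED_MAX if m else None
```

Feed it the `http-trane-info` block cut from Nmap's normal output for each host to build an inventory of panels that answer unauthenticated requests.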

Requires


Author:

  • Pedro Joaquin <pjoaquin()websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html