Script profinet-cm-lookup

Script types: prerule
Categories: discovery, intrusive
Download: https://svn.nmap.org/nmap/scripts/profinet-cm-lookup.nse

Script Summary

Sends a DCE/RPC Endpoint Mapper (EPM) Lookup Request to PROFINET devices.

PROFINET devices support the UDP-based PNIO-CM protocol on port 34964. PNIO-CM uses DCE/RPC as its underlying protocol.

PROFINET devices expose a DCE/RPC UUID entity under the UUID variant 'dea00001-6c97-11d1-8271-00a02442df7d'. This script sends the Lookup Request for this UUID.

References:

Example Usage

nmap -sU <target_ip> -p 34964 --script profinet-cm-lookup

Script Output

PORT      STATE         SERVICE     REASON
34964/udp open|filtered profinet-cm no-response
| profinet-cm-lookup:
|   ipAddress: 192.168.10.12
|   annotationOffset: 0
|   annotationLength: 64
|_  annotation: S7-1500                   6ES7 672-5DC01-0YA0      0 V  2  1  7
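
For asset inventory, the annotation string returned by the script can be split into device type, order number, hardware revision and firmware version. The parser below is an added example, not part of the Nmap script or its documentation. The fixed-width field layout and the names `parse_annotation`, `FIELDS` and `LOOSE` are assumptions, chosen to match the sample output above.

```python
import re

# Constructed sample reproducing the annotation in the Script Output above.
# The format string is the ASSUMED layout: 63 characters, space-padded fields.
SAMPLE = "%-25s %-20s %5d %c%3d%3d%3d" % (
    "S7-1500", "6ES7 672-5DC01-0YA0", 0, "V", 2, 1, 7)

# Assumed character offsets (start, end) of each field in the 63-char string.
FIELDS = {
    "device_type": (0, 25),
    "order_id": (26, 46),
    "hw_revision": (47, 52),
    "sw_prefix": (53, 54),
    "sw_major": (54, 57),
    "sw_minor": (57, 60),
    "sw_patch": (60, 63),
}
NUMERIC = ("hw_revision", "sw_major", "sw_minor", "sw_patch")

# Fallback for output whose padding was collapsed by logging or copy/paste.
# It assumes the device type itself contains no spaces.
LOOSE = re.compile(
    r"^(?P<device_type>\S+)\s+(?P<order_id>.+?)\s+(?P<hw_revision>\d+)\s+"
    r"(?P<sw_prefix>[A-Za-z])\s*(?P<sw_major>\d+)\s+(?P<sw_minor>\d+)\s+"
    r"(?P<sw_patch>\d+)$"
)


def parse_annotation(raw):
    """Return a dict of inventory fields, or None if the string does not fit."""
    text = raw.rstrip("\x00 \r\n")  # drop NUL terminator and trailing padding
    rec = {name: text[a:b].strip() for name, (a, b) in FIELDS.items()}
    if len(text) != 63 or not all(rec[k].isdigit() for k in NUMERIC):
        match = LOOSE.match(text.strip())
        if match is None:
            return None
        rec = match.groupdict()
    for key in NUMERIC:
        rec[key] = int(rec[key])
    rec["sw_version"] = "{sw_prefix}{sw_major}.{sw_minor}.{sw_patch}".format(**rec)
    return rec
```

The parsed order number and firmware version can be compared against the site's asset register to spot unknown or outdated devices answering on port 34964.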

Requires


Author:

  • DINA-community

License: Same as Nmap--See https://nmap.org/book/man-legal.html