Nmap script support for scanning industrial control devices

References

Reposted from (http://www.360doc.com/content/15/1201/11/26186435_517125254.shtml)

Introduction

NMAP is a powerful network scanner. Beyond ordinary TCP/IP network scanning, NMAP's script extension feature opens up a much wider range of uses.
For learning the scripting side, see the following article:
"Nmap Scripts Explained in Detail (Very Detailed): From Zero to Mastery, This One Article Is All You Need"
By configuring scripts, device information can be determined much more specifically; the standard distribution currently integrates 607 scripts.

Industrial control protocols

A brief introduction to the industrial control protocols

  • CIP
    The Common Industrial Protocol (CIP) is a communication protocol used in industrial automation, maintained by the Open DeviceNet Vendor Association (ODVA). It was formerly called the Control and Information Protocol (also abbreviated CIP). CIP is carried by three networks: DeviceNet, ControlNet and EtherNet/IP.
  • EtherNet/IP
    EtherNet/IP is an industrial Ethernet protocol developed by Rockwell Automation and managed by ODVA. It can be used in process control and other automation applications and is part of the Common Industrial Protocol (CIP). It is built on standard UDP/IP and TCP/IP, uses commodity Ethernet hardware and software, and defines an application-layer protocol for configuring, accessing and controlling industrial automation devices.
    The "IP" in EtherNet/IP stands for "Industrial Protocol" and has nothing to do with the Internet Protocol.
    EtherNet/IP classifies Ethernet devices into predefined device types, each with its own specific behaviour. In addition, EtherNet/IP devices can:
    send basic I/O data with implicit messages over the User Datagram Protocol (UDP);
    upload or download parameters, setpoints, programs or recipes with explicit messages over the Transmission Control Protocol (TCP);
    let a master monitor slave status by polling, by periodic updates from the slave, or by change-of-state (COS) updates, with the messages sent over UDP;
    send data one-to-one, one-to-many or by broadcast using TCP messages.
    EtherNet/IP uses TCP port 44818 for explicit messaging and UDP port 2222 for implicit messaging.
  • PROFIBUS
    PROFIBUS is a fieldbus standard used in automation technology, promoted in 1987 by fourteen companies including Siemens of Germany together with five research institutes; PROFIBUS is short for PROcess FIeld BUS. PROFIBUS and PROFINET, which is used for industrial Ethernet, are two different communication protocols. It is a fieldbus technology for shop-floor supervision in factory automation and for data communication and control at the field-device level, providing distributed digital control and a field communication network from the field-device level up to shop-floor supervision.
  • DNP3
    DNP (Distributed Network Protocol) is a communication protocol used between automation components, common in the electric power and water treatment industries. It uses a simplified OSI model, the Enhanced Performance Architecture (EPA), consisting only of a physical layer, a data link layer and an application layer. SCADA systems can use DNP to communicate with master stations, RTUs and IEDs.
  • ICCP
    Inter-Control Center Communications Protocol, a communications protocol between electric power control centres.
  • OPC
    OLE for Process Control. OPC comprises a standard set of interfaces, properties and methods for process control and manufacturing automation systems.
  • BACnet
    A Data Communication Protocol for Building Automation and Control Networks. The BACnet protocol defines services and protocols for computer control of heating, ventilation and air-conditioning (HVAC) systems and other building equipment systems.
  • Siemens S7
    A layer-7 protocol used to exchange data between Siemens devices. Via TSAPs it can be carried over buses or networks of different physical structure, such as MPI, DP and Ethernet; PLCs usually implement it through prepackaged communication function blocks.
  • Other industrial control protocols
    IEC 60870-5-104, Tridium Niagara Fox, Crimson V3, OMRON FINS, PCWorx, ProConOs, MELSEC-Q

Scanning plugins

A set of industrial control system scanning plugins is available on GitHub (https://github.com/digitalbond/Redpoint)

  • BACnet-discover-enumerate.nse
    Purpose: identify and enumerate BACnet devices
    nmap -sU -Pn -p47808 -n --script BACnet-discover-enumerate <host>

  • enip-enumerate.nse
    Purpose: identify and enumerate EtherNet/IP devices from Rockwell Automation and other vendors
    nmap -p44818 --script enip-enumerate <host>

  • fox-info.nse
    Purpose: identify and enumerate Niagara Fox devices
    nmap -p1911 --script fox-info <host>

  • modicon-info.nse
    Purpose: identify and enumerate Schneider Electric Modicon PLCs
    nmap -p502 --script modicon-info.nse -sV <host>

  • omron-info.nse
    Purpose: identify and enumerate Omron PLCs
    nmap -p9600 --script omrontcp-info <host>
    nmap -sU -p9600 --script omronudp-info <host>

  • pcworx-info.nse
    Purpose: identify and enumerate PLCs that use PC Worx
    nmap -p1962 --script pcworx-info -sV <host>

  • proconos-info.nse
    Purpose: identify and enumerate PLCs that use ProConOs
    nmap -p20547 --script proconos-info -sV <host>

  • s7-enumerate.nse
    Purpose: identify and enumerate Siemens SIMATIC S7 series PLCs
    nmap -p102 --script s7-enumerate -sV <host>

Demonstration

1. Download all the plugins locally (https://github.com/digitalbond/Redpoint)
2. Copy all the plugins into nmap's scripts folder
Run the appropriate script command against the target.
Here we test an S7 simulator.

[root@c79 test]# nmap -p102 --script s7-enumerate.nse -sV 192.168.31.60
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-29 10:55 CST
NSE: DEPRECATION WARNING: bin.lua is deprecated. Please use Lua 5.3 string.pack
Nmap scan report for 192.168.31.60
Host is up (0.00017s latency).

PORT    STATE SERVICE  VERSION
102/tcp open  iso-tsap Siemens S7 PLC
| s7-info: 
|   Module: 6ES7 315-2EH14-0AB0 
|   Basic Hardware: 6ES7 315-2EH14-0AB0 
|   Version: 3.2.6
|   System Name: SNAP7-SERVER
|   Module Type: CPU 315-2 PN/DP
|   Serial Number: S C-C2UR28922012
|_  Copyright: Original Siemens Equipment
| s7-enumerate: 
|   Module: 6ES7 315-2EH14-0AB0 
|   Basic Hardware: 6ES7 315-2EH14-0AB0 
|   Version: 3.2.6
|   System Name: SNAP7-SERVER
|   Module Type: CPU 315-2 PN/DP
|   Serial Number: S C-C2UR28922012
|_  Copyright: Original Siemens Equipment
| fingerprint-strings: 
|   TerminalServerCookie: 
|_    Cookie: mstshash=nmap
MAC Address: 94:09:D3:10:33:61 (shenzhen maxtopic technology)
Service Info: Device: specialized

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.79 seconds

2. Going further
In fact, the nmap distribution itself ships with many scripts covering a good number of common network protocols, and these scripts can pull out some vendor-specific data.

[root@c79 test]# ls /usr/share/nmap/scripts/
acarsd-info.nse                       finger.nse                              http-svn-enum.nse                ms-sql-tables.nse               smb-print-text.nse
address-info.nse                      fingerprint-strings.nse                 http-svn-info.nse                ms-sql-xp-cmdshell.nse          smb-protocols.nse
afp-brute.nse                         firewalk.nse                            http-title.nse                   mtrace.nse                      smb-psexec.nse
afp-ls.nse                            firewall-bypass.nse                     http-tplink-dir-traversal.nse    murmur-version.nse              smb-security-mode.nse
afp-path-vuln.nse                     flume-master-info.nse                   http-trace.nse                   mysql-audit.nse                 smb-server-stats.nse
afp-serverinfo.nse                    fox-info.nse                            http-traceroute.nse              mysql-brute.nse                 smb-system-info.nse
afp-showmount.nse                     freelancer-info.nse                     http-trane-info.nse              mysql-databases.nse             smb-vuln-conficker.nse
ajp-auth.nse                          ftp-anon.nse                            http-unsafe-output-escaping.nse  mysql-dump-hashes.nse           smb-vuln-cve2009-3103.nse
ajp-brute.nse                         ftp-bounce.nse                          http-useragent-tester.nse        mysql-empty-password.nse        smb-vuln-cve-2017-7494.nse
ajp-headers.nse                       ftp-brute.nse                           http-userdir-enum.nse            mysql-enum.nse                  smb-vuln-ms06-025.nse
ajp-methods.nse                       ftp-libopie.nse                         http-vhosts.nse                  mysql-info.nse                  smb-vuln-ms07-029.nse
ajp-request.nse                       ftp-proftpd-backdoor.nse                http-virustotal.nse              mysql-query.nse                 smb-vuln-ms08-067.nse
allseeingeye-info.nse                 ftp-syst.nse                            http-vlcstreamer-ls.nse          mysql-users.nse                 smb-vuln-ms10-054.nse
amqp-info.nse                         ftp-vsftpd-backdoor.nse                 http-vmware-path-vuln.nse        mysql-variables.nse             smb-vuln-ms10-061.nse
asn-query.nse                         ftp-vuln-cve2010-4221.nse               http-vuln-cve2006-3392.nse       mysql-vuln-cve2012-2122.nse     smb-vuln-ms17-010.nse
auth-owners.nse                       ganglia-info.nse                        http-vuln-cve2009-3960.nse       nat-pmp-info.nse                smb-vuln-regsvc-dos.nse
auth-spoof.nse                        giop-info.nse                           http-vuln-cve2010-0738.nse       nat-pmp-mapport.nse             smb-vuln-webexec.nse
backorifice-brute.nse                 gkrellm-info.nse                        http-vuln-cve2010-2861.nse       nbd-info.nse                    smb-webexec-exploit.nse
backorifice-info.nse                  gopher-ls.nse                           http-vuln-cve2011-3192.nse       nbns-interfaces.nse             smtp-brute.nse
bacnet-info.nse                       gpsd-info.nse                           http-vuln-cve2011-3368.nse       nbstat.nse                      smtp-commands.nse
banner.nse                            hadoop-datanode-info.nse                http-vuln-cve2012-1823.nse       ncp-enum-users.nse              smtp-enum-users.nse
bitcoin-getaddr.nse                   hadoop-jobtracker-info.nse              http-vuln-cve2013-0156.nse       ncp-serverinfo.nse              smtp-ntlm-info.nse
bitcoin-info.nse                      hadoop-namenode-info.nse                http-vuln-cve2013-6786.nse       ndmp-fs-info.nse                smtp-open-relay.nse
bitcoinrpc-info.nse                   hadoop-secondary-namenode-info.nse      http-vuln-cve2013-7091.nse       ndmp-version.nse                smtp-strangeport.nse
bittorrent-discovery.nse              hadoop-tasktracker-info.nse             http-vuln-cve2014-2126.nse       nessus-brute.nse                smtp-vuln-cve2010-4344.nse
bjnp-discover.nse                     hbase-master-info.nse                   http-vuln-cve2014-2127.nse       nessus-xmlrpc-brute.nse         smtp-vuln-cve2011-1720.nse
broadcast-ataoe-discover.nse          hbase-region-info.nse                   http-vuln-cve2014-2128.nse       netbus-auth-bypass.nse          smtp-vuln-cve2011-1764.nse
broadcast-avahi-dos.nse               hddtemp-info.nse                        http-vuln-cve2014-2129.nse       netbus-brute.nse                sniffer-detect.nse
broadcast-bjnp-discover.nse           hnap-info.nse                           http-vuln-cve2014-3704.nse       netbus-info.nse                 snmp-brute.nse
broadcast-db2-discover.nse            hostmap-bfk.nse                         http-vuln-cve2014-8877.nse       netbus-version.nse              snmp-hh3c-logins.nse
broadcast-dhcp6-discover.nse          hostmap-crtsh.nse                       http-vuln-cve2015-1427.nse       nexpose-brute.nse               snmp-info.nse
broadcast-dhcp-discover.nse           hostmap-robtex.nse                      http-vuln-cve2015-1635.nse       nfs-ls.nse                      snmp-interfaces.nse
broadcast-dns-service-discovery.nse   http-adobe-coldfusion-apsa1301.nse      http-vuln-cve2017-1001000.nse    nfs-showmount.nse               snmp-ios-config.nse
broadcast-dropbox-listener.nse        http-affiliate-id.nse                   http-vuln-cve2017-5638.nse       nfs-statfs.nse                  snmp-netstat.nse
broadcast-eigrp-discovery.nse         http-apache-negotiation.nse             http-vuln-cve2017-5689.nse       nje-node-brute.nse              snmp-processes.nse
broadcast-hid-discoveryd.nse          http-apache-server-status.nse           http-vuln-cve2017-8917.nse       nje-pass-brute.nse              snmp-sysdescr.nse
broadcast-igmp-discovery.nse          http-aspnet-debug.nse                   http-vuln-misfortune-cookie.nse  nntp-ntlm-info.nse              snmp-win32-services.nse
broadcast-jenkins-discover.nse        http-auth-finder.nse                    http-vuln-wnr1000-creds.nse      nping-brute.nse                 snmp-win32-shares.nse
broadcast-listener.nse                http-auth.nse                           http-waf-detect.nse              nrpe-enum.nse                   snmp-win32-software.nse
broadcast-ms-sql-discover.nse         http-avaya-ipoffice-users.nse           http-waf-fingerprint.nse         ntp-info.nse                    snmp-win32-users.nse
broadcast-netbios-master-browser.nse  http-awstatstotals-exec.nse             http-webdav-scan.nse             ntp-monlist.nse                 socks-auth-info.nse
broadcast-networker-discover.nse      http-axis2-dir-traversal.nse            http-wordpress-brute.nse         omp2-brute.nse                  socks-brute.nse
broadcast-novell-locate.nse           http-backup-finder.nse                  http-wordpress-enum.nse          omp2-enum-targets.nse           socks-open-proxy.nse
broadcast-ospf2-discover.nse          http-barracuda-dir-traversal.nse        http-wordpress-users.nse         omron-info.nse                  ssh2-enum-algos.nse
broadcast-pc-anywhere.nse             http-bigip-cookie.nse                   http-xssed.nse                   openflow-info.nse               ssh-auth-methods.nse
broadcast-pc-duo.nse                  http-brute.nse                          iax2-brute.nse                   openlookup-info.nse             ssh-brute.nse
broadcast-pim-discovery.nse           http-cakephp-version.nse                iax2-version.nse                 openvas-otp-brute.nse           ssh-hostkey.nse
broadcast-ping.nse                    http-chrono.nse                         icap-info.nse                    openwebnet-discovery.nse        ssh-publickey-acceptance.nse
broadcast-pppoe-discover.nse          http-cisco-anyconnect.nse               iec-identify.nse                 oracle-brute.nse                ssh-run.nse
broadcast-rip-discover.nse            http-coldfusion-subzero.nse             ike-version.nse                  oracle-brute-stealth.nse        sshv1.nse
broadcast-ripng-discover.nse          http-comments-displayer.nse             imap-brute.nse                   oracle-enum-users.nse           ssl-ccs-injection.nse
broadcast-sonicwall-discover.nse      http-config-backup.nse                  imap-capabilities.nse            oracle-sid-brute.nse            ssl-cert-intaddr.nse
broadcast-sybase-asa-discover.nse     http-cookie-flags.nse                   imap-ntlm-info.nse               oracle-tns-version.nse          ssl-cert.nse
broadcast-tellstick-discover.nse      http-cors.nse                           impress-remote-discover.nse      ovs-agent-version.nse           ssl-date.nse
broadcast-upnp-info.nse               http-cross-domain-policy.nse            informix-brute.nse               p2p-conficker.nse               ssl-dh-params.nse
broadcast-versant-locate.nse          http-csrf.nse                           informix-query.nse               path-mtu.nse                    ssl-enum-ciphers.nse
broadcast-wake-on-lan.nse             http-date.nse                           informix-tables.nse              pcanywhere-brute.nse            ssl-heartbleed.nse
broadcast-wpad-discover.nse           http-default-accounts.nse               ip-forwarding.nse                pcworx-info.nse                 ssl-known-key.nse
broadcast-wsdd-discover.nse           http-devframework.nse                   ip-geolocation-geoplugin.nse     pgsql-brute.nse                 ssl-poodle.nse
broadcast-xdmcp-discover.nse          http-dlink-backdoor.nse                 ip-geolocation-ipinfodb.nse      pjl-ready-message.nse           sslv2-drown.nse
cassandra-brute.nse                   http-dombased-xss.nse                   ip-geolocation-map-bing.nse      pop3-brute.nse                  sslv2.nse
cassandra-info.nse                    http-domino-enum-passwords.nse          ip-geolocation-map-google.nse    pop3-capabilities.nse           sstp-discover.nse
cccam-version.nse                     http-drupal-enum.nse                    ip-geolocation-map-kml.nse       pop3-ntlm-info.nse              stun-info.nse
cics-enum.nse                         http-drupal-enum-users.nse              ip-geolocation-maxmind.nse       port-states.nse                 stun-version.nse
cics-info.nse                         http-enum.nse                           ip-https-discover.nse            pptp-version.nse                stuxnet-detect.nse
cics-user-brute.nse                   http-errors.nse                         ipidseq.nse                      puppet-naivesigning.nse         supermicro-ipmi-conf.nse
cics-user-enum.nse                    http-exif-spider.nse                    ipmi-brute.nse                   qconn-exec.nse                  svn-brute.nse
citrix-brute-xml.nse                  http-favicon.nse                        ipmi-cipher-zero.nse             qscan.nse                       targets-asn.nse
citrix-enum-apps.nse                  http-feed.nse                           ipmi-version.nse                 quake1-info.nse                 targets-ipv6-map4to6.nse
citrix-enum-apps-xml.nse              http-fetch.nse                          ipv6-multicast-mld-list.nse      quake3-info.nse                 targets-ipv6-multicast-echo.nse
citrix-enum-servers.nse               http-fileupload-exploiter.nse           ipv6-node-info.nse               quake3-master-getservers.nse    targets-ipv6-multicast-invalid-dst.nse
citrix-enum-servers-xml.nse           http-form-brute.nse                     ipv6-ra-flood.nse                rdp-enum-encryption.nse         targets-ipv6-multicast-mld.nse
clamav-exec.nse                       http-form-fuzzer.nse                    irc-botnet-channels.nse          rdp-ntlm-info.nse               targets-ipv6-multicast-slaac.nse
clock-skew.nse                        http-frontpage-login.nse                irc-brute.nse                    rdp-vuln-ms12-020.nse           targets-ipv6-wordlist.nse
coap-resources.nse                    http-generator.nse                      irc-info.nse                     realvnc-auth-bypass.nse         targets-sniffer.nse
couchdb-databases.nse                 http-git.nse                            irc-sasl-brute.nse               redis-brute.nse                 targets-traceroute.nse
couchdb-stats.nse                     http-gitweb-projects-enum.nse           irc-unrealircd-backdoor.nse      redis-info.nse                  targets-xml.nse
creds-summary.nse                     http-google-malware.nse                 iscsi-brute.nse                  resolveall.nse                  teamspeak2-version.nse
cups-info.nse                         http-grep.nse                           iscsi-info.nse                   reverse-index.nse               telnet-brute.nse
cups-queue-info.nse                   http-headers.nse                        isns-info.nse                    rexec-brute.nse                 telnet-encryption.nse
cvs-brute.nse                         http-hp-ilo-info.nse                    jdwp-exec.nse                    rfc868-time.nse                 telnet-ntlm-info.nse
cvs-brute-repository.nse              http-huawei-hg5xx-vuln.nse              jdwp-info.nse                    riak-http-info.nse              tftp-enum.nse
daap-get-library.nse                  http-icloud-findmyiphone.nse            jdwp-inject.nse                  rlogin-brute.nse                tftp-version.nse
daytime.nse                           http-icloud-sendmsg.nse                 jdwp-version.nse                 rmi-dumpregistry.nse            tls-alpn.nse
db2-das-info.nse                      http-iis-short-name-brute.nse           knx-gateway-discover.nse         rmi-vuln-classloader.nse        tls-nextprotoneg.nse
deluge-rpc-brute.nse                  http-iis-webdav-vuln.nse                knx-gateway-info.nse             rpcap-brute.nse                 tls-ticketbleed.nse
dhcp-discover.nse                     http-internal-ip-disclosure.nse         krb5-enum-users.nse              rpcap-info.nse                  tn3270-screen.nse
dicom-brute.nse                       http-joomla-brute.nse                   ldap-brute.nse                   rpc-grind.nse                   tor-consensus-checker.nse
dicom-ping.nse                        http-jsonp-detection.nse                ldap-novell-getpass.nse          rpcinfo.nse                     traceroute-geolocation.nse
dict-info.nse                         http-litespeed-sourcecode-download.nse  ldap-rootdse.nse                 rsa-vuln-roca.nse               tso-brute.nse
distcc-cve2004-2687.nse               http-ls.nse                             ldap-search.nse                  rsync-brute.nse                 tso-enum.nse
dns-blacklist.nse                     http-majordomo2-dir-traversal.nse       lexmark-config.nse               rsync-list-modules.nse          ubiquiti-discovery.nse
dns-brute.nse                         http-malware-host.nse                   llmnr-resolve.nse                rtsp-methods.nse                unittest.nse
dns-cache-snoop.nse                   http-mcmp.nse                           lltd-discovery.nse               rtsp-url-brute.nse              unusual-port.nse
dns-check-zone.nse                    http-methods.nse                        lu-enum.nse                      rusers.nse                      upnp-info.nse
dns-client-subnet-scan.nse            http-method-tamper.nse                  maxdb-info.nse                   s7-info.nse                     uptime-agent-info.nse
dns-fuzz.nse                          http-mobileversion-checker.nse          mcafee-epo-agent.nse             samba-vuln-cve-2012-1182.nse    url-snarf.nse
dns-ip6-arpa-scan.nse                 http-ntlm-info.nse                      membase-brute.nse                script.db                       ventrilo-info.nse
dns-nsec3-enum.nse                    http-open-proxy.nse                     membase-http-info.nse            servicetags.nse                 versant-info.nse
dns-nsec-enum.nse                     http-open-redirect.nse                  memcached-info.nse               shodan-api.nse                  vmauthd-brute.nse
dns-nsid.nse                          http-passwd.nse                         metasploit-info.nse              sip-brute.nse                   vmware-version.nse
dns-random-srcport.nse                http-phpmyadmin-dir-traversal.nse       metasploit-msgrpc-brute.nse      sip-call-spoof.nse              vnc-brute.nse
dns-random-txid.nse                   http-phpself-xss.nse                    metasploit-xmlrpc-brute.nse      sip-enum-users.nse              vnc-info.nse
dns-recursion.nse                     http-php-version.nse                    mikrotik-routeros-brute.nse      sip-methods.nse                 vnc-title.nse
dns-service-discovery.nse             http-proxy-brute.nse                    mmouse-brute.nse                 skypev2-version.nse             voldemort-info.nse
dns-srv-enum.nse                      http-put.nse                            mmouse-exec.nse                  smb2-capabilities.nse           vtam-enum.nse
dns-update.nse                        http-qnap-nas-info.nse                  modbus-discover.nse              smb2-security-mode.nse          vulners.nse
dns-zeustracker.nse                   http-referer-checker.nse                mongodb-brute.nse                smb2-time.nse                   vuze-dht-info.nse
dns-zone-transfer.nse                 http-rfi-spider.nse                     mongodb-databases.nse            smb2-vuln-uptime.nse            wdb-version.nse
docker-version.nse                    http-robots.txt.nse                     mongodb-info.nse                 smb-brute.nse                   weblogic-t3-info.nse
domcon-brute.nse                      http-robtex-reverse-ip.nse              mqtt-subscribe.nse               smb-double-pulsar-backdoor.nse  whois-domain.nse
domcon-cmd.nse                        http-robtex-shared-ns.nse               mrinfo.nse                       smb-enum-domains.nse            whois-ip.nse
domino-enum-users.nse                 http-sap-netweaver-leak.nse             msrpc-enum.nse                   smb-enum-groups.nse             wsdd-discover.nse
dpap-brute.nse                        http-security-headers.nse               ms-sql-brute.nse                 smb-enum-processes.nse          x11-access.nse
drda-brute.nse                        http-server-header.nse                  ms-sql-config.nse                smb-enum-services.nse           xdmcp-discover.nse
drda-info.nse                         http-shellshock.nse                     ms-sql-dac.nse                   smb-enum-sessions.nse           xmlrpc-methods.nse
duplicates.nse                        http-sitemap-generator.nse              ms-sql-dump-hashes.nse           smb-enum-shares.nse             xmpp-brute.nse
eap-info.nse                          http-slowloris-check.nse                ms-sql-empty-password.nse        smb-enum-users.nse              xmpp-info.nse
enip-info.nse                         http-slowloris.nse                      ms-sql-hasdbaccess.nse           smb-flood.nse
epmd-info.nse                         http-sql-injection.nse                  ms-sql-info.nse                  smb-ls.nse
eppc-enum-processes.nse               https-redirect.nse                      ms-sql-ntlm-info.nse             smb-mbenum.nse
fcrdns.nse                            http-stored-xss.nse                     ms-sql-query.nse                 smb-os-discovery.nse

A quick test of the built-in s7 script

[root@c79 test]# nmap -p102 --script s7-info -sV 192.168.31.60                            
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-29 13:52 CST
Nmap scan report for 192.168.31.60
Host is up (0.00012s latency).

PORT    STATE SERVICE  VERSION
102/tcp open  iso-tsap Siemens S7 PLC
| s7-info: 
|   Module: 6ES7 315-2EH14-0AB0 
|   Basic Hardware: 6ES7 315-2EH14-0AB0 
|   Version: 3.2.6
|   System Name: SNAP7-SERVER
|   Module Type: CPU 315-2 PN/DP
|   Serial Number: S C-C2UR28922012
|_  Copyright: Original Siemens Equipment
| fingerprint-strings: 
|   TerminalServerCookie: 
|_    Cookie: mstshash=nmap
MAC Address: 94:09:D3:10:33:61 (shenzhen maxtopic technology)
Service Info: Device: specialized

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.53 seconds

There seems to be no difference from the earlier result, so it appears the script has already been integrated into the standard distribution.
Testing Modbus discovery

[root@c79 test]# nmap -p502 --script modbus-discover -sV 192.168.31.60                  
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-29 13:50 CST
Nmap scan report for 192.168.31.60
Host is up (0.00023s latency).

PORT    STATE SERVICE VERSION
502/tcp open  modbus
| modbus-discover: 
|   sid 0x1: 
|_    error: ILLEGAL FUNCTION
MAC Address: 94:09:D3:10:33:61 (shenzhen maxtopic technology)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.33 seconds
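
To make sense of the "error: ILLEGAL FUNCTION" line above, here is an added Python decoder for Modbus/TCP response frames; it is not part of the original post or of the Nmap script. It assumes the probed function was Report Slave ID (0x11) and runs on constructed sample frames, not on traffic from the scanned host.

```python
"""Decode Modbus/TCP response frames (MBAP header + PDU), including the
exception response a device returns when it does not implement the probed
function. Sample frames below are constructed, not captured."""
import struct

# Modbus exception codes (Modbus Application Protocol specification, section 7)
EXCEPTION_NAMES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
    0x05: "ACKNOWLEDGE",
    0x06: "SLAVE DEVICE BUSY",
    0x08: "MEMORY PARITY ERROR",
    0x0A: "GATEWAY PATH UNAVAILABLE",
    0x0B: "GATEWAY TARGET DEVICE FAILED TO RESPOND",
}
REPORT_SLAVE_ID = 0x11  # assumed to be the function the discovery probe used


def parse_mbap(frame: bytes) -> dict:
    """Split off the 7-byte MBAP header and validate its length field."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid} (Modbus/TCP uses 0)")
    # length counts unit id + PDU; a mismatch means truncation or non-Modbus data
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return {"transaction_id": tid, "unit_id": uid, "pdu": frame[7:]}


def decode_response(frame: bytes) -> dict:
    """Describe a Modbus/TCP response: exception, Report Slave ID, or raw PDU."""
    hdr = parse_mbap(frame)
    pdu = hdr["pdu"]
    fc = pdu[0]
    result = {"unit_id": hdr["unit_id"], "function": fc & 0x7F}
    if fc & 0x80:
        # Exception response: original function code with the high bit set,
        # followed by one exception code byte. 0x01 is what the scan above saw.
        if len(pdu) < 2:
            raise ValueError("exception response missing exception code")
        code = pdu[1]
        result.update(error=True, exception_code=code,
                      exception=EXCEPTION_NAMES.get(code, f"UNKNOWN (0x{code:02x})"))
        return result
    result["error"] = False
    if fc == REPORT_SLAVE_ID:
        # Report Slave ID: byte count, slave id, run indicator (0xFF = running),
        # then device-specific additional data
        byte_count = pdu[1]
        data = pdu[2:2 + byte_count]
        if len(data) != byte_count or byte_count < 2:
            raise ValueError("Report Slave ID payload truncated")
        result.update(slave_id=data[0], running=data[1] == 0xFF, additional=data[2:])
    else:
        result["raw"] = pdu[1:]
    return result


# Constructed frames (not captured from the scanned host):
# 1) exception reply to function 0x11, unit 1: the ILLEGAL FUNCTION case above
EXCEPTION_FRAME = bytes.fromhex("0001 0000 0003 01 91 01".replace(" ", ""))
# 2) a well-formed Report Slave ID reply from a unit that does support it
SLAVE_ID_FRAME = bytes.fromhex("0002 0000 0007 01 11 04 0a ff 5337".replace(" ", ""))

if __name__ == "__main__":
    for frame in (EXCEPTION_FRAME, SLAVE_ID_FRAME):
        print(decode_response(frame))
```

The exception case is the one shown in the scan output: the simulator answered the probe with function 0x11 | 0x80 and exception code 0x01, which is not an error in the scan but a statement that the device does not implement that function.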