
Added service probes for KNX + OPC UA #2730

Closed

Conversation


@f0rw4rd f0rw4rd commented Oct 25, 2023

Added service probes for KNX + OPC UA and first time submitting service probes :-).

KNX: Sends a DeviceDesc packet with NAT IP and port (0.0.0.0:0). This allows scanning of internet-facing KNX devices as well as internal ones. Tested on 1 internal network and 2K public devices. Additionally, the service for port 3671 was renamed to knxip because EIBnetIP is the less common service compared to KNX (successor of EIB). The matching rule can extract the FriendlyName but cannot extract the vendor via the MAC. The probe for TCP differs by one byte, which is the KNX header flag for TCP.

Example output (snippet):

Nmap scan report for 130.xxx.xxx.xx
Host is up (0.060s latency).

PORT     STATE SERVICE VERSION
3671/tcp open  knxip   IP Router Secure N 146
Service Info: Device: KNXnet-IP GW

Nmap scan report for 130.xxx.xxx.xx
Host is up (0.069s latency).

PORT     STATE SERVICE VERSION
3671/tcp open  knxip   MDT VisuControl Easy
Service Info: Device: KNXnet-IP GW

Nmap scan report for 139.xxx.xxx.xx
Host is up (0.087s latency).

PORT     STATE SERVICE VERSION
3671/tcp open  knxip   bOS KNX Server
Service Info: Device: KNXnet-IP GW

OPC UA: Sends an OPC UA Hello message and tests whether the response is an ACK or ERR message. Tested on a local open62541 server and on public OPC UA servers (https://github.com/node-opcua/node-opcua/wiki/publicly-available-OPC-UA-Servers-and-Clients). Detects only the OPC UA protocol; direct server version detection is not possible.

Example output (snippet):

Nmap scan report for opcuaserver.com (173.183.147.103)
Host is up (0.042s latency).
Not shown: 8 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE VERSION
4840/tcp  open  opcua   OPC UA Binary Connection Protocol
48010/tcp open  opcua   OPC UA Binary Connection Protocol

Both were tested on the following nmap version:

Nmap version 7.94 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.4.6 openssl-3.1.2 libssh2-1.11.0 libz-1.3 libpcre-8.45 libpcap-1.10.4 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select


f0rw4rd commented Oct 27, 2023

Simplified the regex to include special chars and added the OPC UA error code + message to the rule. This makes it easy to detect problems with the OPC UA server, e.g. a wrong host name. An error message at least includes the error code (hex(2156068864) -> 0x80830000) and may include an error message from the server. The error codes are standardized.

Nmap scan report for 134.209.49.44
Host is up (0.19s latency).

PORT      STATE SERVICE VERSION
62541/tcp open  opcua   OPC UA Binary Connection Protocol (Error 2156068864 unrecognized endpoint url: opc.tcp://nmap)
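A minimal Python implementation of the OPC UA exchange described in the two comments above (Hello message, ACK/ERR classification, and extraction of the error code and reason), added here as an example and not the PR's own probe definitions. The sample ACK and ERR replies are constructed; the ERR sample mirrors the 0x80830000 reply quoted in the output above, and the `probe()` network helper is an assumption about how such a check would be wired up.

```python
import socket
import struct

HEADER_LEN = 8  # MessageType(3) + ChunkType(1) + MessageSize(4)

def build_hello(endpoint_url="opc.tcp://nmap"):
    """Build a UA TCP 'HEL' message: header, five UInt32 fields, then the EndpointUrl string."""
    url = endpoint_url.encode("utf-8")
    # ProtocolVersion, ReceiveBufferSize, SendBufferSize, MaxMessageSize, MaxChunkCount
    body = struct.pack("<IIIII", 0, 65535, 65535, 0, 0)
    body += struct.pack("<i", len(url)) + url  # UA String: Int32 length + bytes
    return b"HEL" + b"F" + struct.pack("<I", HEADER_LEN + len(body)) + body

def parse_response(data):
    """Classify a reply as ACK or ERR and pull out the fields a service match would report."""
    if len(data) < HEADER_LEN:
        raise ValueError("reply shorter than the UA TCP header")
    msg_type, chunk_type = data[:3], data[3:4]
    size = struct.unpack("<I", data[4:8])[0]
    if chunk_type != b"F" or size != len(data):
        raise ValueError("not a single-chunk UA TCP message of the declared size")
    if msg_type == b"ACK":
        if len(data) < 28:
            raise ValueError("ACK body truncated")
        ver, rbuf, sbuf, maxmsg, maxchunks = struct.unpack("<IIIII", data[8:28])
        return {"type": "ACK", "protocol_version": ver, "receive_buffer": rbuf,
                "send_buffer": sbuf, "max_message": maxmsg, "max_chunks": maxchunks}
    if msg_type == b"ERR":
        code, reason_len = struct.unpack("<Ii", data[8:16])  # StatusCode + String length (-1 = null)
        reason = data[16:16 + reason_len].decode("utf-8", "replace") if reason_len > 0 else ""
        return {"type": "ERR", "error": code, "error_hex": f"0x{code:08X}", "reason": reason}
    raise ValueError(f"unexpected message type {msg_type!r}")

def probe(host, port=4840, timeout=5.0):
    """Assumed helper: send one Hello to host:port and return the parsed ACK/ERR reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_hello())
        data = sock.recv(4096)
    return parse_response(data)

# Constructed sample replies (not captured from a real server).
SAMPLE_ACK = b"ACKF" + struct.pack("<I", 28) + struct.pack("<IIIII", 0, 65535, 65535, 16777216, 4096)
_reason = b"unrecognized endpoint url: opc.tcp://nmap"
SAMPLE_ERR = (b"ERRF" + struct.pack("<I", 16 + len(_reason))
              + struct.pack("<Ii", 0x80830000, len(_reason)) + _reason)

if __name__ == "__main__":
    print(parse_response(SAMPLE_ACK))
    print(parse_response(SAMPLE_ERR))  # error 2156068864 / 0x80830000, as in the output above
```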

ValtteriL added a commit to ValtteriL/nmap that referenced this pull request Apr 7, 2024

f0rw4rd commented Apr 22, 2024

Closed because it is a duplicate of #2791

@f0rw4rd f0rw4rd closed this Apr 22, 2024