Detecting ICCP Servers with Nessus
Although we showed screenshots several weeks back, we haven't shown any scan output yet for the SCADA Nessus plugins we've been developing with Tenable.
For this one I'm just running the plugin from the command line, but this is what would show up in the Nessus scan report if the ICCP server detection plugin successfully found an ICCP server.
# nasl -t 192.168.169.11 scada_iccp_cotp_detect.nasl
Synopsis: COTP (ISO 8073) is running on the host and may be part of an ICCP server, MMS application, or substation automation device that uses IEC 61850/UCA.
Description: The ICCP stack (and other protocols such as MMS and IEC 61850) includes ISO 8073 (RFC 905) at the Transport Layer. ISO 8073 specifies the Connection Oriented Transport Protocol (COTP), which uses a pair of user-configurable values, usually 16-bit numeric but in some cases ASCII strings, to identify the two endpoints of a transport connection, called Transport Service Access Points (TSAPs).
See Also: http://wiki.ethereal.com/COTP
Solution: Upgrade to Secure ICCP or limit TCP/102 traffic to authorized hosts.
Risk factor: Low / CVSS Base Score: 3
Plugin output: One or more COTP Disconnect Requests returned by host
With the following being sent on the wire:
root@franz-d610:~# tethereal port 102
Capturing on eth1
0.000000 192.168.169.61 -> 192.168.169.11 TCP 54480 > iso-tsap [SYN] Seq=0 Len=0 MSS=1460 TSV=23621379 TSER=0 WS=2
0.001517 192.168.169.11 -> 192.168.169.61 TCP iso-tsap > 54480 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
0.001618 192.168.169.61 -> 192.168.169.11 TCP 54480 > iso-tsap [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=23621380 TSER=0
0.001697 192.168.169.61 -> 192.168.169.11 COTP CR TPDU src-ref: 0x0001 dst-ref: 0x0000
0.001846 192.168.169.11 -> 192.168.169.61 COTP DR TPDU src-ref: 0x0000 dst-ref: 0x0001
0.001969 192.168.169.61 -> 192.168.169.11 TCP 54480 > iso-tsap [ACK] Seq=20 Ack=12 Win=5840 Len=0 TSV=23621381 TSER=6167700
0.002047 192.168.169.11 -> 192.168.169.61 TCP iso-tsap > 54480 [RST] Seq=12 Len=0
0.002122 192.168.169.61 -> 192.168.169.11 TCP 54481 > iso-tsap [SYN] Seq=0 Len=0 MSS=1460 TSV=23621381 TSER=0 WS=2
0.002881 192.168.169.11 -> 192.168.169.61 TCP iso-tsap > 54481 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
0.002973 192.168.169.61 -> 192.168.169.11 TCP 54481 > iso-tsap [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=23621381 TSER=0
0.003050 192.168.169.61 -> 192.168.169.11 COTP CR TPDU src-ref: 0x0001 dst-ref: 0x0000
0.003167 192.168.169.11 -> 192.168.169.61 COTP DR TPDU src-ref: 0x0000 dst-ref: 0x0001
0.003281 192.168.169.61 -> 192.168.169.11 TCP 54481 > iso-tsap [ACK] Seq=28 Ack=12 Win=5840 Len=0 TSV=23621382 TSER=6167700
0.003358 192.168.169.11 -> 192.168.169.61 TCP iso-tsap > 54481 [RST] Seq=12 Len=0

Although it looks fairly simple, there is a little more going on behind the scenes. Based on these two messages (the Connection Request we send and the Disconnect Request the host returns) we can sometimes determine a lot more than whether COTP is active. One IEC 61850 implementation responded with a Connection Confirm to invalid TSAPs, while another common ICCP implementation sends a "banner" of sorts, similar to Telnet/FTP/SSH.
And all of this is without any authentication credentials.
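As an added example (not the plugin's NASL, which the post does not show, and not the author's code), here is the exchange the capture above records, written out in Python: build a TPKT (RFC 1006) frame carrying a COTP Connection Request with chosen calling/called TSAPs, parse whatever comes back, and apply the same verdict the plugin output reports, namely that a Disconnect Request is itself proof a COTP stack is listening on TCP/102. The TSAP selector values, the reason byte in the sample DR, the sample CC and the helper names `probe()` and `cotp_verdict()` are all constructed for illustration.

```python
"""COTP CR probe over TPKT: build the request, classify the reply (CC vs DR).

Added example, not the Nessus plugin or the author's code. Wire formats follow
RFC 1006 (TPKT) and ISO 8073 (COTP). TSAP values and sample replies are constructed.
"""
import socket
import struct

TPKT_VERSION = 3
COTP_CR, COTP_CC, COTP_DR = 0xE0, 0xD0, 0x80      # TPDU codes (high nibble)
PARAM_TPDU_SIZE, PARAM_CALLING_TSAP, PARAM_CALLED_TSAP = 0xC0, 0xC1, 0xC2

# DR reason codes, subset of ISO 8073 / X.224.
DR_REASONS = {
    0: "reason not specified", 1: "congestion at TSAP",
    2: "session entity not attached to TSAP", 3: "address unknown",
    128: "normal disconnect", 130: "connection negotiation failed",
    133: "protocol error", 136: "connection request refused",
}

# Constructed frames. The DR is the 11-byte, reason-only shape that the
# capture in the post is consistent with (Ack=12 after the DR = 11 bytes).
SAMPLE_DR = bytes.fromhex("0300000b06800001000003")          # reason 3, address unknown
SAMPLE_CC = bytes.fromhex("0300000e09d00001000500c0010a")    # class 0, TPDU size 1024


def build_cr(called_tsap, calling_tsap, src_ref=0x0001, size_code=0x0A):
    """TPKT + COTP CR, class 0, dst-ref 0 (no peer reference exists yet)."""
    params = bytes([PARAM_TPDU_SIZE, 1, size_code])
    params += bytes([PARAM_CALLING_TSAP, len(calling_tsap)]) + calling_tsap
    params += bytes([PARAM_CALLED_TSAP, len(called_tsap)]) + called_tsap
    fixed = struct.pack(">BHHB", COTP_CR, 0x0000, src_ref, 0x00)  # code|CDT, dst, src, class
    cotp = bytes([len(fixed) + len(params)]) + fixed + params      # LI excludes itself
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(cotp)) + cotp


def _parse_params(buf):
    """Variable part: a run of code / length / value triples."""
    params, i = {}, 0
    while i + 2 <= len(buf):
        code, length = buf[i], buf[i + 1]
        params[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return params


def parse_reply(data):
    """Classify one TPKT frame as CC, DR or other; raise on malformed input."""
    if len(data) < 5 or data[0] != TPKT_VERSION:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li = data[4]
    tpdu = data[5:5 + li]
    if len(tpdu) != li or li < 5:
        raise ValueError("truncated TPDU")
    code = tpdu[0] & 0xF0
    dst_ref, src_ref = struct.unpack(">HH", tpdu[1:5])
    out = {"code": code, "dst_ref": dst_ref, "src_ref": src_ref, "type": "other"}
    if code == COTP_CC and li >= 6:
        out.update(type="CC", cls=tpdu[5] >> 4, params=_parse_params(tpdu[6:]))
    elif code == COTP_DR and li >= 6:
        out.update(type="DR", reason=tpdu[5],
                   reason_text=DR_REASONS.get(tpdu[5], "unknown"),
                   params=_parse_params(tpdu[6:]))
    return out


def _read_tpkt(sock):
    """Read exactly one TPKT frame; empty bytes if the peer closed first."""
    buf = b""
    while len(buf) < 4:
        chunk = sock.recv(4 - len(buf))
        if not chunk:
            return b""
        buf += chunk
    total = struct.unpack(">H", buf[2:4])[0]
    while len(buf) < total:
        chunk = sock.recv(total - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, called_tsap, calling_tsap=b"\x00\x01", port=102, timeout=3.0):
    """Send one CR; return the parsed reply, or None if the host gave nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_cr(called_tsap, calling_tsap))
            reply = _read_tpkt(s)   # the host in the post sends DR then RST
    except (ConnectionResetError, socket.timeout):
        return None
    return parse_reply(reply) if reply else None


def cotp_verdict(replies):
    """Plugin logic: a CC or a DR each prove a COTP stack answered on TCP/102."""
    kinds = {r["type"] for r in replies if r}
    if "CC" in kinds:
        return "COTP active (Connection Confirm received)"
    if "DR" in kinds:
        return "COTP active (Disconnect Request received)"
    return "no COTP reply"


if __name__ == "__main__":
    import sys
    for frame in (SAMPLE_DR, SAMPLE_CC):
        print(parse_reply(frame))
    if len(sys.argv) > 1:   # python cotp_probe.py 192.168.169.11
        print(cotp_verdict([probe(sys.argv[1], b"\x01\x02")]))
```

Two practical points. A DR to a guessed TSAP is the normal, expected answer from a real ICCP/MMS stack, so the verdict above treats it as a positive detection just as the plugin output does; a CC to an arbitrary TSAP is the unusual case the post mentions and is worth flagging separately. And because the host in the capture resets the TCP connection immediately after the DR, the reply has to be read before the RST is processed, which is why the probe reads one whole TPKT frame and tolerates a reset rather than expecting a clean close.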
Author: Matt Franz
Posted: October 23rd, 2006 under ICCP, Nessus SCADA Plugins.