PLCScan is a utility that was released by the ScadaStrangeLove group. PLCScan can be used to identify PLC devices and other Modbus devices on the network.
How PLCScan Works
PLCScan is a Python script that checks the availability of two ports, TCP/102 and TCP/502. If it discovers either of these two ports open, it calls other functions/scripts based on the port. As an example, if it discovers TCP/502 open, it calls the Modbus functions; within these functions, information is collected by pulling the MEI type used for device identification. This returns the device identification, and that information is presented on the screen. Below is a screenshot of the information and process that PLCScan uses to collect information.
PLCScan In Control Systems
PLCScan is a simple tool that will get fast results from PLC devices. The information is pulled from the devices directly, which can cause some issues if the tool is used without first testing it on like devices. PLCScan does provide some error checking within the code that should limit some of these issues. The information it gathers is useful; the PLCScan site has two examples of the output you might see. The output from these devices can include, as an example, firmware versions.
This is a snippet of the code that shows it has built in some of the messages (Modbus exception responses) that it might receive from a Modbus device.
This is an example of the MEI type 14 (Read Device Identification) request that PLCScan is polling with. The response contains information such as the firmware version, as shown in the image above that was pulled from the PLCScan website.
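To make concrete what the two points above describe (the MEI type 14 response PLCScan reads, and the Modbus exception messages it has to recognise), here is an added parser for a Modbus/TCP function 43 / MEI 14 response. It is example code written for this post, not PLCScan's own code; the sample frame and the vendor/product strings in it are constructed, and the object names follow the standard Modbus device-identification object table.

```python
import struct

# Standard Modbus exception codes: the kind of message a scanner must expect
EXCEPTION_CODES = {
    1: "Illegal Function", 2: "Illegal Data Address", 3: "Illegal Data Value",
    4: "Server Device Failure", 10: "Gateway Path Unavailable",
    11: "Gateway Target Device Failed to Respond",
}
# Standard object ids carried by a MEI type 14 (Read Device Identification) reply
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision",
                3: "VendorUrl", 4: "ProductName", 5: "ModelName",
                6: "UserApplicationName"}

def parse_device_id_response(frame: bytes) -> dict:
    """Parse a Modbus/TCP frame (MBAP header + PDU) answering function 43 / MEI 14."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or length != len(pdu) + 1:       # length covers unit id + PDU
        raise ValueError("bad MBAP header (protocol id or length)")
    func = pdu[0]
    if func == 0x2B | 0x80:                        # exception response to function 43
        code = pdu[1]
        return {"unit": unit, "error": EXCEPTION_CODES.get(code, f"Unknown exception {code}")}
    if func != 0x2B or len(pdu) < 8 or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    _read_code, conformity, _more_follows, _next_id, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):                         # each object: id, length, value
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2: pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = OBJECT_NAMES.get(obj_id, f"Object{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"unit": unit, "conformity": conformity, "objects": objects}

def build_sample_frame() -> bytes:
    """Constructed sample reply (basic device id, conformity level 1), not a real PLC's."""
    objs = [(0, b"ExampleVendor"), (1, b"PLC-1000"), (2, b"v2.14")]
    body = b"".join(bytes([i, len(v)]) + v for i, v in objs)
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objs)]) + body
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu

if __name__ == "__main__":
    print(parse_device_id_response(build_sample_frame()))
```

Run against a captured reply instead of the constructed frame to inventory vendor, product code and firmware revision per unit id, which is the same data PLCScan prints.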
Here is a sample output from PLCScan; this example is from scanning a Honeynet virtual machine. It would show more information if an actual PLC were up and running, but this example does show a good result: there is something listening on port TCP/502.
PLCScan can be found here, and it should be included as a tool in the assessment toolkit for a control systems assessment. This is a simple tool that has proven effective at collecting information that helps an assessment team gather details about PLC devices.