Scanning industrial networks
Network scanning is often among the first steps that is conducted when pentesting a network. A lot of applications, tools, guides… exist when talking about network scanning regular IT networks. However, available information is way scarcer when talking about industrial networks. In this post, I will try to encompass different tools and some tips worth considering when scanning industrial networks.
TL;DR: Head to the table below to check different tools for scanning industrial networks.
Tips when scanning industrial networks
Industrial networks (ICS, DCS, SCADA… you name it) are formed by interconnected devices that monitor, control and automate a wide range of physical processes. As such, they are quite ubiquitous: facilities such as dams, electric grids, forges, factories… are often controlled by them. I will use the generic “Industrial network” term as for the purpose of this post, there are little or no differences between different types of networks.
Scanning industrial networks, shares a fair amount of similarities to regular, IT network scanning. IT networks and industrial networks share a fair amount of technologies nowadays (e.g. network stack). Thus, it is perfectly possible to use regular IT scanning software in industrial networks. However, understanding the different nature of these networks is important when scanning, as regular usage of the tools in industrial environments can yield unexpected results: both in the quality of the scan (incorrectly identifying hosts) and the impact on the network.
There is a golden rule when scanning industrial networks: never, ever, scan a live industrial network. Industrial networks are often full of old devices with little or no exception handling to deal with received malformed packets (the type network scanners use). Therefore, consequences can be completely fortuitous and even dangerous, including physically threatening situations. You have been warned: avoid scanning industrial networks while active.
If no resilience testing documentation from the vendor is available, the [industrial] device should be considered fragile by default, period.
The usage of a testbed or a simulation/lab setup of the exact configuration of the network would be ideal. But, let’s face it, this is almost always impossible (especially in black box penetration tests), so the penetration test and the scan should take place during a planned downtime of the facility and when no one is near the places that could eventually harm them. scans of industrial networks belonging to critical infrastructures has to be carried out with maximum care (Do you imagine the consequences of losing control of a nuclear during a penetration test?).
Nmap is probably one of the most versatile and popular tools when scanning networks. Widely used in the IT world, it is best to change some parameters to when scanning industrial networks. Justin Searle summarizes them perfectly in his CS2013 talk:
- Disable OS detection, script scanning and traceroute options (do not use options -A nor -O)
- Avoid, if possible, UDP scanning (option -U)
- Slow scanning speed by using the -T option. If you are doing port scanning, –scan-delay might be useful
The Nmap Scripting Engine (NSE) is one of the most powerful features of Nmap. This engine allows users to extend Nmap’s features and automate tasks by writing scripts to suit different needs. Security professionals have created several scripts especially suited to industrial networks:
Redpoint A NSE script collection by Digital Bond. It provides scripts to discover BACnet and Ethernet/IP devices. Moreover, it also enumerates Schneider Electric Modicon PLCs and Siemens Simatic S7 PLCs.
Modbus-discover A NSE script that enumerates Modbus slaves in an industrial network. It is based on the now defunct Modscan.
Nmap-scada A NSE script collection designed to discover different Siemens devices (HMI, WinCC, PLCs. . . ) in the network. It uses UDP scanning, so keep an eye open if you use it in non-Siemens environments.
PLCScan is a network scanner aimed to find Modbus and Siemens devices on the network. It was released by the ScadaStrangeLove team. It is easy to use, fast and written in Python. It sends especially crafted packets depending on the protocol the device is using (this is determined by the port number the device is listening from).
ScadaScan is a tool for enumerating DNP3 and Modbus slaves. Written in Perl, its development has been paused for a while. It bruteforces the id field in read or request messages to find the slaves.
Profinet scanner is, as the name suggests, a scanner for Profinet enabled devices. It searches for PLCs, HMIs and workstations. Part of the scada-tools suite, also released by ScadaStrangeLove, this suite has more industrial security-related tools (no more network scanners, though).
|Scanning tool||Devices it enumerates||Written in||License|
|Redpoint|| BACnet and Ethernet/IP devices. |
Schneider Electric Modicon and Siemens S7 PLCs
|Lua||Same as Nmap (GPLv2)|
|Modbus-discover||Modbus slaves||Lua||Same as Nmap (GPLv2)|
|Nmap-scada|| Siemens devices: |
Simatic S7 PLCs, WinCC, HMI and Scalance switches
|Lua||Same as Nmap (GPLv2)|
|PLCScan||Siemens Simatic S7 PLCs & Modbus slaves||Python||GPLv3|
|ScadaScan||DNP3 & Modbus slaves||Perl||Apache 2.0|
|Profinet Scanner||Profinet devices (HMI, PLCs, Workstations)||Python||GPLv3|
As we can see, when scanning industrial networks, existing tools cover the main industrial protocols available in a modern facility. Once the devices have been identified, the penetration test or audit can continue to the next phase.