metasploit-framework/documentation/modules/auxiliary/scanner/scada/moxa_discover.md


Vulnerable Application

The Moxa protocol listens on 4800/UDP and will respond to broadcast or direct traffic. The service is known to be used on Moxa devices in the NPort, OnCell, and MGate product lines.

A discovery packet compels a Moxa device to respond to the sender with some basic device information that is needed for more advanced functions. The discovery data is 8 bytes in length and is the most basic example of the Moxa protocol. It may be sent out as a broadcast (destination 255.255.255.255) or to an individual device.

Devices that respond to this query may be affected by serious information disclosure vulnerabilities, such as CVE-2016-9361. A discovery response by itself only confirms that the Moxa service is present; whether a particular device is actually affected depends on its model and firmware version.

The module is the work of Patrick DeSantis of Cisco Talos and is derived from original work by K. Reid Wightman. Tested and validated on a Moxa NPort 6250 with firmware versions 1.13 and 1.15.

The discovery request contains the bytes:

\x01\x00\x00\x08\x00\x00\x00\x00

Here the function code (first byte) 0x01 is Moxa discovery/identify, and the fourth byte (0x08) gives the length of the whole packet, header included.

The first byte of a response will always be the func code + 0x80 (the most significant bit of the byte is set to 1, so 0b00000001 becomes 0b10000001, or 0x81).

A valid response is 24 bytes long, starts with 0x81, and contains the values 0x00, 0x90, 0xe8 (the Moxa OUI, the vendor prefix of a Moxa MAC address) in bytes 14, 15, and 16.
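The exchange described above, as an added example that is not part of the module's own code: it builds the 8-byte request, validates a reply against the three checks on this page (24 bytes, first byte 0x01 | 0x80, Moxa OUI at bytes 14..16), and optionally sends the probe to a host or the broadcast address. Byte positions are read zero-based, and the assumption that the OUI is the leading half of a six-byte MAC field is marked in the code; the sample reply is constructed, not captured from a device.

```ruby
require 'socket'

MOXA_PORT = 4800
FUNC_DISCOVER = 0x01
MOXA_OUI = [0x00, 0x90, 0xe8].freeze

# Build the 8-byte discovery request: function code, a zero byte, the
# 16-bit big-endian total length (8, header included), then four bytes of padding.
def build_discovery_request
  [FUNC_DISCOVER, 0x00, 8, 0, 0, 0, 0].pack('CCnC4') # "\x01\x00\x00\x08\x00\x00\x00\x00"
end

# Validate a datagram against the checks given for a Moxa reply: exactly 24 bytes,
# first byte equal to the request function code with its top bit set (0x81), and the
# Moxa OUI at byte offsets 14..16 (zero-based). Returns a Hash of parsed fields, or
# nil when the datagram is not a Moxa discovery response.
def parse_discovery_response(resp)
  return nil unless resp && resp.bytesize == 24
  bytes = resp.unpack('C*')
  return nil unless bytes[0] == (FUNC_DISCOVER | 0x80)
  return nil unless bytes[14, 3] == MOXA_OUI

  {
    func: bytes[0],
    length: (bytes[2] << 8) | bytes[3],
    oui: bytes[14, 3].map { |b| format('%02x', b) }.join(':'),
    # Assumption (not stated on this page): the OUI is the first three bytes of a
    # six-byte MAC field, so bytes 14..19 are read as the full hardware address.
    mac: bytes[14, 6].map { |b| format('%02x', b) }.join(':')
  }
end

# Constructed sample reply (not captured from a device): the header and OUI follow the
# layout on this page; everything else is zero or filler.
SAMPLE_RESPONSE = (
  "\x81\x00\x00\x18" +          # 0x01 | 0x80, zero byte, length 24
  "\x00" * 10 +                 # bytes 4..13: unspecified here, zero in this sample
  "\x00\x90\xe8\x01\x02\x03" +  # bytes 14..19: Moxa OUI followed by three constructed bytes
  "\x00" * 4                    # bytes 20..23: filler
).b.freeze

# Send one discovery datagram to a host or to 255.255.255.255 and collect every
# valid reply that arrives within +timeout+ seconds. Each result carries the
# responder's source IP alongside the parsed fields.
def moxa_discover(target, port: MOXA_PORT, timeout: 2)
  sock = UDPSocket.new
  sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_BROADCAST, 1) if target == '255.255.255.255'
  sock.send(build_discovery_request, 0, target, port)
  found = []
  deadline = Time.now + timeout
  while (remaining = deadline - Time.now) > 0
    ready = IO.select([sock], nil, nil, remaining)
    break unless ready
    data, addr = sock.recvfrom(1024)
    parsed = parse_discovery_response(data)
    found << parsed.merge(ip: addr[3]) if parsed
  end
  found
ensure
  sock&.close
end

# Usage: ruby moxa_discover.rb 192.168.127.254   (or 255.255.255.255 for a broadcast sweep)
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  moxa_discover(ARGV[0]).each do |dev|
    puts "#{dev[:ip]}:#{MOXA_PORT} Moxa device found (mac #{dev[:mac]}, len #{dev[:length]})"
  end
end
```

The parser rejects a datagram of the wrong size, one whose first byte has not been echoed with the 0x80 bit set, and one whose OUI does not match, so a stray UDP reply on port 4800 from something that is not a Moxa device is not reported as a hit.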

Verification Steps

  1. Start msfconsole
  2. Do: use auxiliary/scanner/scada/moxa_discover
  3. Do: set RHOSTS [single target, range, or broadcast address]
  4. Do: run
  5. Devices running the Moxa service should respond and be reported as found

Options

RHOSTS

Target(s) to scan; can be single target, a range, or broadcast.

Scenarios

msf > hosts

Hosts
=====

msf > use auxiliary/scanner/scada/moxa_discover
msf auxiliary(moxa_discover) > set RHOSTS 192.168.127.254
RHOSTS => 192.168.127.254
msf auxiliary(moxa_discover) > show options

Module options (auxiliary/scanner/scada/moxa_discover):

  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  BATCHSIZE  256              yes       The number of hosts to probe in each set
  RHOSTS     192.168.127.254  yes       The target address range or CIDR identifier
  RPORT      4800             yes       The target port (UDP)
  THREADS    10               yes       The number of concurrent threads

msf auxiliary(moxa_discover) > run

[+] 192.168.127.254:4800 Moxa Device Found!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(moxa_discover) > hosts

Hosts
=====

address          mac  name  os_name  os_flavor  os_sp  purpose  info         comments
-------          ---  ----  -------  ---------  -----  -------  ----         --------
192.168.127.254             Unknown                    device   Moxa Device

msf auxiliary(moxa_discover) >