Ask Your Question
0

device type or device version trough the protocol header frame

asked 2021-04-20 15:59:11 +0000

macampic gravatar image

Is there any way I could know the device type or device version trough the protocol header frame for an OT environment? or any other way?Not nmap

edit retag flag offensive close merge delete

Comments

Depends entirely on the protocols being used and possibly the messages exchanged by the protocol. What protocol do you have in mind?

grahamb gravatar imagegrahamb ( 2021-04-20 16:13:36 +0000 )edit

I am thinking about industrial protocols, for example modbus. I would like to know if for example it is a PLC or HMI

macampic gravatar imagemacampic ( 2021-04-20 16:15:29 +0000 )edit

These are commercial products (The ICS Detection Challenge took place at S4x18 and S4x19) with some talk about open source tools in the S4x19 ICS Detection Challenge Results.
There are a few "community tools" available from Dragos.

Chuckc gravatar imageChuckc ( 2021-04-21 01:08:29 +0000 )edit

Presumably "OT" means "operational technology".

Guy Harris gravatar imageGuy Harris ( 2021-04-21 08:50:15 +0000 )edit

In this case yes, the part of the network involved in the (usually) industrial process that is unfortunately sometimes connected to the IT network and occasionally even worse, part of the same. In an ideal world there would be an airgap.

grahamb gravatar imagegrahamb ( 2021-04-21 09:24:04 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-04-20 18:05:34 +0000

grahamb gravatar image

For Modbus you can determine which is the client and which is the server by the source IP's of the requests and responses. A server is more than likely a PLC and an HMI more than likely a client. Some items, e.g. a SCADA system could be both, as a client to a PLC and as a server for handoff to other items, e.g. an HMI.

There is nothing else in the Modbus protocol that would allow you to determine specific about the devices, although some servers might map data such as hardware\software versions to specific registers, but that would be specific for that device and its configuration. Clients won't be sending anything that might identify them.

Other protocols, e.g. DNP3, do have protocol specific commands to obtain device information such as group 0 Device Attributes, but unless a master station issues a request for these values you won't see them in the traffic.

edit flag offensive delete link more

Comments

You may also be able to infer the manufacturer by inspection of the MAC addresses, if the device is on the same network segment.

grahamb gravatar imagegrahamb ( 2021-04-22 16:03:39 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2021-04-20 15:59:11 +0000

Seen: 51 times

Last updated: Apr 20