The remote host is running an OPC Data Access Server.  OPC Data Access is commonly used in SCADA and DCS for data exchange between different applications.  OPC DA also provides indirect read or write access to IO points on SCADA, DCS, PLCs via a Windows server instead of directly contacting the field device using a SCADA protocol.

This host has one or more OPC components present and may act as an OPC Client, Server or both. OPC provides a DCOM interface to allow access to process control data residing on PLCs, RTUs, and Historians.

OPC Servers function as a gateway.

The remote device appears to be a Modicon Quantum controller that can be accessed via Telnet using default credentials.  An attacker could leverage this issue to gain administrative access to the affected device.

The Modicon Quantum, Premium and Momentum brands of PLC's have a private SNMP MIB that is available on the Internet.  The Web Password Status has been obtained via an SNMP Get Request.  The Web Password Status is either enabled or disabled. 

A Web Password Status of disabled identifies a vulnerability.

The Modicon Quantum, Premium and Momentum brands of PLC's have a private SNMP MIB that is available on the Internet.  The Modbus mode has been obtained via an SNMP Get Request.  The Modbus mode is either direct, gateway, unit or some combination of these three types.

The Modbus mode could help an attacker determine the type of attack necessary against the PLC.

The Modicon Quantum, Premium and Momentum brands of PLC's have a private SNMP MIB that is available on the Internet.  The scan status has been obtained via an SNMP Get Request.  The scan status is either idle, operational or stopped. 

An attacker may use this information to determine the status of a PLC.

The Modicon Quantum, Premium, and Momentum brands of PLC's have a private SNMP MIB that is available on the Internet.  The type of Modicon PLC has been obtained via an SNMP Get Request.  The response will be the model type such as 'Quantum'. 

An attacker may use this information to profile the SCADA system and investigate known vulnerabilities of the PLC.

The remote web server appears to be a Modicon Quantum controller that can be accessed using a default set of credentials.  An attacker could leverage this issue to gain administrative access to the affected device.

The remote FTP server has an account with a known username / password combination, which is hardcoded into the device's firmware and difficult to change or remove. An attacker may be able to use this to gain privileged authenticated access to the system, which could allow for other attacks against the affected device.

The Modicon Quantum, Premium and Micro models of PLC have an HTTP server interface.  The Modicon PLC web server and content was identified on the host.

A Modicon PLC Modbus TCP interface is listening on TCP port 502 and is accessible via proprietary function code 126. An attacker that is able to gain network access to this device can reprogram PLC logic or otherwise impact the integrity of the physical process.

Using function code 2, Modbus can read the discrete inputs from a Modbus slave, which is commonly used by SCADA and DCS field devices.
Discrete inputs represent binary (i.e boolean) values that often map to switches, relays, or other sensors. A sample of discrete inputs read from the device are provided by the plugin output.

The ability to read discrete inputs may help an attacker profile a system.

Using function code 1, Modbus can reads the coils in a Modbus slave, which is commonly used by SCADA and DCS field devices. Coils refer to the binary output settings and are typically mapped to actuators.
A sample of coil settings read from the device are provided by the plugin output.

The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message.

Tamarack Consulting supplies software and consulting services to vendors implementing standards-based communications in the electric utility industry.  Although Windows demo versions of the stack are available from distributors such as Netted Automation, this software is primarily used in embedded microcontrollers such as RTUs and IEDs.

The remote host is running a SISCO ICCP server. ICCP servers are commonly used in electric transmission and generation systems. The SISCO stack is used in many third-party ICCP servers including those sold by Areva and Siemens.

SISCO's ICCP stack is used in many third-party ICCP servers including those sold by Siemens and Areva.  The SISCO stack found in the host system does not properly handle malformed packets.  A remote, unauthenticated attacker may be able to crash the ICCP server on the host.

ICCP servers are commonly used in electric transmission and generation systems. Many vendors have integrated the LiveData ICCP stack including Advanced Control Systems, Barco, Eliop, GEA-India, Hitachi, Invensys Process Systems, LiveData, LogicaCMG, Ratio Control Central Stations, SPL Worldgroup, S&C Electric, and Telvent.

The ICCP stack (and other protocols MMS and IEC 61850) includes ISO 7073 (RFC 905) at the Transport Layer.  ISO 7073 specifies the Connection Oriented Transport Protocol (COTP) that includes a pair of user configurable 16-bit numeric, or in some cases ASCII string values, to identify client endpoints called Transport Service Access Points (TSAP's). 

The TSAP used in the host server was guessed by trying a sample of possible values that are commonly used and easily attempted by trial-and-error.

The ICCP stack (and other protocols such as MMS and IEC 61850) include ISO 8073 (RFC 905) at the Transport Layer. ISO 8073 specifies the Connection Oriented Transport Protocol (COTP) that uses a pair of user configurable 16-bit numeric, or in some cases ASCII string values, to identify client endpoints called Transport Service Access Points (TSAPs).

Note that ICCP by itself does not offer protection against eavesdropping, spoofing, man-in-the-middle, and similar attacks.

There are a variety of reasons why polling SCADA outstations may not provide adequate or timely information.  To address this, DNP3 supports unsolicited response where the outstations initiate a response without a poll request when a threshold is exceeded or an event is triggered.  The host has a DNP3 server that currently is configured to support unsolicited response.

DNP3 Application Layer function code 1 (Read) allows object values to be read across the network.  Binary input settings are typically mapped to relays or other sensors which are either on or off. 

The ability to read binary inputs may help an attacker profile a system.

The DNP3 protocol is a multi-layer protocol that begins with a link layer connection.  The DNP3 link layer address is required to establish a link layer connection.  The DNP3 link layer address for the host was easily guessed, and a valid DNP3 link layer connection was established. 

If a link layer connection is successful, additional Read/Write operations to compromise the integrity process control data may be possible.

The remote host is running a Siemens Telegyr ICCP Gateway. ICCP servers are commonly used in electric transmission and generation systems. Production EMS systems should be scanned carefully because they have been known to have vulnerabilities in proprietary applications and protocols.

The remote host is running the Telvent OASyS Application. Telvent OASyS is a SCADA system widely used to control pipelines. It may also be found in electric, water, and other SCADA systems.

The remote host contains Siemens S7-SCL (Structured Control Language) Development Tools. Siemens S7-SCL is a programming language based on PASCAL used for programming controllers on DCS/SCADA networks. S7-SCL is consistent with the ST (Structured Text) language define in DIN EN/IEC 61131-3 and is used to quickly automate tasks.

The remote host is running the Siemens PDM (Proces Device Manager) Application. Siemens SIMATIC PDM is used to manage multiple field devices from different vendors. It is common in plant/manufacturing systems and other SCADA systems.

National Instruments Lookout is an web-based human machine interface (HMI) and supervisory control and data acquisition (SCADA) software system for managing manufacturing and process control applications.

The remote host is running a Matrikon OPC Server for SCADA ControlLogix, which enables OPC access to ControlLogix PLCs. OPC servers are commonly used in SCADA and DCS systems to exchange data between different vendor systems and disparate applications.

The remote host is running Matrikon's OPC Explorer tool. This is a free tool that identifies and tests OPC servers and is useful for troubleshooting. Matrikon is one of the leading distributors of OPC-based applications.

The host contains additional OPC/DCOM applications and there may be trust relationships to exploit against OPC servers.

The remote host is running a Matrikon OPC Server for Modbus devices and used to access data from PLCs, RTUs, and IEDs. OPC servers are commonly used in SCADA and DCS systems to exchange data between different vendor systems and disparate applications.

The remote host is running an Areva/Alstom EMS (Energy Management) Server. Areva/Alstom EMS servers are commonly used in electric transmission and generation systems.

Production EMS systems should be scanned carefully because they have been known to have vulnerabilities in proprietary applications and protocols.

ID	Name	Severity
23829	OPC Data Access (DA) Server Detection	info
23828	OPC Application Components Detection	info
23827	Modicon Quantum Telnet Server Default Credentials	medium
23826	Modicon PLC Web Password Status Disclosure SNMP Request Password Status Remote Disclosure	medium
23825	Modicon PLC Modbus Slave Mode SNMP Request Modbus Mode Remote Disclosure	medium
23824	Modicon PLC IO Scan Status SNMP Request Scan Status Remote Disclosure	medium
23823	Modicon PLC CPU Type SNMP Request Model Type Remote Disclosure	medium
23822	Modicon Quantum HTTP Server Default Credentials	high
23821	Schneider Electric FTP Server Default Credentials	critical
23820	Modicon PLC Embedded HTTP Server Detection	medium
23819	Modicon Modbus/TCP Programming Function Code Access	medium
23818	Modbus/TCP Discrete Input Access	medium
23817	Modbus/TCP Coil Access	medium
23816	Tamarack IEC 61850 Server Detection	info
23815	SISCO OSI/ICCP Stack Detection	info
23814	SISCO OSI Stack Vulnerability Scan Remote DoS	high
23813	LiveData ICCP Server Detection	info
23812	ICCP/COTP TSAP Addressing Weakness	medium
23811	ICCP/COTP (ISO 8073) Protocol Detection	high
23810	DNP3 Outstation Unsolicited Messaging Support	medium
23809	DNP3 Binary Inputs Access Remote Information Disclosure	medium
23808	DNP3 Link Layer Brute Force Addressing Disclosure	medium
23807	Siemens-Telegyr ICCP Gateway Detection	info
23806	Telvent OASyS System Detection	info
23805	Siemens S7-SCL Development Tools Detection	info
23804	Siemens SIMATIC PDM Detection	info
23803	National Instruments Lookout Detection	info
23802	Matrikon OPC Server for ControlLogix Detection	info
23801	Matrikon OPC Explorer Detection	info
23800	Matrikon OPC Server for Modbus Detection	info
23799	Areva/Alstom Energy Management System Detection	info

Detections

Analytics

SCADA Family for Nessus

info

info

medium

medium

medium

medium

medium

high

critical

medium

medium

medium

medium

info

info

high

info

medium

high

medium

medium

medium

info

info

info

info

info

info

info

info

info