Customizing NeXpose Service Fingerprints
I was working with a large Bulk Energy Provider who was tasked per NERC to regularly identify all listening services on all “Critical Cyber Assets”. This seems like a fairly simple task however in most SCADA environments, services will orphan or fail with the list bit of probing. Let’s be frank…most control systems just don’t like packets thrown at them.
To take it a step further he also wanted to do a full vulnerability scan against the target services that were known to be stable. After identifying a list of services/ports that would fail when probed, we were able to accomplish this task in a single pass.
The caveat in this specific scenario was that the customer was using a SCADA template, which utilizes a few different approach methods then the standard template set. If you’re not using NeXpose to scan sensitive devices such as RTU‘s, a basic template can be used to label services running on non-standard ports or services label as “unknown”.
I’ve outline the steps below…
1.Copy your default-properties file located /opt/rapid7/nexpose/plugins/java/1/NetworkScanners/1
sudo cp default-services.properties default-services.properties.new
2.Edit the default services file.
Use your favorite text editor and edit the ports adding the name that you would like to appear as the service label.
sudo nano default-services.properties.new
3. Once saved, return to the NeXpose console to edit the template that will be used for the scan. Create a copy of the template you will be using for the scan.
4. Type in the name of your copied default-properties file into the “Default Service Names File” section.
5. Create your site using the newly created scan template and launch your scan.
The results from your scan can be now grouped in the Assets Tab under Services. You also can use the Audit Report to present all devices running the specific service fingerprint.
