312-50V10 · Question #886
Jim, a professional hacker, targeted an organization that is operating critical Industrial Infrastructure. Jim used Nmap to scan open pons and running services on systems connected to the organization
The correct answer is D. nmap -Pn -sT -p 102 -script s7-info < Target IP >. The Nmap s7-info NSE script targets port 102 (ISO-TSAP) to enumerate Siemens S7 PLCs and retrieve industrial device metadata such as vendor name, product code, and device name.
Question
Jim, a professional hacker, targeted an organization that is operating critical Industrial Infrastructure. Jim used Nmap to scan open pons and running services on systems connected to the organization's OT network. He used an Nmap command to identify Ethernet/IP devices connected to the Internet and further gathered Information such as the vendor name, product code and name, device name, and IP address. Which of the following Nmap commands helped Jim retrieve the required information?
Options
- Anmap -Pn -sU -p 44818 -script emp-info < Target IP >
- Bnmap -Pn -sT -p 46824A < Target ip >
- Cnmap -Pn-sT -scan-delay is -max-parallelism 1 -p < Port List >< Target IP >
- Dnmap -Pn -sT -p 102 -script s7-info < Target IP >
How the community answered
(54 responses)- A19% (10)
- B6% (3)
- C9% (5)
- D67% (36)
Why each option
The Nmap s7-info NSE script targets port 102 (ISO-TSAP) to enumerate Siemens S7 PLCs and retrieve industrial device metadata such as vendor name, product code, and device name.
Port 44818 is associated with EtherNet/IP, and the script name 'emp-info' is not a valid Nmap NSE script - the correct script for EtherNet/IP enumeration is 'enip-info', making this command non-functional as written.
Port 46824 is not a recognized standard port for any common industrial protocol, and using -sT (TCP connect) on an invalid port would not yield the described device metadata.
This command uses scan-delay and parallelism throttling options intended for IDS evasion during generic port scanning, but does not specify any ICS-specific script or port to retrieve vendor and device information.
The s7-info Nmap script communicates over port 102 using the ISO-TSAP transport layer that underlies the Siemens S7 protocol, and it retrieves detailed device information including vendor name, product code, product name, and firmware version from S7-compatible PLCs on OT networks. This is the standard Nmap technique used in ICS/SCADA reconnaissance to fingerprint Siemens industrial controllers.
Concept tested: Nmap ICS/SCADA S7 PLC enumeration with NSE scripts
Source: https://nmap.org/nsedoc/scripts/s7-info.html
Topics
Community Discussion
No community discussion yet for this question.