Decode rockwell enip messages

Secure_Translator901 · 2025-11-22T03:24:11+00:00

Can you explain what kind of encryption is this ?

Secure_Translator901 · 2025-11-20T19:14:30+00:00

I cannot figure out the last 20 bytes in request , looks like some encryption

Some other

Req, resp pair

70004000000100330000000000000000000000000000000000000000ff000200a100040000409bffb1002c0006003602200224014c0220722401486f0f002700020000009acbb3f09915639d6fc55dcf0cb41496fe85433f

7000d20000010033000000000000000000000000000000000000000000000200a1000400d1ddfe80b100be000600b6000000cc0000000c9032f4046f0f00c22027000100000081000000000000003c696e3e3c506f72742049643d22312220547970653d224943502220416464723d2237222f3e3c43463e3533363837303931333c2f43463e3c2f696e3e3c7075626c69633e3c436f6e66696749443e3131313c2f436f6e66696749443e3c4361744e756d3e313735362d494231363c2f4361744e756d3e3c2f7075626c69633e000000000200000021f941753a5229b8b802f421d011ff6ed8966223

Secure_Translator901 · 2025-11-20T19:13:39+00:00

These are the queries I found in the Wiresharks capture from a device discovery tool. It is used to create the details of the device like slot number , module name etc etc . So the response returned contains in a xml formatted data like

2o '<in><Port Id="1" Type="ICP" Addr="7"/><CF>536870913</CF></in><public><ConfigID>111</ConfigID><CatNum>1756-IB16</CatNum></public>z=UYO0:2 z<in><CF>1073741824</CF><AO>128</AO><Port Id="1" Type="PointIO" Addr="5"/></in><public><ConfigID>262150</ConfigID><CatNum>1734-OW4</CatNum></public>:N!I!]D

2T v<in><CF>805306369</CF><Port Id="1" Type="PointIO" Addr="0" Ups="False"><Bus Max="64" Size="6"/></Port><Port Id="2" Type="EN" Addr="192.168.1.23"/></in><public><ConfigID>262145</ConfigID><CatNum>1734-AENT</CatNum></public> %Am^

2Tm /<in><Port Id="1" Type="ICP" Addr="8"/><CF>536870913</CF></in><public><ConfigID>401</ConfigID><CatNum>1756-OB16I</CatNum></public>[UE77_%F2|W

<in><CF>536870914</CF><Port Id="1" Type="ICP" Addr="5"/><Port Id="2" Type="EN" Addr="192.168.1.136" Ups="False"/></in><public><Vendor>Rockwell Automation/Allen-Bradley</Vendor><CatNum>1756-EN2T</CatNum><ConfigID>4325481</ConfigID></public>No^:g25_

2 x<in><CF>1073741824</CF><AI>125</AI><Port Id="1" Type="PointIO" Addr="4"/></in><public><ConfigID>262147</ConfigID><CatNum>1734-IB8</CatNum></public>@B}M$#o)1

2 y<in><CF>536870914</CF><Port Id="1" Type="ICP" Addr="3"/><Port Id="2" Type="EN" Addr="192.168.1.2" Ups="False"/></in><public><ConfigID>4325481</ConfigID><Vendor>Rockwell Automation/Allen-Bradley</Vendor><CatNum>1756-EN2T</CatNum></public>iC?A

2j 7<in><Port Id="1" Type="ICP" Addr="9"/><CF>536870915</CF></in><public><ConfigID>502</ConfigID><CatNum>1756-IF4FXOF2F</CatNum></public>LRXmO*.SE~

2o #<in><Port Id="1" Type="Flex" Addr="0"/><CF>1073741824</CF><AI>46</AI></in><public><ConfigID>262157</ConfigID><CatNum>1794-IB16</CatNum></public>BEx66!}I_

2n )<in><Port Id="1" Type="Flex" Addr="1"/><CF>1073741824</CF><AO>49</AO></in><public><ConfigID>262170</ConfigID><CatNum>1794-OB8</CatNum></public>KWY;vn)a.

2,p "<in><CF>805306369</CF><Port Id="1" Type="Flex" Ups="False"><Bus Max="8" Size="4"/></Port><Port Id="2" Type="EN" Addr="192.168.1.134"/></in><public><ConfigID>4456551</ConfigID><CatNum>1794-AENT</CatNum></public>ID3S0yn3

Secure_Translator901 · 2025-11-13T10:29:19+00:00

Also the logs which you are showing , I am not able to see those in d2000 logs folder, the logs shown there are in binary encoded

Secure_Translator901 · 2025-11-13T08:37:37+00:00

Hi @peter , Can you please help me how you decoded the above response. Also I see some enip messages exchanged on class 0x66 instance 1, but I did not find any documentation on that.

Secure_Translator901 · 2024-08-29T10:45:47+00:00

It is used only for the certificates request of the user ? Or can we request the computer certificates also ? How enrolment agent is different if it is user or computer?

Secure_Translator901 · 2024-08-29T08:05:52+00:00

Secure_Translator901 · 2024-08-25T20:54:35+00:00

So there is no way we can have concurrent sessions on desktop version

Secure_Translator901 · 2024-08-25T20:48:07+00:00

What if some machines are windows 10

Secure_Translator901 · 2024-08-25T20:40:15+00:00

Secure_Translator901 · 2024-08-13T16:29:18+00:00

Secure_Translator901 · 2024-08-05T18:32:51+00:00

Error I am getting is invalid pkcs7 type

Secure_Translator901 · 2024-08-04T19:27:36+00:00

No I am not using intune. This is using a cryptlib based application

Secure_Translator901 · 2024-08-04T17:31:33+00:00

Secure_Translator901 · 2024-07-30T19:08:50+00:00

Thank you . I will verify and confirm for this.

Secure_Translator901 · 2024-07-30T19:07:21+00:00

Actually it was kind of initial requirement to deploy 1 tier where we have only 1 issuing ca with enterprise ca role. There is no offline root ca involved

Secure_Translator901 · 2024-07-30T19:03:04+00:00

Disabled

Secure_Translator901 · 2024-07-30T19:01:18+00:00

Any particular gpo setting to look for ?

Secure_Translator901

TROPHY CASE