SERVICE 44818/tcp 2222/udp

EtherNet/IP (CIP)

aka enip, cip, rockwell

Industrial protocol on 44818 (TCP) / 2222 (UDP) used by Allen-Bradley / Rockwell PLCs. It is unauthenticated: anyone who can reach the port can enumerate the PLC's identity and tags and, in OT contexts, read/write the control logic.

Ports

Port    Proto   Notes
44818   tcp     EtherNet/IP explicit messaging
2222    udp     EtherNet/IP implicit (I/O)

Fingerprint

  • nmap enip-info returns vendor, product name, serial, revision
  • List Identity response on 44818
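
The fields a List Identity reply carries, shown as an added example (not code from this page, nmap or cpppo): a parser that turns one reply into an asset-inventory record, with the length checks a malformed reply needs. The sample reply is constructed and every value in it is made up; the function names are this example's own.

```python
import socket
import struct

LIST_IDENTITY = 0x0063   # encapsulation command code
IDENTITY_ITEM = 0x000C   # CPF item type that carries the identity

def parse_list_identity(data: bytes) -> dict:
    """Turn one List Identity reply into an asset-inventory record."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte encapsulation header")
    # Little-endian header: command, length, session, status, context, options.
    command, length, _, status, _, _ = struct.unpack_from("<HHII8sI", data, 0)
    if command != LIST_IDENTITY or status != 0:
        raise ValueError("not a successful List Identity reply")
    body = data[24:24 + length]
    if len(body) < max(length, 6):
        raise ValueError("truncated command data")
    count, item_type, item_len = struct.unpack_from("<HHH", body, 0)
    item = body[6:6 + item_len]
    if count < 1 or item_type != IDENTITY_ITEM or len(item) < max(item_len, 33):
        raise ValueError("missing or truncated identity item")
    # The embedded socket address is the one big-endian part of the item.
    port, addr = struct.unpack_from(">H4s", item, 4)
    (vendor, dev_type, product_code, major, minor, _dev_status,
     serial, name_len) = struct.unpack_from("<HHHBBHIB", item, 18)
    name = item[33:33 + name_len]
    if len(name) != name_len:
        raise ValueError("product name runs past the item")
    return {
        "vendor_id": vendor,
        "device_type": dev_type,
        "product_code": product_code,
        "revision": f"{major}.{minor}",
        "serial": f"0x{serial:08X}",
        "product_name": name.decode("ascii", "replace"),
        "socket": f"{socket.inet_ntoa(addr)}:{port}",
    }

def constructed_reply() -> bytes:
    """Constructed sample reply; every value in it is made up."""
    name = b"Example PLC"
    item = struct.pack("<H", 1)  # encapsulation protocol version
    item += struct.pack(">hH4s8x", 2, 44818, socket.inet_aton("192.0.2.10"))
    item += struct.pack("<HHHBBHIB", 1, 14, 0x36, 20, 11, 0x30, 0xC0FFEE, len(name))
    item += name + b"\x03"       # product name, then the state byte
    body = struct.pack("<HHH", 1, IDENTITY_ITEM, len(item)) + item
    return struct.pack("<HHII8sI", LIST_IDENTITY, len(body), 0, 0, b"", 0) + body

if __name__ == "__main__":
    print(parse_list_identity(constructed_reply()))
```

Fed with replies taken from a passive capture inside the cell zone, the same record can be compared against the asset register to spot controllers that are not supposed to be there.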

Exploitation primitives

  • enip-info / cpppo enumerate PLC identity and tags
  • Read tag values (process state)
  • Write tags / change PLC mode — DANGEROUS, affects physical process

Overview

EtherNet/IP on 44818 is the CIP protocol for Rockwell/Allen-Bradley PLCs. Reachable controllers answer identity and tag queries with no auth.

Enumeration

Identity:

nmap -p44818 --script enip-info <TARGET>

Read a tag with cpppo:

python3 -m cpppo.server.enip.client --address <TARGET> "Tag_Name"

Hardening

Isolate the OT/ICS network, enforce read-only access via a gateway, and never expose 44818 beyond the cell zone.
