Awesome Industrial Protocols
Compilation of industrial network protocols resources focusing on offensive security.
In this repository:
- You are currently viewing the Awesome Industrial Protocols page.
- Detailed pages for protocols are available in protocols.
- All data is stored in MongoDB databases in db.
- Turn/IP (in srcs) is a handy tool to manipulate this data, generate the awesome list and protocol pages, and simplify the research and test process on industrial protocols.
Note: Sometimes it is unclear whether a name refers to a protocol, a standard, or a complete environment, or if a protocol on a serial link can be accessed in any way from the Ethernet link (through a dedicated implementation or a gateway). I apologize for any confusion, and of course, I welcome any remarks or contributions.
Contents
- BACnet/IP
- CAN
- CC-Link IE
- CIP
- CODESYS
- CSPv4
- DeviceNet
- DF1
- DICOM
- DNP3
- Ether-S-I/O
- EtherCAT
- Ethernet/IP
- ETP
- FF-HSE
- FINS
- FL-net
- GE-SRTP
- HART-IP
- HICP
- HL7
- ICCP
- IEC-60870-5-104
- IEC-61850
- IEEE-C37.118
- ISA100.11a
- KNXnet/IP
- LIS
- LoRaWAN
- M-Bus
- MELSEC
- Modbus
- MQTT
- Niagara Fox
- OPC-DA
- OPC-UA
- PC-WORX
- PCCC
- POWERLINK
- ProConOs
- Profinet-DCP
- Profinet-IO
- S-Bus
- S7comm
- SECS/GEM
- SERCOS-III
- SLMP
- SOME/IP
- TriStation
- TSAA
- UMAS
- WITS
- ZigBee
BACnet/IP
Name | BACnet/IP |
---|---|
Alias | BACnet |
Description | Building automation and control network communication protocol for HVAC systems |
Keywords | HVAC |
Port | 47808/udp |
Access | Paid |
Specifications | BACnet/IP Specification |
Nmap script(s) | bacnet-info.nse |
Wireshark dissector | packet-bacnet.c |
Detailed page | bacnetip.md |
Articles
- 10 things you should know about BACnet - Blog post on RTAutomation
- BACnet CVE-2019-12480 - On M's blog (2019)
- BACnet data representation - Blog post on RTAutomation
Conferences
- (in)Security in Building Automation: How to Create Dark Buildings with Light Speed - Thomas Brandstetter @ Black Hat USA (2017)
- HVACking Understand the Delta Between Security and Reality - Douglas McKee & Mark Bereza @ DEF CON 27 (2019)
- InSecurity in Building Automation - Thomas Brandstetter @ DEF CON 25 ICS Village (2017)
- Mixing industrial protocols with web application security - Bertin Bervis @ DEF CON 27 IoT Village (2019)
- Owning a Building: Exploiting Access Control and Facility Management Systems - Billy Rios @ Black Hat Asia (2014)
Tools
- BACnet Stack - BACnet open source protocol stack
- bacnet-docker - BACnet Tools in Docker
CAN
Name | CAN |
---|---|
Alias | CANbus, CANopen, CAN-FD |
Description | Communication protocol enabling data exchange between electronic components in vehicles |
Keywords | CANbus |
Specifications | ISO-11898 |
Wireshark dissector | packet-canopen.c |
Scapy layer | can.py |
Detailed page | can.md |
Documentations
- DBC Specification - A description of CAN database layout
- Linux SocketCAN documentation - kernel.org
Articles
- CAN Injection: keyless car theft - CANIS Automotive Labs CTO blog (2023)
- CAN-FD - The basic idea - CAN in Automation
- Click here to download more cars - djnn
Conferences
- (Pen)Testing Vehicles with CANToolz - Alexey Sintsov @ Black Hat Europe (2016)
- All Aboard the CAN Bus or Motorcycle - Derrick @ DEF CON Safe Mode Car Hacking Village (2020)
- CAN Bus in Aviation Investigating CAN Bus in Avionics - Patrick Kiley @ DEF CON 27 Aviation Village (2019)
- CANSPY: Auditing CAN Devices - Jonathan Christofer Demay, Arnaud Lebrun @ DEF CON 24 (2016)
- Cantact: An Open Tool for Automotive Exploitation - Eric Evenchick @ Black Hat Asia (2016)
- canTot A CAN Bus Hacking Framework - Jay Turla @ DEF CON 30 Car Hacking Village (2022)
- Deep Learning on CAN BUS - Jun Li @ DEF CON 24 Car Hacking Village (2016)
- Abusing CAN Bus Spec for DoS in Embedded Systems - Martin Petran @ DEF CON 31 Car Hacking Village (2023)
- Free-Fall: Hacking Tesla from Wireless to CAN Bus - Ling Liu, Sen Nie & Yuefeng Du @ Black Hat USA (2017)
- Fuzzing CAN / CAN FD ECU's and Network - Samir Bhagwat @ DEF CON 29 Car Hacking Village (2021)
- Hopping on the CAN Bus - Eric Evenchick @ Black Hat USA (2015)
- Self-Driving and Connected Cars: Fooling Sensors and Tracking Drivers - Jonathan Petit @ Black Hat Europe (2015)
Papers
- A Fuzz Testing Methodology for Cyber-security Assurance of the Automotive CAN Bus - Daniel S. Fowler, Coventry University (2019)
Tools
- cantools - Python library to play with CAN databases & messages
- opendbc - A list of CAN databases retrieved from reverse-engineered cars
- python-can - Python library to plug to various CAN connectors
CC-Link IE
Name | CC-Link IE |
---|---|
Alias | CSP+, CC-Link, CC-Link IE TSN, CC-Link IE Control, CC-Link IE Field, CC-Link IE Field Basic |
Description | Industrial Ethernet communication network developed by the CC-Link Partner Association (CLPA) |
Keywords | Mitsubishi, CLPA |
Access | Free |
Specifications | CSP+ specification |
Detailed page | cc-link-ie.md |
Documentations
- CC-Link IE Field Network playlist - Mitsubishi Training
CIP
Name | CIP |
---|---|
Alias | Common Industrial Protocol |
Description | ODVA's protocol suite for industrial automation communication |
Keywords | ODVA, Ethernet/IP, DeviceNet, ControlNet, CompoNet |
Wireshark dissector | packet-cip.c |
Detailed page | cip.md |
Documentations
- Common Industrial Protocol (CIP) - Overview on ODVA.org
- CompoNet - Overview on ODVA.org
- ControlNet - Overview on ODVA.org
- DeviceNet - Overview on ODVA.org
- Ethernet/IP - Overview on ODVA.org
Conferences
- Hunting EtherNet/IP Protocol Stacks - Sharon Brizinov @ SANS ICS Security Summit 2022
CODESYS
Name | CODESYS |
---|---|
Description | Programmable logic controller (PLC) development, communication protocol and runtime environment. |
Port | 1200/tcp |
Detailed page | codesys.md |
Conferences
- Analyzing PIPEDREAM - Challenges in Testing an ICS Attack Toolkit - Jimmy Wylie @ DEF CON 30 (2022)
CSPv4
Name | CSPv4 |
---|---|
Alias | AB CSPv4, AB/Ethernet |
Description | Allen-Bradley's protocol for industrial Ethernet communication |
Keywords | Allen-Bradley, PCCC |
Port | 2222/tcp |
Nmap script(s) | cspv4-info.nse |
Detailed page | cspv4.md |
DeviceNet
Name | DeviceNet |
---|---|
Description | CAN-based industrial automation network for device-level communication |
Keywords | CAN, CIP |
Wireshark dissector | packet-devicenet.c |
Detailed page | devicenet.md |
Documentations
- Common Industrial Protocol (CIP) and the family of CIP networks - ODVA publication (2016)
- DeviceNet - Overview on ODVA.org
Articles
- DeviceNet and Ethernet/IP - Blog post on RTAutomation
DF1
Name | DF1 |
---|---|
Alias | DF-1 |
Description | Allen-Bradley serial communication protocol for industrial automation devices |
Keywords | PCCC, Allen-Bradley |
Access | Free |
Specifications | DF1 specification |
Detailed page | df1.md |
Articles
- AB/DF1 Protocol Tips - Lynn's Industrial Automation Protocol Tips blog
Tools
- abdf1 - AB DF1 Protocol RS232 driver for Micrologix, SLC500, PLC 5
- Df1 - Df1 protocol for Allen-Bradley PLC
DICOM
Name | DICOM |
---|---|
Alias | DCM |
Description | Communication and management of medical imaging information |
Keywords | Radiography, Medical |
Port | 104/tcp |
Access | Free |
Specifications | DICOM Standard |
Nmap script(s) | dicom-ping.nse |
Wireshark dissector | packet-dcm.c |
Detailed page | dicom.md |
Conferences
- I Am Not a Doctor but I Play One on Your Network - Tim Elrod & Stefan Morris @ DEF CON 19 (2011)
Tools
- DCMTK - DICOM ToolKit
- dicom-server - Microsoft's OSS Implementation of DICOMweb standard
- pydicom - Python package to read, modify and write DICOM files
DNP3
Name | DNP3 |
---|---|
Alias | Distributed Network Protocol |
Description | Industrial communication protocol for remote monitoring and control of automation systems |
Keywords | Power grid, Water |
Port | 20000/tcp, 20000/udp |
Access | Paid |
Specifications | IEEE 1815-2012 |
Security | Optional authentication, optional encryption with TLS |
Nmap script(s) | dnp3-info.nse |
Wireshark dissector | packet-dnp.c |
Example Pcap(s) | ICS-pcap DNP3 |
Detailed page | dnp3.md |
Conferences
- NSM 101 for ICS - Chris Sistrunk @ DEF CON 23 101 Track (2015)
- SCADA Protocol Implementation Considerations | SANS ICS Concepts - @ SANS ICS Security (2022)
- Sniffing SCADA - Karl Koscher @ DEF CON 23 Packet Capture Village (2015)
- Unraveling SCADA Protocols Using Sulley Fuzzer - Ganesh Devarajan @ DEF CON 15 (2014)
Tools
- dnp-info - Nmap discovery script for DNP3
- dnp3-simulator - .NET DNP3 simulator with GUI
- FreyrSCADA DNP3 - DNP3 Protocol - Outstation Server and Client Master Simulator
- gec/dnp3 - Open source Distributed Network Protocol
- gec/dnp3slavesim - Parallel dnp3 slave simulator
- opendnp3 - DNP3 (IEEE-1815) protocol stack. Modern C++ with bindings for .NET and Java
- Step Function I/O DNP3 - Rust implementation of DNP3 (IEEE 1815) with idiomatic bindings for C, .NET, C++, and Java
Ether-S-I/O
Name | Ether-S-I/O |
---|---|
Alias | EtherSIO, ESIO |
Description | Proprietary protocol for Saia PCD controller I/O communication |
Keywords | SAIA |
Port | 6060/udp |
Wireshark dissector | packet-esio.c |
Example Pcap(s) | ICS-pcap Ether-S-I/O |
Detailed page | ether-s-io.md |
EtherCAT
Name | EtherCAT |
---|---|
Alias | ECATF, ECAT |
Description | Real-time industrial Ethernet communication protocol for automation systems |
Port | 34980/udp |
Scapy layer | ethercat.py |
Example Pcap(s) | ICS-pcap EtherCAT |
Detailed page | ethercat.md |
Articles
- Industrial Network Options: EtherCAT Advantages, Challenges, and Specs - Carlos Aguilar, Control Automation (2023)
Ethernet/IP
Name | Ethernet/IP |
---|---|
Alias | Enip |
Description | Ethernet-based industrial communication protocol for industrial automation systems |
Keywords | CIP |
Port | 44818/tcp, 2222/udp |
Access | Paid |
Specifications | Ethernet/IP Specifications |
Nmap script(s) | enip-info.nse, enip-enumerate.nse |
Wireshark dissector | packet-enip.c |
Scapy layer | enipTCP.py |
Example Pcap(s) | ICS-pcap Ethernet/IP, ICS-pcap EIP |
Detailed page | ethernetip.md |
Documentations
- Common Industrial Protocol (CIP) and the family of CIP networks - ODVA publication (2016)
- Ethernet/IP - Overview on ODVA.org
Articles
- Fuzzing and PR’ing: How We Found Bugs in a Popular Third-Party EtherNet/IP Protocol Stack - Sharon Brizinov, Tal Keren (Claroty, 2021)
Conferences
- Hunting EtherNet/IP Protocol Stacks - Sharon Brizinov @ SANS ICS Security Summit 2022
Tools
- CIPster - Ethernet/IP (Common Industrial Protocol) stack in C++
- cpppo - Communications Protocol Python Parser and Originator -- EtherNet/IP CIP
- enip-stack-detector - EtherNet/IP & CIP Stack Detector
- OpENer - EtherNet/IP stack for I/O adapter devices
- pycomm3 - A Python Ethernet/IP library for communicating with Allen-Bradley PLCs
- scapy-cip-enip - Ethernet/IP dissectors for Scapy
ETP
Name | ETP |
---|---|
Description | Energistics' protocol for interoperable oil and gas data exchange |
Keywords | Energistics |
Detailed page | etp.md |
FF-HSE
Name | FF-HSE |
---|---|
Alias | Foundation Fieldbus HSE, FF |
Description | Ethernet-based communication for industrial process automation devices |
Port | 1089/tcp, 1090/tcp, 1091/tcp, 1089/udp, 1090/udp, 1091/udp |
Wireshark dissector | packet-ff.c |
Detailed page | ff-hse.md |
FINS
Name | FINS |
---|---|
Alias | OMRON |
Description | Omron's industrial communication protocol for automation systems |
Port | 9600/udp |
Nmap script(s) | omrontcp-info.nse, omronudp-info.nse |
Wireshark dissector | packet-omron-fins.c |
Detailed page | fins.md |
Conferences
- Analyzing PIPEDREAM - Challenges in Testing an ICS Attack Toolkit - Jimmy Wylie @ DEF CON 30 (2022)
FL-net
Name | FL-net |
---|---|
Alias | Factory LAN, OPCN-2 |
Description | Japan Electrical Manufacturers' Association's industrial-use open network |
Keywords | JEMA |
Port | 55000/udp, 55001/udp, 55002/udp, 55003/udp |
Access | Free |
Specifications | FL-net specification |
Detailed page | fl-net.md |
GE-SRTP
Name | GE-SRTP |
---|---|
Description | General Electric's protocol for communication between GE devices and SCADA |
Port | 18245/tcp |
Detailed page | ge-srtp.md |
HART-IP
Name | HART-IP |
---|---|
Alias | HART, WirelessHART |
Description | IP-based communication protocol for HART (ICS) data transmission |
Wireshark dissector | packet-hartip.c |
Example Pcap(s) | ICS-pcap HART-IP |
Detailed page | hart-ip.md |
Articles
- WirelessHART Radio Communication Standard - Lessons in Industrial Automation textbook, Control Automation
Conferences
- Dissecting Industrial Wireless Implementations - Blake Johnson @ DEF CON 25 ICS Village (2017)
- DTM Components: Shadow Keys to the ICS Kingdom - Alexander Bolshev and Gleb Cherbov @ Black Hat Europe (2014)
- ICSCorsair: How I Will PWN Your ERP Through 4-20 mA Current Loop - Alexander Bolshev and Gleb Cherbov @ Black Hat USA (2014)
- It WISNt Me Attacking Industrial Wireless Mesh Networks - Paternotte and van Ommeren @ DEF CON 25 (2018)
HICP
Name | HICP |
---|---|
Alias | SHICP |
Description | HMS IP Configuration Protocol |
Keywords | Anybus |
Port | 3250/udp |
Wireshark dissector | packet-hicp.c, packet-shicp.c |
Scapy layer | hicp.py |
Detailed page | hicp.md |
HL7
Name | HL7 |
---|---|
Description | Standard for healthcare data exchange and interoperability |
Wireshark dissector | packet-hl7.c |
Detailed page | hl7.md |
Conferences
- HL7Magic Medical Data Hacking Made Easy - Katie Inns @ DEF CON 31 (2023)
- I Am Not a Doctor but I Play One on Your Network - Tim Elrod & Stefan Morris @ DEF CON 19 (2011)
- Pestilential Protocol: How Unsecure HL7 Messages Threaten Patient Lives - Christian Dameff, Jeffrey Tully & Maxwell Bland @ Black Hat USA (2018)
- Playing with FHIR - Alissa Knight, Mitch Parker @ DEF CON 29 Biohacking Village (2021)
- Understanding HL7 2.X Standards, Pen Testing, and Defending HL7 2.X Messages - Anirudh Duggal @ Black Hat USA (2016)
ICCP
Name | ICCP |
---|---|
Alias | IEC 60870-6, TASE.2 |
Description | Real-time data exchange between power system control centers |
Keywords | Power |
Port | 102/tcp |
Access | Paid |
Specifications | ICCP (TASE.2) specification |
Detailed page | iccp.md |
Conferences
- Unraveling SCADA Protocols Using Sulley Fuzzer - Ganesh Devarajan @ DEF CON 15 (2014)
IEC-60870-5-104
Name | IEC-60870-5-104 |
---|---|
Alias | IEC-104 |
Description | Grid communication protocol for control and monitoring |
Port | 2404/tcp |
Access | Paid |
Specifications | IEC-60870-5-104 Specification |
Nmap script(s) | iec-identify.nse |
Wireshark dissector | packet-iec104.c |
Scapy layer | iec104.py |
Example Pcap(s) | ICS-pcap IEC-60870-5-104, Industroyer2 pcap samples |
Detailed page | iec-60870-5-104.md |
Conferences
- Industroyer/Crashoverride: Zero Things Cool About a Threat Group Targeting the Power Grid - Anton Cherepanov, Ben Miller, Joe Slowik, Robert Lee, and Robert Lipovsky @ Black Hat USA (2017)
- Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid Again - Robert Lipovsky & Anton Cherepanov @ Black Hat USA (2022)
Papers
- Description and analysis of IEC 104 Protocol - Technical report by Petr Matousek @ Faculty of Information Technology, Czech Republic (2017)
Tools
- FreyrSCADA IEC-60870-5-104 - IEC 60870-5-104 Protocol - RTU Server and Master Client Simulator
- lib60870 - Implementation of the IEC 60870-5-101/104 protocol
IEC-61850
Name | IEC-61850 |
---|---|
Alias | IEC-61850/GOOSE, IEC-61850/GSSE, IEC-61850/SV |
Description | Communication networks and systems for power utility automation |
Keywords | Power grid |
Access | Paid |
Specifications | IEC 61850 Specification |
Wireshark dissector | packet-goose.c, packet-sv.c |
Detailed page | iec-61850.md |
Conferences
- Fuzz Testing IEC 61850 - Markus Mahrla @ CS3STHLM 2019
Tools
- libiec61850 - Open-source library for the IEC 61850 protocols
IEEE-C37.118
Name | IEEE-C37.118 |
---|---|
Alias | C37.118, Synchrophasor, Synphasor |
Description | Standard for synchrophasor data exchange in power systems |
Keywords | Power |
Wireshark dissector | packet-synphasor.c |
Detailed page | ieee-c37118.md |
Tools
- OpenPDC - Open Source Phasor Data Concentrator
- PyMU - Library based on the C37.118.2-2011 standard used for accessing PMU data in real-time
ISA100.11a
Name | ISA100.11a |
---|---|
Description | Wireless standard for industrial automation and control systems |
Detailed page | isa10011a.md |
Conferences
- It WISNt Me Attacking Industrial Wireless Mesh Networks - Paternotte and van Ommeren @ DEF CON 25 (2018)
KNXnet/IP
Name | KNXnet/IP |
---|---|
Alias | KNX, KNX/IP, Konnex |
Description | Protocol for home and building automation systems |
Keywords | BMS, BAS, Building |
Port | 3671/udp |
Access | Free |
Specifications | KNXnet/IP Specifications |
Security | Optional, Security extensions available |
Nmap script(s) | knx-gateway-discover.nse, knx-gateway-info.nse |
Wireshark dissector | packet-knxip.c |
Scapy layer | knx.py |
Detailed page | knxnetip.md |
Documentations
- knx.org - KNX official website
Conferences
- (in)Security in Building Automation: How to Create Dark Buildings with Light Speed - Thomas Brandstetter @ Black Hat USA (2017)
- InSecurity in Building Automation - Thomas Brandstetter @ DEF CON 25 ICS Village (2017)
- Learn how to control every room at a luxury hotel remotely - Jesus Molina @ DEF CON 22 (2015)
- Learn How to Control Every Room at a Luxury Hotel Remotely - Jesus Nomeames @ Black Hat USA (2014)
- Sneak into buildings with KNXnet/IP - Claire Vacherot @ DEF CON 29 (2021)
- Unpwning A Building - Peter Panholzer @ S4x22 (2022)
Papers
- An Overview of Wireless IoT Protocol Security in the Smart Home Domain - Stefan Marksteiner, Víctor Juan Expósito Jiménez, Heribert Vallant, Herwig Zeiner (2018)
Tools
- BOF - Testing framework for industrial protocols
- calimero - Lightweight KNX/IP framework in Java
- ETS - Engineering Tool Software for KNXnet/IP (ETS Demo is free)
- KNX Virtual - Windows-based application simulating a KNX installation
- knxd - KNXd service
- KNXmap - KNXnet/IP scanning and auditing tool
- XKNX - A KNX library written in Python
LIS
Name | LIS |
---|---|
Alias | LIS01-A2, LIS02-A2 |
Description | Protocol to transfer messages between clinical laboratory instruments and computer systems. |
Keywords | CLSI, Healthcare, Medical |
Port | 1520 |
Access | Paid |
Specifications | CLSI LIS01-A1 Specifications |
Detailed page | lis.md |
LoRaWAN
Name | LoRaWAN |
---|---|
Alias | LoRa |
Description | Long-range IoT communication protocol with low power requirements |
Keywords | Wireless |
Access | Free |
Specifications | LoRaWAN specification |
Wireshark dissector | packet-lorawan.c |
Detailed page | lorawan.md |
Conferences
- Can you hear me now DEF CON - wasabi @ DEF CON 26 Wireless Village (2018)
- Lora Smart Water Meter Security Analysis - Zeng and Panel @ DEF CON 26 (2018)
- Outsmarting the Smart City - Daniel Crowley, Jennifer Savage and Mauro Paredes @ Black Hat USA (2018)
- Reversing LoRa Deconstructing a Next Gen Proprietary LP - Matt Knight @ DEF CON 24 Wireless Village (2016)
Tools
- ChirpOTLE - LoRaWAN Security Evaluation Framework
- ChirpStack Network Server - Open-source LoRaWAN network-server
- lorawan-server - Compact server for private LoRaWAN networks
- lorawan-stack - Open Source LoRaWAN Network Server
M-Bus
Name | M-Bus |
---|---|
Alias | Meter-Bus, EN13757 |
Description | Communication protocol for utility metering devices |
Access | The old specification is free, not the current one |
Specifications | M-Bus specification |
Detailed page | m-bus.md |
MELSEC
Name | MELSEC |
---|---|
Alias | MEL-SEC |
Description | Communication protocol for Mitsubishi Electric's MELSEC series of PLCs |
Keywords | Mitsubishi, MELSOFT |
Detailed page | melsec.md |
Conferences
- Taking Apart and Taking Over ICS & SCADA Ecosystems - Mars Cheng & Selmon Yang @ DEF CON 29 (2021)
Modbus
Name | Modbus |
---|---|
Alias | Modbus TCP |
Description | Widely used industrial communication protocol |
Port | 502/tcp |
Specifications | Modbus TCP Specification |
Nmap script(s) | modbus-discover.nse, modicon-info.nse |
Wireshark dissector | packet-mbtcp.c |
Scapy layer | modbus.py |
Example Pcap(s) | ICS-pcap Modbus |
Detailed page | modbus.md |
Articles
- Articles about Modbus - Ozeki
- Introduction to Modbus and Modbus Function Codes - Shawn Dietrich, Control Automation (2023)
Conferences
- Analyzing PIPEDREAM - Challenges in Testing an ICS Attack Toolkit - Jimmy Wylie @ DEF CON 30 (2022)
- Fun with Modbus 0x5a Nothing New Still Relevant? - Arnaud Soullié @ DEF CON 25 ICS Village (2017)
- Industrial Control Systems: Pentesting PLCs 101 (Part 1/2) - Arnaud Soullie @ Black Hat Europe (2014)
- Industrial Control Systems: Pentesting PLCs 101 (Part 2/2) - Arnaud Soullie @ Black Hat Europe (2014)
- Industrial Protocol Gateways Under Analysis - Marco Balduzzi @ Black Hat USA (2020)
- Modbus Enumeration | SANS ICS Concepts - @ SANS ICS Security (2021)
- Modbus Man-In-The-Middle | SANS ICS Concepts - @ SANS ICS Security (2021)
- ModScan: A SCADA MODBUS Network Scanner - Mark Bristow @ DEF CON 16 (2013)
- Out of Control: Demonstrating SCADA device exploitation - Eric Forner & Brian Meixell @ Black Hat USA (2013)
- The SCADA That Didn't Cry Wolf - Who's Really Attacking Your ICS Devices - Kyle Wilhoit @ Black Hat USA (2013)
- Understanding SCADA's Modbus Protocol - Justin Searle @ Black Hat Asia (2015)
- Unraveling SCADA Protocols Using Sulley Fuzzer - Ganesh Devarajan @ DEF CON 15 (2014)
Tools
- ctmodbus - A tool to interact with the Modbus protocol
- Malmod - Scripts to attack Modicon M340 via UMAS
- PyModbus - A full modbus protocol written in python
MQTT
Name | MQTT |
---|---|
Description | Publish-subscribe network protocol for message queues |
Keywords | Telemetry |
Nmap script(s) | mqtt-subscribe.nse |
Wireshark dissector | packet-mqtt.c |
Scapy layer | mqtt.py |
Detailed page | mqtt.md |
Articles
- Not Just Another IIoT Article: MQTT for Pneumatic Cylinder Maintenance - Shawn Dietrich, Control Automation (2023)
Conferences
- Choo Choo, Network Train - The One to Rule Your Perimeter - Martin Hron @ Black Hat Europe (2022)
- Light Weight Protocol: Critical Implications - Lucas Lundgren, Neal Hindocha @ DEF CON 24 (2016)
- When Machines Can't Talk - Federico Maggi & Davide Quarta @ Black Hat Europe (2018)
Niagara Fox
Name | Niagara Fox |
---|---|
Alias | Fox |
Description | Communication protocol used by Tridium Niagara devices |
Keywords | Tridium |
Port | 1911/tcp, 3011/tcp, 4911/tcp, 5011/tcp |
Nmap script(s) | fox-info.nse |
Detailed page | niagara-fox.md |
Tools
- foxdissector - Wireshark dissector for the Niagara Fox protocol in Lua
OPC-DA
Name | OPC-DA |
---|---|
Alias | OPCDA |
Description | Legacy protocol for real-time data exchange in industrial systems |
Scapy layer | opc_da.py |
Detailed page | opc-da.md |
Papers
- Exploring the OPC attack surface - Claroty Team82 (2021)
Tools
- OPC Data Access IDAPython script - IDA Pro script to reverse engineer binaries containing OPC DA (ESET)
OPC-UA
Name | OPC-UA |
---|---|
Alias | OPCUA |
Description | Open communication standard for industrial automation and control |
Port | 4840/tcp, 4840/udp, 4843/tcp (TLS) |
Wireshark dissector | OPC-UA Plugin |
Detailed page | opc-ua.md |
Articles
- OPC UA Deep Dive (Part 1): History of the OPC UA Protocol - Claroty Team82 (2023)
- OPC UA Deep Dive (Part 2): What is OPC UA? - Claroty Team82 (2023)
- OPC UA Deep Dive (Part 3): Exploring the OPC UA Protocol - Claroty Team82 (2023)
- OPC UA Deep Dive Series (Part 4): Targeting Core OPC UA Components - Claroty Team82 (2023)
- OPC UA Deep Dive Series (Part 5): Inside Team82’s Research Methodology - Claroty Team82 (2023)
- Practical example of fuzzing OPC UA applications - Kaspersky ICS-CERT (2020)
- Understanding the OPC Unified Architecture (OPC UA) Protocol - Anthony King Ho, Control Automation (2023)
Conferences
- A Broken Chain: Discovering OPC UA Attack Surface and Exploiting the Supply Chain - Eran Jacob @ Black Hat USA (2021)
- Analyzing PIPEDREAM - Challenges in Testing an ICS Attack Toolkit - Jimmy Wylie @ DEF CON 30 (2022)
- Exploiting OPC UA - Practical Attacks Against OPC UA Architectures - Sharon Brizinov, Noam Moshe @ DEF CON 31 (2023)
- Resting on Feet of Clay: Securely Bootstrapping OPC UA Deployments - Alessandro Erba & Nils Ole Tippenhauer @ Black Hat Europe (2021)
Papers
- Exploring the OPC attack surface - Claroty Team82 (2021)
- OPC UA Security Analysis - German Federal office for Information Security (2022)
- Security Analysis of Vendor Implementations of the OPC UA Protocol for Industrial Control Systems - Alessandro Erba, Anne Müller, Nils Ole Tippenhauer (2021)
Tools
- freeopcua - Open Source C++ OPC-UA Server and Client Library
- OpalOPC - OPC UA vulnerability and misconfiguration scanner
- opcua-client-gui - Simple OPC-UA GUI client
- python-opcua - OPC UA Client and Server in Python
- UA-.NETStandard - Official OPC UA .NET Standard Stack from the OPC Foundation
PC-WORX
Name | PC-WORX |
---|---|
Description | Software suite with proprietary protocol for Phoenix Contact PLCs |
Keywords | Phoenix Contact |
Port | 1962/tcp |
Nmap script(s) | pcworx-info.nse |
Detailed page | pc-worx.md |
PCCC
Name | PCCC |
---|---|
Alias | AB/PCCC |
Description | Legacy command/response protocol for Allen-Bradley PLC communication |
Keywords | Allen-Bradley |
Detailed page | pccc.md |
Articles
- AB/PCCC Protocol Tips - Lynn's Industrial Automation Protocol Tips blog
- Ethernet/IP PCCC Service Codes - Lynn's Industrial protocols over IP blog
POWERLINK
Name | POWERLINK |
---|---|
Alias | Ethernet PowerLink, EPL |
Description | Real-time Ethernet protocol for industrial automation and control |
Port | Ethernet |
Wireshark dissector | packet-epl.c |
Detailed page | powerlink.md |
Articles
- Quick Start - POWERLINK on Raspberry Pi2 - Kalycito, 2018 (Web Archive, domain expired)
Tools
- openCONFIGURATOR - Open-source POWERLINK network configuration toolkit
- openPOWERLINK - Open-source POWERLINK protocol stack
- openPOWERLINK_V2 - GitHub page to openPOWERLINK protocol stack release 2
ProConOs
Name | ProConOs |
---|---|
Description | Real-time operating system with proprietary protocol for industrial automation and control |
Port | 20547/tcp |
Nmap script(s) | proconos-info.nse |
Detailed page | proconos.md |
Profinet-DCP
Name | Profinet-DCP |
---|---|
Alias | PNDCP |
Description | Device identification, configuration, and network management protocol |
Port | Ethernet |
Scapy layer | pnio_dcp.py |
Detailed page | profinet-dcp.md |
Profinet-IO
Name | Profinet-IO |
---|---|
Alias | PNIO |
Description | Real-time communication between controllers and I/O devices |
Port | 34962/udp, 34963/udp, 34964/udp |
Scapy layer | pnio.py |
Detailed page | profinet-io.md |
Articles
- What Is the Difference Between Profibus and Profinet? - Antonio Armenta, Control Automation (2021)
S-Bus
Name | S-Bus |
---|---|
Alias | Ether-S-Bus, SAIA S-Bus |
Description | SAIA's communication protocol for building automation |
Keywords | SAIA |
Access | Free |
Wireshark dissector | packet-sbus.c |
Example Pcap(s) | ICS-pcap Ether-S-Bus |
Detailed page | s-bus.md |
S7comm
Name | S7comm |
---|---|
Alias | S7, S7commPlus |
Description | Communication protocol for Siemens S7 PLCs |
Port | 102/tcp |
Nmap script(s) | s7-info.nse, s7-enumerate.nse |
Wireshark dissector | packet-s7comm.c |
Example Pcap(s) | ICS-pcap S7 |
Detailed page | s7comm.md |
Articles
- The Siemens S7 Communication - Part 1 General Structure - On GyM's Personal Blog (2016)
- The Siemens S7 Communication - Part 2 Job Requests and Ack Data - On GyM's Personal Blog (2017)
Conferences
- Fuzzing and Breaking Security Functions of SIMATIC PLCs - Gao Jian @ Black Hat Europe (2022)
- PLC-Blaster: A worm Living Solely In The PLC - Ralf Spenneberg, Maik Brueggemann & Hendrik Schwartke @ Black Hat Asia (2016)
- Rogue7: Rogue Engineering-Station Attacks on S7 Simatic PLCs - Uriel Malin, Sara Bitan, Avishai Wool and Eli Biham @ Black Hat USA (2019)
- The spear to break the security wall of S7CommPlus - Cheng Lei @ DEF CON 25 (2017)
Tools
- python-snap7 - A Python wrapper for the snap7 PLC communication library
- s7-pcaps - Traffic captures between STEP7/WinCC and S7-300/S7-400 PLCs
- s7scan - Scan networks to gather basic information about Siemens PLCs
- Snap7 - Step7 Open Source Ethernet Communication Suite
SECS/GEM
Name | SECS/GEM |
---|---|
Alias | SECS, SECS-I, SECS-II, HSMS |
Description | Semiconductor equipment communication standard with generic equipment model |
Keywords | Semiconductor, MES |
Port | 5000/tcp (HSMS) |
Detailed page | secsgem.md |
SERCOS-III
Name | SERCOS-III |
---|---|
Alias | SERCOS |
Description | IEC standard universal bus for Ethernet-based real-time communication |
Wireshark dissector | packet-sercosiii.c |
Detailed page | sercos-iii.md |
SLMP
Name | SLMP |
---|---|
Alias | Seamless Message Protocol |
Description | CC-Link's messaging protocol for industrial automation communication |
Keywords | Mitsubishi, CC-Link, CLPA |
Access | Free |
Specifications | SLMP specification |
Detailed page | slmp.md |
Tools
- PySLMPClient - Python client for SLMP
SOME/IP
Name | SOME/IP |
---|---|
Description | Automotive Ethernet protocol for ECU communication over IP networks |
Keywords | Automotive, ECU |
Port | 30490 |
Wireshark dissector | packet-someip.c |
Detailed page | someip.md |
Documentations
- SOME-IP.com - Main website with resources about SOME/IP
Conferences
- Automotive Ethernet Fuzzing - Jonghyuk Song, Soohwan Oh, Woongjo Choi @ DEF CON 30 (2022)
TriStation
Name | TriStation |
---|---|
Alias | Triconex TriStation |
Description | Triconex's proprietary protocol for safety system communication |
Keywords | Triconex, TRITON |
Wireshark dissector | TriStation.lua |
Detailed page | tristation.md |
Articles
- Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure - Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer @ Mandiant (2017, updated 2022)
Conferences
- How TRITON Disrupted Safety Systems & Changed the Threat Landscape of Industrial Control Systems - Andrea Carcano, Marina Krotofil & Younes Dragoni @ Black Hat USA (2018)
- Thru the Eyes of the Attacker Designing Embedded Systems for ICS - Krotofil, Wetzels @ DEF CON 26 (2018)
Tools
- tricotools - Triconex TriStation utilities and tools
TSAA
Name | TSAA |
---|---|
Description | Messaging protocol to read and write data to Triconex controllers |
Keywords | Triconex |
Detailed page | tsaa.md |
Documentations
- Triconex System Access Application (TSAA) playlist - What Did You Learn Today (2021)
UMAS
Name | UMAS |
---|---|
Description | Schneider Electric's proprietary protocol for communication systems |
Nmap script(s) | modicon-info.nse |
Wireshark dissector | modbus-umas-schneider.lua |
Detailed page | umas.md |
Articles
- Reverse of a schneider network protocol - biero llagas (2022)
- The secrets of Schneider Electric’s UMAS protocol - Kaspersky ICS CERT (2022)
- The Unity (UMAS) protocol (Part I) - Liras en la red (2017)
- The Unity (UMAS) protocol (Part II) - Liras en la red (2017)
- The Unity (UMAS) protocol (Part III) - Liras en la red (2017)
- The Unity (UMAS) protocol (Part IV) - Liras en la red (2017)
- The Unity (UMAS) protocol (Part V) - Liras en la red (2017)
Tools
- Malmod - Scripts to attack Modicon M340 via UMAS
WITS
Name | WITS |
---|---|
Alias | WITS0, WITSML |
Description | Real-time drilling data transfer standard in oil and gas |
Keywords | Wellsite, Drilling, Geology |
Detailed page | wits.md |
ZigBee
Name | ZigBee |
---|---|
Alias | ZBee |
Description | Wireless communication protocol for low-power IoT devices. |
Wireshark dissector | packet-zbee-nwk.c |
Scapy layer | zigbee.py |
Detailed page | zigbee.md |
Conferences
- A Lightbulb Worm? - Colin O'Flynn @ Black Hat USA (2016)
- Don't Be Silly It's Only a Lightbulb - Eyal Itkin @ DEF CON Safe Mode (2020)
- Exploring the 802.15.4 Attack Surface - FAZ @ DEF CON 26 Wireless Village (2018)
- I'm A Newbie Yet I Can Hack ZigBee - Qing Yang @ DEF CON 23 (2015)
- ZigBee Exploited The Good, The Bad, And The Ugly - Tobias Zillner & Sebastian Strobl @ Black Hat USA (2015)
Papers
- An Overview of Wireless IoT Protocol Security in the Smart Home Domain - Stefan Marksteiner, Víctor Juan Expósito Jiménez, Heribert Vallant, Herwig Zeiner (2018)
Tools
- KillerBee - IEEE 802.15.4/ZigBee Security Research Toolkit
- Mirage - Framework dedicated to the security analysis of wireless communications
All unreviewed AI-generated data is marked with *.
AI is used as a search engine with an extra step. It is never used to find resources because it does not find them, it invents them. More details here.
awesome-industrial-protocols is licensed under CC0. Turn/IP is licensed under GPL-v3.