• Stars
    star
    116
  • Rank 303,894 (Top 6 %)
  • Language
    C
  • License
    GNU General Publi...
  • Created over 3 years ago
  • Updated about 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

This repository is focused on cybersecurity in the industrial world. Many industrial communication protocols and equipment is investigated and pentested

ICS and PLC Pentesting and Hacking

This is a cibersecurity repository where several industrial protocols and systems were investigated and pentested. This project was born as a telecommunications engineering final degree project at the Universidad Pontificia de Comillas ICAI by me, Miguel Oleo Blanco. For contacting me, please check the Contact section at the end. You can find examples of the attacks on my YouTube channel.

Protocols

  • S7Comm & S7Comm Plus
  • Profinet & Profibus
  • SCADA
  • ModBus

Tools

  • Kali Linux
  • Wireshark
  • Scapy
  • Python & packages

Modbus

ModBus Logo There are two Packet Replay attacks on these protocol. These two are into the Modbus folder of the repository Modbus Folder. Here you will find two .py files for these attack. On the PacketReplay-Complete.py differs from PacketReplay.py as it crafts a complete Modbus paquet from scratch. The simple PacketReplay.py just focus on crafting the Modbus field over TCP/IP.

For both Python scripts, you will need to import Scapy module with the following command:

Windows Scapy install

pip install --pre scapy[complete]

MacOS Scapy install

pip install --pre scapy[basic]

Then you need to instal Brew packet if you have not already have it:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"

Then you proceed installing Scapy's dependencies using Brew:

$ brew update
$ brew install libpcap

Finally enable it on Scapy:

conf.use_pcap = True

Profinet & Profibus

Profinet & Profibus logos

On this folder you will find several attacks and pcaps for pentesting devices working on these protocols.

  • Discovery.py: This scripts sends a Ethernet packet containing a hex string that acts as a Profinet discovery packet (pn_dcp). You must need to change the hex stream according to the source mac address to your mac address. It is recommended to use Wireshark and filtering by this type of packets. You must need Scapy to run the script.
  • FlashLED.py: This script is similar to the previous one. First you will need to run the Discovery.py in order to get a mac address of any Profinet device. This programm is optimized to blick the status led on a S7-1500 PLC. One you got the mac address, replace it on the hex stream, as well as the origin mac address.
  • PacketReplay-Completo.py: This script is a complete python programm to scann, craft and send profinet packets. You must edit the full code in order to be prepeared to run it.

Snap7 (S7Comm & S7Comm Plus)

Snap7 logo

In this resopitory you will find attacks, documents, and pcaps of both S7Comm protocol and its bigger brother S7Comm+:

  • S7Comm: In this folder you will find multiple Python Scripts that let you read and write data to internal variables of the PLC CPU. On the Test Scripts folder you will find multiple test scripts in which you can base your own developed code. You will find example codes of writing and reading from internal variables and interal databases.

    As an example for developing your own hacking interface, you can see the Read&Write.py which adds iteraction with the user by cli. For a realistic TIA PORTAL project, i used the CyberLabProject.py script.

  • S7Comm-plus: For these protocol you will find two scripts. The pr.py is an example of a simple packet replay and the denial.py is an example of a request overflow that denies the PLC for few seconds. If this last script is continiously being executed, the PLC would be completely denied for that perior of time.

For the attacks of both protocols, you would need to install Snap7 for python with this command:

pip install python-snap7

In addition, you will also need to install the binaries of the protocol into your computer.

Windows install

You just need to install move into your PC the Snap7.dll from Snap7 download

MacOS install

You will need to have Brew cli previously install and then install Snap7 with Brew:

brew install snap7

SCADA

SCADA example

In this section you will find a Python programm with a UI simulating a very simple SCADA system. This UI only have text showing the state of diferent variables and buttons to change its state. The UI is simple but it keeps it all real when it comes to a cyber attack. This SCADA example implements two protocols to make it more realistic. It works at the same time with ModBus and Snap7, with real time reading and writting. In order to attack this SCADA, please reffer to the attacks of each protocol.

For running this app you will need to install diferent Python modules (or create a requirements.txt with the following packages):

pip install python-snap7
pip install pickle-mixin
pip install python-tk
pip install pymodbus

Package

This packages contain all the code and funtionality from the repository on a terminal based GUI. You can find the realeases on the Releases website. It is recommended to download the latest version. Inside this package you will find the requirements.txt that need to be installed before running the main.py, with the following command:

pip install -r requirements.txt

After installing the requirements, you can directly run the main.py and the terminal GUI will guide you throught the different functionalities.

Contact