Pentesting ICS (DNP3)

What is DNP3?

DNP3 Simulators

C++: Docs:

Use --recursive when cloning:

git clone --recursive


DNP3 Identification:

  1. Shodanhq dork: port:20000
  2. Using nmap with the script dnp3-info.nse
# Add script to nmap directory
$ sudo mv dnp3-info.nse /usr/share/nmap/scripts/

# Update nmap db
$ sudo nmap --script-updatedb

# Start scanner (DNP3 over TCP normally listens on port 20000)
$ nmap -p 20000 --script=dnp3-info <target>
  3. Once you have identified the host, use DNP3_RAW, my C client for interacting with devices with DNP3 enabled 🙂
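To see what an identification probe actually has to get right, here is the DNP3 link-layer framing in Python. This is an added example, not code from the original page or from DNP3_RAW: it builds the Request Link Status frame a master sends, parses the outstation's reply, and checks the CRC-16/DNP on the header and on every user-data block, which is what separates a real DNP3 endpoint from some other service that happens to sit on TCP/20000. The addresses (outstation 1, master 1024), the probe target and the sample reply are constructed for illustration.

```python
"""DNP3 link-layer framing: build a link-layer request, parse and CRC-check a reply.

Added example, not code from the original page or from DNP3_RAW. Addresses,
the probe target and the sample reply are constructed for illustration.
"""
import socket
import struct

DNP3_START = b"\x05\x64"       # fixed start octets of every link-layer frame
CRC_POLY_REFLECTED = 0xA6BC    # CRC-16/DNP polynomial 0x3D65, bit-reversed for LSB-first arithmetic
FC_RESET_LINK_STATES = 0       # primary (request) function codes
FC_REQUEST_LINK_STATUS = 9
FC_LINK_STATUS = 11            # secondary (reply) function code answering a link status request


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected, init 0, result ones'-complemented (check value for '123456789' is 0xEA82)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def control_octet(primary: bool, fc: int, from_master: bool = True, fcv: bool = False) -> int:
    """Control octet layout: DIR | PRM | FCB | FCV (or DFC) | 4-bit function code. FCB is left clear."""
    return (from_master << 7) | (primary << 6) | (fcv << 4) | (fc & 0x0F)


def build_link_frame(ctrl: int, dest: int, src: int, payload: bytes = b"") -> bytes:
    """Header (start, length, control, dest, src) + CRC, then 16-octet user-data blocks, each with its own CRC.
    LENGTH counts control, dest, src and user data only, so an empty frame has LENGTH 5."""
    header = DNP3_START + struct.pack("<BBHH", 5 + len(payload), ctrl, dest, src)
    frame = header + struct.pack("<H", crc_dnp(header))      # CRC is sent least-significant octet first
    for i in range(0, len(payload), 16):
        block = payload[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def parse_link_frame(data: bytes) -> dict:
    """Validate the start octets and every CRC; raise ValueError for anything that is not well-formed DNP3."""
    if len(data) < 10 or data[:2] != DNP3_START:
        raise ValueError("no 0x0564 start octets")
    if crc_dnp(data[:8]) != struct.unpack_from("<H", data, 8)[0]:
        raise ValueError("header CRC mismatch")
    length, ctrl, dest, src = struct.unpack_from("<BBHH", data, 2)
    if length < 5:
        raise ValueError("LENGTH below the 5-octet minimum")
    payload, pos, remaining = b"", 10, length - 5
    while remaining:
        n = min(16, remaining)
        block = data[pos:pos + n]
        if len(data) < pos + n + 2 or crc_dnp(block) != struct.unpack_from("<H", data, pos + n)[0]:
            raise ValueError("user-data block truncated or CRC mismatch")
        payload += block
        pos, remaining = pos + n + 2, remaining - n
    return {"dir": (ctrl >> 7) & 1, "prm": (ctrl >> 6) & 1, "fc": ctrl & 0x0F,
            "dest": dest, "src": src, "payload": payload}


def is_dnp3_frame(data: bytes) -> bool:
    """Scanner decision: only data with correct start octets and correct CRCs counts as DNP3."""
    try:
        parse_link_frame(data)
        return True
    except ValueError:
        return False


def probe_dnp3(host: str, port: int = 20000, dest: int = 1, src: int = 1024, timeout: float = 3.0):
    """Send Request Link Status to (host, port) and return the parsed reply, or None if it is not DNP3.
    Needs network access; the addresses are assumptions and usually have to be varied per outstation."""
    ctrl = control_octet(primary=True, fc=FC_REQUEST_LINK_STATUS)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_link_frame(ctrl, dest, src))
        reply = s.recv(292)        # 292 octets is the largest possible link-layer frame
    return parse_link_frame(reply) if is_dnp3_frame(reply) else None


if __name__ == "__main__":
    # Master at address 1024 asks outstation 1 for its link status; the constructed reply is LINK_STATUS.
    request = build_link_frame(control_octet(True, FC_REQUEST_LINK_STATUS), dest=1, src=1024)
    reply = build_link_frame(control_octet(False, FC_LINK_STATUS, from_master=False), dest=1024, src=1)
    print("request:", request.hex(" "))
    print("reply:  ", parse_link_frame(reply))
```

Two practical points fall out of this: a probe has to carry a plausible destination address, because an outstation normally ignores frames not addressed to it, so a scanner ends up iterating over addresses; and a response is only evidence of DNP3 if its CRCs check, since the 0x0564 start octets alone are easy to hit by accident in other protocols' traffic.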

Exploit and stuff:

MiTM, packet replay? To be continued…




