Skip to content
This repository has been archived by the owner on Apr 25, 2024. It is now read-only.

Latest commit

 

History

History
83 lines (66 loc) · 3.89 KB

s7comm_scan.zh-cn.md

File metadata and controls

83 lines (66 loc) · 3.89 KB

S7comm Scan

使用 S7comm Scan module

root@kali:~/Desktop/temp/isf# python isf.py

  _____ _____  _____ _____ _____  _      ____ _____ _______
 |_   _/ ____|/ ____/ ____|  __ \| |    / __ \_   _|__   __|
   | || |    | (___| (___ | |__) | |   | |  | || |    | |
   | || |     \___ \\___ \|  ___/| |   | |  | || |    | |
  _| || |____ ____) |___) | |    | |___| |__| || |_   | |
 |_____\_____|_____/_____/|_|    |______\____/_____|  |_|


                ICS Exploitation Framework

Note     : ICSSPOLIT is fork from routersploit at
           https://github.com/reverse-shell/routersploit
Dev Team : wenzhe zhu(dark-lbp)
Version  : 0.1.0

Exploits: 6 Scanners: 3 Creds: 13

ICS Exploits:
    PLC: 6          ICS Switch: 0
    Software: 0

isf >
isf > search scanner
scanners/profinet_dcp_scan
scanners/s7comm_scan
scanners/vxworks_6_scan
isf > use scanners/s7comm_scan
isf (S7comm PLC Scan) >

设置目标参数

isf (S7comm PLC Scan) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   target                          string for hosts as nmap use it 'scanme.nmap.org' or '198.116.0-255.1-127' or '216.163.128.20/20'
   port       102                  S7comm port, default is 102/TCP


Module options:

   Name         Current settings     Description
   ----         ----------------     -----------
   min_slot     2                    Minimum PLC Slot number for scan, default is 2, set to 4 if you want start with slot 4
   min_rack     0                    Minimum PLC Rack number for scan, default is 0, set to 1 if you want start with rack 1
   max_rack     0                    Maximum PLC Rack number for scan, default is 0, set to 1 if you want scan up to rack 1
   max_slot     5                    Maximum PLC Slot number for scan, default is 5, set to 10 if you want scan up to slot 5
   verbose      0                    Scapy verbose level, 0 to 2
   
isf (S7comm PLC Scan) > set target 192.168.1.0/24
[+] {'target': '192.168.1.0/24'}

执行扫描

isf (S7comm PLC Scan) > run
[*] Running module...
[+] Host: 192.168.1.10, port:102 is open
[*] Tring to scan 192.168.1.10 with Rack0/Slot2
[ERROR   ][s7_client.send_receive_packet] [Errno 54] Connection reset by peer
[ERROR   ][s7_client.send_receive_s7_packet] [Errno 54] Connection reset by peer
[ERROR   ][s7_client.send_receive_s7_packet] [Errno 54] Connection reset by peer
[ERROR   ][s7_client.get_target_info] Can't get order code and version from target
[*] Tring to scan 192.168.1.10 with Rack0/Slot3
[*] Tring to scan 192.168.1.10 with Rack0/Slot4
[ERROR   ][s7_client.send_receive_packet] [Errno 54] Connection reset by peer
[ERROR   ][s7_client.send_receive_s7_packet] [Errno 54] Connection reset by peer
[ERROR   ][s7_client.send_receive_s7_packet] [Errno 54] Connection reset by peer
[ERROR   ][s7_client.get_target_info] Can't get order code and version from target
[*] Tring to scan 192.168.1.10 with Rack0/Slot5
[ERROR   ][s7_client.send_receive_packet] [Errno 54] Connection reset by peer
[ERROR   ][s7_client.send_receive_s7_packet] [Errno 54] Connection reset by peer
[ERROR   ][s7_client.send_receive_s7_packet] [Errno 54] Connection reset by peer
[ERROR   ][s7_client.get_target_info] Can't get order code and version from target
[+] Find 1 targets
Order Code           Module Type Name    Firmware Version    Module Name    Serial Number    Rack/Slot    IP Address
-------------------  ------------------  ------------------  -------------  ---------------  -----------  --------------
6ES7 412-2EK06-0AB0  CPU 412-2 PN/DP     V 6.0.3                            SVPF126xxxx      0/3          192.168.1.10