Introduction
ISF (Industrial Exploitation Framework): It is an exploitation framework written in Python and based on the open source project routersploit. It helps us to test vulnerabilities in multiple programmable logic controller (PLC) and Industrial Control System (ICS) software.
Link :- https://github.com/dark-lbp/isf
Modbus
Modbus is a serial communication protocol which is used to connect industrial electronic devices because it is free and easy to deploy. It has one Master and one or more Slaves. Each slave has a unique 8-bit device address or unit number.
Coils and registers are names for pre-defined variables mapped to memory addresses. A coil is a boolean (bit) variable and a register is an integer variable. There are discrete inputs (read-only boolean), coils (read-write boolean), input registers (read-only integer), and holding registers (read-write integer).
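The unit id and the function code that follows it are all a network monitor needs to tell a read of coils or registers from a write that changes PLC state, and Modbus itself offers no authentication to stop either. The following is an added example, not code from this page or from the ISF project: it decodes the MBAP header of Modbus/TCP frames and raises an alert for write-class function codes that come from a host outside an allow-list of known masters. The hosts, the allow-list and the sample frames are constructed for the example.

```python
import struct

# Modbus function codes that change PLC state. Reads (1-4) and diagnostics are
# left alone; only these trigger an alert when they come from an unexpected host.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


def decode_modbus_tcp(payload):
    """Decode the MBAP header of a Modbus/TCP ADU.

    Returns (unit_id, function_code), or None when the bytes do not look like
    Modbus/TCP: the protocol id must be 0 and the length field must cover the
    unit id plus the PDU that follows it.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def flag_unexpected_writes(flows, allowed_masters):
    """flows: iterable of (src_ip, dst_ip, payload) captured towards TCP/502.

    Returns one alert dict per write-class request whose source is not an
    approved master. The assumption is that on an OT segment the set of hosts
    allowed to write to a PLC is small and known in advance.
    """
    alerts = []
    for src, dst, payload in flows:
        decoded = decode_modbus_tcp(payload)
        if decoded is None:
            continue
        unit, fc = decoded
        if fc in WRITE_FUNCTION_CODES and src not in allowed_masters:
            alerts.append({"src": src, "dst": dst, "unit": unit,
                           "function": WRITE_FUNCTION_CODES[fc]})
    return alerts


def adu(tid, unit, pdu):
    """Build a constructed sample frame: MBAP header + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (hosts and values are made up for this example).
SAMPLE_FLOWS = [
    # approved HMI reading 10 coils from address 100 on unit 1: no alert
    ("192.168.0.10", "192.168.0.115", adu(1, 1, struct.pack(">BHH", 0x01, 100, 10))),
    # approved HMI writing a single register: expected, not alerted
    ("192.168.0.10", "192.168.0.115", adu(2, 1, struct.pack(">BHH", 0x06, 5, 1234))),
    # unknown workstation writing 8 coils at address 100: should alert
    ("192.168.0.200", "192.168.0.115",
     adu(3, 1, struct.pack(">BHHB", 0x0F, 100, 8, 1) + b"\xff")),
    # unknown workstation only reading holding registers: no alert
    ("192.168.0.200", "192.168.0.115", adu(4, 1, struct.pack(">BHH", 0x03, 0, 4))),
    # not Modbus at all (protocol id 1): ignored
    ("192.168.0.200", "192.168.0.115",
     b"\x00\x05\x00\x01\x00\x06\x01\x06\x00\x05\x04\xd2"),
]

ALLOWED_MASTERS = {"192.168.0.10"}

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_FLOWS, ALLOWED_MASTERS):
        print(alert)
```

Run on the constructed flows, only the third frame produces an alert. The length check in `decode_modbus_tcp` matters: Modbus/TCP carries no magic bytes, so the protocol id and a consistent length field are the only cheap way to avoid classifying unrelated traffic on port 502.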
Requirements
* gnureadline
* requests
* paramiko
* beautifulsoup4
* pysnmp
* python-nmap
* scapy
Exploit modules included in ICSSPLOIT
* s7_300_400_plc_control.py: Siemens S7-300 and S7-400 start/stop
* vxworks_rpc_dos.py: Works on all VxWorks systems where the Remote Procedure Call (RPC) protocol is enabled. (CVE-2015-7599)
* quantum_140_plc_control.py: Schneider Quantum 140 series start/stop.
* crash_qnx_inetd_tcp_service.py: Crash QNX Inetd TCP service started with inetd.
* qconn_remote_exec.py: QCONN QNX Neutrino remote command execution vulnerability.
Installation
There is a requirements file which can be installed by using pip as:
pip install -r requirements
PoC
--> Set up a Modbus master and one slave on another machine in the network.
--> Import module
Move to the downloaded directory isf and type python
from icssploit.clients.modbus_tcp_client import ModbusClient
--> Init Client
target = ModbusClient(name='modbus_tcp_client', ip='<IP>')
eg:
target = ModbusClient(name='modbus_tcp_client', ip='192.168.0.115')
target.connect()
We are now connected to the Modbus client.
--> Read Coils
target.read_coils(address=<Address Of Slave>, count=<Count Of Coils>)
eg:
target.read_coils(address=100, count=10)
This is used to read the values of the coils at the specified slave address.
--> Write Coils
target.write_multiple_coils(address=<Address Of Slave>, values=[<Values To Be Written>])
eg:
target.write_multiple_coils(address=100, values=[1, 1, 1, 1, 1, 1, 1, 1])
We can also change or write the values of coils here.
Now we can read the coils again to confirm the changes made.
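What the read-write-read sequence above does on the wire, and how the coil bits and unit ids from the Modbus section end up in the frames, as an added example that is not part of the original page or of the ISF project: a minimal in-memory Modbus slave (a coil table answering Read Coils, function 1, and Write Multiple Coils, function 15) and a client routine that replays the tutorial's steps with its values (coils 100..109, eight ones written at 100, then read again). `CoilTable`, `run_poc`, the table size and the unit id 1 are assumptions made for the example; in the Modbus PDU the address field is the starting coil offset and the slave is selected by the unit id in the MBAP header. The slave applies any well-formed write without any authentication, which is exactly why the PoC works, and it keeps an audit list of the writes it accepted.

```python
import struct


def build_adu(transaction_id, unit_id, pdu):
    """Modbus/TCP ADU: MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_adu(adu):
    """Split an ADU into (transaction id, unit id, PDU), rejecting a bad MBAP header."""
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    pdu = adu[7:]
    if proto != 0 or length != len(pdu) + 1:
        raise ValueError("malformed MBAP header")
    return tid, unit, pdu


def pack_coils(values):
    """Coils are bits: coil N goes into bit N % 8 of byte N // 8, LSB first."""
    out = bytearray((len(values) + 7) // 8)
    for i, v in enumerate(values):
        if v:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)


def unpack_coils(data, count):
    return [(data[i // 8] >> (i % 8)) & 1 for i in range(count)]


def read_coils_request(address, count):
    return struct.pack(">BHH", 0x01, address, count)


def write_multiple_coils_request(address, values):
    data = pack_coils(values)
    return struct.pack(">BHHB", 0x0F, address, len(values), len(data)) + data


class CoilTable:
    """Minimal in-memory slave (assumed for the example): a coil table with FC 1 and FC 15.

    Nothing in this exchange authenticates the master; any well-formed write is
    applied, so the only record of who changed what is the audit list below.
    """

    def __init__(self, size=1000):
        self.coils = [0] * size
        self.writes = []  # audit trail: (unit, address, values) for every applied write

    def _exception(self, tid, unit, fc, code):
        # Exception response: function code with the high bit set, then the exception code
        return build_adu(tid, unit, bytes([fc | 0x80, code]))

    def handle(self, adu):
        tid, unit, pdu = parse_adu(adu)
        fc = pdu[0]
        if fc == 0x01:  # Read Coils
            address, count = struct.unpack(">HH", pdu[1:5])
            if not 1 <= count <= 2000:
                return self._exception(tid, unit, fc, 0x03)  # illegal data value
            if address + count > len(self.coils):
                return self._exception(tid, unit, fc, 0x02)  # illegal data address
            data = pack_coils(self.coils[address:address + count])
            return build_adu(tid, unit, bytes([fc, len(data)]) + data)
        if fc == 0x0F:  # Write Multiple Coils
            address, count, byte_count = struct.unpack(">HHB", pdu[1:6])
            if not 1 <= count <= 1968 or byte_count != (count + 7) // 8 or len(pdu) != 6 + byte_count:
                return self._exception(tid, unit, fc, 0x03)
            if address + count > len(self.coils):
                return self._exception(tid, unit, fc, 0x02)
            values = unpack_coils(pdu[6:6 + byte_count], count)
            self.coils[address:address + count] = values
            self.writes.append((unit, address, values))
            return build_adu(tid, unit, struct.pack(">BHH", fc, address, count))
        return self._exception(tid, unit, fc, 0x01)  # illegal function


def run_poc(slave, unit_id=1):
    """Replay the tutorial: read coils 100..109, write eight ones at 100, read again."""
    tid = 0

    def exchange(pdu):
        nonlocal tid
        tid += 1
        resp_tid, _, resp = parse_adu(slave.handle(build_adu(tid, unit_id, pdu)))
        if resp_tid != tid:
            raise RuntimeError("transaction id mismatch")
        if resp[0] & 0x80:
            raise RuntimeError("Modbus exception code %d" % resp[1])
        return resp

    before = unpack_coils(exchange(read_coils_request(100, 10))[2:], 10)
    exchange(write_multiple_coils_request(100, [1] * 8))
    after = unpack_coils(exchange(read_coils_request(100, 10))[2:], 10)
    return before, after


if __name__ == "__main__":
    plc = CoilTable()
    before, after = run_poc(plc)
    print("before:", before)
    print("after: ", after)
    print("writes applied:", plc.writes)
```

The second read returns eight ones followed by the two untouched coils, which is the confirmation step the tutorial ends on. Swapping `CoilTable.handle` for a socket to port 502 would make `run_poc` a real client; the framing, bit packing and exception handling are the same either way.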