Page 4 - Exploiting Siemens Simatic S7 PLCs; TCP/IP with reaction times at 100ms
Exploiting Siemens Simatic S7 PLCs 4 1.2.1 Communication In recent years, PLCs have evolved. Antiquated technology has been replaced with seamlessly connected devices, utilizing common networking standards, such as IEEE 802.3 Ethernet and IEEE 802.11 Wi-Fi. With recent changes in automation protocol...
Page 5 - Figure 1.1 PROFINET devices in use 2013 projection.; PROFINET Nodes In Use By 2013
Figure 1.1 PROFINET devices in use 2013 projection. Wireshark supports PROFINET recording that will permit the analysis of the Ethernet message frames. The attacks we are discussing are not against PROFINET itself, but it is important to cover it in this paper be...
Page 6 - Screen Capture of the Step 7 v10
1.2.4 Programming Engineers and programmers rely on application software that allows the operator to design ladder logic in order to control the process attached to the PLC. Ladder logic is a programming language that represents a program by a graphical diagram b...
Page 7 - Programming; Leveraging Open Protocols
Step 7 TIA Portal supports the following features. • Programming • Communication • Diagnostics • Testing Figure 1.3 Screen Capture of the Step 7 v10 Totally Integrated Automation Portal (TIA) 2. Leveraging Open Protocols If we send the ISO-TSAP client packets fro...
Page 12 - Figure 2.3 S7-1200 packet capture follow TCP stream
Figure 2.3 S7-1200 packet capture follow TCP stream Figure 2.4 S7-1200 TCP Stream Figure 2.5 A typical TCP stream for the S7-1200 during a CPU/STOP command.
Page 14 - Simatic S7 PLC Replay Attack Scenario in 5 steps.; Capture ISO-TSAP traffic from the engineering workstation.
MSerious firmware exception (not relevant for user, system code: WSerious memory test function failure (not relevant for user, system code: KSerious memory exception (not relevant for user, system code: LSerious hardware test function failure (not releva...
Page 19 - Fun with Simatic Step 7 and Meterpreter
modifications to the hardware configuration, such as changing the IP address, time of day, password, logic, tag names, data block names, as well as deleting data, adding new code, downloading the project file from the PLC, and so on. It bears repeating that with...
Page 20 - The Disclosure Process
found this vulnerability by using one of the many fuzzer modules in Metasploit. I’ve already written an exploit for it and decided it would be an interesting experiment to write some scripts for Meterpreter that would inject a payload into the Step 7 engineering...
Page 24 - My test lab under “special conditions”
My test lab under “special conditions” I would like to thank my employer, NSS Labs of Austin TX, for sponsoring this effort by purchasing all the hardware and providing me with the time to carry out my investigations. Without them, this research would not have b...