SCADA StrangeLove: S4x13 Releases: S7 password offline bruteforce tool

Wednesday, January 16, 2013

S4x13 Releases: S7 password offline bruteforce tool

As you know S7 protocol, used to communication between Engineering Stations, SCADA, HMI and PLC can be protected by password.

On-line authentication is a simple challenge-response protocol.

Password hashed (SHA1) on client (TIA Portal)
Server (PLC) provide 20 byte challenge
Client calculate HMAC-SHA1(challenge, SHA1(password) as response

Enjoy our special S4x13 release by Alexander Timorin, Dmitry Sklyarov
Parameters are hardcoded, sorry.

cfg_pcap_file = 'path to .pcap file'
cfg_dictionary_file = 'path to dictionary file'

Feel free to contribute.

Download link: http://pastebin.com/0G9Q2k6y

4 comments:

0x8cb35January 18, 2013 at 7:12 AM
Can the original PCAP be made available as well?
ReplyDelete
SCADAStrangeLoveJanuary 27, 2013 at 6:20 AM
Follow ups:
http://scadastrangelove.blogspot.com/2013/01/comments-to-ics-cert-ics-alert-13-016-02.html

http://scadastrangelove.blogspot.com/2013/01/siemens-s7-jtr.html
ReplyDelete
pasta20November 9, 2016 at 10:07 AM

Hello
I question whether it is possible to read the password from the ET 200 SP CPU1512SP-1PN
I have files .pcap
I send to email.
Regards.
ReplyDelete
pasta20November 9, 2016 at 10:14 AM
https://drive.google.com/file/d/0ByaUgqKmRbqteFg5MTVSM1ZkcVE/view
ReplyDelete

Add comment