Wednesday, January 16, 2013

S4x13 Releases: S7 password offline bruteforce tool

As you know, the S7 protocol, used for communication between engineering stations, SCADA, HMI and PLCs, can be protected by a password.

On-line authentication is a simple challenge-response protocol:
  • The password is hashed (SHA1) on the client (TIA Portal)
  • The server (PLC) provides a 20-byte challenge
  • The client calculates HMAC-SHA1(challenge, SHA1(password)) as the response

Enjoy our special S4x13 release by Alexander Timorin and Dmitry Sklyarov.
Parameters are hardcoded, sorry:
 
cfg_pcap_file = 'path to .pcap file'
cfg_dictionary_file = 'path to dictionary file'

Feel free to contribute.

2 comments:

  1. Can the original PCAP be made available as well?

  2. Follow ups:
    http://scadastrangelove.blogspot.com/2013/01/comments-to-ics-cert-ics-alert-13-016-02.html

    http://scadastrangelove.blogspot.com/2013/01/siemens-s7-jtr.html
