Siemens Profinet Scanner - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/scada/profinet_siemens metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Siemens Profinet Scanner
Module: auxiliary/scanner/scada/profinet_siemens
Source code: modules/auxiliary/scanner/scada/profinet_siemens.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will use Layer2 packets, known as Profinet Discovery packets, to detect all Siemens (and sometimes other) devices on a network. It is perfectly SCADA-safe, as there will only be ONE single packet sent out. Devices will respond with their IP configuration and hostnames. Created by XiaK Industrial Security Research Center (www[dot]xiak[dot]be))
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/scanner/scada/profinet_siemens
msf auxiliary(profinet_siemens) > show targets
... a list of targets ...
msf auxiliary(profinet_siemens) > set TARGET target-id
msf auxiliary(profinet_siemens) > show options
... show and set options ...
msf auxiliary(profinet_siemens) > exploit
Knowledge Base
Siemens Industrial controllers and most other industrial OEMs use a proprietary protocol to discover their devices accross a network. In the case of Siemens this is called the Profinet Discover Protocol. Known in Wireshark as PN_DCP
It works purely on Layer 2 (Ethernet addresses) and sends out a single multicast packet (making it safe to use in sensitive networks). Each profinet enabled responds with an array of information: - Its IP address, Subnetmask and Gateway - Its Profinet Devicename ('Station Name') - The Type of station - A Vendor ID (e.g. '002a'), signifing the vendor (e.g. 'Siemens') - A Device Role (e.g. '01'), signifing the type of device (e.g. 'IO-Controller') - A Device ID (e.g. '010d'), signifing the device type (e.g. 'S7-1200')
Vulnerable Application
This is a hardware choice of design, and as such CANNOT be changed without loss of compatibility. Possible mitigations include: pulling the plug (literally), using network isolation (Firewall, Router, IDS, IPS, network segmentation, etc...) or not allowing bad people on your network.
Most, if not all, PLC's (computers that control engines, robots, conveyor belts, sensors, camera's, doorlocks, CRACs ...) have vulnerabilities where, using their own tools, remote configuration and programming can be done WITHOUT authentication. Investigators and underground hackers are just now creating simple tools to convert the, often proprietary, protocols into simple scripts. The operating word here is "proprietary". Right now, the only thing stopping very bad stuff from happening.
Verification Steps
The following demonstrates a basic scenario, we "detect" two devices:
msf > search profinet
msf > use auxiliary/scanner/scada/profinet_siemens
msf auxiliary(profinet_siemens) > run
[*] Sending packet out to eth0
[+] Parsing packet from 00:0e:8c:cf:7b:1a
Type of station: ET200S CPU
Name of station: pn-io-1
Vendor and Device Type: Siemens, ET200S
Device Role: IO-Controller
IP, Subnetmask and Gateway are: 172.16.108.11, 255.255.0.0, 172.16.108.11
[+] Parsing packet from 00:50:56:b6:fe:b6
Type of station: SIMATIC-PC
Name of station: nm
Vendor and Device Type: Siemens, PC Simulator
Device Role: IO-Controller
IP, Subnetmask and Gateway are: 172.16.30.102, 255.255.0.0, 172.16.0.1
[+] I found 2 devices for you!
[*] Auxiliary module execution completed
Options
msf auxiliary(profinet_siemens) > show options
Module options (auxiliary/scanner/scada/profinet_siemens):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE eth0 yes Set an interface
TIMEOUT 2 yes Seconds to wait, set longer on slower networks
By default, the module uses interface 'eth0', there is a check to see if it is live.
The module will send out an ethernet packet and wait for responses. By default, it will wait 2 seconds for any responses, this is long enough for most networks. Increase this on larger and/or slower networks, it just increases the wait time.
Go back to menu.
Msfconsole Usage
Here is how the scanner/scada/profinet_siemens auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/scada/profinet_siemens
msf6 auxiliary(scanner/scada/profinet_siemens) > show info
Name: Siemens Profinet Scanner
Module: auxiliary/scanner/scada/profinet_siemens
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Tijl Deneut <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ANSWERTIME 2 yes Seconds to wait for answers, set longer on slower networks
INTERFACE eth0 yes Set an interface
Description:
This module will use Layer2 packets, known as Profinet Discovery
packets, to detect all Siemens (and sometimes other) devices on a
network. It is perfectly SCADA-safe, as there will only be ONE
single packet sent out. Devices will respond with their IP
configuration and hostnames. Created by XiaK Industrial Security
Research Center (www[dot]xiak[dot]be))
References:
https://wiki.wireshark.org/PROFINET/DCP
https://github.com/tijldeneut/ICSSecurityScripts
Module Options
This is a complete list of options available in the scanner/scada/profinet_siemens auxiliary module:
msf6 auxiliary(scanner/scada/profinet_siemens) > show options
Module options (auxiliary/scanner/scada/profinet_siemens):
Name Current Setting Required Description
---- --------------- -------- -----------
ANSWERTIME 2 yes Seconds to wait for answers, set longer on slower networks
INTERFACE eth0 yes Set an interface
Advanced Options
Here is a complete list of advanced options supported by the scanner/scada/profinet_siemens auxiliary module:
msf6 auxiliary(scanner/scada/profinet_siemens) > show advanced
Module advanced options (auxiliary/scanner/scada/profinet_siemens):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/scada/profinet_siemens module can do:
msf6 auxiliary(scanner/scada/profinet_siemens) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/scada/profinet_siemens auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/scada/profinet_siemens) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
No devices found, maybe you are running virtually?
Here is a relevant code snippet related to the "No devices found, maybe you are running virtually?" error message:
119: parse_profinet(data[28..-1])
120: print_line('')
121: i += 1
122: end
123: if i.zero?
124: print_warning('No devices found, maybe you are running virtually?')
125: else
126: print_good("I found #{i} devices for you!")
127: end
128: end
129:
Error: interface <IFACE> not active?
Here is a relevant code snippet related to the "Error: interface <IFACE> not active?" error message:
135:
136: eth_pkt = PacketFu::EthPacket.new
137: begin
138: eth_pkt.eth_src = PacketFu::Utils.whoami?(iface: iface)[:eth_src]
139: rescue
140: print_error("Error: interface #{iface} not active?")
141: return
142: end
143: eth_pkt.eth_daddr = "01:0e:cf:00:00:00"
144: eth_pkt.eth_proto = 0x8100
145: eth_pkt.payload = packet
Go back to menu.
Related Pull Requests
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7296 Merged Pull Request: Profinet siemens
References
- CVE: Not available
- https://wiki.wireshark.org/PROFINET/DCP
- https://github.com/tijldeneut/ICSSecurityScripts
See Also
Check also the following modules related to this module:
- auxiliary/scanner/scada/bacnet_l3
- auxiliary/scanner/scada/digi_addp_reboot
- auxiliary/scanner/scada/digi_addp_version
- auxiliary/scanner/scada/digi_realport_serialport_scan
- auxiliary/scanner/scada/digi_realport_version
- auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess
- auxiliary/scanner/scada/koyo_login
- auxiliary/scanner/scada/modbus_banner_grabbing
- auxiliary/scanner/scada/modbusclient
- auxiliary/scanner/scada/modbusdetect
- auxiliary/scanner/scada/modbus_findunitid
- auxiliary/scanner/scada/moxa_discover
- auxiliary/scanner/scada/pcomclient
- auxiliary/scanner/scada/sielco_winlog_fileaccess
- auxiliary/dos/scada/siemens_siprotec4
- exploit/windows/browser/siemens_solid_edge_selistctrlx
- auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli
- auxiliary/admin/scada/ge_proficy_substitute_traversal
- auxiliary/admin/scada/modicon_command
- auxiliary/admin/scada/modicon_password_recovery
- auxiliary/admin/scada/modicon_stux_transfer
- auxiliary/admin/scada/moxa_credentials_recovery
- auxiliary/admin/scada/multi_cip_command
- auxiliary/admin/scada/pcom_command
- auxiliary/admin/scada/phoenix_command
- auxiliary/admin/scada/yokogawa_bkbcopyd_client
- auxiliary/dos/scada/allen_bradley_pccc
- auxiliary/dos/scada/beckhoff_twincat
- auxiliary/dos/scada/d20_tftp_overflow
- auxiliary/dos/scada/igss9_dataserver
- auxiliary/dos/scada/yokogawa_logsvr
Authors
Tijl Deneut <tijl.deneut[at]howest.be>
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.