Nmap s7-info NSE Script


This page contains detailed information about how to use the s7-info NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.


Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/s7-info.nse
Script categories: discovery, version
Target service / protocol: iso-tsap, tcp
Target network port(s): 102
List of CVEs: -

Script Description


The s7-info.nse script enumerates Siemens S7 PLC devices and collects their device information. It is based on PLCScan, developed by Positive Research and Scadastrangelove (https://code.google.com/p/plcscan/), and is meant to provide the same functionality as PLCScan inside Nmap. Some of the information that PLCScan collects was not ported over; it can still be parsed out of the packets that are received.

Thanks to Positive Research and Dmitry Efanov for creating PLCScan.

S7-info NSE Script Arguments


The s7-info.nse script does not have any arguments.

S7-info NSE Script Example Usage


Here's an example of how to use the s7-info.nse script:

nmap --script s7-info.nse -p 102 <host/s>

S7-info NSE Script Example Output


Here's a sample output from the s7-info.nse script:

102/tcp open  Siemens S7 PLC
| s7-info:
|   Basic Hardware: 6ES7 315-2AG10-0AB0
|   System Name: SIMATIC 300(1)
|   Copyright: Original Siemens Equipment
|   Version: 2.6.9
|   Module Type: CPU 315-2 DP
|   Module: 6ES7 315-2AG10-0AB0
|_  Serial Number: S C-X4U421302009

S7-info NSE Script Example XML Output


Here's a sample XML output from the s7-info.nse script produced by providing the -oX <file> Nmap option:

<elem key="Basic Hardware">6ES7 315-2AG10-0AB0</elem>
<elem key="System Name">SIMATIC 300(1)</elem>
<elem key="Copyright">Original Siemens Equipment</elem>
<elem key="Version">2.6.9</elem>
<elem key="Object Name">SimpleServer</elem>
<elem key="Module Type">CPU 315-2 DP</elem>
<elem key="Module">6ES7 315-2AG10-0AB0</elem>
<elem key="Serial Number">S C-X4U421302009</elem>
<elem key="Plant Identification"></elem>
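
The elements above are the per-field entries Nmap writes inside the script element of its -oX output. As an added example (not part of Nmap or of the s7-info script), the following Python parses that structure into a per-host inventory of PLCs, which is the defender's usual reason for running this script. The surrounding nmaprun/host/ports/port/script wrapper and the address 192.0.2.10 are constructed for the example; only the elem lines come from this page.

```python
# Added example, not part of Nmap or the s7-info.nse script: turn the
# s7-info <elem> entries from an -oX file into a per-host inventory.
import xml.etree.ElementTree as ET

# Constructed sample: the <elem> lines shown on this page, wrapped in the
# <nmaprun>/<host>/<ports>/<port>/<script> structure of Nmap's -oX output.
# 192.0.2.10 is a documentation address, not a real device.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" version="7.92">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="102">
        <state state="open"/>
        <service name="iso-tsap"/>
        <script id="s7-info" output="">
          <elem key="Basic Hardware">6ES7 315-2AG10-0AB0</elem>
          <elem key="System Name">SIMATIC 300(1)</elem>
          <elem key="Copyright">Original Siemens Equipment</elem>
          <elem key="Version">2.6.9</elem>
          <elem key="Object Name">SimpleServer</elem>
          <elem key="Module Type">CPU 315-2 DP</elem>
          <elem key="Module">6ES7 315-2AG10-0AB0</elem>
          <elem key="Serial Number">S C-X4U421302009</elem>
          <elem key="Plant Identification"></elem>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_s7_info(xml_text):
    """Return {address: {port: {field: value}}} for every s7-info result.

    Empty <elem> values (Plant Identification above) are kept as '' so the
    caller can tell "field absent" from "field reported empty".
    """
    inventory = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != "s7-info":
                    continue
                fields = {e.get("key"): (e.text or "").strip()
                          for e in script.findall("elem")}
                inventory.setdefault(addr, {})[int(port.get("portid"))] = fields
    return inventory


# Fields an asset record should carry to be useful for patch tracking.
REQUIRED = ("Module", "Serial Number", "Version")


def missing_fields(fields, required=REQUIRED):
    """Required fields that are absent or empty in one s7-info record."""
    return [k for k in required if not fields.get(k)]


def inventory_rows(inventory):
    """Flatten to (address, port, module, version, serial) tuples for a CSV/CMDB."""
    return [(addr, port, f.get("Module", ""), f.get("Version", ""),
             f.get("Serial Number", ""))
            for addr, ports in sorted(inventory.items())
            for port, f in sorted(ports.items())]


if __name__ == "__main__":
    inv = parse_s7_info(SAMPLE_NMAP_XML)
    for row in inventory_rows(inv):
        print(row)
    for addr, ports in inv.items():
        for port, fields in ports.items():
            print(addr, port, "missing:", missing_fields(fields))
```

Run `nmap --script s7-info.nse -p 102 -oX scan.xml <host/s>` and feed the file contents to `parse_s7_info`; the firmware `Version` column is the field worth diffing between scans, since it changes only when a PLC is updated.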

Author


  • Stephen Hilt (Digital Bond)

See Also


Visit Nmap NSE Library for more scripts.

The s7-info.nse script may fail with the following error messages. Check the possible causes against the code snippets below, which are taken from the script source code; this can often help in identifying the root cause of the problem.

Error Sending S7COMM


Here is a relevant code snippet related to the "Error Sending S7COMM" error message:

62:	-- @param query the specific query that you want to send/receive on.
63:	-- @param bytes how many bytes (minimum) you expect back
64:	local function send_receive(socket, query, bytes)
65:	  local sendstatus, senderr = socket:send(query)
66:	  if(sendstatus == false) then
67:	    return "Error Sending S7COMM"
68:	  end
69:	  -- receive response
70:	  local rcvstatus, response = socket:receive_bytes(bytes)
71:	  if(rcvstatus == false) then
72:	    return "Error Reading S7COMM"

Error Reading S7COMM


Here is a relevant code snippet related to the "Error Reading S7COMM" error message:

67:	    return "Error Sending S7COMM"
68:	  end
69:	  -- receive response
70:	  local rcvstatus, response = socket:receive_bytes(bytes)
71:	  if(rcvstatus == false) then
72:	    return "Error Reading S7COMM"
73:	  end
74:	  return response
75:	end
76:	
77:	---

Error establishing connection for %s - %s


Here is a relevant code snippet related to the "Error establishing connection for %s - %s" error message:

207:	  -- create socket for communications
208:	  local sock = nmap.new_socket()
209:	  -- connect to host
210:	  local constatus, conerr = sock:connect(host, port)
211:	  if not constatus then
212:	    stdnse.debug1('Error establishing connection for %s - %s', host, conerr)
213:	    return nil
214:	  end
215:	  -- send and receive the COTP Packet
216:	  response  = send_receive(sock, COTP, 6)
217:	  -- unpack the PDU Type

Error establishing connection for %s - %s


Here is a relevant code snippet related to the "Error establishing connection for %s - %s" error message:

223:	    stdnse.debug1('S7INFO:: CREATING NEW SOCKET')
224:	    sock = nmap.new_socket()
225:	    -- connect to host
226:	    local constatus, conerr = sock:connect(host, port)
227:	    if not constatus then
228:	      stdnse.debug1('Error establishing connection for %s - %s', host, conerr)
229:	      return nil
230:	    end
231:	    response = send_receive(sock, alt_COTP, 6)
232:	    local CC_connect_confirm = string.byte(response, 6)
233:	    if ( CC_connect_confirm ~= 0xd0) then

S7 INFO:: Could not negotiate COTP


Here is a relevant code snippet related to the "S7 INFO:: Could not negotiate COTP" error message:

229:	      return nil
230:	    end
231:	    response = send_receive(sock, alt_COTP, 6)
232:	    local CC_connect_confirm = string.byte(response, 6)
233:	    if ( CC_connect_confirm ~= 0xd0) then
234:	      stdnse.debug1('S7 INFO:: Could not negotiate COTP')
235:	      return nil
236:	    end
237:	  end
238:	  -- send and receive the ROSCTR Setup Packet
239:	  response  = send_receive(sock, ROSCTR_Setup, 8)
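
The snippets above show the two checks that decide between these messages: send_receive() expects a minimum number of bytes back (6 for the COTP exchange), and the byte at Lua index 6 of the reply (the COTP PDU type that follows the 4-byte TPKT header and the COTP length indicator) must be 0xd0, a Connection Confirm. As an added example (not from the s7-info script), the following Python decodes that TPKT + COTP header and maps a reply to the outcome the script would report at this stage. The byte strings are constructed samples, not captured traffic; the PDU type values are the standard ISO 8073 COTP codes.

```python
# Added example, not from the s7-info.nse script: decode the TPKT + COTP
# header of a reply on TCP/102 and apply the same checks the snippets above
# rely on, so a reply can be related to the script's failure messages.
# All byte strings below are constructed samples, not captured traffic.
import struct

# Standard COTP (ISO 8073) PDU type codes.
COTP_PDU_TYPES = {
    0xE0: "Connection Request (CR)",
    0xD0: "Connection Confirm (CC)",
    0x80: "Disconnect Request (DR)",
    0xF0: "Data (DT)",
}
TPKT_VERSION = 3
MIN_COTP_REPLY = 6  # the script calls send_receive(sock, COTP, 6)


def parse_tpkt_cotp(data):
    """Parse TPKT (4 bytes) + COTP (length indicator, PDU type, rest).

    Offsets are 0-based here; the script's string.byte(response, 6) is
    Lua's 1-based index for the same PDU-type octet, data[5].
    Raises ValueError on a truncated or inconsistent header.
    """
    if len(data) < MIN_COTP_REPLY:
        raise ValueError("short reply: %d bytes, need %d" % (len(data), MIN_COTP_REPLY))
    version, _reserved, tpkt_len = struct.unpack("!BBH", data[:4])
    if version != TPKT_VERSION:
        raise ValueError("not TPKT: version 0x%02x" % version)
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d != %d bytes received" % (tpkt_len, len(data)))
    li, pdu_type = data[4], data[5]
    if 4 + 1 + li != tpkt_len:  # LI counts the COTP bytes after itself
        raise ValueError("COTP length indicator %d inconsistent with TPKT length" % li)
    return {
        "tpkt_length": tpkt_len,
        "cotp_length": li,
        "pdu_type": pdu_type,
        "pdu_name": COTP_PDU_TYPES.get(pdu_type, "unknown (0x%02x)" % pdu_type),
        "payload": bytes(data[6:]),
    }


def diagnose_cotp_reply(data):
    """Map a reply to the outcome the script would report for its COTP step."""
    if len(data) < MIN_COTP_REPLY:
        # Roughly the script's receive_bytes(6) failing: no full header came back.
        return "Error Reading S7COMM"
    try:
        hdr = parse_tpkt_cotp(data)
    except ValueError as exc:
        return "malformed header: %s" % exc
    if hdr["pdu_type"] != 0xD0:
        return "S7 INFO:: Could not negotiate COTP"
    return "COTP negotiated"


# Constructed samples.  CC: TPKT len 22, LI 17, PDU type 0xd0, refs, class 0,
# then TPDU-size (c0) and source/destination TSAP (c1/c2) parameters.
SAMPLE_CC = bytes.fromhex("03000016" "11" "d0" "0001" "0002" "00"
                          "c0010a" "c1020100" "c2020102")
# DR: TPKT len 11, LI 6, PDU type 0x80, refs, reason 0.
SAMPLE_DR = bytes.fromhex("0300000b" "06" "80" "0000" "0001" "00")
SAMPLE_SHORT = bytes.fromhex("0300")

if __name__ == "__main__":
    for name, sample in (("CC", SAMPLE_CC), ("DR", SAMPLE_DR), ("short", SAMPLE_SHORT)):
        print(name, "->", diagnose_cotp_reply(sample))
```

One caveat the snippets make visible: send_receive() returns its error string as the response, and the caller then runs string.byte(response, 6) on it, so a failed receive on the alt_COTP path surfaces as "Could not negotiate COTP" rather than as "Error Reading S7COMM"; run Nmap with -d to see both debug lines when tracing which step actually failed.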

Version


This page has been created based on Nmap version 7.92.
