Documentation ¶
Overview ¶
Package siemens provides a zgrab2 module that scans for Siemens S7. Default port: TCP 102 Ported from the original zgrab. Input and output are identical.
Index ¶
- Constants
- Variables
- func GetS7Banner(logStruct *S7Log, connection net.Conn, reconnect ReconnectFunction) (err error)
- func RegisterModule()
- type COTPConnectionPacket
- type COTPDataPacket
- type Flags
- type Module
- type ReconnectFunction
- type S7Error
- type S7Log
- type S7Packet
- type Scanner
- func (scanner *Scanner) GetName() string
- func (scanner *Scanner) GetTrigger() string
- func (scanner *Scanner) Init(flags zgrab2.ScanFlags) error
- func (scanner *Scanner) InitPerSender(senderID int) error
- func (scanner *Scanner) Protocol() string
- func (scanner *Scanner) Scan(target zgrab2.ScanTarget) (zgrab2.ScanStatus, interface{}, error)
- type TPKTPacket
Constants ¶
const ( S7_PROTOCOL_ID = byte(0x32) S7_REQUEST_ID = uint16(0) S7_REQUEST = byte(0x01) S7_REQUEST_USER_DATA = byte(0x07) S7_ACKNOWLEDGEMENT = byte(0x02) S7_RESPONSE = byte(0x03) S7_SZL_REQUEST = byte(0x04) S7_SZL_FUNCTIONS = byte(0x04) S7_SZL_READ = byte(0x01) S7_SZL_MODULE_IDENTIFICATION = uint16(0x11) S7_SZL_COMPONENT_IDENTIFICATION = uint16(0x1c) S7_DATA_BYTE_OFFSET = 12 // offset for real data )
Variables ¶
var ( // S7_ERROR_CODES maps error codes to the friendly error string S7_ERROR_CODES = map[uint32]string{ 0x05: "address error", 0x0a: "item not available", 0x8104: "context not supported", 0x8500: "wrong PDU size", } )
Functions ¶
func GetS7Banner ¶
func GetS7Banner(logStruct *S7Log, connection net.Conn, reconnect ReconnectFunction) (err error)
GetS7Banner scans the target for S7 information, reconnecting if necessary.
Types ¶
type COTPConnectionPacket ¶
type COTPConnectionPacket struct { // DestinationRef is the DST-REF TPDU field DestinationRef uint16 // SourceRef is the SCE-REF TPDU field SourceRef uint16 // DestinationTSAP is the destination transport service access point. DestinationTSAP uint16 // SourceTSAP is the source transport service access point. SourceTSAP uint16 // TPDUSize is the size (in bytes) of the TPDU TPDUSize byte }
COTPConnectionPacket is defined in RFC 892.
func (*COTPConnectionPacket) Marshal ¶
func (cotpConnPacket *COTPConnectionPacket) Marshal() ([]byte, error)
Marshal encodes a COTPConnectionPacket to binary.
func (*COTPConnectionPacket) Unmarshal ¶
func (cotpConnPacket *COTPConnectionPacket) Unmarshal(bytes []byte) error
Unmarshal decodes a COTPConnectionPacket from binary that must be a connection confirmation.
type COTPDataPacket ¶
type COTPDataPacket struct {
Data []byte
}
COTPDataPacket wraps the state / interface for a COTP data packet.
func (*COTPDataPacket) Marshal ¶
func (cotpDataPacket *COTPDataPacket) Marshal() ([]byte, error)
Marshal encodes a COTPDataPacket to binary.
func (*COTPDataPacket) Unmarshal ¶
func (cotpDataPacket *COTPDataPacket) Unmarshal(bytes []byte) error
Unmarshal decodes a COTPDataPacket from binary.
type Flags ¶
type Flags struct { zgrab2.BaseFlags // TODO: configurable TSAP source / destination, etc Verbose bool `long:"verbose" description:"More verbose logging, include debug fields in the scan results"` }
Flags holds the command-line configuration for the siemens scan module. Populated by the framework.
type Module ¶
type Module struct { }
Module implements the zgrab2.Module interface.
func (*Module) NewFlags ¶
func (module *Module) NewFlags() interface{}
NewFlags returns a default Flags object.
func (*Module) NewScanner ¶
NewScanner returns a new Scanner instance.
type ReconnectFunction ¶
ReconnectFunction is used to re-connect to the target to re-try the scan with a different TSAP destination.
type S7Log ¶
type S7Log struct { // IsS7 indicates that S7 was actually detected, so it should always be true. IsS7 bool `json:"is_s7"` // System is the first field returned in the component ID response. System string `json:"system,omitempty"` // Module is the second field returned in the component ID response. Module string `json:"module,omitempty"` // PlantId is the third field returned in the component ID response. PlantId string `json:"plant_id,omitempty"` // Copyright is the fourth field returned in the component ID response. Copyright string `json:"copyright,omitempty"` // SerialNumber is the fifth field returned in the component ID response. SerialNumber string `json:"serial_number,omitempty"` // ModuleType is the sixth field returned in the component ID response. ModuleType string `json:"module_type,omitempty"` // ReservedForOS is the seventh field returned in the component ID response. ReservedForOS string `json:"reserved_for_os,omitempty"` // MemorySerialNumber is the eighth field returned in the component ID response. MemorySerialNumber string `json:"memory_serial_number,omitempty"` // CpuProfile is the ninth field returned in the component ID response. CpuProfile string `json:"cpu_profile,omitempty"` // OemId is the tenth field returned in the component ID response. OEMId string `json:"oem_id,omitempty"` // Location is the eleventh field returned in the component ID response. Location string `json:"location,omitempty"` // ModuleId is the first field returned in the module identification response. ModuleId string `json:"module_id,omitempty"` // Hardware is the second field returned in the module identification response. Hardware string `json:"hardware,omitempty"` // Fiirmware is the third field returned in the module identification response. Firmware string `json:"firmware,omitempty"` }
S7Log is the output type for the Siemens S7 scan.
type S7Packet ¶
S7Packet represents an S7 packet.
type Scanner ¶
type Scanner struct {
// contains filtered or unexported fields
}
Scanner implements the zgrab2.Scanner interface.
func (*Scanner) GetTrigger ¶
GetTrigger returns the Trigger defined in the Flags.
func (*Scanner) InitPerSender ¶
InitPerSender initializes the scanner for a given sender.
func (*Scanner) Scan ¶
func (scanner *Scanner) Scan(target zgrab2.ScanTarget) (zgrab2.ScanStatus, interface{}, error)
Scan probes for Siemens S7 services. 1. Connect to TCP port 102 2. Send a COTP connection packet with destination TSAP 0x0102, source TSAP 0x0100 3. If that fails, reconnect and send a COTP connection packet with destination TSAP 0x0200, source 0x0100 4. Negotiate S7 5. Request to read the module identification (and store it in the output) 6. Request to read the component identification (and store it in the output) 7. Return the output
type TPKTPacket ¶
type TPKTPacket struct { // Data is the packet's content Data []byte }
TPKTPacket is defined in RFC 1006
func (*TPKTPacket) Marshal ¶
func (tpktPacket *TPKTPacket) Marshal() ([]byte, error)
Marshal encodes a TPKTPacket to binary.
func (*TPKTPacket) Unmarshal ¶
func (tpktPacket *TPKTPacket) Unmarshal(bytes []byte) error
Unmarshal decodes a TPKTPacket from binary.