• ICS Protocols
  • Developed as a community asset
  • General / Miscellaneous Releases
  • AMI
  • BACnet
  • DNP3
    • Protocol Implementation
    • Fuzzing
  • Ethernet/IP and CIP
  • IEC 104
  • IEC 61850
    • Protocol Implementation
    • Tools
  • IEEE C37.118
    • Protocol Implementation
    • Tools
  • Modbus
    • Protocol Implementation
    • Fuzzing
  • PROFINET
    • Protocol Implementation
    • Fuzzing
  • SEL Fast Message
  • Siemens S7
  • TriStation
  • Zigbee
  • General Protocol Fuzzing

https://github.com/ITI/ICS-Security-Tools 工控安全工具

ICS Protocols

Developed as a community asset

General / Miscellaneous Releases

• PoC 2013 SCADA Release - Power of Community 2013 conference special release of ICS/SCADA toolkit

AMI

• Termineter - c1218 powermeter emulator

BACnet

• BACpypes - BACpypes provides a BACnet application layer and network layer written in Python for daemons, scripting, and graphical interfaces.

DNP3

Protocol Implementation

• OpenDNP3 - Opendnp3 is the de facto reference implementation of IEEE-1815 (DNP3) provided under the Apache License.
• DNP3 Simulator - Graphical DNP3 Master/Outstation simulator
• PIFaceRTU - Opendnp3 running on a Raspberry Pi with Piface I/O board
• LangSec DNP3 Parser - Parsing DNP3 using parser combinators in C.
• Proxyd - TCP Proxy for testing hammer based parsers (such as the DNP3 parser above)

Fuzzing

• AEGIS Fuzzer - Aegis™ is a smart fuzzing framework for a growing number of protocols that can identify robustness and security issues in communications software before it is deployed in a production system. [commercial] Early Open Source version is mirrored here: Open-Source.

Ethernet/IP and CIP

• EtherNet/IP+CIP dissector for Scapy - a Python library which can be used to interact with components of a network using ENIP (Ethernet/IP) and CIP (Common Industrial Protocol) protocols. It uses scapy to implement packet dissectors which are able to decode a part of the network traffic. These dissectors can also be used to craft packets, which allows directly communicating with the PLCs (Programmable Logic Controllers) of the network. Use case
• Scapy implementation of DLR (Device Level Ring) protocol
• CPPPO - Communications Protocol Python Parser and Originator (EtherNet/IP CIP implementation) - Cpppo is used to implement binary communications protocol parsers. The protocol’s communication elements are described in terms of state machines which change state in response to input events, collecting the data and producing output data artifacts.
• pycomm - pycomm is a package that includes a collection of modules used to communicate with PLCs. At the moment the first module in the package is ab_comm. ab_comm is a module that contains a set of classes used to interface Rockwell PLCs using Ethernet/IP protocol. The “clx” class can be used to communicate with Compactlogix, Controllogix PLCs The “slc” can be used to communicate with Micrologix or SLC PLCs
• pyCIP - CIP protocol implementation in Python3

IEC 104

• IEC Server - Software to simulate server side of systems using a telecontrol message Protocol specified in the IEC 60870-5. Original website http://area-x1.lima-city.de is down, so this has been mirrored.
• OpenMRTS - MRTS is an attempt to create open source IEC 870-5-101/104 based components for telecontrol and supervisory systems and to become a complete solution in future.
• QTester104 - This software implements the IEC60870-5-104 protocol (client side) for substation data acquisition and control via tcp/ip network using the QT UI Framework. It can be compiled on Linux and Windows platforms. It’s possible to poll and view data from the substation system (RTU/concentrator) and also send commands.
• lib60870 - Implements IEC 60870-5-104 protocol.

IEC 61850

Protocol Implementation

• libIEC61850 - open source library for IEC 61850.
• rapid61850 - Rapid-prototyping protection and control schemes with IEC 61850

Tools

• IEDScout - IEDScout provides access to 61850-based IEDs and can simulate entire Ed. {1,2} IEDs. Specifically, IEDScout lets you look inside the IED and at its communication. All data modeled and exchanged becomes visible and accessible. Additionally, IEDScout serves numerous useful tasks, which could otherwise only be performed with dedicated engineering tools or even a functioning master station. IEDScout shows an overview representing the typical workflow of commissioning, but also provides detailed information upon request. [commercial] Free 30 day evaluation license.

IEEE C37.118

Protocol Implementation

• C37.118-2005 Spec – C37.118-2005 (deprecated). Note, this is a paid IEEE spec
• C37.118-2011 Spec – C37.118-2011 (current). Note, this is a paid IEEE spec
• pyMU - Python C37.118-2011 parser
• pyPMU - WIP Python implementation
• Wireshark Dissector - Implemented C37.118 wireshark dissector
• Grid Solutions Framework C37.118 - GSF implementation (.net)
• LangSec C37.118 Parser - LangSec based C37.118 parser

Tools

• pyMU - Python C37.118-2011 parser
• pyPMU - WIP Python implementation
• PMU Connection Tester - Full fledged PMU connection tester, speaking c37.118 amongst many other synchrophasor protocols

Modbus

Protocol Implementation

• pyModBus - A full modbus protocol written in python.
• Modbus for Go - Fault-tolerant implementation of modbus protocol in Go (golang)
• ModbusPal - ModbusPal is a MODBUS slave simulator. Its purpose is to offer an easy to use interface with the capabilities to reproduce complex and realistic MODBUS environments. Mirror available here.
• SMOD - MODBUS Penetration Testing Framework. smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest modbus protocol. It is a full Modbus protocol implementation using Python and Scapy. This software could be run on Linux/OSX under python 2.7.x.

Fuzzing

• AEGIS Fuzzer - Aegis™ is a smart fuzzing framework for a growing number of protocols that can identify robustness and security issues in communications software before it is deployed in a production system. [commercial] Early Open Source version is mirrored here: Open-Source.

PROFINET

Protocol Implementation

• Profinet - Python - Simple PROFINET implementation in python
• Profinet - C - PROFINET implementation in C
• Profinet Explorer - Simple PROFINET explorer written in C#

Fuzzing

• ProFuzz - Simple PROFINET fuzzer based on Scapy

SEL Fast Message

• Wireshark Dissector - SEL Fast Message - Wireshark Dissector for SEL Fast Message
• Grid Solutions Framework SEL Fast Message - GSF implementation (.net)
• SEL Applications Guides - Look up AG95-10 and AG2002-14 product codes.

Siemens S7

• Snap7 - open source Siemens S7 communication library.
• LibNoDave - Another (less complete) open source communication library for the S7 protocol.
• S7comm - open source Wireshark dissector plugin for the Siemens S7 protocol.
• Python Snap7 Wrapper - A Python wrapper for the snap7 PLC communication library
• Bro-IDS S7 Protocol Parser - S7 protocol parser for Bro IDS

TriStation

• FireEye TriStation Wireshark Dissector - reverse engineered wireshark dissector from Mandiant/FireEye team after Triton discovery.
• Nozomi TriStation Wireshark Dissector - another TriStation dissector, this time from Nozomi, also incldues pcap, and basic honeypot simulator.

Zigbee

• Killerbee - IEEE 802.15.4/ZigBee Security Research Toolkit.

General Protocol Fuzzing

• AFL - American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary.

(creative commons license)