{"id":13627691,"url":"https://github.com/klsecservices/s7scan","last_synced_at":"2025-04-17T00:32:24.964Z","repository":{"id":167425004,"uuid":"152721930","full_name":"klsecservices/s7scan","owner":"klsecservices","description":"The tool for enumerating Siemens S7 PLCs through TCP/IP or LLC network","archived":false,"fork":false,"pushed_at":"2018-12-28T12:11:56.000Z","size":5325,"stargazers_count":133,"open_issues_count":0,"forks_count":45,"subscribers_count":15,"default_branch":"master","last_synced_at":"2024-11-08T18:45:11.018Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/klsecservices.png","metadata":{"files":{"readme":"README.md","changelog":"changelog","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-10-12T08:52:04.000Z","updated_at":"2024-11-06T12:42:47.000Z","dependencies_parsed_at":"2023-07-17T14:41:50.542Z","dependency_job_id":null,"html_url":"https://github.com/klsecservices/s7scan","commit_stats":null,"previous_names":["klsecservices/s7scan"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klsecservices%2Fs7scan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klsecservices%2Fs7scan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klsecservices%2Fs7scan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klsecservices%2Fs7scan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/klsecservices","download_url":"https://codeload.github.com/klsecserv
ices/s7scan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249293045,"owners_count":21245673,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T22:00:37.223Z","updated_at":"2025-04-17T00:32:24.000Z","avatar_url":"https://github.com/klsecservices.png","language":"Python","readme":"# s7scan  \n\n## General description\n**s7scan** is a tool that scans networks, enumerates Siemens PLCs and gathers basic information about them, such as PLC firmware and hardware version, network configuration and security parameters.\nIt is written entirely in Python.  \nThe tool uses the S7 protocol to connect to and talk to PLCs. More specifically, it performs \"Read SZL\" requests to get information about controllers. The formats of these requests are documented in \"Siemens SIMATIC System Software for S7-300/400 System and\nStandard Functions. Reference manual\", which can be found at the following link:  https://cache.industry.siemens.com/dl/files/574/1214574/att_44504/v1/SFC_e.pdf  \nMain features of the utility:\n1. Identifying all active PLCs in a particular network;\n2. Obtaining basic information about each PLC:  \n    a. PLC type;  \n    b. Software version;  \n    c. Hardware version;  \n    d. Protection settings applied to the PLC (key position, r/w/rw access rights);  \n    e. Network configuration of the PLC.  \n3. Supporting both TCP/IP and LLC transport protocols.\n4. 
Ability to be built as a stand-alone binary with pyinstaller  \n\n**s7scan** is based on the utility called \"plcscan\" from Dmitry Efanov (Positive Research). Compared with that older version, the main differences are:  \n    - Support of low-level LLC protocol;  \n    - Showing protection configuration of PLCs;  \n    - Improvements to the default COTP TSAP checking procedure in order to find all PLCs within racks;  \n    - Improved stability.  \n    \nThe tool is designed to use scapy for crafting and sending low-level LLC packets. Still, for TCP/IP communications it uses the standard OS socket interface for simplicity and stability.  \n\n## What is this tool actually for?\nThe main purpose of the tool is to give technical specialists and security auditors the ability to enumerate PLCs for which additional security configuration and/or firmware updates are needed.\n\n## Installation\nActual installation is not required. Just download **s7scan** and run python with s7scan.py  \nThe tool currently depends on scapy, so scapy installation is required.\nThe tool currently works with Python 2 only.\n\n## Use cases\nYou can use s7scan in either of the following ways:\n1. Usage with python and scapy installed on the machine. In this case you only need to download **s7scan**, go to its directory and run \"python s7scan.py\" in the console.\n2. Usage on computers without python. In this case the option is to use pyinstaller. Install it, go to the s7scan folder and run\n\n```\npyinstaller --onefile s7scan.py\n```\nto build a stand-alone binary. Then distribute this binary to the target computer and use it.  \nBoth use-cases are acceptable on Linux/Windows/Mac.  \nAlternatively, you can use pre-built executables built by pyinstaller in **dist** directory.  \n\n**Note:** on Windows you will need WinPcap (or Npcap) if you want to scan LLC networks. If installing it is not an option, you have 2 alternatives:  \n1. Download and run the portable version of Wireshark;\n2. 
Use the script winpcap_installer_test.py that is included in s7scan. Run \n```\nwinpcap_installer_test.py install\n```\ncommand in your console, and it will perform a silent install of WinPcap. After scanning you can simply run \n```\nwinpcap_installer.py uninstall\n```\nto get rid of all WinPcap files. You can also run \n```\nwinpcap_installer_test.py check\n```\nin order to check whether WinPcap is installed on the machine.  \n\n## Kudos\n`@_moradek_` on Twitter for help with development    \n\n## Disclaimer of warranty\n\nTHERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. \nEXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES \nPROVIDE THE PROGRAM \"AS IS\" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, \nINCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF \nTHE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST \nOF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.  \nIF ANYONE BELIEVES THAT THIS TOOL HAS VIOLATED ANY COPYRIGHTS, PLEASE EMAIL US, \nAND ALL THE NECESSARY CHANGES WILL BE MADE.\n\n## Less formal disclaimer (or why we had to write the disclaimer at all)\n\nThis open-source tool was developed for internal purposes. It was tested on \nseveral different PLC families: S7-300, S7-400 and S7-1500. Nevertheless, it's \nstill just a result of a research project, and as always, it may be vulnerable to \nmistakes and lack of knowledge under some hypothetical circumstances. Neither the\nauthor of the tool nor Kaspersky Lab are responsible for any possible\ndamage caused by the tool to the industrial equipment or any technological and \nbusiness processes. Use the tool only after considering the consequences, and at\nyour own risk.  \n\n## Contacts\nPlease feel free to contact us if you have any questions/suggestions/feedback related \nto the tool. 
Use the following contact details:  \n    **Twitter:** @zero_wf from @kl_secservices  \n    **Github:**  @klsecservices  \nAny contribution to the project is always welcome!\n","funding_links":[],"categories":["S7comm","Industrial Control and SCADA Systems","Tools"],"sub_categories":["Tools","Docker Containers of Penetration Testing Distributions and Tools","Zealandia","Industrial Control and SCADA Systems"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fklsecservices%2Fs7scan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fklsecservices%2Fs7scan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fklsecservices%2Fs7scan/lists"}