{"id":28100124,"url":"https://github.com/mottasec/ics-ninja-scanner","last_synced_at":"2026-04-30T13:33:51.055Z","repository":{"id":293096379,"uuid":"982935314","full_name":"MottaSec/ICS-Ninja-Scanner","owner":"MottaSec","description":"Multi-protocol ICS security scanner detecting vulnerabilities in Modbus, S7, DNP3, BACnet, MQTT \u0026 SNMP. Features configurable scan intensities, safe-by-default operation \u0026 comprehensive reporting. Identifies misconfigurations \u0026 security flaws in industrial environments.","archived":false,"fork":false,"pushed_at":"2025-05-13T16:23:14.000Z","size":2710,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-13T17:31:47.281Z","etag":null,"topics":["bacnet","cybersecurity","dnp3","ics-security","industrial-control-systems","modbus","mqtt","ot-security","pentesting","plc","plc-security","python","s7","scada-security","security-scanner","snmp","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://mottasec.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MottaSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-13T16:12:32.000Z","updated_at":"2025-05-13T16:23:18.000Z","dependencies_parsed_at":"2025-05-13T17:32:05.527Z","dependency_job_id":"e35dde93-0b4a-4d0a-8566-902eaa92757e","html_url":"https://github.com/MottaSec/ICS-Ninja-Scanner","commit_stats":null,"previous_names":["mottasec/ics-ninja-scanner"],"tags_count":0,"template":false,"template_full_name":nul
l,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MottaSec%2FICS-Ninja-Scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MottaSec%2FICS-Ninja-Scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MottaSec%2FICS-Ninja-Scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MottaSec%2FICS-Ninja-Scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MottaSec","download_url":"https://codeload.github.com/MottaSec/ICS-Ninja-Scanner/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254003118,"owners_count":21997837,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bacnet","cybersecurity","dnp3","ics-security","industrial-control-systems","modbus","mqtt","ot-security","pentesting","plc","plc-security","python","s7","scada-security","security-scanner","snmp","vulnerability-scanner"],"created_at":"2025-05-13T18:30:25.757Z","updated_at":"2026-04-30T13:33:51.048Z","avatar_url":"https://github.com/MottaSec.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ICS Ninja Scanner\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"images/logo.png\" alt=\"ICS Ninja Scanner Logo\" width=\"300px\"\u003e\n\u003c/p\u003e\n\n**Multi-protocol Industrial Control System security assessment platform.**\n\nICS Ninja Scanner is a comprehensive security assessment tool purpose-built for industrial environments. 
It discovers, fingerprints, and tests ICS/SCADA devices across **11 protocols**, correlates findings against a built-in **CVE database**, maps results to **ICS compliance frameworks** (IEC 62443, NIST 800-82, NERC CIP), and tracks your security posture over time with **scan diffing and trend analysis**.\n\nDesigned by penetration testers who actually assess OT environments — not another IT scanner bolted onto port 502.\n\n\u003e ⚖️ Licensed under [PolyForm Noncommercial 1.0.0](LICENSE) — free for research, education, and non-commercial use.\n\n---\n\n## Why ICS Ninja?\n\nMost security scanners treat ICS as an afterthought. ICS Ninja was built ICS-first:\n\n- **Safe by default** — passive discovery at low intensity, write tests auto-restore original values\n- **Protocol-native** — speaks Modbus, S7, IEC 104, DNP3, BACnet, etc. natively (no generic TCP probing)\n- **Cross-protocol intelligence** — detects multi-protocol attack surfaces (e.g., same device on Modbus + S7 + SNMP with inconsistent auth)\n- **Built-in CVE correlation** — embedded database of ICS-specific CVEs, matched against discovered device info\n- **Compliance mapping** — auto-maps findings to IEC 62443, NIST 800-82, and NERC CIP requirements\n- **Scan diffing** — compare assessments over time, track remediation, detect regression\n- **Rate limiting** — millisecond-level request throttling for fragile PLCs and RTUs\n- **Industry scan profiles** — pre-built configs for Siemens plants, substations, BMS, water treatment, oil \u0026 gas, and more\n\n---\n\n## Installation\n\n```bash\n# Core only (no protocol libraries)\npip install ics-ninja\n\n# With all protocol libraries\npip install ics-ninja[all]\n\n# Specific protocols only\npip install ics-ninja[modbus,s7,mqtt]\n\n# Development\npip install ics-ninja[all,dev]\n```\n\n### Docker\n\n```bash\ndocker build -t ics-ninja .\ndocker run --rm ics-ninja scan --target 192.168.1.100 --protocols modbus --intensity low\n```\n\n### From Source\n\n```bash\ngit 
clone https://github.com/mottasec/ics-ninja-scanner.git\ncd ics-ninja-scanner\npip install -e \".[all]\"\n```\n\n---\n\n## Quick Start\n\n### Basic Scanning\n\n```bash\n# Discover ICS devices on a subnet (passive, safe for production)\nics-ninja scan --target 192.168.1.0/24 --protocols all --intensity low\n\n# Deep scan a specific PLC\nics-ninja scan --target 192.168.1.100 --protocols s7,modbus --intensity medium\n\n# Full security assessment with rate limiting (for fragile devices)\nics-ninja scan --target 192.168.1.100 --protocols all --intensity high --rate-limit 0.5 --yes\n```\n\n### Using Scan Profiles\n\nSkip manual protocol selection — use industry-specific profiles:\n\n```bash\n# Siemens manufacturing plant (S7 + Profinet + OPC-UA + Modbus + SNMP + MQTT)\nics-ninja scan --target 10.0.0.0/24 --protocols all --profile siemens-plant\n\n# Electrical substation (IEC 104 + DNP3 + Modbus, conservative intensity)\nics-ninja scan --target 10.0.0.0/24 --protocols all --profile substation\n\n# Quick recon across all protocols\nics-ninja scan --target 192.168.1.0/24 --protocols all --profile quick\n```\n\nAvailable profiles: `siemens-plant`, `rockwell-plant`, `substation`, `bms`, `water-treatment`, `oil-gas`, `quick`, `full`\n\n### CVE Correlation\n\nCross-reference scan findings against the embedded ICS CVE database:\n\n```bash\n# Scan with CVE correlation enabled\nics-ninja scan --target 192.168.1.100 --protocols s7,modbus --intensity medium --cve-check\n\n# View CVE database statistics\nics-ninja cve-db\n```\n\nThe CVE database includes vendor-specific entries for Siemens, Rockwell, Schneider, ABB, and other major ICS vendors, with CVSS scores and affected version ranges.\n\n### Compliance Mapping\n\nMap findings to ICS security frameworks:\n\n```bash\n# Map against IEC 62443\nics-ninja scan --target 192.168.1.0/24 --protocols all --intensity medium \\\n    --compliance iec62443\n\n# Map against all frameworks (IEC 62443 + NIST 800-82 + NERC CIP)\nics-ninja scan 
--target 192.168.1.0/24 --protocols all --intensity medium \\\n    --compliance all\n```\n\n### Scan Diffing \u0026 Trend Analysis\n\nTrack your security posture over time:\n\n```bash\n# Compare two scan reports\nics-ninja diff old_scan.json new_scan.json --format html --output delta.html\n\n# Auto-diff against the most recent previous scan for the same target\nics-ninja scan --target 192.168.1.0/24 --protocols all --intensity medium \\\n    --output-format json --output-file scan_q1 --diff-baseline\n\n# Analyze risk trend across multiple scans (oldest first)\nics-ninja trend scan_q1.json scan_q2.json scan_q3.json scan_q4.json --output trend.txt\n```\n\n### Reporting\n\n```bash\n# Generate HTML report for stakeholders\nics-ninja scan --target 192.168.1.0/24 --protocols all --intensity medium \\\n    --output-format html --output-file assessment_report\n\n# Export all formats at once (TXT + JSON + CSV + HTML)\nics-ninja scan --target 192.168.1.0/24 --protocols all --intensity medium \\\n    --output-format all --output-file full_assessment\n\n# Combine everything: CVE check + compliance + HTML report + auto-diff\nics-ninja scan --target 192.168.1.0/24 --protocols all --intensity medium \\\n    --cve-check --compliance all --output-format json,html \\\n    --output-file assessment --diff-baseline\n```\n\n---\n\n## Supported Protocols\n\n| Protocol | Port | What It Tests |\n|----------|------|---------------|\n| **Modbus TCP** | 502 | Device ID (FC 43/14), register read/write, Modbus/TLS, broadcast detection |\n| **Siemens S7** | 102 | CPU state, module inventory, CVE checks, protection levels, PLC clock, web server |\n| **IEC 60870-5-104** | 2404 | Multi-station testing, IEC 62351 security, 5 control command types, sequence tracking |\n| **MQTT** | 1883/8883 | Broker auth, MQTT v5, WebSocket, QoS, retained messages, client ID impersonation |\n| **SNMP** | 161 | Community strings, SNMPv3, BER-encoded walk, write testing |\n| **OPC-UA** | 4840 | Security modes, 
anonymous access, certificate analysis, node browsing |\n| **BACnet** | 47808 | WhoIs discovery, WriteProperty testing, ReinitializeDevice, device enumeration |\n| **EtherNet/IP** | 44818 | CIP sessions, tag read/write, ForwardOpen, identity enumeration |\n| **DNP3** | 20000 | Secure Authentication, control commands, outstation enumeration |\n| **Profinet** | 34964 | DCP discovery, security class detection, RPC testing |\n| **HART-IP** | 5094 | Session management, command enumeration, sub-device discovery |\n\n## Scan Intensity Levels\n\n| Level | What It Does | Safe for Production? |\n|-------|-------------|---------------------|\n| 🟢 **Low** | Passive discovery — version detection, banner grabbing, protocol fingerprinting | ✅ Yes |\n| 🟡 **Medium** | Active queries — read registers, check auth, enumerate security settings | ⚠️ Generally safe |\n| 🔴 **High** | Write tests — unauthenticated control attempts, write verification with auto-restore | ❌ Maintenance window only |\n\nHigh-intensity scans prompt for confirmation (bypass with `--yes`). 
Write tests automatically restore original values and verify restoration.\n\n---\n\n## Scan Profiles\n\nPre-built configurations for common ICS environments:\n\n| Profile | Environment | Protocols | Default Intensity |\n|---------|------------|-----------|-------------------|\n| `siemens-plant` | Siemens manufacturing | S7, Profinet, OPC-UA, Modbus, SNMP, MQTT | Medium |\n| `rockwell-plant` | Rockwell/Allen-Bradley | EtherNet/IP, Modbus, SNMP, OPC-UA, MQTT | Medium |\n| `substation` | Electrical substation | IEC 104, DNP3, Modbus, SNMP, MQTT | Low |\n| `bms` | Building management | BACnet, Modbus, SNMP, MQTT, OPC-UA | Medium |\n| `water-treatment` | Water/wastewater | DNP3, Modbus, SNMP, MQTT, OPC-UA | Low |\n| `oil-gas` | Oil \u0026 gas / process | HART-IP, Modbus, OPC-UA, SNMP, MQTT, Profinet | Medium |\n| `quick` | Any — fast recon | All | Low |\n| `full` | Any — full assessment | All | High |\n\n---\n\n## CLI Reference\n\n```\nics-ninja scan [OPTIONS]\n  --target TEXT                    Target IP, range, or CIDR  [required]\n  --protocols TEXT                 Comma-separated protocols or 'all'  [required]\n  --intensity [low|medium|high]   Scan intensity  [default: low]\n  --profile TEXT                   Apply a scan profile (overrides protocols/intensity)\n  --cve-check                     Enable CVE correlation\n  --compliance [iec62443|nist80082|nerccip|all]  Compliance framework mapping\n  --diff-baseline                 Auto-compare with most recent previous scan\n  --output-format [txt|json|csv|html|all]  Output format  [default: txt]\n  --output-file TEXT              Output filename (without extension)\n  --rate-limit FLOAT              Delay between requests in seconds\n  --timeout INTEGER               Connection timeout in seconds  [default: 5]\n  --threads INTEGER               Parallel scan threads  [default: 10]\n  --no-verify                     Disable TLS verification\n  --yes / -y                      Skip confirmation for high intensity\n  
--debug                         Enable debug logging\n\nics-ninja list                    List available protocols and scanner status\nics-ninja version                 Show version\nics-ninja profiles                List available scan profiles\nics-ninja cve-db                  Show CVE database statistics\nics-ninja diff OLD NEW [--format txt|json|html] [--output FILE]\n                                  Compare two scan reports\nics-ninja trend FILE1 FILE2 ... [--output FILE]\n                                  Risk trend analysis across multiple scans\n```\n\n---\n\n## Output Formats\n\n| Format | Use Case |\n|--------|----------|\n| **TXT** | Terminal output, quick review |\n| **JSON** | Integration with SIEM, ticketing, other tools |\n| **CSV** | Spreadsheets, bulk analysis |\n| **HTML** | Styled report with executive summary, severity charts, and remediation priorities |\n\nHTML reports include CVSS scores (auto-calculated for all findings), severity distribution charts, and compliance mapping when enabled.\n\n---\n\n## Safety\n\nThis tool is for **authorized security assessments only**. Always:\n\n1. 🔐 Get written authorization before scanning any ICS environment\n2. 🟢 Start with low intensity in production\n3. ⏰ Use maintenance windows for high-intensity scans\n4. 📊 Monitor target systems during scanning\n5. 🐌 Use `--rate-limit` for sensitive/legacy devices\n\n---\n\n## Contributing\n\nWe welcome contributions — especially new protocol scanners. See [CONTRIBUTING.md](CONTRIBUTING.md) for the dev setup, scanner checklist, and PR process.\n\n## Security\n\nFound a vulnerability in ICS Ninja Scanner itself? See [SECURITY.md](SECURITY.md) for responsible disclosure.\n\n## License\n\n[PolyForm Noncommercial License 1.0.0](LICENSE) — free for research, education, non-commercial organizations, and personal use. 
Commercial use requires a separate license from [MottaSec](https://mottasec.com).\n\n---\n\nBuilt by [MottaSec](https://mottasec.com)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmottasec%2Fics-ninja-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmottasec%2Fics-ninja-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmottasec%2Fics-ninja-scanner/lists"}
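The Supported Protocols table lists Modbus "Device ID (FC 43/14)" as one of the things the scanner tests, and the intensity table files it under low-intensity "passive discovery". Two points a practitioner should keep in mind: the probe is read-only but not sniff-only (a request frame is still sent to the PLC), and a device that supports it may split its identification block over several responses using the "More Follows" field, so a fingerprint that stops after the first reply is incomplete. The following is an added example, not code from ICS Ninja Scanner; `MBAP`, `fingerprint`, the `send` callable and the `fake_plc` responder are all assumptions, and the response bytes are constructed rather than captured.

```python
"""Modbus/TCP Read Device Identification (FC 0x2B / MEI type 0x0E) probe.

Added example; this is not code from ICS Ninja Scanner. It encodes the request
a low-intensity Modbus fingerprint sends, decodes the response, and walks the
"More Follows" continuation that larger identification blocks require. The
responding device below is a constructed in-memory stand-in, not a capture.
"""
import struct
import time

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0), length, unit id

# Object ids of the "basic" identification block (Modbus Application Protocol spec).
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision",
                3: "VendorUrl", 4: "ProductName", 5: "ModelName",
                6: "UserApplicationName"}


def build_read_device_id(tid, unit=1, read_code=1, object_id=0):
    """FC 0x2B with MEI 0x0E. read_code 1=basic, 2=regular, 3=extended, 4=one object."""
    pdu = bytes([0x2B, 0x0E, read_code, object_id])
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_read_device_id(frame, expected_tid):
    """Decode one response frame into its identification objects.

    Raises ValueError for a mismatched header, a Modbus exception reply, or a
    truncated object list (malformed replies from fragile devices are common).
    """
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if tid != expected_tid or proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    pdu = frame[7:]
    if pdu[0] == 0xAB:  # 0x2B | 0x80: exception response, code in the next byte
        raise ValueError(f"Modbus exception 0x{pdu[1]:02x}")
    if pdu[0:2] != b"\x2B\x0E":
        raise ValueError("not a Read Device Identification response")
    read_code, conformity, more_follows, next_obj, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object list")
        objects[OBJECT_NAMES.get(obj_id, f"Object{obj_id}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"unit": unit, "conformity": conformity, "more_follows": more_follows == 0xFF,
            "next_object": next_obj, "objects": objects}


def fingerprint(send, unit=1, rate_limit=0.0, sleep=time.sleep):
    """Collect the whole basic block via send(request) -> response, following
    More Follows and pausing rate_limit seconds between requests."""
    tid, object_id, result = 1, 0, {}
    while True:
        page = parse_read_device_id(send(build_read_device_id(tid, unit, 1, object_id)), tid)
        result.update(page["objects"])
        if not page["more_follows"]:
            return result
        tid, object_id = tid + 1, page["next_object"]
        if rate_limit:
            sleep(rate_limit)


def fake_plc(request):
    """Constructed responder that splits the basic block over two pages."""
    tid = struct.unpack_from(">H", request)[0]
    if request[10] == 0:  # requested object id
        body = (bytes([0x2B, 0x0E, 0x01, 0x01, 0xFF, 0x02, 0x02])
                + b"\x00\x0bExampleCorp" + b"\x01\x06PLC-42")
    else:
        body = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x01]) + b"\x02\x05v1.23"
    return MBAP.pack(tid, 0, len(body) + 1, 1) + body


if __name__ == "__main__":
    print(fingerprint(fake_plc, rate_limit=0.1))
```

Against a real target, `send` would wrap a socket connected to TCP/502 (write the request, read back 6 bytes of MBAP, then the `length` field's worth of payload). The `rate_limit` parameter mirrors the page's `--rate-limit` option: the pause sits between consecutive requests to the same device, which is what matters for RTUs that fall over under back-to-back queries.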
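The intensity table describes high-intensity scans as "write verification with auto-restore" and the text says write tests "restore original values and verify restoration". The sequence matters: the restore must happen unconditionally, it must be verified by a read-back, and a failed restore has to surface as the most severe finding of the scan rather than be swallowed, because at that point the tool has changed process state. The following is an added example, not ICS Ninja Scanner's own implementation; `FakeHoldingRegisters`, `write_test` and the `read_holding`/`write_holding` interface (modelled on Modbus FC 03 / FC 06 semantics) are assumptions, and the register values are constructed.

```python
"""High-intensity write test with auto-restore and restore verification.

Added example; not ICS Ninja Scanner's own implementation. It shows the order
of operations a write probe needs so that the register is left as found, and
how to report the case where restoration itself fails. The device class is a
constructed in-memory stand-in; its read_holding/write_holding interface is an
assumption modelled on Modbus FC 03 / FC 06.
"""
import time


class ModbusException(Exception):
    def __init__(self, code):
        super().__init__(f"Modbus exception 0x{code:02x}")
        self.code = code


class FakeHoldingRegisters:
    """Constructed PLC stand-in: a register map, an optional read-only set, and
    fail_after=N to make every write after the Nth return exception 0x04."""

    def __init__(self, regs, read_only=(), fail_after=None):
        self.regs = dict(regs)
        self.read_only = set(read_only)
        self.fail_after = fail_after
        self.writes = 0

    def read_holding(self, addr):
        if addr not in self.regs:
            raise ModbusException(0x02)  # ILLEGAL DATA ADDRESS
        return self.regs[addr]

    def write_holding(self, addr, value):
        if addr in self.read_only:
            raise ModbusException(0x02)
        self.writes += 1
        if self.fail_after is not None and self.writes > self.fail_after:
            raise ModbusException(0x04)  # SLAVE DEVICE FAILURE
        self.regs[addr] = value & 0xFFFF


def write_test(device, addr, rate_limit=0.0, sleep=time.sleep):
    """Probe whether holding register addr accepts an unauthenticated write.

    Sequence: read original -> write canary -> read back -> write original ->
    read back. Returns a finding dict; a failed restore is reported as
    critical together with the value the register was left at.
    """
    def pause():
        if rate_limit:
            sleep(rate_limit)

    original = device.read_holding(addr)
    canary = original ^ 0x0001  # smallest change that still differs from original
    try:
        pause()
        device.write_holding(addr, canary)
    except ModbusException as exc:
        return {"addr": addr, "writable": False, "restored": True,
                "severity": "info", "detail": f"write rejected ({exc})"}
    pause()
    accepted = device.read_holding(addr) == canary
    finding = {"addr": addr, "writable": accepted,
               "severity": "high" if accepted else "low",
               "detail": "unauthenticated write accepted" if accepted
               else "write acknowledged but value did not change"}
    # Restore unconditionally and verify by reading back, whatever was observed.
    try:
        pause()
        device.write_holding(addr, original)
        pause()
        restored = device.read_holding(addr) == original
    except ModbusException as exc:
        restored = False
        finding["detail"] += f"; restore write raised {exc}"
    finding["restored"] = restored
    if not restored:
        finding["severity"] = "critical"
        finding["detail"] += (f"; RESTORE FAILED: register {addr} left at "
                              f"{device.read_holding(addr)}, original was {original}")
    return finding


if __name__ == "__main__":
    plc = FakeHoldingRegisters({100: 0x1234, 200: 7}, read_only={200})
    for a in (100, 200):
        print(write_test(plc, a, rate_limit=0.05))
```

The canary is `original ^ 1` because the page describes the test as verifying that the write took effect. The less disruptive variant is to write the original value back to itself: on most Modbus stacks that still exercises the write permission check, and the register never holds a foreign value, at the cost of not proving that writes actually change state. Whichever variant is used, the read-back after restore is the step that justifies running this outside a lab at all, and it is why the example never returns before it has attempted it.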
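The "Scan Diffing & Trend Analysis" section shows `ics-ninja diff` and `ics-ninja trend` being run over JSON reports but not what a diff has to compute: findings need a stable identity across runs so that a change in severity is distinguished from a resolved finding plus a new one, and "regression" should be defined (anything new or worse). The following is an added example, not ICS Ninja Scanner's own diff or trend code; the report schema (a `findings` list keyed by host, protocol and check, each with a severity) is an assumption, and both reports are constructed inline.

```python
"""Scan diffing and risk trend over JSON reports.

Added example; not ICS Ninja Scanner's own diff or trend code, and the report
schema (a findings list keyed by host/protocol/check with a severity) is an
assumption. The two reports below are constructed, standing in for the
scan_q1.json / scan_q2.json files the README commands produce.
"""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

SCAN_Q1 = json.dumps({"target": "192.168.1.0/24", "findings": [
    {"host": "192.168.1.10", "protocol": "modbus", "check": "unauthenticated_write", "severity": "high"},
    {"host": "192.168.1.10", "protocol": "snmp", "check": "default_community", "severity": "medium"},
    {"host": "192.168.1.20", "protocol": "s7", "check": "protection_level", "severity": "high"},
]})
SCAN_Q2 = json.dumps({"target": "192.168.1.0/24", "findings": [
    {"host": "192.168.1.10", "protocol": "modbus", "check": "unauthenticated_write", "severity": "high"},
    {"host": "192.168.1.20", "protocol": "s7", "check": "protection_level", "severity": "medium"},
    {"host": "192.168.1.30", "protocol": "bacnet", "check": "writeproperty_unauthenticated", "severity": "critical"},
]})


def index_findings(report_json):
    """Key each finding by (host, protocol, check) so two runs can be matched."""
    report = json.loads(report_json)
    return {(f["host"], f["protocol"], f["check"]): f["severity"] for f in report["findings"]}


def diff_reports(old_json, new_json):
    """Classify every finding as new, resolved, worse, better or unchanged.
    regression is True when anything is new or got worse."""
    old, new = index_findings(old_json), index_findings(new_json)
    delta = {"new": [], "resolved": [], "worse": [], "better": [], "unchanged": []}
    for key in sorted(set(old) | set(new)):
        if key not in old:
            delta["new"].append(key)
        elif key not in new:
            delta["resolved"].append(key)
        else:
            o, n = SEVERITY_RANK[old[key]], SEVERITY_RANK[new[key]]
            delta["worse" if n > o else "better" if n < o else "unchanged"].append(key)
    delta["regression"] = bool(delta["new"] or delta["worse"])
    return delta


def risk_score(report_json):
    """Sum of severity ranks: crude, but monotonic in what matters for a trend."""
    return sum(SEVERITY_RANK[s] for s in index_findings(report_json).values())


def trend(report_jsons):
    """Reports oldest first. Returns the score series and its overall direction."""
    scores = [risk_score(r) for r in report_jsons]
    direction = ("flat" if scores[-1] == scores[0]
                 else "rising" if scores[-1] > scores[0] else "falling")
    return {"scores": scores, "direction": direction}


if __name__ == "__main__":
    print(json.dumps(diff_reports(SCAN_Q1, SCAN_Q2), indent=2))
    print(trend([SCAN_Q1, SCAN_Q2]))
```

With the constructed reports the diff shows one resolved finding (the SNMP community string), one improved (the S7 protection level), one unchanged, and one new critical BACnet finding, so the run is flagged as a regression even though two things got better; a single aggregate score would have hidden that, which is why the classification and the score are reported separately.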