Redpoint is our internal project to develop NSE scripts for Nmap to identify and enumerate ICS devices. We are releasing some of the more helpful and less intrusive scripts on GitHub. The first was for BACnet devices, and now we have released an NSE script to identify and enumerate Siemens SIMATIC S7 PLCs.

Full credit for the idea and concept for this script goes to Positive Technologies and SCADA STRANGE LOVE. We ran PLCScan to generate the pcaps, copied what they found useful to enumerate, and used it as QA for our Redpoint script. This script is basically a way to get the PLCScan capabilities in Nmap. Since we use Nmap for enumeration in our assessments and have a number of Redpoint scripts we run in an Nmap category, it was worthwhile for us to port it over. Hopefully the large community that likes Nmap will find it useful.

Let’s go to the screenshots:

[Screenshot: ICS Enumeration]

We pulled the information from the Module field to identify the model, e.g. S7 315, S7 317, S7 312. Beyond its value for inventory purposes, the model helps you identify which PLCs are the high-powered, most critical ones, and how large and complex the process you have found is.

The System Name and Plant Identification fields could be very helpful if they were filled in by the integrator or asset owner. We have scanned devices where the System Name was descriptive and others where it was not changed from the default (and is therefore not included in the output from the NSE). We have yet to see the Plant Identification field used, but a large organization with multiple plants may find it helpful, as would the person enumerating the S7 PLCs.
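To make the inventory logic above concrete, here is an added Python example (not code from the Redpoint project or from PLCScan) that parses the S7 component identification list the script reads and builds the same kind of record: model derived from the order number, System Name dropped when it is still a default, Plant Identification dropped when empty. The SZL 0x001C record layout, the index-to-field mapping and the default system name are assumptions, and the sample bytes are constructed.

```python
import re
import struct

# Assumed layout (not from the post): an SZL 0x001C data block is an 8-byte header of
# big-endian u16 fields (SZL-ID, index, record length, record count) followed by
# records of a u16 index plus a 32-byte NUL-padded ASCII string.
SZL_001C_FIELDS = {  # assumed index-to-field mapping
    0x0001: "System Name",
    0x0002: "Module Type",
    0x0003: "Plant Identification",
    0x0004: "Copyright",
    0x0005: "Serial Number",
}


def parse_szl_001c(data: bytes) -> dict:
    """Return {field name: string} from an SZL 0x001C block; reject truncated input."""
    if len(data) < 8:
        raise ValueError("SZL block shorter than its header")
    szl_id, _idx, rec_len, n_rec = struct.unpack(">HHHH", data[:8])
    if szl_id != 0x001C or rec_len < 2:
        raise ValueError(f"unexpected SZL-ID 0x{szl_id:04x} / record length {rec_len}")
    fields, off = {}, 8
    for _ in range(n_rec):
        rec = data[off:off + rec_len]
        if len(rec) != rec_len:  # a device (or a fuzzer) can return fewer bytes than claimed
            raise ValueError("SZL block truncated mid-record")
        (idx,) = struct.unpack(">H", rec[:2])
        text = rec[2:].split(b"\x00", 1)[0].decode("ascii", "replace").strip()
        fields[SZL_001C_FIELDS.get(idx, f"index 0x{idx:04x}")] = text
        off += rec_len
    return fields


def model_from_order_number(mlfb: str) -> str:
    """'6ES7 315-2EH14-0AB0' -> 'S7 315'; unrecognised formats are returned unchanged."""
    m = re.match(r"6ES7\s*(\d{3})", mlfb)
    return f"S7 {m.group(1)}" if m else mlfb


def summarize(mlfb: str, szl_block: bytes, default_names=("SIMATIC 300(1)",)) -> dict:
    """Inventory record; default_names is an assumed STEP 7 default, not from the post."""
    f = parse_szl_001c(szl_block)
    out = {"Model": model_from_order_number(mlfb)}
    if f.get("System Name") and f["System Name"] not in default_names:
        out["System Name"] = f["System Name"]
    if f.get("Plant Identification"):
        out["Plant Identification"] = f["Plant Identification"]
    return out


def build_szl_001c(records) -> bytes:
    """Assemble a block from (index, text) pairs; used only to construct sample input."""
    body = b"".join(struct.pack(">H", i) + t.encode("ascii").ljust(32, b"\x00") for i, t in records)
    return struct.pack(">HHHH", 0x001C, 0, 34, len(records)) + body


# Constructed sample: default system name, empty plant id, placeholder serial number.
SAMPLE_SZL = build_szl_001c([(1, "SIMATIC 300(1)"), (3, ""), (5, "S C-CONSTRUCTED0")])
```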
