HarpoS7

HarpoS7 is a C# library for authenticating sessions in the S7CommPlus protocol, supporting both the legacy challenge-response authentication (TIA Portal V16 and older) and TLS-based authentication (TIA Portal V17 and newer).

MIT License

Stars: 8


HarpoS7 - PoC 1.1.0 (pre3) - legitimation for S7-1500 & S7-1200 (Latest Release)

Published by bonk-dev 2 months ago

Experimental real PLC support

pre3 adds password auth for real S7-1200/1500 PLCs (PLCSIM is implemented, but not enabled in the PoC yet)

Resolves (probably): #3
Full Changelog: https://github.com/bonk-dev/HarpoS7/compare/v1.1.0-pre2...v1.1.0-pre3

Usage

192.168.1.10 - PLC IP address
102 - S7-CommPlus port (most likely the same across all PLCs)
zaq1@WSX - access password (optional, set it in your TIA Portal project first)

Windows (CMD)

HarpoS7.PoC.exe 192.168.1.10:102 - session auth without access password
HarpoS7.PoC.exe 192.168.1.10:102 "zaq1@WSX" - session auth with access password

Linux

Without access password

chmod +x ./HarpoS7.PoC
./HarpoS7.PoC 192.168.1.10:102

With access password

chmod +x ./HarpoS7.PoC
./HarpoS7.PoC 192.168.1.10:102 "zaq1@WSX"

OS X

Without access password

chmod +x ./HarpoS7.PoC
./HarpoS7.PoC 192.168.1.10:102

With access password

chmod +x ./HarpoS7.PoC
./HarpoS7.PoC 192.168.1.10:102 "zaq1@WSX"
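
The usage above passes the access password as a command-line argument, which makes it visible to every local user through `ps` and leaves it in the shell history. The following wrapper is an added example and is not part of HarpoS7: it validates the `host:port` target, fills in port 102 when no port is given, reads the password from an environment variable instead of argv, and then invokes the PoC binary with the documented arguments. `HARPO_BIN` and `HARPO_PASSWORD` are names introduced here, not options of the PoC itself; IPv6 literals are not accepted because the PoC's `host:port` syntax gives them no unambiguous form.

```sh
#!/bin/sh
# harpo-run.sh: added wrapper around the HarpoS7.PoC binary; not part of the
# HarpoS7 project. It validates the PLC target, takes the optional access
# password from an environment variable instead of argv (argv is readable by
# every local user via `ps` and ends up in shell history), and then invokes
# the PoC with the documented arguments: <host:port> [password].
# HARPO_BIN and HARPO_PASSWORD are names introduced here (assumptions).
set -u

HARPO_BIN=${HARPO_BIN:-./HarpoS7.PoC}   # path to the PoC binary
DEFAULT_PORT=102                        # S7CommPlus (ISO-TSAP) port

# valid_target "host:port": returns 0 if host matches [A-Za-z0-9.-]+ and
# port is 1..65535, 1 otherwise. Exactly one ':' is required.
valid_target() {
    target=$1
    host=${target%:*}
    port=${target##*:}
    [ "$host:$port" = "$target" ] || return 1          # no ':' at all
    [ -n "$host" ] || return 1
    case $host in *[!A-Za-z0-9.-]*) return 1 ;; esac    # also rejects a 2nd ':'
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# normalize_target "host" or "host:port": prints host:port, appending the
# default port when none was given. Returns 1 on an invalid target.
normalize_target() {
    case $1 in
        *:*) t=$1 ;;
        *)   t="$1:$DEFAULT_PORT" ;;
    esac
    valid_target "$t" || return 1
    printf '%s\n' "$t"
}

# run_poc "host[:port]": runs the PoC; the password argument is appended only
# when HARPO_PASSWORD is set and non-empty. Returns the PoC's exit status,
# or 2 when the target does not parse.
run_poc() {
    t=$(normalize_target "$1") || { echo "bad target: $1" >&2; return 2; }
    if [ -n "${HARPO_PASSWORD:-}" ]; then
        "$HARPO_BIN" "$t" "$HARPO_PASSWORD"
    else
        "$HARPO_BIN" "$t"
    fi
}

# Entry point: with no arguments print usage and fall through (so the file
# can also be sourced for its functions); otherwise run against the target.
if [ $# -eq 0 ]; then
    echo "usage: HARPO_PASSWORD=... $0 <plc-ip[:port]>" >&2
else
    run_poc "$1"
fi
```

Typical call: `HARPO_PASSWORD='zaq1@WSX' ./harpo-run.sh 192.168.1.10` (the port defaults to 102). Setting the variable only for that one command keeps the password out of `ps` output and out of the history file, and the quoting problem with characters such as `@` in a CMD/PowerShell argument goes away because the PoC still receives the password as a single argv entry.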

HarpoS7 - PoC 1.1.0 (pre2) - real S7-1500 & S7-1200 support

Published by bonk-dev 2 months ago

Experimental real PLC support

pre2 fixes the Release variant (used the wrong key for symmetric key id) and adds S7-1200 support

Resolves (probably): #3
Full Changelog: https://github.com/bonk-dev/HarpoS7/compare/v1.1.0-pre1...v1.1.0-pre2

Usage

192.168.1.10 - PLC IP address
102 - S7-CommPlus port (most likely the same across all PLCs)

Windows (cmd)

HarpoS7.PoC.exe 192.168.1.10:102

Windows (PowerShell)

.\HarpoS7.PoC.exe 192.168.1.10:102

Linux

chmod +x ./HarpoS7.PoC
./HarpoS7.PoC 192.168.1.10:102

OS X

chmod +x ./HarpoS7.PoC
./HarpoS7.PoC 192.168.1.10:102

HarpoS7 - PoC 1.1.0 - real S7-1500 support

Published by bonk-dev 2 months ago

Experimental real PLC support

or support for family 0 public keys at least

Resolves (probably): #3
Full Changelog: https://github.com/bonk-dev/HarpoS7/compare/v1.0.0-dumper...v1.1.0-pre1

Usage

192.168.1.10 - PLC IP address
102 - S7-CommPlus port (most likely the same across all PLCs)

Windows (cmd)

HarpoS7.PoC.exe 192.168.1.10:102

Windows (PowerShell)

.\HarpoS7.PoC.exe 192.168.1.10:102

Linux

chmod +x ./HarpoS7.PoC
./HarpoS7.PoC 192.168.1.10:102

OS X

chmod +x ./HarpoS7.PoC
./HarpoS7.PoC 192.168.1.10:102

HarpoS7 - Key Dumper v1.0.0

Published by bonk-dev 8 months ago