Compilation of industrial network protocols resources focusing on offensive security.
In this repository:
- You are currently viewing the Awesome Industrial Protocols page.
- Detailed pages for protocols are available in the `protocols` directory.
- All data is stored in MongoDB databases in the `db` directory.
- Turn/IP (in `srcs`) is a handy tool to manipulate this data, generate the awesome list and protocol pages, and simplify the research and test process on industrial protocols.
Note: Sometimes it is unclear whether a name refers to a protocol, a standard, or a complete environment, or if a protocol on a serial link can be accessed in any way from the Ethernet link (through a dedicated implementation or a gateway). I apologize for any confusion, and of course, I welcome any remarks or contributions.
Currently, there are 65 protocols with a total of 710 resources.
- ANSI-C12.22
- ATG
- BACnet/IP
- BSAP
- CAN
- CC-Link IE
- CIP
- CODESYS
- Crimson
- CSPv4
- DeviceNet
- DF1
- DICOM
- DNP3
- Ether-S-I/O
- EtherCAT
- Ethernet/IP
- ETP
- FF-HSE
- FINS
- FL-net
- FOCAS
- GE-SRTP
- GVCP
- GVSP
- HART-IP
- HICP
- HL7
- ICCP
- IEC-60870-5-104
- IEC-61850
- IEEE-C37.118
- ISA100.11a
- KNXnet/IP
- LIS
- LoRaWAN
- LSV/2
- M-Bus
- MDLC
- MELSEC
- Modbus
- MQTT
- MTConnect
- Niagara Fox
- OPC-DA
- OPC-UA
- PC-WORX
- PCCC
- POWERLINK
- ProConOs
- Profinet-DCP
- Profinet-IO
- RTPS
- S-Bus
- S7comm
- SECS/GEM
- SERCOS-III
- SLMP
- SOME/IP
- TriStation
- TSAA
- UMAS
- WITS
- XCP
- ZigBee
Name | ANSI-C12.22 |
---|---|
Alias | ANSI-C12.19, C1222 |
Description | Protocol to transport ANSI C12.19 tables on electric meter utility networks |
Keywords | Smart Grid, Meter |
Port | 1153/tcp, 1153/udp |
Specifications | RFC 6142, ANSI C12.22 specification, ANSI C12.19 Specification |
Wireshark dissector | packet-c1222.c |
Detailed page | ansi-c1222.md |
- ANSI C12.22 (c1222) - Description of protocol ANSI C12.22 on Wireshark Wiki
- An overview on ANSI C12.22 - Edward Beroset @ Electric Energy Online
- Looking Into The Eye Of The Meter - Cutaway @ DEF CON 20 (2013)
Name | ATG |
---|---|
Alias | TLS4, TLS-350, TLS-450 |
Description | Veeder Root's Automatic Tank Gauge (ATG) protocol |
Keywords | Gas, Guardian AST |
Port | 10001/tcp |
Specifications | Veeder Root serial interface manual for TLS-450, Veeder Root serial interface manual for TLS-350 |
Nmap script(s) | atg-info.nse |
Detailed page | atg.md |
- Network Router for ATG Applications Installation manual (577014-129) - Technical network documentation from Veeder Root
- Gas Station Nightmare: Are Exposed ATGs Our Next Security Crisis? - Jacob Marabelli (2023)
- The Little Pump Gauge That Could: Attacks Against Gas Pump Monitoring Systems - Kyle Wilhoit and Stephen Hilt @ Black Hat USA (2015)
- The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems - Kyle Wilhoit and Stephen Hilt (Trend Micro, 2015)
- GasPot - Honeypot simulating a Veeder Root Guardian AST
Name | BACnet/IP |
---|---|
Alias | BACnet |
Description | Building automation and control network communication protocol for HVAC systems |
Keywords | HVAC |
Port | 47808/udp |
Access | Paid |
Specifications | BACnet/IP Specification |
Nmap script(s) | bacnet-info.nse |
Wireshark dissector | packet-bacnet.c |
Example Pcap(s) | ICS-pcap BACnet, S4x15 ICS Village PCAP Files |
Detailed page | bacnetip.md |
- 10 things you should know about BACnet - Blog post on RTAutomation
- BACnet CVE-2019-12480 - On M's blog (2019)
- BACnet data representation - Blog post on RTAutomation
- (in)Security in Building Automation: How to Create Dark Buildings with Light Speed - Thomas Brandstetter @ Black Hat USA (2017)
- DEF CON Safe Mode Red Team Village - Chris Kubecka - Pwn the World - @ DEF CON (2020)
- HVACking Understand the Delta Between Security and Reality - Douglas McKee & Mark Bereza @ DEF CON 27 (2019)
- InSecurity in Building Automation - Thomas Brandstetter @ DEF CON 25 ICS Village (2017)
- Mixing industrial protocols with web application security - Bertin Bervis @ DEF CON 27 IoT Village (2019)
- Owning a Building: Exploiting Access Control and Facility Management Systems - Billy Rios @ Black Hat Asia (2014)
- BACnet Stack - BACnet open source protocol stack
- bacnet-docker - BACnet Tools in Docker
Name | BSAP |
---|---|
Alias | BSAP/IP, BSAP-IP |
Description | Emerson's Bristol Synchronous Asynchronous Protocol |
Keywords | Emerson, Bristol |
Port | 1234/udp |
Access | Free |
Specifications | BSAP Communications Application Programmer's Reference |
Detailed page | bsap.md |
- ICEFALL - Revisiting A Decade Of OT Insecure-By-Design Practices - Jos Wetzels @ Hack In The Box (2022)
Name | CAN |
---|---|
Alias | CANbus, CANopen, CAN-FD |
Description | Communication protocol enabling data exchange between electronic components in vehicles |
Keywords | CANbus |
Specifications | ISO-11898 |
Wireshark dissector | packet-canopen.c |
Scapy layer | can.py |
Detailed page | can.md |
- DBC Specification - A description of CAN database layout
- Linux SocketCAN documentation - kernel.org
- CAN Injection: keyless car theft - Canis Automotive Labs CTO blog (2023)
- CAN-FD - The basic idea - CAN in Automation
- Click here to download more cars - djnn
- #HITBCyberWeek D1T2 - Car Hacking: Practical Guide To Automotive Security - Yogesh Ojha - @ Hack In The Box (2020)
- #HITBCyberWeek D2T2 - RAMN: Resistant Automotive Miniature Network - @ Hack In The Box (2020)
- (Pen)Testing Vehicles with CANToolz - Alexey Sintsov @ Black Hat Europe (2016)
- Abusing CAN Bus Spec for DoS in Embedded Systems - Martin Petran @ DEF CON 31 Car Hacking Village (2023)
- Advanced CAN Injection Techniques for Vehicle Networks - Charlie Miller & Chris Valasek @ Black Hat USA (2016)
- Adventures in Building a CAN Bus Sniffer - Andrey Voloshin @ Hack In The Box (2020)
- All Aboard the CAN Bus or Motorcycle - Derrick @ DEF CON Safe Mode Car Hacking Village (2020)
- Backdooring & Remotely Controlling Cars - Sheila A. Berta & Claudio Carraciolo @ Hack In The Box (2018)
- Backdooring of Real Time Automotive OS Devices - @ Black Hat (2022)
- CAN Bus in Aviation Investigating CAN Bus in Avionics - Patrick Kiley @ DEF CON 27 Aviation Village (2019)
- CANsee: An Automobile Intrusion Detection System - Jun Li @ Hack In The Box (2016)
- Canspy: A Platform for Auditing Can Devices - Jonathan-Christofer Demay & Arnaud Lebrun @ Black Hat USA (2016)
- CANSPY: Auditing CAN Devices - Jonathan Christofer Demay, Arnaud Lebrun @ DEF CON 24 (2016)
- Cantact: An Open Tool for Automotive Exploitation - Eric Evenchick @ Black Hat Asia (2016)
- canTot A CAN Bus Hacking Framework - Jay Turla @ DEF CON 30 Car Hacking Village (2022)
- Deep Learning on CAN BUS - Jun Li @ DEF CON 24 Car Hacking Village (2016)
- Free-Fall: Hacking Tesla from Wireless to CAN Bus - Ling Liu, Sen Nie & Yuefeng Du @ Black Hat USA (2017)
- Fuzzing CAN / CAN FD ECU's and Network - Samir Bhagwat @ DEF CON 29 Car Hacking Village (2021)
- Hopping on the CAN Bus - Eric Evenchick @ Black Hat USA (2015)
- A Fuzz Testing Methodology for Cyber-security Assurance of the Automotive CAN Bus - Daniel S. Fowler, Coventry University (2019)
- cantools - Python library to play with CAN databases & messages
- opendbc - A list of CAN databases retrieved from reverse-engineered cars
- python-can - Python library to plug to various CAN connectors
Name | CC-Link IE |
---|---|
Alias | CSP+, CC-Link, CC-Link IE TSN, CC-Link IE Control, CC-Link IE Field, CC-Link IE Field Basic |
Description | Industrial Ethernet communication network developed by the CC-Link Partner Association (CLPA) |
Keywords | Mitsubishi, CLPA |
Access | Free |
Specifications | CSP+ specification |
Detailed page | cc-link-ie.md |
- CC-Link IE Field Network playlist - Mitsubishi Training
Name | CIP |
---|---|
Alias | Common Industrial Protocol |
Description | ODVA's protocol suite for industrial automation communication |
Keywords | ODVA, Ethernet/IP, DeviceNet, ControlNet, CompoNet |
Wireshark dissector | packet-cip.c |
Example Pcap(s) | S4x15 ICS Village PCAP Files |
Detailed page | cip.md |
- Common Industrial Protocol (CIP) - Overview on ODVA.org
- CompoNet - Overview on ODVA.org
- ControlNet - Overview on ODVA.org
- DeviceNet - Overview on ODVA.org
- Ethernet/IP - Overview on ODVA.org
- Hunting EtherNet/IP Protocol Stacks - Sharon Brizinov @ SANS ICS Security Summit 2022
Name | CODESYS |
---|---|
Description | Programmable logic controller (PLC) development, communication protocol and runtime environment. |
Port | 1200/tcp |
Nmap script(s) | codesys-v2-discover.nse |
Detailed page | codesys.md |
- Analyzing PIPEDREAM - Challenges in Testing an ICS Attack Toolkit - Jimmy Wylie @ DEF CON 30 (2022)
- CoDe16; 16 Zero-Day Vulnerabilities Affecting CODESYS Framework Leading to Remote Code Execution - Vladimir Eliezer Tokarev @ Black Hat USA (2023)
Name | Crimson |
---|---|
Alias | Cr3 |
Description | Red Lion's programming protocol |
Port | 789/tcp |
Nmap script(s) | cr3-fingerprint.nse |
Wireshark dissector | cr3.lua |
Detailed page | crimson.md |
- Analysing the Attack Surface of an Industrial Data Acquisition Device - Overview of a Red Lion device using Crimson 3 (Andrew Ramsdale, 2019)
Name | CSPv4 |
---|---|
Alias | AB CSPv4, AB/Ethernet |
Description | Allen-Bradley's protocol for industrial Ethernet communication |
Keywords | Allen-Bradley, PCCC |
Port | 2222/tcp |
Nmap script(s) | cspv4-info.nse |
Detailed page | cspv4.md |
Name | DeviceNet |
---|---|
Description | CAN-based industrial automation network for device-level communication |
Keywords | CAN, CIP |
Wireshark dissector | packet-devicenet.c |
Detailed page | devicenet.md |
- Common Industrial Protocol (CIP) and the family of CIP networks - ODVA publication (2016)
- DeviceNet - Overview on ODVA.org
- DeviceNet and Ethernet/IP - Blog post on RTAutomation
Name | DF1 |
---|---|
Alias | DF-1 |
Description | Allen-Bradley serial communication protocol for industrial automation devices |
Keywords | PCCC, Allen-Bradley |
Access | Free |
Specifications | DF1 specification |
Detailed page | df1.md |
- AB/DF1 Protocol Tips - Lynn's Industrial Automation Protocol Tips blog
- abdf1 - AB DF1 Protocol RS232 driver for Micrologix, SLC500, PLC 5
- Df1 - Df1 protocol for Allen-Bradley PLC
Name | DICOM |
---|---|
Alias | DCM |
Description | Communication and management of medical imaging information |
Keywords | Radiography, Medical |
Port | 104/tcp |
Access | Free |
Specifications | DICOM Standard |
Nmap script(s) | dicom-ping.nse |
Wireshark dissector | packet-dcm.c |
Detailed page | dicom.md |
- Attack surfaces of smart medical infrastructure - Denis Makrushin (@difezza) @ Insomni'Hack (2019)
- Hacking a Hospital for Fun and Profit - Asaf Cohen & Ofir Kamil @ Hack In The Box (2018)
- How to Hack Medical Imaging Applications via DICOM - Maria Nedyak @ Hack In The Box (2020)
- I Am Not a Doctor but I Play One on Your Network - Tim Elrod & Stefan Morris @ DEF CON 19 (2011)
- Millions of Patient Records at Risk: The Perils of Legacy Protocols - @ Black Hat (2024)
- Understanding, Attacking & Securing Medical Devices - Ajay Pratap Singh @ Hack In The Box (2019)
- DCMTK - DICOM ToolKit
- dicom-server - Microsoft's OSS Implementation of DICOMweb standard
- pydicom - Python package to read, modify and write DICOM files
Name | DNP3 |
---|---|
Alias | Distributed Network Protocol |
Description | Industrial communication protocol for remote monitoring and control of automation systems |
Keywords | Power grid, Water |
Port | 20000/tcp, 20000/udp |
Access | Paid |
Specifications | IEEE 1815-2012 |
Security | Optional authentication, optional encryption with TLS |
Nmap script(s) | dnp3-info.nse |
Wireshark dissector | packet-dnp.c |
Example Pcap(s) | ICS-pcap DNP3 |
Detailed page | dnp3.md |
- Common Flaws in ICS Network Protocols - Mars Cheng & Selmon Yang @ Hack In The Box (2020)
- NSM 101 for ICS - Chris Sistrunk @ DEF CON 23 101 Track (2015)
- SCADA Protocol Implementation Considerations | SANS ICS Concepts - @ SANS ICS Security (2022)
- Sniffing SCADA - Karl Koscher @ DEF CON 23 Packet Capture Village (2015)
- Unraveling SCADA Protocols Using Sulley Fuzzer - Ganesh Devarajan @ DEF CON 15 (2014)
- dnp3-simulator - .NET DNP3 simulator with GUI
- FreyrSCADA DNP3 - DNP3 Protocol - Outstation Server and Client Master Simulator
- gec/dnp3 - Open source Distributed Network Protocol
- gec/dnp3slavesim - Parallel dnp3 slave simulator
- opendnp3 - DNP3 (IEEE-1815) protocol stack. Modern C++ with bindings for .NET and Java
- Step Function I/O DNP3 - Rust implementation of DNP3 (IEEE 1815) with idiomatic bindings for C, .NET, C++, and Java
Name | Ether-S-I/O |
---|---|
Alias | EtherSIO, ESIO |
Description | Proprietary protocol for Saia PCD controller I/O communication |
Keywords | SAIA |
Port | 6060/udp |
Wireshark dissector | packet-esio.c |
Example Pcap(s) | ICS-pcap Ether-S-I/O |
Detailed page | ether-s-io.md |
Name | EtherCAT |
---|---|
Alias | ECATF, ECAT |
Description | Real-time industrial Ethernet communication protocol for automation systems |
Port | 34980/udp |
Scapy layer | ethercat.py |
Example Pcap(s) | ICS-pcap EtherCAT |
Detailed page | ethercat.md |
- Industrial Network Options: EtherCAT Advantages, Challenges, and Specs - Carlos Aguilar, Control Automation (2023)
Name | Ethernet/IP |
---|---|
Alias | Enip |
Description | Ethernet-based industrial communication protocol for industrial automation systems |
Keywords | CIP |
Port | 44818/tcp, 2222/udp |
Access | Paid |
Specifications | Ethernet/IP Specifications |
Nmap script(s) | enip-info.nse, enip-enumerate.nse |
Wireshark dissector | packet-enip.c |
Scapy layer | enipTCP.py |
Example Pcap(s) | ICS-pcap Ethernet/IP, ICS-pcap EIP |
Detailed page | ethernetip.md |
- Common Industrial Protocol (CIP) and the family of CIP networks - ODVA publication (2016)
- Ethernet/IP - Overview on ODVA.org
- Fuzzing and PR’ing: How We Found Bugs in a Popular Third-Party EtherNet/IP Protocol Stack - Sharon Brizinov, Tal Keren (Claroty, 2021)
- Common Flaws in ICS Network Protocols - Mars Cheng & Selmon Yang @ Hack In The Box (2020)
- Hunting EtherNet/IP Protocol Stacks - Sharon Brizinov @ SANS ICS Security Summit 2022
- CIPster - Ethernet/IP (Common Industrial Protocol) stack in C++
- cpppo - Communications Protocol Python Parser and Originator -- EtherNet/IP CIP
- enip-stack-detector - EtherNet/IP & CIP Stack Detector
- OpENer - EtherNet/IP stack for I/O adapter devices
- pycomm3 - A Python Ethernet/IP library for communicating with Allen-Bradley PLCs
- scapy-cip-enip - Ethernet/IP dissectors for Scapy
Name | ETP |
---|---|
Description | Energistics' protocol for interoperable oil and gas data exchange |
Keywords | Energistics |
Detailed page | etp.md |
Name | FF-HSE |
---|---|
Alias | Foundation Fieldbus HSE, FF |
Description | Ethernet-based communication for industrial process automation devices |
Port | 1089/tcp, 1090/tcp, 1091/tcp, 1089/udp, 1090/udp, 1091/udp |
Wireshark dissector | packet-ff.c |
Detailed page | ff-hse.md |
Name | FINS |
---|---|
Alias | OMRON |
Description | Omron's industrial communication protocol for automation systems |
Port | 9600/udp |
Nmap script(s) | omrontcp-info.nse, omronudp-info.nse |
Wireshark dissector | packet-omron-fins.c |
Detailed page | fins.md |
- Analyzing PIPEDREAM - Challenges in Testing an ICS Attack Toolkit - Jimmy Wylie @ DEF CON 30 (2022)
- Common Flaws in ICS Network Protocols - Mars Cheng & Selmon Yang @ Hack In The Box (2020)
Name | FL-net |
---|---|
Alias | Factory LAN, OPCN-2 |
Description | Japan Electrical Manufacturers' Association's industrial-use open network |
Keywords | JEMA |
Port | 55000/udp, 55001/udp, 55002/udp, 55003/udp |
Access | Free |
Specifications | FL-net specification |
Detailed page | fl-net.md |
Name | FOCAS |
---|---|
Description | Standard protocol for collecting data from Fanuc CNC machines |
Keywords | Fanuc, CNC |
Port | 8193/tcp |
Detailed page | focas.md |
- Exploring Fanuc FOCAS Connectivity - Machine Metrics
Name | GE-SRTP |
---|---|
Alias | Fanuc |
Description | General Electric's protocol for communication between GE devices and SCADA |
Port | 18245/tcp |
Detailed page | ge-srtp.md |
Name | GVCP |
---|---|
Description | GigE Vision communication protocol for industrial cameras |
Keywords | GigE Vision, Camera |
Port | 3956/udp |
Specifications | GigE Vision Standard |
Wireshark dissector | packet-gvcp.c |
Detailed page | gvcp.md |
- GVCP packets - Details about GVCP packets from Aravis' documentation
- GigeVision - Simple GigeVision implementation with GVCP and GVSP
Name | GVSP |
---|---|
Description | GigE Vision stream protocol for industrial cameras |
Keywords | GigE Vision, Camera |
Port | 20202/udp |
Specifications | GigE Vision Standard |
Wireshark dissector | packet-gvsp.c |
Detailed page | gvsp.md |
- GigeVision - Simple GigeVision implementation with GVCP and GVSP
Name | HART-IP |
---|---|
Alias | HART, WirelessHART |
Description | IP-based communication protocol for HART (ICS) data transmission |
Wireshark dissector | packet-hartip.c |
Example Pcap(s) | ICS-pcap HART-IP |
Detailed page | hart-ip.md |
- WirelessHART Radio Communication Standard - Lessons in Industrial Automation textbook, Control Automation
- Dissecting Industrial Wireless Implementations - Blake Johnson @ DEF CON 25 ICS Village (2017)
- DTM Components: Shadow Keys to the ICS Kingdom - Alexander Bolshev and Gleb Cherbov @ Black Hat Europe (2014)
- ICSCorsair: How I Will PWN Your ERP Through 4-20 mA Current Loop - Alexander Bolshev and Gleb Cherbov @ Black Hat USA (2014)
- It WISNt Me Attacking Industrial Wireless Mesh Networks - Paternotte and van Ommeren @ DEF CON 25 (2018)
Name | HICP |
---|---|
Alias | SHICP |
Description | HMS IP Configuration Protocol |
Keywords | Anybus |
Port | 3250/udp |
Wireshark dissector | packet-hicp.c, packet-shicp.c |
Scapy layer | hicp.py |
Detailed page | hicp.md |
Name | HL7 |
---|---|
Description | Standard for healthcare data exchange and interoperability |
Wireshark dissector | packet-hl7.c |
Detailed page | hl7.md |
- #HITB2017AMS D2T2 - Hacking Medical Devices And Healthcare Infrastructure - Anirudh Duggal - @ Hack In The Box (2017)
- Healthscare – An Insider's Biopsy of Healthcare Application Security - @ Black Hat (2021)
- HL7Magic Medical Data Hacking Made Easy - Katie Inns @ DEF CON 31 (2023)
- I Am Not a Doctor but I Play One on Your Network - Tim Elrod & Stefan Morris @ DEF CON 19 (2011)
- Pestilential Protocol: How Unsecure HL7 Messages Threaten Patient Lives - Christian Dameff, Jeffrey Tully & Maxwell Bland @ Black Hat USA (2018)
- Playing with FHIR - Alissa Knight, Mitch Parker @ DEF CON 29 Biohacking Village (2021)
- Understanding HL7 2.X Standards, Pen Testing, and Defending HL7 2.X Messages - Anirudh Duggal @ Black Hat USA (2016)
Name | ICCP |
---|---|
Alias | IEC 60870-6, TASE.2 |
Description | Real-time data exchange between power system control centers |
Keywords | Power |
Port | 102/tcp |
Access | Paid |
Specifications | ICCP (TASE.2) specification |
Detailed page | iccp.md |
- Unraveling SCADA Protocols Using Sulley Fuzzer - Ganesh Devarajan @ DEF CON 15 (2014)
Name | IEC-60870-5-104 |
---|---|
Alias | IEC-104 |
Description | Grid communication protocol for control and monitoring |
Port | 2404/tcp |
Access | Paid |
Specifications | IEC-60870-5-104 Specification |
Nmap script(s) | iec-identify.nse |
Wireshark dissector | packet-iec104.c |
Scapy layer | iec104.py |
Example Pcap(s) | ICS-pcap IEC-60870-5-104, Industroyer2 pcap samples |
Detailed page | iec-60870-5-104.md |
- Industroyer/Crashoverride: Zero Things Cool About a Threat Group Targeting the Power Grid - Anton Cherepanov, Ben Miller, Joe Slowik, Robert Lee, and Robert Lipovsky @ Black Hat USA (2017)
- Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid Again - Robert Lipovsky & Anton Cherepanov @ Black Hat USA (2022)
- Description and analysis of IEC 104 Protocol - Technical report by Petr Matousek @ Faculty of Information Technology, Czech Republic (2017)
- FreyrSCADA IEC-60870-5-104 - IEC 60870-5-104 Protocol - RTU Server and Master Client Simulator
- lib60870 - Implementation of the IEC 60870-5-101/104 protocol
Name | IEC-61850 |
---|---|
Alias | IEC-61850/GOOSE, IEC-61850/GSSE, IEC-61850/SV |
Description | Communication networks and systems for power utility automation |
Keywords | Power grid |
Access | Paid |
Specifications | IEC 61850 Specification |
Wireshark dissector | packet-goose.c, packet-sv.c |
Detailed page | iec-61850.md |
- Fuzz Testing IEC 61850 - Markus Mahrla @ CS3STHLM 2019
- libiec61850 - Open-source library for the IEC 61850 protocols
Name | IEEE-C37.118 |
---|---|
Alias | C37.118, Synchrophasor, Synphasor |
Description | Standard for synchrophasor data exchange in power systems |
Keywords | Power |
Wireshark dissector | packet-synphasor.c |
Detailed page | ieee-c37118.md |
- OpenPDC - Open Source Phasor Data Concentrator
- PyMU - Library based on the C37.118.2-2011 standard used for accessing PMU data in real-time
Name | ISA100.11a |
---|---|
Description | Wireless standard for industrial automation and control systems |
Detailed page | isa10011a.md |
- It WISNt Me Attacking Industrial Wireless Mesh Networks - Paternotte and van Ommeren @ DEF CON 25 (2018)
Name | KNXnet/IP |
---|---|
Alias | KNX, KNX/IP, Konnex |
Description | Protocol for home and building automation systems |
Keywords | BMS, BAS, Building |
Port | 3671/udp |
Access | Free |
Specifications | KNXnet/IP Specifications |
Security | Optional, Security extensions available |
Nmap script(s) | knx-gateway-discover.nse, knx-gateway-info.nse |
Wireshark dissector | packet-knxip.c |
Scapy layer | knx.py |
Detailed page | knxnetip.md |
- knx.org - KNX official website
- (in)Security in Building Automation: How to Create Dark Buildings with Light Speed - Thomas Brandstetter @ Black Hat USA (2017)
- InSecurity in Building Automation - Thomas Brandstetter @ DEF CON 25 ICS Village (2017)
- Learn how to control every room at a luxury hotel remotely - Jesus Molina @ DEF CON 22 (2015)
- Learn How to Control Every Room at a Luxury Hotel Remotely - Jesus Nomeames @ Black Hat USA (2014)
- Pwning KNX & ZigBee Networks - HuiYu Wu, YuXiang Li & Yong Yang @ Hack In The Box (2018)
- Sneak into buildings with KNXnet/IP - Claire Vacherot @ DEF CON 29 (2021)
- An Overview of Wireless IoT Protocol Security in the Smart Home Domain - Stefan Marksteiner, Víctor Juan Expósito Jiménez, Heribert Vallant, Herwig Zeiner (2018)
- BOF - Testing framework for industrial protocols
- calimero - Lightweight KNX/IP framework in Java
- ETS - Engineering Tool Software for KNXnet/IP (ETS Demo is free)
- KNX Virtual - Windows-based application simulating a KNX installation
- knxd - KNXd service
- KNXmap - KNXnet/IP scanning and auditing tool
- Unpwning A Building - Peter Panholzer @ S4x22 (2022)
- XKNX - A KNX library written in Python
Name | LIS |
---|---|
Alias | LIS01-A2, LIS02-A2 |
Description | Protocol to transfer messages between clinical laboratory instruments and computer systems. |
Keywords | CLSI, Healthcare, Medical |
Port | 1520 |
Access | Paid |
Specifications | CLSI LIS01-A1 Specifications |
Detailed page | lis.md |
Name | LoRaWAN |
---|---|
Alias | LoRa |
Description | Long-range IoT communication protocol with low power requirements |
Keywords | Wireless |
Access | Free |
Specifications | LoRaWAN specification |
Wireshark dissector | packet-lorawan.c |
Detailed page | lorawan.md |
- #HITB2021AMS D2T2 - Security Analysis And Practical Attacks Of LPWAN - YuXiang Li & Wu HuiYu - @ Hack In The Box (2021)
- #HITBCyberWeek D3T1 - LoRaWAN Auditing - E. Martínez Fayó, M. Sequeira and C. Cerrudo - @ Hack In The Box (2020)
- Can you hear me now DEF CON - wasabi @ DEF CON 26 Wireless Village (2018)
- Lora Smart Water Meter Security Analysis - Zeng and Panel @ DEF CON 26 (2018)
- Outsmarting the Smart City - Daniel Crowley, Jennifer Savage and Mauro Paredes @ Black Hat USA (2018)
- Reversing LoRa Deconstructing a Next Gen Proprietary LP - Matt Knight @ DEF CON 24 Wireless Village (2016)
- ChirpOTLE - LoRaWAN Security Evaluation Framework
- ChirpStack Network Server - Open-source LoRaWAN network-server
- lorawan-server - Compact server for private LoRaWAN networks
- lorawan-stack - Open Source LoRaWAN Network Server
Name | LSV/2 |
---|---|
Alias | LSV2 |
Description | Communication protocol for Computer Numerical Control |
Keywords | CNC, Heidenhain |
Access | Paid |
Detailed page | lsv2.md |
- Collecting Data with the LSV/2 Protocol - General information about the protocol LSV/2
- pyLSV2 - A pure Python3 implementation of the LSV2 protocol
Name | M-Bus |
---|---|
Alias | Meter-Bus, EN13757 |
Description | Communication protocol for utility metering devices |
Access | The old specification is free, not the current one |
Specifications | M-Bus specification |
Detailed page | m-bus.md |
- FuxNet: The New ICS Malware that Targets Critical Infrastructure Sensors - Noam Moshe @ SANS ICS Security (2024)
Name | MDLC |
---|---|
Description | Motorola Data Link Control protocol |
Keywords | Motorola |
Detailed page | mdlc.md |
- ICEFALL - Revisiting A Decade Of OT Insecure-By-Design Practices - Jos Wetzels @ Hack In The Box (2022)
Name | MELSEC |
---|---|
Alias | MEL-SEC, MELSEC-Q |
Description | Communication protocol for Mitsubishi Electric's MELSEC series of PLCs |
Keywords | Mitsubishi, MELSOFT |
Port | 5007/tcp, 5006/udp |
Nmap script(s) | melsecq-discover.nse, melsecq-discover-udp.nse |
Detailed page | melsec.md |
- Taking Apart and Taking Over ICS & SCADA Ecosystems - Mars Cheng & Selmon Yang @ DEF CON 29 (2021)
Name | Modbus |
---|---|
Alias | Modbus TCP |
Description | Widely used industrial communication protocol |
Port | 502/tcp |
Specifications | Modbus TCP Specification |
Nmap script(s) | modbus-discover.nse, modicon-info.nse |
Wireshark dissector | packet-mbtcp.c |
Scapy layer | modbus.py |
Example Pcap(s) | ICS-pcap Modbus, S4x15 ICS Village PCAP Files |
Detailed page | modbus.md |
- Modbus Mesulog Standard Functions Help - Description for Modbus standard functions
- Articles about Modbus - Ozeki
- Introduction to Modbus and Modbus Function Codes - Shawn Dietrich, Control Automation (2023)
- Analyzing PIPEDREAM - Challenges in Testing an ICS Attack Toolkit - Jimmy Wylie @ DEF CON 30 (2022)
- Common Flaws in ICS Network Protocols - Mars Cheng & Selmon Yang @ Hack In The Box (2020)
- Fun with Modbus 0x5a Nothing New Still Relevant? - Arnaud Soullié @ DEF CON 25 ICS Village (2017)
- Industrial Control Systems : Pentesting PLCs 101 (Part 1/2) - Arnaud Soullie @ Black Hat Europe (2014)
- Industrial Control Systems : Pentesting PLCs 101 (Part 2/2) - Arnaud Soullie @ Black Hat Europe (2014)
- Industrial Protocol Gateways Under Analysis - Marco Balduzzi @ Black Hat USA (2020)
- Industrial Protocol Gateways: A Deep-Dive of Moxa MGate 5105-MB-EIP - Philippe Lin @ Hack In The Box (2020)
- Modbus Enumeration | SANS ICS Concepts - @ SANS ICS Security (2021)
- Modbus Man-In-The-Middle | SANS ICS Concepts - @ SANS ICS Security (2021)
- Modbus Traffic Analysis | SANS ICS Concepts - @ SANS ICS Security (2021)
- ModScan: A SCADA MODBUS Network Scanner - Mark Bristow @ DEF CON 16 (2013)
- Out of Control: Demonstrating SCADA device exploitation - Eric Forner & Brian Meixell @ Black Hat USA (2013)
- Stealing PLC Intellectual Property: A Red Teaming Story - Matteo Beccaro @ Hack In The Box (2017)
- The SCADA That Didn't Cry Wolf- Who's Really Attacking Your ICS Devices - Kyle Wilhoit @ Black Hat USA (2013)
- Understanding SCADA's Modbus Protocol - Justin Searle @ Black Hat Asia (2015)
- Unraveling SCADA Protocols Using Sulley Fuzzer - Ganesh Devarajan @ DEF CON 15 (2014)
- ctmodbus - A tool to interact with the Modbus protocol
- Malmod - Scripts to attack Modicon M340 via UMAS
- mbtget - A simple Modbus/TCP client in Perl
- PyModbus - A full modbus protocol written in python
Name | MQTT |
---|---|
Description | Publish-subscribe network protocol for message queues |
Keywords | Telemetry |
Nmap script(s) | mqtt-subscribe.nse |
Wireshark dissector | packet-mqtt.c |
Scapy layer | mqtt.py |
Detailed page | mqtt.md |
- Not Just Another IIoT Article: MQTT for Pneumatic Cylinder Maintenance - Shawn Dietrich, Control Automation (2023)
- Choo Choo, Network Train - The One to Rule Your Perimeter - Martin Hron @ Black Hat Europe (2022)
- Light Weight Protocol: Critical Implications - Lucas Lundgren, Neal Hindocha @ DEF CON 24 (2016)
- When Machines Can't Talk - Federico Maggi & Davide Quarta @ Black Hat Europe (2018)
Name | MTConnect |
---|---|
Alias | ANSI/MTC1.4-2018 |
Description | Protocol for data exchange between manufacturing equipment, devices, and software applications |
Keywords | CNC |
Port | 7878/tcp |
Detailed page | mtconnect.md |
- MTConnect.org - MTConnect official website
- How to Collect Data Using MTConnect - Machine Metrics
- Abusing CNC Technologies - Marco Balduzzi @ Black Hat Europe (2022)
- An Analysis Of Computer Numerical Control Machines In Industry 4.0 - Marco Balduzzi @ Hack In The Box (2023)
Name | Niagara Fox |
---|---|
Alias | Fox |
Description | Communication protocol used by Tridium Niagara devices |
Keywords | Tridium |
Port | 1911/tcp, 3011/tcp, 4911/tcp, 5011/tcp |
Nmap script(s) | fox-info.nse |
Detailed page | niagara-fox.md |
- foxdissector - Wireshark dissector for the Niagara Fox protocol in Lua
Name | OPC-DA |
---|---|
Alias | OPCDA |
Description | Legacy protocol for real-time data exchange in industrial systems |
Scapy layer | opc_da.py |
Detailed page | opc-da.md |
- Adventures in Attacking Wind Farm Control Networks - @ Black Hat (2018)
- DEF CON 25 Conference - Jason Staggs - Breaking Wind: Adventures Hacking Wind Farm Control Networks - @ DEF CON (2017)
- Open Platform Communications (OPC) | SANS ICS Concepts - @ SANS ICS Security (2021)
- Exploring the OPC attack surface - Claroty Team82 (2021)
- OPC Data Access IDAPython script - IDA Pro script to reverse engineer binaries containing OPC DA (ESET)
Name | OPC-UA |
---|---|
Alias | OPCUA |
Description | Open communication standard for industrial automation and control |
Port | 4840/tcp, 4840/udp, 4843/tcp (TLS) |
Specifications | OPC UA online reference |
Wireshark dissector | OPC-UA Plugin |
Detailed page | opc-ua.md |
- OPC UA Deep Dive (Part 1): History of the OPC UA Protocol - Claroty Team82 (2023)
- OPC UA Deep Dive (Part 2): What is OPC UA? - Claroty Team82 (2023)
- OPC UA Deep Dive (Part 3): Exploring the OPC UA Protocol - Claroty Team82 (2023)
- OPC UA Deep Dive Series (Part 4): Targeting Core OPC UA Components - Claroty Team82 (2023)
- OPC UA Deep Dive Series (Part 5): Inside Team82’s Research Methodology - Claroty Team82 (2023)
- Practical example of fuzzing OPC UA applications - Kaspersky ICS-CERT (2020)
- Understanding the OPC Unified Architecture (OPC UA) Protocol - Anthony King Ho, Control Automation (2023)
- A Broken Chain: Discovering OPC UA Attack Surface and Exploiting the Supply Chain - Eran Jacob @ Black Hat USA (2021)
- Analyzing PIPEDREAM - Challenges in Testing an ICS Attack Toolkit - Jimmy Wylie @ DEF CON 30 (2022)
- Exploiting OPC UA - Practical Attacks Against OPC UA Architectures - Sharon Brizinov, Noam Moshe @ DEF CON 31 (2023)
- Exploiting OPC-UA in Every Possible Way: Practical Attacks Against Modern OPC-UA Architectures - Sharon Brizinov & Noam Moshe @ Black Hat USA (2023)
- Open Platform Communications (OPC) | SANS ICS Concepts - @ SANS ICS Security (2021)
- Resting on Feet of Clay: Securely Bootstrapping OPC UA Deployments - Alessandro Erba & Nils Ole Tippenhauer @ Black Hat Europe (2021)
- Exploring the OPC attack surface - Claroty Team82 (2021)
- OPC UA Security Analysis - German Federal office for Information Security (2022)
- Security Analysis of Vendor Implementations of the OPC UA Protocol for Industrial Control Systems - Alessandro Erba, Anne Müller, Nils Ole Tippenhauer (2021)
- freeopcua - Open Source C++ OPC-UA Server and Client Library
- OpalOPC - OPC UA vulnerability and misconfiguration scanner
- opcua-asyncio - Asyncio-based asynchronous OPC UA client and server based on python-opcua
- opcua-client-gui - Simple OPC-UA GUI client
- python-opcua - OPC UA Client and Server in Python
- UA-.NETStandard - Official OPC UA .NET Standard Stack from the OPC Foundation
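Before any SecureChannel or session exists, an OPC UA client and server negotiate transport limits with a plaintext HEL/ACK exchange on 4840/tcp. The example below is added here to show that framing concretely; it is written in pure Python with `struct` only and is not code from python-opcua, opcua-asyncio, UA-.NETStandard or any other project listed above. The endpoint URL and the sample ACK bytes are placeholders constructed for the example, not captured traffic.

```python
"""OPC UA TCP handshake framing: build a HEL message and validate an ACK reply.

Layout follows OPC UA Part 6 (UA-TCP binary): every message starts with
MessageType (3 ASCII bytes), ChunkType ('F' = final chunk) and a little-endian
UInt32 MessageSize covering the whole message, header included.
"""
import struct

HEADER = struct.Struct("<3scI")   # MessageType, ChunkType, MessageSize
LIMITS = struct.Struct("<IIIII")  # ProtocolVersion, ReceiveBufferSize, SendBufferSize,
                                  # MaxMessageSize, MaxChunkCount
MIN_BUFFER = 8192                 # Part 6: buffer sizes below this are invalid


def build_hello(endpoint_url, receive_buffer=65536, send_buffer=65536,
                max_message=0, max_chunks=0):
    """Return the bytes of a HEL message announcing our limits for endpoint_url.
    A 0 for MaxMessageSize/MaxChunkCount means 'no limit'."""
    url = endpoint_url.encode("utf-8")
    body = LIMITS.pack(0, receive_buffer, send_buffer, max_message, max_chunks)
    body += struct.pack("<i", len(url)) + url     # OPC UA String: Int32 length + UTF-8
    return HEADER.pack(b"HEL", b"F", HEADER.size + len(body)) + body


def parse_ack(data):
    """Validate a server reply to HEL and return the server's limits as a dict.

    Raises ValueError for ERR messages, truncated or oversized frames and
    out-of-spec buffer sizes, so a hostile or broken endpoint cannot make the
    client allocate absurd buffers or read past the end of the frame."""
    if len(data) < HEADER.size:
        raise ValueError("reply shorter than the UA-TCP header")
    mtype, ctype, size = HEADER.unpack_from(data)
    if mtype == b"ERR":
        # ERR body: UInt32 StatusCode followed by a Reason string
        if len(data) < HEADER.size + 4:
            raise ValueError("truncated ERR message")
        code, = struct.unpack_from("<I", data, HEADER.size)
        raise ValueError("server sent ERR, StatusCode 0x%08X" % code)
    if mtype != b"ACK" or ctype != b"F":
        raise ValueError("unexpected message %r/%r" % (mtype, ctype))
    if size != HEADER.size + LIMITS.size or size != len(data):
        raise ValueError("bad MessageSize %d for ACK" % size)
    version, rx, tx, max_msg, max_chunks = LIMITS.unpack_from(data, HEADER.size)
    if rx < MIN_BUFFER or tx < MIN_BUFFER:
        raise ValueError("buffer sizes below the 8192-byte minimum")
    return {"ProtocolVersion": version, "ReceiveBufferSize": rx,
            "SendBufferSize": tx, "MaxMessageSize": max_msg,
            "MaxChunkCount": max_chunks}


# Constructed ACK, as a server would answer a HEL (placeholder, not a capture).
SAMPLE_ACK = HEADER.pack(b"ACK", b"F", HEADER.size + LIMITS.size) + \
    LIMITS.pack(0, 65536, 65536, 16777216, 4096)

if __name__ == "__main__":
    hello = build_hello("opc.tcp://127.0.0.1:4840")  # placeholder endpoint URL
    print(hello.hex())
    print(parse_ack(SAMPLE_ACK))
```

To use it against a live endpoint, send `build_hello(...)` over a TCP socket to port 4840 and feed the first reply to `parse_ack`; everything after this point (OpenSecureChannel, CreateSession) is where the security-policy and certificate checks discussed in the Claroty and BSI material above come into play, so a server that already misbehaves at HEL/ACK is a good early signal for a fuzzing target.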
Name | PC-WORX |
---|---|
Description | Software suite with proprietary protocol for Phoenix Contact PLCs |
Keywords | Phoenix Contact |
Port | 1962/tcp |
Nmap script(s) | pcworx-info.nse |
Detailed page | pc-worx.md |
Name | PCCC |
---|---|
Alias | AB/PCCC |
Description | Legacy command/response protocol for Allen-Bradley PLC communication |
Keywords | Allen-Bradley |
Detailed page | pccc.md |
- AB/PCCC Protocol Tips - Lynn's Industrial Automation Protocol Tips blog
- Ethernet/IP PCCC Service Codes - Lynn's Industrial protocols over IP blog
Name | POWERLINK |
---|---|
Alias | Ethernet PowerLink, EPL |
Description | Real-time Ethernet protocol for industrial automation and control |
Port | Ethernet |
Wireshark dissector | packet-epl.c |
Example Pcap(s) | ICS-pcap POWERLINK |
Detailed page | powerlink.md |
- Quick Start - POWERLINK on Raspberry Pi2 - Kalycito, 2018 (Web Archive, domain expired)
- openCONFIGURATOR - Open-source POWERLINK network configuration toolkit
- openPOWERLINK_V2 - GitHub page to openPOWERLINK protocol stack release 2
Name | ProConOs |
---|---|
Description | PLC runtime system (KW-Software, now Phoenix Contact) with a proprietary protocol for industrial automation and control |
Port | 20547/tcp |
Nmap script(s) | proconos-info.nse |
Detailed page | proconos.md |
Name | Profinet-DCP |
---|---|
Alias | PNDCP |
Description | Device identification, configuration, and network management protocol |
Port | Ethernet |
Scapy layer | pnio_dcp.py |
Detailed page | profinet-dcp.md |
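DCP is the layer-2 discovery and addressing protocol of Profinet: an Identify request is multicast to 01:0e:cf:00:00:00 and every Profinet device on the segment answers with its station name, device identity and IP parameters, with no authentication at any step (Set requests use the same framing and can rename or re-address a device). The example below is added here to show that exchange in pure Python; it is not code from Scapy's pnio_dcp.py or any other tool on this page. The source MAC, transaction ID and the sample response (including its vendor/device IDs) are constructed placeholders, not captured traffic.

```python
"""Profinet DCP Identify: build the multicast 'Identify All' request and parse
an Identify Response.

Layout per IEC 61158-6-10: Ethernet type 0x8892, FrameID 0xFEFE for an identify
request (0xFEFF for the response), then the DCP header ServiceID, ServiceType,
Xid, ResponseDelay (Reserved in responses), DCPDataLength, followed by blocks
(Option, Suboption, DCPBlockLength, [BlockInfo], data), each padded to an even length.
"""
import os
import struct

PN_ETHERTYPE = 0x8892
DCP_IDENTIFY_MCAST = bytes.fromhex("010ecf000000")
FRAMEID_IDENT_REQ, FRAMEID_IDENT_RES = 0xFEFE, 0xFEFF
SVC_IDENTIFY = 0x05
SVC_TYPE_REQUEST, SVC_TYPE_RESPONSE = 0x00, 0x01
OPT_IP, OPT_DEVICE, OPT_ALL = 0x01, 0x02, 0xFF
SUB_IP_PARAM, SUB_DEV_NAME, SUB_DEV_ID = 0x02, 0x02, 0x03


def identify_all_request(src_mac, xid=None, response_delay=0x0080):
    """Ethernet frame asking every Profinet device on the segment to identify itself."""
    if xid is None:
        xid = int.from_bytes(os.urandom(4), "big")
    block = struct.pack(">BBH", OPT_ALL, 0xFF, 0)           # AllSelector block, no payload
    dcp = struct.pack(">BBIHH", SVC_IDENTIFY, SVC_TYPE_REQUEST, xid,
                      response_delay, len(block)) + block
    frame = DCP_IDENTIFY_MCAST + src_mac + struct.pack(">HH", PN_ETHERTYPE, FRAMEID_IDENT_REQ) + dcp
    return frame.ljust(60, b"\x00")                           # minimum Ethernet frame size


def parse_identify_response(frame):
    """Decode an Identify Response into station name, vendor/device ID and IP parameters.
    Every block length is bounds-checked so a malformed reply raises instead of
    being silently misread."""
    if len(frame) < 26:
        raise ValueError("frame too short for an Ethernet + DCP header")
    ethertype, frame_id = struct.unpack(">HH", frame[12:16])
    if ethertype != PN_ETHERTYPE or frame_id != FRAMEID_IDENT_RES:
        raise ValueError("not a DCP identify response")
    svc, svc_type, xid, _reserved, dcp_len = struct.unpack(">BBIHH", frame[16:26])
    if svc != SVC_IDENTIFY or svc_type != SVC_TYPE_RESPONSE:
        raise ValueError("unexpected service %d/%d" % (svc, svc_type))
    if 26 + dcp_len > len(frame):
        raise ValueError("DCPDataLength exceeds frame")
    info = {"mac": frame[6:12].hex(":"), "xid": xid}
    off, end = 26, 26 + dcp_len
    while off + 4 <= end:
        opt, sub, blen = struct.unpack(">BBH", frame[off:off + 4])
        if blen < 2 or off + 4 + blen > end:
            raise ValueError("bad block length at offset %d" % off)
        data = frame[off + 6:off + 4 + blen]                  # skip the 2-byte BlockInfo
        if (opt, sub) == (OPT_DEVICE, SUB_DEV_NAME):
            info["name_of_station"] = data.decode("ascii", "replace")
        elif (opt, sub) == (OPT_DEVICE, SUB_DEV_ID) and len(data) >= 4:
            info["vendor_id"], info["device_id"] = struct.unpack(">HH", data[:4])
        elif (opt, sub) == (OPT_IP, SUB_IP_PARAM) and len(data) >= 12:
            info["ip"], info["netmask"], info["gateway"] = (
                ".".join(str(b) for b in data[i:i + 4]) for i in (0, 4, 8))
        off += 4 + blen + (blen & 1)                          # blocks are padded to even length
    return info


def _block(opt, sub, block_info, data):
    """Helper to build one response block (with padding) for the constructed sample."""
    body = struct.pack(">H", block_info) + data
    return struct.pack(">BBH", opt, sub, len(body)) + body + (b"\x00" if len(body) & 1 else b"")


# Constructed Identify Response (placeholder MACs, IDs and addresses, not a capture).
_BLOCKS = (_block(OPT_DEVICE, SUB_DEV_NAME, 0, b"plc-1")
           + _block(OPT_DEVICE, SUB_DEV_ID, 0, struct.pack(">HH", 0x002A, 0x0301))
           + _block(OPT_IP, SUB_IP_PARAM, 0x0001,
                    bytes([192, 168, 0, 10, 255, 255, 255, 0, 192, 168, 0, 1])))
SAMPLE_RESPONSE = (bytes.fromhex("001122334455") + bytes.fromhex("aabbccddeeff")
                   + struct.pack(">HH", PN_ETHERTYPE, FRAMEID_IDENT_RES)
                   + struct.pack(">BBIHH", SVC_IDENTIFY, SVC_TYPE_RESPONSE, 0x1234, 0, len(_BLOCKS))
                   + _BLOCKS)

if __name__ == "__main__":
    print(identify_all_request(bytes.fromhex("aabbccddeeff")).hex())
    print(parse_identify_response(SAMPLE_RESPONSE))
```

Sending the request needs a raw socket (`socket.AF_PACKET`, `socket.SOCK_RAW`) bound to the interface on the same broadcast domain as the devices; each reply is then a frame for `parse_identify_response`, which is the same enumeration step a Profinet engineering tool performs, which is why DCP traffic from an unexpected MAC is worth alerting on.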
Name | Profinet-IO |
---|---|
Alias | PNIO |
Description | Real-time communication between controllers and I/O devices |
Port | 34962/udp, 34963/udp, 34964/udp |
Scapy layer | pnio.py |
Detailed page | profinet-io.md |
- What Is the Difference Between Profibus and Profinet? - Antonio Armenta, Control Automation (2021)
Name | RTPS |
---|---|
Description | Real-Time Publish-Subscribe protocol, the wire protocol of the Data Distribution Service (DDS) |
Keywords | RTI, DDS |
Port | 7412/udp |
Wireshark dissector | packet-rtps.c |
Scapy layer | rtps |
Detailed page | rtps.md |
- The Data Distribution Service (DDS) Protocol is Critical: Let's Use it Securely! - Federico Maggi, Erik Boasson @ Black Hat EU 2021
Name | S-Bus |
---|---|
Alias | Ether-S-Bus, SAIA S-Bus |
Description | SAIA's communication protocol for building automation |
Keywords | SAIA |
Access | Free |
Wireshark dissector | packet-sbus.c |
Example Pcap(s) | ICS-pcap Ether-S-Bus |
Detailed page | s-bus.md |
- ICEFALL - Revisiting A Decade Of OT Insecure-By-Design Practices - Jos Wetzels @ Hack In The Box (2022)
Name | S7comm |
---|---|
Alias | S7, S7commPlus |
Description | Communication protocol for Siemens S7 PLCs |
Port | 102/tcp |
Nmap script(s) | s7-info.nse, s7-enumerate.nse |
Wireshark dissector | packet-s7comm.c |
Example Pcap(s) | ICS-pcap S7 |
Detailed page | s7comm.md |
- The Siemens S7 Communication - Part 1 General Structure - On GyM's Personal Blog (2016)
- The Siemens S7 Communication - Part 2 Job Requests and Ack Data - On GyM's Personal Blog (2017)
- Breaking Siemens SIMATIC S7 PLC Protection Mechanism - Gao Jian @ Hack In The Box (2021)
- A Decade After Stuxnet: How Siemens S7 is Still an Attacker's Heaven - @ Black Hat (2024)
- Fuzzing and Breaking Security Functions of SIMATIC PLCs - Gao Jian @ Black Hat Europe (2022)
- PLC-Blaster: A worm Living Solely In The PLC - Ralf Spenneberg, Maik Brueggemann & Hendrik Schwartke @ Black Hat Asia (2016)
- Rogue7: Rogue Engineering-Station Attacks on S7 Simatic PLCs - Uriel Malin, Sara Bitan, Avishai Wool and Eli Biham @ Black Hat USA (2019)
- The spear to break the security wall of S7CommPlus - Cheng Lei @ DEF CON 25 (2017)
- python-snap7 - A Python wrapper for the snap7 PLC communication library
- s7-pcaps - Traffic captures between STEP7/WinCC and S7-300/S7-400 PLCs
- s7scan - Scan networks to gather basic information about Siemens PLCs
- Snap7 - Step7 Open Source Ethernet Communication Suite
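Every tool above (Snap7, s7scan, the s7-info Nmap script) starts the same way: an ISO-on-TCP connection to 102/tcp whose COTP TSAPs select the CPU rack and slot, then an S7 "Setup Communication" job that negotiates the PDU size. S7comm classic has no authentication, so whoever completes this exchange can issue read and write jobs; that is the premise of the PLC-Blaster and Rogue7 talks. The example below is added here to show the three frames involved in pure Python; it is not code from Snap7, python-snap7 or any other listed project. The TSAP encoding used (0x01, then rack<<5 | slot) is the PG-connection convention used by STEP7 and Snap7; the sample reply is constructed, not a capture.

```python
"""S7comm (classic) session setup over ISO-on-TCP, port 102/tcp: COTP Connect
Request, S7 Setup Communication job, and parsing of the PLC's Ack_Data reply."""
import struct

TPKT_VERSION = 3
COTP_CR, COTP_DT = 0xE0, 0xF0
S7_PROTO_ID = 0x32
ROSCTR_JOB, ROSCTR_ACK, ROSCTR_ACK_DATA = 0x01, 0x02, 0x03
FUNC_SETUP_COMM = 0xF0


def tpkt(payload):
    """Wrap payload in a TPKT header (RFC 1006): version, reserved, total length."""
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(payload)) + payload


def cotp_connect_request(rack, slot, src_tsap=b"\x01\x00"):
    """COTP CR addressing the CPU at rack/slot; proposes a 1024-byte TPDU (code 0x0A)."""
    dst_tsap = bytes([0x01, (rack << 5) | slot])
    params = (b"\xC0\x01\x0A"                                   # TPDU size
              + b"\xC1" + bytes([len(src_tsap)]) + src_tsap     # calling TSAP
              + b"\xC2" + bytes([len(dst_tsap)]) + dst_tsap)    # called TSAP
    body = struct.pack(">BHHB", COTP_CR, 0x0000, 0x0001, 0x00) + params  # type, dst-ref, src-ref, class
    return tpkt(bytes([len(body)]) + body)


def s7_setup_communication(pdu_ref=1, max_amq=1, pdu_length=480):
    """S7 Job 'Setup Communication': proposes parallel-job counts and a PDU length."""
    param = struct.pack(">BBHHH", FUNC_SETUP_COMM, 0, max_amq, max_amq, pdu_length)
    header = struct.pack(">BBHHHH", S7_PROTO_ID, ROSCTR_JOB, 0, pdu_ref, len(param), 0)
    cotp_dt = bytes([2, COTP_DT, 0x80])                         # length, DT, EOT bit set
    return tpkt(cotp_dt + header + param)


def parse_s7(frame):
    """Strip TPKT and COTP DT, then decode the S7 header. Ack/Ack_Data PDUs carry an
    extra error class/code pair. All length fields are checked against the frame,
    so a truncated or lying reply raises instead of being misread."""
    if len(frame) < 7 or frame[0] != TPKT_VERSION:
        raise ValueError("not TPKT")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("TPKT length mismatch")
    cotp_len = frame[4]
    if frame[5] != COTP_DT:
        raise ValueError("expected COTP DT")
    s7 = frame[5 + cotp_len:]
    if len(s7) < 10 or s7[0] != S7_PROTO_ID:
        raise ValueError("not an S7comm PDU")
    _proto, rosctr, _res, pdu_ref, plen, dlen = struct.unpack(">BBHHHH", s7[:10])
    off = 10
    result = {"rosctr": rosctr, "pdu_ref": pdu_ref}
    if rosctr in (ROSCTR_ACK, ROSCTR_ACK_DATA):
        if len(s7) < 12:
            raise ValueError("truncated Ack header")
        result["error_class"], result["error_code"] = s7[10], s7[11]
        off = 12
    if len(s7) != off + plen + dlen:
        raise ValueError("parameter/data length mismatch")
    result["param"] = s7[off:off + plen]
    result["data"] = s7[off + plen:]
    return result


def negotiated_pdu_length(reply):
    """PDU length the PLC accepted in its Setup Communication Ack_Data."""
    p = parse_s7(reply)
    if p["rosctr"] != ROSCTR_ACK_DATA or p["param"][:1] != bytes([FUNC_SETUP_COMM]):
        raise ValueError("not a Setup Communication acknowledgement")
    if (p["error_class"], p["error_code"]) != (0, 0):
        raise ValueError("PLC rejected setup: class %d code %d"
                         % (p["error_class"], p["error_code"]))
    return struct.unpack(">H", p["param"][6:8])[0]


# Constructed Ack_Data reply (not a capture): PLC accepts 1 parallel job and a 240-byte PDU.
SAMPLE_ACK_DATA = bytes.fromhex("0300001b" "02f080" "320300000001000800000000" "f0000001000100f0")

if __name__ == "__main__":
    print(cotp_connect_request(0, 2).hex())
    print(s7_setup_communication().hex())
    print(negotiated_pdu_length(SAMPLE_ACK_DATA))
```

On the wire the sequence is: send the CR and expect a COTP CC (type 0xD0); send the Setup Communication job and keep the returned PDU length as the upper bound for every later read/write job. The negotiated value (240 bytes on older S7-300 CPUs, larger on S7-400/1200/1500) is also a cheap fingerprinting hint before moving to the SZL reads that s7-info.nse performs.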
Name | SECS/GEM |
---|---|
Alias | SECS, SECS-I, SECS-II, HSMS |
Description | Semiconductor equipment communication standard with generic equipment model |
Keywords | Semiconductor, MES |
Port | 5000/tcp (HSMS) |
Detailed page | secsgem.md |
Name | SERCOS-III |
---|---|
Alias | SERCOS |
Description | IEC standard universal bus for Ethernet-based real-time communication |
Wireshark dissector | packet-sercosiii.c |
Detailed page | sercos-iii.md |
Name | SLMP |
---|---|
Alias | Seamless Message Protocol |
Description | CC-Link's messaging protocol for industrial automation communication |
Keywords | Mitsubishi, CC-Link, CLPA |
Access | Free |
Specifications | SLMP specification |
Detailed page | slmp.md |
- PySLMPClient - Python client for SLMP
Name | SOME/IP |
---|---|
Description | Automotive Ethernet protocol for ECU communication over IP networks |
Keywords | Automotive, ECU |
Port | 30490/udp (SOME/IP-SD) |
Wireshark dissector | packet-someip.c |
Detailed page | someip.md |
- SOME-IP.com - Main website with resources about SOME/IP
- Automotive Ethernet Fuzzing - Jonghyuk Song, Soohwan Oh, Woongjo Choi @ DEF CON 30 (2022)
Name | TriStation |
---|---|
Alias | Triconex TriStation |
Description | Triconex's proprietary protocol for safety system communication |
Keywords | Triconex, TRITON |
Wireshark dissector | TriStation.lua |
Detailed page | tristation.md |
- Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure - Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer @ Mandiant (2017, updated 2022)
- How TRITON Disrupted Safety Systems & Changed the Threat Landscape of Industrial Control Systems - Andrea Carcano, Marina Krotofil & Younes Dragoni @ Black Hat USA (2018)
- Thru the Eyes of the Attacker: Designing Embedded Systems for ICS - Marina Krotofil & Jos Wetzels @ DEF CON 26 (2018)
- tricotools - Triconex TriStation utilities and tools
Name | TSAA |
---|---|
Description | Messaging protocol to read and write data to Triconex controllers |
Keywords | Triconex |
Detailed page | tsaa.md |
- Triconex System Access Application (TSAA) playlist - What Did You Learn Today (2021)
Name | UMAS |
---|---|
Description | Schneider Electric's proprietary protocol for programming and monitoring Modicon PLCs, carried over Modbus/TCP (502/tcp) using function code 90 (0x5A) |
Nmap script(s) | modicon-info.nse |
Wireshark dissector | modbus-umas-schneider.lua |
Detailed page | umas.md |
- Reverse of a Schneider network protocol - biero llagas (2022)
- The secrets of Schneider Electric’s UMAS protocol - Kaspersky ICS CERT (2022)
- The Unity (UMAS) protocol (Part I) - Liras en la red (2017)
- The Unity (UMAS) protocol (Part II) - Liras en la red (2017)
- The Unity (UMAS) protocol (Part III) - Liras en la red (2017)
- The Unity (UMAS) protocol (Part IV) - Liras en la red (2017)
- The Unity (UMAS) protocol (Part V) - Liras en la red (2017)
- Going Deeper Into Schneider Modicon PAC Security - Gao Jian @ Hack In The Box (2021)
- Nakatomi Space: Lateral Movement As L1 Post-Exploitation In OT - Jos Wetzels @ Hack In The Box (2023)
- Apache PLC4PY UMAS Driver - UMAS protocol implementation in Python including ability to read the data dictionary (2024)
- Malmod - Scripts to attack Modicon M340 via UMAS
Name | WITS |
---|---|
Alias | WITS0, WITSML |
Description | Real-time drilling data transfer standard in oil and gas |
Keywords | Wellsite, Drilling, Geology |
Detailed page | wits.md |
Name | XCP |
---|---|
Alias | Universal Measurement and Calibration Protocol, ASAM MCD-1 XCP |
Description | Interface usually working on top of other transports (USB, CAN/CAN FD, FlexRay, Ethernet, SxI) to read and write the memory of an ECU |
Keywords | CANbus, Automotive, XCP, ASAM MCD-1 XCP |
Access | Paid |
Specifications | XCP Book v1.5, ASAM MCD-1 XCP specifications |
Scapy layer | automotive/xcp |
Detailed page | xcp.md |
- ASAM wiki on XCP standard - Wiki describing protocol history, frame layout, etc.
- AutoSAR requirements on XCP - AutoSAR requirements to implement XCP stack in an ECU
- The XCP Reference Book - Free technical book on XCP protocol and how to use it (Vector)
- a2lparser - Python A2L parser and XML exporter
- AutoFuze - Automotive Fuzzing tool providing XCP implementation over USB and CAN
- xcpdump - ASAM XCP sniffer for SocketCAN
Name | ZigBee |
---|---|
Alias | ZBee |
Description | Wireless communication protocol for low-power IoT devices |
Wireshark dissector | packet-zbee-nwk.c |
Scapy layer | zigbee.py |
Detailed page | zigbee.md |
- A Lightbulb Worm? - Colin O'Flynn @ Black Hat USA (2016)
- Don't Be Silly, It's Only a Lightbulb - Eyal Itkin @ DEF CON Safe Mode (2020)
- Exploring the 802.15.4 Attack Surface - FAZ @ DEF CON 26 Wireless Village (2018)
- I'm a Newbie Yet I Can Hack ZigBee - Qing Yang @ DEF CON 23 (2015)
- Practical Exploitation of Zigbee Networks with RF Transceivers - Nitin Lakshmanan & Sunil Kumar @ Insomni'Hack (2022)
- Pwning KNX & ZigBee Networks - HuiYu Wu, YuXiang Li & Yong Yang @ Hack In The Box (2018)
- ZigBee Exploited: The Good, the Bad, and the Ugly - Tobias Zillner & Sebastian Strobl @ Black Hat USA (2015)
- An Overview of Wireless IoT Protocol Security in the Smart Home Domain - Stefan Marksteiner, Víctor Juan Expósito Jiménez, Heribert Vallant, Herwig Zeiner (2018)
- KillerBee - IEEE 802.15.4/ZigBee Security Research Toolkit
- Mirage - Framework dedicated to the security analysis of wireless communications
Although the resources added to this page are always manually checked, not all resources linked here (especially tools) have been tested. Please remain careful when using them and don't run untrusted code on your installation.
awesome-industrial-protocols is licensed under CC0. Turn/IP is licensed under GPL-v3.