0
votes

I am trying to imitate a SIEMENS S7 PLC so that scanners like Nmap, Zgrab and NESSUS will detect my Raspberry as a PLC. When looking at the NSE script for Nmap (based on Lua) it's clear that the response can be decoded with the following structure:

DATA                DATA TYPE   Location in response
Protocol ID         C           8
SZL-ID              C           31
Module information  z           44
Basic Hardware      z           72
Version Number      CCC         123
Plant ID            z           108 + offset
Copyright           z           142 + offset
Serial Number       z           176 + offset
System name         z           40 + offset
Module Type         z           74 + offset

Where: z is a zero-terminated string
       C is an unsigned char
       offset = 4

The connection to the PLC is established via socket connection. Now I am looking for a way to recreate this package and respond accordingly.

2
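An added example (not code from the question or either answer) that applies the decode table above in Python: a field reader that uses the listed positions and types, plus a builder that lays values out at those same positions so a constructed sample response can be decoded the way the scanner would. Assumptions: positions are used 0-based here (Lua string positions are 1-based, so subtract one when porting to or from the NSE script); because Module information and System name both sit at position 44, the two field groups are taken to come from two separate SZL responses; the three version bytes are rendered as "x.y.z"; every sample value is made up.

```python
# Field layouts from the question: name -> (position, type). "z" is a
# NUL-terminated string, "C" an unsigned char, "CCC" three unsigned chars.
# ASSUMPTION: the two groups come from two separate SZL responses.
OFFSET = 4
MODULE_FIELDS = {"protocol_id": (8, "C"), "szl_id": (31, "C"),
                 "module_information": (44, "z"), "basic_hardware": (72, "z"),
                 "version_number": (123, "CCC")}
IDENT_FIELDS = {"system_name": (40 + OFFSET, "z"), "module_type": (74 + OFFSET, "z"),
                "plant_id": (108 + OFFSET, "z"), "copyright": (142 + OFFSET, "z"),
                "serial_number": (176 + OFFSET, "z")}

def read_field(buf, pos, kind):
    """Read one field exactly as the table describes it (0-based positions)."""
    if kind == "z":
        end = buf.index(b"\x00", pos)               # zero-terminated string
        return buf[pos:end].decode("ascii", "replace")
    if kind == "C":
        return buf[pos]                             # single unsigned byte
    if kind == "CCC":
        return ".".join(str(b) for b in buf[pos:pos + 3])  # assumed "x.y.z"
    raise ValueError(f"unknown field type {kind!r}")

def decode(buf, fields):
    """Decode every field of one response buffer into a dict."""
    return {name: read_field(buf, pos, kind) for name, (pos, kind) in fields.items()}

def build(fields, values, size=256):
    """Inverse of decode: place values at the table positions in a zeroed buffer."""
    buf = bytearray(size)
    for name, (pos, kind) in fields.items():
        v = values[name]
        if kind == "z":
            buf[pos:pos + len(v) + 1] = v.encode("ascii") + b"\x00"
        elif kind == "C":
            buf[pos] = v
        else:
            buf[pos:pos + 3] = bytes(v)
    return bytes(buf)

# Constructed sample values (not captured from any real device).
MODULE_VALUES = {"protocol_id": 0x32, "szl_id": 0x11,
                 "module_information": "6ES7 315-2EH14-0AB0",
                 "basic_hardware": "6ES7 315-2EH14-0AB0", "version_number": (3, 2, 6)}
IDENT_VALUES = {"system_name": "SIMATIC 300(1)", "module_type": "CPU 315-2 PN/DP",
                "plant_id": "", "copyright": "Original Siemens Equipment",
                "serial_number": "S C-EXAMPLE00001"}

def decode_samples():
    """Round trip: build both sample responses, then decode them like the scanner."""
    return (decode(build(MODULE_FIELDS, MODULE_VALUES), MODULE_FIELDS),
            decode(build(IDENT_FIELDS, IDENT_VALUES), IDENT_FIELDS))
```

Any string placed with `build` must fit before the next field's position (34 bytes apart in the identification group), otherwise the decoder reads the following field's text.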

2 Answers

0
votes

Have a look at Snap7.

Somehow this library does what you need. It acts as S7-PLC, and responds even to Simatic Manager.

0
votes

As Freeman suggests, install Windows IoT Core on your Raspberry and use Snap7 to emulate your S7 PLC on the Raspberry. You will also be able to control remote IO stations with your 'Soft PLC'.