Analysis of communication process and replay attack of Siemens S7comm-plus


I. Overview

Siemens PLCs are widely used in industrial control systems. This article uses an S7-1200 PLC with firmware V3.0.2 and the TIA13 (TIA Portal V13) environment to carry out a preliminary analysis of the S7comm-plus protocol and of its anti-replay protection.

II. Siemens PLC introduction

Siemens PLCs are widely used in industrial control systems. The Siemens controller family includes the S7-200, S7-300, S7-400, S7-1200 and S7-1500 PLCs.

The S7-200, S7-300 and S7-400 series PLCs communicate with the early Siemens proprietary protocol S7comm. S7-1200/1500 series PLCs with firmware versions below V3.0 communicate with Siemens' new-generation S7comm-Plus protocol, which uses some special encoding conventions. S7-1200/1500 series PLCs with firmware V3.0 and above adopt the latest S7comm-Plus protocol. This S7comm-plus protocol introduces a session ID to prevent replay attacks.

For the models of the S7 PLC series and their corresponding firmware versions, refer to the figure below.

III. Protocol analysis

3.1 Protocol structure

The S7Comm-plus Ethernet protocol maps onto the OSI model as follows:

From packet capture analysis and from the Wireshark dissector source code, the frame structure of the S7Comm-plus protocol consists roughly of a header, a data field and a trailer. The header and trailer are fixed, while the data field differs greatly in structure and content between frames. The frame structure diagram is as follows:


3.2 Head and tail analysis

The Header and Trailer have the same composition: a protocol id, a PDU type and a data length. Their structure is shown in the figure below:

The header and trailer share the same layout: the protocol id is one byte, the PDU type is one byte and the Length is two bytes. The PDU type defines the type of the frame.

3.3 Data Domain Analysis

The Data field is the most complex and most variable area of the frame structure. Analysis shows that it can be divided into three parts: an Integrity part, a D_header and the Data itself. The specific structure is shown in the figure below:

(1) D_Head

When the PDU type is 0x01 or 0x02, the packet carries no 32-bit Integrity part; when the PDU type is 0x03, a 32-bit Integrity part is present. The data header also contains two reserved fields and one unknown field whose values differ between frames. From the Wireshark capture data, the distribution of these values is as follows:

(2) Data

The structure, content and format of the Data part depend on the PDU type and the opcode. The Data part has many variants and is considerably more complicated; for a detailed breakdown, read the Wireshark s7comm-plus dissector code.
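As an added example (not code from the article), the following Python parser walks a frame exactly as sections 3.2 and 3.3 describe it: a 4-byte header, an optional 32-bit Integrity part that is present only for PDU type 0x03, the unparsed D_header/Data body, and a trailer with the same 4-byte layout. Byte order, what the Length field counts, the protocol id 0x72 and the zero trailer length used in the constructed sample frames are assumptions, not facts taken from the article.

```python
"""Frame walker for the S7comm-plus layout described in 3.2 and 3.3.

Assumptions not stated in the article: multi-byte fields are big-endian,
the header Length counts every byte between header and trailer, and the
trailer occupies the last four bytes.  All sample frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Header and trailer share one layout: protocol id (1), PDU type (1), length (2)
HDR = struct.Struct(">BBH")
# Article: a 32-bit Integrity part precedes D_header only for PDU type 0x03
PDU_TYPES_WITH_INTEGRITY = {0x03}


@dataclass
class S7PlusFrame:
    protocol_id: int
    pdu_type: int
    length: int
    integrity: Optional[int]  # None for PDU types 0x01 / 0x02
    body: bytes               # D_header + Data, left unparsed here
    trailer_pdu_type: int


def parse_frame(raw: bytes) -> S7PlusFrame:
    """Split one frame into header, optional integrity part, body and trailer."""
    if len(raw) < 2 * HDR.size:
        raise ValueError("frame shorter than header + trailer")
    proto, pdu_type, length = HDR.unpack_from(raw, 0)
    if len(raw) < 2 * HDR.size + length:
        raise ValueError(f"declared length {length} runs past end of frame")
    body = raw[HDR.size:HDR.size + length]
    t_proto, t_pdu, _t_len = HDR.unpack_from(raw, HDR.size + length)
    if t_proto != proto:
        raise ValueError("trailer protocol id differs from header")
    integrity = None
    if pdu_type in PDU_TYPES_WITH_INTEGRITY:
        if len(body) < 4:
            raise ValueError("PDU type 0x03 needs a 32-bit integrity part")
        integrity = struct.unpack_from(">I", body)[0]
        body = body[4:]
    return S7PlusFrame(proto, pdu_type, length, integrity, body, t_pdu)


def build_frame(pdu_type: int, body: bytes, proto: int = 0x72) -> bytes:
    """Constructed test vector; protocol id 0x72 and trailer length 0 are assumptions."""
    return HDR.pack(proto, pdu_type, len(body)) + body + HDR.pack(proto, pdu_type, 0)
```

A monitoring tool that rejects frames failing these structural checks before looking at the Data part catches malformed or truncated traffic early; the session ID that guards against replay lives in the unparsed body and is not decoded here.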

IV. Anti-replay attack analysis

4.1 Environment setup

(1) PC1: install TIA13 (TIA Portal, "Botu"), which is used to connect to the S7-1200 PLC and to start and stop the PLC CPU; this machine is mainly used for packet capture analysis. In TIA Portal, add the correct PLC device and configure the PLC network address so that the connection succeeds, as shown below:
