Industrial control penetration framework ISF: Siemens S7-300PLC cracking and protection ideas


Series of articles:

How much do you know about typical attack methods in industrial control?

Industrial control experiment box: industrial control safety demonstration and protection suggestions

Industrial control penetration framework ISF: PLC password detection

Industrial Control Penetration Framework ISF: Information Collection


Environment introduction

At present, the laboratory uses a Siemens S7-300 PLC with CPU model 315-2 PN/DP. The tools used for the analysis are as follows:

Tool name          Tool description
TIA Portal V13     PLC programming tool
s7clientdemo.exe   S7-300 auxiliary tool for viewing the CPU password setting status
Wireshark          Used to capture the communication messages between the PLC and the host computer

s7clientdemo.exe download address:

0x01 Preparation

The password of a Siemens series PLC usually has 4 setting states: full authority, read-only authority, minimum authority, and upload not allowed. The authorization information for these levels was described in detail in the previous article.

Due to operator negligence or for the convenience of debugging, PLCs are often left with no password set, or with only a simple one. Next, I will show the danger of doing so.

This article starts with the PLC password encryption method, then discusses the feasibility of brute-force cracking of the PLC password, and from that derives a way to keep the PLC password secure.

The figure above shows the appearance of the S7-300, which is usually programmed and configured through Step7 or the TIA software. Here we use TIA Portal (Botu) to set a password for the PLC.

0x02 algorithm decryption

For example, set the password status to read-only with the password 123456, then re-establish a connection with the PLC from the host computer. When the password is verified, the following message is intercepted:

Picture: Message intercepted during password verification

Analyzing it yields the following rules:

The S7-300 uses a reversible encoding algorithm. The password is at most 8 characters long; it is converted into 8 bytes by the reversible algorithm and sent to the PLC through the S7 protocol.

1. A string of no more than 8 characters is converted into 8 bytes:

2. The opData array elements default to 0x20, i.e. a password shorter than 8 characters is padded with spaces

If the password is 123456, the code of the reversible algorithm is as follows:

#include <stdio.h>

int main(void)
{
    /* opData: plaintext padded to 8 bytes with 0x20; Pwd: the bytes sent to the PLC */
    unsigned char opData[8], Pwd[8];
    int c;

    opData[0] = '1';
    opData[1] = '2';
    opData[2] = '3';
    opData[3] = '4';
    opData[4] = '5';
    opData[5] = '6';
    opData[6] = 0x20;
    opData[7] = 0x20;

    /* the first two bytes are XORed with 0x55; every later byte is also
       chained with the encoded byte two positions earlier */
    Pwd[0] = opData[0] ^ 0x55;
    Pwd[1] = opData[1] ^ 0x55;
    for (c = 2; c < 8; c++) {
        Pwd[c] = opData[c] ^ 0x55 ^ Pwd[c - 2];
    }

    for (c = 0; c < 8; c++)
        printf("Pwd[%d] = 0x%02x;\n", c, Pwd[c]);
    return 0;
}

The Pwd array obtained after the program runs is shown below and matches the message we intercepted, which confirms that the algorithm we derived is correct.

    Pwd[0] = 0x64;
    Pwd[1] = 0x67;
    Pwd[2] = 0x02;
    Pwd[3] = 0x06;
    Pwd[4] = 0x62;
    Pwd[5] = 0x65;
    Pwd[6] = 0x17;
    Pwd[7] = 0x10;

After the converted password is sent, the PLC returns a message containing the result of the password check. If verification passes, the error code is 0x0000; if the password is incorrect, a different error code is returned.

0x03 brute force cracking

Once the password encoding algorithm is known, we can generate a weak-password dictionary, encode each entry with the algorithm, and use the encoded dictionary to talk to the PLC. When verification succeeds, the plaintext password is returned.


0x04 storage block decryption

Knowing the password encoding process and algorithm, how is the CPU password stored in the PLC? Is brute force the only way to obtain the CPU password of an unknown device?

We studied the S7-300 CPU password and got the following results:

1. The CPU password is stored in the SDB0 block

2. How the S7-300 CPU password is saved in the block

The following 3 figures show the data of the SDB0 block with no password, with read-only permission, and with no read-write permission. In the read-only and no-read-write states, the CPU password is 000000.

After research, the following conclusions are reached:

The red box is the encoded password; the value 02 in the blue box means read-only access, and 03 means no read-write access. In the first picture this part is absent because no password is set.

3. Encryption algorithm:

We found the encoding algorithm, which is similar to the one above but slightly different (the constant 0xaa replaces 0x55 and is also used as the padding byte). It is likewise reversible. The procedure is as follows:

#include <stdio.h>

int main(void)
{
    /* opData: plaintext padded to 8 bytes with 0xaa; Pwd: the bytes stored in SDB0 */
    unsigned char opData[8], Pwd[8];
    int c;

    opData[0] = '1';
    opData[1] = '2';
    opData[2] = '3';
    opData[3] = '4';
    opData[4] = '5';
    opData[5] = '6';
    opData[6] = 0xaa;
    opData[7] = 0xaa;

    /* same chained XOR as the protocol message, but with the constant 0xaa */
    Pwd[0] = opData[0] ^ 0xaa;
    Pwd[1] = opData[1] ^ 0xaa;
    for (c = 2; c < 8; c++) {
        Pwd[c] = opData[c] ^ 0xaa ^ Pwd[c - 2];
    }

    for (c = 0; c < 8; c++)
        printf("Pwd[%d] = 0x%02x;\n", c, Pwd[c]);
    return 0;
}

Because the algorithm is reversible, as long as the SDB0 block can be read, the plaintext password can be recovered directly from the block contents without any brute forcing. With the plaintext password, a password-verification message grants download rights, and the password and the CPU protection level (read-only or no read-write permission) can then be changed at will. Therefore, when setting the CPU password authority, we recommend the non-readable and non-writable state, which makes the SDB0 block harder to obtain and so protects the password we set.
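As an added example (not code from the article), the following C program generalizes both routines above into one encoder parameterized by the XOR constant and padding byte (0x55/0x20 for the protocol message, 0xaa/0xaa for the SDB0 form) and adds the inverse, which is why the stored form is obfuscation rather than encryption. The function names are my own; the expected bytes come from the intercepted message shown above.

```c
#include <stdint.h>
#include <string.h>

#define S7_PWD_LEN 8

/* Encode a plaintext password into the 8-byte chained-XOR form. key 0x55 / pad 0x20
 * gives the protocol message form, key 0xAA / pad 0xAA the SDB0 form (article constants). */
void s7_pwd_encode(const char *plain, uint8_t key, uint8_t pad, uint8_t out[S7_PWD_LEN]) {
    uint8_t buf[S7_PWD_LEN];
    size_t n = strlen(plain);
    if (n > S7_PWD_LEN) n = S7_PWD_LEN;        /* only 8 bytes are ever used */
    memset(buf, pad, S7_PWD_LEN);
    memcpy(buf, plain, n);
    out[0] = buf[0] ^ key;
    out[1] = buf[1] ^ key;
    for (int c = 2; c < S7_PWD_LEN; c++)
        out[c] = buf[c] ^ key ^ out[c - 2];
}

/* Inverse: XOR undoes itself and each chained byte in[c-2] is part of the encoded
 * data, so no secret is needed. Trailing pad bytes are stripped (assumes the
 * password itself does not end in the pad character). */
void s7_pwd_decode(const uint8_t in[S7_PWD_LEN], uint8_t key, uint8_t pad, char out[S7_PWD_LEN + 1]) {
    uint8_t buf[S7_PWD_LEN];
    buf[0] = in[0] ^ key;
    buf[1] = in[1] ^ key;
    for (int c = 2; c < S7_PWD_LEN; c++)
        buf[c] = in[c] ^ key ^ in[c - 2];
    int n = S7_PWD_LEN;
    while (n > 0 && buf[n - 1] == pad) n--;
    memcpy(out, buf, n);
    out[n] = '\0';
}

/* 1 if "123456" encodes to the bytes intercepted in the article's Wireshark capture. */
int s7_matches_intercepted_message(void) {
    static const uint8_t expected[S7_PWD_LEN] = {0x64, 0x67, 0x02, 0x06, 0x62, 0x65, 0x17, 0x10};
    uint8_t enc[S7_PWD_LEN];
    s7_pwd_encode("123456", 0x55, 0x20, enc);
    return memcmp(enc, expected, S7_PWD_LEN) == 0;
}

/* 1 if encode followed by decode returns the original password. */
int s7_roundtrip(const char *plain, uint8_t key, uint8_t pad) {
    uint8_t enc[S7_PWD_LEN];
    char dec[S7_PWD_LEN + 1];
    s7_pwd_encode(plain, key, pad, enc);
    s7_pwd_decode(enc, key, pad, dec);
    return strcmp(dec, plain) == 0;
}
```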

Protection methods and suggestions

Through the above examples we know the CPU password encoding method of the S7-300 and have outlined the idea of brute-force cracking. Conversely, we can use that same idea to harden our PLC so that it is harder to compromise. We propose the following suggestions:


The PLC must have a password set, and the protection level should be the non-readable and non-writable state, to protect your program as much as possible.

When uploading and downloading, it is best to connect the computer directly to the PLC, so that communication messages cannot be captured through a man-in-the-middle position or a switch and used by an attacker.

Do not set weak passwords; use complex passwords, which lengthen the brute-force time and increase the chance that the attack is discovered.

Do not expose the PLC on the public network.

