GithubHelp home page GithubHelp logo

bdong1988 / scapy-cip-enip Goto Github PK

View Code? Open in Web Editor NEW

This project forked from scy-phy/scapy-cip-enip

0.0 1.0 0.0 25 KB

EtherNet/IP+CIP dissector for Scapy

License: MIT License

Python 100.00%

scapy-cip-enip's Introduction

Ethernet/IP dissectors for Scapy

This repository contains a Python library which can be used to interact with components of a network using ENIP (Ethernet/IP) and CIP (Common Industrial Protocol) protocols. It uses scapy (http://www.secdev.org/projects/scapy/) to implement packet dissectors which are able to decode a part of the network traffic. These dissectors can also be used to craft packets, which allows directly communicating with the PLCs (Programmable Logic Controllers) of the network.

This project has been created to help analyzing the behavior of SWaT, a water treatment testbed built at SUTD (Singapore University of Technology and Design). For more information on our work, visit http://scy-phy.net

Therefore, it mostly implements a subset of CIP specification, which is used in this system.

Requirements

Example of packet decoding

Here is the raw content of a packet sent to a PLC to query a tag (in SWaT), as seen by an hexadecimal viewer:

00000000: 801d 9cc8 bde7 001d 9cc6 72e8 0800 4500  ..........r...E.
00000010: 005e 2f95 4000 8006 4746 c0a8 0164 c0a8  .^/[email protected]..
00000020: 010a c203 af12 8e7a 4387 01bd 1e5e 5018  .......zC....^P.
00000030: 829c 2a07 0000 7000 1e00 0200 1600 0000  ..*...p.........
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0200 a100 0400 2042 b5ff b100  .......... B....
00000060: 0a00 8a07 4c03 20b2 2500 2200            ....L. .%.".

This packet can be decoded using this Python script:

#!/usr/bin/env python2
import binascii
from scapy.all import *
import cip

rawpkt = binascii.unhexlify(
    '801d9cc8bde7001d9cc672e808004500005e2f95400080064746c0a80164'
    'c0a8010ac203af128e7a438701bd1e5e5018829c2a07000070001e000200'
    '1600000000000000000000000000000000000000000000000200a1000400'
    '2042b5ffb1000a008a074c0320b225002200')
pkt = Ether(rawpkt)
pkt.show()

This script prints the structure of the packet with every protocol layer (Ethernet, IP, ENIP and CIP):

###[ Ethernet ]###
  dst       = 00:1d:9c:c8:bd:e7
  src       = 00:1d:9c:c6:72:e8
  type      = 0x800
###[ IP ]###
     version   = 4L
     ihl       = 5L
     tos       = 0x0
     len       = 94
     id        = 12181
     flags     = DF
     frag      = 0L
     ttl       = 128
     proto     = tcp
     chksum    = 0x4746
     src       = 192.168.1.100
     dst       = 192.168.1.10
     \options   \
###[ TCP ]###
        sport     = 49667
        dport     = EtherNet_IP_2
        seq       = 2390377351
        ack       = 29171294
        dataofs   = 5L
        reserved  = 0L
        flags     = PA
        window    = 33436
        chksum    = 0x2a07
        urgptr    = 0
        options   = []
###[ ENIP_TCP ]###
           command_id= SendUnitData
           length    = 30
           session   = 1441794
           status    = success
           sender_context= 0
           options   = 0
###[ ENIP_SendUnitData ]###
              interface_handle= 0
              timeout   = 0
              count     = 2
              \items     \
               |###[ ENIP_SendUnitData_Item ]###
               |  type_id   = conn_address
               |  length    = 4
               |###[ ENIP_ConnectionAddress ]###
               |     connection_id= 4290069024
               |###[ ENIP_SendUnitData_Item ]###
               |  type_id   = conn_packet
               |  length    = 10
               |###[ ENIP_ConnectionPacket ]###
               |     sequence  = 1930
               |###[ CIP ]###
               |        direction = request
               |        service   = Read_Tag_Service
               |        \path      \
               |         |###[ CIP_Path ]###
               |         |  wordsize  = 3
               |         |  path      = class 0xb2,instance 0x22
               |        \status    \

Moreover, each component of the packet is accessible in Python. For example, adding print(pkt[cip.CIP].path) at the end of the script shows the path of the tag being queried in this CIP request:

[<CIP_Path  wordsize=3 path=class 0xb2,instance 0x22 |>]

Interfacing with a PLC

The scapy dissectors can be used to craft packet and therefore communicate with a PLC using ENIP and CIP. These communications require several handshakes:

  • a TCP handshake to establish a communication channel,
  • an ENIP handshake to register an ENIP session,
  • an optional CIP handshake (with ForwardOpen messages).

The file plc.py provides PLCClient class, which implements an abstraction level of the state of a communication with a PLC. Here is for example how to use this class to read tag HMI_LIT101 on the PLC sitting at address 192.168.1.10:

import logging
import sys

from cip import CIP, CIP_Path
import plc

logging.basicConfig(format='[%(levelname)s] %(message)s', level=logging.DEBUG)

# Connect to PLC
client = plc.PLCClient('192.168.1.10')
if not client.connected:
    sys.exit(1)
print("Established session {}".format(client.session_id))

if not client.forward_open():
    sys.exit(1)

# Send a CIP ReadTag request
cippkt = CIP(service=0x4c, path=CIP_Path.make_str("HMI_LIT101"))
client.send_unit_cip(cippkt)

# Receive the response and show it
resppkt = client.recv_enippkt()
resppkt[CIP].show()

# Close the connection
client.forward_close()

scapy-cip-enip's People

Contributors

fishilico avatar noleti avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.