Enumerates Siemens S7 PLC Devices and collects their device information. This script is based off PLCScan that was developed by Positive Research and Scadastrangelove (https://code.google.com/p/plcscan/). This script is meant to provide the same functionality as PLCScan inside of Nmap. Some of the information that is collected by PLCScan was not ported over; this information can be parsed out of the packets that are received.
Thanks to Positive Research, and Dmitry Efanov for creating PLCScan
nmap --script s7-info.nse -p 102 <host/s>
102/tcp open Siemens S7 PLC | s7-info: | Basic Hardware: 6ES7 315-2AG10-0AB0 | System Name: SIMATIC 300(1) | Copyright: Original Siemens Equipment | Version: 2.6.9 | Module Type: CPU 315-2 DP | Module: 6ES7 315-2AG10-0AB0 |_ Serial Number: S C-X4U421302009
Author: Stephen Hilt (Digital Bond)
License: Same as Nmap--See http://nmap.org/book/man-legal.html
- action (host, port)
Action Function that is used to run the NSE. This function will send the initial query to the host and port that were passed in via nmap. The initial response is parsed to determine if host is a S7COMM device. If it is then more actions are taken to gather extra information.
- host: Host that was scanned via nmap
- port: port that was scanned via nmap