Script s7-info
Script types:
portrule
Categories:
discovery, version
Download: https://svn.nmap.org/nmap/scripts/s7-info.nse
Script Summary
Enumerates Siemens S7 PLC devices and collects their device information. This script is based on PLCScan, developed by Positive Research and Scadastrangelove (https://code.google.com/p/plcscan/), and is meant to provide the same functionality as PLCScan within Nmap. Some of the information collected by PLCScan was not ported over; that information can still be parsed out of the packets that are received.
Thanks to Positive Research and Dmitry Efanov for creating PLCScan.
Example Usage
nmap --script s7-info.nse -p 102 <host/s>
Script Output
102/tcp open  Siemens S7 PLC
| s7-info:
|   Basic Hardware: 6ES7 315-2AG10-0AB0
|   System Name: SIMATIC 300(1)
|   Copyright: Original Siemens Equipment
|   Version: 2.6.9
|   Module Type: CPU 315-2 DP
|   Module: 6ES7 315-2AG10-0AB0
|_  Serial Number: S C-X4U421302009
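The script output above is what an asset owner typically wants to turn into a PLC inventory (which firmware version and module type sits behind which IP, so that patch level and spare-part tracking can be checked). The following parser is an added example, not part of the Nmap script or its documentation: it reads Nmap's normal text output, picks out each port that carries an s7-info block, and returns the fields as a record per host/port. The host name and IP in the sample are constructed; the field values are the ones shown in the Script Output above.

```python
import re

# Constructed sample: the s7-info block from the Script Output above, placed in
# Nmap's normal (-oN) layout under a hypothetical host header. Values are the
# page's example output, not live data.
SAMPLE_OUTPUT = """\
Nmap scan report for plc-example.internal (192.0.2.10)
PORT    STATE SERVICE
102/tcp open  Siemens S7 PLC
| s7-info:
|   Basic Hardware: 6ES7 315-2AG10-0AB0
|   System Name: SIMATIC 300(1)
|   Copyright: Original Siemens Equipment
|   Version: 2.6.9
|   Module Type: CPU 315-2 DP
|   Module: 6ES7 315-2AG10-0AB0
|_  Serial Number: S C-X4U421302009
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[^)]+)\))?")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>.*)$")
# First line of a script block: "| <script-id>:" with nothing after the colon.
SCRIPT_START_RE = re.compile(r"^\|_?\s*(?P<id>[\w-]+):\s*$")
# A "Key: value" line inside a block; "|_" marks the block's last line.
SCRIPT_LINE_RE = re.compile(r"^\|_?\s+(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_s7_info(text):
    """Return one record per host/port that carries an s7-info block.

    Each record has 'host', 'ip', 'port', 'service' and a 'fields' dict
    keyed by the labels the script prints (e.g. 'Version', 'Serial Number').
    """
    results = []
    host = {"name": None, "ip": None}
    current_port = None
    in_block = False
    fields = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = {"name": m.group("name"), "ip": m.group("ip") or m.group("name")}
            current_port = None
            continue
        m = PORT_RE.match(line)
        if m:
            current_port = m.groupdict()
            continue
        if not in_block:
            # Only look for a block start when not already inside one, so a
            # field with an empty value ("|   Copyright:") is not mistaken
            # for the start of a new script block.
            m = SCRIPT_START_RE.match(line)
            if m and m.group("id") == "s7-info" and current_port is not None:
                in_block = True
                fields = {}
            continue
        m = SCRIPT_LINE_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
        if line.startswith("|_"):
            results.append({
                "host": host["name"],
                "ip": host["ip"],
                "port": current_port["port"],
                "service": current_port["service"].strip(),
                "fields": fields,
            })
            in_block = False
    return results


def inventory_rows(text):
    """Flatten parsed records into (ip, module, version, serial) tuples for an asset list."""
    return [
        (r["ip"], r["fields"].get("Module", ""), r["fields"].get("Version", ""),
         r["fields"].get("Serial Number", ""))
        for r in parse_s7_info(text)
    ]


if __name__ == "__main__":
    for row in inventory_rows(SAMPLE_OUTPUT):
        print("\t".join(row))
```

Feed it the saved normal output of a scan (`nmap --script s7-info.nse -p 102 -oN scan.txt <host/s>`); the `-oN` layout is the same as the Script Output shown above. Nmap's XML output (`-oX`) is the more robust source for automation, but the text parser is enough to keep a periodic inventory and diff it for new or changed PLC firmware versions.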
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html
action
- action (host, port)
The action function that runs the NSE script. It sends the initial query to the host and port passed in by Nmap, and parses the initial response to determine whether the host is an S7COMM device. If it is, further requests are made to gather extra device information.
Parameters
- host: the host that was scanned by Nmap
- port: the port that was scanned by Nmap