示例#1
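def main(host='192.168.9.227', max_requests=0x10000):
    """Walk the PLC's Symbol object (class 0x6b) with Get_Instance_Attribute_List.

    Opens an EtherNet/IP session to *host*, establishes a connected CIP
    session through the Connection Manager (forward_open), then issues
    service 0x55 on class 0x6b starting at instance 0, each time asking for
    two attributes: 1 (symbol name) and 2 (symbol type). The next request
    resumes one past the last instance reported by the device, until a
    response whose status text contains "Success" marks the final chunk.

    Args:
        host: PLC address; defaults to the value that was hard-coded before.
        max_requests: cap on the number of requests sent. The original loop
            ran until "Success" appeared in the status, so a device that
            keeps answering with an error status (or a parse that never
            advances) would spin forever and hammer the PLC; the cap turns
            that into a bounded sweep.

    Exits with status 1 if the session or the forward-open fails. The
    forward-open connection is always released, even if a request or
    parse raises, so no connection slot is left dangling on the PLC.
    """
    # Connect to PLC
    client = plc.PLCClient(host)
    if not client.connected:
        sys.exit(1)

    # Creating Connections Through the Connection Manager Object
    if not client.forward_open():
        sys.exit(1)

    try:
        # Get_Instance_Attribute_List, starting from instance 0
        instanceid = 0x0
        status = ''
        # Number of attributes to retrieve (2 bytes) + Attribute 1 - Symbol Name
        # (2 bytes) + Attribute 2 - Symbol Type (2 bytes). A bytes literal keeps
        # the payload identical on Python 2 and 3.
        data = b"\x02\x00\x01\x00\x02\x00"
        sent = 0

        while "Success" not in status:
            if sent >= max_requests:
                sys.stderr.write(
                    "giving up after %d requests without a Success status\n" % sent)
                break
            cippkt = CIP(service=0x55,
                         path=CIP_Path.make(class_id=0x6b,
                                            instance_id=instanceid,
                                            word_size=3)) / data
            client.send_unit_cip(cippkt)
            resppkt = client.recv_enippkt()
            status = str(resppkt[CIP].status)
            # Resume right after the last instance the device returned.
            instanceid = parse_attributes(resppkt[CIP].load) + 1
            sent += 1
    finally:
        # Always tear down the forward-open connection, even on error.
        client.forward_close()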
示例#2
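def main(host='192.168.9.227'):
    """Run one fuzzing pass against the PLC at *host*.

    Opens an EtherNet/IP session, brings up a connected CIP session through
    the Connection Manager (forward_open), runs the selected fuzzer
    (currently fuzz_classid over class 0x1) and then closes the connection.

    Only point this at a lab controller: the fuzzers send malformed CIP
    requests, and a PLC that faults or reboots on one of them would take
    whatever process it controls down with it.

    Args:
        host: PLC address; defaults to the value that was hard-coded before.

    Exits with status 1 if the session or the forward-open fails. The
    forward-open connection is released in a ``finally`` so a crash inside
    the fuzzer does not leave a dangling connection on the PLC.
    """
    # Connect to PLC
    client = plc.PLCClient(host)
    if not client.connected:
        sys.exit(1)

    # Creating Connections Through the Connection Manager Object
    if not client.forward_open():
        sys.exit(1)

    try:
        # Other fuzzers in this harness; enable one at a time:
        #   fuzz_interfacehandle(client)
        #   fuzz_timeout(client)
        #   fuzz_instanceid(client, 0x6b)
        #   fuzz_service_classid(client, 0x0)
        #   fuzz_pathsize(client, 0x6b, 0x227)
        #   simple_read_tag(client, 3, 0x6b, 0x227)
        fuzz_classid(client, 0x1)
    finally:
        # Close the connection even if the fuzzer raised.
        client.forward_close()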
示例#3
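def scan_one(class_name, instance_id, attribute_id=None):
    """Return the set of service codes *class_name* accepts at *instance_id*.

    For each candidate service in CLASS_SERVICE_MAP[class_name] a fresh
    session to PLC_HOST is opened and an unconnected (send_rr) CIP request
    is sent to class/instance[/attribute]. The service is recorded when both
    the ENIP encapsulation status and the CIP response status are 0.

    Args:
        class_name: key into CLASS_CODES and CLASS_SERVICE_MAP.
        instance_id: CIP instance id to address.
        attribute_id: optional CIP attribute id appended to the path.

    Returns:
        set of service codes (ints) the device answered successfully.

    Exits the process with status 1 if the PLC cannot be reached.
    """
    success_service = set()
    class_id = CLASS_CODES[class_name]

    for service_id in CLASS_SERVICE_MAP[class_name]:
        plc_client = plc.PLCClient(PLC_HOST)

        if not plc_client.connected:
            logging.error(("Cannot connect to server"))
            sys.exit(1)

        # Make packet detail
        cippkt = CIP(service=service_id,
                     path=CIP_Path.make(class_id=class_id,
                                        instance_id=instance_id,
                                        attribute_id=attribute_id))

        # Send a CIP request
        plc_client.send_rr_cip(cippkt)

        # Receive the response
        resppkt = plc_client.recv_enippkt()

        # A malformed or truncated reply may lack either layer. Both statuses
        # default to None so the comparison below is always defined (the
        # original only reset cip_tcp_status, leaving enip_tcp_status unbound
        # -> NameError when the ENIP lookup failed), and only lookup errors are
        # caught, so Ctrl-C / SystemExit still stop the scan.
        enip_tcp_status = None
        cip_tcp_status = None
        try:
            enip_tcp_status = resppkt["ENIP_TCP"].status
            cip_tcp_status = resppkt["CIP_ResponseStatus"].status
        except (IndexError, KeyError, AttributeError, TypeError):
            pass

        if enip_tcp_status == 0x0 and cip_tcp_status == 0x0:  # SUCCESS
            success_service.add(service_id)
        # NOTE(review): each PLCClient is dropped here without an explicit
        # close; confirm plc.PLCClient releases its socket when collected,
        # otherwise this opens one lingering session per service on the PLC.

    logging.debug("Class %s supports serives %s", class_name, success_service)

    return success_service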
示例#4
# Accumulators for the service/class/instance sweep that follows; presumably
# one collects every probe record and the other only the successful ones —
# the loop body that fills them is not fully visible here, so verify.
success_list = []
success_service_list = []

for service_name in SERVICE_CODES.keys():
    service_id = SERVICE_CODES[service_name]

    for class_name in CLASS_CODES.keys():
        class_id = CLASS_CODES[class_name]

        for instance_id in range(INSTANCE_ID_RANGE[0], INSTANCE_ID_RANGE[1]):

            logging.basicConfig(format='[%(levelname)s] %(message)s',
                                level=logging.DEBUG)

            # Connect to PLC
            client = plc.PLCClient(PLC_HOST)
            if not client.connected:
                sys.exit(1)
            print("Established session {}".format(client.session_id))

            # Send a CIP ReadTag request
            cippkt = CIP(service=service_id,
                         path=CIP_Path.make(class_id=int(class_id),
                                            instance_id=instance_id))
            client.send_rr_cip(cippkt)

            # Receive the response and show it
            resppkt = client.recv_enippkt()

            enip_tcp_status = resppkt["ENIP_TCP"].status
            service_info = {
示例#5
import logging
import sys

from cip import CIP, CIP_Path
import plc

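logging.basicConfig(format='[%(levelname)s] %(message)s', level=logging.DEBUG)

# Target PLC. Lab device only: this script opens a connected (forward-open)
# CIP session and reads a tag from the running controller.
PLC_HOST = '192.168.6.70'

# Connect to PLC
client = plc.PLCClient(PLC_HOST)
if not client.connected:
    sys.exit(1)
print("Established session {}".format(client.session_id))

# Creating Connections Through the Connection Manager Object
if not client.forward_open():
    sys.exit(1)

try:
    # Send a CIP ReadTag request (service 0x4c) addressed by symbolic path
    cippkt = CIP(service=0x4c, path=CIP_Path.make_str("Raymond_INT"))
    client.send_unit_cip(cippkt)

    # Receive the response and show it
    resppkt = client.recv_enippkt()
    resppkt[CIP].show()
finally:
    # Close the connection even if the read or the dissection raised, so no
    # forward-open connection is left dangling on the PLC.
    client.forward_close()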