{"id":1114,"date":"2023-01-19T10:17:10","date_gmt":"2023-01-19T10:17:10","guid":{"rendered":"https:\/\/inprotech.es\/?p=1114"},"modified":"2025-02-17T10:59:18","modified_gmt":"2025-02-17T10:59:18","slug":"s7comm-protocol-security-analyzed","status":"publish","type":"post","link":"https:\/\/inprotech.es\/en\/s7comm-protocol-security-analyzed\/","title":{"rendered":"S7Comm protocol: security analyzed"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">The S7 Communication protocol (hereafter S7Comm) is a proprietary Siemens protocol that first appeared in 1994 with the launch of the SIMATIC S7 products, such as the S7-200, S7-300 and S7-400. Today it is implemented by all SIMATIC S7 and C7 CPUs and is independent of the bus used: it can be carried over Industrial Ethernet as well as over other physical or network layers, such as RS-485 for MPI (Multi-Point Interface) or PROFIBUS [1].<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This protocol is mainly used for data exchange, as well as for access from other devices such as HMIs or SCADA systems.<\/span><\/p>\n\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">As this is a proprietary protocol, there is not much information publicly available about it, although several projects can help to understand it, such as Snap7 [2], an open source library for interacting with Siemens S7 products that includes extensive technical documentation on how the protocol works.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Another large open source project that includes information on the S7 protocol is PLC4X [3], a set of libraries that implement communication with PLCs over different industrial protocols, including S7, through a common API.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When we talk about the S7Comm protocol, we could really be referring to both S7Comm and its more recent version, S7Comm Plus, about which very little information is available and which adds, as a new feature, an encryption layer. 
Throughout this article we will only discuss S7Comm, which is mainly used for connections between PLCs and PC stations.<\/span><\/p>\n<figure id=\"attachment_1066\" aria-describedby=\"caption-attachment-1066\" style=\"width: 701px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1066\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/1.jpeg\" alt=\"\" width=\"701\" height=\"434\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/1.jpeg 1106w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/1-300x186.jpeg 300w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/1-1024x634.jpeg 1024w\" sizes=\"auto, (max-width: 701px) 100vw, 701px\" \/><figcaption id=\"caption-attachment-1066\" class=\"wp-caption-text\">Figure 1. 
Profinet vs S7Comm Plus vs S7Comm<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<h2>Technical description<\/h2>\n<p><span style=\"font-weight: 400;\">In general, the communication designed by Siemens follows the traditional master-slave (or client-server) model, in which a master (client) PC sends S7 requests to the slave (server) PLC.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The implementation of the S7 protocol over TCP\/IP is based on the block-oriented ISO transport service: the S7 PDU (Protocol Data Unit) is encapsulated in ISO-COTP and TPKT (RFC 1006) so that it can be carried over TCP, using TCP port 102 by default.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Each transmitted data block is a PDU, whose maximum length is negotiated during connection setup.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The protocol is function and\/or command oriented, which means that a transmission generally consists of an S7 request and a response to that request. 
Each of these commands consists of the following fields, the last two being optional:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Header<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Parameter set (and parameter data)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">For a better understanding of S7 encapsulation, the following picture shows how S7 is first encapsulated in ISO over TCP and then in TCP\/IP:<\/span><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_1068\" aria-describedby=\"caption-attachment-1068\" style=\"width: 702px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1068\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/2.jpeg\" alt=\"\" width=\"702\" height=\"160\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/2.jpeg 956w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/2-300x68.jpeg 300w\" sizes=\"auto, (max-width: 702px) 100vw, 702px\" \/><figcaption id=\"caption-attachment-1068\" class=\"wp-caption-text\">Figure 2. 
Protocol encapsulation<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><b>HEADER<\/b><b>: <\/b><span style=\"font-weight: 400;\">contains the message type, the PDU reference used to match responses to requests, and the lengths of the parameter and data fields that follow.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">These headers are between 10 and 12 bytes long: acknowledgement messages (Ack-Data, and the simple Ack as the Wireshark dissector treats it) carry two additional bytes, the error class and the error code. Apart from this, the header format is the same in all PDUs.<\/span><\/p>\n<figure id=\"attachment_1070\" aria-describedby=\"caption-attachment-1070\" style=\"width: 700px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1070\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/3.jpeg\" alt=\"\" width=\"700\" height=\"240\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/3.jpeg 805w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/3-300x103.jpeg 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><figcaption id=\"caption-attachment-1070\" class=\"wp-caption-text\">Figure 3. S7 PDU header<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><b>Protocol ID: <\/b><span style=\"font-weight: 400;\">Protocol identifier. It is constant and is always 0x32.<\/span><\/p>\n<p><b>Message Type: <\/b><span style=\"font-weight: 400;\">Type of the message, sometimes referred to as ROSCTR (Remote Operating Service Control):<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">0x01-Job: Request sent by the master (e.g. read\/write memory, read\/write blocks, start\/stop device, setup communication).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">0x02-Ack: Simple acknowledgement sent by the slave, without a data field.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">0x03-Ack-Data: Acknowledgement with an optional data field; contains the response to a Job request.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">0x07-Userdata: An extension of the original protocol; the parameter field contains the request\/response ID. Used, for example, for programming or debugging tasks, SZL reads, security functions, time settings and cyclic reads.<\/span><\/li>\n<\/ul>\n<p><b>Reserved<\/b><span style=\"font-weight: 400;\">: Always 0x0000 (ignored).<\/span><\/p>\n<p><b>PDU reference: <\/b><span style=\"font-weight: 400;\">Generated by the master and incremented with each new transmission; it links each response to its request (frame traceability). Little-endian.<\/span><\/p>\n<p><b>Parameter length<\/b><span style=\"font-weight: 400;\">: The size of the parameter field, big-endian.<\/span><\/p>\n<p><b>Data length<\/b><span style=\"font-weight: 400;\">: The size of the data field, big-endian.<\/span><\/p>\n<p><b>Error class<\/b><span style=\"font-weight: 400;\">: Only present in acknowledgement (Ack-Data) messages.<\/span><\/p>\n<p><b>Error Code<\/b><span style=\"font-weight: 400;\">: Only present in acknowledgement (Ack-Data) messages.<\/span><\/p>\n<p><b>PARAMETERS AND DATA:<\/b><span style=\"font-weight: 400;\"> The parameter header is specific to the message type; for Job and Ack-Data messages it starts with a function code, and the structure of the remaining fields depends on this value. 
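<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To make the header layout concrete, here is an added Python example (written for this edit; it is not code from the original article, from Snap7 or from PLC4X). It packs and parses the S7 header with its TPKT\/COTP wrapper and then uses it for the two exchanges described under Functions: the Setup Communication negotiation (function 0xf0) and a Read Var request (function 0x04) with an any-type address item for DB1.DBB0. The PLC side is simulated (negotiate simply clamps the proposed PDU length to the value the CPU supports) and the Read Var responses are constructed inline rather than captured from a device.<\/span><\/p>

```python
import struct

S7_PROTO_ID = 0x32
ROSCTR = {0x01: 'Job', 0x02: 'Ack', 0x03: 'Ack-Data', 0x07: 'Userdata'}


def s7_header(rosctr, pdu_ref, param, data=b'', error=None):
    # 10-byte S7 header; Ack/Ack-Data carry two extra bytes (error class, error code).
    hdr = struct.pack('>BBH', S7_PROTO_ID, rosctr, 0)     # protocol id, ROSCTR, reserved
    hdr += struct.pack('<H', pdu_ref)                      # PDU reference is little-endian
    hdr += struct.pack('>HH', len(param), len(data))      # parameter / data lengths, big-endian
    if error is not None:
        hdr += bytes(error)
    return hdr + param + data


def parse_s7(pdu):
    proto, rosctr, _reserved = struct.unpack('>BBH', pdu[:4])
    if proto != S7_PROTO_ID:
        raise ValueError('not an S7comm PDU')
    (pdu_ref,) = struct.unpack('<H', pdu[4:6])
    plen, dlen = struct.unpack('>HH', pdu[6:10])
    off, error = 10, None
    if rosctr in (0x02, 0x03):                             # Ack and Ack-Data have the 12-byte header
        error, off = tuple(pdu[10:12]), 12
    if len(pdu) < off + plen + dlen:
        raise ValueError('truncated PDU')
    return {'type': ROSCTR.get(rosctr, rosctr), 'pdu_ref': pdu_ref, 'error': error,
            'param': pdu[off:off + plen], 'data': pdu[off + plen:off + plen + dlen]}


def wrap_iso(pdu):
    # TPKT (RFC 1006) followed by a COTP data TPDU (LI=2, type 0xF0, EOT bit set).
    cotp = bytes.fromhex('02f080')
    return struct.pack('>BBH', 3, 0, 4 + len(cotp) + len(pdu)) + cotp + pdu


def unwrap_iso(frame):
    version, _reserved, total = struct.unpack('>BBH', frame[:4])
    if version != 3 or total != len(frame):
        raise ValueError('bad TPKT header')
    li = frame[4]                                          # COTP length indicator
    if frame[5] != 0xf0:                                   # only the DT TPDU carries S7 data
        raise ValueError('not a COTP data TPDU')
    return frame[5 + li:]


def setup_comm(pdu_ref, max_amq_calling, max_amq_called, pdu_len, response=False):
    # Function 0xF0: ACK queue sizes (calling / called) and the maximum PDU length, all big-endian.
    param = struct.pack('>BBHHH', 0xf0, 0, max_amq_calling, max_amq_called, pdu_len)
    if response:
        return s7_header(0x03, pdu_ref, param, error=(0, 0))
    return s7_header(0x01, pdu_ref, param)


def parse_setup_comm(param):
    fn, _reserved, calling, called, pdu_len = struct.unpack('>BBHHH', param[:8])
    if fn != 0xf0:
        raise ValueError('not a Setup Communication parameter block')
    return calling, called, pdu_len


def negotiate(client_calling, client_called, client_pdu_len, plc_max_pdu_len=240):
    # Simulated PLC side: it answers with the smaller of the proposed and supported PDU lengths.
    req = setup_comm(0, client_calling, client_called, client_pdu_len)
    calling, called, wanted = parse_setup_comm(parse_s7(unwrap_iso(wrap_iso(req)))['param'])
    resp = setup_comm(0, calling, called, min(wanted, plc_max_pdu_len), response=True)
    return parse_setup_comm(parse_s7(resp)['param'])


def any_item(area, db, start_byte, count, transport=0x02):
    # Any-type item: var spec 0x12, 10 bytes follow, syntax id 0x10 (S7ANY), transport size,
    # element count, DB number, area (0x84 = DB, 0x83 = flags, 0x81/0x82 = inputs/outputs),
    # then a 3-byte address that is the byte offset shifted left by 3 (low 3 bits = bit number).
    return struct.pack('>BBBBHHB', 0x12, 0x0a, 0x10, transport, count, db, area) + (start_byte << 3).to_bytes(3, 'big')


def read_var(pdu_ref, items):
    # Function 0x04 followed by the item count and the address items.
    return s7_header(0x01, pdu_ref, struct.pack('>BB', 0x04, len(items)) + b''.join(items))


def parse_read_var_response(pdu):
    p = parse_s7(pdu)
    fn, count = p['param'][:2]
    if p['type'] != 'Ack-Data' or fn != 0x04:
        raise ValueError('not a Read Var response')
    items, d, off = [], p['data'], 0
    for i in range(count):
        rc, ts, length = struct.unpack('>BBH', d[off:off + 4])
        nbytes = length // 8 if ts in (3, 4, 5) else length  # transport sizes 3-5 give the length in bits
        items.append((rc, d[off + 4:off + 4 + nbytes]))
        pad = nbytes % 2 if i < count - 1 else 0               # odd-length items are padded, except the last
        off += 4 + nbytes + pad
    return p, items


if __name__ == '__main__':
    print('negotiated (calling, called, pdu_len):', negotiate(1, 1, 480))
    job = read_var(6, [any_item(0x84, 1, 0, 2)])               # read 2 bytes at DB1.DBB0
    print('read var request:', wrap_iso(job).hex())
```

<p><span style=\"font-weight: 400;\">The request bytes produced by setup_comm(5, 1, 1, 480) are the 32 01 00 00 05 00 00 08 00 00 f0 00 00 01 00 01 01 e0 sequence that opens practically every S7comm capture; note the little-endian PDU reference (05 00) sitting next to the big-endian lengths, an easy detail to get wrong in a hand-written parser. The negotiated PDU length bounds every later request and response, so reads larger than it have to be split into several Read Var jobs.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">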
This function code determines the purpose of the message and serves as the basis for the message exchanges that follow.<\/span><\/p>\n<h4><b>Functions<\/b><\/h4>\n<p><b>Setup Communication [0xf0]<\/b><\/p>\n<figure id=\"attachment_1072\" aria-describedby=\"caption-attachment-1072\" style=\"width: 677px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1072\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/4.jpeg\" alt=\"\" width=\"677\" height=\"254\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/4.jpeg 677w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/4-300x113.jpeg 300w\" sizes=\"auto, (max-width: 677px) 100vw, 677px\" \/><figcaption id=\"caption-attachment-1072\" class=\"wp-caption-text\">Figure 4. Setup Communication sequence<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Before any other message can be exchanged, client and server (master and slave) exchange this Job and Ack-Data message pair at the beginning of each session. Its purpose is to negotiate the size of the ACK queue and the maximum length of the PDU. The ACK queue length determines the number of parallel Jobs that can be started without waiting for an acknowledgement; the PDU length returned by the server (typically 240, 480 or 960 bytes, depending on the CPU) bounds every later request and response, so a client has to split larger reads and writes accordingly. Both the ACK queue length and PDU length fields are big-endian.<\/span><\/p>\n<p><b>Read\/Write Variable [0x04\/0x05]<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The S7 protocol supports multiple variable read\/write requests in a single message, with different addressing modes. There are three main modes:<\/span><\/p>\n<p><b>Any-type: <\/b><span style=\"font-weight: 400;\">This is the default addressing mode and is used for arbitrary variable queries. The three parameters (area, address, type) are specified for each addressed variable.<\/span><\/p>\n<p><b>Db-type<\/b><span style=\"font-weight: 400;\">: This is a special mode designed to address data block (DB) variables. 
It is more compact than any-type addressing.<\/span><\/p>\n<p><b>Symbolic addressing: <\/b><span style=\"font-weight: 400;\">This mode is used by the S7-1200\/1500 series and allows certain variables to be addressed by their predefined symbolic names. It is rarely seen.<\/span><\/p>\n<p><b>Block Upload\/Download [0x1a-0x1f]<\/b><\/p>\n<p><span style=\"font-weight: 400;\">In Siemens devices, the program code and most of the program data are stored in blocks. These blocks have their own header and encoding format, described in more detail in the official Siemens documentation [4].<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The message exchange sequence can be either an upload, in which the client reads blocks from the PLC (Start Upload 0x1d, Upload 0x1e, End Upload 0x1f), or a download, in which the client writes blocks to the PLC (Request Download 0x1a, Download Block 0x1b, Download Ended 0x1c). The main difference between the two is that in a download the direction of the requests is reversed and &#8220;the slave becomes the master&#8221;: once the client has sent Request Download, it is the PLC that issues the Download Block Job requests and the client that answers each of them with an Ack-Data carrying the block contents. The block data therefore still flows from the PC to the PLC; what changes is which side drives the exchange.<\/span><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_1074\" aria-describedby=\"caption-attachment-1074\" style=\"width: 533px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1074\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/5.jpeg\" alt=\"\" width=\"533\" height=\"601\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/5.jpeg 533w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/5-266x300.jpeg 266w\" sizes=\"auto, (max-width: 533px) 100vw, 533px\" \/><figcaption id=\"caption-attachment-1074\" class=\"wp-caption-text\">Figure 5. Upload block sequence.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_1076\" aria-describedby=\"caption-attachment-1076\" style=\"width: 522px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1076\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/6.jpeg\" alt=\"\" width=\"522\" height=\"571\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/6.jpeg 522w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/6-274x300.jpeg 274w\" sizes=\"auto, (max-width: 522px) 100vw, 522px\" \/><figcaption id=\"caption-attachment-1076\" class=\"wp-caption-text\">Figure 6. Download block sequence.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><b>PLC Control [0x28]<\/b><\/p>\n<p><span style=\"font-weight: 400;\">PLC Control messages execute routines on the slave device that modify its execution or memory state. They are used to start or stop execution of the PLC control program, to activate or delete program blocks in the device, or to save its configuration to persistent memory. Note that none of the Job functions described here (variable reads and writes, block download, PLC Control and PLC Stop) is authenticated beyond the CPU&#8217;s optional access-protection password, which is itself exchanged through the Security function group of Userdata messages; on a CPU without that protection, whoever can reach TCP port 102 can read memory, replace program blocks or stop the CPU.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>PLC Stop [0x29]<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The PLC Stop message is essentially the same as the PLC Control message, with the difference that it carries no parameters and the routine part is always set to P_PROGRAM.<\/span><\/p>\n<h4><b>MSG Type \u2013 Userdata [5]<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">When the message type field is 0x07-Userdata, the format of the parameter and data fields differs from that of a Job request or Ack-Data. 
The fields are as follows:<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Parameters:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Parameter head<\/span><\/i><span style=\"font-weight: 400;\">: constant, always 0x000112<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Parameter length<\/span><\/i><span style=\"font-weight: 400;\">: length of the remaining parameter fields (4 for a request, 8 for a response)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Method<\/span><\/i><span style=\"font-weight: 400;\">: Request (0x11) \/ Response (0x12)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Type<\/span><\/i><span style=\"font-weight: 400;\">: Request (4) \/ Response (8); this is the high nibble of a byte whose low nibble is the Function Group, so a CPU-functions request reads 0x44 and its response 0x84<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Function Group (low nibble of the same byte):<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Programmer commands (0x1)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Cyclic data (0x2)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Block functions (0x3)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">CPU functions (0x4)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Security (0x5, CPU access-protection password)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Time functions (0x7)<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Subfunction<\/span><\/i><span style=\"font-weight: 400;\">: depends on the value of the \u201cFunction Group\u201d field; for CPU Functions:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Read SZL (0x01)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Message service (0x02)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Transition to STOP (0x03)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Alarm was acknowledged in HMI\/SCADA 1<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Alarm was acknowledged in HMI\/SCADA 2<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">PLC is indicating an ALARM message<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">HMI\/SCADA initiating ALARM subscription<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Sequence number<\/span><\/i><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Data unit reference number<\/span><\/i><span style=\"font-weight: 400;\">: (Response only)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Last data unit<\/span><\/i><span style=\"font-weight: 400;\">: (Response only)<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><i><span style=\"font-weight: 400;\">Yes (0x00)<\/span><\/i><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><i><span style=\"font-weight: 400;\">No (0x01)<\/span><\/i><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Error code<\/span><\/i><span style=\"font-weight: 400;\">: (Response only)<\/span><\/li>\n<\/ul>\n<p><b>Data:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Return code<\/span><\/i><span style=\"font-weight: 400;\">:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x00 &#8211; Reserved<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x01 &#8211; Hardware fault<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x03 &#8211; Accessing the object not allowed<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x05 &#8211; Address out of range<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x06 &#8211; Data type not supported<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x07 &#8211; Data type inconsistent<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x0a &#8211; Object does not exist<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0xff &#8211; Success<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Transport size:<\/span><\/i>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span 
style=\"font-weight: 400;\">0x00 &#8211; NULL\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x03 &#8211; BIT\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x04 &#8211; BYTE\/WORD\/DWORD\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x05 &#8211; INTEGER\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x07 &#8211; REAL\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">0x09 &#8211; OCTET STRING<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Length<\/span><\/i><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">SZL-ID<\/span><\/i><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">SZL-Index: <\/span><\/i><span style=\"font-weight: 400;\">With certain partial lists or extracts from partial lists an object type ID or object number must be specified.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Length of a data record of the partial list in bytes: (Response only<\/span><i><span style=\"font-weight: 400;\">)<\/span><\/i><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Number of data records contained in the partial list: (for Response only<\/span><i><span style=\"font-weight: 400;\">)<\/span><\/i><\/li>\n<\/ul>\n<h4><span style=\"font-weight: 400;\">SZL-ID<\/span><\/h4>\n<p><span style=\"font-weight: 400;\">SZLs or SSLs (System Status Lists) are lists describing the current status of a PLC, the contents of which can be read, but not changed.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">These lists are virtual lists that are created by the CPU 
operating system when requested [5]. The information that can be extracted through these SZLs is the following:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">System data<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">CPU configuration<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Priority class status<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Communication<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Status data of CPU modules<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Module diagnostic data<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Diagnostic buffer<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Looking at the fields that make up an SZL-ID, we find the following:<\/span><\/p>\n<figure id=\"attachment_1078\" aria-describedby=\"caption-attachment-1078\" style=\"width: 701px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1078\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/7.jpeg\" alt=\"\" width=\"701\" height=\"222\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/7.jpeg 770w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/7-300x95.jpeg 300w\" sizes=\"auto, (max-width: 701px) 100vw, 701px\" \/><figcaption id=\"caption-attachment-1078\" class=\"wp-caption-text\">Figure 7. SZL-ID fields<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The 16-bit SZL-ID consists of three main fields:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><i><span style=\"font-weight: 400;\">Module class<\/span><\/i><span style=\"font-weight: 400;\"> (4 bits)<\/span><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1106 aligncenter\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/8.jpeg\" alt=\"\" width=\"501\" height=\"108\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/8.jpeg 811w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/8-300x65.jpeg 300w\" sizes=\"auto, (max-width: 501px) 100vw, 501px\" \/><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\">Number of the partial list extract (4 bits): the number of partial list extracts and their meaning depend on the particular system status list to which they belong. With the number of the partial list extract, you specify which subset of a partial list you want to read.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Number of the partial list (8 bits): the partial list number specifies which partial list of the system status list is to be read.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The SZL-ID is followed by the separate 16-bit SZL-Index: with certain partial lists or extracts from partial lists, an object type ID or object number must be specified in it.<\/span><\/p>\n<figure id=\"attachment_1108\" aria-describedby=\"caption-attachment-1108\" style=\"width: 701px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1108\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/9.jpeg\" alt=\"\" width=\"701\" height=\"209\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/9.jpeg 1246w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/9-300x90.jpeg 300w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/9-1024x306.jpeg 
1024w\" sizes=\"auto, (max-width: 701px) 100vw, 701px\" \/><figcaption id=\"caption-attachment-1108\" class=\"wp-caption-text\">Figure 8. Traffic capture.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">As can be seen in Figure 8 (packets 10 and 11), the first thing that happens before any other S7 message is exchanged is the Job \/ Ack-Data pair that sets the size of the ACK queue and the maximum PDU length.<\/span><\/p>\n<figure id=\"attachment_1080\" aria-describedby=\"caption-attachment-1080\" style=\"width: 621px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1080\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/10.jpeg\" alt=\"\" width=\"621\" height=\"318\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/10.jpeg 617w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/10-300x154.jpeg 300w\" sizes=\"auto, (max-width: 621px) 100vw, 621px\" \/><figcaption id=\"caption-attachment-1080\" class=\"wp-caption-text\">Figure 9. Job Request (master, ASUSTekC)<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_1082\" aria-describedby=\"caption-attachment-1082\" style=\"width: 552px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1082\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/11.jpeg\" alt=\"\" width=\"552\" height=\"314\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/11.jpeg 552w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/11-300x171.jpeg 300w\" sizes=\"auto, (max-width: 552px) 100vw, 552px\" \/><figcaption id=\"caption-attachment-1082\" class=\"wp-caption-text\">Figure 10. ACK Data (slave, Siemens)<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The two images above show the parameters described earlier for the Setup Communication function, such as Protocol ID = 0x32 and the Job (0x01) and Ack-Data (0x03) message types.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Once the connection is established, request\/response pairs of message type 0x07 Userdata start to be exchanged, through which the client performs &#8220;Read SZL&#8221; (System Status List) functions. Based on what was discussed in the previous chapter about how SZLs (or SSLs) work, it is possible to deduce which operations are being performed in the selected capture and to extract information from it; Wireshark itself also identifies which operation corresponds to each SZL-ID:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In packet 17 (Figure 8) the client sends SZL-ID (SSL-ID) = 0x0000, which returns the IDs of all the lists the PLC supports:<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">SZL-ID: 0x0000, Diagnostic type: CPU, Number of the partial list extract: All SZL partial lists of the module, Number of the partial list: List of all the SZL-IDs of a module.<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">Below is a sample of the lists returned by the server:<\/span><\/p>\n<figure id=\"attachment_1084\" aria-describedby=\"caption-attachment-1084\" style=\"width: 699px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1084\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/12.jpeg\" alt=\"\" width=\"699\" height=\"298\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/12.jpeg 960w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/12-300x128.jpeg 300w\" 
sizes=\"auto, (max-width: 699px) 100vw, 699px\" \/><figcaption id=\"caption-attachment-1084\" class=\"wp-caption-text\">Figura 11. SZL-IDs (SSL-IDs) disponibles en el esclavo.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">From here you can extract important information as you can see below; after the previous query of all existing SSLIDs, one of them is SSL-ID=0x111, which corresponds to Diagnostic type: CPU, Number of the partial list extract: A single identification data record, Number of the partial list: Module identification<\/span><i><span style=\"font-weight: 400;\">.<\/span><\/i><\/p>\n<figure id=\"attachment_1086\" aria-describedby=\"caption-attachment-1086\" style=\"width: 705px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1086\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/13.jpeg\" alt=\"\" width=\"705\" height=\"78\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/13.jpeg 994w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/13-300x33.jpeg 300w\" sizes=\"auto, (max-width: 705px) 100vw, 705px\" \/><figcaption id=\"caption-attachment-1086\" class=\"wp-caption-text\">Figura 12. ZL-ID=0x111.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_1088\" aria-describedby=\"caption-attachment-1088\" style=\"width: 700px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1088\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/14.jpeg\" alt=\"\" width=\"700\" height=\"196\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/14.jpeg 1003w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/14-300x84.jpeg 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><figcaption id=\"caption-attachment-1088\" class=\"wp-caption-text\">Figura 13. 
Solicitud informaci\u00f3n del m\u00f3dulo del esclavo.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_1090\" aria-describedby=\"caption-attachment-1090\" style=\"width: 700px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1090\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/15.jpeg\" alt=\"\" width=\"700\" height=\"279\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/15.jpeg 969w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/15-300x120.jpeg 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><figcaption id=\"caption-attachment-1090\" class=\"wp-caption-text\">Figura 14. Informaci\u00f3n del m\u00f3dulo devuelta por el esclavo.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">As can be seen in the two figures above, the slave returns hardware information: 6ES7151-8AB01-0AB0. If you do a quick Google search, you can find out which specific device is communicating, as it also returns the OS version value (3). According to the search, the device involved is the following: SIMATIC DP, IM151-8 PN\/DP CPU for ET 200S, 192 KB working memory, PROFINET int. interface (with three RJ45 ports) as IO controller, no battery MMC required. 
[7]<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It can be seen from Figure 16 that the module name is indeed IM151-8 PN\/DP CPU.\u00a0<\/span><\/p>\n<figure id=\"attachment_1092\" aria-describedby=\"caption-attachment-1092\" style=\"width: 701px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1092\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/16.jpeg\" alt=\"\" width=\"701\" height=\"155\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/16.jpeg 832w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/16-300x66.jpeg 300w\" sizes=\"auto, (max-width: 701px) 100vw, 701px\" \/><figcaption id=\"caption-attachment-1092\" class=\"wp-caption-text\">Figura 15. Versi\u00f3n de firmware.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_1094\" aria-describedby=\"caption-attachment-1094\" style=\"width: 699px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1094\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/17.jpeg\" alt=\"\" width=\"699\" height=\"301\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/17.jpeg 771w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/17-300x129.jpeg 300w\" sizes=\"auto, (max-width: 699px) 100vw, 699px\" \/><figcaption id=\"caption-attachment-1094\" class=\"wp-caption-text\">Figura 16. 
Nombre del m\u00f3dulo.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_1096\" aria-describedby=\"caption-attachment-1096\" style=\"width: 700px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1096\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/18.jpeg\" alt=\"\" width=\"700\" height=\"355\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/18.jpeg 761w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/18-300x152.jpeg 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><figcaption id=\"caption-attachment-1096\" class=\"wp-caption-text\">Figura 17. N\u00famero de serie, m\u00f3dulo y tarjeta de memoria.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The status of the system&#8217;s LEDs is also read out:<\/span><\/p>\n<figure id=\"attachment_1098\" aria-describedby=\"caption-attachment-1098\" style=\"width: 701px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1098\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/19.jpeg\" alt=\"\" width=\"701\" height=\"261\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/19.jpeg 913w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/19-300x112.jpeg 300w\" sizes=\"auto, (max-width: 701px) 100vw, 701px\" \/><figcaption id=\"caption-attachment-1098\" class=\"wp-caption-text\">Figura 18. 
Estado LEDs.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">In addition, it has been possible to read the internal clocks of the system:<\/span><\/p>\n<figure id=\"attachment_1100\" aria-describedby=\"caption-attachment-1100\" style=\"width: 549px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1100\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/20.jpeg\" alt=\"\" width=\"549\" height=\"414\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/20.jpeg 549w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/20-300x226.jpeg 300w\" sizes=\"auto, (max-width: 549px) 100vw, 549px\" \/><figcaption id=\"caption-attachment-1100\" class=\"wp-caption-text\">Figura 19. Reloj interno.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">You can even read an extract from the device&#8217;s diagnostic logs:<\/span><\/p>\n<figure id=\"attachment_1102\" aria-describedby=\"caption-attachment-1102\" style=\"width: 804px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1102\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/21.jpeg\" alt=\"\" width=\"804\" height=\"351\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/21.jpeg 804w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/21-300x131.jpeg 300w\" sizes=\"auto, (max-width: 804px) 100vw, 804px\" \/><figcaption id=\"caption-attachment-1102\" class=\"wp-caption-text\">Figura 20. Logs de diagn\u00f3stico.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Furthermore, as can be seen in Figure 20, through the SZL-ID=0x00a0 it is even possible to extract the existing entries in the diagnostic buffer and read each one of them; in this particular case, it can be seen that on 20 August 2014 at 11:53, an event &#8220;Mode transition from STARTUP to RUN&#8221; was generated. 
The following figure includes more existing events in the buffer:<\/span><\/p>\n<figure id=\"attachment_1104\" aria-describedby=\"caption-attachment-1104\" style=\"width: 700px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-1104\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/22.jpeg\" alt=\"\" width=\"700\" height=\"417\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/22.jpeg 786w, https:\/\/inprotech.es\/wp-content\/uploads\/2023\/01\/22-300x179.jpeg 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><figcaption id=\"caption-attachment-1104\" class=\"wp-caption-text\">Figura 21. Logs de diagn\u00f3stico.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<h2><b>Conclusions<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Although the latest version of the S7 protocol (S7 Comm Plus) has encryption and authentication mechanisms,<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Its use is not yet widespread and it is still common to find the S7-ISOonTCP protocol (S7 which has been the subject of analysis in this article).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As could be seen in the analysis of the capture, the information exchanged between master and slave is in plain text so that all the information sent between the two can be captured.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This protocol, as it does not have authentication, allows an attacker who has access to the network where the master and slave (PC and PLC) are located, to sniff network traffic and obtain valuable information from the PLC so that, once the IP address of the PLC and the model and\/or firmware version have been identified, a search for vulnerabilities that could affect this device can be carried out.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In addition, Siemens devices by default use tcp port 102 to run their services, so you could also use an nmap query targeting only port 102 on an 
entire network to get information about devices that may be behind this port.<\/span><\/p>\n<h2><b>Referencias<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">[1] <a href=\"https:\/\/support.industry.siemens.com\/cs\/document\/26483647\/what-properties-advantages-and-special-features-does-the-s7-protocoloffer-?\">https:\/\/support.industry.siemens.com\/cs\/document\/26483647\/what-properties-advantages-and-special-features-does-the-s7-protocoloffer-?<\/a><\/span><span style=\"font-weight: 400;\">dti=0&amp;lc=en-WW<\/span><\/p>\n<p><span style=\"font-weight: 400;\">[2] <\/span><a href=\"http:\/\/snap7.sourceforge.net\/\"><span style=\"font-weight: 400;\">http:\/\/snap7.sourceforge.net\/<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">[3] <\/span><a href=\"https:\/\/plc4x.incubator.apache.org\/protocols\/s7\/index.html\"><span style=\"font-weight: 400;\">https:\/\/plc4x.incubator.apache.org\/protocols\/s7\/index.html<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">[4] <\/span><a href=\"https:\/\/support.industry.siemens.com\/cs\/document\/45531107\/simatic-programming-with-step-7-v5-5?dti=0&amp;lc=en-WW\"><span style=\"font-weight: 400;\">https:\/\/support.industry.siemens.com\/cs\/document\/45531107\/simatic-programming-with-step-7-v5-5?dti=0&amp;lc=en-WW<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">[5] System Software for S7-300\/400 System and Standard Functions Volume \u00bd, <\/span><a href=\"https:\/\/readthedocs.web.cern.ch\/download\/attachments\/21177680\/SIEMENS%20S7%20-%20SZL%20addresses%20guide.pdf?version=1&amp;modificationDate=1403874207000&amp;api=v2\"><span style=\"font-weight: 400;\">https:\/\/readthedocs.web.cern.ch\/download\/attachments\/21177680\/SIEMENS%20S7%20-%20SZL%20addresses%20guide.pdf?version=1&amp;modificationDate=1403874207000&amp;api=v2<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">[6] <a 
href=\"https:\/\/wiki.wireshark.org\/SampleCaptures#s7comm-s7-communication\">https:\/\/wiki.wireshark.org\/SampleCaptures#s7comm-s7-communication<\/a><\/span><\/p>\n<p><span style=\"font-weight: 400;\">[7] <a href=\"https:\/\/mall.industry.siemens.com\/mall\/es\/es\/Catalog\/Product\/6ES7151-8AB01-0AB0\">https:\/\/mall.industry.siemens.com\/mall\/es\/es\/Catalog\/Product\/6ES7151-8AB01-0AB0<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":1112,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[54,17],"tags":[]}