Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix Parser for ModuleIdentificationRequest of s7 Protocol #423

Merged
merged 5 commits into from
Apr 22, 2024

Conversation

developStorm
Copy link
Member

@developStorm developStorm commented Apr 17, 2024

Rewrote response parser with information provided in the issue. Resolves #212.

Tested against some real S7 modules and appears to work, absolutely makes more sense than the original code. However, would be great if we can confirm on a device we control.

Also, ModuleId field in type S7Log struct formerly reflects "Order number of the module". This behavior is kept in current version for forward compatibility but not sure if we should rename it to sth else.

Copy link
Contributor

@phillip-stephens phillip-stephens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor nitpicks, looks great overall for code quality + documentation.

To be perfectly honest, I've been unable to convince myself that I understand the Index W#16#XY format that Siemens is using and haven't found any guides online. Like for example, Index W#16#0006 and W#16#0007: remaining numbers of the version ID, does this refer to bits 6 and 7? The use of the word "index" makes me think it's referring to a specific bit in the word, but that seems very arbitrary for a 16 bit value. I'm unsure what else it could mean, but also don't feel confident in it being bits 6 and 7.

If you found some better explanations in your digging, lmk, otherwise IMO we should wait for a real Siemens device to test against to confirm understanding.

modules/siemens/s7.go Outdated Show resolved Hide resolved
modules/siemens/s7.go Show resolved Hide resolved
modules/siemens/s7.go Outdated Show resolved Hide resolved
modules/siemens/s7.go Show resolved Hide resolved
modules/siemens/s7.go Outdated Show resolved Hide resolved
developStorm and others added 3 commits April 17, 2024 15:53
Co-authored-by: Phillip Stephens <phillip@cs.stanford.edu>
Co-authored-by: Phillip Stephens <phillip@cs.stanford.edu>
@phillip-stephens phillip-stephens self-requested a review April 22, 2024 18:58
Copy link
Contributor

@phillip-stephens phillip-stephens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for your work on this

@phillip-stephens phillip-stephens merged commit 17c73ee into master Apr 22, 2024
2 checks passed
@Valentinbist
Copy link

I was just reminded to this. I wrote an s7 Parser some years ago and did some larger measurements.

I also used the "Indexes 6 and 7", but also found an additional one, "129", which was so common, that I added it.

	switch int(s7Packet.Data[((i-1)*28 + S7_DATA_BYTE_OFFSET+1)]){
	case 1:
		logStruct.ModuleId = string(s7Packet.Data[((i-1)*28 + S7_DATA_BYTE_OFFSET+2):((i-1)*28 + S7_DATA_BYTE_OFFSET+22)])
		major := s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-3)]
		minor := s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-2)]
		patch := s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-1)]
		logStruct.VersionModule = fmt.Sprintf("%d.%d.%d", major, minor, patch)
		logStruct.VersionModuleByte = string(s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-4)])
	case 6:
		logStruct.Hardware = string(s7Packet.Data[((i-1)*28 + S7_DATA_BYTE_OFFSET+2):((i-1)*28 + S7_DATA_BYTE_OFFSET+22)])
		major := s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-3)]
		minor := s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-2)]
		patch := s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-1)]
		logStruct.VersionHardware = fmt.Sprintf("%d.%d.%d", major, minor, patch)
		logStruct.VersionHardwareByte = string(s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-4)])
	case 7:
		logStruct.Firmware = string(s7Packet.Data[((i-1)*28 + S7_DATA_BYTE_OFFSET+2):((i-1)*28 + S7_DATA_BYTE_OFFSET+22)])
		major := s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-3)]
		minor := s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-2)]
		patch := s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-1)]
		logStruct.Version = fmt.Sprintf("%d.%d.%d", major, minor, patch)
		logStruct.VersionByte = string(s7Packet.Data[(i*28 + S7_DATA_BYTE_OFFSET-4)])
	case 129:
		logStruct.Unknown11 = string(s7Packet.Data[((i-1)*28 + S7_DATA_BYTE_OFFSET+2):((i)*28 + S7_DATA_BYTE_OFFSET)])
		major := s7Packet.Data[((i-1)*28 + S7_DATA_BYTE_OFFSET)]
		minor := s7Packet.Data[((i-1)*28 + S7_DATA_BYTE_OFFSET+1)]
		logStruct.Unknown11num = fmt.Sprintf("%d%d", major, minor)
	default:
		logStruct.Unknown112 = string(s7Packet.Data[((i-1)*28 + S7_DATA_BYTE_OFFSET+2):((i)*28 + S7_DATA_BYTE_OFFSET)])
		major := s7Packet.Data[((i-1)*28 + S7_DATA_BYTE_OFFSET)]
		minor := s7Packet.Data[((i-1)*28 + S7_DATA_BYTE_OFFSET+1)]
		logStruct.Unknown112num = fmt.Sprintf("%d%d", major, minor)
	}

(Sorry for the dodgy quality, it was my first go code written in a nighty hurry...)

Some documentation I wrote back in the day:

s7_scanner_info.pdf

The source of the Siemens data was:
Siemens. System Software for S7-300/400 System and Standard Functions . Technical report, Siemens, 2010.

I can also recommend getting an account at https://support.industry.siemens.com/cs/start?lc=de-DE, to get the manuals.

This code was stable enough to conduct Interner-wide Measurements and the resulting IDs and numbers were checked against expected Siements behaviour (such as "legal and existing" patch levels and device IDs) and verififed as far as possible to detect honeypots.
Maybe that helps you!

@phillip-stephens phillip-stephens deleted the fix/s7-module-versions branch April 23, 2024 22:44
@developStorm
Copy link
Member Author

@Valentinbist Thank you for sharing all these details! These are really helpful and we'll patch our parser accordingly soon. Btw, did the unknown11 field help in your analysis of your scan results? Do you think it would be good if we were to include it in ZGrab output?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

siemens module firmware version
3 participants