Enumerating Siemens SIMATIC S7 PLCs
Siemens S7 PLC devices from the S7 300/400 family use the S7comm protocol for PLC programming, data exchange between PLCs and SCADA systems, and diagnostics. These devices normally listen on port 102 (iso-tsap), and with help from the Nmap Scripting Engine we can use some of the diagnostic functions to obtain information from the devices.
This recipe shows you how to enumerate Siemens S7 PLC devices with Nmap.
How to do it...
Open your terminal and enter the following Nmap command:
$ nmap -Pn -sT -p102 --script s7-info <target>
The s7-info script will obtain device information, as shown next:
PORT    STATE SERVICE
102/tcp open  iso-tsap
| s7-info:
|   Module: 6ES7 420-2FK14-1DB3
|   Basic Hardware: 6ES7 420-2FK14-1DB3
|   Version: 3.2.11
|   System Name: SIMATIC 300(1)
|   ...
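When the scan covers many PLCs, the s7-info block per host is easier to use as an asset inventory than as raw text. The following added example (not part of the recipe or of Nmap itself) parses Nmap's normal output into one record per host that answered the script; the scan output it runs on is a constructed sample with made-up addresses, using the field names shown above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of Nmap normal output for two hosts (not a real scan);
# the s7-info field names follow the output shown in the recipe.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.0.0.5
PORT    STATE SERVICE
102/tcp open  iso-tsap
| s7-info:
|   Module: 6ES7 420-2FK14-1DB3
|   Basic Hardware: 6ES7 420-2FK14-1DB3
|   Version: 3.2.11
|_  System Name: SIMATIC 300(1)

Nmap scan report for 10.0.0.9
PORT    STATE SERVICE
102/tcp closed iso-tsap
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Script lines look like "|   Key: value"; the last one uses "|_" instead of "| ".
FIELD_RE = re.compile(r"^\|[_ ]\s*([^:]+):\s*(.*)$")


def parse_s7_info(text: str) -> List[Dict[str, str]]:
    """Return one inventory record per host that produced s7-info output.

    Each record holds the host address plus every 'Key: value' line the
    script printed. Hosts whose port 102 was closed, or that gave no
    script output, are skipped.
    """
    records: List[Dict[str, str]] = []
    host: Optional[str] = None
    in_script = False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, in_script = m.group(1), False
            continue
        if line.startswith("| s7-info:"):
            in_script = True
            records.append({"host": host or "unknown"})
            continue
        if in_script:
            m = FIELD_RE.match(line)
            if m:
                records[-1][m.group(1).strip()] = m.group(2).strip()
            if not line.startswith("|") or line.startswith("|_"):
                in_script = False  # end of this host's script block
    return records


if __name__ == "__main__":
    for rec in parse_s7_info(SAMPLE_OUTPUT):
        print(rec)
```

Feed it a saved `-oN` file instead of the sample to build the inventory for a real scan.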