protocols

ICS Protocols

Developed as a community asset

General / Miscellaneous Releases

• ICS System Ports List - This is a list of common ICS tcp/udp ports.
• PoC 2013 SCADA Release - Power of Community 2013 conference special release of ICS/SCADA toolkit
• Industrial Control Systems Network Protocol Parsers (ICSNPP) - DHS CISA Industrial Control Systems protocol parsers plugins for the Zeek network security monitoring framework
• Triangle Microworks DTM - Distributed Test Manager (DTM) is a Windows® application that can simulate the SCADA communications in the substation and perform automated tests to confirm system or individual device behavior. commercial
• Awesome Industrial Protocols - Offensive security-oriented list of industrial network protocols resources, by Orange Cyberdefense Team.

AMI

• C1218 Termineter - c1218 powermeter emulator
• Newer Termineter - Smart Meter Security Testing Framework
• Kamstrup Meter Protocol (KMP) - TCP/IP Kamstrup Meter Protocol (KMP) implementation

BACnet

Protocol Implementation

• Public Review of ASHRAE Standards - A way to read some of the ASRAE standards that are out for public review.
• BACpypes - BACpypes provides a BACnet application layer and network layer written in Python for daemons, scripting, and graphical interfaces.
• BACnet SC Reference Implementation - BACnet Secure Connect Reference Implementation. More details about the standard here. Wireshark dissector docs here
• BACnet Stack - C stack for BACnet

Protocol Parsers

• zeek plugin bacnet - BACnet Zeek Plugin from Amazon
• yet another zeek plugin bacnet - BACnet Zeek Plugin by Aaron Heller + SANS whitepaper
• ICSNPP Bacnet for Zeek - DHS CISA Bacnet parser for Zeek

Fuzzing

• Fuzzowski - partially implemented BACnet fuzzing

Bristol Standard Asynchronous Protocol (BSAP)

• ICSNPP BSAP IP for Zeek - DHS CISA BSAP plugin for Zeek

DNP3

Protocol Implementation

• OpenDNP3 - Opendnp3 is the de facto reference implementation of IEEE-1815 (DNP3) provided under the Apache License.
• pydnp3 wrapper - Python wrapper for opendnp3
• DNP3 Simulator - Graphical DNP3 Master/Outstation simulator
• PIFaceRTU - Opendnp3 running on a Raspberry Pi with Piface I/O board
• LangSec DNP3 Parser - Parsing DNP3 using parser combinators in C.
• Proxyd - TCP Proxy for testing hammer based parsers (such as the DNP3 parser above)
• ICSNPP DNP3 for Zeek - DHS CISA DNP3 logging extensions to Zeek
• dnp3 - rust implementation - Rust implementation of DNP3 (IEEE 1815) with idiomatic bindings for C, .NET, and Java

Traffic Generation

• DNP3 Traffic Generation - OpenDNP3-based traffic generation that can take a profile of traffic, apply scriptable variation, and result in output of DNP3 traffic matching that profile.
• DNP3Crafter - DNP3Crafter is a very simple Python script which use sockets to send precalculated DNP3 packets over TCP and allows you to choose the number of repetitions. It's use is designed for testing purposes.

Fuzzing

• AEGIS Fuzzer - Aegis™ is a smart fuzzing framework for a growing number of protocols that can identify robustness and security issues in communications software before it is deployed in a production system. [commercial] Early Open Source version is mirrored here: Open-Source.
• ICSFuzz - an PLC-side fuzzing tool for uncovering vulnerabilities in ICS control applications.

Ethercat

• ICSNPP Ethercat for Zeek - DHS CISA Ethercat plugin for Zeek

Ethernet/IP and CIP

• EtherNet/IP+CIP dissector for Scapy - a Python library which can be used to interact with components of a network using ENIP (Ethernet/IP) and CIP (Common Industrial Protocol) protocols. It uses scapy to implement packet dissectors which are able to decode a part of the network traffic. These dissectors can also be used to craft packets, which allows directly communicating with the PLCs (Programmable Logic Controllers) of the network. Use case
• Scapy implementation of DLR (Device Level Ring) protocol
• Zeek implementation for ethernet/ip - This repository contains the necessary files in order to inspect Ethernet/IP and Common Industrial Protocol packets with Zeek.
• CPPPO - Communications Protocol Python Parser and Originator (EtherNet/IP CIP implementation) - Cpppo is used to implement binary communications protocol parsers. The protocol’s communication elements are described in terms of state machines which change state in response to input events, collecting the data and producing output data artifacts.
• pycomm - pycomm is a package that includes a collection of modules used to communicate with PLCs. At the moment the first module in the package is ab_comm. ab_comm is a module that contains a set of classes used to interface Rockwell PLCs using Ethernet/IP protocol. The "clx" class can be used to communicate with Compactlogix, Controllogix PLCs The "slc" can be used to communicate with Micrologix or SLC PLCs
• pycomm3 - A Python Ethernet/IP library for communicating with Allen-Bradley PLCs.
• pyCIP - CIP protocol implementation in Python3
• zeek plugin enip - EthernetIP Zeek Plugin from Amazon
• ICSNPP ENIP and CIP for Zeek - DHS CISA ENIP and CIP plugin for Zeek
• Molex EtherNet/IP Tool - The EtherNet/IP tool (EIPTool) is a small and simple helper tool which assists to explore CIP objects of EtherNet/IP nodes, without having any EDS files. It uses the explicit messaging to read and write CIP attributes.
• Claroty ENIP / CIP Stack Detector - EtherNet/IP & CIP Stack Detector that can help both cyber-security researchers, OT engineers, and asset owners to identify devices that are running a specific EtherNet/IP protocol stack.

Genisys

• ICSNPP Genisys for Zeek - DHS CISA Genisys plugin for Zeek

IEC 104

• IEC Server - Software to simulate server side of systems using a telecontrol message Protocol specified in the IEC 60870-5. Original website http://area-x1.lima-city.de is down, so this has been mirrored.
• OpenMRTS - MRTS is an attempt to create open source IEC 870-5-101/104 based components for telecontrol and supervisory systems and to become a complete solution in future.
• QTester104 - This software implements the IEC60870-5-104 protocol (client side) for substation data acquisition and control via tcp/ip network using the QT UI Framework. It can be compiled on Linux and Windows platforms. It's possible to poll and view data from the substation system (RTU/concentrator) and also send commands.
• lib60870 - Implements IEC 60870-5-104 protocol.

IEC 61850

Protocol Implementation

• libIEC61850 - open source library for IEC 61850.
• rapid61850 - Rapid-prototyping protection and control schemes with IEC 61850

Tools

• IEDScout - IEDScout provides access to 61850-based IEDs and can simulate entire Ed. {1,2} IEDs. Specifically, IEDScout lets you look inside the IED and at its communication. All data modeled and exchanged becomes visible and accessible. Additionally, IEDScout serves numerous useful tasks, which could otherwise only be performed with dedicated engineering tools or even a functioning master station. IEDScout shows an overview representing the typical workflow of commissioning, but also provides detailed information upon request. [commercial] Free 30 day evaluation license.
• Goose-Stalker - Goose-Stalker is a project to analyze and interact with Ethernet types associated with IEC 61850. Currently, the project is focused on Ethernet type 0x88b8 as published by the goose-IEC61850-scapy. The project has morphed significantly and the direction is to progress this even further.

Traffic Generation

• IEC 61850 Toolchain - This toolchain aims to enable users (e.g., power grid operators) to easily create customized datasets for the validation of cybersecurity solutions for IEC 61850 communication-based substations. This toolchain processes different inputs (e.g., substation configurations, attack configurations, and simulation settings) and carries out the necessary processing steps needed for generating the customized datasets. This toolchain is basing on an open source project libIEC61850.

IEEE C37.118

Protocol Implementation

• C37.118-2005 Spec -- C37.118-2005 (deprecated). Note, this is a paid IEEE spec
• C37.118-2011 Spec -- C37.118-2011 (current). Note, this is a paid IEEE spec
• pyMU - Python C37.118-2011 parser
• pyPMU - WIP Python implementation
• Wireshark Dissector - Implemented C37.118 wireshark dissector
• Grid Solutions Framework C37.118 - GSF implementation (.net)
• LangSec C37.118 Parser - LangSec based C37.118 parser
• ICSNPP Synchrophasor parser for Zeek - DHS CISA C37.118 parser for Zeek

Tools

• pyMU - Python C37.118-2011 parser
• pyPMU - WIP Python implementation
• PMU Connection Tester - Full fledged PMU connection tester, speaking c37.118 amongst many other synchrophasor protocols

LoRaWAN

Tools

• chirpotle - A LoRaWAN Securiy Evaluation Framework

Modbus

Protocol Implementation

• pyModBus - A full modbus protocol written in python.
• Go modbus - modbus write in pure go, support rtu,ascii,tcp master library,also support tcp slave.
• Modbus for Go - Fault-tolerant implementation of modbus protocol in Go (golang)
• ModbusPal - ModbusPal is a MODBUS slave simulator. Its purpose is to offer an easy to use interface with the capabilities to reproduce complex and realistic MODBUS environments. Mirror available here.
• SMOD - MODBUS Penetration Testing Framework. smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest modbus protocol. It is a full Modbus protocol implementation using Python and Scapy. (mirrored as original source is now gone)
• mbtget - A simple modbus/TCP client write in pure Perl.
• ICSNPP Modbus for Zeek - DHS CISA Modbus extensions to logging for Zeek
• rodbus - Rust implementation of Modbus with idiomatic bindings for C, C++, .Net, and Java

Traffic Generation

• Modbus Traffic Generation - pyModbus-based traffic generation that can take a profile of traffic, apply scriptable variation, and result in output of Modbus traffic matching that profile.

Fuzzing

• AEGIS Fuzzer - Aegis™ is a smart fuzzing framework for a growing number of protocols that can identify robustness and security issues in communications software before it is deployed in a production system. [commercial] Early Open Source version is mirrored here: Open-Source.
• Modbus Fuzzer - Modbus Protocol Fuzzer
• Modbus network fuzzer - The modbus network fuzzer uses Boofuzz for the fuzzing of the protocol (By Søren Knudsen)
• Fuzzowski - partially implemented Modbus fuzzing

Multispeak

Protocol Implementation

• Multispeak - Implementation of multispeak protocol.
• Simple-Mutlispeak - a simple, extendable, interface for communicating with a webservice implementing the Multispeak Standard.
• MS-SPEAK - Multi-Speak - Secure Protocol Enterprise Access Kit. Note, check the Phase 3 branch for more current development.

OPC UA

Protocol Implementation

• OPC UA .Net Standard - Official OPC UA .Net Standard Stack and Samples from the OPC Foundation
• OPC UA Client GUI - A simple OPC-UA GUI client.
• OPC UA Server Simulator - Simulate real-time and historical data using OPC UA Server Simulator.
• OPC UA Server and Client C++ Libraries - LGPL OPC-UA server and client library written in C++ and with a lot of code auto-generated from xml specification using python.
• ICSNPP OPC-UA Binary parser for Zeek - DHS CISA OPC UA Binary protocol parser for Zeek

Tools

• OpalOPC - An OPC UA vulnerability and misconfiguration scanner. [commercial] Free for non-commercial use.

OpenADR

Protocol Implementation / Tools

• OpenADR 2.0a VEN Python - EnerNOC Open Source Python OpenADR 2.0a VEN client implementation
• EPRI OpenADR VTN Implementation - OpenADR 2.0 Profile Specification B Profile for virtual top node implementation.
• OpenADR Java Implementation - OpenADR minimal VEN / VTN 2.0a / 2.0b skeleton implementations in Java
• Node-Red Implementation - Node-Red OADR2 VEN Implementation w/ HTTP transport

PROFINET

Protocol Implementation

• Profinet - Python - Simple PROFINET implementation in python
• Profinet - C - PROFINET implementation in C
• Profinet Explorer - Simple PROFINET explorer written in C#
• zeek plugin Profinet - PROFINET Zeek Plugin from Amazon
• PROFINET GSD Checker - Free tool to show and edit the content of GSD files for PROFINET in an easy to understand table view. It also contains a function to check the accuracy of GSD files which helps to build a valid description file.

Fuzzing

• ProFuzz - Simple PROFINET fuzzer based on Scapy

SEL Fast Message

• Wireshark Dissector - SEL Fast Message - Wireshark Dissector for SEL Fast Message
• Grid Solutions Framework SEL Fast Message - GSF implementation (.net)
• SEL Applications Guides - Look up AG95-10 and AG2002-14 product codes.
• SELProtoPy - Schweitzer Engineering Laboratories (SEL) Protocol Bindings in Python. Implements SEL Fast Meter, Fast Message, and Fast Operate.

Siemens S7

• Snap7 - open source Siemens S7 communication library.
• LibNoDave - Another (less complete) open source communication library for the S7 protocol.
• S7comm - open source Wireshark dissector plugin for the Siemens S7 protocol.
• Python Snap7 Wrapper - A Python wrapper for the snap7 PLC communication library
• Zeek-IDS S7 Protocol Parser - S7 protocol parser for Zeek IDS
• zeek plugin s7 - S7 Zeek Plugin from Amazon
• SPPA S7 Data port dissector - SPPA-T3000 Automation server (PLC) dissector + whitepaper by Kaspersky Security Services team
• ICSNPP S7comm parser for Zeek - DHS CISA S7comm parser for Zeek

SSP21

• SSP21 - Specification - SSP21 specification
• SSP21 - C++ - SSP21 reference implementation in C++
• SSP21 - Rust - SSP21 core library in Rust

TriStation

• FireEye TriStation Wireshark Dissector - reverse engineered wireshark dissector from Mandiant/FireEye team after Triton discovery.
• Nozomi TriStation Wireshark Dissector - another TriStation dissector, this time from Nozomi, also incldues pcap, and basic honeypot simulator.

Zigbee

• Killerbee - IEEE 802.15.4/ZigBee Security Research Toolkit.

General Protocol Fuzzing

• AFL - American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary.

• WinAFL - AFL that works for Windows binaries.

(creative commons license)