Developed as a community asset
- Cutaway Security Tools and Scripts - Scripts and other tools to help parse data or gather information.
- ICS Security Resources - Various wordlists, models, tools, and scripts from academic work.
- CISA - Free Cybersecurity Services and Tools - This living repository includes cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.
- Modshaft - Modshaft is an IP-over-Modbus/TCP tunnel. It is useful for evading application-layer firewalls.
- ICS Evasion Attacks - Implementation of white box and black box classifier evasion from SUTD. Paper in repo.
- Modbus-VCR - The Modbus VCR records and replays Modbus traffic
- Ettercap plugin for IEC 60870-5-104 - Ettercap Plugin for Man-In-The-Middle Attacks on IEC 60870-5-104
- PlcInjector - Modbus stager in assembly and some scripts to upload/download data to the holding register of a PLC. More info here.
- plcinject - S7 PLC injection using Snap7
- Sixnet Tools - Tool for exploiting sixnet RTUs
- ICS Exploits - Industrial Army
- Defcon26 Tools - Tools demonstrated at DEF CON 26 talk "Hacking PLCs and Causing Havoc on Critical Infrastructures"
- Metasploit - Exploitation framework.
- Bettercap - A complete, modular, portable and easily extensible MITM framework.
- ISF (Industrial Exploitation Framework) - an exploitation framework based on open source project routersploit
- ISF(Industrial Security Exploitation Framework) - ISF(Industrial Security Exploitation Framework) is an exploitation framework based on Python, claiming to be based on the NSA Equation Group Fuzzbunch toolkit, developed by the ICSMASTER team.
- EtherSploit/IP - An interactive shell with a bunch of helpful commands to exploit EtherNet/IP vulnerabilities (more specifically Allen-Bradley MicroLogix implementation of ENIP)
- SIMATIC-SMACKDOWN - enumerates networks for S7 devices before launching a distributed attack to STOP PLC CPUs
- Gleg SCADA+ Pack - Commercial
- S7 Metasploit pack - Initial s7 metasploit modules.
- Schneider Electric PLC / Modbus modules from DEFCON 25 - Downloading a program from the PLC, gathering information about the PLC and forcing the values of the digital outputs, START/STOP
- IEC 104 Module - IEC104 Client for Metasploit merged into mainline
- random modbus tools - ICS Village talk at DEFCON 25
- Tenable PoCs
- VServer - CVE-2019-3946
- codesys - Misc CVEs
- Advantech WebAccess - CVE-2018-15705
- TIAPortal - Misc CVEs
- Schneider Electric - Misc CVEs
- Rockwell Automation - Misc CVEs
- Cisco Talos PoCs
- Allen Bradley MicroLogix - Misc CVEs
- Advantech WebAccess - Misc CVEs
- Moxa Industrial Secure Router - Misc CVEs
- Moxa Industrial Wireless Access Point - Misc CVEs, also here
- Siemens S7 PLC Bootloader Code Execution Utility - Non-invasive arbitrary code execution on the Siemens S7 PLC by using an undocumented bootloader protocol over UART. Siemens assigned SSA-686531 (CVE-2019-13945) for this vulnerability. Affected devices are Siemens S7-1200 (all variants including SIPLUS) and S7-200 Smart.
Note: The following tools haven't necessarily been utilized in an ICS context, but could be helpful.
- Laika Boss - Laika is an object scanner and intrusion detection system that strives to achieve the goal of a scalable, flexible, and verbose system.
(creative commons license)