Hi there, I`m, Nick Kramer.
Description: This program allows you to take the password to unload a project from PLC Siemens LOGO! 8.
LICENCIA = GPLv3.
The PLC project password is requested by the host by sending a TCP packet "4bc001e000000000000000000000047657450726748656164000010270000" (size28 bytes) to port 10005. In response, the PLC sends a packet containing the header "4b0004600000000000000000000000" (size 16 bytes) and the encrypted password (size 48 bytes).
This program sends a "password request" packet, receives a response from the PLC, the packet with the password, removes the "header", and decrypts the remaining data. PLC IP address is stored in the console. After that it checks if the IP address is correct, if it is, the following information will be shown to the console:
- "Size msg:" - Size of the received packet (with header).
- "msg view:" - Representation of the PLC response in HEX format.
- "Password size:" Password size.
- "Password:" - Password.
- Make sure that your device is communicating with the PLC;
- Check for an open port 10005.
- Run this program.
- Enter the IP address of the PLC correctly and press "Enter".
This vulnerability has been tested on a Siemens LOGO PLC (Model: 6ED1052-1MD08-0BA0).
- Isolate the PLC from the global network (Internet);
- Limit access of network equipment, to the PLC on port 10005.
- The password must not be associated with anything (for example Admin - Administrator). It is desirable to create passwords using random password generators.