Merge pull request #12079 from projectdiscovery/ICS

ICS Network Templates

network/detection/ics/allen-bradley/allen-bradley-compactlogix-detect.yaml

@@ -0,0 +1,30 @@
+id: allen-bradley-compactlogix-detect
+
+info:
+  name: Allen-Bradley CompactLogix Series PLC - Detect
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detected Allen-Bradley CompactLogix series via the ENIP-CIP protocol using the -resp flag to view the PLC model.
+  metadata:
+    verified: true
+    shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
+  tags: ics,allen-bradley,compactlogix,detect,network,tcp
+
+tcp:
+  - inputs:
+      - data: "630000000000000000000000000000000000000000000000"
+        type: hex
+        read: 200
+        name: info
+
+    host:
+      - "{{Hostname}}"
+    port: 44818
+    read-size: 1024
+
+    matchers:
+      - type: binary
+        part: info
+        binary:
+          - "313736392d" # 1769- (1769-L23: Built-in I/O || 1769-L24ER: With expansion capabilities || 1769-L30ER: Higher performance || 1769-L35ER: High-end version)

network/detection/ics/allen-bradley/allen-bradley-guardplc-detect.yaml

@@ -0,0 +1,40 @@
+id: allen-bradley-guardplc-detect
+
+info:
+  name: Allen-Bradley GuardPLC Series PLC - Detect
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detected Allen-Bradley (Rockwell Automation) GuardPLC series PLCs by identifying 1753-, 1754-, and 1755- model prefixes via the EtherNet/IP CIP protocol over port 44818. GuardPLC is a safety-rated PLC family designed for safety-critical industrial automation and SIS applications.
+  metadata:
+    shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
+  tags: ics,allen-bradley,guardplc,detect,network,tcp
+
+tcp:
+  - inputs:
+      - data: "630000000000000000000000000000000000000000000000"
+        type: hex
+        read: 200
+        name: info
+
+    host:
+      - "{{Hostname}}"
+    port: 44818
+    read-size: 1024
+
+    matchers-condition: or
+    matchers:
+      - type: binary
+        part: info
+        binary:
+          - "313735332d" # 1753
+
+      - type: binary
+        part: info
+        binary:
+          - "313735342d" # 1754
+
+      - type: binary
+        part: info
+        binary:
+          - "313735352d" # 1755

network/detection/ics/allen-bradley/allen-bradley-micro800-detect.yaml

@@ -0,0 +1,29 @@
+id: allen-bradley-micro800-detect
+
+info:
+  name: Allen-Bradley Micro800 Series PLC - Detect
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detected Allen-Bradley (Rockwell Automation) Micro800 series PLCs by identifying the 2080- model prefix via the EtherNet/IP CIP protocol over port 44818. The Micro800 series is a compact PLC family widely used in industrial automation and control systems.
+  metadata:
+    shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
+  tags: ics,allen-bradley,micro800,detect,network,tcp
+
+tcp:
+  - inputs:
+      - data: "630000000000000000000000000000000000000000000000"
+        type: hex
+        read: 200
+        name: info
+
+    host:
+      - "{{Hostname}}"
+    port: 44818
+    read-size: 1024
+
+    matchers:
+      - type: binary
+        part: info
+        binary:
+          - "323038302d"

network/detection/ics/allen-bradley/allen-bradley-micrologix-detect.yaml

@@ -0,0 +1,34 @@
+id: allen-bradley-micrologix-detect
+
+info:
+  name: Allen-Bradley MicroLogix Series PLC - Detect
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detected Allen-Bradley (Rockwell Automation) MicroLogix series PLCs by identifying the 1761-, 1762-, 1763-, 1764-, and 1766- model prefixes via the EtherNet/IP CIP protocol over port 44818.The MicroLogix series includes compact PLCs such as the 1100, 1400, and 1500, widely used in industrial automation and control systems.
+  metadata:
+    shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
+  tags: ics,allen-bradley,micrologix,detect,network,tcp
+
+tcp:
+  - inputs:
+      - data: "630000000000000000000000000000000000000000000000"
+        type: hex
+        read: 200
+        name: info
+
+    host:
+      - "{{Hostname}}"
+    port: 44818
+    read-size: 1024
+
+    matchers:
+      - type: binary
+        part: info
+        binary:
+          - "313736312d" # 1761- (1761: Fixed I/O, entry-level controllers)
+          - "313736322d" # 1762- (1762: Similar to 1761 but with expansion capabilities)
+          - "313736332d" # 1763- (1763: MicroLogix 1100 series)
+          - "313736342d" # 1764- (1764: MicroLogix 1400 series)
+          - "313736362d" # 1766- (1766: MicroLogix 1500 series)
+        condition: or

network/detection/ics/allen-bradley/allen-bradley-plc5-detect.yaml

@@ -0,0 +1,32 @@
+id: allen-bradley-plc5-detect
+
+info:
+  name: Allen-Bradley PLC-5 Series PLC - Detect
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detected Allen-Bradley (Rockwell Automation) PLC-5 series PLCs by identifying the 1771-, 1772-, and 1785- model prefixes via the EtherNet/IP CIP protocol over port 44818.
+  metadata:
+    shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
+  tags: ics,allen-bradley,plc-5,detect,network,tcp
+
+tcp:
+  - inputs:
+      - data: "630000000000000000000000000000000000000000000000"
+        type: hex
+        read: 200
+        name: info
+
+    host:
+      - "{{Hostname}}"
+    port: 44818
+    read-size: 1024
+
+    matchers:
+      - type: binary
+        part: info
+        binary:
+          - "313737312d" # 1771
+          - "313737322d" # 1772
+          - "313738352d" # 1785- https://www.ideadigitalcontent.com/files/11994/ID-SPE-1785-sg001_-en-p.pdf
+        condition: or

network/detection/ics/allen-bradley/allen-bradley-slc-500-detect.yaml

@@ -0,0 +1,31 @@
+id: allen-bradley-slc-500-detect
+
+info:
+  name: Allen-Bradley SLC-500 Series PLC - Detect
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detected Allen-Bradley (Rockwell Automation) SLC-500 series PLCs by identifying the 1746- and 1747- model prefixes via the EtherNet/IP CIP protocol over port 44818. The SLC-500 series is a legacy but still widely deployed PLC family used in industrial automation and control systems.
+  metadata:
+    shodan-query: 'port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"'
+  tags: ics,allen-bradley,slc-500,detect,network,tcp
+
+tcp:
+  - inputs:
+      - data: "630000000000000000000000000000000000000000000000"
+        type: hex
+        read: 200
+        name: info
+
+    host:
+      - "{{Hostname}}"
+    port: 44818
+    read-size: 1024
+
+    matchers:
+      - type: binary
+        part: info
+        binary:
+          - "313734362d" # 1746-
+          - "313737322d" # 1747-
+        condition: or

network/detection/ics/red-lion-enip-detect.yaml

@@ -0,0 +1,33 @@
+id: red-lion-enip-detect
+
+info:
+  name: Red Lion ENIP - Detect
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detects Red Lion industrial control devices by sending Ethernet/IP (ENIP) protocol requests to port 789 and identifying devices that respond with "Red Lion Controls" in their response. This template can be used to discover and fingerprint Red Lion devices on industrial networks.
+  metadata:
+    max-request: 2
+  tags: ics,redlion,detect,network,tcp
+
+tcp:
+  - inputs:
+      - data: "0004012b1b00"
+        type: hex
+        read: 200
+        name: info
+      - data: "0004012a1a00"
+        type: hex
+        read: 200
+        name: note
+
+    host:
+      - "{{Hostname}}"
+    port: 502
+    read-size: 1024
+
+    matchers:
+      - type: binary
+        part: info
+        binary:
+          - "526564204c696f6e20436f6e74726f6c73" # Red Lion Controls

network/detection/ics/schneider-modicon/schneider-modicon-340-detect.yaml

@@ -0,0 +1,40 @@
+id: schneider-modicon-340-detect
+
+info:
+  name: Schneider Electric Modicon 340 Series PLC - Detect
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detected Schneider Electric Modicon 340 series PLCs by identifying the BMX P34 signature via the UMAS protocol over Modbus TCP (port 502).The Modicon 340 series is part of Schneider Electric’s industrial automation product line used in Industrial Control Systems (ICS).
+  metadata:
+    verified: true
+    shodan-query: port:502 "P34"
+  tags: ics,schenider,modicon,detect,network
+
+tcp:
+  - inputs:
+      - data: "000000000005002b0e0200"
+        type: hex
+        read: 200
+        name: info
+      - data: "000100000004005a0002"
+        type: hex
+        read: 200
+        name: note
+
+    host:
+      - "{{Hostname}}"
+    port: 502
+    read-size: 1024
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: note
+        words:
+          - "BMX P34"
+
+      - type: word
+        part: info
+        words:
+          - "Schneider Electric"

network/detection/ics/schneider-modicon/schneider-modicon-580-detect.yaml

@@ -0,0 +1,41 @@
+id: schneider-modicon-580-detect
+
+info:
+  name: Schneider Electric Modicon 580 Series PLC - Detect
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detected Schneider Electric Modicon 580 series PLCs by identifying the BME P58 signature via the UMAS protocol over Modbus TCP (port 502).The Modicon 580 series is part of Schneider Electric’s industrial automation product line used in Industrial Control Systems (ICS).
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: port:502 "P58"
+  tags: ics,schenider,modicon,detect,network
+
+tcp:
+  - inputs:
+      - data: "000000000005002b0e0200"
+        type: hex
+        read: 200
+        name: info
+      - data: "000100000004005a0002"
+        type: hex
+        read: 200
+        name: note
+
+    host:
+      - "{{Hostname}}"
+    port: 502
+    read-size: 1024
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: note
+        words:
+          - "BME P58"
+
+      - type: word
+        part: info
+        words:
+          - "Schneider Electric"

network/enumeration/modicon-info.yaml

@@ -0,0 +1,44 @@
+id: modicon-info
+
+info:
+  name: Schneider Modicon PLC Information Disclosure
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detected Schneider Electric Modicon PLCs via the Modbus TCP protocol by extracting device identification information.Extracted the device model and version from responses on port 502 for fingerprinting and ICS vulnerability assessment.
+  metadata:
+    verified: true
+    shodan-query: "Device Identification: Schneider Electric"
+  tags: ics,modicon,schneider,detect,network,tcp
+
+tcp:
+  - inputs:
+      - data: "000000000005002b0e0200"
+        type: hex
+        read: 200
+        name: info
+      - data: "000f0000000d005a002000140064000000f600"
+        type: hex
+        read: 200
+        name: note
+      - data: "000400000005005a000300"
+        type: hex
+        read: 200
+        name: info
+
+    host:
+      - "{{Hostname}}"
+    port: 502
+    read-size: 1024
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "Schneider Electric"
+
+    extractors:
+      - type: regex
+        group: 1
+        regex:
+          - "Schneider Electric    ([A-Z 0-9a-z.]+)"

network/honeypot/cpppo-ethernetip-cip-honeypot.yaml

@@ -0,0 +1,27 @@
+id: cpppo-ethernetip-cip-honeypot
+
+info:
+  name: CPPPO Ethernet/IP CIP Honeypot Default Configuration - Detect
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detected devices responding with the default configuration signature of the CPPPO (Python-based) Ethernet/IP CIP parser honeypot.This indicates systems likely running the default Conpot honeypot configuration for ICS using the Common Industrial Protocol (CIP) over Ethernet/IP.
+  reference:
+    - https://github.com/claroty/enip-stack-detector
+  tags: ics,cip,honeypot,network,tcp
+
+tcp:
+  - inputs:
+      - data: "63000000000000000000000000000000c1debed100000000"
+        type: hex
+
+    host:
+      - "{{Hostname}}"
+    port: 44818
+    read-size: 1024
+
+    matchers:
+      - type: word
+        part: info
+        words:
+          - "63003c00000000000000000000000000c1debed10000000001000c00360001000002af1200000000000000000000000001000e003600140b60311a066c0014313735362d4c36312f42204c4f47495835353631ff"

network/honeypot/snap7-honeypot-default-config.yaml

@@ -0,0 +1,35 @@
+id: snap7-honeypot-default-config
+
+info:
+  name: Snap7 Honeypot Default Configuration - Detect
+  author: biero-el-corridor
+  severity: info
+  description: |
+    Detected honeypot instances using default snap7 (S7comm protocol) configurations by analyzing response patterns to S7comm requests.These signatures indicate systems likely running in research or security testing environments rather than production ICS.
+  reference:
+    - https://github.com/sefcom/honeyplc
+    - https://medium.com/@biero-llagas/simple-use-of-the-python-snap7-lib-now-with-real-honeypot-11a2979baaf0
+  tags: ics,s7comm,detect,honeypot,network,network,tcp
+
+tcp:
+  - inputs:
+      - data: "0300001611e00000001400c1020100c2020102c0010a"
+        type: hex
+      - data: "0300001902f08032010000000000080000f0000001000101e0"
+        type: hex
+      - data: "0300002102f080320700000000000800080001120411440100ff09000400110001"
+        type: hex
+      - data: "0300002102f080320700000000000800080001120411440100ff09000400110001"
+        type: hex
+      - data: "0300002102f080320700000000000800080001120411440100ff090004001c0001"
+        type: hex
+
+    host:
+      - "{{Hostname}}"
+    port: 102
+    read-size: 512
+
+    matchers:
+      - type: binary
+        binary:
+          - "0300001611d00014000100c1020100c2020102c0010a0300001b02f080320300000000000800000000f0000001000101e00300009902f080320700000000000c007c000112081284010000000000ff09007800110000001c0004000136455337203331352d32454831342d304142302000c000040001000636455337203331352d32454831342d304142302000c0000400010007202020202020202020202020202020202020202000c0560302060081426f6f74204c6f61646572202020202020202020000041200909"