SCADA PenTest Suite: Industrial Cybersecurity Testing Tool

Version 1.2 | Author: encrypter15 | Email: encrypter15@gmail.com | License: BSD

Welcome to the SCADA PenTest Suite, an all-in-one penetration testing framework designed to assess the security of Supervisory Control and Data Acquisition (SCADA) systems. Whether you’re testing cameras, doors, alarms, PLCs, or other industrial control systems, this tool provides a modular, extensible platform to identify vulnerabilities, ensure compliance, and enhance the security of critical infrastructure.

Overview

The SCADA PenTest Suite is a Python-based tool developed for security researchers and penetration testers to evaluate the security of SCADA systems. It supports a wide range of protocols and vendors, including Siemens (S7), Rockwell Automation (EtherNet/IP), Schneider Electric (Modbus), DNP3, OPC UA, and more. The suite is built with a modular design, allowing users to test specific components of SCADA systems, such as PLCs, HMIs, and industrial networks, while providing advanced features like asynchronous testing, compliance reporting, and real-time monitoring.

Key Features

  • Modular Design: Test multiple SCADA components with extensible modules (e.g., PLCs, HMIs, sensors).
  • Cross-Vendor Protocol Support: Compatible with Siemens (S7), Rockwell (EtherNet/IP), Schneider (Modbus), DNP3, OPC UA, and more.
  • Advanced Reporting: Export results in CSV, JSON, and graphical formats using Matplotlib.
  • Robust Error Handling: Handles multi-threaded scans and device timeouts gracefully.
  • Asynchronous Testing: Built with Python’s asyncio for efficient, non-blocking operations.
  • Exploit Verification: Safely verify the exploitability of identified vulnerabilities.
  • Protocol Replay and Injection: Test for replay and MITM attacks by capturing and modifying protocol traffic.
  • Compliance Audit Templates: Generate reports for NERC-CIP, IEC 62443, NIST 800-82, and ISO 27001.
  • Real-Time Dashboard: Monitor test progress with a terminal-based dashboard.
  • Automated Remediation Suggestions: Provides actionable remediation advice for identified vulnerabilities.
  • NVD API Integration: Dynamically fetch the latest CVEs for SCADA vendors.
  • Custom Test Profiles: Use predefined profiles for quick, deep, or compliance-focused scans.
  • SCADA Protocol Fingerprinting: Identify protocols like Modbus, DNP3, and S7 through traffic analysis.
  • Encrypted Protocol Support: Test OPC UA with TLS and S7 Secure Communication.
  • Logging and Audit Trail: Detailed logging for forensic analysis and compliance.

Installation

Follow these step-by-step instructions to install and set up the SCADA PenTest Suite on your system. The suite is compatible with Linux, macOS, and Windows, but Linux is recommended for optimal performance.

Prerequisites

  • Operating System: Linux (Ubuntu 20.04+ recommended), macOS, or Windows 10+.
  • Python: Version 3.8 or higher. Install Python from python.org.
  • Git: Required to clone the repository. Install Git using your package manager (e.g., sudo apt install git on Ubuntu).
  • Nmap: Required for network enumeration. Install Nmap using your package manager (e.g., sudo apt install nmap on Ubuntu).
  • Administrative Privileges: Some features (e.g., packet capture) may require root privileges.

Step 1: Clone the Repository

Clone the SCADA PenTest Suite repository from GitHub to your local machine.

git clone https://github.com/encrypter15/scada-pentest-suite.git
cd scada-pentest-suite

Step 2: Install Dependencies

The suite requires several Python libraries to function. Install them using pip.

pip install python-nmap matplotlib snap7 cpppo pymodbus pydnp3 opcua requests beautifulsoup4 scapy

Note: On Linux, you may need to install libpcap for scapy to work properly:

sudo apt install libpcap-dev

If you encounter permission issues, use pip install --user or set up a virtual environment:

python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate
pip install python-nmap matplotlib snap7 cpppo pymodbus pydnp3 opcua requests beautifulsoup4 scapy

Step 3: Verify Installation

Run a simple test to ensure the suite is installed correctly.

python scada_suite.py --target 127.0.0.1 --module enum --simulate

This command runs a simulated enumeration test on localhost. If successful, you’ll see output indicating the test results.

Step 4: (Optional) Set Up Simulators

For testing without a live SCADA system, set up simulators for various protocols:

  • Modbus: ModRSsim2.
  • OPC UA: Prosys OPC UA Simulation Server.
  • DNP3: the OpenDNP3 test harness (available on GitHub).
  • EtherNet/IP: a simulator such as EIPSim (available on GitHub).

Configure these simulators to run on localhost or a specific IP address for testing.

Use Cases

The SCADA PenTest Suite is designed for a variety of use cases in industrial cybersecurity. Below are some common scenarios where the suite can be applied.

1. Vulnerability Assessment of SCADA Systems

Scenario: A power plant operator needs to identify vulnerabilities in their SCADA system before a regulatory audit.

Solution: Use the ics_vuln module to scan for known vulnerabilities and the power_plant module to test turbine control systems.

python scada_suite.py --target 192.168.1.100 --module ics_vuln --verify-exploit --report json

Outcome: The suite identifies CVEs like CVE-2017-14462 in Allen-Bradley devices and verifies exploitability, providing a detailed report with remediation suggestions.

2. Compliance Audit for NERC-CIP

Scenario: An electric utility must ensure compliance with NERC-CIP standards (e.g., CIP-007 for system security).

Solution: Use the nerc_cip module with the --compliance flag.

python scada_suite.py --target 192.168.1.0/24 --module nerc_cip --compliance nerc_cip --log

Outcome: The suite generates a compliance report highlighting non-compliant areas (e.g., open Telnet ports) and logs all actions for audit purposes.

3. Testing for Replay Attacks in Water Treatment

Scenario: A water treatment facility wants to test if their SCADA system is vulnerable to replay attacks.

Solution: Use the protocol_replay module with the --replay flag.

python scada_suite.py --target 192.168.1.106 --module protocol_replay --replay --dashboard

Outcome: The suite captures Modbus traffic, replays it, and identifies if the system accepts replayed commands, with live monitoring via the dashboard.

4. Deep Scan of a Manufacturing Plant

Scenario: A manufacturing plant needs a thorough security assessment of its SCADA network.

Solution: Use the deep_scan profile to run multiple modules.

python scada_suite.py --target 192.168.1.0/24 --profile deep_scan --report csv --log

Outcome: The suite runs a comprehensive scan, testing S7, Modbus, OPC UA, and more, generating CSV reports and detailed logs.

5. Testing Encrypted OPC UA in Industrial Automation

Scenario: An industrial automation system uses OPC UA with TLS, and the operator needs to test its security.

Solution: Use the opc_ua module with the --encrypted flag.

python scada_suite.py --target 192.168.1.100 --module opc_ua --encrypted --report json

Outcome: The suite tests the OPC UA server over TLS, identifying issues like anonymous access vulnerabilities.

Usage

The SCADA PenTest Suite is command-line driven, with a variety of options to customize testing. Below are detailed usage examples and explanations of all available flags.

Basic Command Structure

The basic syntax for running the suite is:

python scada_suite.py --target <IP_ADDRESS> --module <MODULE_NAME>

Required Flags:

  • --target: The IP address or subnet to test (e.g., 192.168.1.100 or 192.168.1.0/24).
  • --module: The module to run (e.g., s7, modbus, ics_vuln).

Available Flags

Flag              Description                                                                       Example
--report          Output format for reports (json, csv, graph). Default: json.                      --report csv
--simulate        Run in simulation mode (no real device interaction).                              --simulate
--verify-exploit  Verify exploitability of vulnerabilities (used with ics_vuln).                    --verify-exploit
--replay          Capture and replay protocol traffic (used with protocol_replay).                  --replay
--inject          Inject modified protocol packets (used with protocol_replay).                     --inject
--compliance      Generate a compliance report (options: nerc_cip, iec62443, nist80082, iso27001).  --compliance nerc_cip
--dashboard       Enable a real-time terminal-based dashboard.                                      --dashboard
--profile         Use a custom test profile (e.g., quick_scan, deep_scan).                          --profile quick_scan
--encrypted       Test encrypted protocols (used with opc_ua, s7_secure).                           --encrypted
--log             Enable detailed logging to pentest_suite.log.                                     --log
--update-cve      Update the CVE database from the NVD API (used with ics_vuln).                    --update-cve

Example Commands

Basic Vulnerability Scan:

python scada_suite.py --target 192.168.1.100 --module ics_vuln --report json

Compliance Audit with Logging:

python scada_suite.py --target 192.168.1.0/24 --module nerc_cip --compliance nerc_cip --log

Deep Scan with Dashboard:

python scada_suite.py --target 192.168.1.0/24 --profile deep_scan --dashboard --report csv

Replay Attack Test:

python scada_suite.py --target 192.168.1.106 --module protocol_replay --replay --report json

Encrypted OPC UA Test:

python scada_suite.py --target 192.168.1.100 --module opc_ua --encrypted --report json

Detailed Directions

Below are detailed instructions for using the SCADA PenTest Suite in various scenarios, including setup, execution, and result analysis.

1. Preparing Your Environment

Before running tests, ensure your environment is properly configured:

    • Network Access: Ensure you have network access to the target SCADA system. For multi-target scans, use a subnet (e.g., 192.168.1.0/24).
    • Permissions: Obtain explicit permission from the system owner before testing. Unauthorized testing may violate laws and regulations.
    • Simulators: If testing on a live system is not possible, set up simulators (see Installation Step 4).
    • Root Privileges: Some features (e.g., packet capture with protocol_replay) require root privileges. Run the suite with sudo if necessary:
      sudo python scada_suite.py --target 192.168.1.100 --module protocol_replay --replay

2. Running a Basic Test

Start with a simple enumeration test to verify connectivity and identify devices.

python scada_suite.py --target 192.168.1.100 --module enum --report json

Expected Output: A JSON file in the reports directory with details of open ports, services, and detected protocols (e.g., Modbus, S7).

3. Performing a Vulnerability Scan

Use the ics_vuln module to scan for known vulnerabilities and verify exploitability.

python scada_suite.py --target 192.168.1.100 --module ics_vuln --verify-exploit --update-cve --report json

Steps:

  1. The suite updates the CVE database from the NVD API.
  2. It scans the target using Nmap to identify services and versions.
  3. It matches the results against the CVE database to find vulnerabilities.
  4. It attempts to verify exploitability for each CVE (e.g., CVE-2017-14462).
  5. Results are saved in a JSON file with remediation suggestions.
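Step 3 above (matching enumerated services against the CVE database) is where most false positives and false negatives in a vulnerability scan come from, because version strings have to be compared numerically and services with no detected version must not be silently dropped. The following is an added example, not the suite's own code, showing that matching step on constructed data: the service records mimic what an Nmap version scan reports (port, product, version), the database layout ({cve, product, affected, remediation}) is an assumption, and the CVE ids are placeholders rather than real advisories.

```python
"""Added example (not the SCADA PenTest Suite's own code): match services
found by enumeration against a local CVE database.

All records below are constructed; the CVE ids are placeholders.
"""
import re


def version_key(version: str):
    """'2.10.1' -> (2, 10, 1): compare versions numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_in_range(version, start=None, end=None):
    """True if start <= version < end (a None bound is open-ended)."""
    v = version_key(version)
    if start is not None and v < version_key(start):
        return False
    if end is not None and v >= version_key(end):
        return False
    return True


def match_services(services, cve_db):
    """Return one finding per (service, CVE) pair whose version is affected.

    Services without a version string cannot be matched reliably, so they are
    reported as 'unverified' rather than silently dropped from the report.
    """
    findings = []
    for svc in services:
        product = svc.get("product", "").lower()
        if not svc.get("version"):
            findings.append({"port": svc["port"], "cve": None, "status": "unverified",
                             "note": "no version detected; check manually"})
            continue
        for entry in cve_db:
            if entry["product"].lower() != product:
                continue
            if any(version_in_range(svc["version"], r.get("start"), r.get("end"))
                   for r in entry["affected"]):
                findings.append({"port": svc["port"], "cve": entry["cve"],
                                 "status": "affected",
                                 "remediation": entry["remediation"]})
    return findings


# Constructed sample input: what a version scan of a few ICS hosts might report.
SAMPLE_SERVICES = [
    {"port": 502,  "product": "ExamplePLC Modbus Gateway", "version": "2.1.0"},
    {"port": 4840, "product": "ExampleOPC Server",         "version": "3.4.2"},
    {"port": 102,  "product": "ExampleS7 Controller",      "version": ""},
]

# Constructed sample database (placeholder CVE ids, assumed layout).
SAMPLE_CVE_DB = [
    {"cve": "CVE-0000-0001", "product": "ExamplePLC Modbus Gateway",
     "affected": [{"start": None, "end": "2.2.0"}],
     "remediation": "Upgrade the gateway firmware to 2.2.0 or later."},
    {"cve": "CVE-0000-0002", "product": "ExampleOPC Server",
     "affected": [{"start": "3.0.0", "end": "3.4.0"}],
     "remediation": "Upgrade to 3.4.0 or later and disable anonymous sessions."},
]

if __name__ == "__main__":
    for finding in match_services(SAMPLE_SERVICES, SAMPLE_CVE_DB):
        print(finding)
```

Run as-is it reports the Modbus gateway (2.1.0 is below the 2.2.0 fix version) as affected and the S7 controller as unverified, while the OPC server at 3.4.2 is correctly left out because a plain string comparison of "3.4.2" against "3.4.0" is exactly the kind of check `version_key` replaces.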

4. Testing for Replay Attacks

Use the protocol_replay module to test for replay vulnerabilities.

sudo python scada_suite.py --target 192.168.1.106 --module protocol_replay --replay --inject --dashboard --log

Steps:

  1. The suite captures packets from the target (e.g., Modbus traffic on port 502).
  2. It replays the captured packets to test for replay vulnerabilities.
  3. It injects modified packets to simulate a MITM attack.
  4. The dashboard displays live results, and logs are saved to pentest_suite.log.
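Whether a replayed command was accepted is only half of the picture; the other half is whether the replay is visible in the traffic at all. As an added example (not the suite's own code, and not taken from its protocol_replay module), the block below parses Modbus/TCP frames using the public MBAP header layout and flags write commands that repeat an earlier frame verbatim, which is both what the replay test looks for and what a defender's traffic monitor should alert on. The capture is constructed inline; the `build_frame` helper exists only to assemble that sample traffic.

```python
"""Added example (not the SCADA PenTest Suite's own code): parse Modbus/TCP
frames and flag replayed write commands in a captured stream.

Modbus/TCP frames start with the 7-byte MBAP header:
  transaction id (2), protocol id (2, always 0), length (2), unit id (1)
followed by the PDU: function code (1) + data. A replay shows up as a frame
whose transaction id and PDU bytes repeat an earlier frame exactly.
"""
import struct
from collections import namedtuple

# Function codes that change process state; these are the ones a replay test
# (and a defender's monitoring) cares about most.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

ModbusFrame = namedtuple("ModbusFrame", "transaction_id unit_id function_code data")


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP frame; raise ValueError if it is malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, so the frame must be 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    return ModbusFrame(tid, unit, frame[7], frame[8:])


def find_replays(frames):
    """Return (index, earlier_index, function_name) for repeated write frames.

    A well-behaved client increments the transaction id per request, so an
    exact repeat of (transaction id, unit id, function code, data) is a replay
    candidate rather than a legitimately repeated write.
    """
    seen = {}
    replays = []
    for idx, raw in enumerate(frames):
        try:
            f = parse_modbus_tcp(raw)
        except ValueError:
            continue  # not Modbus, or truncated: skip for this check
        if f.function_code not in WRITE_FUNCTIONS:
            continue
        key = (f.transaction_id, f.unit_id, f.function_code, f.data)
        if key in seen:
            replays.append((idx, seen[key], WRITE_FUNCTIONS[f.function_code]))
        else:
            seen[key] = idx
    return replays


def build_frame(tid, unit, fc, data):
    """Assemble a Modbus/TCP frame (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample capture: a read, a write to coil 0x0013, another read,
# then the identical write frame again (what a replayed command looks like).
SAMPLE_CAPTURE = [
    build_frame(1, 1, 3, b"\x00\x00\x00\x0a"),   # Read Holding Registers
    build_frame(2, 1, 5, b"\x00\x13\xff\x00"),   # Write Single Coil ON
    build_frame(3, 1, 3, b"\x00\x00\x00\x0a"),
    build_frame(2, 1, 5, b"\x00\x13\xff\x00"),   # replay of frame index 1
]

if __name__ == "__main__":
    for idx, first, name in find_replays(SAMPLE_CAPTURE):
        print(f"frame {idx} repeats frame {first}: {name}")
```

The protocol-id check doubles as a cheap fingerprinting rule for the suite's traffic-analysis feature: a stream on port 502 whose frames do not carry protocol id 0 and a consistent length field is not Modbus/TCP, whatever the port suggests.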

5. Generating a Compliance Report

Run a compliance audit for IEC 62443.

python scada_suite.py --target 192.168.1.0/24 --module nerc_cip --compliance iec62443 --report csv

Steps:

  1. The suite runs the nerc_cip module to test network security, configuration management, and logging.
  2. It maps results to IEC 62443 requirements (e.g., SR 3.2 for authentication).
  3. A compliance report is generated in the reports directory, detailing compliance status and issues.

6. Using Custom Profiles

Run a deep scan using the deep_scan profile.

python scada_suite.py --target 192.168.1.0/24 --profile deep_scan --dashboard --report csv

Steps:

  1. The suite loads the deep_scan profile from profiles.json.
  2. It runs all specified modules (S7, Modbus, DNP3, etc.) with a 30-second timeout per target.
  3. The dashboard displays live progress, and results are saved as CSV files.

7. Analyzing Results

After running tests, results are saved in the reports directory. Here’s how to analyze them:

  • JSON Reports: Open JSON files in a text editor or JSON viewer to see detailed test results, including vulnerabilities and response times.
  • CSV Reports: Import CSV files into a spreadsheet tool (e.g., Excel) to analyze test data in tabular form.
  • Graphical Reports: View PNG files generated by the --report graph option to visualize response times and vulnerability counts.
  • Compliance Reports: Review TXT files for compliance status, non-compliant areas, and remediation suggestions.
  • Logs: Check pentest_suite.log for a detailed audit trail of all actions.

Troubleshooting

Here are solutions to common issues you might encounter:

  • Error: “Module not found”
    • Cause: A required Python library is missing.
    • Solution: Ensure all dependencies are installed (see Installation Step 2).
  • Error: “Permission denied” when capturing packets
    • Cause: Packet capture requires root privileges.
    • Solution: Run the command with sudo.
  • Error: “Connection timed out”
    • Cause: The target device is not reachable.
    • Solution: Verify network connectivity and ensure the target is online.
  • Dashboard not displaying
    • Cause: Terminal does not support curses.
    • Solution: Run the suite in a compatible terminal (e.g., Linux terminal, not Windows CMD).

Frequently Asked Questions (FAQ)

Below are answers to common questions about the SCADA PenTest Suite.

What operating systems are supported by the SCADA PenTest Suite?

The SCADA PenTest Suite is compatible with Linux (Ubuntu 20.04+ recommended), macOS, and Windows 10+. However, Linux is the preferred platform for optimal performance, especially for features like packet capture that require root privileges. On Windows, some features (e.g., the real-time dashboard) may not work as expected in certain terminals like CMD; use a Linux-based terminal emulator like WSL (Windows Subsystem for Linux) or Git Bash for better compatibility.

Do I need root privileges to run the suite?

Root privileges are required for certain features, such as packet capture and replay/injection with the protocol_replay module, because these operations involve low-level network access. To use these features, run the suite with sudo:

sudo python scada_suite.py --target 192.168.1.100 --module protocol_replay --replay

For other modules (e.g., s7, modbus, ics_vuln), root privileges are not typically required unless you encounter permission issues with network scanning.

Can I test the suite without a live SCADA system?

Yes! The SCADA PenTest Suite supports a --simulate flag to run tests in simulation mode, which generates placeholder results without interacting with real devices. Additionally, you can set up SCADA protocol simulators to test the suite in a controlled environment. The recommended simulators are listed under Installation Step 4 (ModRSsim2 for Modbus, Prosys OPC UA Simulation Server for OPC UA, the OpenDNP3 test harness for DNP3, and EIPSim for EtherNet/IP).

Configure these simulators to run on localhost (e.g., 127.0.0.1) and specify the appropriate port for your target protocol.

How do I update the CVE database?

The SCADA PenTest Suite integrates with the National Vulnerability Database (NVD) API to fetch the latest CVEs for SCADA vendors. To update the CVE database, use the --update-cve flag with the ics_vuln module:

python scada_suite.py --target 192.168.1.100 --module ics_vuln --update-cve --report json

This command queries the NVD API for vulnerabilities related to known SCADA vendors (e.g., Allen-Bradley, Siemens) and updates the cve_database.json file. Ensure you have an internet connection, as this feature requires API access. If the API request fails (e.g., due to rate limits), the suite will use the existing local database.
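The useful property described here is the fallback: a failed or rate-limited NVD request must leave the local database intact rather than truncating it. The block below is an added example, not the suite's own implementation, of that update-with-fallback pattern. The endpoint and the keywordSearch parameter are those of the public NVD 2.0 API (requests without an API key are rate-limited more strictly); the `fetch` hook, the record layout, the file name handling and the sample response are assumptions constructed for the example.

```python
"""Added example (not the SCADA PenTest Suite's own code): refresh a local CVE
database from the NVD 2.0 API per vendor keyword, keeping the existing entries
whenever a request fails (for instance on a rate-limit response).
"""
import json
import os
import urllib.parse
import urllib.request

NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"  # public NVD 2.0 API


def fetch_nvd(vendor, fetch=None, timeout=20):
    """Return [{id, vendor, description}] for `vendor`, or None if the request fails.

    `fetch` is an assumed hook that takes a URL and returns the decoded JSON;
    it lets the function run offline and makes the failure path testable.
    """
    url = NVD_URL + "?" + urllib.parse.urlencode({"keywordSearch": vendor})
    try:
        if fetch is None:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                payload = json.load(resp)
        else:
            payload = fetch(url)
    except Exception:
        return None  # network error, HTTP 403/429, malformed JSON: caller keeps local data
    records = []
    for item in payload.get("vulnerabilities", []):
        cve = item.get("cve", {})
        if "id" not in cve:
            continue
        desc = next((d.get("value", "") for d in cve.get("descriptions", [])
                     if d.get("lang") == "en"), "")
        records.append({"id": cve["id"], "vendor": vendor, "description": desc})
    return records


def update_cve_database(existing, vendors, fetch=None):
    """Merge fresh NVD results into `existing` (dict: cve id -> record).

    Returns (database, status) where status maps each vendor to the number of
    records fetched, or None when the request failed and local data was kept.
    """
    db = dict(existing)
    status = {}
    for vendor in vendors:
        fresh = fetch_nvd(vendor, fetch=fetch)
        if fresh is None:
            status[vendor] = None
            continue
        for rec in fresh:
            db[rec["id"]] = rec
        status[vendor] = len(fresh)
    return db, status


def save_database(db, path):
    """Write the database via a temporary file so a crash mid-write cannot truncate it."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(db, fh, indent=2, sort_keys=True)
    os.replace(tmp, path)


# Constructed stand-in for the API: one vendor answers, the other is "rate limited".
def SAMPLE_FETCH(url):
    if "VendorA" in url:
        return {"vulnerabilities": [{"cve": {
            "id": "CVE-0000-0010",  # placeholder id, constructed record
            "descriptions": [{"lang": "es", "value": "x"},
                             {"lang": "en", "value": "constructed record"}]}}]}
    raise OSError("HTTP 403: rate limited")


SAMPLE_EXISTING = {"CVE-0000-0099": {"id": "CVE-0000-0099", "vendor": "VendorB",
                                     "description": "older local record"}}

if __name__ == "__main__":
    db, status = update_cve_database(SAMPLE_EXISTING, ["VendorA", "VendorB"],
                                     fetch=SAMPLE_FETCH)
    print(status, sorted(db))
```

Dropping the `fetch` argument makes the same code query the live API; keeping the merge keyed by CVE id means a re-run only refreshes records, never duplicates them.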

What compliance standards are supported?

The SCADA PenTest Suite supports compliance reporting for the following standards:

  • NERC-CIP: North American Electric Reliability Corporation Critical Infrastructure Protection (e.g., CIP-007 for system security).
  • IEC 62443: Industrial cybersecurity standard (e.g., SR 3.2 for authentication).
  • NIST 800-82: Guide to Industrial Control Systems security (e.g., AC-3 for access control).
  • ISO 27001: Information security management (e.g., A.12.6.1 for vulnerability management).

To generate a compliance report, use the --compliance flag with the desired standard:

python scada_suite.py --target 192.168.1.0/24 --module nerc_cip --compliance iec62443

The suite maps test results to specific requirements of the chosen standard and generates a detailed report in the reports directory.

How do I create a custom test profile?

Custom test profiles allow you to define which modules to run and their parameters (e.g., timeout). Profiles are stored in the profiles.json file in the root directory. To create a new profile:

    1. Open profiles.json in a text editor.
    2. Add a new profile entry in JSON format. For example:

       "custom_scan": {
           "modules": ["enum", "modbus", "hmi"],
           "timeout": 15
       }

    3. Save the file.
    4. Run the suite with the new profile:

       python scada_suite.py --target 192.168.1.100 --profile custom_scan --report json

The suite will run the specified modules (enum, modbus, hmi) with a 15-second timeout per target. You can create as many profiles as needed for different testing scenarios.
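A profile is a hand-edited JSON file, so a misspelled module name or a zero timeout is easy to introduce and is better caught before a scan starts against live equipment than halfway through it. The block below is an added example, not the suite's own loader, that validates a profiles.json in the layout shown above. KNOWN_MODULES is assembled from module names this README mentions and is an assumption about the full set; the 30-second default timeout is likewise an assumption taken from the deep_scan description.

```python
"""Added example (not the SCADA PenTest Suite's own code): load and validate
profiles.json before a scan, rejecting unknown modules and bad timeouts.
"""
import json

# Assumption: module names taken from those this README mentions.
KNOWN_MODULES = {"enum", "s7", "s7_secure", "modbus", "hmi", "opc_ua",
                 "ics_vuln", "nerc_cip", "protocol_replay", "power_plant"}
DEFAULT_TIMEOUT = 30  # assumption, from the deep_scan description


class ProfileError(ValueError):
    """Raised for any profile that should not be allowed to start a scan."""


def validate_profile(name, spec):
    """Return a normalised {modules, timeout} dict or raise ProfileError."""
    if not isinstance(spec, dict):
        raise ProfileError(f"profile {name!r}: expected an object")
    modules = spec.get("modules")
    if not isinstance(modules, list) or not modules:
        raise ProfileError(f"profile {name!r}: 'modules' must be a non-empty list")
    unknown = [m for m in modules if m not in KNOWN_MODULES]
    if unknown:
        raise ProfileError(f"profile {name!r}: unknown module(s) {unknown}")
    timeout = spec.get("timeout", DEFAULT_TIMEOUT)
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        raise ProfileError(f"profile {name!r}: 'timeout' must be a positive integer")
    # Drop duplicate modules while keeping the order the author wrote them in.
    return {"modules": list(dict.fromkeys(modules)), "timeout": timeout}


def load_profiles(text):
    """Parse the JSON text of a profiles file and validate every profile in it."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ProfileError("profiles file must be a JSON object keyed by profile name")
    return {name: validate_profile(name, spec) for name, spec in data.items()}


# Constructed sample file: one good profile and one with a repeated module.
SAMPLE_PROFILES_JSON = """{
  "quick_scan":  {"modules": ["enum", "modbus"], "timeout": 10},
  "custom_scan": {"modules": ["enum", "modbus", "hmi", "modbus"], "timeout": 15}
}"""

if __name__ == "__main__":
    for name, profile in load_profiles(SAMPLE_PROFILES_JSON).items():
        print(name, profile)
```

Reading the real file is `load_profiles(open("profiles.json").read())`; the function raises on the first bad profile so that nothing runs against a target with a half-validated configuration.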

Why am I seeing “Connection timed out” errors?

A “Connection timed out” error typically indicates that the target device is not reachable. Here’s how to troubleshoot:

  • Verify Network Connectivity: Ping the target to ensure it’s online: ping 192.168.1.100.
  • Check Firewall Settings: Ensure your firewall allows outbound connections to the target ports (e.g., 502 for Modbus, 4840 for OPC UA).
  • Confirm Target Configuration: Verify the target device is configured to accept connections on the expected port.
  • Use Simulation Mode: If the target is unavailable, run the test in simulation mode: --simulate.

If the issue persists, check the pentest_suite.log file for detailed error messages (enable logging with --log).

Can I test encrypted SCADA protocols?

Yes, the SCADA PenTest Suite supports testing encrypted protocols like OPC UA with TLS. Use the --encrypted flag with the opc_ua module:

python scada_suite.py --target 192.168.1.100 --module opc_ua --encrypted --report json

For S7 Secure Communication, use the s7_secure module with the same flag. Note that the snap7 library used for S7 does not natively support TLS; in a production environment, you would need a library that supports S7 over TLS. The suite will simulate encrypted communication for testing purposes.

How do I view the real-time dashboard?

The real-time dashboard displays test progress in the terminal using the curses library. To enable it, use the --dashboard flag:

python scada_suite.py --target 192.168.1.100 --module modbus --dashboard

The dashboard shows the target, module, compliance status, and recent test results. It requires a terminal that supports curses (e.g., Linux terminal, macOS Terminal, or WSL on Windows). If the dashboard does not display, try running the suite in a different terminal or disable the flag.

What should I do if a test causes a device to crash?

If a test (e.g., fuzzing or exploit verification) causes a device to crash, take the following steps:

  1. Stop the Test Immediately: Press Ctrl+C to terminate the suite.
  2. Check Logs: Review pentest_suite.log (if logging was enabled) to identify the test that caused the crash.
  3. Restart the Device: Follow the manufacturer’s instructions to reboot the affected device.
  4. Adjust Test Parameters: Reduce the intensity of tests (e.g., fewer fuzzing iterations) or use simulation mode to avoid impacting live systems.
  5. Contact Support: If the issue persists, contact the author at encrypter15@gmail.com with details of the crash.

Warning: Always test in a controlled environment or with explicit permission, as some tests (e.g., DoS exploit verification) can disrupt operations.

How do I contribute to the SCADA PenTest Suite?

The SCADA PenTest Suite is an open-source project, and contributions are welcome! To contribute:

  1. Fork the Repository: Visit github.com/encrypter15/scada-pentest-suite and click the “Fork” button.
  2. Clone Your Fork: git clone https://github.com/yourusername/scada-pentest-suite.git
  3. Create a Branch: git checkout -b feature/your-feature-name
  4. Make Changes: Add new features, fix bugs, or improve documentation.
  5. Commit Changes: git commit -m "Add your feature description"
  6. Push to Your Fork: git push origin feature/your-feature-name
  7. Submit a Pull Request: Go to the original repository and create a pull request from your branch.

Please include a detailed description of your changes and ensure your code follows the project’s coding style. The author will review your contribution and provide feedback.

Contact and Support

For questions, bug reports, or feature requests, contact the author, encrypter15, at encrypter15@gmail.com.

Contributions are welcome! Fork the repository, make your changes, and submit a pull request.

Disclaimer

This tool is intended for authorized security testing only. Use it responsibly and with explicit permission from system owners. The author is not responsible for misuse or damage caused by this software.
