
Metasploit Modules for SCADA-related Vulnerabilities

It is important to understand the likelihood that a vulnerability can be exploited on a particular ICS or SCADA system. One factor to use in this evaluation is whether an automated exploit module has been created for the Metasploit Framework. With the recent attention given by security researchers to ICS / SCADA systems, there has been an increased focus on the rapid deployment of these exploit modules that leverage publicly disclosed proof-of-concept (PoC) code.

The list below summarizes the Metasploit Framework modules developed to date for SCADA-related vulnerabilities, together with all information available for each system vulnerability.

The complete Metasploit Framework repository (linked from the original page) provides full details of each MSF module included, how it is used, and its change management entries.

Testing (Exploitation) Frameworks

This site focuses primarily on free, open-source tools which can be used by both Black Hat and White Hat security specialists. However, it is important to know that there are other testing frameworks available, many of which now contain SCADA modules. The list below focuses on those "general purpose" testing frameworks, and does not include special-purpose tools that could be used for a specific application such as exploiting web servers or SQL servers.


Metasploit Modules (via MSFUpdate / SVN)

| Vendor | System / Component | SCADAhacker Reference | Metasploit Reference | Disclosure Date | Initial MSF Release Date |
|---|---|---|---|---|---|
| 7-Technologies | IGSS | ICS-11-080-03, ICSA-11-132-01A | exploit/windows/scada/igss9_igssdataserver_listall.rb | Mar. 24, 2011 | May 16, 2011 |
| 7-Technologies | IGSS | ICS-11-080-03, ICSA-11-132-01A | exploit/windows/scada/igss9_igssdataserver_rename.rb | Mar. 24, 2011 | Jun. 9, 2011 |
| 7-Technologies | IGSS | ICS-11-080-03, ICSA-11-132-01A | exploit/windows/scada/igss9_misc.rb | Mar. 24, 2011 | May 30, 2011 |
| 7-Technologies | IGSS | ICS-11-080-03, ICSA-11-132-01A | auxiliary/admin/scada/igss_exec_17.rb | Mar. 21, 2011 | Mar. 22, 2011 |
| AzeoTech | DAQ Factory | Click Here | exploit/windows/scada/daq_factory_bof.rb | Sep. 13, 2011 | Sep. 17, 2011 |
| 3S | CoDeSys | Click Here | exploit/windows/scada/codesys_web_server.rb | Dec. 2, 2011 | Dec. 13, 2011 |
| BACnet | OPC Client | ICSA-10-264-01 | exploit/windows/fileformat/bacnet_csv.rb | Sep. 16, 2010 | Nov. 11, 2010 |
| BACnet | Operator Workstation | n/a | exploit/windows/browser/teechart_pro.rb | Aug. 11, 2011 | Aug. 11, 2011 |
| Beckhoff | TwinCat | Click Here | auxiliary/dos/scada/beckhoff_twincat.rb | Sep. 13, 2011 | Oct. 10, 2011 |
| General Electric | D20 PLC | Press Release | auxiliary/gather/d20pass.rb | Jan. 19, 2012 | Jan. 19, 2012 |
| General Electric | D20 PLC | DigitalBond S4 | unstable-modules/auxiliary/d20tftpbd.rb | Jan. 19, 2012 | Jan. 19, 2012 |
| Iconics | Genesis32 | ICS-11-080-02 | exploit/windows/scada/iconics_genbroker.rb | Mar. 21, 2011 | Jul. 17, 2011 |
| Iconics | Genesis32 | ICS-11-080-02 | exploit/windows/scada/iconics_webhmi_setactivexguid.rb | May 5, 2011 | May 11, 2011 |
| Measuresoft | ScadaPro | Click Here | exploit/windows/scada/scadapro_cmdexe.rb | Sep. 16, 2011 | Sep. 16, 2011 |
| Moxa | Device Manager | ICS-10-293-02, ICSA-10-301-01 | exploit/windows/scada/moxa_mdmtool.rb | Oct. 20, 2010 | Nov. 6, 2010 |
| RealFlex | RealWin SCADA | | exploit/windows/scada/realwin.rb | Sep. 26, 2008 | Sep. 30, 2008 |
| RealFlex | RealWin SCADA | ICS-11-305-01, ICSA-11-313-01 | exploit/windows/scada/realwin_scpc_initialize.rb | Oct. 15, 2010 | Oct. 18, 2010 |
| RealFlex | RealWin SCADA | ICS-11-305-01, ICSA-11-313-01 | exploit/windows/scada/realwin_scpc_initialize_rf.rb | Oct. 15, 2010 | Oct. 18, 2010 |
| RealFlex | RealWin SCADA | | exploit/windows/scada/realwin_scpc_txtevent.rb | Nov. 18, 2010 | Nov. 24, 2010 |
| RealFlex | RealWin SCADA | ICS-11-080-04, ICSA-11-110-01 | exploit/windows/scada/realwin_on_fc_binfile_a.rb | Mar. 21, 2011 | Jun. 19, 2011 |
| RealFlex | RealWin SCADA | ICS-11-080-04, ICSA-11-110-01 | exploit/windows/scada/realwin_on_fcs_login.rb | Mar. 21, 2011 | Jun. 22, 2011 |
| Scadatec | Procyon | Click Here | exploit/windows/scada/procyon_core_server.rb | Sep. 8, 2011 | Sep. 12, 2011 |
| ScadaTEC | ModbusTagServer, ScadaPhone | Click Here | exploit/windows/fileformat/scadaphone_zip.rb | Sep. 12, 2011 | Sep. 13, 2011 |
| Schneider Electric | CitectSCADA, CitectFacilities | | exploit/windows/scada/citect_scada_odbc.rb | Jun. 11, 2008 | Nov. 8, 2010 |
| Sielco Sistemi | Winlog | ICSA-11-017-02 | exploit/windows/scada/winlog_runtime.rb | Jan. 13, 2011 | Jun. 21, 2011 |
| Siemens | Technomatix FactoryLink | ICS-11-080-01, ICSA-11-091-01 | exploit/windows/scada/factorylink_cssservice.rb | Mar. 25, 2011 | Jun. 24, 2011 |
| Siemens | Technomatix FactoryLink | ICS-11-080-01, ICSA-11-091-01 | exploit/windows/scada/factorylink_vrn_09.rb | Mar. 21, 2011 | Jun. 21, 2011 |
| Unitronics | OPC Server | n/a | exploit/windows/browser/teechart_pro.rb | Aug. 11, 2011 | Aug. 11, 2011 |

Metasploit Modules (Privately Developed and/or Publicly Shared)

| Vendor / Developer | System / Component | SCADAhacker Reference | Metasploit Module | Author | Date |
|---|---|---|---|---|---|
| DigitalBond | Schneider Modicon Quantum Credential Disclosure | pending | modiconpass | DigitalBond | Feb 14, 12 |
| DigitalBond | Rockwell Automation ControlLogix Ethernet/IP | pending | ethernetip-multi | DigitalBond | Feb 14, 12 |
| DigitalBond | Koyo/DirectLOGIC ECOM Bruteforce | pending | koyobrute | DigitalBond | Feb 14, 12 |
| SecureState | Nmap-like Meterpreter Extension (MSFMap 0.1.0) | n/a | msfmap | Spencer McIntyre | Dec 30, 11 |
Metasploit Modules of Interest

| Description | Metasploit Module | Date Added |
|---|---|---|
| Shodan: auxiliary module that uses the Shodan API to query the database and return the first 50 IP addresses. Shodan API: http://www.shodanhq.com/api_doc ; Shodan filters: http://www.shodanhq.com/help/filters | auxiliary/gather/shodan_search.rb | Dec 5, 11 |