OT/ICS Security Tools

Tools

Specialized tools for ICS security testing, from protocol analyzers to PLC exploitation frameworks and lab simulation platforms.

Protocol-Specific Tools

Modbus Tools

pymodbus

Full Modbus protocol implementation in Python. Supports TCP, RTU, ASCII.

```bash
pip install pymodbus
```

modbus-cli

Command-line tool for quick Modbus testing and enumeration.

```bash
pip install modbus-cli
```

mbtget

Simple Modbus/TCP client. Good for quick reads.

```bash
apt install mbtget
```

ModbusPal

Java-based Modbus slave simulator for lab testing.

```bash
# Download from SourceForge
```

Siemens S7 Tools

snap7

Open-source S7 communication library. Python bindings available.

```bash
pip install python-snap7
```

s7scan

S7 network scanner and enumeration tool.

```bash
git clone https://github.com/klsecservices/s7scan
```

EtherNet/IP (Allen-Bradley) Tools

pycomm3

Python library for Allen-Bradley PLC communication.

```bash
pip install pycomm3
```

cpppo

EtherNet/IP CIP protocol implementation.

```bash
pip install cpppo
```

OPC UA Tools

```bash
# Python OPC UA
pip install opcua
pip install asyncua

# GUI Client
pip install opcua-client-gui

# OPC UA security scanner
git clone https://github.com/SCADACS/OPC-UA-Checker
```

ICS Exploitation Frameworks

Metasploit ICS Modules

Built-in modules for ICS exploitation and enumeration.

```bash
msfconsole
search type:auxiliary modbus
search type:auxiliary scada
search type:exploit ics
```

ISF (Industrial Security Framework)

Exploitation framework specifically for ICS.

```bash
git clone https://github.com/dark-lbp/isf
```

Metasploit ICS Module Reference

```bash
# Modbus modules
use auxiliary/scanner/scada/modbus_findunitid
use auxiliary/scanner/scada/modbusclient
use auxiliary/scanner/scada/modbusdetect

# S7 modules
use auxiliary/scanner/scada/s7_enumerate
use auxiliary/admin/scada/s7_control

# BACnet modules
use auxiliary/scanner/scada/bacnet_info

# EtherNet/IP modules
use auxiliary/scanner/scada/ethernetip_info

# DNP3 modules
use auxiliary/scanner/scada/dnp3_enumerate

# Running example
use auxiliary/scanner/scada/modbus_findunitid
set RHOSTS 192.168.100.0/24
run
```

Network Analysis

Wireshark

Essential for ICS traffic analysis. Has dissectors for most ICS protocols.

```bash
apt install wireshark
```

Zeek (Bro)

Network analysis with ICS protocol support.

```bash
apt install zeek
```

NetworkMiner

Network forensics with protocol parsing.

```bash
# Download from netresec.com
```

Grassmarlin

NSA tool for passive ICS network mapping.

```bash
git clone https://github.com/nsacyber/GRASSMARLIN
```

Lab Simulators

Virtual PLCs

| Tool | Description | Cost |
|------|-------------|------|
| OpenPLC | Open-source PLC runtime (IEC 61131-3) | Free |
| CODESYS | Industrial PLC development system | Free trial |
| Siemens PLCSim | Official Siemens S7 simulator | Commercial |
| Factory I/O | 3D factory simulation for PLC training | $$$ |

Complete ICS Labs

```bash
# GRFICSv2 - Virtual ICS/SCADA testbed
# Includes: HMI, PLCs, Process Simulation
git clone https://github.com/Fortiphyd/GRFICSv2
cd GRFICSv2
vagrant up

# SWaT Dataset - Water treatment simulation data
# Used for ICS anomaly detection research
# https://itrust.sutd.edu.sg/testbeds/secure-water-treatment-swat/

# DVCP - Damn Vulnerable Chemical Process
# Simple process simulation for learning
git clone https://github.com/satejnik/DVCP-VAM

# ConPot - ICS/SCADA honeypot (can be used as lab)
pip install conpot
conpot --template default
```

Vulnerability Scanners

Nmap ICS Scripts

Built-in scripts for ICS protocol detection.

```bash
ls /usr/share/nmap/scripts/*scada*
ls /usr/share/nmap/scripts/*modbus*
ls /usr/share/nmap/scripts/*s7*
```

Redpoint

Digital Bond's ICS enumeration scripts for Nmap.

```bash
git clone https://github.com/digitalbond/Redpoint
```

Asset Discovery

```bash
# Shodan CLI for ICS discovery
pip install shodan
shodan init YOUR_API_KEY

# Search for ICS devices
shodan search port:502
shodan search port:102
shodan search "Siemens S7"

# Download results
shodan download results port:502 country:US

# Censys for ICS
pip install censys
censys search "protocols: modbus"
```

Tool Installation Script

```bash
#!/bin/bash
# ICS Pentesting Tools Installation Script
# Run on Kali Linux

echo "[*] Installing ICS/OT pentesting tools..."

# Update system
sudo apt update

# Python libraries for ICS protocols
pip3 install pymodbus
pip3 install python-snap7
pip3 install pycomm3
pip3 install opcua asyncua
pip3 install BAC0
pip3 install scapy
pip3 install shodan censys

# Nmap (should be installed)
sudo apt install -y nmap

# Wireshark
sudo apt install -y wireshark tshark

# Clone repositories
mkdir -p ~/ics-tools
cd ~/ics-tools

# s7scan
git clone https://github.com/klsecservices/s7scan

# ISF - Industrial Security Framework
git clone https://github.com/dark-lbp/isf

# Redpoint Nmap scripts
git clone https://github.com/digitalbond/Redpoint
sudo cp Redpoint/*.nse /usr/share/nmap/scripts/

# GRFICSv2 (requires vagrant)
git clone https://github.com/Fortiphyd/GRFICSv2

# ConPot honeypot
pip3 install conpot

# OpenPLC
git clone https://github.com/thiagoralves/OpenPLC_v3
cd OpenPLC_v3
./install.sh linux
cd ..

# GRASSMARLIN
git clone https://github.com/nsacyber/GRASSMARLIN

echo "[+] Installation complete!"
echo "[*] Remember to configure Wireshark for non-root capture:"
echo "    sudo dpkg-reconfigure wireshark-common"
echo "    sudo usermod -aG wireshark $USER"
```

Resources

Certifications

Consider ICS-specific certifications: GICSP (SANS), GRID (SANS), or ISA/IEC 62443 certificates for comprehensive OT security knowledge.