A Python-based exploitation framework for industrial control systems, similar to Metasploit but focused on ICS/SCADA protocols.
Disclaimer: Usage of ICSSploit for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
```bash
git clone https://github.com/nopgadget/icssploit.git
cd icssploit
pip install -r requirements.txt
python main.py
```

```bash
# Start the framework
python main.py

# Show available modules
show all

# Use an exploit module
use exploits/plcs/siemens/s7_300_400_plc_control
set target 192.168.1.100
run

# Use a scanner
use scanners/s7comm_scan
set target 192.168.1.0/24
run

# Use a client for direct protocol interaction
use client/s7
set target 192.168.1.100
set port 102
run
```

- PLC Control: Start/stop/reset industrial controllers
- System Vulnerabilities: Target CVE vulnerabilities in ICS systems
- Network Scanners: Discover ICS devices on networks
- Protocol Scanners: Identify supported protocols and services
- Device Fingerprinting: Gather detailed device information
- Brute Force: Password attacks against ICS devices
- Default Credentials: Test common default passwords
- 8 Supported Protocols: Direct interaction with industrial protocols
- Module-like Interface: Use clients exactly like exploitation modules
- Real-time Communication: Send/receive messages and control devices
| Protocol | Client | Scanner | Exploits | Default Port |
|---|---|---|---|---|
| Modbus TCP | ✅ | ✅ | ✅ | 502 |
| S7comm | ✅ | ✅ | ✅ | 102 |
| S7comm Plus | ✅ | - | - | 102 |
| DNP3 | ✅ | ✅ | - | 20000 |
| BACnet | ✅ | ✅ | - | 47808 |
| EtherNet/IP (CIP) | ✅ | ✅ | - | 44818 |
| OPC UA | ✅ | ✅ | - | 4840 |
| WDB (VxWorks) | ✅ | ✅ | ✅ | 17185 |
| Profinet DCP | - | ✅ | ✅ | - |
| 0MQ (ZeroMQ) | ✅ | ✅ | ✅ | 5555 |
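A defender-side check built on the default-port table above, added here as an example that is not part of the ICSSploit project: it reads constructed flow records and flags a single source that touches many hosts on one ICS port, which is the traffic pattern a scanner module run against a whole /24 produces. The flow format, sample addresses and threshold are assumptions for the example.

```python
# Added example (not ICSSploit code): flag a source that sweeps an ICS port
# across many hosts, the traffic pattern a scanner run against a /24 creates.
from collections import defaultdict

# Default ports from the protocol table (Profinet DCP is Layer 2, no port).
ICS_PORTS = {
    502: "Modbus TCP", 102: "S7comm", 20000: "DNP3", 47808: "BACnet",
    44818: "EtherNet/IP", 4840: "OPC UA", 17185: "WDB", 5555: "0MQ",
}

# Constructed sample flows ("src dst dport"): 10.0.5.23 sweeps port 102
# across 192.168.1.0/24; 192.168.1.50 talks to one PLC, which is normal.
SAMPLE_FLOWS = """\
10.0.5.23 192.168.1.1 102
10.0.5.23 192.168.1.2 102
10.0.5.23 192.168.1.3 102
10.0.5.23 192.168.1.4 102
10.0.5.23 192.168.1.5 102
10.0.5.23 192.168.1.100 102
10.0.5.23 192.168.1.100 502
192.168.1.50 192.168.1.100 102
192.168.1.50 192.168.1.100 102
10.0.5.77 192.168.1.100 443
"""


def parse_flows(text):
    """Yield (src, dst, dport) from 'src dst dport' lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            yield parts[0], parts[1], int(parts[2])


def find_ics_sweeps(flows, threshold=5):
    """Return {(src, protocol): distinct destination count} for sources that
    reached at least `threshold` distinct hosts on one ICS default port."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ICS_PORTS:
            seen[(src, ICS_PORTS[dport])].add(dst)
    return {key: len(dsts) for key, dsts in seen.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for (src, proto), count in find_ics_sweeps(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} contacted {count} hosts on {proto}")
```

In a real deployment the flow records would come from a firewall, NetFlow or Zeek conn log, and the threshold should be tuned to the number of controllers an engineering workstation legitimately polls.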
- PLC Control: Control logic controllers (start/stop/reset)
- VxWorks: Target VxWorks-based systems
- QNX: Exploit QNX real-time systems
- Schneider: Schneider Electric device exploits
- Network Discovery: Find ICS devices on networks
- Protocol Detection: Identify supported protocols
- Device Enumeration: Gather device information
- Brute Force Attacks: Password attacks against ICS authentication
- Default Credentials: Test common factory passwords
The unified client system allows direct protocol interaction:
```bash
# List available clients
show client

# Use a client (like using a module)
use client/modbus
set target 192.168.1.100
set port 502
options
run

# Send protocol-specific commands
send read_coils 1 10
receive
call discover_devices

# Return to main menu
back
```

All clients support the same interface as modules: set, options, run, check, back.
- Client Management System - Comprehensive client usage guide
- DNP3 Client - DNP3 protocol client (IEEE 1815)
- Modbus TCP Client - Modbus protocol client
- S7 Client - Siemens S7 protocol client
- WDB RPC Client - VxWorks debugging client
- S7comm Scanner - Scan for Siemens PLCs
- VxWorks Scanner - Scan for VxWorks devices
- Profinet DCP Scanner - Discover Profinet devices
- Modbus Scanner - Scan for Modbus devices
- BACnet Scanner - Discover BACnet devices
- OPC UA Scanner - Find OPC UA servers
- 0MQ Scanner - Discover ZeroMQ endpoints
- S7 Brute Force - Siemens PLC password attacks
- SNMP Brute Force - SNMP community string attacks
- Profinet Set IP - Change device IP addresses
- Creating Modules - Write custom modules
- Loading Extra Modules - Load external modules
- Python 3.10 (recommended for full functionality)
- Python 3.9+ (minimum supported)
- Note: Python 3.11+ has compatibility issues with the pydnp3 library
- scapy
- paramiko
- pymodbus[serial]
- opcua
- pysnmp
- pyzmq
- beautifulsoup4
- telnetlib3
- colorama
- Windows: pyreadline3 (for tab completion)
- requests (for HTTP-based modules)
- python-nmap (for network scanning)
- pydnp3 (for enhanced DNP3 support - requires build from source)
For full functionality including DNP3 support:
```bash
# Create Python 3.10 environment (conda)
conda create -n icssploit python=3.10 -y
conda activate icssploit

# Install dependencies
pip install -r requirements.txt

# Install build tools for pydnp3 (optional but recommended)
conda install cmake make gcc_linux-64 gxx_linux-64 -y  # Linux
# or
brew install cmake make gcc  # macOS

# Build pydnp3 for enhanced DNP3 support
./scripts/build_pydnp3.sh
```

```bash
pip install -r requirements.txt
```

```bash
pip install scapy paramiko pymodbus opcua pysnmp pyzmq colorama beautifulsoup4 telnetlib3
# Add pyreadline3 on Windows
```

Note: Most ICSSploit functionality uses standard TCP/UDP sockets and does not require packet capture libraries.
Packet capture is only needed for these specific modules:
- `scanners/enip_scan` - EtherNet/IP device discovery
- `scanners/profinet_dcp_scan` - Profinet device discovery
- `exploits/plcs/siemens/profinet_set_ip` - Profinet IP configuration
- `exploits/misc/fake_dhcp_server` - DHCP server simulation
If you plan to use these modules and encounter "No libpcap provider available" warnings:
Linux/macOS:

```bash
# Usually not needed - Scapy works with built-in backends
conda install conda-forge::libpcap  # Only if required
```

Windows:

```
# Install Npcap (recommended)
# Download from: https://nmap.org/npcap/
# Install with "Install Npcap in WinPcap API-compatible mode" checked
```

Important: These warnings can usually be safely ignored. All clients and most scanners work perfectly without packet capture libraries.
- Original Project: Based on routersploit
- Original Fork: Revived version of isf
- Fork Maintainer: nopgadget
- Version: 0.2.0
- License: See LICENSE file
- ICS-CERT Advisories
- NIST Cybersecurity Framework
- Industrial Control Systems Cyber Emergency Response Team
- Modbus Protocol Specification
- S7 Communication Protocol
- BACnet Protocol
- EtherNet/IP Specification
- OPC UA Specification