Listen to this Post

Introduction:
The convergence of Information Technology (IT) and Operational Technology (OT) has created a dangerous new attack surface. Network forensics in an industrial environment requires more than just standard tools; it demands an understanding of proprietary, often undocumented, industrial protocols like Siemens’ S7. A new wave of specialized scripts, like the “Pcapper” tool highlighted by a leading OT/ICS expert, is empowering security professionals to parse packet captures (PCAPs) with surgical precision, uncovering malicious commands and risky behavior that would otherwise remain invisible.
Learning Objectives:
- Understand the architecture of the Siemens S7comm protocol and how to detect anomalies within its traffic.
- Learn to deploy and utilize command-line tools for OT/ICS network forensics, including
tshark,editcap, and specialized industrial scanners. - Develop a practical methodology for building a home OT/ICS lab to practice attack detection and incident response.
You Should Know:
1. Getting Hands-On with Industrial Protocol Analysis
The foundation of OT forensics is the ability to capture and analyze traffic from industrial cells without disrupting fragile controllers. My analysis could not locate Pascal Ackerman’s specific `Pcapper` script due to the repository being missing. However, the core concept involves using “vibe-coded” scripts to parse packet captures, specifically for the S7 protocol used by Siemens PLCs. The goal is to detect capable equipment and identify risky commands with a simple command like pcapper s7-1200-hmi.pcap --s7.
Step‑by‑Step Guide: Setting Up an S7 Analysis Environment on Linux
This guide will create a dedicated analysis environment to parse industrial PCAPs for threats.
- Install Core Tools: The first step is to install Wireshark’s command-line utilities, which are the backbone of PCAP analysis.
sudo apt update sudo apt install wireshark tshark -y
`tshark` is the command-line version of Wireshark, perfect for scripting and automation. `editcap` and `mergecap` are used for manipulating capture files.
-
Enhance Wireshark with S7 Dissectors: To properly decode S7 traffic, you need the official plugins. The `s7commwireshark` project provides essential dissectors. Clone and integrate it into your Wireshark source build.
git clone https://github.com/JuergenKosel/wireshark.git wireshark cd wireshark git checkout s7commwireshark git submodule update --init
Follow Wireshark’s build instructions to compile the tool with these dissectors. This allows for deep packet inspection of S7 commands.
-
Capture Live Industrial Traffic (Safely): Before an incident, you need a baseline. Use `tcpdump` on a Linux gateway connected to a mirror port on your OT switch to non-intrusively capture traffic.
sudo tcpdump -i eth0 -s 1514 -C 100 -G 3600 -w 'ot_baseline_%Y%m%d_%H%M%S.pcap'
This command splits PCAPs into 100MB files, rotating every hour, preventing a single file from becoming too large to analyze.
-
Parse Captures for S7 Events: After capturing a sample (e.g.,
sample.pcap), use `tshark` to filter solely for S7 traffic and output it to a new file.tshark -r sample.pcap -Y "s7comm" -w s7_only_traffic.pcap
You can then use `tshark -V -r s7_only_traffic.pcap` to get a verbose, human-readable output of all S7 packets, which is invaluable for hunting for malicious read/write requests.
-
Create a Timeline of S7 Commands: The developer mentioned adding an `–timeline` function. You can replicate this using `tshark` to create a sorted timeline of S7 communications.
tshark -r sample.pcap -Y "s7comm" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e s7comm.param.func
This outputs a list of timestamps, source/destination IPs, and the specific S7 function codes (e.g., read, write, compress), allowing you to map out the entire operational sequence.
-
Detecting Exploits and Risky Behavior in OT/ICS Networks
Identifying a PLC is only half the battle. The real value lies in detecting when an attacker is interacting with it. Risky behavior includes unauthenticated access, default credential usage, or writing unauthorized logic to a controller. This requires using specialized, high-performance scanners that implement safe probing mechanisms.
Step‑by‑Step Guide: Deploying an OT/ICS Network Scanner for Vulnerability Detection
- Install a SCADA Scanner: Tools like `otscan` or the `scada-scanner` are built specifically for this task. Clone and install `scada-scanner` from its repository.
git clone https://github.com/geeknik/scada-scanner.git cd scada-scanner pip install -r requirements.txt
This is a high-performance, asynchronous scanner that detects major industrial protocols like Modbus, S7, DNP3, and BACnet.
-
Run a Non-Intrusive Asset Inventory: You can safely scan a CIDR range to identify all ICS assets. The `–safe-mode` flag restricts the scan to non-intrusive probes, minimizing the risk to fragile controllers.
python scada_scanner.py -c 192.168.1.0/24 --safe-mode -o ics_assets.json
-
Perform Deep S7 Device Fingerprinting: To get detailed information about a specific Siemens PLC, you can use `nmap` with its S7 script.
nmap -p 102 --script s7-info 192.168.1.100
The `–script s7-info` script can identify the PLC’s exact model, firmware, and module type. This information can be cross-referenced with a CVE database for known vulnerabilities.
-
Check for Default Credentials and Open Ports: Many OT devices are deployed with default credentials or unnecessary services exposed. `otscan` has a built-in module to test for over 60 known default credentials across various vendor devices.
Use otscan to scan for specific risks like open Telnet or FTP on certain hosts Not a direct command, but a function of the tool otscan scan --target 192.168.1.100 --check-creds
Additionally, use `nmap` to scan for risky services that should not be present in a segmented OT environment.
nmap -sV -p 21,22,23,80,443,3389 192.168.1.0/24 --open
-
Use Windows Tools for On-the-Ground Forensics: On a Windows engineering workstation, you can capture traffic without installing third-party tools using
netsh. Run an elevated Command Prompt and start a trace.netsh trace start capture=yes tracefile=c:\ot-trace.etl persistent=yes maxsize=100
Reproduce the issue, then stop the trace with
netsh trace stop. Convert the resulting `.etl` file to `.pcapng` using Microsoft’s `etl2pcapng` tool for analysis in Wireshark. -
Building Your Own OT/ICS Cyber Lab on a Budget (to Practice)
You cannot defend what you do not understand. Building a home lab is essential for hands-on cybersecurity training without risking live infrastructure. A budget-friendly lab can be built almost entirely using free virtualization tools and open-source software.
Step‑by‑Step Guide: Constructing a Virtual ICS Test Range
- Set Up Docker for Quick Honeypot Deployment: Docker allows you to spin up realistic, low-interaction ICS honeypots in seconds. Use `conpot` to simulate a variety of industrial devices.
Install Docker sudo apt update && sudo apt install docker.io -y sudo systemctl enable --now docker Run Conpot, exposing common ICS ports (e.g., Modbus 502, S7 102) sudo docker run -d -p 80:80 -p 102:102 -p 502:502 -p 161:161/udp honeytrap/conpot
-
Simulate a PLC with OpenPLC: OpenPLC is a fully functional, open-source Programmable Logic Controller that can be used to simulate a real industrial process. It’s perfect for a safe target.
git clone https://github.com/thiagoralves/OpenPLC_v3.git cd OpenPLC_v3 ./install.sh
-
Monitor Your Lab with Command-Line Tools: With your honeypot and PLC running, capture the traffic to analyze it.
Capture all Modbus traffic on the Docker bridge network to a PCAP file tshark -i docker0 -Y "modbus" -w honeypot_traffic.pcap
-
Use Pre-Built Virtual Platforms (Easiest Method): If building from scratch seems daunting, use a pre-configured platform like Labshock or GRFICS. GRFICS provides a full virtualized ICS environment, including a simulated chemical plant and a CCTV network, allowing you to practice attacks in a highly realistic setting.
What Undercode Say:
- Proactive OT Security is Forensics-Driven: The rising tide of threats against industrial infrastructure means that blue teams must proactively hunt for threats using deep packet analysis of obscure protocols like S7. Tools like `Pcapper` represent a shift toward specialized, community-driven forensic tooling.
- Accessibility is Key to Building a Pipeline: The existence of free tools (
scada-scanner,otscan) and low-cost lab platforms (Docker, OpenPLC, GRFICS) is democratizing OT/ICS security. This allows a new generation of IT security professionals to cross-train into industrial defense, filling a critical skills gap without the need for expensive hardware. - Command-Line Mastery is Non-Negotiable: Real-world ICS incident response is often done through a terminal, as many industrial networks are air-gapped and cannot support a full GUI. Mastery of CLI tools like
tshark,tcpdump, and `netsh` is mandatory for any serious OT/ICS threat hunter.
Prediction:
The future of industrial cyber warfare will be defined by a “protocol arms race.” As tools like `Pcapper` make S7 and other proprietary ICS protocols easier to analyze, attackers will respond by developing custom, obfuscated command and control (C2) channels that hide within legitimate traffic. This will force the development of AI-driven network detection and response (NDR) systems for OT networks capable of not just parsing packet structure, but also analyzing behavioral anomalies and command sequences in near real-time. The line between niche scripting and professional security appliance will blur completely, making open-source intelligence a frontline defense for critical infrastructure.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Pascal Ackerman – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


