All labs

LAB-02 · S7comm · 102/tcp

S7comm exploitation: STOP/RUN abuse and block download

A simulated S7-1200 is reachable on the lab network. Demonstrate the STOP/RUN abuse pattern Stuxnet used as a primitive, then show how the same channel exfiltrates DBs.

Duration

120m

Level

intermediate

ISA SL

SL2 · SL3

Track

ics pentest

Certification path

Objectives

  1. 01Fingerprint a Siemens S7-1200 over TCP/102
  2. 02Send a STOP command using snap7-cli
  3. 03Pull program blocks (DB, OB) for offline analysis

Success criteria

  • Capture the S7comm STOP frame with Wireshark
  • List downloaded blocks in the report
  • Map findings to IEC 62443-3-3 SR 2.4