
SQL Records with Siemens S7-1500 PLC, Intercepted with Wireshark

This time we will use the blocks from the LSQL library based on the example that Siemens has posted on their page, to register in a SQL database with S7-1500 PLC, later intercepted with Wireshark.

We will do this quickly to focus later on how to capture the packets that the PLC sends to the database and try to gain access to it, similar to what we did with Modbus. We can perform it on a local network, or all on localhost; for the example, it doesn't matter.

1- Writing Variables

In this example, we use a simulated 1515-2 PN to send queries to a database where we want to store historical data of our variables.

1- We instantiate the block "Lsql_Microsoft", generating the associated DB and parameterizing it with the variables from the DB itself. In Siemens' example, everything is prepared for this, and the manual explains it well.

2- We parameterize the connection data, which we will obtain from where we have the database that we want to write to.

  • We write an appropriate INSERT command according to the structure of the database; in my case, there are 3 temperatures, two pressures, and one date (Timestamp). At this point, it is important to work correctly with the formats, especially with dates.
  • You can pass fixed values directly or parameterize it with PLC variables (which is the idea); for this, I had to create a function that does all this:
[Screenshot: the QueryFormatDownload function]

As can be seen, the last lines generate the string that I will pass when I make the corresponding INSERT.

3- We enable the block: the connection with the database is established. If everything goes well, it will respond with Valid=TRUE and error=FALSE.

4- We enable the "Execute_Command" flag so that the data in the INSERT string is sent cyclically.

And we will see that if all goes well, the length of the telegram will change, and the dataReceived will be set to TRUE, confirming the write operation.

5- We confirm the write operation in the database with the Management: in my case, it is on another virtual machine, but it could be on the same host.

2- Analyzing the Frame

Now we will do the same as in the Modbus article, listening to the network card, looking for frames that match the communication we know is taking place.

We will try to see the query that is being passed with our INSERT of values.

We see certain frames with relevant content like "S7-1500", so we filter by the PLC's IP as "Source" and obtain the following:
There are two types of packets from our PLC:

  • TCP: information related to the protocol and connection establishment.
  • TDS: packet with the data of our query. If we investigate a little, we will see them at the bottom, with the specific data of that packet.

It can be observed how the query matches what we programmed in Step 1.

3- Database User and Password

We have already discovered one of the frames we sent, but... we can still do something more. When we established the connection with the PLC and activated the Enable flag, the connection with SQL was established, and therefore at that moment, the credentials had to be passed. Can we see them?

  • We turn off the connection and disconnect the write and leave Wireshark listening. We see that when disconnecting, a special packet comes out:
  • We activate the connection again and observe the packets:

The packet leaves no room for doubt: TDS7 login. Let's see what's inside...

Surprise. We have the login data for the database where we write, with the username and password in plain text and unencrypted.
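To detect this condition in a capture rather than reading it off by eye, the following Python script (an added example, not part of the original post or of Siemens' LSQL library) walks the TDS packets of one PLC-to-server connection, reads the ENCRYPTION option the client offers in PRELOGIN, and flags any TDS7 LOGIN7 packet that appears as a bare TDS packet, which only happens when no TLS was negotiated. The sample packets are constructed inline; the login body is a placeholder and carries no credentials.

```python
import struct

# TDS packet types and PRELOGIN ENCRYPTION option values (MS-TDS).
TDS_LOGIN7, TDS_PRELOGIN = 0x10, 0x12
ENCRYPT_NAMES = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON",
                 0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}

def prelogin_encryption(payload):
    """Return the 1-byte ENCRYPTION option from a PRELOGIN payload, or None.
    The payload opens with 5-byte entries (token, offset, length), offsets
    relative to the payload start, terminated by 0xFF."""
    i = 0
    while i + 5 <= len(payload) and payload[i] != 0xFF:
        token, off, ln = struct.unpack(">BHH", payload[i:i + 5])
        if token == 0x01 and ln == 1 and off < len(payload):
            return payload[off]
        i += 5
    return None

def audit_tds_stream(packets):
    """Walk the client->server TDS packets of one connection and report
    findings that mean credentials or queries travel readable on the wire."""
    findings = []
    for pkt in packets:
        if len(pkt) < 8:
            continue  # not a complete 8-byte TDS header
        ptype, _status, length, _spid, _pid, _win = struct.unpack(">BBHHBB", pkt[:8])
        payload = pkt[8:length]
        if ptype == TDS_PRELOGIN:
            enc = prelogin_encryption(payload)
            name = ENCRYPT_NAMES.get(enc, "unknown")
            if enc == 0x02:
                findings.append(f"PRELOGIN {name}: no TLS, LOGIN7 and queries are cleartext")
            elif enc == 0x00:
                findings.append(f"PRELOGIN {name}: TLS for login only, INSERTs stay readable")
        elif ptype == TDS_LOGIN7:
            # A LOGIN7 that parses as a bare TDS packet was never wrapped in TLS.
            findings.append("LOGIN7 packet visible in cleartext: DB credentials exposed")
    return findings

# Constructed sample packets (not taken from the capture in this post).
def build_prelogin(encryption):
    table = struct.pack(">BHH", 0x00, 11, 6) + struct.pack(">BHH", 0x01, 17, 1) + b"\xff"
    body = table + b"\x0f\x00\x0b\xe6\x00\x00" + bytes([encryption])  # VERSION + ENCRYPTION
    return struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(body), 0, 1, 0) + body

def build_login7_stub():
    body = b"\x00" * 4  # placeholder body; credentials are deliberately not modelled
    return struct.pack(">BBHHBB", TDS_LOGIN7, 0x01, 8 + len(body), 0, 1, 0) + body

if __name__ == "__main__":
    for line in audit_tds_stream([build_prelogin(0x02), build_login7_stub()]):
        print(line)
```

On a real capture, feed it the TCP payload of each PLC-to-SQL-Server segment in order; a connection that negotiated ENCRYPT_ON or ENCRYPT_REQ and shows no bare LOGIN7 yields no findings.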

Conclusion

  • In SQL communication from a PLC, if the authentication is not protected and the communications are not encrypted, it is very easy to see the packets sent; worse still, if encryption is not configured, it is very simple to obtain the login for the database.