
// the find

klsecservices/s7scan

★ 155 · Python · updated Dec 2018

The tool for enumerating Siemens S7 PLCs through TCP/IP or LLC network

s7scan enumerates Siemens S7 PLCs (300/400/1500 series) over both TCP/IP and LLC, pulling firmware version, hardware version, network config, and protection settings via S7comm "Read SZL" requests (SZL is the CPU's System Status List, from the German Systemzustandsliste). It's aimed at ICS/OT security auditors doing inventory or pre-assessment recon on industrial networks. Think of it as an Nmap-style sweep that speaks S7comm rather than generic port probes.

// what works

1. LLC transport support via Scapy is the real differentiator. Most tools only do TCP/IP (ISO-on-TCP, port 102), but many factory networks still run S7 over LLC at Layer 2 with no IP at all, and you can't enumerate those without it. The caveat is that Layer 2 scanning only reaches the broadcast domain you're plugged into, so plan your tap point accordingly.
2. Protection configuration extraction (key switch position, read/write access rights) is genuinely useful for audit work: it tells you immediately which PLCs are wide open.
3. The S7 protocol implementation is hand-rolled and documented against the official Siemens SFC manual, not reverse-engineered guesswork.
4. Includes a plcserver.py test stub, so you can validate behavior without touching real PLCs.

// what doesn't

1. Python 2 only. It's 2026, Python 2 has been dead for six years, and this hasn't been touched since 2018. Scapy moved on; running this today means building an isolated legacy environment (a throwaway VM or container with Python 2.7 and a Scapy release from that era).
2. Bundles pre-built WinPcap binaries (including kernel drivers) committed directly to the repo. That's a supply chain problem sitting in your tree that most security teams will flag immediately: nothing in the repo tells you whether those binaries match a vendor release, so at minimum hash-check them against one before installing anything.
3. No output formats: no JSON, no CSV, no XML. Results go to stdout only, so integrating this into any pipeline means screen-scraping.
4. The COTP TSAP scan is sequential with no parallelism, so scanning a large /24 is slow. The TODO.md even flags this, but it was never addressed.
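To make the protocol talk concrete, here is an added example that is not s7scan's code and is written in Python 3 rather than the tool's Python 2. It builds the three PDUs an S7 enumerator sends over TCP/102 (the COTP connection request carrying the rack/slot TSAP a TSAP scan walks through, S7comm setup communication, and a Read SZL request) and parses a Read SZL reply into fixed-size records with every length checked against the buffer. All function names, the fixture builder szl_response, and both "PLC replies" are my own constructions (the same approach as the plcserver.py stub), not captures. The 0x0011 record layout and the sch_schal/sch_par/sch_rel/bart_sch/anl_sch fields follow the Siemens SFC manual's SZL descriptions; padding the protection record to 40 bytes is an assumption of the fixture, not something taken from the tool.

```python
# Added example (Python 3), not s7scan's code. TPKT/COTP/S7comm layouts are the
# public ones; every "PLC reply" below is a CONSTRUCTED fixture, not a capture.
import struct

S7_PROTO_ID = 0x32
ROSCTR_JOB, ROSCTR_USERDATA = 0x01, 0x07
COTP_DT = b"\x02\xf0\x80"          # COTP Data TPDU, end-of-TSDU flag set
MODE_SELECTOR = {0: "undefined", 1: "RUN", 2: "RUN-P", 3: "STOP", 4: "MRES"}


def tpkt(payload: bytes) -> bytes:
    """RFC 1006 TPKT: version 3, reserved 0, total length including the 4-byte header."""
    return struct.pack(">BBH", 3, 0, 4 + len(payload)) + payload


def cotp_connect_request(rack: int, slot: int, src_tsap: int = 0x0100,
                         conn_type: int = 0x01) -> bytes:
    """COTP CR. The called TSAP is what a TSAP scan walks: high byte = connection
    type (0x01 PG, 0x02 OP, 0x03 basic), low byte = rack << 5 | slot."""
    dst_tsap = (conn_type << 8) | ((rack & 0x07) << 5) | (slot & 0x1F)
    params = (b"\xc0\x01\x0a"                                # TPDU size 1024
              + b"\xc1\x02" + struct.pack(">H", src_tsap)    # calling TSAP
              + b"\xc2\x02" + struct.pack(">H", dst_tsap))   # called TSAP
    body = b"\xe0\x00\x00\x00\x01\x00" + params   # CR, dst ref 0, src ref 1, class 0
    return tpkt(bytes([len(body)]) + body)        # length indicator excludes itself


def s7_pdu(rosctr: int, pdu_ref: int, param: bytes, data: bytes) -> bytes:
    """10-byte S7comm header (Job/Userdata carry no error fields) + param + data."""
    hdr = struct.pack(">BBHHHH", S7_PROTO_ID, rosctr, 0, pdu_ref, len(param), len(data))
    return tpkt(COTP_DT + hdr + param + data)


def setup_communication(pdu_ref: int = 0, pdu_size: int = 960) -> bytes:
    """Job function 0xF0: one parallel job each way, negotiate the PDU size."""
    return s7_pdu(ROSCTR_JOB, pdu_ref, struct.pack(">BBHHH", 0xF0, 0, 1, 1, pdu_size), b"")


def read_szl(szl_id: int, szl_index: int = 0, pdu_ref: int = 0, seq: int = 0) -> bytes:
    """Userdata request: CPU-functions group (0x44), subfunction 1 = Read SZL."""
    param = bytes([0x00, 0x01, 0x12, 0x04, 0x11, 0x44, 0x01, seq])
    data = b"\xff\x09" + struct.pack(">HHH", 4, szl_id, szl_index)  # ok, octet string, 4 bytes
    return s7_pdu(ROSCTR_USERDATA, pdu_ref, param, data)


def szl_response(szl_id: int, szl_index: int, records: list, pdu_ref: int = 0) -> bytes:
    """Reply shape a CPU (or a test stub) sends; used here only to build fixtures."""
    param = bytes([0x00, 0x01, 0x12, 0x08, 0x12, 0x84, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00])
    body = struct.pack(">HHHH", szl_id, szl_index, len(records[0]), len(records)) + b"".join(records)
    return s7_pdu(ROSCTR_USERDATA, pdu_ref, param, b"\xff\x09" + struct.pack(">H", len(body)) + body)


def parse_szl_response(pkt: bytes) -> dict:
    """TPKT -> COTP -> S7comm userdata -> SZL partial list split into fixed-size records.
    Lengths are checked against the buffer, so a truncated or hostile reply raises
    ValueError instead of an IndexError/struct.error deep inside a scanner loop."""
    if len(pkt) < 5 or pkt[0] != 3 or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad TPKT header or length")
    s7 = pkt[5 + pkt[4]:]                                  # skip COTP via its length indicator
    if len(s7) < 10:
        raise ValueError("truncated S7comm header")
    proto, rosctr, _, pdu_ref, plen, dlen = struct.unpack(">BBHHHH", s7[:10])
    if proto != S7_PROTO_ID or rosctr != ROSCTR_USERDATA or len(s7) < 10 + plen + dlen:
        raise ValueError("not a complete S7comm userdata PDU")
    param, data = s7[10:10 + plen], s7[10 + plen:10 + plen + dlen]
    if plen < 12 or param[4:7] != b"\x12\x84\x01":         # response, CPU functions, Read SZL
        raise ValueError("not a Read SZL response")
    err = struct.unpack(">H", param[10:12])[0]
    if err:
        raise ValueError(f"CPU returned SZL error 0x{err:04x}")
    if dlen >= 1 and data[0] != 0xFF:                      # 0xFF = success return code
        raise ValueError(f"SZL data return code 0x{data[0]:02x}")
    if dlen < 12:
        raise ValueError("SZL data too short for list header")
    szl_id, szl_index, rec_len, count = struct.unpack(">HHHH", data[4:12])
    if rec_len == 0 or 12 + rec_len * count > dlen:
        raise ValueError("record length/count exceed data")
    recs = [data[12 + i * rec_len:12 + (i + 1) * rec_len] for i in range(count)]
    return {"pdu_ref": pdu_ref, "szl_id": szl_id, "index": szl_index, "records": recs}


def module_order_numbers(records: list) -> dict:
    """SZL 0x0011 record (28 bytes): index, MlfB order number (20 ASCII), BGTyp, Ausbg1, Ausbe.
    Index 1 = module, 6 = basic hardware, 7 = basic firmware."""
    out = {}
    for rec in records:
        if len(rec) != 28:
            raise ValueError("unexpected 0x0011 record size")
        idx, mlfb, _bgtyp, _ausbg1, _ausbe = struct.unpack(">H20sHHH", rec)
        out[idx] = mlfb.decode("ascii", "replace").strip()
    return out


def protection_status(records: list) -> dict:
    """SZL xy32 index 4: sch_schal (level set by selector), sch_par (level set by parameter),
    sch_rel (effective level), bart_sch (mode selector), anl_sch (startup switch).
    On S7-300/400, effective level 1 means no protection: anyone who can reach it can write."""
    for rec in records:
        idx, sch_schal, sch_par, sch_rel, bart_sch, anl_sch = struct.unpack(">HHHHHH", rec[:12])
        if idx == 4:
            return {"set_by_selector": sch_schal, "parameterized": sch_par, "effective": sch_rel,
                    "mode_selector": MODE_SELECTOR.get(bart_sch, "?"), "startup_switch": anl_sch}
    raise ValueError("no index 4 record in protection list")


# Constructed fixtures (assumed values, not captures): a CPU 315 answering SZL 0x0011,
# and a protection record claiming level 1 with the key switch in RUN-P, padded to 40 bytes.
def _ident(index: int, mlfb: str) -> bytes:
    return struct.pack(">H20sHHH", index, mlfb.encode("ascii").ljust(20), 0, 0, 0)

IDENT_FIXTURE = szl_response(0x0011, 0, [_ident(1, "6ES7 315-2EH14-0AB0"),
                                         _ident(6, "6ES7 315-2EH14-0AB0"),
                                         _ident(7, "6ES7 315-2EH14-0AB0")], pdu_ref=1)
PROTECTION_FIXTURE = szl_response(0x0232, 4,
                                  [struct.pack(">HHHHHH", 4, 1, 0, 1, 2, 0).ljust(40, b"\x00")],
                                  pdu_ref=2)

if __name__ == "__main__":
    print(cotp_connect_request(0, 2).hex(), setup_communication().hex(), read_szl(0x0011).hex())
    print(module_order_numbers(parse_szl_response(IDENT_FIXTURE)["records"]))
    print(protection_status(parse_szl_response(PROTECTION_FIXTURE)["records"]))
```

Running it prints the three request PDUs as hex and the decoded fixtures. Against a real CPU you would send those three requests in order on one TCP/102 connection, reading the COTP Connection Confirm (0xD0) and the setup-communication ack before the SZL reply; a TSAP scan is just the connect request repeated over rack/slot values until one is confirmed. The parser hands back dicts, which is the structured-output layer the review notes s7scan lacks.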

View on GitHub →
