IEC-104 File Transfer Extraction

Did you know that the SCADA protocol IEC 60870-5-104 (IEC-104) can be used to transfer files? This file transfer feature is primarily used for retrieving disturbance data from electric grid protection devices, such as protective relays, but can in practice be used to transfer any type of data.

In this video I demonstrate how IEC-104 file transfers can be extracted from network traffic with NetworkMiner.

The network traffic that was captured with NetworkMiner in this video can be downloaded here: NM_2022-12-13T14-16-00.pcap

The IEC-104 software used in the video was the IEC 104 RTU Server Simulator and IEC 104 Client Simulator from FreyrSCADA.

Posted by Erik Hjelmvik on Monday, 09 January 2023 09:00:00 (UTC/GMT)

Tags: #IEC-104#SCADA#NetworkMiner#ICS#PCAP

Short URL: https://netresec.com/?b=231efae

X / twitter

NETRESEC on X / Twitter: @netresec

Mastodon

NETRESEC on Mastodon: @netresec@infosec.exchange