References and resources

Tools, documentation, and lab material to support research and hands-on analysis in the context of Anvil. This page prioritises practical investigation of OT/ICS devices, protocols, and environments over abstract compliance or vendor marketing.

Binary and firmware analysis

Tools for dissecting executables, firmware images, protocol handlers, and embedded artefacts. These are foundational and reused across all later stages.

  • Ghidra: full reverse-engineering suite with decompiler

  • radare2: low-level reverse engineering and analysis framework

  • Cutter: graphical frontend for radare2

  • ImHex: hex editor with pattern language for binary formats

  • binspector: binary structure and filesystem inspection

Industrial protocol specifications and references

Authoritative protocol documentation used to understand wire formats, state machines, and implementation assumptions.

Cross-protocol tool collections

Curated collections of tools, scripts, PCAPs, and research material spanning multiple protocols and vendors. These are useful as starting points and comparison baselines.

Protocol-specific tooling

Libraries, scanners, and test tools focused on individual OT/ICS protocols. Useful for both benign experimentation and hostile interaction.

Modbus

Libraries:

  • pymodbus – Parse Modbus frames, decode function codes, registers, exceptions – Useful for understanding firmware-embedded protocol handling

  • scapy.contrib.modbus – Low-level frame inspection and crafting (offline PCAP analysis)

Emulators / simulators:

  • mbserver (libmodbus) – Minimal Modbus TCP server for controlled testing

  • ModbusPal – Simple register-based simulator, good for sanity-checking assumptions

Modbus function codes, exception responses, and register layouts are often hard-coded in firmware and excellent static identifiers.
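As an added example (not code from Anvil, pymodbus or libmodbus), a small Modbus/TCP decoder that shows where those constants sit on the wire: the 7-byte MBAP header, the function code, the exception-response encoding (function code with bit 7 set followed by one exception code), and the register layout of a Read Holding Registers exchange. The three frames at the bottom are constructed, not captured.

```python
"""Decode Modbus/TCP frames and the constants that identify a Modbus stack.

Added example for this page; it is not code from Anvil, pymodbus or libmodbus.
The three sample frames at the bottom are constructed by hand, not captured.
"""
import struct

# Public function codes from the Modbus Application Protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers", 43: "Encapsulated Interface Transport",
}
# Exception codes carried in a response whose function code has bit 7 set.
EXCEPTION_NAMES = {
    1: "Illegal Function", 2: "Illegal Data Address", 3: "Illegal Data Value",
    4: "Server Device Failure", 5: "Acknowledge", 6: "Server Device Busy",
    8: "Memory Parity Error", 10: "Gateway Path Unavailable",
    11: "Gateway Target Device Failed to Respond",
}


def decode_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol identifier {proto} is not Modbus (expected 0)")
    # The MBAP length field counts the unit identifier plus the whole PDU.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with {len(frame) - 6} bytes present")
    pdu = frame[7:]
    fc = pdu[0]
    out = {
        "transaction_id": tid, "unit_id": unit, "function_code": fc & 0x7F,
        "function": FUNCTION_NAMES.get(fc & 0x7F, "user-defined/reserved"),
    }
    if fc & 0x80:
        # Exception response: original function code | 0x80, then one exception code.
        code = pdu[1]
        out["exception_code"] = code
        out["exception"] = EXCEPTION_NAMES.get(code, "unknown")
        return out
    if fc in (3, 4):
        if len(pdu) == 5:
            # Request PDU: starting address and quantity of registers.
            out["start"], out["quantity"] = struct.unpack(">HH", pdu[1:5])
        else:
            # Response PDU: byte count followed by big-endian 16-bit registers.
            count = pdu[1]
            regs = pdu[2:2 + count]
            if len(regs) != count or count % 2:
                raise ValueError("register response byte count does not match payload")
            out["registers"] = list(struct.unpack(f">{count // 2}H", regs))
    return out


def is_modbus_tcp(frame: bytes) -> bool:
    """True if the frame decodes cleanly; usable as a passive classifier over a PCAP."""
    try:
        decode_modbus_tcp(frame)
        return True
    except (ValueError, IndexError, struct.error):
        return False


# Constructed samples (not captured traffic): a Read Holding Registers request for
# two registers at address 0, the matching response, and an Illegal Data Address
# exception to a later request.
SAMPLE_REQUEST = bytes.fromhex("0001 0000 0006 01 03 0000 0002")
SAMPLE_RESPONSE = bytes.fromhex("0001 0000 0007 01 03 04 1234 5678")
SAMPLE_EXCEPTION = bytes.fromhex("0002 0000 0003 01 83 02")

if __name__ == "__main__":
    for name, frame in [("request", SAMPLE_REQUEST), ("response", SAMPLE_RESPONSE),
                        ("exception", SAMPLE_EXCEPTION)]:
        print(name, decode_modbus_tcp(frame))
```

The two tables hold the same values a constant or string search over a firmware image turns up, which is what makes them static identifiers. The decoder refuses frames whose protocol identifier or MBAP length is wrong instead of guessing, so it doubles as a strict passive classifier rather than a port-number heuristic.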

Siemens S7

Libraries:

  • python-snap7 – Parses S7 protocol structures – Useful for understanding SZL, setup comm, and read/write behaviour without touching real PLCs

Emulators / simulators:

  • snap7-server (from snap7) – Controlled S7 server for offline testing

  • PLCsim (vendor tool, optional, licensed) – Only if already available; never required

S7 implementations often leak vendor-specific constants, block structures, and error strings inside firmware.

OPC UA

Libraries:

  • opcua / freeopcua (Python) – Parses nodesets, services, and security configuration

  • open62541 – Reference implementation used by many vendors

Emulators / simulators:

  • open62541 server

  • freeopcua server

OPC UA stacks embed:

  • default namespaces

  • certificate subjects

  • endpoint URLs

  • distinctive node hierarchies.

All of these are extractable statically and later detectable passively.
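Added example, not part of this page nor of open62541 or freeopcua: the static side pulls endpoint URLs, namespace URIs and application URIs out of a firmware-like blob (constructed here as NUL-separated strings, the way `strings` would present them) and separates vendor namespaces from the OPC Foundation default that every stack carries; the passive side parses the Hello message that opens every opc.tcp session, whose EndpointUrl field repeats the endpoint the client was configured with. The regular expressions are heuristics, not a specification, and the sample Hello is built by the block's own encoder.

```python
"""Pull OPC UA identifiers out of a firmware image and off the wire.

Added example for this page (not from Anvil, open62541 or freeopcua). The blob
and the Hello message below are constructed inline; nothing is read from a
device or the network.
"""
import re
import struct

# Static side: URIs that an OPC UA stack keeps as cleartext strings in the image.
ENDPOINT_RE = re.compile(rb"opc\.tcp://[^\s\x00\"'<>]+")
NAMESPACE_RE = re.compile(rb"https?://[^\s\x00\"'<>]+/UA/?[^\s\x00\"'<>]*")
APP_URI_RE = re.compile(rb"urn:[A-Za-z0-9.\-_:]+")
DEFAULT_NAMESPACE = "http://opcfoundation.org/UA/"   # namespace 0 in every stack


def extract_static(blob: bytes) -> dict:
    """Return endpoint URLs, namespace URIs and application URIs found in a blob."""
    def found(rx):
        return sorted({m.decode("utf-8", "replace") for m in rx.findall(blob)})
    namespaces = found(NAMESPACE_RE)
    return {
        "endpoints": found(ENDPOINT_RE),
        "namespaces": namespaces,
        # Vendor namespaces carry the fingerprint; the OPC Foundation one does not.
        "vendor_namespaces": [n for n in namespaces if n != DEFAULT_NAMESPACE],
        "application_uris": found(APP_URI_RE),
    }


# Passive side: the first bytes of an opc.tcp session are a Hello (HEL) message
# whose EndpointUrl names the endpoint the client was configured for.
def parse_hello(msg: bytes) -> dict:
    if len(msg) < 32 or msg[:4] != b"HELF":
        raise ValueError("not an OPC UA Hello message")
    size, proto, rbuf, sbuf, maxmsg, maxchunks = struct.unpack("<6I", msg[4:28])
    if size != len(msg):
        raise ValueError(f"MessageSize {size} does not match {len(msg)} bytes")
    (url_len,) = struct.unpack("<i", msg[28:32])   # -1 encodes a null string
    url = None if url_len < 0 else msg[32:32 + url_len].decode("utf-8")
    return {"protocol_version": proto, "receive_buffer": rbuf, "send_buffer": sbuf,
            "max_message": maxmsg, "max_chunks": maxchunks, "endpoint_url": url}


def build_hello(url: str, proto: int = 0, rbuf: int = 65536, sbuf: int = 65536) -> bytes:
    """Encode a Hello message; used here only to construct the sample below."""
    body = (struct.pack("<5I", proto, rbuf, sbuf, 0, 0)
            + struct.pack("<i", len(url)) + url.encode("utf-8"))
    return b"HELF" + struct.pack("<I", 8 + len(body)) + body


# Constructed firmware-like blob: NUL-separated strings, as `strings` would list them.
SAMPLE_BLOB = b"\x00".join([
    b"libopcua.so", b"opc.tcp://0.0.0.0:4840/UA/Server", DEFAULT_NAMESPACE.encode(),
    b"http://acme.example/UA/Controller/", b"urn:acme:controller:plc", b"AcmeController",
]) + b"\x00"
SAMPLE_HELLO = build_hello("opc.tcp://192.168.10.5:4840/UA/Server")

if __name__ == "__main__":
    print(extract_static(SAMPLE_BLOB))
    print(parse_hello(SAMPLE_HELLO))
```

The static and passive sides are meant to be cross-checked: an endpoint path or application URI seen in an image and then repeated in a Hello on the wire ties a live host to that firmware without ever sending it a request.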

IEC 60870-5-104

DNP3

Libraries:

  • pydnp3 (wrapper around OpenDNP3) – Frame parsing and structure inspection

Emulators / simulators:

  • OpenDNP3 outstation simulator – Offline only, for protocol understanding

DNP3 implementations are conservative, repetitive, and therefore fingerprintable.
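Added example (not OpenDNP3 or pydnp3 code): a link-layer parser that shows what makes DNP3 so regular on the wire, namely fixed 0x05 0x64 start bytes, a one-byte LENGTH, a control byte whose PRM bit selects one of two small function-code tables, and user data cut into 16-byte blocks each trailed by a CRC-16/DNP. The sample frame is a constructed class 1 poll built with the block's own encoder; no outstation is contacted.

```python
"""Parse DNP3 link-layer frames and check their CRC-16/DNP blocks.

Added example for this page (not from Anvil or OpenDNP3). The sample frame is
constructed with build_link_frame below; no outstation is contacted.
"""
import struct

START = b"\x05\x64"  # every DNP3 frame begins with these two bytes
PRIMARY_FC = {0: "RESET_LINK_STATES", 2: "TEST_LINK_STATES", 3: "CONFIRMED_USER_DATA",
              4: "UNCONFIRMED_USER_DATA", 9: "REQUEST_LINK_STATUS"}
SECONDARY_FC = {0: "ACK", 1: "NACK", 11: "LINK_STATUS", 15: "NOT_SUPPORTED"}


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC reflected), init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def parse_link_frame(frame: bytes) -> dict:
    """Decode header, control bits, addresses and CRC-protected user data blocks."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("missing DNP3 start bytes or truncated header")
    length, ctrl, dst, src, hdr_crc = struct.unpack("<BBHHH", frame[2:10])
    if crc_dnp(frame[:8]) != hdr_crc:
        raise ValueError("header CRC mismatch")
    if length < 5:
        raise ValueError("LENGTH must cover the control and address bytes")
    prm = bool(ctrl & 0x40)
    fc = ctrl & 0x0F
    info = {"dir": bool(ctrl & 0x80), "prm": prm, "fcb": bool(ctrl & 0x20),
            "fcv_dfc": bool(ctrl & 0x10), "fc": fc,
            "function": (PRIMARY_FC if prm else SECONDARY_FC).get(fc, "reserved"),
            "dst": dst, "src": src}
    # User data follows in blocks of at most 16 bytes, each trailed by its own CRC.
    remaining, pos, user = length - 5, 10, bytearray()
    while remaining:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if len(block) != n or len(frame) < pos + n + 2:
            raise ValueError("frame shorter than LENGTH claims")
        (block_crc,) = struct.unpack("<H", frame[pos + n:pos + n + 2])
        if crc_dnp(block) != block_crc:
            raise ValueError(f"CRC mismatch in data block at offset {pos}")
        user += block
        pos += n + 2
        remaining -= n
    if pos != len(frame):
        raise ValueError("trailing bytes after the last CRC block")
    info["user_data"] = bytes(user)
    if user:
        # First user byte is the transport header: FIN, FIR and a 6-bit sequence.
        t = user[0]
        info["transport"] = {"fin": bool(t & 0x80), "fir": bool(t & 0x40), "seq": t & 0x3F}
    return info


def frame_ok(frame: bytes) -> bool:
    """True only for a well-formed frame whose every CRC verifies."""
    try:
        parse_link_frame(frame)
        return True
    except (ValueError, struct.error):
        return False


def build_link_frame(ctrl: int, dst: int, src: int, user_data: bytes) -> bytes:
    """Encode a frame the way a master or outstation would; used for the sample."""
    header = START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dst, src)
    out = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", crc_dnp(block))
    return out


# Constructed sample: a master's class 1 poll. Control 0xC4 = DIR=1, PRM=1,
# FC=4 (UNCONFIRMED_USER_DATA); user data = transport 0xC0 (FIR|FIN, seq 0),
# application control 0xC0, function 0x01 READ, object group 60 var 2, qualifier 0x06.
SAMPLE_POLL = build_link_frame(0xC4, dst=10, src=1, user_data=bytes.fromhex("c0c0013c0206"))

if __name__ == "__main__":
    print(parse_link_frame(SAMPLE_POLL))
```

The CRC is verified on the header and on every data block because a frame that fails it is either corrupted or not DNP3 at all; that strictness is what lets the same parser act as a passive classifier. The regularity the page describes is visible in the decoded output: a master polling at a fixed interval produces the same control byte, addresses and object header every time.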

MQTT

Libraries:

  • paho-mqtt – Topic parsing, client ID formats, message structures

Emulators / brokers:

  • mosquitto (offline broker) – For testing topic structures extracted from firmware or mobile apps

Topics, client IDs, and default brokers are often hard-coded and reused across product lines.

UPnP / SSDP

Libraries:

  • miniupnpc

  • scapy SSDP support

Emulators:

  • Simple SSDP responder scripts (Python)

UPnP device descriptions and service UUIDs are among the most reliable static fingerprints in consumer devices.

TLS / Certificates

Libraries:

  • cryptography (Python)

  • pyOpenSSL

Tools:

  • openssl

  • step-cli (for inspection, not generation)

Embedded devices routinely ship with:

  • reused private keys

  • predictable serial numbers

  • vendor-specific certificate templates

These are gold for passive identification. The libraries and simulators listed in this section exist so that firmware artefacts can be understood, classified, and handed to the Fingerprint Forge as static identifiers.
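Added example, not code from Anvil or from the cryptography or pyOpenSSL libraries: it walks DER directly so it needs nothing beyond the standard library, computes the SubjectPublicKeyInfo SHA-256 of each certificate to find a key shared across devices, and applies a deliberately simple consecutive-serial heuristic. The three certificates are constructed inline with placeholder key bytes and an empty signature field, so they parse as X.509 but say nothing about any real vendor.

```python
"""Spot shared keys and predictable serials across a fleet's device certificates.

Added example for this page, not code from Anvil, cryptography or pyOpenSSL.
The DER walker handles only definite lengths, which is all X.509 uses. The
sample certificates are constructed with placeholder key bits and an empty
signature: structurally valid X.509, not real credentials.
"""
import hashlib

OID_COMMON_NAME = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_children(data: bytes):
    """Yield (tag, body) for each TLV packed in data."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                       # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + ln]
        i += ln

def name_cn(name_body: bytes):
    """CN from a Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in der_children(name_body):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return None

def cert_identity(der: bytes) -> dict:
    """Serial, issuer/subject CN and SPKI SHA-256 (the RFC 7469 pin) of one cert."""
    _, cert_body = next(der_children(der))
    _, tbs = next(der_children(cert_body))
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields.pop(0)
    # TBSCertificate order: serial, signature, issuer, validity, subject, spki
    return {"serial": int.from_bytes(fields[0][1], "big", signed=True),
            "issuer_cn": name_cn(fields[2][1]), "subject_cn": name_cn(fields[4][1]),
            "spki_sha256": hashlib.sha256(tlv(*fields[5])).hexdigest()}

def find_key_reuse(certs) -> dict:
    """SPKI hashes seen on more than one certificate, with the subjects sharing them."""
    by_key = {}
    for ident in map(cert_identity, certs):
        by_key.setdefault(ident["spki_sha256"], []).append(ident["subject_cn"])
    return {k: v for k, v in by_key.items() if len(v) > 1}

def serials_sequential(certs) -> bool:
    """Weak heuristic for factory-assigned serials: consecutive integers across the fleet."""
    serials = sorted(cert_identity(c)["serial"] for c in certs)
    return len(serials) > 1 and all(b - a == 1 for a, b in zip(serials, serials[1:]))

def _name(cn: str) -> bytes:
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_COMMON_NAME) + tlv(0x0C, cn.encode()))))

def make_cert(serial: int, issuer: str, subject: str, key_seed: bytes) -> bytes:
    """Constructed sample: structurally valid, unsigned X.509 v3 certificate."""
    rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    # Placeholder key bits derived from key_seed stand in for a real RSAPublicKey.
    spki = tlv(0x30, rsa + tlv(0x03, b"\x00" + hashlib.sha256(key_seed).digest()))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    serial_der = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + serial_der + sha256_rsa
              + _name(issuer) + validity + _name(subject) + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" * 9))

# Constructed fleet: two PLCs flashed from one image share a key; serials run consecutively.
SAMPLE_CERTS = [
    make_cert(1001, "Acme Device CA", "plc-0001", b"shared-key-A"),
    make_cert(1002, "Acme Device CA", "plc-0002", b"shared-key-A"),
    make_cert(1003, "Acme Device CA", "gateway-7", b"unique-key-B"),
]

if __name__ == "__main__":
    print(find_key_reuse(SAMPLE_CERTS), serials_sequential(SAMPLE_CERTS))
```

On real certificates the SPKI hash is the same value an `openssl x509 -pubkey` / `openssl dgst -sha256` pipeline over the DER-encoded public key yields, so a hit here can be cross-checked with the tools above. The serial heuristic is intentionally weak and is meant to be read together with the issuer CN and the validity template, both of which vendor build pipelines also tend to fix.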

If a protocol interaction is required to learn something, it stays inside a VM, simulator, or emulated device and goes absolutely nowhere near the public network.

Sandboxes, simulators, and testbeds

Controlled environments for experimentation without touching real infrastructure. These support protocol interaction, fault injection, and attack simulation.

Operational labs, honeypots, and deception

Tools that model or expose realistic industrial services, often used to observe attacker behaviour or test detection logic.

Traffic captures and empirical data

Realistic protocol traffic is essential for understanding baseline behaviour and deviations.

Analysis, context, and comparative reading

Background material that connects protocols, implementations, and real-world usage patterns.