Articles in category: ICS device security

Summary of PLC communication protocols by vendor

- Panasonic PLC: MEWTOCOL-COM, Modbus
- Mitsubishi PLC: CC-Link (FX1N, FX1NC, FX2N, FX2NC, FX3U, FX3UC); parallel link (FX1S, FX1N, FX1NC, FX2N, FX2NC, FX3U, FX3UC)
- Rockwell PLC: DF1 (supported by all models)
- GE 90-70 / 90-30 PLC: SNP; Ethernet protocol (proprietary, not public)
- Siemens: 3964R, MPI, PPI and the free-port protocol (200)
- Schneider (Modicon): Modbus, Modbus Plus, TCP/IP Ethernet, Unitelway, FIPWAY, FIPIO, AS-I, Interbus-S
- Omron: Host Link
- Mitsubishi: CC-Link, Ethernet communication, 232BD, 485BD
- Panasonic: MEWTOCOL

Reference: http://www.elecfans.com/d/840139.html


All Metasploit modules targeting industrial control systems


| Vendor | System / Component | Default Port | Metasploit |
|---|---|---|---|
| Advantech WebAccess | Advantech WebAccess SQL Injection | 80 | auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli |
| General Electric | GE Proficy Cimplicity WebView substitute.bcl Directory Traversal | 80 | auxiliary/admin/scada/ge_proficy_substitute_traversal |
| Schneider | Schneider Modicon Remote START/STOP Command | 502 | auxiliary/admin/scada/modicon_command |
| Schneider | Schneider Modicon Quantum Password Recovery | 21 | auxiliary/admin/scada/modicon_password_recovery |
| Schneider | Schneider Modicon Ladder Logic Upload/Download | 502 | auxiliary/admin/scada/modicon_stux_transfer |
| Allen-Bradley/Rockwell | Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands | 44818 | auxiliary/admin/scada/multi_cip_command |
| PhoenixContact PLC | PhoenixContact PLC Remote START/STOP Command | 1962 | auxiliary/admin/scada/phoenix_command |
| Beckhoff | TwinCat | 48899 | auxiliary/dos/scada/beckhoff_twincat |
| General Electric | D20 PLC | 2 | auxiliary/gather/d20pass |
| General Electric | D20 PLC | 69 | auxiliary/dos/scada/d20_tftp_overflow |
| 7-Technologies | 7-Technologies IGSS 9 IGSSdataServer.exe DoS | 12401 | auxiliary/dos/scada/igss9_dataserver |
| Digi ADDP | Digi ADDP Remote Reboot Initiator | 2362 | auxiliary/scanner/scada/digi_addp_reboot |
| Digi ADDP | Digi ADDP Information Discovery | 2362 | auxiliary/scanner/scada/digi_addp_version |
| Digi International | Advance device Discovery Protocol | 771 | auxiliary/scanner/scada/digi_realport_serialport_scan |
| Digi International | Advance device Discovery Protocol | 771 | auxiliary/scanner/scada/digi_realport_version |
| Indusoft | InduSoft Web Studio Arbitrary Upload Remote Code Execution | 4322 | exploit/windows/scada/indusoft_webstudio_exec |
| Indusoft | Indusoft WebStudio NTWebServer Remote File Access | 80 | auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess |
| Digital Bond | Koyo DirectLogic PLC Password Brute Force Utility | 28784 | auxiliary/scanner/scada/koyo_login |
| EsMnemon | Modbus Client Utility | 502 | auxiliary/scanner/scada/modbus_findunitid |
| EsMnemon and Arnaud Soullie | Modbus Client Utility | 502 | auxiliary/scanner/scada/modbusclient |
| EsMnemon | Modbus Client Utility | 502 | auxiliary/scanner/scada/modbusdetect |
| Siemens Profinet | Siemens Profinet Scanner | | auxiliary/scanner/scada/profinet_siemens |
| Sielco Sistemi | Winlog Remote File Access | 46824 | auxiliary/scanner/scada/sielco_winlog_fileaccess |
| KeyHelp | KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability | 80 | exploit/windows/browser/keyhelp_launchtripane_exec |
| TeeChart Professional | TeeChart Professional ActiveX Control Trusted Integer Dereference | 8080 | exploit/windows/browser/teechart_pro |
| KingScada | KingScada kxClientDownload.ocx ActiveX Remote Code Execution | 8080 | exploit/windows/browser/wellintech_kingscada_kxclientdownload |
| BACnet | OPC Client | | exploit/windows/fileformat/bacnet_csv |
| ScadaTec | ModbusTag Server ScadaPhone | | exploit/windows/fileformat/scadaphone_zip |
| ABB MicroSCADA | ABB MicroSCADA wserver.exe Remote Code Execution | 12221 | exploit/windows/scada/abb_wserver_exec |
| Schneider Electric | CitectSCADA | 20222 | exploit/windows/scada/citect_scada_odbc |
| 3S | SCADA 3S CoDeSys Gateway Server Directory Traversal | 1211 | exploit/windows/scada/codesys_gateway_server_traversal |
| 3S | SCADA 3S CoDeSys CmpWebServer Stack Buffer Overflow | 8080 | exploit/windows/scada/codesys_web_server |
| AzeoTech | DAQ Factory | 20034 | exploit/windows/scada/daq_factory_bof |
| Siemens Technomati | Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow | 7580 | exploit/windows/scada/factorylink_csservice |
| Siemens Technomati | Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow | 7579 | exploit/windows/scada/factorylink_vrn_09 |
| General Electric | GE Proficy CIMPLICITY gefebt.exe Remote Code Execution | 80 | exploit/windows/scada/ge_proficy_cimplicity_gefebt |
| Iconics | Iconics GENESIS32 Integer Overflow Version 9.21.201.01 | 38080 | exploit/windows/scada/iconics_genbroker |
| Iconics | ICONICS WebHMI ActiveX Buffer Overflow | | exploit/windows/scada/iconics_webhmi_setactivexguid |
| 7-Technologies | IGSS | 12401 | exploit/windows/scada/igss9_igssdataserver_listall |
| 7-Technologies | IGSS | 12401 | exploit/windows/scada/igss9_igssdataserver_rename |
| 7-Technologies | IGSS | | exploit/windows/scada/igss9_misc |
| 7-Technologies | IGSS | 12397 | exploit/windows/scada/igss_exec_17 |
| MOXA | MOXA Device Manager Tool 2.1 Buffer Overflow | | exploit/windows/scada/moxa_mdmtool |
| Procyon | Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow | 23 | exploit/windows/scada/procyon_core_server |
| DATAC RealWin | DATAC RealWin SCADA Server Buffer Overflow | 910 | exploit/windows/scada/realwin |
| DATAC RealWin | DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow | 910 | exploit/windows/scada/realwin_on_fc_binfile_a |
| DATAC RealWin | RealWin SCADA Server DATAC Login Buffer Overflow | 910 | exploit/windows/scada/realwin_on_fcs_login |
| DATAC RealWin | DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow | 912 | exploit/windows/scada/realwin_scpc_initialize |
| DATAC RealWin | DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow | 912 | exploit/windows/scada/realwin_scpc_initialize_rf |
| DATAC RealWin | DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow | 912 | exploit/windows/scada/realwin_scpc_txtevent |
| Measuresoft ScadaPro | Measuresoft ScadaPro Remote Command Execution | 11234 | exploit/windows/scada/scadapro_cmdexe |
| Sunway Forcecontrol | Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57 | 2001 | exploit/windows/scada/sunway_force_control_netdbsrv |
| Sielco Sistemi | Sielco Sistemi Winlog Buffer Overflow | 46823 | exploit/windows/scada/winlog_runtime |
| Sielco Sistemi | Sielco Sistemi Winlog Buffer Overflow 2.07.14 - 2.07.16 | 46824 | exploit/windows/scada/winlog_runtime_2 |
| Yokogawa | Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow | 20111 | exploit/windows/scada/yokogawa_bkbcopyd_bof |
| Yokogawa | Yokogawa CS3000 BKESimmgr.exe Buffer Overflow | 34205 | exploit/windows/scada/yokogawa_bkesimmgr_bof |
| Yokogawa | Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow | 20010 | exploit/windows/scada/yokogawa_bkfsim_vhfd |
| Yokogawa | Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow | 20171 | exploit/windows/scada/yokogawa_bkhodeq_bof |
| Yokogawa | Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow | 52302 | auxiliary/dos/scada/yokogawa_logsvr |
| Yokogawa | Yokogawa BKBCopyD.exe Client | 20111 | auxiliary/admin/scada/yokogawa_bkbcopyd_client |



Using smod


https://github.com/qq1209759648/smod-1

# smod

smod is a modular framework with the diagnostic and offensive functions needed for penetration testing of the Modbus protocol. It is a complete Modbus protocol implementation built on Python and Scapy. The software runs on Linux / OSX under Python 2.7.x.

Feel free to open a request whenever you think we could do better.

In recent years, SCADA (process control network) based systems have gradually moved from proprietary closed networks to open-source solutions and TCP/IP-enabled networks. This exposes them to the same security vulnerabilities that traditional computer networks face.

The Modbus/TCP protocol is used as the reference protocol to show the effectiveness of the testbed for network attacks on power-system protocols. Modbus/TCP was chosen for the following reasons:

  • Modbus is still widely used in power systems.

  • Modbus/TCP is simple and easy to implement.

  • Utilities can use Modbus protocol libraries free of charge to implement smart-grid applications.

You can use this tool to perform a vulnerability assessment of the Modbus protocol.

## Demo

Just a demo showing the basics.

```text
root@kali:~/smod# python smod.py
 _______ < SMOD >
 -------
        \   ^__^
         \  (xx)\_______
            (__)\       )\/\
             U  ||----w |
                ||     ||
          --=[MODBUS Penetration Test FrameWork
       --+--=[Version : 1.0.2
       --+--=[Modules : 14
       --+--=[Coder   : Farzin Enddo
          --=[github  : www.github.com/enddo

SMOD >help
 Command  Description
 -------  -----------
 back     Move back from the current context
 exit     Exit the console
 exploit  Run module
 help     Help menu
 show     Displays modules of a given type, or all modules
 set      Sets a variable to a value
 use      Selects a module by name

SMOD >show modules
 Modules                              Description
 -------                              -----------
 modbus/dos/galilRIO                  DOS Galil RIO-47100
 modbus/dos/writeSingleCoils          DOS With Write Single Coil Function
 modbus/dos/writeSingleRegister       DOS Write Single Register Function
 modbus/function/readCoils            Fuzzing Read Coils Function
 modbus/function/readDiscreteInput    Fuzzing Read Discrete Inputs Function
 modbus/function/readExceptionStatus  Fuzzing Read Exception Status Function
 modbus/function/readHoldingRegister  Fuzzing Read Holding Registers Function
 modbus/function/readInputRegister    Fuzzing Read Input Registers Function
 modbus/function/writeSingleCoils     Fuzzing Write Single Coil Function
 modbus/function/writeSingleRegister  Fuzzing Write Single Register Function
 modbus/scanner/discover              Check Modbus Protocols
 modbus/scanner/getfunc               Enumeration Function on Modbus
 modbus/scanner/uid                   Brute Force UID
 modbus/sniff/arp                     Arp Poisoning

SMOD >
```

Brute-forcing the Modbus UID

```text
SMOD >use modbus/scanner/uid
SMOD modbus(uid) >show options
 Name      Current Setting  Required  Description
 ----      ---------------  --------  -----------
 Function  1                False     Function code, Defualt:Read Coils.
 Output    True             False     The stdout save in output directory
 RHOSTS                     True      The target address range or CIDR identifier
 RPORT     502              False     The port number for modbus protocol
 Threads   1                False     The number of concurrent threads

SMOD modbus(uid) >set RHOSTS 192.168.1.6
SMOD modbus(uid) >exploit
[+] Module Brute Force UID Start
[+] Start Brute Force UID on : 192.168.1.6
[+] UID on 192.168.1.6 is : 10
SMOD modbus(uid) >
```

Enumerating supported Modbus function codes

```text
SMOD >use modbus/scanner/getfunc
SMOD modbus(getfunc) >show options
 Name     Current Setting  Required  Description
 ----     ---------------  --------  -----------
 Output   True             False     The stdout save in output directory
 RHOSTS                    True      The target address range or CIDR identifier
 RPORT    502              False     The port number for modbus protocol
 Threads  1                False     The number of concurrent threads
 UID      None             True      Modbus Slave UID.

SMOD modbus(getfunc) >set RHOSTS 192.168.1.6
SMOD modbus(getfunc) >set UID 10
SMOD modbus(getfunc) >exploit
[+] Module Get Function Start
[+] Looking for supported function codes on 192.168.1.6
[+] Function Code 1(Read Coils) is supported.
[+] Function Code 2(Read Discrete Inputs) is supported.
[+] Function Code 3(Read Multiple Holding Registers) is supported.
[+] Function Code 4(Read Input Registers) is supported.
[+] Function Code 5(Write Single Coil) is supported.
[+] Function Code 6(Write Single Holding Register) is supported.
[+] Function Code 7(Read Exception Status) is supported.
[+] Function Code 8(Diagnostic) is supported.
[+] Function Code 15(Write Multiple Coils) is supported.
[+] Function Code 16(Write Multiple Holding Registers) is supported.
[+] Function Code 17(Report Slave ID) is supported.
[+] Function Code 20(Read File Record) is supported.
[+] Function Code 21(Write File Record) is supported.
[+] Function Code 22(Mask Write Register) is supported.
[+] Function Code 23(Read/Write Multiple Registers) is supported.
SMOD modbus(getfunc) >
```

Fuzzing the Read Coils function

```text
SMOD >use modbus/function/readCoils
SMOD modbus(readCoils) >show options
 Name       Current Setting  Required  Description
 ----       ---------------  --------  -----------
 Output     True             False     The stdout save in output directory
 Quantity   0x0001           True      Registers Values.
 RHOSTS                      True      The target address range or CIDR identifier
 RPORT      502              False     The port number for modbus protocol
 StartAddr  0x0000           True      Start Address.
 Threads    1                False     The number of concurrent threads
 UID        None             True      Modbus Slave UID.

SMOD modbus(readCoils) >set RHOSTS 192.168.1.6
SMOD modbus(readCoils) >set UID 10
SMOD modbus(readCoils) >exploit
[+] Module Read Coils Function Start
[+] Connecting to 192.168.1.6
[+] Response is :
###[ ModbusADU ]###
  transId   = 0x2
  protoId   = 0x0
  len       = 0x4
  unitId    = 0xa
###[ Read Coils Answer ]###
     funcCode  = 0x1
     byteCount = 1L
     coilStatus= [0]
SMOD modbus(readCoils) >
```
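The ADU that smod prints above is a plain Modbus/TCP frame: a 7-byte MBAP header (transId, protoId, len, unitId) followed by the PDU (function code plus data). The example below is added here and is not part of smod or the original post: it decodes such frames from raw bytes, validates the header, and flags state-changing function codes (the write codes from the getfunc listing) that arrive from a host other than the known master. The sample frames, the IP addresses and the `audit` helper are constructed for illustration.

```python
import struct

# Function code names as listed by the getfunc enumeration above.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    7: "Read Exception Status", 8: "Diagnostic", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 17: "Report Slave ID", 20: "Read File Record",
    21: "Write File Record", 22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
# Codes that change PLC state; only known masters should ever send these.
WRITE_CODES = {5, 6, 15, 16, 21, 22, 23}

def parse_adu(frame):
    """Parse one Modbus/TCP ADU (MBAP header + PDU) into a dict, validating the header."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    # The len field counts unitId + PDU, so the whole ADU must be 6 + len bytes.
    if len(frame) != 6 + length:
        raise ValueError("len field %d does not match %d bytes on the wire" % (length, len(frame)))
    func, pdu = frame[7], frame[8:]
    adu = {"transId": trans_id, "unitId": unit_id, "funcCode": func & 0x7F,
           "exception": bool(func & 0x80), "data": pdu}      # bit 7 set = exception response
    adu["name"] = FUNCTION_NAMES.get(adu["funcCode"], "Unknown")
    adu["write"] = adu["funcCode"] in WRITE_CODES
    if adu["funcCode"] in (1, 2) and not adu["exception"] and pdu:
        # Read Coils / Discrete Inputs answer: byteCount, then status bytes (8 coils each, LSB first).
        adu["coilStatus"] = list(pdu[1:1 + pdu[0]])
    return adu

def audit(frames, allowed_masters):
    """frames: iterable of (source_ip, adu_bytes). Returns alert strings for malformed
    frames and for write requests from hosts not in allowed_masters."""
    alerts = []
    for src, raw in frames:
        try:
            adu = parse_adu(raw)
        except ValueError as exc:
            alerts.append("%s: malformed ADU (%s)" % (src, exc))
            continue
        if adu["write"] and src not in allowed_masters:
            alerts.append("%s: %s (FC %d) to unit %d from unknown master"
                          % (src, adu["name"], adu["funcCode"], adu["unitId"]))
    return alerts

# Constructed samples: the Read Coils answer shown above (transId 2, unit 0xa, one status
# byte of 0) and a Write Single Coil request (FC 5, address 0, value 0xFF00) to the same unit.
READ_COILS_ANSWER = bytes.fromhex("00020000" "0004" "0a" "01" "01" "00")
WRITE_COIL_REQUEST = bytes.fromhex("00030000" "0006" "0a" "05" "0000" "ff00")
```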



Notes on dangerous IoT/ICS protocol vulnerabilities

1. Modbus protocol, port 502

    a. Direct read/write. Libraries: pymodbus and rmodbus; pentester client: modbus-cli

    cmd: modbus read IP %M100 5  # reads the status of the first five coils/registers

    Simulate with an emulator

    b. Man-in-the-middle attack

        tools: Modbus VCR, Ettercap  # records Modbus traffic and replays it

    c. Schneider CPU stop attack

    msf module: search for modicon_command

2. EtherNet/IP protocol, ports 44818/2222

   a. Information gathering

   b. Authentication-request attack

   c. Man-in-the-middle attack, example

   d. CPU stop attack

        msf module: multi_cip_command   # stops the CPU, crashes the Ethernet card, etc.

3. DNP3 (Distributed Network Protocol), port 20000; the control centre is the SCADA master station

   a. Fuzzing attacks: Achilles test platform, the Peach Fuzzer fuzzing tool, fuzzing frameworks

   b. Protocol identification attack: dnp3-info.nse

4. Siemens S7 communication protocol

    a. CPU stop attack, S7 300/400/1200: exp1, exp2

    b. Protocol identification attack; tools: Plcscan / S7-info.nse; test against the Conpot integrated honeypot!!

    c. Password brute-force attack: s7_1200_brute_offline.py

 nmap scripts:

    Information-gathering scripts:

        modicon-info.nse (communicates with the device over Modbus using function codes 43 and 90)

        ethernetip.py (EtherNet/IP script)

        dnp3-info.nse (DNP3 information probing script)

        S7-info.nse (Siemens S7 information probing script)



IoT / industrial control system security notes

Footprinting:

    Reconnaissance: 1. https://github.com/leebaird/discover

                    2. Maltego

Tools:

1. arping: http://github.com/ThomasHabets/arping or github.com/iputils/iputils   Recommended rating ☆☆☆☆☆

2. arp-scan, brief introduction: http://www.blackmoreops.com/2015/12/31/use-arp-scan-to-find-hidden-devices-in-your-network

These two are used to check whether an active host or device exists at a given IP address.

3. p0f, fingerprints what type of host or device is present: http://lcamtuf.coredump.cx/p0f3   Recommended rating ☆☆☆☆☆

4. GRASSMARLIN: free and open source; provides snapshots, metadata, etc. of industrial control systems.

https://github.com/iadgov/GRASSMARLIN

https://github.com/iadgov/GRASSMARLIN/releases/latest


Literature and vulnerability lookup

Vulnerability mapping:

https://nvd.nist.gov

https://cve.mitre.org

https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03

http://www.securityfocus.com/

https://exploit-db.com

Threat intelligence platforms:

ICS-CERT: https://ics-cert.us-cert.gov (US Department of Homeland Security)

http://www.critical-intelligence.com

https://www.infragard.org  # not necessarily open for searching; strict vetting

https://www.scadahacker.com

https://www.recordedfuture.com/ics-scada

https://www.cylance.com

http://redtigersecurity.com

https://www.kenexis.com

https://www.loftyperch.com

https://www.langner.com

https://www.dragossecurity.com

http://cyberx-labs.com

http://www.redtridentinc.com

Configuration review tools:

Nipper / Nessus / Nexpose

http://www.digitalbond.com/tools/bandolier

https://www.tenable.com/plugins/index.php?view=all&family=SCADA

Tool that helps identify vulnerabilities in ICS device configurations and firmware: Indegy