Siemens PLCs are widely used in industrial control systems. This article uses an S7-1200 PLC with firmware V3.0.2 and the TIA13 environment to carry out a preliminary analysis of the S7comm-plus encryption protocol and of its anti-replay mechanism.
II. Siemens PLC introduction
Siemens controllers include the S7-200, S7-300, S7-400, S7-1200 and S7-1500 series of PLCs.
The S7-200, S7-300 and S7-400 series PLCs communicate with the early proprietary Siemens protocol S7comm. S7-1200/1500 series PLCs with firmware versions below V3.0 use Siemens' newer S7comm-Plus protocol, which uses its own special encoding conventions. S7-1200/1500 firmware versions above V3.0 adopt the latest revision of S7comm-Plus, which introduces a session ID to prevent replay attacks.
The available models of the S7 PLC series and their corresponding firmware versions are listed in the figure below.
III. Protocol analysis
3.1 Protocol structure
The S7Comm-plus Ethernet protocol maps onto the OSI model as follows:
From packet capture analysis and the Wireshark dissector source code, the frame structure of the S7Comm-plus protocol consists roughly of a header, a data field and a trailer. The header and trailer are fixed, while the data field differs greatly in structure and content from frame to frame. The frame structure diagram is as follows:
3.2 Header and trailer analysis
The Header and Trailer have the same composition, consisting of the protocol number, the PDU type and the data length. Their structure is shown in the figure below:
The header and trailer share one layout: Protocol id is one byte, PDU type is one byte and Length is two bytes. The PDU type defines the type of the frame.
3.3 Data field analysis
The Data field is the most complex and most varied area of the frame structure. Through analysis, the Data field can be divided into three parts: the Integrity part, D_header and Data. The specific structure is shown in the figure below:
When the PDU type is 0x01 or 0x02, the packet has no 32-bit Integrity part; when the PDU type is 0x03, a 32-bit Integrity part is present. The data header contains two reserved fields and one unknown field whose values differ between frames. From the Wireshark capture data, the value distribution is as follows:
The structure, content and format of the Data part depend on the PDU type and the opcode. The Data part has many variants and is considerably more complicated; for a detailed analysis, read the Wireshark s7comm-plus dissector code.
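As an added example (not code from the article), the following Python parser implements the fixed header/trailer layout and the Integrity-part rule described above, and adds a defender-side check that flags the CPU stop/start ValueList values given in Section 4.2 so that a network monitor can alert on unexpected CPU state changes. The protocol id 0x72 is taken from the Wireshark dissector rather than from the article, the assumption that the ValueList value appears as contiguous bytes is mine, and the sample frame is constructed.

```python
import struct

# Protocol id of S7comm-plus as used by the Wireshark dissector (assumption: the article does not state it)
S7COMMP_PROTOCOL_ID = 0x72
# Per the article: PDU types 0x01/0x02 carry no Integrity part, PDU type 0x03 carries a 32-bit one
PDU_TYPES_WITH_INTEGRITY = {0x03}
# ValueList values from the article, assumed here to appear as contiguous bytes in the Data part
CPU_COMMANDS = {bytes.fromhex("00000034019077000801"): "STOP CPU",
                bytes.fromhex("00000034019077000803"): "START CPU"}

def parse_fixed_part(raw: bytes) -> dict:
    """Header and Trailer share one layout: protocol id (1 byte), PDU type (1 byte), length (2 bytes)."""
    proto, pdu_type, length = struct.unpack(">BBH", raw[:4])
    return {"protocol_id": proto, "pdu_type": pdu_type, "length": length}

def parse_frame(frame: bytes) -> dict:
    """Split a frame into header, Integrity part, D_header+Data and trailer, validating the fixed parts."""
    if len(frame) < 8:
        raise ValueError("frame shorter than header + trailer")
    header, trailer = parse_fixed_part(frame[:4]), parse_fixed_part(frame[-4:])
    if header["protocol_id"] != S7COMMP_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id 0x{header['protocol_id']:02x}")
    if header != trailer:
        raise ValueError("header and trailer differ")  # the article: head and tail are identical
    data_field = frame[4:-4]
    if header["length"] != len(data_field):
        raise ValueError(f"length field {header['length']} != data field size {len(data_field)}")
    integrity = data_field[:4] if header["pdu_type"] in PDU_TYPES_WITH_INTEGRITY else b""
    body = data_field[len(integrity):]  # D_header + Data; their internal layout is not parsed here
    # Defender-side check: report CPU start/stop commands so a monitor can alert on unexpected ones
    command = next((name for pat, name in CPU_COMMANDS.items() if pat in body), None)
    return {"pdu_type": header["pdu_type"], "integrity": integrity, "body": body, "cpu_command": command}

def build_frame(pdu_type: int, data_field: bytes) -> bytes:
    """Constructed test input only: wrap a data field in the fixed header/trailer described in the article."""
    fixed = struct.pack(">BBH", S7COMMP_PROTOCOL_ID, pdu_type, len(data_field))
    return fixed + data_field + fixed

if __name__ == "__main__":
    # Constructed frame: zeroed Integrity part, a placeholder D_header, then the Stop CPU value
    sample = build_frame(0x03, bytes(4) + b"\x31\x00" + bytes.fromhex("00000034019077000801"))
    print(parse_frame(sample))
```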
IV. Anti-replay attack analysis
4.1 Environment setup
(1) PC1 (192.168.10.101): TIA13 is installed on this host, which is used to connect to the S7-1200 PLC, to start and stop the PLC CPU, and mainly for packet capture analysis. In the TIA13 (Botu) software, add the correct PLC device and configure the PLC network address so that the connection succeeds, as shown below:
(2) PLC (192.168.10.53): 6ES7 214-1AG31-0xB0, firmware V3.0.2, as shown below:
(3) PC2 (192.168.10.100): this host is used for the replay attack experiment.
4.2 Packet capture analysis
(1) In offline mode, click the Stop and Start buttons in the TIA13 software and capture the packets for analysis.
The PLC returns a session id, and every subsequent request carries that session id to prevent replay attacks.
Both the Stop CPU and Start CPU packets are 121 bytes long, and the operation-success response packet is 84 bytes.
Information leakage: the response also returns device information. I don't know why it is designed this way.
(2) Session id calculation: s7comm_plus + 0x80, i.e. the 24th byte of the s7comm_plus packet plus 0x80, as shown in the following figure:
(3) Stop CPU instruction analysis: the relevant fields are AddressList and ValueList. The value is 00000034019077000801; if it is changed to 00000034019077000803, the packet becomes the Start CPU instruction.
V. Implementing the replay attack
From the analysis above, as long as the session id is obtained and included in every request to the PLC, the S7comm-plus anti-replay mechanism can be bypassed. The following verification code was written, and packet capture was used to observe the result:
Running the code, the replay attack succeeds: on Stop, the PLC's RUN/STOP light turns yellow; on Start CPU, it turns green, as shown below:
The analysis of replay attack packet capture is as follows:
Two problems were found during the experiment. First, once the COTP connection is established, the first S7comm-plus CreateObject packet sent returns information about the PLC, leaking the CPU model and firmware version; an attacker can use this information for further attacks. Second, when the TIA13 software is connected online to the PLC, the start/stop script fails, presumably because the PLC allows only one engineering station client to connect at a time.