Series of articles：
In the previous article, we briefly introduced several industrial control attack methods. Among them, the industrial control SOCKET proxy is the process of using industrial control equipment as a proxy server to penetrate the intranet. For details, please refer to “How much do you know about typical attack methods in industrial control?” “. So today we will introduce the specific use of the industrial control penetration framework ISF. A follow-up article will introduce the specific practical operation of the SOCKET proxy module in the ISF in industrial control attacks.
Statement: The ISF framework is a set of industrial control penetration framework based on my self-developed open source framework. It is only used for industrial control safety teaching and safety research of the company’s experiment box products.
The framework is mainly developed in Python language, and a framework suitable for industrial control vulnerability exploitation is developed by integrating the Fuzzbunch attack framework of the NSA tool released by ShadowBroker. Since the Fuzzbunch attack framework is only applicable to Python2.6, many core functions are encapsulated into DLLs, which are called through functions, which is not convenient for later porting and use. However, the command line of Fuzzbunch is indeed very convenient to use, so there is now this framework suitable for industrial control vulnerability exploitation, named isf.
|Environmental description||Software name/version|
|operating system||Centos8 x64|
Note: If you want to install on the windows platform, in addition to the other two dependencies: pypiwin32, dnet==1.12, there is no difference between the use of the windows platform and the linux platform.
Command line start:
The installation mentioned here is actually the installation and configuration of the environment required by the tool. When the running environment is configured, you only need to download the tool from the website [https://github.com/w3h/isf] and then in the project directory Just run python2 isf.py. As shown in the figure below, the installation is successful
The framework can be operated not only through the command line, but also through the WEB mode. The operation through the WEB mode can achieve the effect of deploying only one environment and multiple people at the same time, and other people do not need to install and configure , You only need to have a set of industrial control agent framework through the browser.
There are two types of WEB startup, one is to deploy through docker container, and the other is to run directly on the host. The two methods are essentially the same, but the running host is different.
If you don’t understand docker, please look down at the host deployment chapter
mkdir -p /root/isfdocker cd /root/isfdocker wget https://github.com/w3h/isf/raw/master/docker/Dockerfile docker build -t isf:v1 . # Build a isf:v1 docker container and install related dependencies using Dockerfile docker run --net=host isf:v1 butterfly.server.py --host='0.0.0.0' –unsecure #or The new version of docker uses the following command docker run --network=host isf:v1 butterfly.server.py --host='0.0.0.0' –unsecure
After running the above command, enter http://192.168.223.129:57575 in the browser (replace ip here with your own) and enter the default password: 123456 to log in, as shown in the following figure:
If you deploy through the docker method above, you only need to execute the command, and all the required dependencies will be installed through the Dockerfile. If you want to use the WEB console directly on the host to access, you need to install butterfly dependencies, command pip2 instll butterfly, after installation, through butterfly.server.py –host=”0.0.0.0″ –port = “55555” Start the WEB console. Then it is accessed through a browser in the same way as docker.
–host=”0.0.0.0″ is enabled on all network cards
–port=”55555″ Access through port 55555 (default is 57575)
Regardless of whether it is the docker method or the host method, as long as it can run normally, the use will be exactly the same as the “command line startup” method in the above chapter. After the introduction of various installation methods, let’s take a look at the specific functions of isf and how to use it.
Although the tool is not big, it has a lot of functions, so one chapter cannot fully grasp all its functions, we decided to divide the use of the tool into multiple chapters to explain.
First of all, use the help command to see what are the functions of isf:
It is so versatile! Don’t worry, through the following chapters, we will explain the purpose of each command one by one.
Today we will use an example to demonstrate the simple usage of this framework and its practical role in the industrial control system.
You can view the available modules by adding the tab key to use. The current version has 9 functional modules. If you are an expert in industrial control security, you can also enrich the attack points of the framework by adding various exp to the framework.
Let’s test it through plcscan first
After entering use plcscan, it prompts us whether to set the variable, choose yes, because we have not set the value of targetIp, how does it know which target to scan? So after pressing Enter, we are prompted to enter target Ip.
Here we take the industrial control experiment box developed by ourselves as the attack target, and scan the relevant information of the target system in the experiment box. The following picture is a schematic diagram of the industrial control experiment box:
Enter the target system IP address (192.168.1.100), as shown in the figure below:
Because our tool only integrates Siemens and modbus devices, so it requires you to select the brand of the target device, here we choose 0, that is, directly press enter.
You will need to set the port number of the target system later. Siemens defaults to 102. Just press Enter here. There are a few more parameters in the back, presumably many people don’t know what these parameters are. Don’t worry about it for now. Later, as you understand the industrial control system, you will know the meaning of each parameter. Here we choose all the defaults. .
When the last press enter is typed, the system will list all the parameters you just input, if there is no error, press Enter to start scanning.
After the scan result, the system will return the detailed information of the target device, or fail.
Here we have successfully identified the detailed information of the target system, such as the brand is Siemens, the model is S7-200, etc. Speaking of this, some people may ask, what can be done after identifying the information of the target system? After knowing the brand, model and other information of the target system, you can use open or undisclosed vulnerabilities to attack.
Today I just took you to know the installation and simple use of this tool. Please refer to the follow-up article for more usage methods.