Industrial control penetration framework ISF: PLC password detection


Series of articles:

How much do you know about typical attack methods in industrial control?

Industrial control experiment box: industrial control safety demonstration and protection suggestions

Industrial Control Penetration Framework ISF: Information Collection

Industrial control penetration framework ISF: Siemens S7-300PLC cracking and protection ideas

 

1:Introduction

In the previous article “Information Collection”, we covered how to use the ISF framework to discover industrial control equipment. A natural follow-up question is what can be done once a device has been found. There are many answers: Is the device password protected? If it is, can the password be cracked? What can be done after cracking it? To learn industrial control attack and defense step by step, we first need some background on industrial control. This article covers the basics related to brute forcing, in preparation for the brute-force articles that follow.

First, to make industrial machines relatively “smart”, a device is needed to control them, and that device should be general-purpose and reusable. This is the PLC: a general-purpose logic controller that can be reprogrammed repeatedly. People write programs and download them to the PLC, and the PLC runs these programs to achieve the “intelligent” control effect.

Once you know what a PLC does, the usual problem appears: anything useful raises security issues. Since the PLC can be programmed to control equipment, people with ulterior motives will want to control it too, so the PLC has a protection mechanism. It is the same one we use everywhere else: setting a password.

With this background in place, let us look at how the PLC password is set and how the PLC is protected once it is set. As before, we use the industrial control experiment box to demonstrate; the physical layout of the experiment box is as follows:

Note: The functions and connections of each device in the experiment box are not introduced here. If you are not familiar with them, read the earlier articles in the series.

Connect PLC

After the experiment box is powered on, connect the computer to it with a network cable. You can then use “STEP 7-MicroWIN SMART” to configure the PLC, download the programming software, and write programs. (Different manufacturers and PLC models require different control software; our PLC model is SMART200.)

Click “PLC” - “Find CPU” to scan for a PLC device. (Why does it scan for a CPU rather than a PLC? Please look that up yourself.)

After the scan identifies the PLC, click “OK” and the software connects to the PLC. The current interface is the PLC programming interface.

 

Password configuration

Double-click “CPU ST20” to open the “System Block” settings page. On the “Security” tab you can set the password under the password options. Password protection is divided into 4 levels. The default password level of the S7-200 SMART CPU is “Full authority” (level 1):

Full authority (level 1): Provides unlimited access to all functions of the CPU.

Read permission (level 2): Users can read and write CPU data and upload programs without restrictions. A password is required to download programs, force memory locations, or program memory cards.

Lowest authority (level 3): Users can read and write CPU data and upload programs without restriction. A password is required for uploading or downloading programs, forcing memory locations, or programming memory cards.

Upload is not allowed (level 4): This level of password protection will prevent the program from uploading (even if the correct password is entered). This option does not allow comparison of items. The protection mode of other CPU functions is the same as that of the lowest authority password.

Knowing how PLC password protection works, we pick a password level (read-only here). After setting the password, download the program to the PLC; when you then download the program again, you must enter the password (as described above, the read-only level requires a password for downloads). The result is shown in the following figure:

PLC password protection detection

Without further ado, look at the picture:

Simple, isn’t it? To verify the other password protection levels, change the PLC password protection level using the steps above and check again with the s7_200_password_check module in ISF. Speaking of this module: the ISF project cloned from GitHub in the previous article has no s7_200_password_check module. So where does it come from?

ISF module added

The ISF project on GitHub does not include the module discussed today. This is exactly why we developed the framework: it is an attack framework to which you can add functional modules based on your own PLC research. Once all attack modules are integrated into the framework, we have a powerful industrial control attack tool.

Next, using the case above, we explain how to add a PLC password detection module to ISF. Let’s go!

First, create two files in the ISF module directory (example: /home/one/soft/isf/module/exploits/Siemens). The names are arbitrary (example: s7_200_password_check.py, s7_200_password_check.xml).

xml file

<?xml version="1.0"?>
<t:config id="7f1a1992802517842c14ddfd1a2e3a6b"
          name="s7_200_password_check"
          version="1.1.0"
          configversion="1.1.0.0"
          author="one"
          xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
          xmlns:t='tc0'>
    <t:inputparameters>
        <t:parameter name="TargetIp" description="The Target ip address " type="IPv4"/>
        <t:parameter name="TargetPort" description="The Target Port" type="U16" default="102"/>
    </t:inputparameters>
</t:config>

Code explanation:

id: Can be the MD5 value of the module name, or you can copy my current value and change a few characters as needed.

name: The name of the module as used inside the ISF framework, and also the name of the py file.

TargetIp and TargetPort: The parameters this module needs.

py file

The xml file configures the parameters of the py file and ties it into the ISF framework. The code that actually performs the scan or attack is written in Python. Let’s see how the s7_200_password_check.py module is written.

#encoding:utf-8
# Python 2 syntax (str.decode("hex") does not exist in Python 3).
import socket
import time
from core.exploit import *

class Check_passwd(BaseExploit):
    register_info = {
        'ID': 'ICF-2020-F0010009',
        'Name': 's7-200 inspection',
        'Author': 'one',
        'License': ISF_LICENSE,
        'Create_Date': '2020-06-04',
        'Description': '''Can display password status''',
    }
    register_options = [
        mkopt_rport(102)
    ]

    def exploit(self, *args, **kwargs):
        self.ip = self.TargetIp
        self.default_port = int(self.TargetPort)
        # The check only runs against the default port 102.
        if self.default_port != 102:
            return False
        sock = None
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(5)  # do not hang on a device that never answers
            sock.connect((self.ip, self.default_port))

            # Frame 1: COTP connection request
            pp = "0300001611e00000000100c0010ac1020100c2020101".decode("hex")
            sock.send(pp)
            data = sock.recv(1024)

            # Frame 2: S7 setup communication
            pp = "0300001902f08032010000662100080000f0000001000101e0".decode("hex")
            sock.send(pp)
            data = sock.recv(1024)
            time.sleep(0.1)

            # Frame 3: S7 read request; its response carries the protection level
            pp = "0300001f02f080320100000004000e00000401120a100200020000030005d0".decode("hex")
            sock.send(pp)
            data = sock.recv(1024)

            # The last hex digit of the response is the protection level (1-4).
            data2 = data.encode("hex")
            str_tmp = data2[-1:]
            print(data2)
            if str_tmp == '1':
                print("Full read!")
                return True
            elif str_tmp == '2':
                print("Read only!")
                return False
            elif str_tmp == '3':
                print("Least privilege!")
                return False
            elif str_tmp == '4':
                print("Upload not allowed!")
                return False
            else:
                print("Abnormal state!")
                return False
        except Exception as e:
            print("%s Execution error" % e)
            return False
        finally:
            # Always release the connection, even after an error.
            if sock is not None:
                sock.close()

MainEntry(Check_passwd, __name__)

Code explanation:

import: Three imports (socket, time, and everything from core.exploit).

Check_passwd: A module must be built as a class rather than as functions, and the class must inherit from BaseExploit.

exploit: This method performs the scan or attack after the parameters have been configured in ISF.

pp: Don’t worry about the data sent here; follow-up articles will gradually teach you how to parse the PLC protocol.

str_tmp: After sending the 3 frames over the socket and receiving the responses, the last hex digit of the final response is taken for the decision. At this point it should be clear what the 1, 2, 3, 4 of the four password protection levels above mean.

MainEntry: Passes the parameters received by the ISF framework to the current class, then displays the test results.
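The module decides on the last hex digit of whatever the third recv() returns, so an S7 error reply or a truncated read can be mistaken for a protection level. The following added example (not part of the original article or the ISF project, written for Python 3 so it runs stand-alone) validates the response before trusting that digit. It assumes the reply follows the standard S7comm Ack_Data layout; the function names and both sample frames are constructed for illustration.

```python
import struct

# Level names as listed in the "Password configuration" section.
LEVELS = {1: "Full authority", 2: "Read permission",
          3: "Lowest authority", 4: "Upload is not allowed"}

def naive_level(resp: bytes) -> str:
    """The module's check: last hex digit of whatever came back."""
    return resp.hex()[-1]

def protection_level(resp: bytes) -> int:
    """Return the level only if resp is a successful S7 read response."""
    # TPKT (RFC 1006): version 3, reserved byte, 16-bit total length.
    if len(resp) < 7 or resp[0] != 3:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", resp[2:4])[0] != len(resp):
        raise ValueError("TPKT length mismatch (truncated or merged read)")
    # COTP: length indicator, then PDU type; 0xF0 is a data TPDU.
    if resp[5] != 0xF0:
        raise ValueError("not a COTP data TPDU")
    s7 = resp[5 + resp[4]:]
    # S7 header: 0x32, ROSCTR (3 = Ack_Data), reserved, PDU reference,
    # parameter length, data length, error class, error code.
    if len(s7) < 12 or s7[0] != 0x32 or s7[1] != 3:
        raise ValueError("not an S7 Ack_Data PDU")
    par_len, data_len = struct.unpack(">HH", s7[6:10])
    if s7[10] or s7[11]:
        raise ValueError("S7 error %02x%02x" % (s7[10], s7[11]))
    data = s7[12 + par_len:12 + par_len + data_len]
    # Data item: return code (0xFF = success), transport size, length, value.
    if len(data) < 5 or data[0] != 0xFF:
        raise ValueError("read item was not returned successfully")
    level = data[-1] & 0x0F
    if level not in LEVELS:
        raise ValueError("unexpected level nibble %d" % level)
    return level

# Constructed sample frames (not captured from a device).
OK_RESP = bytes.fromhex(
    "0300001b 02f080 3203 0000 0004 0002 0006 0000 0401 ff04 0010 0002")
ERR_RESP = bytes.fromhex("03000013 02f080 3203 0000 0004 0000 0000 8104")
```

On the constructed error frame the last-digit check reports level 4, while the validating parser rejects the frame because the S7 header carries a non-zero error class.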

Summary

Okay, that’s all for today. Isn’t it simple?

 
