
Siemens S7-1200 PLC Identification Guide and Tool Scripts (ICS Discovery Tools Releases)

Introduction

The S7-1200 is a small, compact, modular PLC in the Siemens SIMATIC S7 series. CPU modules of the S7-1200 series generally have an integrated Ethernet interface; the hardware looks as shown in the figure below. The 1200 supports management over Ethernet and offers a fairly large number of Ethernet services, such as a web server, SNMP and PROFINET. These provide a good basis for device identification and discovery, but they also open more entry points for attackers: according to several vulnerability reports in ICS-CERT and the CVE database, some applications on the S7-1200 have had denial-of-service and similar vulnerabilities. Because of the S7-1200's Ethernet support, it inevitably ends up exposed on the public Internet for one reason or another. On the Internet, such devices can be searched for by keyword and protocol on ISO-TSAP (TCP port 102), the web service (default port 80) and the SNMP service (UDP/161).
(Figure: S7-1200 CPU module hardware)

Service Overview

TCP/102 ISO-TSAP

TCP port 102 on the Siemens S7-1200 is mainly used for device management and data communication. Because of some changes in its features, the 1200 differs from the Siemens S7-300 and S7-400 in its communication protocol: for example, rack and slot (rack and CPU number) default to 0 and 1, so the destination address in the COTP connection packet is different and the communication fails. As a result, previously published tools such as plcscan and Nmap's s7-enumerate.nse can no longer obtain device information. To read the S7-1200's SZL information, the following request packets must be constructed:

  ---
  -- add S7-1200 packet
  -- by Z-0ne   plcscan.org
  -- Based on S7COMM Protocol analysis plugin.
  --
  ---
  -- bin is Nmap's legacy NSE binary library; bin.pack("H", ...) turns a hex string into raw bytes
  local bin = require "bin"
  -- S7-1200 PLC uses Rack 0 Slot 1 (destination TSAP 0x0301 in the COTP connection request)
  local COTP_0x0000 = bin.pack("H","0300001611e00000000100c0010ac1020100c2020301")
  -- Setup communication 0xf0 (negotiates a PDU length of 0x01e0 = 480 bytes)
  local Setup_comm = bin.pack("H","0300001902f080320100000c0000080000f0000001000101e0")
  -- Request SZL functions Read SZL ID=0X0011 (module identification)
  local Req_SZL_0x0011 = bin.pack("H","0300002102f080320700000d00000800080001120411440100ff09000400110000")
  -- response is used to collect the packet responses

NMAP script download: s7-enumerate.nse (adds S7-1200 support on top of the original Digital Bond script, drops some of the original checks, and adds fuzzy identification of other S7 series models; tested successfully against S7-1200 and S7-300)
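To make the three request packets above readable, here is an added decoder (example code written for this page, not part of the NSE script) that walks the TPKT, COTP and S7comm layers of those exact hex strings and derives the rack/slot encoded in the destination TSAP; the field names follow the usual S7comm layering as dissected by tools such as Wireshark.

```python
import struct

# The three request packets exactly as given on the page (hex strings).
COTP_CR = "0300001611e00000000100c0010ac1020100c2020301"
SETUP_COMM = "0300001902f080320100000c0000080000f0000001000101e0"
REQ_SZL = "0300002102f080320700000d00000800080001120411440100ff09000400110000"

ROSCTR = {1: "Job", 2: "Ack", 3: "Ack-Data", 7: "Userdata"}


def decode_cotp_cr(hexpkt):
    """Decode TPKT + COTP Connection Request; derive rack/slot from the destination TSAP."""
    b = bytes.fromhex(hexpkt)
    if b[0] != 0x03 or struct.unpack(">H", b[2:4])[0] != len(b):
        raise ValueError("bad TPKT header")
    hlen, pdu_type = b[4], b[5]
    if pdu_type != 0xE0:
        raise ValueError("not a COTP connection request")
    params, i, end = {}, 11, 5 + hlen      # parameters follow dst-ref, src-ref, class/option
    while i < end:
        code, plen = b[i], b[i + 1]
        params[code] = b[i + 2:i + 2 + plen]
        i += 2 + plen
    dst = params[0xC2]
    return {"tpdu_size": 1 << params[0xC0][0], "src_tsap": params[0xC1].hex(),
            "dst_tsap": dst.hex(), "conn_type": dst[0],
            "rack": dst[1] >> 5, "slot": dst[1] & 0x1F}   # low TSAP byte: rack<<5 | slot


def decode_s7_request(hexpkt):
    """Decode the S7comm header, parameter and data of a Job/Userdata request in a COTP DT TPDU."""
    b = bytes.fromhex(hexpkt)
    if b[5] != 0xF0:
        raise ValueError("not a COTP data TPDU")
    s7 = b[7:]                              # skip 4-byte TPKT and 3-byte COTP DT header
    if s7[0] != 0x32:
        raise ValueError("not S7comm")
    rosctr = s7[1]
    plen, dlen = struct.unpack(">HH", s7[6:10])   # Ack-Data replies carry 2 extra error bytes after this
    param, data = s7[10:10 + plen], s7[10 + plen:10 + plen + dlen]
    out = {"rosctr": ROSCTR.get(rosctr, rosctr), "pdu_ref": s7[4:6].hex(),
           "param": param.hex(), "data": data.hex()}
    if rosctr == 1 and param[0] == 0xF0:                 # function 0xF0: Setup communication
        out["function"] = "Setup communication"
        out["pdu_length"] = struct.unpack(">H", param[6:8])[0]
    elif rosctr == 7 and param[5] == 0x44 and param[6] == 0x01:   # CPU functions, subfunction 1: Read SZL
        out["function"] = "Read SZL"
        out["szl_id"], out["szl_index"] = struct.unpack(">HH", data[4:8])
    return out
```

The same two functions decode captured S7 sessions, which is the first step for a detection rule that flags SZL reads or setup requests from hosts that are not engineering workstations.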
Identifying an S7-1200 (screenshot: s7-enumerate-s71200)
Identifying an S7-300 (screenshot: s7-enumerate-s7300)
Rule-based identification of an unknown S7 device (screenshot: s7-enumerate-s7unkonew)
There is another identification method on TCP port 102, which is strongly discouraged:

  --
  -- Based on TIA Portal software.
  -- bin is Nmap's legacy NSE binary library; bin.pack("H", ...) turns a hex string into raw bytes
  local bin = require "bin"
  -- soft handshake method one (COTP connection request; the destination TSAP is the string "SIMATIC-ROOT-ES")
  local connectpack = bin.pack("H","030000231ee00000000600c1020600c20f53494d415449432d524f4f542d4553c0010a")
  -- soft handshake method two
  -- local connectpack = bin.pack("H","0300001611e00000000800c1020600c2020600c0010a")
  -- send local connection packet (IE NIC and session)
  local gethwinfo = bin.pack("H","030000e502f080720100d631000004ca00000001"..
                                 "00000120360000011d00040000000000a1000000"..
                                 "d3821f0000a38169001515536572766572536573"..
                                 "73696f6e5f31433943333932a3822100152c313a"..
                                 "3a3a362e303a3a5443502f4950202d3e2042726f"..
                                 "6164636f6d204e65744c696e6b2028544d29202e"..
                                 "2e2ea38228001500a38229001500a3822a001516"..
                                 "4846504654385246375052474837595f34313831"..
                                 "3731a3822b000401a3822c001201c9c392a3822d"..
                                 "001500a1000000d3817f0000a381690015155375"..
                                 "62736372697074696f6e436f6e7461696e6572a2"..
                                 "a20000000072010000")

NMAP script download: s71200-enumerate-old.nse (note: scanning the same device with this script several times within a short period will congest the PLC's connections and leave it unresponsive, or cause other unexpected behaviour)

Identifying an S7-1200 (screenshot: s71200-enumerate-1)

SNMP service

The SNMP service of the Siemens S7-1200 is likewise mainly used to monitor the device's status and connections, and can be probed on UDP port 161. The device's sysDescr (system description) carries the detailed model designation, the firmware version and the serial number.
Fingerprint:

sysDescr:.1.3.6.1.2.1.1.1.0
SNMP Output:
Siemens, SIMATIC S7, CPU-1200, 6ES7 212-1HD30-0XB0 SZVA3YUXXXXXX  , 1, V.1.0.1, SZVA3YUXXXXXX

Query example: Shodan

Web service

The web server embedded in the Siemens S7-1200 is mainly used for status monitoring of the device, such as the diagnostic buffer log and the device's operating state. Its web CGI pages use the .mwsl extension, which makes them easy to recognise.
Fingerprint:

GET / HTTP/1.1
HTTP/1.1 302 Object Moved
Content-Type:text/html
Content-Length: 0
Location: /Default.mwsl

Query example: Shodan
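For the SNMP and web fingerprints above, here is an added example (not from the page or its scripts) that turns them into asset-inventory checks: it parses the sysDescr string shown above into order code, firmware and serial fields, and recognises the 302 redirect to /Default.mwsl in a raw HTTP response. The HTTP response is constructed here from the fingerprint the page lists.

```python
import re

# sysDescr string as shown on the page (serial number masked by the page's author).
SAMPLE_SYSDESCR = ("Siemens, SIMATIC S7, CPU-1200, 6ES7 212-1HD30-0XB0 SZVA3YUXXXXXX  , "
                   "1, V.1.0.1, SZVA3YUXXXXXX")
# Constructed HTTP response reproducing the web fingerprint listed on the page.
SAMPLE_HTTP = ("HTTP/1.1 302 Object Moved\r\nContent-Type:text/html\r\n"
               "Content-Length: 0\r\nLocation: /Default.mwsl\r\n\r\n")


def parse_s7_sysdescr(sysdescr):
    """Split a SIMATIC S7 sysDescr into inventory fields; return None if it is not one."""
    fields = [f.strip() for f in sysdescr.split(",")]
    if len(fields) < 7 or fields[0] != "Siemens" or not fields[1].startswith("SIMATIC S7"):
        return None
    m = re.match(r"(6ES7 \S+)\s+(\S+)", fields[3])   # order code (MLFB) followed by the serial
    return {
        "cpu": fields[2],
        "order_code": m.group(1) if m else fields[3],
        "firmware": re.sub(r"^V\.?", "", fields[5]),   # "V.1.0.1" -> "1.0.1"
        "serial": fields[6],
    }


def is_s7_web_redirect(raw_response):
    """True if a raw HTTP response is the 302 -> /Default.mwsl redirect of the S7-1200 web server."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.") or " 302 " not in lines[0]:
        return False
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # tolerates the missing space after the colon
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers.get("location", "").lower().endswith(".mwsl")
```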

PROFINET

The Siemens S7-1200 supports PROFINET. A scanning computer can send a multicast request to the PROFINET devices on the network, and the Siemens devices on the same network will respond on their own.
Tool: Github

About Z-0ne
