
Exploring Siemens S7 PLC Blocks (ICS Discovery Tools Release)

Introduction

In Siemens S7-series PLCs, the functionality a user defines through STEP 7 and TIA Portal exists inside the PLC mainly as distinct blocks. The known block types are listed below with a brief description of each:
Organization blocks (OB): the main program blocks, responsible for calling all FC program blocks
Data blocks (DB): hold user-defined and system-defined variable data
Program blocks (FC): program blocks written by the user
Function blocks (FB): dedicated data blocks written by the user
System functions (SFC): created automatically when certain system functions are called
System function blocks (SFB): created automatically when certain system data functions are called
System data blocks (SDB): generated automatically by the programming software; they mainly store the PLC's hardware configuration and similar information, and the user cannot open or change them directly
The same structure is also visible directly in a project, as in the figure below:
[Figure: S7_Pro, the block view of an S7 project]
A detailed explanation is available here.

Findings from "monitoring"

As early as mid-September, a Siemens PLC protocol emulation server deployed in Hong Kong (based on the SNAP7 Siemens communication library) received a rather unusual series of device-information read requests from a Turkish IP. The captured log is as follows:

2014-09-16 17:06:33 [178.211.45.210] Client added
2014-09-16 17:06:34 [178.211.45.210] The client requires a PDU size of 480 bytes
2014-09-16 17:06:35 [178.211.45.210] Read SZL request, ID:0x0f1c INDEX:0x0000 --> OK
2014-09-16 17:06:35 [178.211.45.210] Read SZL request, ID:0x001c INDEX:0x0000 --> OK
2014-09-16 17:06:36 [178.211.45.210] Client disconnected by peer
2014-09-16 17:06:36 [178.211.45.210] Client added
2014-09-16 17:06:37 [178.211.45.210] The client requires a PDU size of 240 bytes
2014-09-16 17:06:38 [178.211.45.210] Read SZL request, ID:0x0132 INDEX:0x0004 --> OK
2014-09-16 17:06:38 [178.211.45.210] Client disconnected by peer
2014-09-16 17:06:39 [178.211.45.210] Client added
2014-09-16 17:06:39 [178.211.45.210] The client requires a PDU size of 480 bytes
2014-09-16 17:06:40 [178.211.45.210] Block info requested SDB 2000 --> NOT AVAILABLE
2014-09-16 17:06:40 [178.211.45.210] Client disconnected by peer
2014-09-16 17:21:45 [178.211.45.210] Client added
2014-09-16 17:21:45 [178.211.45.210] The client requires a PDU size of 480 bytes
2014-09-16 17:21:46 [178.211.45.210] Read SZL request, ID:0x0f1c INDEX:0x0000 --> OK
2014-09-16 17:21:47 [178.211.45.210] Read SZL request, ID:0x001c INDEX:0x0000 --> OK
2014-09-16 17:21:47 [178.211.45.210] Client disconnected by peer
2014-09-16 17:21:48 [178.211.45.210] Client added
2014-09-16 17:21:49 [178.211.45.210] The client requires a PDU size of 240 bytes
2014-09-16 17:21:50 [178.211.45.210] Read SZL request, ID:0x0132 INDEX:0x0004 --> OK
2014-09-16 17:21:50 [178.211.45.210] Client disconnected by peer
2014-09-16 17:21:51 [178.211.45.210] Client added
2014-09-16 17:21:51 [178.211.45.210] The client requires a PDU size of 480 bytes
2014-09-16 17:21:52 [178.211.45.210] Block info requested SDB 2000 --> NOT AVAILABLE
2014-09-16 17:21:52 [178.211.45.210] Client disconnected by peer

From the sequence and logic of the interactions it can be concluded that this traffic did not come from Siemens' official client software such as STEP 7 or TIA Portal. It looks far more like the traditional, publicly known techniques for identifying S7 PLC hardware information (such as PLCScan.py and s7-enumerate.nse), with one difference: the other side added enumeration of specific S7 PLC blocks. That technique is, it must be said, another way to probe a PLC's internal state and the devices and functions it supports. The SDB 2000 block that the peer tried to retrieve in the log exists only if the PLC has PROFIBUS slaves; in that case it also shows up when the SDB blocks are listed, and its block info can then be obtained.
This kind of enumeration makes it possible, in a black-box setting and without decrypting the MC7 binary data of the SDB (system data) blocks, to reliably determine whether particular sub-functions or sub-modules are present in the PLC. Against honeypots that only emulate the industrial protocol (such as Conpot), it is especially devastating.
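The log above, and the block-counting extension to s7-enumerate.nse described in the next section, suggest a simple detection on the defender's side: a Snap7-based emulation server can tell an ordinary identification scan (SZL reads only) from a block-enumeration scan (SZL reads followed by "Block info requested" probes, usually across several short reconnects). The following Python is an added example written for this article; it is not code from the post, from Snap7, or from the ICS Discovery Tools. It assumes the Snap7 server log format exactly as quoted above, and the thresholds in `classify` (two or more sessions within 60 seconds) are assumptions chosen to match the quoted burst. The sample log is a constructed subset of the quoted lines plus one made-up client (10.0.0.5) that only reads a single SZL list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the Snap7 server log quoted in the post,
# plus one made-up client that performs only a single SZL read.
SAMPLE_LOG = """\
2014-09-16 17:06:33 [178.211.45.210] Client added
2014-09-16 17:06:34 [178.211.45.210] The client requires a PDU size of 480 bytes
2014-09-16 17:06:35 [178.211.45.210] Read SZL request, ID:0x0f1c INDEX:0x0000 --> OK
2014-09-16 17:06:35 [178.211.45.210] Read SZL request, ID:0x001c INDEX:0x0000 --> OK
2014-09-16 17:06:36 [178.211.45.210] Client disconnected by peer
2014-09-16 17:06:36 [178.211.45.210] Client added
2014-09-16 17:06:37 [178.211.45.210] The client requires a PDU size of 240 bytes
2014-09-16 17:06:38 [178.211.45.210] Read SZL request, ID:0x0132 INDEX:0x0004 --> OK
2014-09-16 17:06:38 [178.211.45.210] Client disconnected by peer
2014-09-16 17:06:39 [178.211.45.210] Client added
2014-09-16 17:06:39 [178.211.45.210] The client requires a PDU size of 480 bytes
2014-09-16 17:06:40 [178.211.45.210] Block info requested SDB 2000 --> NOT AVAILABLE
2014-09-16 17:06:40 [178.211.45.210] Client disconnected by peer
2014-09-16 17:30:00 [10.0.0.5] Client added
2014-09-16 17:30:01 [10.0.0.5] The client requires a PDU size of 240 bytes
2014-09-16 17:30:02 [10.0.0.5] Read SZL request, ID:0x0011 INDEX:0x0000 --> OK
"""

# Line layout of the Snap7 server log as quoted in the post (assumption: the
# format is stable): "<date> <time> [<ip>] <message>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[([^\]]+)\] (.+)$")
SZL_RE = re.compile(r"Read SZL request, ID:(0x[0-9a-fA-F]+) INDEX:(0x[0-9a-fA-F]+) --> (\w+)")
BLOCK_RE = re.compile(r"Block info requested (\w+) (\d+) --> (.+)$")
PDU_RE = re.compile(r"PDU size of (\d+) bytes")


def parse_log(text):
    """Yield (timestamp, ip, message) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def summarize_clients(text):
    """Aggregate per-client behaviour: session count, time span, SZL IDs read,
    block-info probes (type, number, result) and the PDU sizes negotiated."""
    clients = defaultdict(lambda: {"sessions": 0, "first": None, "last": None,
                                   "szl_ids": set(), "block_probes": [], "pdu_sizes": set()})
    for ts, ip, msg in parse_log(text):
        c = clients[ip]
        c["first"] = c["first"] or ts
        c["last"] = ts
        if msg == "Client added":
            c["sessions"] += 1
        elif (m := PDU_RE.search(msg)):
            c["pdu_sizes"].add(int(m.group(1)))
        elif (m := SZL_RE.match(msg)):
            c["szl_ids"].add(m.group(1).lower())
        elif (m := BLOCK_RE.match(msg)):
            c["block_probes"].append((m.group(1), int(m.group(2)), m.group(3)))
    return clients


def classify(summary, window_seconds=60):
    """Label one client's summary. Heuristic (assumption, not from the post):
    identification scanners only read SZL lists in a short burst of sessions;
    block enumerators additionally request block info for specific blocks."""
    duration = (summary["last"] - summary["first"]).total_seconds()
    bursty = summary["sessions"] >= 2 and duration <= window_seconds
    if summary["block_probes"] and summary["szl_ids"]:
        return "block-enumeration scan"
    if summary["szl_ids"] and bursty:
        return "identification scan"
    return "benign/unknown"


def detect(text):
    """Map each client IP in the log to a label."""
    return {ip: classify(s) for ip, s in summarize_clients(text).items()}


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_LOG).items():
        print(f"{ip}: {label}")
```

Because `summarize_clients` keeps the raw block probes, an operator can also see which blocks a scanner went looking for (here SDB 2000, the PROFIBUS-slave indicator the post discusses) and tune the emulated block list accordingly, which is what makes a protocol-only honeypot less easy to single out.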

Ideas and actions for improving S7-series PLC identification

With the launch of digitalbond's Redpoint project, the Python-based S7-series PLC identification tool originally open-sourced by scadastrangelove (PLCScan) was ported to an nmap NSE script. The appearance of these tools took much of the mystery out of mass probing, and more and more organizations have joined in mining ICS assets. Taking digitalbond's open-source s7-enumerate.nse as an example, we can build on it to add support for other S7 models and fuzzy matching of devices that speak the S7 protocol (differences in the protocol handshake mean the S7-1200 cannot be identified with the original s7-enumerate.nse, so the handshake packets have to be rebuilt, and other S7 devices need fuzzy protocol-level identification), and even the deeper probing shown above, such as counting the blocks of each type inside the PLC. That makes it possible to quickly assess how complex the PLC's running logic is and to locate honeypots.
As shown below, block counting has been added on top of the original script (supports S7-300/400):

[Figure: scan_s7_plc_block1, s7-enumerate.nse output with the added per-type block counts]

Getting the NMAP NSE script

Github_ICS Discovery Tools

About Z-0ne

