Protocol analysis | ICS security | Technical sharing

Tracing ICS Scanners (Trace ICS Scanner)

Introduction

Probing scans of the Internet keep increasing. PLCs, embedded devices and similar equipment exposed on the public Internet are part of it, and as fingerprinting methods are published and more people research them, probes against these devices will only grow. In scanning and fingerprinting, Shodan abroad was an early organization to probe industrial control protocols (for example Siemens S7 PLCs on TCP 102, Modbus devices on TCP 502, DNP3 devices on TCP 20000), and domestically CNCERT appears to have started its first round of probing scans. Below I share some quick ways to listen for these probes and some intelligence on the organizations doing the scanning.

Tips

Without deploying an ICS honeypot or protocol emulator such as conpot, we can use the small but capable netcat to do non-interactive port listening and capture the first frame the other side sends when it scans us. Analysing that frame tells us which fingerprinting method they use and where the scan comes from, and over time it also builds a collection of the identification techniques in use.

As shown in the figure below, we can run nc in a loop listening on a specific ICS protocol port and collect the other side's test frames (using the -o option to write a hex dump to a file is recommended).
[Figure: nc-honeypot-mode1]

The example below is the IEC 104 protocol on TCP 2404, where a test frame request (TESTFR act, 68 04 43 00 00 00) was received. According to the IEC 104 standard, a real device that receives the frame in the figure replies with the confirmation 68 04 83 00 00 00 (TESTFR con). We can likewise build a SocketServer, fill in that reply, and so advance the other side to its next sending step, which lets us complete the interaction logic and see more of the scanner's behaviour.
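As an added example (not the post's own script), the following Python listener does what this tip describes: it records every frame a scanner sends on TCP 2404 in hex, much like nc -o, and answers the IEC 104 U-format control frames (TESTFR, STARTDT, STOPDT act) with the confirmation a real outstation would send so the scanner moves on to its next step. The control-octet values come from IEC 60870-5-104; the log format, the 10-second idle timeout and the function names are my assumptions.

```python
"""Passive-then-interactive IEC 60870-5-104 listener on TCP 2404.

Added example, not the original post's tooling. Logs each frame a scanner
sends (hex) and answers U-format control frames with the confirmation a
real outstation would send, so the scanner reveals its next step.
The log format and the 10 s idle timeout are assumptions.
"""
import logging
import socket
import socketserver
from typing import List, Optional

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")

IEC104_PORT = 2404
START = 0x68  # APCI start byte

# U-format control octet -> (name, confirmation control octet), per IEC 60870-5-104:
# TESTFR act 0x43 -> con 0x83, STARTDT act 0x07 -> con 0x0B, STOPDT act 0x13 -> con 0x23.
U_FRAMES = {
    0x43: ("TESTFR act", 0x83),
    0x07: ("STARTDT act", 0x0B),
    0x13: ("STOPDT act", 0x23),
}


def split_apdus(data: bytes) -> List[bytes]:
    """Split one TCP read into APDUs using the APCI length field (start, len, ...)."""
    out, i = [], 0
    while i + 2 <= len(data) and data[i] == START:
        n = data[i + 1] + 2          # length field counts the bytes after itself
        out.append(data[i:i + n])
        i += n
    if i < len(data):
        out.append(data[i:])         # not IEC 104 at all: keep it, it is still evidence
    return out


def frame_kind(apdu: bytes) -> str:
    """Classify an APDU as 'I', 'S', a named U frame, 'U unknown' or 'invalid'."""
    if len(apdu) < 6 or apdu[0] != START or apdu[1] != len(apdu) - 2:
        return "invalid"
    ctrl = apdu[2]
    if ctrl & 0x01 == 0:             # I format: bit 0 of the first control octet is 0
        return "I"
    if ctrl & 0x03 == 0x01:          # S format: bits 0-1 are 01
        return "S"
    return U_FRAMES.get(ctrl, ("U unknown", 0))[0]   # U format: bits 0-1 are 11


def reply_for(apdu: bytes) -> Optional[bytes]:
    """Return the confirmation APDU an outstation would send, or None if no reply is due."""
    if frame_kind(apdu) == "invalid":
        return None
    entry = U_FRAMES.get(apdu[2])
    if entry is None:
        return None                  # I/S frames and unknown U frames get no reply here
    return bytes([START, 0x04, entry[1], 0x00, 0x00, 0x00])


class ScannerHandler(socketserver.BaseRequestHandler):
    """One connection: log each APDU with its source, answer U frames, close when idle."""

    def handle(self) -> None:
        peer = "%s:%d" % self.client_address[:2]
        self.request.settimeout(10)  # assumption: scanners that go quiet are done
        try:
            while True:
                data = self.request.recv(4096)
                if not data:
                    break
                for apdu in split_apdus(data):
                    logging.info("%s %-12s hex=%s", peer, frame_kind(apdu), apdu.hex())
                    reply = reply_for(apdu)
                    if reply:
                        self.request.sendall(reply)
        except socket.timeout:
            logging.info("%s idle, closing", peer)


def serve(bind: str = "0.0.0.0", port: int = IEC104_PORT) -> None:
    """Listen on the IEC 104 port and handle each scanner in its own thread."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((bind, port), ScannerHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Frames that are not IEC 104 are logged as invalid and left unanswered, so you still see what HTTP or other generic probers send to 2404. The handler emulates no ASDU data: an I-frame interrogation (for example a C_IC_NA_1 after STARTDT) gets no answer, which is where you would extend reply_for once the logs show what the scanner asks for next.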

Who is scanning?

By listening on the ICS protocol ports, or from scan logs collected with protocol emulators, we can enumerate a number of IPs belonging to Shodan nodes. Judging by the fingerprinting logs collected in the ICS/SCADA Honeypot Log, the sources match the node IPs listed below quite closely.
(The IPs below are recommended for a blacklist.)
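As an added example of the correlation this section describes (not the post's own data or tooling), the script below parses listener hits, attributes each source IP to a labelled address range, and checks whether the first frame actually fits the protocol expected on that port, which separates protocol-aware ICS scanners from generic port sweeps. The log lines and the CIDR ranges are constructed placeholders built from the RFC 5737 documentation prefixes, not the real Shodan or CNCERT addresses the post refers to; the log format is assumed to be whatever your listener writes.

```python
"""Correlate listener/honeypot hits with known scanner address ranges.

Added example, not part of the original post. Log lines and scanner ranges
below are constructed placeholders (RFC 5737 documentation prefixes); replace
KNOWN_SCANNERS with the ranges you have attributed from your own logs.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: label -> CIDR blocks. Placeholders, not real scanner addresses.
KNOWN_SCANNERS = {
    "shodan-node (placeholder)": ["192.0.2.0/24"],
    "domestic-scanner (placeholder)": ["198.51.100.0/24"],
}

# Constructed sample log: "<timestamp> <src_ip> <dst_port> <first frame as hex>".
# 102: TPKT + COTP connection request (S7), 502: Modbus read device identification,
# 2404: IEC 104 TESTFR/STARTDT act, and one plain "GET / HTTP/1.0" sent to 2404.
SAMPLE_LOG = """\
2018-09-28T01:02:03Z 192.0.2.10 102 0300001611e00000001400c1020100c2020102c0010a
2018-09-28T01:02:05Z 192.0.2.10 502 000100000005ff2b0e0100
2018-09-28T01:02:09Z 192.0.2.10 2404 680443000000
2018-09-28T03:11:00Z 198.51.100.7 102 0300001611e00000001400c1020100c2020102c0010a
2018-09-28T03:11:02Z 198.51.100.7 2404 680407000000
2018-09-29T10:00:00Z 203.0.113.55 2404 474554202f20485454502f312e30
"""

Hit = Tuple[str, ipaddress.IPv4Address, int, bytes]


def parse_log(text: str) -> List[Hit]:
    """Turn log lines into (timestamp, ip, port, payload) tuples; blank lines are skipped."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, payload = line.split(maxsplit=3)
        hits.append((ts, ipaddress.ip_address(src), int(port), bytes.fromhex(payload)))
    return hits


def attribute(ip: ipaddress.IPv4Address, scanners: Dict[str, List[str]] = KNOWN_SCANNERS) -> str:
    """Label an address by the first scanner range that contains it, else 'unknown'."""
    for label, nets in scanners.items():
        if any(ip in ipaddress.ip_network(net) for net in nets):
            return label
    return "unknown"


def looks_like_protocol(port: int, payload: bytes) -> bool:
    """Crude first-frame sanity check: does the payload fit the ICS protocol on that port?"""
    checks = {
        102: payload[:1] == b"\x03" and payload[5:6] == b"\xe0",   # TPKT version 3 + COTP CR
        502: len(payload) >= 8 and payload[2:4] == b"\x00\x00",    # MBAP protocol id 0
        2404: payload[:1] == b"\x68",                              # IEC 104 start byte
    }
    return checks.get(port, False)


def summarize(hits: List[Hit], scanners: Dict[str, List[str]] = KNOWN_SCANNERS) -> Dict[str, dict]:
    """Per source IP: attribution label, ports touched, protocol-aware hit count, first seen."""
    report: Dict[str, dict] = {}
    for ts, ip, port, payload in sorted(hits, key=lambda h: h[0]):
        entry = report.setdefault(str(ip), {
            "label": attribute(ip, scanners), "ports": set(),
            "protocol_aware": 0, "first_seen": ts,
        })
        entry["ports"].add(port)
        if looks_like_protocol(port, payload):
            entry["protocol_aware"] += 1
    for entry in report.values():
        entry["ports"] = sorted(entry["ports"])
    return report


if __name__ == "__main__":
    for ip, info in summarize(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

A source that touches 102, 502 and 2404 with protocol-correct first frames is a fingerprinting scanner, not a stray web crawler; that is the signal to use when deciding which unknown addresses deserve a closer look before they go on the blacklist.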

The log below shows a scan from within China received at the end of September, the first domestic fingerprinting request since TCP 102 was exposed to the Internet at the end of June. The recent domestic IPs are as follows:

A mix-up?

About Z-0ne
