Protocol Analysis | Tech Sharing

Analyzing ICS Protocols with Wireshark

In industrial control systems there are many standard communication protocols, and just as many proprietary ones. If you have ever used configuration (SCADA/HMI) software, you will have noticed that in the very first step, connecting to a device, apart from the physical connection method (Ethernet, serial and so on), almost every vendor has its own proprietary communication protocol.

[Figure: comm_drivers] The image above shows the driver configuration screen of a SCADA package.

It is well known that most ICS protocols are transmitted without encryption and carry no authentication at the protocol level. Through protocol analysis one can therefore often build test cases that make devices supporting a given protocol behave abnormally in a particular runtime environment, for example the forced operation of physical outputs mentioned earlier (using the FINS protocol to attack the physical I/O outputs of Omron PLCs), program upload and download, resetting device state, and so on. Apart from the protocol documents some vendors publish, Wireshark also supports a large number of ICS protocols, which makes it easy to learn what the individual fields, commands and so on in a protocol do.

Classification of proprietary protocols

The many public and proprietary protocols can be grouped into the following classes:
Standard protocols: international or widely recognized standard protocols, such as Modbus, DNP3 and IEC 104
Proprietary, documented: supported only by the vendor's own devices, but with official protocol documentation available, such as Omron FINS and Mitsubishi MELSEC
Proprietary, undocumented: supported only by the vendor's own devices, with no official protocol documentation, such as S7, Siemens PPI and GE SRTP

Analyzing common ICS protocols with Wireshark

Wireshark is a powerful open-source traffic and protocol analysis tool. Besides decoding traditional network protocols, it also supports the analysis and decoding of many mainstream and standard ICS protocols. For that purpose I have compiled the paths of the packet dissection code for automation-related protocols in the Wireshark source tree, both as a reference for readers and for my own records.
