Tracing ICS Scanners (Trace ICS Scanner)

Introduction

Probing scans of the Internet are becoming more and more common. PLCs, embedded devices and similar equipment exposed on the public Internet are part of that Internet too, and as identification methods are published and the number of researchers grows, probes against such devices will keep increasing. In the area of scanning and identification, Shodan abroad was an early organisation to focus on industrial control protocols (the Siemens S7 PLC on TCP port 102, Modbus devices on TCP port 502, DNP3 devices on port 20000, and so on), while domestically CNCERT appears to have started its first round of probing scans. Below I mainly share some quick listening techniques and some intelligence on scanning organisations.

Tips

Without using an ICS honeypot or protocol emulator such as Conpot, we can use the small but capable netcat to do non-interactive port listening and receive and analyse the first frame the scanner sends. This helps us understand the identification method and the source of the scan, and also helps us collect the fingerprinting techniques the other side uses.

As the figure below shows, we can use nc to listen in a loop on a specific ICS protocol port and capture the other side's probe frames (using the -o parameter to write a hex dump file is recommended).
[Figure: nc-honeypot-mode1]

Below, the IEC 104 protocol is running on TCP port 2404 and a test-frame request has been received. According to the IEC 104 standard, a real device that receives the frame shown in the figure replies with 68 04 83 00 00 00; in the same way we can build a SocketServer, fill in that reply frame, and move on to the scanner's next sending step, which helps us complete the interaction logic.
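As an added example that is not part of the original post, here is a minimal Python socketserver doing what the paragraph above describes: it listens on TCP 2404, logs every frame with the source IP, and answers an IEC 104 TESTFR act (68 04 43 00 00 00) with the TESTFR con 68 04 83 00 00 00 that a real device would send. It goes a little beyond the post by also confirming STARTDT and STOPDT U-frames so the scanner can proceed further; the port constant, bind address and per-connection frame limit are assumptions.

```python
import logging
import socketserver

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")

IEC104_PORT = 2404          # assumption: the standard IEC 104 port, as in the post
START = 0x68                # APCI start byte

# IEC 104 U-frame control octet 1: the low two bits 11 mark a U-frame; each
# function has an "act" bit and its "con" bit one position higher.
# TESTFR act 0x43 -> con 0x83, STARTDT 0x07 -> 0x0B, STOPDT 0x13 -> 0x23.
U_FRAME_CONFIRM = {0x43: 0x83, 0x07: 0x0B, 0x13: 0x23}


def apci_reply(frame: bytes):
    """Return the 6-byte APCI confirmation a real device would send for the
    U-frame in `frame`, or None for anything else (I/S-frames, junk)."""
    if len(frame) < 6 or frame[0] != START or frame[1] != 4:
        return None
    ctrl1 = frame[2]
    if ctrl1 & 0x03 != 0x03:          # I-frame or S-frame: not handled here
        return None
    con = U_FRAME_CONFIRM.get(ctrl1)  # only "act" frames get a confirmation
    return None if con is None else bytes([START, 4, con, 0, 0, 0])


class Iec104Handler(socketserver.BaseRequestHandler):
    """Log each scanner frame with its source IP and confirm U-frames."""

    def handle(self):
        peer = self.client_address[0]
        for _ in range(8):                # assumption: bound the exchange
            data = self.request.recv(256)
            if not data:
                break
            logging.info("[%s] recv %s", peer, data.hex(" "))
            reply = apci_reply(data)
            if reply is None:
                logging.info("[%s] unrecognised frame, closing", peer)
                break
            self.request.sendall(reply)
            logging.info("[%s] sent %s", peer, reply.hex(" "))


if __name__ == "__main__":
    # Assumption: bind on all interfaces; restrict this to the exposed address.
    with socketserver.TCPServer(("0.0.0.0", IEC104_PORT), Iec104Handler) as srv:
        srv.serve_forever()
```

Run it as root (or with a port above 1024 and a redirect) and point a scanner or a quick `nc` at port 2404; the log shows the raw hex of each frame and what was returned.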

Who is scanning?

By listening on the ports where ICS protocols run, or from scan logs collected with a protocol emulator, we can trace a number of IPs belonging to Shodan nodes. Judging from the scan and identification logs collected in the ICS/SCADA Honeypot Log, they match the node IPs listed below quite closely.
(Blacklisting the following IPs is recommended.)


The log below shows scans received from domestic sources at the end of September; this was the first domestic identification request since TCP port 102 was exposed on the Internet at the end of June. The recent domestic IPs are as follows:

2014-09-26 03:18:04 [202.108.211.63] Client added
2014-09-26 03:18:04 [202.108.211.63] Client added
2014-09-26 03:18:04 [202.108.211.63] Client disconnected by peer
2014-09-26 03:18:04 [202.108.211.63] The client requires a PDU size of 480 bytes
2014-09-26 03:18:04 [202.108.211.63] Client disconnected by peer
2014-09-26 03:18:04 [202.108.211.63] Client added
2014-09-26 03:18:04 [202.108.211.63] The client requires a PDU size of 480 bytes
2014-09-26 03:18:04 [202.108.211.63] Read SZL request, ID:0x0011 INDEX:0x0001 --> OK
2014-09-26 03:18:04 [202.108.211.63] Read SZL request, ID:0x001c INDEX:0x0001 --> OK
2014-09-26 03:18:04 [202.108.211.63] Client disconnected by peer
2014-11-07 23:52:49 [114.113.55.198] Client added
2014-11-07 23:52:49 [114.113.55.198] The client requires a PDU size of 480 bytes
2014-11-07 23:52:50 [114.113.55.198] Client disconnected by peer
2014-11-07 23:52:50 [114.113.55.198] Client added
2014-11-07 23:52:50 [114.113.55.198] The client requires a PDU size of 480 bytes
2014-11-07 23:52:51 [114.113.55.198] Read SZL request, ID:0x0011 INDEX:0x0001 --> OK
2014-11-07 23:52:51 [114.113.55.198] Read SZL request, ID:0x001c INDEX:0x0001 --> OK
2014-11-07 23:52:51 [114.113.55.198] Client disconnected by peer
2014-11-08 14:26:14 [114.113.55.198] Client added
2014-11-08 14:26:14 [114.113.55.198] The client requires a PDU size of 480 bytes
2014-11-08 14:26:14 [114.113.55.198] Client disconnected by peer
2014-11-08 14:26:14 [114.113.55.198] Client added
2014-11-08 14:26:15 [114.113.55.198] The client requires a PDU size of 480 bytes
2014-11-08 14:26:15 [114.113.55.198] Read SZL request, ID:0x0011 INDEX:0x0001 --> OK
2014-11-08 14:26:15 [114.113.55.198] Read SZL request, ID:0x001c INDEX:0x0001 --> OK
2014-11-08 14:26:15 [114.113.55.198] Client disconnected by peer
2014-11-09 20:00:50 [202.108.211.63] Client added
2014-11-09 20:00:50 [202.108.211.63] Client disconnected by peer
2014-11-09 20:00:51 [202.108.211.63] Client added
2014-11-09 20:00:51 [202.108.211.63] The client requires a PDU size of 480 bytes
2014-11-09 20:00:51 [202.108.211.63] Client disconnected by peer
2014-11-09 20:00:52 [202.108.211.63] Client added
2014-11-09 20:00:52 [202.108.211.63] The client requires a PDU size of 480 bytes
2014-11-09 20:00:52 [202.108.211.63] Read SZL request, ID:0x0011 INDEX:0x0001 --> OK
2014-11-09 20:00:52 [202.108.211.63] Read SZL request, ID:0x001c INDEX:0x0001 --> OK
2014-11-09 20:00:53 [202.108.211.63] Client disconnected by peer
Connected by 202.108.211.62
Received =  array('B', [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
Connected by 202.108.211.62
Received =  array('B', [0, 0, 0, 0, 0, 5, 0, 43, 14, 1, 0, 0, 0])
ID= 0,  Fun.Code= 43,  Address= 3585, Bytes= 0
Fri Nov 07 16:13:02 2014: ADR:3585 Reg:0

A mix-up?

lab.cert.org.cn 202.108.211.124
Zhuiying (追影) Advanced Threat Detection System 202.108.211.26
Emergency Remediation System 202.108.211.34:8080
Advanced Persistent Threat (APT) Security Monitoring System 202.108.211.92
SSL VPN 202.108.211.98

About Z-0ne
