Introduction
Probing scans of the internet keep increasing. PLCs, embedded devices and similar equipment exposed on the public internet are part of that internet, and as fingerprinting methods are published and the number of people researching them grows, probes aimed at these devices will only become more frequent. In the scanning and identification space, Shodan abroad was an early organisation to probe industrial control protocols specifically (Siemens S7 PLCs on TCP 102, Modbus devices on TCP 502, DNP3 devices on port 20000, and so on), while domestically CNCERT appears to have begun its first round of probing scans. Below I mainly share some quick ways to listen for these probes and some intelligence on the organisations doing the scanning.
Tips
Without deploying an ICS honeypot or protocol emulator such as Conpot, we can use the small but capable netcat to listen on a port with no interaction and receive the first frame the other side sends when it scans us, then analyse it. This helps us understand the fingerprinting method used and the scan source, and also helps us collect the identification methods in use.
As shown in the figure, we can run nc in a loop listening on specific ICS protocol ports and collect the peer's test packets (the -o option is recommended, to write a hex dump to a file).
Below, IEC 104 is running on TCP 2404 and has received a test-frame request. According to the IEC 104 standard, a real device receiving the packet shown in the figure would reply with 68 04 83 00 00 00. In the same way we can create a socket server, fill in that reply, and so reach the peer's next sending step, which helps us build out the interaction logic.
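The netcat loop above only captures the first frame; the next step the post describes, answering the test frame so the scanner moves on to its next message, needs a small socket server. The following is an added example (not the post's code) of such a listener in Python on TCP 2404: it logs the source address and the hex of the first frame the peer sends (the same information the nc -o hex file gives you), and when that frame is a U-format frame it returns the confirmation a real outstation would. For TESTFR act, which under IEC 60870-5-104 is 68 04 43 00 00 00, that confirmation is the 68 04 83 00 00 00 the post quotes. I- and S-frames are logged but never answered. The bind address, the port constant and the `parse_apdu`/`response_for` function names are my own choices.

```python
"""Minimal IEC 60870-5-104 listener: logs the first frame from each peer and answers U-frames."""
import logging
import socketserver

START = 0x68
# First control octet of U-format frames (IEC 60870-5-104, APCI); bits 0-1 == 11 marks U format.
U_FRAMES = {
    0x07: "STARTDT act", 0x0B: "STARTDT con",
    0x13: "STOPDT act",  0x23: "STOPDT con",
    0x43: "TESTFR act",  0x83: "TESTFR con",
}
# The confirmation a real outstation sends for each activation (TESTFR act -> TESTFR con, etc.).
U_REPLY = {0x43: 0x83, 0x07: 0x0B, 0x13: 0x23}


def parse_apdu(data: bytes):
    """Return (format, description) for one APDU, or None if it is not a well-formed 104 frame."""
    if len(data) < 6 or data[0] != START:
        return None
    apdu_len = data[1]                      # length of the bytes after this field
    if apdu_len < 4 or len(data) < 2 + apdu_len:
        return None
    c1 = data[2]
    if c1 & 0x03 == 0x03:                   # U format
        return ("U", U_FRAMES.get(c1, f"unknown U 0x{c1:02x}"))
    if c1 & 0x03 == 0x01:                   # S format (receive acknowledgement)
        return ("S", "supervisory")
    # I format: APCI is 6 bytes, so the ASDU type identification sits at offset 6.
    return ("I", f"ASDU type {data[6]}" if apdu_len > 4 else "I frame without ASDU")


def response_for(data: bytes):
    """The U-frame confirmation a real device would send back, or None (I/S frames get no answer)."""
    parsed = parse_apdu(data)
    if parsed is None or parsed[0] != "U":
        return None
    con = U_REPLY.get(data[2])
    return bytes([START, 4, con, 0, 0, 0]) if con is not None else None


class FirstFrameHandler(socketserver.BaseRequestHandler):
    def handle(self):
        src = self.client_address[0]
        data = self.request.recv(260)       # max APDU is 253 bytes + 2 header bytes
        if not data:
            logging.info("%s connected and sent nothing", src)
            return
        logging.info("%s first frame %s -> %s", src, data.hex(" "), parse_apdu(data))
        reply = response_for(data)
        if reply:
            self.request.sendall(reply)
            logging.info("%s answered with %s", src, reply.hex(" "))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2404), FirstFrameHandler) as srv:
        srv.serve_forever()
```

Run it as root or with a port capability, since 2404 is a privileged port; the log line per connection is what you compare against the scanner IP lists later in the post. Only the activation frames are answered because a listener that confirms anything else would no longer behave like the real outstation the post is imitating.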
Who is scanning?
By listening on the ports the ICS protocols run on, or by collecting scan logs with a protocol emulator, we can enumerate a number of IPs belonging to Shodan nodes. Judging from the scanning and fingerprinting logs collected by ICS/SCADA Honeypot Log, they match the node IPs listed below fairly closely.
(Blacklisting the IPs below is recommended.)
census1.shodan.io 198.20.69.74
census2.shodan.io 198.20.69.98
census3.shodan.io 198.20.70.114
census4.shodan.io 198.20.99.130
census5.shodan.io 93.120.27.62
census6.shodan.io 66.240.236.119
census7.shodan.io 71.6.135.131
census8.shodan.io 66.240.192.138
census9.shodan.io 71.6.167.142
census10.shodan.io 82.221.105.6
census11.shodan.io 71.6.165.7
census12.shodan.io 71.6.165.200
rim.census.shodan.io 85.25.43.94
pacific.census.shodan.io 85.25.103.50
atlantic.census.shodan.io 188.138.9.50
scanner1.labs.rapid7.com 198.143.173.162
scanner2.labs.rapid7.com 71.6.216.34
The log below shows that at the end of September we received scans from domestic IPs, the first domestic fingerprinting requests since exposing TCP 102 to the internet at the end of June. The recent domestic IPs are as follows:
2014-09-26 03:18:04 [202.108.211.63] Client added
2014-09-26 03:18:04 [202.108.211.63] Client added
2014-09-26 03:18:04 [202.108.211.63] Client disconnected by peer
2014-09-26 03:18:04 [202.108.211.63] The client requires a PDU size of 480 bytes
2014-09-26 03:18:04 [202.108.211.63] Client disconnected by peer
2014-09-26 03:18:04 [202.108.211.63] Client added
2014-09-26 03:18:04 [202.108.211.63] The client requires a PDU size of 480 bytes
2014-09-26 03:18:04 [202.108.211.63] Read SZL request, ID:0x0011 INDEX:0x0001 --> OK
2014-09-26 03:18:04 [202.108.211.63] Read SZL request, ID:0x001c INDEX:0x0001 --> OK
2014-09-26 03:18:04 [202.108.211.63] Client disconnected by peer
2014-11-07 23:52:49 [114.113.55.198] Client added
2014-11-07 23:52:49 [114.113.55.198] The client requires a PDU size of 480 bytes
2014-11-07 23:52:50 [114.113.55.198] Client disconnected by peer
2014-11-07 23:52:50 [114.113.55.198] Client added
2014-11-07 23:52:50 [114.113.55.198] The client requires a PDU size of 480 bytes
2014-11-07 23:52:51 [114.113.55.198] Read SZL request, ID:0x0011 INDEX:0x0001 --> OK
2014-11-07 23:52:51 [114.113.55.198] Read SZL request, ID:0x001c INDEX:0x0001 --> OK
2014-11-07 23:52:51 [114.113.55.198] Client disconnected by peer
2014-11-08 14:26:14 [114.113.55.198] Client added
2014-11-08 14:26:14 [114.113.55.198] The client requires a PDU size of 480 bytes
2014-11-08 14:26:14 [114.113.55.198] Client disconnected by peer
2014-11-08 14:26:14 [114.113.55.198] Client added
2014-11-08 14:26:15 [114.113.55.198] The client requires a PDU size of 480 bytes
2014-11-08 14:26:15 [114.113.55.198] Read SZL request, ID:0x0011 INDEX:0x0001 --> OK
2014-11-08 14:26:15 [114.113.55.198] Read SZL request, ID:0x001c INDEX:0x0001 --> OK
2014-11-08 14:26:15 [114.113.55.198] Client disconnected by peer
2014-11-09 20:00:50 [202.108.211.63] Client added
2014-11-09 20:00:50 [202.108.211.63] Client disconnected by peer
2014-11-09 20:00:51 [202.108.211.63] Client added
2014-11-09 20:00:51 [202.108.211.63] The client requires a PDU size of 480 bytes
2014-11-09 20:00:51 [202.108.211.63] Client disconnected by peer
2014-11-09 20:00:52 [202.108.211.63] Client added
2014-11-09 20:00:52 [202.108.211.63] The client requires a PDU size of 480 bytes
2014-11-09 20:00:52 [202.108.211.63] Read SZL request, ID:0x0011 INDEX:0x0001 --> OK
2014-11-09 20:00:52 [202.108.211.63] Read SZL request, ID:0x001c INDEX:0x0001 --> OK
2014-11-09 20:00:53 [202.108.211.63] Client disconnected by peer
Connected by 202.108.211.62
Received = array('B', [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
Connected by 202.108.211.62
Received = array('B', [0, 0, 0, 0, 0, 5, 0, 43, 14, 1, 0, 0, 0])
ID= 0, Fun.Code= 43, Address= 3585, Bytes= 0
Fri Nov 07 16:13:02 2014: ADR:3585 Reg:0
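The two logs above are worth reading mechanically rather than by eye: the S7 server log shows each source negotiating a PDU size, reading SZL 0x0011 (module identification) and 0x001c (component identification) and disconnecting, which is a fingerprinting pattern and not process traffic; the Modbus buffer 00 00 00 00 00 05 00 2B 0E 01 00 is function code 0x2B (43) with MEI type 0x0E, Read Device Identification, and the listener's "Address= 3585" is just those two bytes 0x0E 0x01 read as a 16-bit register address. The following is an added example (not the post's code) that parses a Snap7-style log into a per-source summary, flags sources that only read identification SZLs, and decodes a captured Modbus/TCP buffer including the all-zero probe that precedes it. The sample log is a constructed subset of the lines quoted above, and the function names and the summary layout are my own.

```python
import re
from collections import defaultdict

# SZL IDs that return only identity data; a session that reads just these and leaves
# is fingerprinting the CPU, not controlling a process.
SZL_NAMES = {0x0011: "module identification", 0x001C: "component identification"}

LINE_RE = re.compile(r"^(\S+ \S+) \[([\d.]+)\] (.*)$")
SZL_RE = re.compile(r"Read SZL request, ID:0x([0-9a-fA-F]{4}) INDEX:0x([0-9a-fA-F]{4})")


def summarize_s7_log(text):
    """Group Snap7-style server log lines by source IP: sessions opened,
    PDU sizes negotiated and the SZL IDs read, in order."""
    per_ip = defaultdict(lambda: {"sessions": 0, "pdu_sizes": set(), "szl_ids": []})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # not a log line we understand
        _ts, ip, msg = m.groups()
        rec = per_ip[ip]
        if msg == "Client added":
            rec["sessions"] += 1
        elif msg.startswith("The client requires a PDU size of"):
            rec["pdu_sizes"].add(int(msg.split()[-2]))
        else:
            s = SZL_RE.match(msg)
            if s:
                rec["szl_ids"].append(int(s.group(1), 16))
    return dict(per_ip)


def is_identification_scan(rec):
    """True when every SZL this source read is an identity list (0x0011 / 0x001C)."""
    ids = set(rec["szl_ids"])
    return bool(ids) and ids <= set(SZL_NAMES)


def decode_modbus_tcp(buf):
    """Decode the MBAP header and the leading PDU bytes of a captured Modbus/TCP buffer.
    Bytes beyond the MBAP length field are receive-buffer padding and are ignored."""
    buf = bytes(buf)
    if len(buf) < 7:
        return {"valid": False, "reason": "shorter than the MBAP header"}
    txid = int.from_bytes(buf[0:2], "big")
    proto = int.from_bytes(buf[2:4], "big")           # always 0 for Modbus
    length = int.from_bytes(buf[4:6], "big")          # bytes that follow the length field
    unit = buf[6]
    if proto != 0 or length < 2 or len(buf) < 6 + length:
        return {"valid": False, "reason": "bad protocol id or length (e.g. an all-zero probe)"}
    pdu = buf[7:6 + length]
    out = {"valid": True, "transaction_id": txid, "unit": unit, "function_code": pdu[0]}
    if pdu[0] == 0x2B and len(pdu) >= 4:              # Encapsulated Interface Transport
        out["mei_type"] = pdu[1]
        if pdu[1] == 0x0E:                            # Read Device Identification
            out["read_devid_code"] = pdu[2]           # 1 basic, 2 regular, 3 extended, 4 one object
            out["object_id"] = pdu[3]
            # What a register-oriented listener reports when it reads these two bytes as an address:
            out["as_misread_address"] = (pdu[1] << 8) | pdu[2]
    return out


# Constructed sample: a subset of the log lines quoted in the post, same format.
SAMPLE_S7_LOG = """\
2014-09-26 03:18:04 [202.108.211.63] Client added
2014-09-26 03:18:04 [202.108.211.63] The client requires a PDU size of 480 bytes
2014-09-26 03:18:04 [202.108.211.63] Read SZL request, ID:0x0011 INDEX:0x0001 --> OK
2014-09-26 03:18:04 [202.108.211.63] Read SZL request, ID:0x001c INDEX:0x0001 --> OK
2014-09-26 03:18:04 [202.108.211.63] Client disconnected by peer
2014-11-07 23:52:49 [114.113.55.198] Client added
2014-11-07 23:52:49 [114.113.55.198] The client requires a PDU size of 480 bytes
2014-11-07 23:52:51 [114.113.55.198] Read SZL request, ID:0x0011 INDEX:0x0001 --> OK
2014-11-07 23:52:51 [114.113.55.198] Client disconnected by peer
"""
# The two 13-byte buffers the Modbus listener in the post logged: an empty probe, then Read Device Identification.
SAMPLE_MODBUS = [bytes(13), bytes([0, 0, 0, 0, 0, 5, 0, 43, 14, 1, 0, 0, 0])]

if __name__ == "__main__":
    for ip, rec in summarize_s7_log(SAMPLE_S7_LOG).items():
        names = [SZL_NAMES.get(i, hex(i)) for i in rec["szl_ids"]]
        print(ip, rec["sessions"], "session(s); SZL read:", names,
              "; identification scan:", is_identification_scan(rec))
    for b in SAMPLE_MODBUS:
        print(b.hex(" "), "->", decode_modbus_tcp(b))
```

The SZL-only heuristic is deliberately narrow: a real engineering station also reads 0x0011 and 0x001c, but it then goes on to read or write data blocks, so the "only identity lists, then disconnect" shape is what separates a census from a legitimate client. For Modbus, keying on function 0x2B / MEI 0x0E gives the same separation, since device identification is what inventory scanners ask for first.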
A mix-up?
lab.cert.org.cn 202.108.211.124
Zhuiying (追影) Advanced Threat Detection System 202.108.211.26
Emergency Repair System (应急修复系统) 202.108.211.34:8080
Advanced Persistent Threat (APT) Security Monitoring System 202.108.211.92
SSL VPN 202.108.211.98