Using an Industrial PLC as a Socket Proxy to Break Into the Internal Network!

In the wave of the Internet of Everything and smart manufacturing, more and more industrial control devices are being connected to the internet, which exposes once "seemingly secure" industrial control systems to public view. These internet-exposed ICS devices carry all kinds of hidden risks; they can even be turned into a Socket proxy to break into the internal network. This article introduces and demonstrates this new type of attack.

Introduction

Many people believe that industrial control devices run on closed networks, are never connected to the public internet, and therefore never face network security problems. In reality, as industrialisation and informatisation become ever more tightly integrated, industrial control systems increasingly adopt standardised communication protocols and off-the-shelf hardware and software, and rely on the internet for remote control and operation. This breaks the closed, proprietary nature of the original systems, lets viruses, trojans, information leakage and other network security problems spread rapidly into the ICS domain, and directly affects the security of a large amount of ICS-related infrastructure.

A simple search for Siemens devices on Shodan reveals devices exposed on the public internet all over the world, and their number keeps growing.

The two screenshots below were taken one month apart: the first around 2017/12/10, the second on 2018/1/16. Within a single month the number of Siemens devices exposed on the public internet grew by nearly 200. As smart homes and the Internet of Things spread, more and more ICS devices will be exposed on the public internet.

[Screenshot 1: Shodan search for Siemens devices, around 2017/12/10]

[Screenshot 2: Shodan search for Siemens devices, 2018/1/16]

Of course, some will object: "Being exposed on the internet does not mean the ICS device is connected directly to the external network; there may be a firewall in between. And even if we expose unimportant ICS devices externally, compromising them will not affect the other, unexposed ICS devices on our internal network."

In fact, the PLC, the ICS device that interacts directly with field equipment, can also be tampered with. Today we present our lab's latest research result: the PLC proxy server.

 

How a Proxy Server Works

A proxy (also called a network proxy) is a special network service that lets one network endpoint (usually a client) make an indirect connection to another network endpoint (usually a server) through that service.

The computer system or other network endpoint that provides the proxy service is called a proxy server. A complete proxied request works as follows: the client first establishes a connection to the proxy server; then, according to the proxy protocol the proxy server speaks, it asks the proxy to establish a connection to the target server or to fetch a specified resource from the target server.

Traditional proxy servers are real servers: host computers that can handle high traffic volumes and many connections. What we describe today is a proxy server implemented on a PLC.

[Figure: network topology of a factory; PLC A is reachable from the external network through a firewall port mapping, the other PLCs are not]

The figure above shows the network topology of a factory. There are many PLCs on the internal network, and a firewall is deployed on the path to the external network so that the PLCs are not exposed. But there is always the odd PLC that is connected to the external network through a port mapping, exposing only a fixed port. PLC A in the figure is one example: one of its ports can be reached from the external network, while the other PLCs have no port mapping and cannot be reached directly.

Now suppose we first inject a special program into PLC A that turns it into a proxy server and makes it connect back (a reverse connection) to our attack host.

This achieves two things:

  1.  the reverse connection lets us get past the firewall;
  2.  once PLC A has become a proxy server, we can use it to reach resources on the internal network and even indirectly attack other PLCs.

Implementing a Proxy Server on a Siemens PLC

Below we use the Siemens S7-1200 PLC as a case study to explain how we implemented a proxy server on this PLC. The S7-1200 provides two blocks, Tsend and Trcv, which drive the PLC's network interface to send and receive data respectively. We cover these blocks in a separate article: "A Comparison of Using the TRCV Instruction on the Siemens S7-300, 1212C and 1215C".

Tsend and Trcv block diagram

[Figure: the Tsend and Trcv blocks]

Parameters of the send/receive blocks:

[Figure: parameter table of the Tsend and Trcv blocks]

Each Tsend or Trcv block on the PLC can be bound to only a single IP address and port, so we use three pairs of send/receive blocks to implement the PLC proxy server (several pairs, but all communicating over the one network interface; the program simply instantiates Tsend and Trcv several times). The three pairs, SR0, SR1 and SR2, serve the following functions:

  • SR0: connected to the external network; receives the IP and port of the device to be proxied
  • SR1: connected to the external network; receives the data to be forwarded through the proxy
  • SR2: connected to the internal network; receives the data returned from the internal network

[Figure: data flow between SR0, SR1, SR2, the attacker's host and the internal device]

After the PLC is compromised, it connects back to two ports on the attacker's computer on the external network: one connection, SR0, controls which internal host the PLC proxy connects to; the data arriving on the other connection, SR1, is forwarded by the PLC proxy to the internal device the PLC is connected to. The PLC has a single connection to the internal network, SR2. The PLC first stores the data it sends and receives in its own buffer and then forwards it to the other side, much like a man-in-the-middle.
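The two reverse connections (SR0, SR1) and the single internal connection (SR2) described above leave a distinctive network footprint: a PLC initiating sessions towards the internet, a PLC opening sessions to another PLC's web server, and an external client hitting a PLC port that was never mapped. The following Python script is an added example written for this article's topology, not code from the original post or from the ISF project. It assumes a constructed flow-log format and constructed records, the addresses used in the demonstration (192.168.1.14 as PLC A, 192.168.1.12 and 192.168.1.17 as internal PLCs, 192.168.1.0/24 as the plant LAN), that PLC A is legitimately reachable from outside only on TCP 102, and that PLC-to-PLC sessions are normal only on TCP 102 (S7 PUT/GET); all of these are assumptions that a real deployment would replace with its own asset inventory.

```python
# Added example (not from the original article or the ISF project): flag connection
# records whose direction or port is inconsistent with how a PLC normally behaves,
# i.e. the footprint of a PLC being used as a reverse socket proxy.
import ipaddress
import re
from dataclasses import dataclass

# Assumptions about the plant (constructed values, matching the article's topology).
OT_NETWORK = ipaddress.ip_network("192.168.1.0/24")
PLC_HOSTS = {"192.168.1.14", "192.168.1.12", "192.168.1.17"}   # PLC A plus two internal PLCs
# Ports on which a PLC is deliberately exposed through the firewall's port mapping.
EXPOSED_PLC_PORTS = {"192.168.1.14": {102}}
# Ports on which one PLC may legitimately open a session to another (S7 PUT/GET).
PLC_TO_PLC_PORTS = {102}

# Constructed flow-log format: "<timestamp> TCP <src>:<sport> -> <dst>:<dport>".
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+TCP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flows(text):
    """Parse flow-log lines; anything that does not match the format is skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def in_ot(ip):
    return ipaddress.ip_address(ip) in OT_NETWORK


def classify(flow):
    """Return a finding label for one flow, or None if it looks benign."""
    src_plc = flow.src in PLC_HOSTS
    dst_plc = flow.dst in PLC_HOSTS
    if src_plc and not in_ot(flow.dst):
        # A PLC should never be the initiator of a session towards the internet:
        # this is the reverse connection (SR0/SR1) the article describes.
        return "plc_outbound_to_external"
    if src_plc and dst_plc and flow.dport not in PLC_TO_PLC_PORTS:
        # One PLC opening a session to another PLC's service (the SR2 leg).
        return "plc_to_plc_unexpected_port"
    if dst_plc and not in_ot(flow.src) and flow.dport not in EXPOSED_PLC_PORTS.get(flow.dst, set()):
        # An external host reaching a PLC port that was never meant to be reachable.
        return "external_to_plc_unexpected_port"
    return None


def detect(text):
    """Return (timestamp, src, dst, dport, label) for every suspicious flow, in log order."""
    findings = []
    for flow in parse_flows(text):
        label = classify(flow)
        if label:
            findings.append((flow.ts, flow.src, flow.dst, flow.dport, label))
    return findings


# Constructed sample records; 198.51.100.7 stands in for the attacker's external host.
SAMPLE_LOG = """\
2018-01-16T10:00:01 TCP 192.168.1.50:51000 -> 192.168.1.14:102    # engineering workstation, normal
2018-01-16T10:00:05 TCP 198.51.100.7:43210 -> 192.168.1.14:102    # external access through the mapped port
2018-01-16T10:01:12 TCP 192.168.1.14:49152 -> 198.51.100.7:2000   # PLC A dials out: control channel (SR0)
2018-01-16T10:01:12 TCP 192.168.1.14:49153 -> 198.51.100.7:2001   # PLC A dials out: data channel (SR1)
2018-01-16T10:01:20 TCP 192.168.1.14:49154 -> 192.168.1.12:80     # PLC A reaches another PLC's web server (SR2)
2018-01-16T10:02:30 TCP 198.51.100.7:43300 -> 192.168.1.14:88     # external client hits the proxy port
2018-01-16T10:03:00 TCP 192.168.1.14:49155 -> 192.168.1.12:102    # PLC-to-PLC S7 PUT/GET, allowed
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

Run stand-alone it prints four findings: the two outbound channels, the PLC-to-PLC session on port 80 and the external hit on port 88; the mapped S7 port and the PLC-to-PLC session on port 102 pass. The first rule is the one worth keeping even where the others need tuning: a PLC that initiates a session to an address outside the OT network is anomalous regardless of port.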

Attack Demonstration

We used the ISF framework to perform the incremental download of the PLC proxy server. About ISF: the framework is developed mainly in Python; by integrating Fuzzbunch, the NSA attack framework released by the Shadow Brokers, we built a framework suited to exploiting ICS vulnerabilities. Because Fuzzbunch only works with Python 2.6 and many of its core functions are packaged as DLLs called through function wrappers, it is inconvenient to port and use later on.

1. After logging in to the ISF framework, the 工匠安全实验室 logo appears, as shown:

[Screenshot: ISF login banner]

2. Use the Siemens_1200_Proxy module

[Screenshot: selecting the Siemens_1200_Proxy module]

3. Configure the variables:

  • Set the IP address and port of the target PLC, then choose Inject
  • ISF then starts the incremental download of the PLC proxy server program to the PLC
  • During the download the PLC first enters STOP mode; once the download completes it restarts and returns to RUN mode

Screenshot of a successful run:

[Screenshot: injection completed successfully]

4. Next we need to set the IP and port of the device the PLC should connect to. Enter prompt to configure the variables again; this time, after setting ip and port, choose 2, the Set Proxy IP/Port option, to set the IP and port of the device to connect to. The finished configuration is shown in the figure. We configured access to port 80 of 192.168.1.12.

[Screenshot: Set Proxy IP/Port configured for 192.168.1.12:80]

5. Open port 88 of the PLC in a browser to check whether the proxy works. We find that we can reach port 80 of 192.168.1.12 through 192.168.1.14, as shown below:

[Screenshot: the page of 192.168.1.12:80 served via 192.168.1.14:88]

6. Update the proxy configuration so that the PLC proxies to port 80 of 192.168.1.17, then open port 88 of 192.168.1.14 in the browser and check whether 192.168.1.17 can be reached through the proxy:

[Screenshot: the page of 192.168.1.17:80 served via 192.168.1.14:88]

7. We entered the same URL in the browser and were shown two different pages, which proves that our PLC performs the Socket proxy function! With the demonstration complete, here is the process of removing the proxy server from the PLC:

[Screenshot: clearing the proxy server program from the PLC]

That concludes our demonstration of incrementally downloading and removing the PLC proxy server with the ISF framework.
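Step 3 above notes that the download forces the PLC into STOP mode and then restarts it into RUN; that STOP/RUN cycle is the one trace this technique leaves on the PLC itself, and a plant can audit it. The script below is an added example, not code from the original article or from the ISF project. It assumes a constructed, simplified event format (one line per PLC mode change or program download; a real plant would derive these from the controller's diagnostic buffer or from S7 traffic on the network), a constructed list of authorised engineering workstations, a daytime maintenance window, and a five-minute look-back for the authorising download; all of these values are assumptions.

```python
# Added example (not from the original article or the ISF project): pair each
# RUN->STOP transition with the following STOP->RUN on the same PLC, then flag
# cycles that fall outside the maintenance window or were not preceded by a
# program download from an authorised engineering workstation.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumptions (constructed values).
AUTHORISED_ENGINEERING_HOSTS = {"192.168.1.50"}
MAINTENANCE_WINDOW = (8, 18)          # deliberate STOP/RUN cycles expected 08:00-18:00
DOWNLOAD_LOOKBACK = timedelta(minutes=5)

# Constructed event format: "<iso timestamp> plc=<ip> event=<name> [key=value ...]".
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+plc=(?P<plc>[\d.]+)\s+event=(?P<event>\w+)(?P<rest>.*)$")


@dataclass
class Event:
    ts: datetime
    plc: str
    event: str
    attrs: dict = field(default_factory=dict)


def parse_events(text):
    """Parse event lines and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m["rest"].split())
        events.append(Event(datetime.fromisoformat(m["ts"]), m["plc"], m["event"], attrs))
    return sorted(events, key=lambda e: e.ts)


def find_stop_run_cycles(events):
    """Return (stop_event, run_event) pairs, one per completed STOP -> RUN cycle."""
    open_stops, cycles = {}, []
    for e in events:
        if e.event != "mode":
            continue
        if e.attrs.get("to") == "STOP":
            open_stops[e.plc] = e
        elif e.attrs.get("to") == "RUN" and e.plc in open_stops:
            cycles.append((open_stops.pop(e.plc), e))
    return cycles


def authorised_download_before(events, plc, when):
    """True if an authorised workstation downloaded to this PLC shortly before `when`."""
    for e in events:
        if e.plc == plc and e.event == "program_download" and when - DOWNLOAD_LOOKBACK <= e.ts <= when:
            return e.attrs.get("src") in AUTHORISED_ENGINEERING_HOSTS
    return False


def audit(text):
    """Return (plc, stop_time, run_time, reasons) for every cycle that needs a look."""
    events = parse_events(text)
    findings = []
    for stop, run in find_stop_run_cycles(events):
        reasons = []
        if not (MAINTENANCE_WINDOW[0] <= stop.ts.hour < MAINTENANCE_WINDOW[1]):
            reasons.append("outside maintenance window")
        if not authorised_download_before(events, stop.plc, stop.ts):
            reasons.append("no authorised program download in the 5 minutes before the STOP")
        if reasons:
            findings.append((stop.plc, stop.ts.isoformat(), run.ts.isoformat(), reasons))
    return findings


# Constructed sample events: a legitimate download, a download from an unknown
# host in working hours, and a night-time cycle with no download record at all.
SAMPLE_EVENTS = """\
2018-01-16T10:00:30 plc=192.168.1.12 event=program_download src=192.168.1.50
2018-01-16T10:00:32 plc=192.168.1.12 event=mode from=RUN to=STOP
2018-01-16T10:01:10 plc=192.168.1.12 event=mode from=STOP to=RUN
2018-01-16T10:20:00 plc=192.168.1.14 event=program_download src=192.168.1.99
2018-01-16T10:20:02 plc=192.168.1.14 event=mode from=RUN to=STOP
2018-01-16T10:20:45 plc=192.168.1.14 event=mode from=STOP to=RUN
2018-01-17T02:13:05 plc=192.168.1.17 event=mode from=RUN to=STOP
2018-01-17T02:13:50 plc=192.168.1.17 event=mode from=STOP to=RUN
"""

if __name__ == "__main__":
    for plc, stopped, running, reasons in audit(SAMPLE_EVENTS):
        print(plc, stopped, "->", running, "; ".join(reasons))
```

Of the three cycles in the sample, only the first is quiet: the second is flagged because the download came from an unlisted host, the third because it happened at night with no download record. A STOP lasting tens of seconds on a production controller is also a process-safety event in its own right, which is why this check belongs next to the plant's operational alarms rather than only in a security tool.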

Conclusion

In the wave of the Internet of Everything and smart manufacturing, more and more ICS devices are being connected to the internet, exposing once "seemingly secure" industrial control systems to public view. The incidents of recent years that began in traditional IT security and spilled over into industrial control systems are the best proof of this.

With the publication of the Industrial Control System Information Security Action Plan (2018-2020), ICS security has drawn more attention; the interest of the state and of enterprises will lead more people to commit themselves to this worthwhile cause.

Starting from the PLC, the most common ICS component, this article "converted" a PLC into a proxy server and then used that PLC proxy as a pivot to penetrate the internal network. This form of attack is highly covert and feasible in the real world, so factories and enterprises alike should understand it and adopt the corresponding countermeasures.

Original author: Dark_Alex. Please credit 工匠安全实验室 when reposting.


Comments (14)

  • br4zzor 2018-02-27 18:39

    Great article @Dark_Alex!
    Are you planning to share the exploit module on the main git repo, otherwise can I ask for it for researching purpose?
    Thanks for your availability.

    • Dark_Alex 2018-03-01 11:27

      Thanks, we can talk about it in email. Email: [email protected]@sina.com

    • Dark_Alex 2018-03-01 11:28

      Oh, sorry. This is the right address: [email protected]

      • br4zzor 2018-03-06 16:28

        Thanks for your reply, I’ve sent you an email: [email protected]

      • stevencheong 2018-04-10 21:39

        @Dark_Alex!

        Thanks for sharing the article. Any chance to be able to download those video capture files for education purposes? Thanks

