The book Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions covers PLC discovery, scanning, modification, intrusion, malware and much more.
For PLCs that communicate over Modbus TCP/IP or Step7 in particular, the book describes many ways to control PLCs over the network without using the vendor-supplied applications.
For example, with Modbus TCP you can use modbus-cli to control PLCs, including reading or modifying memory (e.g., coils, registers). To discover Modbus TCP devices you can use the Nmap NSE script modbus-discover, and for packet-level work use Wireshark (or tshark) for capture and modbus-vcr for man-in-the-middle attacks.
Other tools such as plcscan will discover both Modbus TCP and Step7 (s7comm) devices. The s7-info Nmap NSE script will provide further information about any s7comm devices found.
Hacking Exposed Industrial Control Systems also covers Stuxnet in varying depth, with links to many other documents such as Symantec's W32.Stuxnet Dossier and Dillon Beresford's BlackHat 2011 talk on exploiting S7 PLCs. Here are the basics the book summarizes:
> Stuxnet’s total composition consisted of three modules: one worm and two payloads. Stuxnet was traditionally introduced into an environment via a USB flash drive or external hard drive. Immediately on insertion of the infected media, Stuxnet’s worm capability laterally looked for any system with Siemens Step7 software running. Stuxnet performed this search by using techniques such as peer-to-peer RPC (https://en.wikipedia.org/wiki/Peer-to-peer) to help bypass the system’s possibility of not being Internet connected. If Step7 was not found on any laterally connected system, Stuxnet went dormant for a period of time before rescanning the environment. In the event that Step7 was identified, a combination of one or both payloads were executed.
>
> Of the two payloads contained within Stuxnet, one attacked the Siemens S7-315-2 PLC, which was primarily being used in high-frequency drives controlling Iranian centrifuges. The other payload, which is less known, performed a Man-in-The-Middle (MiTM) attack within the PLC. The payload took any input going to the PLC’s I/O modules and faked them so any logic within the PLC worked off incorrect logic. The payload then told the PLC what to do, instead of the PLC listening to the logic on the system itself. This was the first time any known malware hid modified PLC code, making Stuxnet the first “PLC rootkit”.
and on Siemens S7comms:
> S7comms, or Step 7 communications, is a Siemens protocol implemented on an ISO protocol that is not open and has very tight controls. For the 200/300 families of PLCs, you can find some basic information about the protocol via a Wireshark dissector that is only partially implemented.
including a packet trace of S7 in action captured with Wireshark:
The book provides many other resources, which I have listed here together with some others for further reference:
- ICS devices on Shodan - link
- Step7 attacks (e.g., brute-force scripts) - link
- ScadaStrangeLove SCADAPASS - link
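Since the answer above describes reading and writing coils and registers over Modbus TCP and capturing that traffic with Wireshark or tshark, here is an added defensive example (my own code, not from the book or the answer) that parses Modbus/TCP frames and flags write requests from hosts that are not on an allow-list of engineering workstations or HMIs. The MBAP and PDU layout follows the Modbus/TCP specification; the sample frames, IP addresses and allow-list are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional
# Function codes that change PLC state (coils / holding registers) versus plain reads.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register", 15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers", 4: "Read Input Registers"}

@dataclass
class ModbusPDU:
    transaction_id: int
    unit_id: int
    function: int
    name: str
    start_address: Optional[int]  # first coil/register touched, when the PDU carries one
    is_write: bool
    is_exception: bool

def parse_modbus_tcp(frame: bytes) -> ModbusPDU:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header, then the PDU (function code + data)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(frame) - 6:  # the length field covers unit id + PDU
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(frame) - 6}")
    fc = frame[7]
    if fc & 0x80:  # exception response: original function code with the high bit set
        return ModbusPDU(tid, uid, fc & 0x7F, f"Exception {frame[8]}", None, False, True)
    start = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else None
    name = WRITE_FUNCTIONS.get(fc) or READ_FUNCTIONS.get(fc) or f"Function {fc}"
    return ModbusPDU(tid, uid, fc, name, start, fc in WRITE_FUNCTIONS, False)

def flag_unexpected_writes(capture: list, allowed_writers: set) -> list:
    """Return (source, pdu) for every write request not sent by an allow-listed HMI/engineering host."""
    alerts = []
    for src, raw in capture:
        pdu = parse_modbus_tcp(raw)
        if pdu.is_write and src not in allowed_writers:
            alerts.append((src, pdu))
    return alerts

# Constructed sample capture (source ip, raw bytes); only 10.0.0.5 is allowed to write.
ALLOWED_WRITERS = {"10.0.0.5"}
CAPTURE = [
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),            # read 10 holding registers
    ("10.0.0.99", bytes.fromhex("00020000000601050013ff00")),           # write single coil 0x13 ON
    ("10.0.0.5", bytes.fromhex("00030000000b01100001000204000a0102")),  # write 2 registers from 1
    ("10.0.0.20", bytes.fromhex("000400000003018302")),                 # PLC exception reply (code 2)
]
```

Feeding real frames in is a matter of exporting the TCP payload of port 502 packets from tshark and pairing each with its source address; the length check also catches truncated or malformed ADUs that a fuzzer or a broken tool would produce.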