Security analysis of Mitsubishi Q series PLCs is covered in the previous article; this post is a concrete case of a control device running on the public Internet, and one of the cases this time whose identity could be confirmed from the page title (an energy management system at Hokkaido University, Japan). In principle, if no password is set on the PLC, the programming software can manage it remotely: upload and download the project, stop the CPU, and so on. In this case the web service open on the address in question was confirmed to be ecoserver (apparently also a small Mitsubishi web-based energy monitoring system, mainly used to monitor current power consumption; once the Java applet loads it can show trend charts and similar views), and the open UDP port (5006, the Melsoft port queried by the script below) confirmed the PLC model as a Q series CPU, Q12DCCPU-V. The identification method is described in the previous analysis; for batch verification across many hosts, use the Nmap NSE scripts given in this article.
[Web screenshots, not reproduced here: home page; trend chart; measurement point information]
Information identified with the Nmap script:

Generic Nmap discovery script, TCP version:
http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover.nse_.txt

UDP version:
http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover-udp.nse_.txt

-- Nmap Scripting Engine
-- required packages for this script
-- Note: this script targets the 2014-era NSE API. The "bin" library was later
-- removed from Nmap (use string.pack/string.unpack on current releases).
local bin = require "bin"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

--Output Example:
--PORT     STATE SERVICE            REASON
--5006/udp open  Mitsubishi/Melsoft udp syn-ack
--| melsecq-discover:
--|_  CPUINFO: Q03UDECPU

description = [[
discovery Mitsubishi Electric Q Series PLC GET CPUINFO
]]

author = "ICS Security Workspace(plcscan.org)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery","intrusive"}

-- Mark the port open and record the product once a valid reply is seen.
function set_nmap(host, port)
  port.state = "open"
  port.version.name = "Mitsubishi/Melsoft Udp"
  port.version.product = "Mitsubishi Q PLC"
  nmap.set_port_version(host, port)
  nmap.set_port_state(host, port, "open")
end

-- Send the probe and return the raw reply, or nil plus an error message.
function send_receive(socket, query)
  local sendstatus, senderr = socket:send(query)
  if (sendstatus == false) then
    return nil, "Error Sending getcpuinfopack: " .. tostring(senderr)
  end
  local rcvstatus, response = socket:receive()
  if (rcvstatus == false) then
    return nil, "Error Reading getcpuinfopack: " .. tostring(response)
  end
  return response
end

portrule = shortport.port_or_service(5006, "Melsoft/TCP", "udp")

action = function(host, port)
  -- GET CPUINFO request, 41 bytes, as captured from the Melsoft dialogue.
  local getcpuinfopack = bin.pack("H",
    "57000000001111070000ffff030000fe03000014001c080a080000000000000004" ..
    "0101" ..
    "010000000001")
  local output = stdnse.output_table()
  local sock = nmap.new_socket()
  local constatus, conerr = sock:connect(host, port)
  if not constatus then
    stdnse.print_debug(1, "Error establishing connection for %s - %s", host, conerr)
    return nil
  end

  local response, err = send_receive(sock, getcpuinfopack)
  sock:close()
  if not response then
    stdnse.print_debug(1, "%s", err)
    return nil
  end

  -- A valid reply starts with 0xd7; the CPU model is a NUL-terminated
  -- string at byte position 42 (1-based), trimmed to 16 characters.
  local _, pack_head = bin.unpack("C", response, 1)
  --local _, space_id = bin.unpack("C", response, 55)
  local offset = 0
  if (pack_head == 0xd7) then
    --if ( space_id == 0x20) then
    local _, cpuinfo = bin.unpack("z", response, 42 + offset)
    if not cpuinfo then
      return nil
    end
    output["CPUINFO"] = string.sub(cpuinfo, 1, 16)
    set_nmap(host, port)
    return output
    --end
  else
    return nil
  end
end

Remediation:

Internal systems and field devices should still not be exposed to the public Internet.
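As an added example (not code from the original post or from plcscan.org), the same CPUINFO probe reimplemented in Python so it can be run against a host list, or used from the outside to verify the remediation above, without Nmap. The request bytes, the 0xd7 reply marker, the model-string offset (Lua position 42, i.e. zero-based 41) and the 16-character cap are taken directly from the NSE script; the sample reply used for offline testing is constructed (only the marker byte and the string offset are known from the script, the padding is not a real protocol layout), and the function names are my own.

```python
import socket

# GET CPUINFO request bytes, copied from the NSE script above (getcpuinfopack).
CPUINFO_REQUEST = bytes.fromhex(
    "57000000001111070000ffff030000fe03000014001c080a080000000000000004"
    "0101"
    "010000000001"
)

MELSOFT_UDP_PORT = 5006
RESPONSE_MAGIC = 0xD7   # first byte of a valid reply, as checked by the NSE script
CPUINFO_OFFSET = 41     # zero-based; the Lua script unpacks a "z" string at position 42
CPUINFO_MAX_LEN = 16    # the NSE script keeps string.sub(cpuinfo, 1, 16)


def parse_cpuinfo(response: bytes):
    """Return the CPU model string from a reply, or None if it does not look valid.

    Mirrors the NSE logic: check the marker byte, read a NUL-terminated string at
    the fixed offset, and cap it at 16 characters. Short or foreign replies give None.
    """
    if len(response) <= CPUINFO_OFFSET or response[0] != RESPONSE_MAGIC:
        return None
    tail = response[CPUINFO_OFFSET:]
    end = tail.find(b"\x00")
    cpuinfo = tail if end < 0 else tail[:end]
    return cpuinfo[:CPUINFO_MAX_LEN].decode("ascii", errors="replace")


def probe_melsecq(host: str, port: int = MELSOFT_UDP_PORT, timeout: float = 2.0):
    """Send the CPUINFO request over UDP and parse the reply.

    Returns the model string, or None on timeout or on a non-matching reply.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CPUINFO_REQUEST, (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return None
    return parse_cpuinfo(data)


def make_sample_response(cpu_model: bytes) -> bytes:
    """Constructed reply for offline testing (hypothetical layout).

    Only the 0xd7 marker and the string offset come from the NSE script; the zero
    padding and trailing bytes stand in for fields whose meaning the script does not use.
    """
    padding = b"\x00" * (CPUINFO_OFFSET - 1)
    return bytes([RESPONSE_MAGIC]) + padding + cpu_model + b"\x00" + b"\x11\x22"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live probe of each host given on the command line.
        for target in sys.argv[1:]:
            print(target, probe_melsecq(target))
    else:
        # Offline self-check against the constructed reply.
        print(parse_cpuinfo(make_sample_response(b"Q12DCCPU-V")))
```

The parser is deliberately separated from the socket code so that it can be exercised against captured packets; for a real engagement, replace make_sample_response with a pcap-extracted reply before trusting the offset on a new CPU type.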
Disclaimer: this article is reposted from the web and does not represent the position of haodehen.cn; when reprinting, cite the source: http://www.haodehen.cn/did15347