An Introduction to Industrial Security: EtherNet/IP

Source: Internet
Author: User
Tags: python, script, controllogix

Translator's note: This article is still at the protocol level; three protocol-level articles will be translated, and the next one covers DNP3, which is used more in power systems. Most of the material cited in this article is accessible; only one writeup on reversemode.com (http://reversemode.com/downloads/logix_report_Basecamp.pdf) requires authentication to download. If a friend can download it, please share it.

EtherNet/IP

Compared with Modbus, EtherNet/IP is a more modern standard protocol. It was designed jointly by the ControlNet International working group and ODVA in the 1990s. EtherNet/IP is built on the Common Industrial Protocol (CIP), an open industrial protocol maintained by ODVA that is also used over fieldbus networks such as DeviceNet and ControlNet. The U.S. automation vendor Rockwell Automation/Allen-Bradley has standardized on EtherNet/IP, and other vendors such as Omron support it on their devices, so EtherNet/IP has become increasingly popular, especially in the United States. Although EtherNet/IP is more modern than Modbus, it still has security problems at the protocol level. EtherNet/IP normally runs on TCP and UDP port 44818; in addition, UDP port 2222 is used. The reason for the second port is that EtherNet/IP implements two messaging modes, explicit and implicit. Explicit messaging is request/response (client/server) traffic carried on port 44818, while implicit messaging, usually called I/O messaging, carries cyclic I/O data on UDP port 2222.

EtherNet/IP is the encapsulation used to carry CIP over Ethernet. The CIP frame inside an EtherNet/IP packet carries commands, data points and messages, and spans four layers: the CIP device profile layer, the application layer, the presentation layer and the session layer. The remainder of the packet is the EtherNet/IP frame, through which CIP frames are transmitted over standard Ethernet and TCP/IP. The EtherNet/IP packet structure is shown in Figure 5-12.

The CIP specification places a number of requirements on the packet structure, which means that every device that uses EtherNet/IP must implement the specification's commands. The following fields make up the EtherNet/IP encapsulation header (24 bytes, all integers little-endian) that wraps the CIP frame:

    • Command

      A two-byte integer identifying the encapsulation command. The CIP standard requires that a device must be able to receive an unrecognized command value and handle the error rather than fail.

    • Length

      A two-byte integer giving the length of the data portion of the packet that follows the header. For a request without a data portion, this field is 0.

    • Session Handle

      A four-byte value generated by the target device and returned to the initiator of the session. The handle is then carried in all subsequent communication with the target device.

    • Status

      A four-byte field carrying the status code of the command the target device executed. A status of 0 means success, and every request carries status 0. Other status codes include:

      - 0x0001 Invalid or unsupported command
      - 0x0002 Insufficient memory resources in the target device to process the command
      - 0x0003 Poorly formed or incorrect data
      - 0x0064 Invalid session handle
      - 0x0065 Invalid data length

    • Sender Context

      An eight-byte value generated by the sender of the command; the receiver returns it unchanged, so the sender can match replies to requests.

    • Options

      A four-byte field that must always be 0; a packet with a non-zero options value is discarded.

    • Command-specific data

      Variable-length data whose layout depends on the command sent or received.

When the requester is an engineering workstation, the first command executed in most sessions is List Identity. In the packet shown below, the command field is 0x63, which is List Identity, and the sender context is 0x00006a0ebe64. This command is much like Modbus function code 43 (Read Device Identification): it queries device information such as vendor, product name, serial number, product code, device type and revision. The Python script ethernetip.py from the GitHub project pyenip (https://github.com/paperwork/pyenip/blob/master/ethernetip.py) can query this information from an EtherNet/IP device. By default the script does not run the exchange; uncomment the call to testENIP() at the bottom of the script, which sends the ListIdentity command and parses the reply, and then run the script.

At the same time, you can use Wireshark to view the request and response packets.

We do not reproduce the script here because it is about 1000 lines long; it is available at the GitHub link (https://github.com/paperwork/pyenip/blob/605ad6d026865e3378542d4428ec975e7c26d2e4/ethernetip.py).

Device Information Disclosure
    • Popularity: 10

    • Simplicity: 8

    • Impact: 3

    • Risk Rating: 7

Digital Bond's Project Redpoint implements a script similar to pyenip that can be used to pull information from remote devices. The Redpoint script sends the same List Identity command discussed in the previous section and uses Nmap NSE scripts to parse the response. One interesting detail: the Command Specific Data of the response contains a socket address (IP address and port number), and this is the device's own IP address and port, even when the device sits behind a NAT device.

Searching Shodan (https://www.shodan.io/search?query=port%3A44818) shows that for a large number of devices the IP address in this field differs from the IP address that was scanned. From this we conclude that most EtherNet/IP devices are deployed on internal networks behind NAT rather than directly exposed to the Internet. Figure 5-15 shows the result of an Nmap scan against a CompactLogix controller; the IP address reported by the device does not match the scanned IP address, which indicates that the target sits behind a router or firewall.

The scan output also shows the vendor of the device, Rockwell. In the response the vendor is a two-byte vendor ID that maps to the list of vendors registered for EtherNet/IP, but that list is not readily available as a public lookup table. Looking at the packets captured in Wireshark, we noticed that Wireshark's dissector replaces the vendor ID with the vendor's name, which means Wireshark knows how to map vendor IDs to names. Searching the Wireshark source on GitHub, we found the vendor ID table in the CIP dissector (epan/dissectors/packet-cip.c), which tells us how to resolve the vendor ID. When analyzing industrial control protocols, Wireshark is often a powerful and useful resource.
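The following Python is an added example, not the pyenip, Redpoint or Wireshark code referred to above. It builds the 24-byte encapsulation header described in the field list, constructs both sides of a List Identity exchange in memory (the engineering station's request and the device's reply), decodes the socket address in the reply and compares it with the address the probe was sent to, as Redpoint does, and resolves the vendor ID through a lookup table. The header and item layouts follow the EtherNet/IP encapsulation specification; the device name, serial number, product code and IP addresses are constructed sample data, and the vendor table contains only the Rockwell entry (ID 1), the same entry Wireshark's packet-cip.c table carries.

```python
"""EtherNet/IP encapsulation header and List Identity (0x63) encoder/decoder.
Added example: both sides of the exchange are constructed in memory; no network I/O."""
import struct
from collections import namedtuple
from dataclasses import dataclass

# Encapsulation header, 24 bytes, little-endian:
# command(2) length(2) session handle(4) status(4) sender context(8) options(4)
ENCAP = struct.Struct("<HHIIQI")
EncapHeader = namedtuple("EncapHeader", "command length session status context options")
# Socket address in the List Identity reply is big-endian (network order):
# sin_family(2) sin_port(2) sin_addr(4) sin_zero(8)
SOCKADDR = struct.Struct(">hHI8s")
# Identity fields after the socket address, little-endian:
# vendor(2) device type(2) product code(2) rev major(1) rev minor(1) status(2) serial(4)
IDENT = struct.Struct("<HHHBBHI")

CMD_LIST_IDENTITY, CMD_REGISTER_SESSION = 0x63, 0x65
ITEM_LIST_IDENTITY = 0x000C
AF_INET = 2
STATUS_TEXT = {
    0x0000: "success",
    0x0001: "invalid or unsupported command",
    0x0002: "insufficient memory resources",
    0x0003: "poorly formed or incorrect data",
    0x0065: "invalid length",
}
# CIP vendor IDs come from a registry; only the entry needed here is embedded (ID 1 = Rockwell).
VENDOR_NAMES = {1: "Rockwell Automation/Allen-Bradley"}


def build_encap(command, data=b"", session=0, status=0, context=0):
    """Wrap command-specific data in an encapsulation header; options is always 0."""
    return ENCAP.pack(command, len(data), session, status, context, 0) + data


def parse_encap(buf):
    """Split a packet into header and command-specific data, applying the spec's discard rules."""
    if len(buf) < ENCAP.size:
        raise ValueError("packet shorter than the 24-byte encapsulation header")
    hdr = EncapHeader(*ENCAP.unpack_from(buf))
    if hdr.options != 0:
        raise ValueError("options field must be 0; a conforming device discards this packet")
    data = buf[ENCAP.size:]
    if hdr.length != len(data):
        raise ValueError(f"length field {hdr.length} does not match payload size {len(data)}")
    return hdr, data


@dataclass
class Identity:
    vendor_id: int
    device_type: int
    product_code: int
    revision: tuple
    status: int
    serial: int
    product_name: str
    state: int
    sock_ip: str      # the address the device reports for itself
    sock_port: int

    @property
    def vendor_name(self):
        return VENDOR_NAMES.get(self.vendor_id, f"unknown vendor 0x{self.vendor_id:04x}")


def encode_list_identity_reply(ident, context):
    """Target device side: one CIP Identity item inside a List Identity reply."""
    addr = int.from_bytes(bytes(int(o) for o in ident.sock_ip.split(".")), "big")
    name = ident.product_name.encode("ascii")
    item = (struct.pack("<H", 1)                                     # encapsulation protocol version
            + SOCKADDR.pack(AF_INET, ident.sock_port, addr, b"\0" * 8)
            + IDENT.pack(ident.vendor_id, ident.device_type, ident.product_code,
                         ident.revision[0], ident.revision[1], ident.status, ident.serial)
            + bytes([len(name)]) + name + bytes([ident.state]))
    data = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item  # item count, type, length
    return build_encap(CMD_LIST_IDENTITY, data, context=context)


def parse_list_identity_reply(data):
    """Decode the command-specific data of a List Identity reply."""
    count, type_id, item_len = struct.unpack_from("<HHH", data, 0)
    if count != 1 or type_id != ITEM_LIST_IDENTITY:
        raise ValueError("expected exactly one List Identity item")
    item = data[6:6 + item_len]
    if len(item) != item_len:
        raise ValueError("identity item truncated")
    family, port, addr, _zero = SOCKADDR.unpack_from(item, 2)
    if family != AF_INET:
        raise ValueError(f"unexpected address family {family}")
    vendor, dev_type, code, major, minor, status, serial = IDENT.unpack_from(item, 2 + SOCKADDR.size)
    off = 2 + SOCKADDR.size + IDENT.size
    name_len = item[off]
    name = item[off + 1:off + 1 + name_len].decode("ascii", "replace")
    state = item[off + 1 + name_len]
    ip = ".".join(str(b) for b in addr.to_bytes(4, "big"))
    return Identity(vendor, dev_type, code, (major, minor), status, serial, name, state, ip, port)


def behind_nat(ident, probed_ip):
    """True when the device reports a different address than the one we probed."""
    return ident.sock_ip != probed_ip


def demo():
    """Constructed sample: a PLC on a private LAN reached through a public address."""
    device = Identity(1, 0x0E, 0x5A, (20, 11), 0x0060, 0x1234ABCD,
                      "1769-L33ER/A LOGIX5333ER", 0x03, "192.168.1.10", 44818)
    context = 0x00006A0EBE64                        # sender context value from the capture in the text
    req_hdr, req_data = parse_encap(build_encap(CMD_LIST_IDENTITY, context=context))
    assert req_hdr.session == 0 and req_data == b""  # List Identity needs no session and no data
    hdr, data = parse_encap(encode_list_identity_reply(device, context))
    assert hdr.context == context                   # the device must echo the context unchanged
    ident = parse_list_identity_reply(data)
    return hdr, ident, behind_nat(ident, "203.0.113.5")
```

demo() returns the parsed reply header, the decoded Identity and the NAT verdict; against a live device the same parse_encap/parse_list_identity_reply pair applies to the bytes read back from UDP or TCP port 44818 after sending build_encap(CMD_LIST_IDENTITY).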

For commands like List Identity you can simply replay a packet with little or no modification. The session handle is 0, meaning no session is established: the command is sent and the device responds. To communicate further with the device you need to send a RegisterSession command (0x65). This command establishes the session handle that is used for all subsequent traffic in the session. As shown in Figure 5-16, the RegisterSession request carries the default handle 0x00000000, and the target device returns the handle it generated, 0x03A566BB.

EtherNet/IP Man-in-the-Middle Attack
    • Popularity: 5

    • Simplicity: 8

    • Impact: 8

    • Risk Rating: 7

EtherNet/IP has the same problems as most industrial control protocols. Kenexis, an engineering and training company, released a demonstration of a man-in-the-middle attack against EtherNet/IP; the examples are on its GitHub project page (https://github.com/kenexis/PortableICS-MITM). Unlike Modbus, simple packet replay does not work for some EtherNet/IP commands, which makes the attack slightly more complicated. For most attackers, however, this is a negligible obstacle once the protocol is understood: after the session handle has been negotiated, a man-in-the-middle attack like the earlier MODBUS-VCR tool can be carried out by manually adjusting the sequence numbers.

EtherNet/IP High-Risk Commands
    • Popularity: 5

    • Simplicity: 8

    • Impact: 8

    • Risk Rating: 7

Just as Modicon devices use function code 90 to stop the CPU, some EtherNet/IP devices support a similar command. Digital Bond's Project Basecamp released a Metasploit module (https://www.rapid7.com/db/modules/auxiliary/admin/scada/multi_cip_command) that can stop the CPU of many Allen-Bradley ControlLogix PLCs and do other damage, such as crashing the Ethernet module.

Ruben Santamarta, writing the Basecamp report "Attacking ControlLogix" (http://reversemode.com/downloads/logix_report_basecamp.pdf) for Digital Bond, put it this way: "Each packet we send must contain a session handle. That's all, and then we hack the controller. There are no more security mechanisms at the protocol level." [Translator's note: I cannot download the document from reversemode.com; if anyone is able to, please share it.] Ruben's point is that EtherNet/IP can be attacked simply by understanding the session handle. The other key to the effectiveness of this attack is Allen-Bradley's implementation of one command: Allen-Bradley implements the stop-CPU function in the NOP (0x00) command.

This behaviour is not documented in the CIP or EtherNet/IP specification; it is a private implementation in Allen-Bradley/Rockwell controllers. Testing a large number of devices, we found that on some older firmware the ControlLogix CPU was not only stopped but the device crashed and needed a hard reset. On current models the PLC must be pulled and reseated (power-cycled) before it runs again, and in rare cases the PLC has to be reprogrammed.
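The two observations above, that a negotiated session handle is all an attacker needs (Ruben's point, and the basis of the Kenexis man-in-the-middle demonstration) and that NOP (0x00) stops the CPU on Allen-Bradley controllers, translate directly into a passive detection check. The Python below is an added example, not Basecamp, Kenexis or MODBUS-VCR code: it walks a constructed capture of TCP/44818 payloads, learns session handles from RegisterSession replies, and raises alerts when a handle is used by a host that was not party to the registration, when a handle that was never registered appears, when a host outside the engineering-station allowlist opens a session, and when a NOP command is seen. The host addresses, the allowlist and the packet sequence are constructed; the handle value 0x03A566BB is the one from Figure 5-16.

```python
"""Passive audit of EtherNet/IP traffic: session-handle tracking and high-risk commands.
Added example over a constructed capture; not Basecamp, Kenexis or MODBUS-VCR code."""
import struct
from collections import namedtuple

ENCAP = struct.Struct("<HHIIQI")   # command, length, session handle, status, sender context, options
CMD_NOP, CMD_REGISTER_SESSION, CMD_SEND_RR_DATA = 0x00, 0x65, 0x6F

# Hosts allowed to open sessions to PLCs (constructed allowlist for the sample network).
ENGINEERING_STATIONS = {"10.0.0.5"}

Packet = namedtuple("Packet", "src dst payload")   # payload: one encapsulated PDU from TCP/44818
Alert = namedtuple("Alert", "severity src dst message")


def encap(command, session=0, context=0, data=b""):
    """Build an encapsulation packet with status 0 and options 0."""
    return ENCAP.pack(command, len(data), session, 0, context, 0) + data


def audit(packets):
    """Return alerts for hijacked or forged session handles and CPU-stopping commands."""
    sessions = {}   # handle -> {client, device}, learned from RegisterSession replies
    alerts = []
    for p in packets:
        if len(p.payload) < ENCAP.size:
            alerts.append(Alert("low", p.src, p.dst, "truncated encapsulation header"))
            continue
        cmd, length, session, status, _ctx, options = ENCAP.unpack_from(p.payload)
        if options != 0 or length != len(p.payload) - ENCAP.size:
            alerts.append(Alert("low", p.src, p.dst, "malformed header (options/length); device should discard"))
        if cmd == CMD_REGISTER_SESSION:
            if session == 0:                      # request: handle stays 0 until the device assigns one
                if p.src not in ENGINEERING_STATIONS:
                    alerts.append(Alert("medium", p.src, p.dst,
                                        "RegisterSession from a host outside the engineering allowlist"))
            elif status == 0:                     # reply: device (src) hands the handle to the client (dst)
                sessions[session] = {p.dst, p.src}
            continue
        if session != 0:
            if session not in sessions:
                alerts.append(Alert("high", p.src, p.dst,
                                    f"session handle 0x{session:08X} was never registered (replay or forged packet)"))
            elif p.src not in sessions[session]:
                alerts.append(Alert("high", p.src, p.dst,
                                    f"session handle 0x{session:08X} used by a third host (hijack / man-in-the-middle)"))
        if cmd == CMD_NOP:
            alerts.append(Alert("high", p.src, p.dst,
                                "NOP (0x00) command; on Allen-Bradley ControlLogix this is the command "
                                "Basecamp used to stop the CPU"))
    return alerts


def sample_capture():
    """Constructed capture: a legitimate session, then an attacker reusing the handle and guessing another."""
    station, plc, attacker = "10.0.0.5", "10.0.0.20", "10.0.0.99"
    handle = 0x03A566BB                          # handle value from Figure 5-16 in the text
    reg = struct.pack("<HH", 1, 0)               # RegisterSession data: protocol version 1, option flags 0
    return [
        Packet(station, plc, encap(CMD_REGISTER_SESSION, 0, 0x1111, reg)),
        Packet(plc, station, encap(CMD_REGISTER_SESSION, handle, 0x1111, reg)),
        Packet(station, plc, encap(CMD_SEND_RR_DATA, handle, 0x2222, b"\0" * 16)),       # normal traffic
        Packet(attacker, plc, encap(CMD_NOP, handle, 0x3333)),                           # stolen handle + NOP
        Packet(attacker, plc, encap(CMD_SEND_RR_DATA, 0xDEADBEEF, 0x4444, b"\0" * 16)),  # guessed handle
    ]


if __name__ == "__main__":
    for a in audit(sample_capture()):
        print(f"[{a.severity}] {a.src} -> {a.dst}: {a.message}")
```

The check is deliberately stateful: because the protocol itself never binds a handle to a host, the only way to notice a handle being used from the wrong place is to remember who registered it, which is also why a replayed RegisterSession reply or a device reboot (which invalidates all handles) should reset the table in a real sensor.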

Our standing advice still applies: if you want to test your EtherNet/IP devices, do so only on non-production devices, and make sure you have been granted permission to run exploits against them, because the consequences of running these tests on a device are unpredictable.
