Exposure of a Mitsubishi Q Series PLC Ethernet module in the Energy Management System of Japan's North Ocean University

For the security analysis of the Mitsubishi Q series PLC, see the previous article. This is a real case of a control device running on the public network, and one whose owner can be confirmed from the title.
In principle, if no password is set on the PLC, the programming software can perform remote management operations on it: uploading, downloading, and stopping the project.
In this case we confirmed that the web service exposed at the address in question is ecoserver (presumably the same as Mitsubishi's small web-based Energy Monitoring and Management System, which is mainly used to monitor current power usage; once the Java applet loads it shows trend charts and similar views), and through the open UDP port we confirmed the PLC model to be a Q series PLC (Q12DCCPU-V).
For the identification method, see the previous analysis. For batch verification in general, you can use the Nmap script (NSE) given in this article.

Web part:

[Screenshot: homepage]

[Screenshot: trend chart]

[Screenshot: measurement point information]

Information identified using the Nmap scripts:

[Screenshot: Nmap script output]

Nmap general-purpose discovery scripts

TCP version:

http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover.nse_.txt

UDP version:

http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover-udp.nse_.txt

The UDP version of the script (melsecq-discover-udp.nse):

    -- Nmap Scripting Engine
    -- required packages for this script
    -- (the bin library used here was later deprecated in Nmap in favour of
    -- string.pack/string.unpack; this script targets the 2014-era NSE API)
    local bin = require "bin"
    local nmap = require "nmap"
    local shortport = require "shortport"
    local stdnse = require "stdnse"
    local string = require "string"
    local table = require "table"

    -- Output Example:
    -- PORT     STATE SERVICE                REASON
    -- 5006/udp open  Mitsubishi/Melsoft udp syn-ack
    -- | melsecq-discover:
    -- |_  CPUINFO: Q03UDECPU

    description = [[
    Discovery of Mitsubishi Electric Q Series PLCs: GET CPUINFO
    ]]

    author = "ICS Security Workspace(plcscan.org)"
    license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
    categories = {"discovery", "intrusive"}

    -- Mark the port open and label service/product for Nmap's version output
    function set_nmap(host, port)
      port.state = "open"
      port.version.name = "Mitsubishi/Melsoft Udp"
      port.version.product = "Mitsubishi Q PLC"
      nmap.set_port_version(host, port)
      nmap.set_port_state(host, port, "open")
    end

    -- Send one query and return the raw reply. On failure an error string is
    -- returned; its first byte is not 0xd7, so the caller treats it as no match.
    function send_receive(socket, query)
      local sendstatus, senderr = socket:send(query)
      if sendstatus == false then
        return "Error Sending getcpuinfopack"
      end
      local rcvstatus, response = socket:receive()
      if rcvstatus == false then
        return "Error Reading getcpuinfopack"
      end
      return response
    end

    -- Run against UDP/5006 (MELSOFT)
    portrule = shortport.port_or_service(5006, "Melsoft/TCP", "udp")

    action = function(host, port)
      -- MELSOFT request asking the CPU for its type information
      local getcpuinfopack = bin.pack("H",
        "57000000001111070000ffff030000fe03000014001c080a080000000000000004" ..
        "0101" .. "010000000001")
      local response
      local output = stdnse.output_table()
      -- the port table carries protocol = "udp", so connect() uses UDP
      local sock = nmap.new_socket()
      local constatus, conerr = sock:connect(host, port)
      if not constatus then
        stdnse.print_debug(1, 'Error establishing connection for %s - %s', host, conerr)
        return nil
      end
      response = send_receive(sock, getcpuinfopack)
      -- byte 1 of a valid reply is 0xd7
      local mel, pack_head = bin.unpack("C", response, 1)
      --local mel, space_id = bin.unpack("C", response, 55)
      local offset = 0
      if pack_head == 0xd7 then
      --if ( space_id == 0x20) then
        -- the CPU type is a zero-terminated string starting at byte 42
        local mel, cpuinfo = bin.unpack("z", response, 42 + offset)
        output["CPUINFO"] = string.sub(cpuinfo, 1, 16)
        set_nmap(host, port)
        sock:close()
        return output
      --end
      else
        sock:close()
        return nil
      end
    end
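As an added example (not part of the original post or of plcscan.org's script), the reply-parsing step of the UDP script above rewritten in Python so the offset arithmetic and its failure modes can be checked offline: the reply layout (status byte 0xd7, NUL-terminated CPU type at 1-based offset 42, cut to 16 characters) is taken from the script, and every sample reply is constructed.

```python
"""MELSOFT/UDP CPU-info reply parser (added example, not from the post).

Layout assumed from the NSE script: status byte 0xd7 at offset 0 and a
NUL-terminated CPU type string at 1-based offset 42 (0-based index 41),
truncated to 16 characters. All sample replies below are constructed.
"""
from typing import Dict, Iterable, Optional, Tuple

HEADER_OK = 0xD7      # first byte the script checks (bin.unpack("C", response, 1))
CPUINFO_OFFSET = 41   # bin.unpack("z", response, 42) is 1-based; Python is 0-based
CPUINFO_MAXLEN = 16   # string.sub(cpuinfo, 1, 16)


def parse_cpuinfo(response: bytes) -> Optional[str]:
    """Return the CPU type from a reply, or None if it does not match the layout."""
    # Too short to hold anything at index 41, or wrong status byte: not a match
    if len(response) <= CPUINFO_OFFSET or response[0] != HEADER_OK:
        return None
    end = response.find(b"\x00", CPUINFO_OFFSET)
    if end == -1:
        return None  # no terminator: reject rather than read to end of buffer
    name = response[CPUINFO_OFFSET:end][:CPUINFO_MAXLEN]
    try:
        return name.decode("ascii")
    except UnicodeDecodeError:
        return None


def make_reply(cpu: str, header: int = HEADER_OK) -> bytes:
    """Build a CONSTRUCTED reply with the assumed layout (for offline testing)."""
    return bytes([header]) + b"\x00" * (CPUINFO_OFFSET - 1) + cpu.encode("ascii") + b"\x00"


def inventory(replies: Iterable[Tuple[str, bytes]]) -> Dict[str, str]:
    """Map host -> CPU type for every reply that parses; the rest are ignored."""
    found: Dict[str, str] = {}
    for host, raw in replies:
        cpu = parse_cpuinfo(raw)
        if cpu is not None:
            found[host] = cpu
    return found


# Constructed replies (TEST-NET addresses): two Q-series CPUs, the error string
# the script's send_receive() returns on socket failure, and a wrong status byte.
SAMPLE_REPLIES = [
    ("192.0.2.10", make_reply("Q12DCCPU-V")),
    ("192.0.2.11", make_reply("Q03UDECPU")),
    ("192.0.2.12", b"Error Reading getcpuinfopack"),
    ("192.0.2.13", make_reply("Q02HCPU", header=0x00)),
]
```

Running inventory(SAMPLE_REPLIES) yields only the two hosts whose replies carry the 0xd7 status byte and a terminated CPU string.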

Solution:

Internal systems and control devices should not be exposed to the public network.
