Mitsubishi Q Series PLC Ethernet Module Exposed Through the Energy Management System of Japan's North Ocean University
For the security analysis of the Mitsubishi Q series PLC, see the previous article. This is a real case of a control device reachable from the public network, and the affected site can be confirmed from the page title alone.
In theory, if no password is set on the PLC, the programming software can perform remote management operations on it: uploading and downloading the project, and stopping the CPU.
In this case we confirmed that the web service open on the address in question is ecoserver (apparently the same small web-based Energy Monitoring and Management System from Mitsubishi, used mainly to monitor current power usage; once the Java applet loads, trend charts and similar views are available). Through the open UDP port we confirmed the PLC model to be a Q series PLC (Q12DCCPU-V).
For the identification method, see the previous analysis. For batch verification in general, the Nmap NSE script given in this article can be used.
Web part (screenshots): home page, trend chart, measurement point information.
Information identified using the Nmap script (screenshot).
Nmap general-purpose discovery script
TCP version:
http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover.nse_.txt
UDP version:
http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover-udp.nse_.txt
Script source (UDP version), as linked above:

-- Nmap Scripting Engine
-- required packages for this script
-- (the bin library used here was later deprecated in Nmap in favour of
--  string.pack/string.unpack; this is the 2014 form of the script)
local bin = require "bin"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

-- Output Example:
-- PORT     STATE SERVICE            REASON
-- 5006/udp open  Mitsubishi/Melsoft udp syn-ack
-- | melsecq-discover:
-- |_  CPUINFO: Q03UDECPU

description = [[discovery Mitsubishi Electric Q Series PLC GET CPUINFO]]
author = "ICS Security Workspace(plcscan.org)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive"}

-- Mark the port open and record the product once a valid reply was seen.
function set_nmap(host, port)
  port.state = "open"
  port.version.name = "Mitsubishi/Melsoft Udp"
  port.version.product = "Mitsubishi Q PLC"
  nmap.set_port_version(host, port)
  nmap.set_port_state(host, port, "open")
end

-- Send one request and return the raw reply, or nil on a send/receive error
-- (the original returned an error string here, which the caller then tried
-- to parse as a reply).
function send_receive(socket, query)
  local sendstatus, senderr = socket:send(query)
  if not sendstatus then
    stdnse.print_debug(1, "Error sending getcpuinfopack: %s", senderr)
    return nil
  end
  local rcvstatus, response = socket:receive()
  if not rcvstatus then
    stdnse.print_debug(1, "Error reading getcpuinfopack: %s", response)
    return nil
  end
  return response
end

portrule = shortport.port_or_service(5006, "Melsoft/TCP", "udp")

action = function(host, port)
  -- MELSOFT request that makes the CPU return its type (CPUINFO)
  local getcpuinfopack = bin.pack("H",
    "57000000001111070000ffff030000fe03000014001c080a080000000000000004"
    .. "0101"
    .. "010000000001")
  local output = stdnse.output_table()
  local sock = nmap.new_socket()
  sock:set_timeout(3000)
  local constatus, conerr = sock:connect(host, port)
  if not constatus then
    stdnse.print_debug(1, "Error establishing connection for %s - %s", host.ip, conerr)
    return nil
  end
  local response = send_receive(sock, getcpuinfopack)
  sock:close()
  if not response or #response < 42 then
    return nil
  end
  -- A valid reply starts with 0xd7; the CPU type follows as a
  -- zero-terminated string at (1-based) offset 42, of which 16 chars are kept.
  local _, pack_head = bin.unpack("C", response, 1)
  -- local _, space_id = bin.unpack("C", response, 55)
  local offset = 0
  if pack_head == 0xd7 then
    -- if space_id == 0x20 then
    local _, cpuinfo = bin.unpack("z", response, 42 + offset)
    output["CPUINFO"] = string.sub(cpuinfo, 1, 16)
    set_nmap(host, port)
    return output
    -- end
  end
  return nil
end
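As an added example (not code from this page or from plcscan.org), the same probe written in Python for batch verification of a host list. It reuses only what the NSE script above encodes: the request bytes, the 0xd7 first byte of a valid reply, the CPU type as a NUL-terminated string at 1-based offset 42, and the 16-character cut. The port default, timeout and the sample reply are assumptions; the sample reply is constructed, not a capture.

```python
import socket

# UDP port the NSE script above probes (assumed default here)
MELSOFT_UDP_PORT = 5006

# CPU-info request from the NSE script, its three hex fragments joined
CPUINFO_REQUEST = bytes.fromhex(
    "57000000001111070000ffff030000fe03000014001c080a080000000000000004"
    "0101"
    "010000000001"
)

# Reply layout as decoded by the NSE script: 0xd7 first byte, then the
# CPU type as a zero-terminated string at 1-based offset 42 (0-based 41),
# of which the script keeps 16 characters.
RESPONSE_HEADER = 0xD7
CPUINFO_OFFSET = 41
CPUINFO_MAXLEN = 16


def parse_cpuinfo(response):
    """Return the CPU type from a MELSOFT reply, or None if it is not one."""
    if len(response) <= CPUINFO_OFFSET or response[0] != RESPONSE_HEADER:
        return None
    # zero-terminated, like bin.unpack("z") in the NSE script
    name = response[CPUINFO_OFFSET:].split(b"\x00", 1)[0]
    if not name:
        return None
    return name[:CPUINFO_MAXLEN].decode("ascii", errors="replace")


def probe_host(host, port=MELSOFT_UDP_PORT, timeout=2.0):
    """Send the CPU-info request to one host; return CPU type or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(CPUINFO_REQUEST, (host, port))
            data, _ = s.recvfrom(4096)
        except OSError:          # timeout, unreachable, refused
            return None
    return parse_cpuinfo(data)


def probe_many(hosts, port=MELSOFT_UDP_PORT, timeout=2.0):
    """Batch verification: returns {host: cputype} for hosts that answered."""
    hits = {}
    for h in hosts:
        cpu = probe_host(h, port, timeout)
        if cpu:
            hits[h] = cpu
    return hits


# Constructed sample reply (not a real capture): header byte, 40 bytes of
# padding standing in for fields the script does not decode, then the
# CPU name shown in the script's output example.
SAMPLE_REPLY = b"\xd7" + b"\x00" * 40 + b"Q03UDECPU\x00" + b"\x00" * 8

if __name__ == "__main__":
    import sys
    print(parse_cpuinfo(SAMPLE_REPLY))
    for host, cpu in probe_many(sys.argv[1:]).items():
        print(host, cpu, sep="\t")
```

Run it with one or more addresses as arguments; only hosts whose reply passes the same two checks as the NSE script (first byte and a non-empty name at the expected offset) are listed, so a random UDP reply on port 5006 is not reported as a PLC.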
Solution:
Internal systems and control devices should not be exposed to the public network. At minimum, the MELSOFT port (UDP 5006 here) and the ecoserver web interface should be reachable only from the control network, and a password should be set on the PLC so that project upload, download and stop operations are not possible without authentication.