Industrial Internet reappears
- Modbus protocol
- MMS protocol
- S7Comm protocol
- ISC Industrial Internet Competition Topic Recurrence:
  - Modbus protocol analysis
  - Configuration software security analysis
  - Industrial protocol analysis 1
  - Industrial protocol analysis 2
  - Special industrial control flow
  - Abnormal project file
  - Abnormal traffic analysis
  - Simple Modbus protocol analysis
  - modbus
  - Industrial control configuration analysis
  - S7 protocol malicious attack analysis
  - Analysis of host computer communication anomalies
  - Hacker's carelessness
  - Industrial control protocol data analysis
Modbus protocol:
Modbus has a high market share and appears very frequently in questions. It is considered the most common question because this protocol is also one of the most common protocols in the field of industrial control. There are three main variants:
- Modbus/RTU: slave address 1B + function code 1B + data field xB + CRC value 2B. The maximum frame length is 256B, so the maximum length of the data field is 252B.
- Modbus/ASCII: derived from Modbus/RTU. Each byte of the slave address, function code and data field is written as two characters from 0123456789ABCDEF, and start and end markers are added, so the length is doubled: start mark ':' (0x3A) 1B + slave address 2B + function code 2B + data field xB + LRC value 2B + end mark \r\n 2B. The maximum length is 513B, because the RTU data field is at most 252B, so the ASCII data field is at most 504B.
- Modbus/TCP: the slave address is no longer needed and is replaced by the UnitID; CRC/LRC is no longer needed because TCP comes with its own integrity check. Transaction identifier 2B + protocol identifier 2B + length 2B + unit ID 1B + function code 1B + data field xB.
Function code:
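The three framings above, as an added example that is not part of the original post: one small parser per framing, each checking the integrity field that framing actually has (CRC-16 for RTU, LRC for ASCII, and only the MBAP length field for TCP, which is why a Modbus/TCP frame carries no checksum at all). The sample frames are constructed here and encode the same request, "read one holding register at address 0 from slave 1", in each form; the frame sizes and field widths are the ones listed above.

```python
import struct

# Constructed sample frames (not from the page): the same request, "read one
# holding register at address 0 from slave 1", in each of the three framings.
SAMPLE_RTU = bytes.fromhex("010300000001840A")          # addr, fc, data, CRC (low byte first)
SAMPLE_ASCII = b":010300000001FB\r\n"                   # ':' + hex fields + LRC + CR LF
SAMPLE_TCP = bytes.fromhex("000100000006010300000001")  # MBAP header + PDU


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def lrc_modbus(data: bytes) -> int:
    """LRC used by Modbus/ASCII: two's complement of the byte sum."""
    return (-sum(data)) & 0xFF


def parse_rtu(frame: bytes) -> dict:
    # slave address 1B + function code 1B + data field xB + CRC 2B, 256B max
    if not 4 <= len(frame) <= 256:
        raise ValueError("RTU frame length out of range")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc != crc16_modbus(body):
        raise ValueError("RTU CRC mismatch")
    return {"framing": "RTU", "unit": body[0], "function_code": body[1], "data": body[2:]}


def parse_ascii(frame: bytes) -> dict:
    # ':' + 2 hex chars per byte of address/function/data + LRC 2 chars + "\r\n", 513B max
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")) or len(frame) > 513:
        raise ValueError("bad Modbus/ASCII framing")
    raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    body, lrc = raw[:-1], raw[-1]
    if lrc != lrc_modbus(body):
        raise ValueError("ASCII LRC mismatch")
    return {"framing": "ASCII", "unit": body[0], "function_code": body[1], "data": body[2:]}


def parse_tcp(adu: bytes) -> dict:
    # MBAP: transaction id 2B + protocol id 2B + length 2B + unit id 1B, then the PDU.
    # There is no CRC/LRC here, so the length field is the only integrity check the
    # parser can do; it counts every byte after the length field (unit id + PDU).
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", adu[:8])
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(adu) - 6:
        raise ValueError("MBAP length field does not match the frame size")
    return {"framing": "TCP", "transaction_id": tid, "unit": unit,
            "function_code": fc, "data": adu[8:]}


if __name__ == "__main__":
    for parse, frame in ((parse_rtu, SAMPLE_RTU), (parse_ascii, SAMPLE_ASCII), (parse_tcp, SAMPLE_TCP)):
        print(parse(frame))
```

All three parsers return the same unit, function code and data for the three sample frames, which is the point: the PDU is identical, only the wrapper differs.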
MMS protocol:
For TCP-based protocols in the industrial control field, Wireshark sometimes parses the response packet as plain TCP, which affects the question. If consecutive request packets appear when filtering on mms, suspect a Wireshark parsing error, remove the filter conditions and check manually.
initiate (can be understood as the handshake):
- initiate-RequestPDU
- initiate-ResponsePDU
confirmed (can be understood as the interaction, i.e. transferring data):
- confirmed-RequestPDU
- confirmed-ResponsePDU
Usually the situation is:
- 1 round of initiate: send 1 initiate-RequestPDU and receive 1 initiate-ResponsePDU
- n rounds of confirmed: confirmed-RequestPDU and confirmed-ResponsePDU are sent and received alternately until the session is actively closed or passively disconnected
Commands during the interaction are called confirmedService. Common confirmedService values:
Object operations:
- getNameList (1)
- read (4)
- write (5)
- getVariableAccessAttributes (6)
- getNamedVariableListAttributes (12)
File operations:
- fileOpen, open a file (72)
- fileRead, read a file (73)
- fileClose, close a file (74)
- fileDirectory, list a directory (77)
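The session shape described above (one initiate round, then alternating confirmed PDUs) turned into a small checker, as an added example that is not from the original post. It walks a list of PDUs, flags a confirmed-Request that arrives before the handshake or a response that does not match the outstanding request, counts the confirmedService codes listed above, and records the frames of a fileDirectory/fileOpen/fileRead/fileClose sequence, which are the frames to inspect when a file (and in these questions, a flag) is transferred. The session records are constructed here; the service-to-code mapping is the one listed above.

```python
from collections import Counter

# Service name -> confirmedService code, as listed above.
SERVICE_CODES = {
    "getNameList": 1, "read": 4, "write": 5, "getVariableAccessAttributes": 6,
    "getNamedVariableListAttributes": 12,
    "fileOpen": 72, "fileRead": 73, "fileClose": 74, "fileDirectory": 77,
}
FILE_SERVICES = {"fileOpen", "fileRead", "fileClose", "fileDirectory"}

# Constructed session (not from a real capture): (frame number, PDU type, service).
# It follows the usual shape: one initiate round, then alternating confirmed PDUs.
CONSTRUCTED_SESSION = [
    (10, "initiate-RequestPDU", None),
    (11, "initiate-ResponsePDU", None),
    (12, "confirmed-RequestPDU", "getNameList"),
    (13, "confirmed-ResponsePDU", "getNameList"),
    (14, "confirmed-RequestPDU", "read"),
    (15, "confirmed-ResponsePDU", "read"),
    (20, "confirmed-RequestPDU", "fileDirectory"),
    (21, "confirmed-ResponsePDU", "fileDirectory"),
    (22, "confirmed-RequestPDU", "fileOpen"),
    (23, "confirmed-ResponsePDU", "fileOpen"),
    (24, "confirmed-RequestPDU", "fileRead"),
    (25, "confirmed-ResponsePDU", "fileRead"),
    (26, "confirmed-RequestPDU", "fileClose"),
    (27, "confirmed-ResponsePDU", "fileClose"),
]


def summarize_session(records):
    """Walk the PDU sequence, check initiate-before-confirmed and request/response
    pairing, count service codes, and list the frames of any file transfer."""
    findings, counts, file_frames = [], Counter(), []
    initiated = False
    pending = None  # service of the confirmed-Request still waiting for its response
    for frame, pdu, service in records:
        if pdu == "initiate-RequestPDU":
            continue
        if pdu == "initiate-ResponsePDU":
            initiated = True
        elif pdu == "confirmed-RequestPDU":
            if not initiated:
                findings.append((frame, "confirmed-Request before the initiate handshake"))
            pending = service
            counts[SERVICE_CODES.get(service, -1)] += 1
            if service in FILE_SERVICES:
                file_frames.append(frame)
        elif pdu == "confirmed-ResponsePDU":
            if pending != service:
                findings.append((frame, "response does not match the outstanding request"))
            pending = None
    # A directory listing followed by open/read/close is a complete file read; in a
    # forensic question those frames are where the file contents live.
    return {"findings": findings, "service_counts": dict(counts), "file_frames": file_frames}


if __name__ == "__main__":
    print(summarize_session(CONSTRUCTED_SESSION))
```

The pairing check is deliberately simple (one outstanding request at a time, as in the alternating pattern above); a real MMS stack matches responses by invokeID and may pipeline requests, so on a real capture the invokeID is the field to key on.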
S7Comm protocol:
S7Comm (S7 Communication) is a Siemens proprietary protocol and one of the Siemens S7 communication protocol suite.
The S7Comm protocol contains three parts:
- Header: mainly descriptive information about the data, including length information, the PDU reference and message type constants; the most important thing it indicates is the PDU type.
- Parameter: the parameters, which differ with different PDU types.
- Data: an optional field that carries data, such as memory values, block codes, firmware data, etc.
Header fields:
- Protocol ID: [1b] protocol constant, always set to 0x32
- Message Type: [1b] the general type of message (sometimes called ROSCTR type); the rest of the message depends heavily on the Message Type and function code.
  - 0x01 - Job Request: requests sent by the master (e.g. read/write memory, read/write blocks, start/stop devices, communication settings)
  - 0x02 - Ack: simple acknowledgments sent by the slave without data fields (never seen sent by S300/S400 devices)
  - 0x03 - Ack-Data: acknowledgment with optional data fields, containing the reply to a job request
  - 0x07 - Userdata: extension of the original protocol; the parameter field contains a request/response id (used for programming/debugging, SZL reading, security functions, time setting, cyclic reading, ...)
- Reserved: [2b] always set to 0x0000 (but may be ignored)
- PDU reference: [2b] generated by the master and incremented with each new transfer, used to link responses to their requests, Little-Endian (Note: this is the behavior of WinCC, Step7 and other Siemens programs; it may also be randomly generated. Afterwards the PLC just copies it into the reply)
- Parameter Length: [2b] length of the parameter field, Big-Endian
- Data Length: [2b] length of the data field, Big-Endian
In fact, you only need to remember the return code to know what happened (it differs in the error case):
- 0x01: hardware error
- 0x03: the object you want to access is not allowed to be accessed
- 0x05: address out of range
- 0x06: the requested data type does not match the data type of the requested "object"
Data reading/writing (0x04 and 0x05):
Function code:
area type:
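The header layout and return codes above put into a parser, as an added example that is not part of the original post. It reads the fixed header (protocol id 0x32, ROSCTR, little-endian PDU reference, big-endian parameter and data lengths), takes the two extra error bytes that Ack and Ack-Data carry, checks that the declared lengths add up to the packet, and for a read-var (function 0x04) Ack-Data decodes each data item's return code. The two packets are constructed here; the per-item layout (return code, transport size, length, value) and the meaning of 0xFF as success are not on the page and are assumptions taken from the commonly documented S7comm format.

```python
import struct

ROSCTR = {0x01: "Job", 0x02: "Ack", 0x03: "Ack-Data", 0x07: "Userdata"}
# Return codes carried by each data item of a read/write response (see above).
RETURN_CODES = {
    0xFF: "success",                      # assumption: 0xFF = success is not on the page
    0x01: "hardware error",
    0x03: "accessing the object is not allowed",
    0x05: "address out of range",
    0x06: "data type mismatch",
}

# Constructed packets (not from the page). Both are Ack-Data replies to a
# read-var (function 0x04) job with one item. Header: 32, ROSCTR, reserved,
# PDU ref (little-endian), param len, data len, error class, error code.
SAMPLE_READ_OK = bytes.fromhex("32 03 0000 0100 0002 0006 0000"   # header, PDU ref 1
                               "04 01"                            # read-var, 1 item
                               "FF 04 0010 1234")                 # ok, 16 bits, value 0x1234
SAMPLE_READ_ERR = bytes.fromhex("32 03 0000 0200 0002 0004 0000"  # header, PDU ref 2
                                "04 01"
                                "05 00 0000")                     # return code 0x05


def parse_s7comm(pkt: bytes) -> dict:
    """Parse the S7Comm header and, for a read-var Ack-Data, its data items."""
    if len(pkt) < 10 or pkt[0] != 0x32:
        raise ValueError("not an S7Comm PDU: protocol id must be 0x32")
    rosctr = pkt[1]
    pdu_ref = int.from_bytes(pkt[4:6], "little")      # the one little-endian header field
    param_len, data_len = struct.unpack(">HH", pkt[6:10])
    hdr_len, error = 10, None
    if rosctr in (0x02, 0x03):                         # Ack / Ack-Data add error class + code
        error, hdr_len = (pkt[10], pkt[11]), 12
    if len(pkt) != hdr_len + param_len + data_len:
        raise ValueError("parameter/data lengths do not match the packet size")
    param = pkt[hdr_len:hdr_len + param_len]
    data = pkt[hdr_len + param_len:]
    result = {"rosctr": ROSCTR.get(rosctr, hex(rosctr)), "pdu_ref": pdu_ref,
              "error": error, "function": param[0] if param else None, "items": []}
    if rosctr == 0x03 and param[:1] == b"\x04":        # read-var response: one item per request
        off = 0
        for _ in range(param[1]):
            rc, tsize, length = struct.unpack(">BBH", data[off:off + 4])
            nbytes = length // 8 if tsize in (3, 4, 5) else length  # bit-counted transport sizes
            result["items"].append({"return_code": rc,
                                    "meaning": RETURN_CODES.get(rc, "unknown"),
                                    "value": data[off + 4:off + 4 + nbytes]})
            off += 4 + nbytes + (nbytes % 2)          # items are padded to an even length
    return result


if __name__ == "__main__":
    print(parse_s7comm(SAMPLE_READ_OK))
    print(parse_s7comm(SAMPLE_READ_ERR))
```

For the questions later on this page the interesting packets are exactly the ones whose item return code is not 0xFF, so filtering the parsed items on `meaning != "success"` is the programmatic version of scrolling for "Hardware error" in Wireshark.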
ISC Industrial Internet Competition Topic Recurrence:
Modbus protocol analysis:
2019-Industrial Information Security Skills Competition-Shenzhen Station-Modbus Protocol Analysis
Hackers entered the control network of a factory through the external network, then attacked the operator station system in the industrial control network, ultimately disrupting normal business through the industrial control protocol. We obtained the network traffic packets of the operator station before and after the attack. Analyze the clues in the traffic to find the FLAG. The format is flag{}
Generally, this kind of question is solved by using a script to extract the function codes of the common protocols, viewing them, and then analyzing further.
Here the protocol is Modbus/TCP, and the script to extract the function codes is:
```python
import pyshark


def get_code():
    # Count how often each Modbus function code appears in the capture
    captures = pyshark.FileCapture("Modbus.pcap")
    func_codes = {}
    for c in captures:
        for pkt in c:  # iterate over the layers of each packet
            if pkt.layer_name == "modbus":
                func_code = int(pkt.func_code)
                if func_code in func_codes:
                    func_codes[func_code] += 1
                else:
                    func_codes[func_code] = 1
    print(func_codes)


if __name__ == '__main__':
    get_code()
```
The four function codes each appeared 702 times, but function code 16 (preset multiple registers) appeared only twice. Therefore, we guessed that there might be key data in the traffic related to function code 16, so we ran a script to analyze the traffic related to function code 16 and extract its data. The script and its running results are as follows:
```python
import pyshark


def hex_to_ascii(payload):
    # Decode a hex string such as "546865..." into its printable ASCII characters
    flags = []
    for i in range(0, len(payload) - 1, 2):
        _ord = int(payload[i:i + 2], 16)
        if 0 < _ord < 128:
            flags.append(chr(_ord))
    return ''.join(flags)


def find_flag():
    cap = pyshark.FileCapture("Modbus.pcap")
    idx = 1
    for c in cap:
        for pkt in c:  # iterate over the layers of each packet
            if pkt.layer_name == "modbus" and int(pkt.func_code) == 16:
                # the raw TCP payload is shown as "aa:bb:cc"; strip the colons to get a hex string
                payload = str(c["TCP"].payload).replace(":", "")
                print(hex_to_ascii(payload))
                print("{0} *".format(idx))
                idx += 1


if __name__ == '__main__':
    find_flag()
```
Convert the hexadecimal string to the corresponding ASCII online to get TheModbusProtocolIsFunny!
flag{TheModbusProtocolIsFunny!}
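The same analysis done offline on raw Modbus/TCP ADUs instead of through pyshark, as an added example that is not part of the original write-up: build a function-code histogram, pick out the codes that are rare relative to the routine polling (the "two writes among thousands of reads" pattern above), and decode the FC 16 (Write Multiple Registers) requests into their start address, register values and an ASCII view, with the byte-count/quantity consistency check a real parser needs. The capture is constructed here, not the competition pcap; the MBAP layout is the one from the protocol section above.

```python
import struct
from collections import Counter


def build_adu(tid: int, unit: int, pdu_hex: str) -> bytes:
    """Wrap a PDU in an MBAP header (transaction id, protocol id 0, length, unit id)."""
    pdu = bytes.fromhex(pdu_hex)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture (not the competition pcap): forty routine polls using function
# codes 1-4, plus two FC 16 (Write Multiple Registers) requests whose register values
# are ASCII text, mirroring the "two out of thousands" pattern described above.
CONSTRUCTED_CAPTURE = []
for i in range(10):
    CONSTRUCTED_CAPTURE += [build_adu(4 * i + k, 1, pdu) for k, pdu in
                            enumerate(("0100000008", "0200000008", "0300000002", "0400000002"))]
CONSTRUCTED_CAPTURE.append(build_adu(100, 1, "10" + "0000" + "0002" + "04" + "666c6167"))  # "flag"
CONSTRUCTED_CAPTURE.append(build_adu(101, 1, "10" + "0002" + "0002" + "04" + "7b31327d"))  # "{12}"


def function_code_histogram(adus) -> Counter:
    """Function code is the first PDU byte, i.e. byte 7 after the 7-byte MBAP header."""
    return Counter(adu[7] for adu in adus if len(adu) >= 8)


def rare_function_codes(adus, share: float = 0.05) -> list:
    """Function codes that make up less than `share` of the traffic."""
    hist = function_code_histogram(adus)
    total = sum(hist.values())
    return sorted(fc for fc, n in hist.items() if n / total < share)


def decode_write_multiple_registers(adu: bytes) -> dict:
    """FC 16 request: start address 2B + quantity 2B + byte count 1B + register values."""
    tid, _pid, _length, unit, fc = struct.unpack(">HHHBB", adu[:8])
    if fc != 16:
        raise ValueError("not a Write Multiple Registers request")
    start, qty, nbytes = struct.unpack(">HHB", adu[8:13])
    payload = adu[13:13 + nbytes]
    if nbytes != 2 * qty or len(payload) != nbytes:   # reject inconsistent byte counts
        raise ValueError("byte count does not match quantity")
    registers = list(struct.unpack(">%dH" % qty, payload))
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in payload)
    return {"transaction_id": tid, "unit": unit, "start": start,
            "registers": registers, "ascii": text}


def extract_writes(adus) -> list:
    return [decode_write_multiple_registers(a) for a in adus if len(a) >= 8 and a[7] == 16]


if __name__ == "__main__":
    print(function_code_histogram(CONSTRUCTED_CAPTURE))
    print("rare:", rare_function_codes(CONSTRUCTED_CAPTURE))
    print("".join(w["ascii"] for w in extract_writes(CONSTRUCTED_CAPTURE)))
```

Feeding real ADUs in is a matter of reading the TCP payload of each packet on port 502 (for instance with pyshark as above, or with scapy's `TCP.payload`); the rarity threshold is a judgement call, the idea being that a write command in a stream of polling reads is the anomaly worth looking at first.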
Configuration software security analysis:
2019-Industrial Information Security Skills Competition-Shenzhen Station-Configuration Software Security Analysis
Some configuration software configures and connects a lot of PLC device information. We have written the flag field into the SCADA project. Please obtain the project flag. The flag format is flag{}.
Open it in 010 Editor and find the PK header, so it is a zip with a modified suffix. Because there are many files, put it directly on kali and use grep to filter for flag.
grep -r "flag" ./
flag{D076-4D7E-92AC-A05ACB788292}
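The two steps above (identify the real file type from its leading bytes regardless of suffix, then search every member of the archive) as an added example that is not part of the original write-up. It identifies a blob by magic bytes, and greps the members of an in-memory zip without extracting to disk, skipping members whose declared size is unreasonable. The sample project archive is constructed here, and the `flag{CONSTRUCTED_SAMPLE}` value inside it is a placeholder, not the competition flag.

```python
import io
import re
import zipfile

# File signatures relevant to the write-ups on this page; the suffix is irrelevant,
# the leading bytes decide what a file really is.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def identify(data: bytes) -> str:
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def grep_zip(data: bytes, pattern: bytes = rb"flag\{[^}]*\}", max_member: int = 50 * 1024 * 1024) -> list:
    """Search every member of an in-memory zip for `pattern` without extracting to disk."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > max_member:          # declared size; skip oversized members
                continue
            content = zf.read(info)
            for m in re.finditer(pattern, content):
                hits.append((info.filename, m.group(0).decode("latin-1")))
    return hits


def build_sample_project() -> bytes:
    """Constructed stand-in for a SCADA project archive saved under a non-zip suffix."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/tags.xml", "<tag name='Pump1' address='40001'/>")
        zf.writestr("project/notes.txt", "operator note ... flag{CONSTRUCTED_SAMPLE}")
    return buf.getvalue()


if __name__ == "__main__":
    project = build_sample_project()
    print(identify(project))                  # zip, even though no suffix says so
    print(grep_zip(project))
```

On a real project file the call is `grep_zip(open(path, "rb").read())` after `identify` has confirmed the PK header; the same `identify` covers the png-with-wrong-suffix case that comes up later on this page.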
Industrial protocol analysis 1:
2019-Industrial Information Security Skills Competition-Shenzhen Station-Industrial Protocol Analysis 1
There are anomalies in the industrial network. Try to analyze the PCAP traffic packets to find out the abnormal points in the traffic data and get the FLAG. The format is flag{}
This is the MMS protocol. Filter on mms first, then search with Ctrl+F: there is first a directory entry named flag (seen through fileDirectory, 77), and then the file flag.txt is opened.
Use the filter rule (mms) && (mms.fileRead == 87504092) to find frame 1800.
Use the filter rule (frame.number == 1801) to view the reply packet; 1801 is the reply, and its data is what we want.
Seeing a long string of Base64 data, the first thought is to convert it back into an image and extract it.
PS: If you cannot copy it, you can use the strings command to extract it, as follows:
strings test.pcap |grep ".png"
flag{ICS-mms104}
Industrial protocol analysis 2:
The packet file is named UDP, which is presumably the hint for this test point. Filter on udp first, then sort by len; the lengths looked somewhat repeated, so sort them out.
It turns out these are not repeats. In frame 105 the flag marker seems visible, and frames 131 and 137 below seem to be the strings to extract and convert from hex to ASCII.
666c61677b37466f4d3253746b6865507a7d
PS: The hexadecimal form of the string flag is 666c6167. Once you have seen this conversion you will recognize it; it is worth remembering.
flag{7FoM2StkhePz}
Special industrial control flow:
In a certain industrial control network with 10 segments, there is abnormal data in the industrial protocol. Please look for the flag in the traffic data. The format is flag{}
The traffic is S7comm. Filter on the industrial control protocol directly, then sort, and keep pressing the down key until this one is found.
Then the conversion is the same as in the question above: the hex decodes to the flag.
69735f6e6f745f7265616c
flag{is_not_real}
Abnormal project file:
2020-Zhijiang Cup-Abnormal Engineering Files
There is currently a project file that has been modified by a hacker attack. Emergency personnel are asked to find traces of the hacker attack. The flag format is: flag{}.
The file is a bit large, so just use strings together with xargs and grep to search for flag.
strings $(find . | xargs) | grep flag
flag{854P_l5q2_9Y4a_30Yw}
Abnormal traffic analysis:
2020-Zhijiang Cup-Abnormal Traffic Analysis
For anomalies in the industrial network, try to analyze the PCAP traffic packets to find the abnormal points in the traffic data and get the FLAG. The flag format is flag{}.
Here the protocol is Modbus; otherwise it is the same as the MMS question above: there are related reply packets, and the TCP data inside them carries a picture.
It was not found in the packets here, so put the file directly on kali and use strings to search for image features such as png or .jpg.
strings 9.pcap |grep ".jpg" # next time search for this directly first; if nothing is found, look inside the packets
Convert the Base64 to a picture online: https://tool.jisuapi.com/base642pic.html
flag{4eSyVERxvt70}
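The Base64-to-picture step used in this question and in Industrial protocol analysis 1 above, done offline as an added example that is not part of the original write-up: scan a byte blob (a reply packet's data, or the whole capture) for base64 runs, decode each one, and keep only those that decode to something with a PNG or JPEG signature, which is the same check the online converter does implicitly. The sample blob is constructed here: a minimal PNG (signature, IHDR and IEND chunks with correct CRCs, no pixel data) base64-encoded and surrounded by filler bytes.

```python
import base64
import binascii
import re
import struct
import zlib

IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}


def identify_image(data: bytes):
    for signature, kind in IMAGE_MAGIC.items():
        if data.startswith(signature):
            return kind
    return None


def carve_base64_images(data: bytes, min_chars: int = 40) -> list:
    """Find base64 runs in `data`, decode them and keep those that decode to an image.
    Returns (offset, kind, decoded bytes) tuples."""
    found = []
    for m in re.finditer(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_chars, data):
        core = m.group(0).rstrip(b"=")
        if len(core) % 4 == 1:              # a single leftover char can never decode
            core = core[:-1]
        padded = core + b"=" * (-len(core) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue
        kind = identify_image(raw)
        if kind:
            found.append((m.start(), kind, raw))
    return found


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_sample_blob() -> bytes:
    """Constructed: a minimal PNG (signature, IHDR, IEND; no image data) base64-encoded
    and buried in surrounding bytes, the way it would sit inside a captured payload."""
    png = (b"\x89PNG\r\n\x1a\n"
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + _png_chunk(b"IEND", b""))
    return b"\x00\x10junk-before " + base64.b64encode(png) + b" junk-after\x00"


if __name__ == "__main__":
    for offset, kind, raw in carve_base64_images(build_sample_blob()):
        print(offset, kind, len(raw), "bytes")   # write `raw` to a .png/.jpg to view it
```

Run against a pcap, `data` would be the reassembled payload of the reply stream; the signature check is what separates a real embedded image from any other long base64 field (certificates, for instance) that the regex also matches.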
Simple Modbus protocol analysis:
2020-Zhijiang Cup-Simple Modbus Protocol Analysis
The chemical workshop distillation tower controller program error occurs due to improper operation by the operator. Please analyze the error program to find the error point and obtain the flag. The flag format is flag{}.
There seems to be no industrial control protocol in it, so we can use strings directly to search for the relevant information, 666c6167.
PS: Why search for 666c6167? This was also mentioned above: it is the ASCII hex value of flag.
666c61677b44477377546667793147443233366673327366463264736b4c6e677d
flag{DGswTfgy1GD236fs2sfF2dskLng}
modbus:
2020-Zhijiang Cup-Modbus
An industrial control equipment in the factory workshop assembly line was attacked by unknown persons. According to the traceability analysis of the attack behavior, it was found that the attacker uploaded programs to the equipment. Please assist the operation and maintenance personnel to find the evidence based on the network data traffic and find the flag. The flag format is flag{ }.
Filter on the Modbus protocol directly, then follow the byte stream and search for 666c, which finds the flag identifier. Just continue searching.
It is a bit hard to find, so use the old way with strings filtering: strings 6.pcap | grep -E "^.{10}$"
. matches any character
^ matches the start of the line
{10} matches the count
$ matches the end of the line
666c61677b => flag{
3138676854 => 18ghT
317772337d => 1wr3}
flag{18ghT1wr3}
Industrial control configuration analysis:
2020-Zhijiang Cup-Industrial Control Configuration Analysis
Add a zip suffix to the gk file, decompress it, and open the .PCZ with the configuration tool; the version I am using is 7.1.
Then restore the file and run it to see the flag.
PS: There is a link to the tool on the website here so that everyone can reproduce it (conscientious blogger!!!)
flag{NxdzzOE3qqqqHk6lqOXM}
S7 protocol malicious attack analysis:
2020-Zhijiang Cup-S7 Protocol Malicious Attack Analysis
One day, the Siemens PLC used in the desulfurization process in the vulcanization workshop suddenly shut down. After investigation by factory personnel, it was found that the PLC had multiple abnormal behaviors during this time period. Please assist the investigators to find out the relevant behaviors of the PLC. The flag is the abnormal behavior data packet. The first four digits plus the last four digits are in the format of flag{}.
The traffic is S7comm. Filter the industrial control protocol with tcp.stream eq 0 to analyze S7 Communication stream 0; frame 1321 is the abnormal data (stop).
Concatenate its first four digits and last four digits.
flag{3201414d}
Analysis of host computer communication anomalies:
2020-Zhijiang Cup-Host computer communication abnormality analysis
An assembly line in the production workshop is running abnormally, and the upper computer SCADA system has not turned on the alarm function, resulting in the inability to query the abnormal conditions of the control equipment. Please find the problem based on the communication flow between the configuration software and the control equipment. The flag is the data content of the abnormal data packet, and the flag format is is flag{}.
Filtering S7comm found an exception in frame 6847: the Return code in its data is Hardware error (0x01), which is introduced in the protocol section above.
flag{010400100100}
Hacker's carelessness:
2019-Industrial Information Security Skills Competition-Harbin Station-Hacker’s Carelessness
A hacker accidentally left such a file after the intrusion. Please analyze the file to trace the source and find the hacker's mailbox. The flag format is flag{email account}
Open the file in 010 Editor, see that it is a png and modify the suffix; the words WATCHIN YUR SCREENZ are visible in the picture.
Search github for this known image, which comes from the gcat program.
flag{[email protected]}
Industrial control protocol data analysis:
2020-Industrial Information Security Skills Competition-Huzhou Station-Industrial Control Protocol Data Analysis
The operation and maintenance personnel discovered that the intranet control system was breached in an industrial control environment. The attachment is a message captured from the site. Please analyze the message to find out what information the hacker obtained? The flag format is: flag{}.
Filtering on the S7comm protocol, binary 01100110 was found in the Data, so continue with the filter rule: (s7comm) && (s7comm.param.func == 0x05) && (s7comm.header.rosctr == 1)
011001100110110001100001011001110111101101100110011011000110000101100111010111110110100101110011010111110110100001100101011100100110010101111101
flag{flag_is_here}
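The decoding step that recurs through these write-ups (Industrial protocol analysis 2, Simple Modbus protocol analysis, modbus, and this question) in one place, as an added example that is not part of the original post: a flag written into register values or file data shows up as plain text, as a hex string (666c6167...), or as a binary string (01100110...), and a single scan can catch all three. The hex decoder tries both nibble alignments so a run that starts one character early still decodes. The payload is constructed here and its three flag values are placeholders, not competition flags.

```python
import re

FLAG_RE = re.compile(rb"flag\{[^}\s]{1,64}\}")


def _decode_hex_runs(data: bytes):
    # Try both alignments so a run that starts one nibble early still decodes.
    for m in re.finditer(rb"[0-9a-fA-F]{8,}", data):
        run = m.group(0)
        for s in (run, run[1:]):
            if len(s) % 2:
                s = s[:-1]
            yield bytes.fromhex(s.decode("ascii"))


def _decode_binary_runs(data: bytes):
    for m in re.finditer(rb"[01]{32,}", data):
        bits = m.group(0)
        bits = bits[: len(bits) - len(bits) % 8]     # whole bytes only
        yield int(bits, 2).to_bytes(len(bits) // 8, "big")


def find_flags(data: bytes) -> list:
    """Return every flag{...} found as plain text, hex-encoded, or binary-encoded."""
    hits = set()
    candidates = [data, *_decode_hex_runs(data), *_decode_binary_runs(data)]
    for blob in candidates:
        hits.update(m.group(0).decode("latin-1") for m in FLAG_RE.finditer(blob))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed payload: one plain, one hex-encoded and one binary-encoded flag, each
    surrounded by filler of the kind seen in register writes and file transfers."""
    hex_part = b"flag{HEX_SAMPLE}".hex().encode()
    bin_part = "".join(format(b, "08b") for b in b"flag{BIN_SAMPLE}").encode()
    return (b"\x00\x01reg=0x0010 flag{PLAIN_SAMPLE} " + b"\xff" * 4
            + b" payload:" + hex_part + b"\n" + b"\x00" * 3
            + b"bits:" + bin_part + b" end")


if __name__ == "__main__":
    print(find_flags(build_sample()))
```

Pointed at a capture, `data` is the output of `strings` or the raw bytes of the relevant stream; the binary and hex runs it picks up are exactly what 666c6167 and 01100110 looked like in the Wireshark data panes above.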