CTF Industrial Control / Industrial Internet (ISC) Reproduction Summary Writeup (super detailed)

Modbus protocol:

Modbus has a large market share and comes up very frequently in questions; it can be considered the most common topic, because it is also one of the most common protocols in the industrial control field. There are three main variants:

  • Modbus/RTU:

  • Slave address 1B + function code 1B + data field xB + CRC value 2B

  • Maximum frame length 256B, so the maximum length of the data field is 252B

  • Modbus/ASCII:

  • Derived from Modbus/RTU: the original slave address, function code and data field are represented with the characters 0123456789ABCDEF, and start and end markers are added, so the length is doubled

  • Start mark ":" (0x3A) 1B + slave address 2B + function code 2B + data field xB + LRC value 2B + end mark "\r\n" 2B

  • Maximum length 513B, because the largest RTU data field is 252B, so the largest ASCII data field is 504B

  • Modbus/TCP:

  • The slave address is no longer needed and is replaced by the Unit ID; CRC/LRC is no longer needed because TCP comes with its own checksum

  • Transaction identifier 2B + protocol identifier 2B + length 2B + unit ID 1B + function code 1B + data field xB
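As an added example (not part of the original post), the following Python builds and checks the three frame formats listed above: the CRC-16 that closes a Modbus/RTU frame, the LRC that closes a Modbus/ASCII frame, and the MBAP header of Modbus/TCP, with the 256B/252B/513B limits from the list enforced. The function names and the sample frames are my own.

```python
import struct

MAX_RTU_FRAME = 256                  # RTU: 1 addr + 1 func + data + 2 CRC
MAX_RTU_DATA = MAX_RTU_FRAME - 4     # 252
MAX_ASCII_FRAME = 513                # ':' + 2*(1 + 1 + 252 + 1) + "\r\n"


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001 (0x8005)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def modbus_lrc(data: bytes) -> int:
    """LRC for Modbus/ASCII: two's complement of the 8-bit sum of the binary bytes."""
    return (-sum(data)) & 0xFF


def rtu_frame(slave: int, func: int, data: bytes) -> bytes:
    """Slave address 1B + function code 1B + data + CRC 2B (low byte first on the wire)."""
    if len(data) > MAX_RTU_DATA:
        raise ValueError("RTU data field exceeds 252 bytes")
    body = bytes([slave, func]) + data
    return body + struct.pack("<H", modbus_crc16(body))


def check_rtu(frame: bytes) -> bool:
    """True when the trailing CRC matches the bytes before it and the length is legal."""
    if len(frame) < 4 or len(frame) > MAX_RTU_FRAME:
        return False
    return struct.unpack("<H", frame[-2:])[0] == modbus_crc16(frame[:-2])


def ascii_frame(slave: int, func: int, data: bytes) -> bytes:
    """':' + hex(address, function, data) + hex(LRC) + CR LF; every binary byte becomes two chars."""
    body = bytes([slave, func]) + data
    frame = b":" + body.hex().upper().encode() + b"%02X" % modbus_lrc(body) + b"\r\n"
    if len(frame) > MAX_ASCII_FRAME:
        raise ValueError("ASCII frame exceeds 513 bytes")
    return frame


def parse_ascii(frame: bytes):
    """Return (slave, func, data) after verifying the start/end markers and the LRC."""
    if not frame.startswith(b":") or not frame.endswith(b"\r\n"):
        raise ValueError("missing start or end marker")
    raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    body, lrc = raw[:-1], raw[-1]
    if modbus_lrc(body) != lrc:
        raise ValueError("LRC mismatch")
    return body[0], body[1], body[2:]


def tcp_frame(transaction: int, unit: int, func: int, data: bytes) -> bytes:
    """MBAP: transaction 2B + protocol 2B (0 = Modbus) + length 2B + unit 1B, then function + data."""
    pdu = bytes([unit, func]) + data
    return struct.pack(">HHH", transaction, 0, len(pdu)) + pdu


def parse_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP frame; the length field must cover unit + function + data."""
    transaction, protocol, length, unit, func = struct.unpack_from(">HHHBB", frame, 0)
    if protocol != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return {"transaction": transaction, "unit": unit, "func": func, "data": frame[8:]}


if __name__ == "__main__":
    # Constructed sample: read 1 holding register at address 0 from slave 1
    req = bytes.fromhex("00000001")
    print(rtu_frame(1, 3, req).hex(" "))
    print(ascii_frame(1, 3, req))
    print(parse_tcp(tcp_frame(7, 1, 3, req)))
```

When triaging a capture, `check_rtu` and `parse_ascii` are the quick way to separate corrupted or hand-crafted frames from ones a real master would send; for Modbus/TCP the only self-consistency check left is the MBAP length field, which is why `parse_tcp` rejects a mismatch.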

Function code: (the function code tables are shown as images in the original post)

MMS protocol:

For TCP-based protocols in the industrial control field, Wireshark sometimes dissects the response packet as plain TCP, which gets in the way of the question. If only consecutive request packets appear when filtering on mms, consider a Wireshark dissection error: remove the filter and check manually.

initiate (can be understood as the handshake)

initiate-RequestPDU

initiate-ResponsePDU

confirmed (can be understood as the interaction, i.e. transferring data)

confirmed-RequestPDU

confirmed-ResponsePDU

The usual situation is:

1 round of initiate: send 1 initiate-RequestPDU, receive 1 initiate-ResponsePDU

n rounds of confirmed: confirmed-RequestPDU and confirmed-ResponsePDU are sent and received alternately until the session is closed actively or disconnected passively

The commands during the interaction are called confirmedService; common confirmedService values are:

Object operations:

  • getNameList (1)

  • read (4)

  • write (5)

  • getVariableAccessAttributes (6)

  • getNamedVariableListAttributes (12)

File operations:

  1. fileOpen, open a file (72)
  2. fileRead, read a file (73)
  3. fileClose, close a file (74)
  4. fileDirectory, list a directory (77)

S7Comm protocol:

S7Comm (S7 Communication) is a Siemens proprietary protocol and one of the protocols in the Siemens S7 communication suite.

An S7Comm PDU contains three parts:

  • Header: mainly descriptive information about the data, including length information, the PDU reference and the message type constant; the most important thing it indicates is the PDU type.
  • Parameter: the parameters of the PDU; different message types carry different parameters.
  • Data: an optional field carrying the data, such as memory values, block code, firmware data, etc.


  • Protocol ID: [1b] protocol constant, always set to 0x32

  • Message Type: [1b] the general type of message (sometimes called the ROSCTR type); the rest of the message depends heavily on the Message Type and the function code.

    0x01 - Job Request: requests sent by the master (e.g. read/write memory, read/write blocks, start/stop devices, communication settings)
    0x02 - Ack: simple acknowledgement sent by the slave without a data field (never seen sent by S300/S400 devices)
    0x03 - Ack-Data: acknowledgement with an optional data field, containing the reply to a job request
    0x07 - Userdata: extension of the original protocol; the parameter field contains a request/response id (for programming/debugging, SZL reading, security functions, time setting, cyclic reading, ...)

  • Reserved: [2b] always set to 0x0000 (but may be ignored)

  • PDU reference: [2b] generated by the master, incremented with each new transfer, used to match responses to requests; Little-Endian (note: this is the behaviour of WinCC, Step7 and other Siemens programs; it may also be randomly generated, after which the PLC simply copies it into the reply)

  • Parameter Length: [2b] length of the parameter field, Big-Endian
  • Data Length: [2b] length of the data field, Big-Endian


In fact, you only need to remember the return code to know what happened (the exception cases differ):

  • 0x01: hardware error
  • 0x03: the object you want to access is not allowed to be accessed
  • 0x05: address out of range
  • 0x06: the data type of the request does not match the data type of the requested object

Data reading/writing (0x04 and 0x05): (request/response layout shown as images in the original post)
Function code: (table shown as an image in the original post)
Area type: (table shown as an image in the original post)
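As an added example that is not from the original post, the following Python parses the S7comm header fields described above (protocol ID 0x32, ROSCTR, reserved, little-endian PDU reference, big-endian parameter and data lengths, plus the error class/code bytes that Ack and Ack-Data carry), then walks the data items of a read response and maps each item's return code to the meanings listed above. The two PDUs are constructed, not from a capture; the Ack-Data item deliberately uses return code 0x01 with the bytes 010400100100 so it mirrors the host computer communication question later on this page. The 0xFF success code, the bit-length transport sizes and the even-length item padding are well-known S7comm details added here; the function names are my own.

```python
import struct

ROSCTR = {0x01: "Job", 0x02: "Ack", 0x03: "Ack-Data", 0x07: "Userdata"}

# Item return codes from the list above; 0xFF (success) is the usual "no error" value, added here
RETURN_CODES = {
    0x01: "hardware error",
    0x03: "accessing the object not allowed",
    0x05: "address out of range",
    0x06: "data type mismatch",
    0xFF: "success",
}

# Transport sizes whose length field counts bits rather than bytes (bit, byte/word/dword, integer)
BIT_LENGTH_SIZES = {0x03, 0x04, 0x05}


def parse_s7_header(pdu: bytes) -> dict:
    """Split an S7comm PDU into header fields, parameter bytes and data bytes."""
    if len(pdu) < 10 or pdu[0] != 0x32:
        raise ValueError("not an S7comm PDU (protocol ID must be 0x32)")
    rosctr = pdu[1]
    reserved = struct.unpack_from(">H", pdu, 2)[0]
    pdu_ref = struct.unpack_from("<H", pdu, 4)[0]          # little-endian, as noted above
    param_len, data_len = struct.unpack_from(">HH", pdu, 6)  # big-endian
    header_len = 10
    info = {"rosctr": ROSCTR.get(rosctr, f"unknown (0x{rosctr:02x})"),
            "reserved": reserved, "pdu_ref": pdu_ref}
    if rosctr in (0x02, 0x03):                              # Ack and Ack-Data add error class + error code
        info["error_class"], info["error_code"] = pdu[10], pdu[11]
        header_len = 12
    params = pdu[header_len:header_len + param_len]
    info["parameter"] = params
    # first parameter byte is the function code for Job/Ack-Data (Userdata parameters differ)
    info["function"] = params[0] if params else None
    info["data"] = pdu[header_len + param_len:header_len + param_len + data_len]
    return info


def parse_data_items(data: bytes) -> list:
    """Items of a read/write response: return code 1B, transport size 1B, length 2B, value (padded to even)."""
    items, off = [], 0
    while off + 4 <= len(data):
        rc, tsize, length = struct.unpack_from(">BBH", data, off)
        nbytes = length // 8 if tsize in BIT_LENGTH_SIZES else length
        value = data[off + 4:off + 4 + nbytes]
        items.append({"return_code": rc, "meaning": RETURN_CODES.get(rc, "unknown"),
                      "transport_size": tsize, "value": value})
        off += 4 + nbytes + (nbytes % 2)
    return items


def abnormal_items(pdu: bytes) -> list:
    """Data items of an Ack-Data read response (function 0x04) whose return code is not success."""
    hdr = parse_s7_header(pdu)
    if hdr["rosctr"] != "Ack-Data" or hdr["function"] != 0x04:
        return []
    return [item for item in parse_data_items(hdr["data"]) if item["return_code"] != 0xFF]


# Constructed PDUs: a Read Var job (parameter length 14) and a matching Ack-Data whose single item
# reports return code 0x01 (hardware error) with transport size 0x04 and a 16-bit value
JOB = bytes.fromhex("32 01 0000 3412 000e 0000" + "0401 120a1002 0002 0001 84 000000")
ACK_DATA = bytes.fromhex("32 03 0000 3412 0002 0006 0000" + "0401" + "010400100100")

if __name__ == "__main__":
    job = parse_s7_header(JOB)
    print(job["rosctr"], hex(job["function"]), hex(job["pdu_ref"]))
    for item in abnormal_items(ACK_DATA):
        print(item)
```

Filtering a capture for Ack-Data PDUs whose items are returned by `abnormal_items` is the programmatic form of the "look for the odd return code" step the S7comm questions below rely on; matching `pdu_ref` between the job and its reply tells you which request triggered the error.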

ISC Industrial Internet Competition question reproduction:

Modbus protocol analysis:

2019 Industrial Information Security Skills Competition, Shenzhen Station: Modbus Protocol Analysis

Hackers entered the control network of a factory through the external network, then attacked the operator station system in the industrial control network, and finally disrupted normal business through the industrial control protocol. We obtained the network traffic captured at the operator station before and after the attack. Analyze the clues in the traffic to find the FLAG. The format is flag{}.

Generally, this kind of question is solved by using a script to extract the function codes of the common protocols, looking at them, and then analysing further.

Here is the script to extract the function codes of the Modbus (Modbus/TCP) protocol:

import pyshark


def get_code():
    # Count how often each Modbus function code appears in the capture
    captures = pyshark.FileCapture("Modbus.pcap")
    func_codes = {}
    for c in captures:
        for pkt in c:
            if pkt.layer_name == "modbus":
                func_code = int(pkt.func_code)
                if func_code in func_codes:
                    func_codes[func_code] += 1
                else:
                    func_codes[func_code] = 1
    captures.close()
    print(func_codes)


if __name__ == '__main__':
    get_code()


The four function codes each appeared 702 times, but function code 16 (Preset Multiple Registers) appeared only twice. So we guessed that the traffic related to function code 16 may contain key data, and ran a script to analyze the traffic related to function code 16 and extract its data. The script and its output are as follows:

import pyshark


def hex_to_ascii(payload):
    # Decode the hex string of the TCP payload and keep the bytes in the ASCII range
    data = bytes.fromhex(payload)
    flags = []
    for _ord in data:
        if 0 < _ord < 128:
            flags.append(chr(_ord))
    return ''.join(flags)


def find_flag():
    cap = pyshark.FileCapture("Modbus.pcap")
    idx = 1
    for c in cap:
        for pkt in c:
            # only the Modbus layer has a function code, so check the layer name first
            if pkt.layer_name == "modbus" and int(pkt.func_code) == 16:
                # pyshark renders the payload as colon-separated hex bytes
                payload = str(c["TCP"].payload).replace(":", "")
                print(hex_to_ascii(payload))
                print("{0} *".format(idx))
        idx += 1
    cap.close()


if __name__ == '__main__':
    find_flag()

Converting the hexadecimal string to the corresponding ASCII text (e.g. online) gives TheModbusProtocolIsFunny!

flag{TheModbusProtocolIsFunny!}
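The two pyshark scripts above need tshark installed. As an added example that is not from the original post, the following standard-library Python does the same triage on its own: it walks a pcap, picks out TCP payloads on port 502, counts the Modbus/TCP function codes of requests, reports the rare ones (the "16 appeared twice, everything else 702 times" observation turned into a rule), and decodes the register bytes of Write Multiple Registers (16) requests as ASCII. The pcap is built in memory from constructed frames; the function names, the 5% rarity threshold and the sample text are my own assumptions.

```python
import struct
from collections import Counter

MODBUS_PORT = 502


def build_pcap(tcp_payloads):
    """Constructed sample: wrap each payload in Ethernet/IPv4/TCP records of a little-endian pcap."""
    records = []
    for i, payload in enumerate(tcp_payloads):
        tcp = struct.pack(">HHIIBBHHH", 49152 + i, MODBUS_PORT, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
        frame = bytes(12) + b"\x08\x00" + ip                # zero MACs, EtherType IPv4
        records.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return global_header + b"".join(records)


def iter_tcp_payloads(pcap: bytes):
    """Yield (src_port, dst_port, payload) for every TCP segment in a classic pcap, either byte order."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    order = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack_from(order + "IIII", pcap, offset)[2]
        offset += 16
        frame = pcap[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 over Ethernet only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from(">H", ip, 2)[0]
        if ip[9] != 6 or total_len < ihl + 20:             # protocol 6 = TCP
            continue
        tcp = ip[ihl:total_len]
        src, dst = struct.unpack_from(">HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield src, dst, payload


def parse_mbap(payload: bytes):
    """Return (function code, data) for a well-formed Modbus/TCP ADU, else None."""
    if len(payload) < 8:
        return None
    _, protocol, length, _unit = struct.unpack_from(">HHHB", payload, 0)
    if protocol != 0 or length != len(payload) - 6:
        return None
    return payload[7], payload[8:]


def request_function_codes(pcap: bytes) -> Counter:
    """Histogram of function codes in requests, i.e. segments sent to port 502."""
    counts = Counter()
    for _, dst, payload in iter_tcp_payloads(pcap):
        adu = parse_mbap(payload) if dst == MODBUS_PORT else None
        if adu:
            counts[adu[0]] += 1
    return counts


def rare_function_codes(counts: Counter, threshold: float = 0.05):
    """Function codes making up less than `threshold` of all requests: the first thing to inspect."""
    total = sum(counts.values()) or 1
    return sorted(fc for fc, n in counts.items() if n / total < threshold)


def fc16_register_text(pcap: bytes):
    """Printable text carried in the register values of Write Multiple Registers (16) requests."""
    texts = []
    for _, dst, payload in iter_tcp_payloads(pcap):
        adu = parse_mbap(payload)
        if dst != MODBUS_PORT or adu is None or adu[0] != 16 or len(adu[1]) < 5:
            continue
        data = adu[1]                                       # start 2B + quantity 2B + byte count 1B + values
        values = data[5:5 + data[4]]
        texts.append(bytes(b for b in values if 32 <= b < 127).decode("ascii"))
    return texts


def mbap(transaction, func, data):
    """Constructed Modbus/TCP request with unit ID 1."""
    pdu = bytes([1, func]) + data
    return struct.pack(">HHH", transaction, 0, len(pdu)) + pdu


# Constructed traffic: 50 Read Coils, 50 Read Holding Registers, 1 Write Multiple Registers carrying text
SAMPLE_TEXT = b"HiddenWriteDemo!"
SAMPLE_PCAP = build_pcap(
    [mbap(i, 1, bytes.fromhex("00000010")) for i in range(50)]
    + [mbap(50 + i, 3, bytes.fromhex("00000002")) for i in range(50)]
    + [mbap(100, 16, struct.pack(">HHB", 0, len(SAMPLE_TEXT) // 2, len(SAMPLE_TEXT)) + SAMPLE_TEXT)]
)

if __name__ == "__main__":
    counts = request_function_codes(SAMPLE_PCAP)
    print(dict(counts), "rare:", rare_function_codes(counts))
    print(fc16_register_text(SAMPLE_PCAP))
```

To run it on a real capture, replace `SAMPLE_PCAP` with `open("Modbus.pcap", "rb").read()`; pcapng files are not handled, so convert them first. Only segments addressed to port 502 are counted as requests, which keeps the histogram from doubling every code with its response.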

Configuration software security analysis:

2019 Industrial Information Security Skills Competition, Shenzhen Station: Configuration Software Security Analysis

Some configuration software configures and connects a lot of PLC device information. We have written a flag field into the SCADA project. Please obtain the project's flag. The flag format is flag{}.

Opening the file in 010 Editor shows a PK header, so rename the suffix to .zip. Because there are many files, move it straight to Kali and use grep to filter for flag.

grep -r "flag" ./


flag{D076-4D7E-92AC-A05ACB788292}

Industrial protocol analysis 1:

2019 Industrial Information Security Skills Competition, Shenzhen Station: Industrial Protocol Analysis 1

There are anomalies in the industrial network. Try to analyze the PCAP traffic to find the abnormal points in the traffic data and get the FLAG. The format is flag{}.

This one is the MMS protocol. Filter on mms first, then Ctrl+F search for flag: there is first a fileDirectory (77) listing, and then the file flag.txt is opened.

Use the filter rule (mms) && (mms.fileRead == 87504092) to find frame number 1800.

The response to it is frame 1801; because the response packet is filtered out by the mms filter, view it with the filter rule (frame.number == 1801).

The data field is a long string that looks like Base64, so the natural idea is to convert it back into an image and extract the flag from it.

PS: If you cannot copy it, you can extract it with the strings command as follows:

strings test.pcap |grep ".png"


flag{ICS-mms104}

Industrial protocol analysis 2:

The data packet file is named UDP data, so presumably that is the test point. First filter on udp, then look at the len column: some lengths seem to repeat, so sort by it.

It turns out these are not repeats. Frame 105 seems to show the flag marker, and the data in frames 131 and 137 seems to be a string to extract and convert from hex to ASCII.


666c61677b37466f4d3253746b6865507a7d


PS: The hexadecimal of flag is 666c6167. Once you have seen this you will probably recognize it; it is worth remembering.

flag{7FoM2StkhePz}

Special industrial control traffic:

In a certain 10-segment industrial control network, there is abnormal data in the industrial protocol. Look for the flag in the traffic data. The format is flag{}.

This is S7comm industrial control traffic: filter on the protocol directly, sort, and keep pressing the down key until this one is found.

Then the transcoding is the same as in the question above, giving the flag.


69735f6e6f745f7265616c


flag{is_not_real}

Abnormal project file:

2020 Zhijiang Cup: Abnormal Project File

There is a project file that has been modified by a hacker attack. The emergency responders are asked to find traces of the attack. The flag format is flag{}.

The file is a bit large, so just use strings together with xargs and grep to search for flag.

strings $(find . | xargs) | grep flag


flag{854P_l5q2_9Y4a_30Yw}

Abnormal traffic analysis:

2020 Zhijiang Cup: Abnormal Traffic Analysis

For anomalies that exist in industrial networks, try to analyze the PCAP traffic packets to find the abnormal points in the traffic data and get the FLAG. The flag format is flag{}.

The protocol here is Modbus, but otherwise it is the same as the MMS question above: there are related response packets in the capture with a picture inside the TCP data.

It was not found by searching the packets here, so move it to Kali and use strings to search directly for image features such as png/jpg:

strings   9.pcap  |grep ".jpg"      # next time search this way first; if nothing is found, look inside the packets


Convert the Base64 to a picture online: https://tool.jisuapi.com/base642pic.html


flag{4eSyVERxvt70}

Simple Modbus protocol analysis:

2020 Zhijiang Cup: Simple Modbus Protocol Analysis

A program error occurred in the distillation tower controller of the chemical workshop due to improper operation by the operator. Please analyze the faulty program to find the error point and obtain the flag. The flag format is flag{}.

There seems to be no industrial control protocol in it, so we can use strings directly to search for the relevant information, 666c6167.

PS: Why search for 666c6167? This was also mentioned above: it is the hexadecimal of the ASCII value of flag.


666c61677b44477377546667793147443233366673327366463264736b4c6e677d


flag{DGswTfgy1GD236fs2sfF2dskLng}

modbus:

2020 Zhijiang Cup: Modbus

A piece of industrial control equipment on the factory workshop assembly line was attacked by unknown persons. Traceability analysis of the attack behaviour found that the attacker uploaded programs to the equipment. Please assist the operation and maintenance personnel in finding the evidence in the network traffic and find the flag. The flag format is flag{}.

Filter on the Modbus protocol directly, then follow the TCP byte stream and search for 666c to find the flag marker. Just keep searching.


It is a bit hard to find this way; the old strings approach is easier: strings 6.pcap | grep -E "^.{10}$"

. matches any character
^ anchors the start of the line
{10} is the repetition count
$ anchors the end of the line


666c61677b => flag{
3138676854 => 18ghT
317772337d => 1wr3}


flag{18ghT1wr3}

Industrial control configuration analysis:

2020 Zhijiang Cup: Industrial Control Configuration Analysis

Add a .zip suffix to the gk file, decompress it, and open the .PCZ file with ForceControl (力控); the version I am using is 7.1.

Then restore the project and run it to see the flag.

PS: Here is the link to the tool's website so that everyone can reproduce it (a conscientious blogger!!!)

ForceControl download: (link shown as an image in the original post)

flag{NxdzzOE3qqqqHk6lqOXM}

S7 protocol malicious attack analysis:

2020 Zhijiang Cup: S7 Protocol Malicious Attack Analysis

One day, the Siemens PLC used in the desulfurization process of the vulcanization workshop suddenly shut down. After investigation by factory personnel, it was found that the PLC showed multiple abnormal behaviours during this time period. Please assist the investigators in finding the relevant behaviours of the PLC. The flag is the first four digits plus the last four digits of the abnormal behaviour data packet, in the format flag{}.

This is the S7comm industrial control protocol: use tcp.stream eq 0 to analyze stream 0 of the S7 Communication.

Frame 1321 is the abnormal data (stop). Concatenate its first four and last four digits.


flag{3201414d}

Analysis of host computer communication anomalies:

2020 Zhijiang Cup: Host Computer Communication Abnormality Analysis

An assembly line in the production workshop is running abnormally, and the upper computer SCADA system has not turned on the alarm function, so the abnormal conditions of the control equipment cannot be queried. Please find the problem from the communication traffic between the configuration software and the control equipment. The flag is the data content of the abnormal data packet, and the flag format is flag{}.

Filtering on S7comm finds the abnormal packet, frame 6847, in its data field.

The return code is Hardware error (0x01), a hardware error, as introduced in the protocol section above.


flag{010400100100}

Hacker's carelessness:

2019 Industrial Information Security Skills Competition, Harbin Station: Hacker's Carelessness

A hacker accidentally left such a file behind after the intrusion. Please analyze the file to trace the source and find the hacker's mailbox. The flag format is flag{email account}.

Opening the file in 010 Editor shows it is a PNG; change the suffix. The words WATCHIN YUR SCREENZ are visible in the picture.

Search GitHub for this known image: it comes from the gcat program.


flag{[email protected]}

Industrial control protocol data analysis:

2020 Industrial Information Security Skills Competition, Huzhou Station: Industrial Control Protocol Data Analysis

The operation and maintenance personnel discovered that the intranet control system of an industrial control environment had been breached. The attachment is a message captured on site. Please analyze the message to find out what information the hacker obtained. The flag format is flag{}.

Filtering on the S7comm protocol, binary such as 01100110 is found in the Data field.


Continue with the filter rule: (s7comm) && (s7comm.param.func == 0x05) && (s7comm.header.rosctr == 1)


011001100110110001100001011001110111101101100110011011000110000101100111010111110110100101110011010111110110100001100101011100100110010101111101


flag{flag_is_here}
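Several of the questions above come down to spotting the same marker in a different encoding: the hex 666c6167 / 666c61677b (the "remember it" note and the strings | grep questions), the binary 01100110... in this question, and a Base64 blob that decodes to a picture (the MMS and abnormal traffic questions). As an added example that is not from the original post, the following Python scans an arbitrary blob (a pcap, a project file, a strings dump) for all three at once. The regexes, thresholds and the sample blob are my own; the blob is constructed in the script, not taken from any of the challenge files.

```python
import base64
import binascii
import re

MARKER = b"flag{"
HEX_RUN = re.compile(rb"[0-9a-fA-F]{8,}")
BIN_RUN = re.compile(rb"(?:[01]{8}){4,}")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg"}


def hex_decodings(token: bytes):
    """Decode a hex run at both byte alignments: one adjacent hex-looking char shifts every pair."""
    for start in (0, 1):
        part = token[start:]
        part = part[:len(part) - len(part) % 2]
        if len(part) >= 8:
            yield bytes.fromhex(part.decode("ascii"))


def find_hex_flags(blob: bytes):
    """Hex runs (the 666c61677b pattern) that decode to text containing the marker."""
    return [raw.decode("ascii", "replace") for m in HEX_RUN.finditer(blob)
            for raw in hex_decodings(m.group()) if MARKER in raw]


def find_binary_flags(blob: bytes):
    """Runs of 8-bit groups (the 01100110 pattern) that decode to text containing the marker."""
    out = []
    for m in BIN_RUN.finditer(blob):
        bits = m.group().decode("ascii")
        raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
        if MARKER in raw:
            out.append(raw.decode("ascii", "replace"))
    return out


def find_base64_images(blob: bytes):
    """(kind, bytes) for every Base64 run that decodes to a PNG or JPEG header."""
    out = []
    for m in B64_RUN.finditer(blob):
        token = m.group()
        token += b"=" * (-len(token) % 4)                 # tolerate stripped padding
        try:
            raw = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue
        for magic, kind in IMAGE_MAGIC.items():
            if raw.startswith(magic):
                out.append((kind, raw))
    return out


def scan(blob: bytes) -> dict:
    return {"hex": find_hex_flags(blob), "binary": find_binary_flags(blob),
            "images": [kind for kind, _ in find_base64_images(blob)]}


# Constructed sample blob: noise, a hex-encoded marker, a binary-encoded marker and a Base64 PNG header
_png = b"\x89PNG\r\n\x1a\n" + bytes(32)
SAMPLE = (b"\x00\x00junk\n" + b"flag{hex_demo}".hex().encode() + b"\n\xff\xff"
          + "".join(f"{b:08b}" for b in b"flag{bin_demo}").encode() + b"\n"
          + base64.b64encode(_png) + b"\n\x00")

if __name__ == "__main__":
    print(scan(SAMPLE))
    for kind, raw in find_base64_images(SAMPLE):
        with open(f"recovered.{kind}", "wb") as fh:
            fh.write(raw)
```

Run it on a real file with `scan(open("6.pcap", "rb").read())`. The double-alignment decode in `hex_decodings` is the part worth keeping: when the hex run is glued to a neighbouring hex-looking character in a strings dump, a single-alignment decoder silently turns the flag into garbage, which is exactly the situation the `grep -E "^.{10}$"` trick above works around by hand.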


Source: blog.csdn.net/Aluxian_/article/details/134825076