当前位置:网站首页>Lua script Wireshark plug-in to resolve third-party private protocols

Lua script Wireshark plug-in to resolve third-party private protocols

2022-07-25 23:51:00 wespten

One 、 Industrial control private agreement

There are many standards for communication protocols in industrial control systems , There are also numerous private agreements , If you have ever used configuration software , You will find out , In the first step, in addition to connecting devices, Ethernet / Serial and other methods , Basically, each company has its own private communication protocol .

  The picture above shows , some SCADA Software driven configuration interface .

As we all know, common industrial control protocols do not encrypt in the process of transmission 、 There is no certification on the agreement , Often through protocol analysis , And form some test cases to achieve the effect of abnormal operation for the equipment supporting the protocol in a specific operating environment .

Such as forced operation of physical output ( Use FINS The agreement attacks Omron (Omron)PLC The physical (I/O) Output )、 Upload and download the program 、 Reset the device status, etc . In this process, in addition to some official agreement documents , image wireshark It also supports a large number of industrial control protocols , You can easily understand the functions of some fields in the Protocol 、 Orders, etc .

Private agreement classification

In many public or private agreements can be divided into the following categories :

Standard agreement : An international standard or recognized standard agreement , Such as Modbus、DNP3、IEC104 etc. .

Private public : Only the manufacturer's own equipment supports and provides the official agreement documents , Such as Omron FINS agreement 、 Mitsubishi Melsec Agreements, etc .

Private is not public : It is only supported by the manufacturer's own equipment and the official does not provide the agreement documents , Such as S7、 Siemens PPI agreement 、GE SRTP etc. .

Two 、 Use Wireshark Analyze common industrial control protocols

Wireshark It is a powerful open source traffic and protocol analysis tool , In addition to traditional network protocol decoding , It also supports the analysis and decoding of many mainstream and standard industrial control protocols . For this reason, I sorted Wireshark The source code involves protocols related to automatic control packet dissection Implementation code path , For your reference and your own retention .

Protocol type brief introduction Source download
Siemens S7 Siemens PLC Supported communication protocols https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-s7comm.c
MMS(IEC61850) Transmission and distribution communication protocol https://github.com/wireshark/wireshark/tree/master/asn1/mms
GOOSE(IEC61850) Transmission and distribution communication protocol https://github.com/wireshark/wireshark/tree/master/asn1/goose
SV(IEC61850) Transmission and distribution communication protocol https://github.com/wireshark/wireshark/tree/master/asn1/sv
Modbus Industrial control standard agreement https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-mbtcp.c
OPC DA Industrial control standard agreement https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-dcom.c
FF HSE Foundation Fieldbus Ethernet communication protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-ff.c
IEC 104 Transmission and distribution communication protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-iec104.c
Ethernet POWERLINK Open Real-time Ethernet communication https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-epl.c
OPC UAOPC A new generation of standards https://github.com/wireshark/wireshark/tree/master/plugins/opcua/opcua.c
HART-IP High speed addressable remote sensor protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-hartip.c
CoAP Lightweight application layer protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-coap.c
Omron FINS Omron PLC Supported protocols https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-omron-fins.c
openSAFETY Open source security application protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-opensafety.c
EGD(Ethernet Global Data)GE Fanuc by PLC Developed protocols https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-egd.c
DNP3 Distributed network protocol , Mainly used in the power industry https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-dnp.c
Sinec H1 Siemens PLC Supported communication protocols https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-h1.c
Profinet Open industrial Ethernet protocol https://github.com/wireshark/wireshark/tree/master/plugins/profinet/
EtherCAT Germany Beckhoff Open Real-time Ethernet protocol promoted by the company https://github.com/wireshark/wireshark/tree/master/plugins/ethercat/
SERCOS III Real time Ethernet protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-sercosiii.c
RTPS Real time streaming protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-rtps.c
TTEthernet Real time Ethernet protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-tte.c
CDT Telecontrol protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-cdt.c
EtherNet/IP Industrial communication protocol (Industrial Protocol), It's a kind of CIP How to implement , Designed by Rockwell Automation https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-etherip.c
CIP General industrial agreement https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-cip.c
CIP Safety General industrial agreement for safety https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-cipsafety.c
DeviceNet A kind of CIP How to implement , from Allen-Bradley Designed by the company https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-devicenet.c
BACnet Building automation network data communication protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-bacnet.c
KNXnet/IP Residential and building control standards https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-knxnetip.c
Lontalk Ashram's LonWorks The communication protocol used by the technology https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-lon.c
CANopen Control LAN Protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-canopen.c
SAE J1939 A kind of CAN Variants , Suitable for agricultural vehicles and commercial vehicles https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-j1939.c
USITT DMX512-A Light control data transmission protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-dmx.c
BSSAP/BSAP from Bristol Babcock Inc Developed communication protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-bssap.c
Gryphon Vehicle communication protocol https://github.com/wireshark/wireshark/tree/master/plugins/gryphon
ZigBee Open wireless protocol https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-zbee.h

3、 ... and 、wireshark Import third party plug-ins

Together Industrial control Flow analysis CTF topic , Right s7commplus Analyze the flow of . Find out Wireshark I won't support it s7comm-plus Protocol resolution , You need to download the plug-in yourself .

wireshark How to import s7comm-plus plug-in unit ?

s7comm-plus Plug in download address :S7comm Wireshark dissector plugin download | SourceForge.net

You can also move to :

(573 Bar message ) wireshark analysis s7comm-plus plug-in unit - Network basic document resources -CSDN library

Installation mode

take zip Unzip the file and put s7comm-plus.dll Copy the dynamic library to wireshark Install under directory plugins/epan Under the table of contents , restart wireshark that will do .

Four 、 Use Wireshark analysis opcDA/opcUA agreement

1、Wireshark Can't parse opcDA This floor .

2、Wireshark Can't parse opcUA This floor .

resolvent :

edit ——  Preferences ——  senior ( It can also be in protocols Found in opcua To change , It is more convenient to search here ).

add to opcua The port of ——  confirm (OK).

Then select opcua That's all right. .

5、 ... and 、Lua scripting Wireshark plug-in unit

When analyzing the flow of industrial control equipment , adopt Wireshark The built-in protocol decoding plug-in can parse some open protocol data formats , But many manufacturers will not disclose private message formats considering security and product uniqueness . This requires reverse engineering or consulting relevant documents to understand the data format of communication protocol , To write Wireshark Protocol decoding plug-in to analyze unknown industrial network communication data message format .

Protocol analysis

We take the upper computer flow of a domestic industrial control equipment as an example , as follows :

Use Wireshark The captured flow is as follows , It can be seen that the data message is based on TCP Agreed , The port of the lower computer is 500. 

Because the upper computer is C# Written , It can be used dnSpy Quickly navigate to its protocol parsing logic code , By means of static analysis and dynamic debugging, the message format of communication between upper computer and lower equipment is analyzed .

The simple format of the message is as follows , Only the header of message format is analyzed here , But for industrial network communication data analysis , It is enough to identify the business operation corresponding to the message .

Writing a plug-in

Lua Script

For now Wireshark Come on ,C/C Language and Lua Scripting is the mainstream language for plug-ins , about C/C For languages like languages , It is undeniable that it has very high performance , But its compilation configuration is more troublesome , Recompile every change , and Lua Although script parsing efficiency is not as high as the former , But its grammar and modification are very simple , Can improve development efficiency . therefore , Here's the choice Lua As a language for writing plug-ins .

Wireshark Does the software support Lua Check method of plug-in script : start-up Wireshark, In turn, click ” help ”,” About Wireshark“ menu , In the open dialog box ”Wireshark” Look at the version information on the tab , If it is shown as below With Lua, This version supports Lua plug-in unit .

Writing a plug-in

1. Start writing Lua plug-in unit , First, simply define the protocol name and protocol description . 

Echo_protocol=Proto("Echo_500","Echo_500 protocol")

2. Add the name of each field according to different message field types .

pktid = ProtoField.uint32("Echo_500.ID", "ID", base.DEC)
pktlen = ProtoField.uint32("Echo_500.length", "length", base.DEC)
station=ProtoField.uint32("Echo_500.station", "station", base.DEC)
cmd = ProtoField.uint32("Echo_500.cmd", "cmd", base.DEC,cmd_desc)
address = ProtoField.uint32("Echo_500.address", "address", base.DEC)
subcmd = ProtoField.uint32("Echo_500.subcmd", "subcmd", base.DEC,subcmd_desc)
operate = ProtoField.uint32("Echo_500.operate", "operate", base.DEC,operate_desc)
subaddress = ProtoField.uint32("Echo_500.subaddress", "subaddress", base.DEC)
datalen = ProtoField.uint32("Echo_500.datalen", "datalen", base.DEC)
data = ProtoField.bytes("Echo_500.Data", "Data")

3. Build a parser function , According to the offset and size of each field , Display each field .

function Echo_protocol.dissector(buffer,pinfo,tree)
    local length=buffer:len()
    if length<14 then return end
    pinfo.cols.protocol=Echo_protocol.name
    local subtree=tree:add(Echo_protocol,buffer(),"Echo Protocol Data")
    subtree:add(pktid,buffer(0,4))
    subtree:add(pktlen,buffer(4,2))
    subtree:add(station,buffer(6,1))
    subtree:add(cmd,buffer(7,1))
    subtree:add(address,buffer(8,1))
    subtree:add(subcmd,buffer(9,1))
    sub_cmd=buffer(9,1):uint()
    subtree:add(operate,buffer(10,1))
    Operate=buffer(10,1):uint()
    subtree:add(subaddress,buffer(11,2))
    subtree:add(datalen,buffer(13,1))
    if length>14 then
        local databuf=buffer(14,length-14)
        local data_subtree=subtree:add(data,databuf)
    end
end

4. Finally, add the written parser to TCP 500 On port .

local tcp_port=DissectorTable.get("tcp.port")
tcp_port:add(500, Echo_protocol)

The plug-in code is as follows :

--Etrol plugin 
local subcmd_desc={
    [1]="SYSCOM",
    [2]="SCANCOM",
    [3]="EVENCOM",
    [4]="PIDCOM",
    [5]="PIDPARA",
    [6]="SYSMSG",
    [7]="HARTCOM",
    [8]="SYSRESET",
    [17]="DNP3DBCOM",
    [18]="DNP3CHN0COM",
    [19]="ZIGBEECOM",
    [20]="DNP3OTHER",
}
local operate_desc={
    [0]="CLRMOD",
    [1]="READCOM",
    [2]="WRITECOM",
    [4]="WRITEFLASH",
}
local cmd_desc={
    [137]="read/write",
    [144]="PROG_update",
}
Echo_protocol=Proto("Echo_500","Echo_500 protocol")
pktid = ProtoField.uint32("Echo_500.ID", "ID", base.DEC)
pktlen = ProtoField.uint32("Echo_500.length", "length", base.DEC)
station=ProtoField.uint32("Echo_500.station", "station", base.DEC)
cmd = ProtoField.uint32("Echo_500.cmd", "cmd", base.DEC,cmd_desc)
address = ProtoField.uint32("Echo_500.address", "address", base.DEC)
subcmd = ProtoField.uint32("Echo_500.subcmd", "subcmd", base.DEC,subcmd_desc)
operate = ProtoField.uint32("Echo_500.operate", "operate", base.DEC,operate_desc)
subaddress = ProtoField.uint32("Echo_500.subaddress", "subaddress", base.DEC)
datalen = ProtoField.uint32("Echo_500.datalen", "datalen", base.DEC)
data = ProtoField.bytes("Echo_500.Data", "Data")
hex=function(num) return string.format("%#x",num) end
Echo_protocol.fields={pktid,pktlen,station,cmd,address,subcmd,operate,subaddress,datalen,data}
function Echo_protocol.dissector(buffer,pinfo,tree)
    local length=buffer:len()
    if length<14 then return end
    pinfo.cols.protocol=Echo_protocol.name
    local subtree=tree:add(Echo_protocol,buffer(),"Echo Protocol Data")
    subtree:add(pktid,buffer(0,4))
    subtree:add(pktlen,buffer(4,2))
    subtree:add(station,buffer(6,1))
    subtree:add(cmd,buffer(7,1))
    subtree:add(address,buffer(8,1))
    subtree:add(subcmd,buffer(9,1))
    sub_cmd=buffer(9,1):uint()
    subtree:add(operate,buffer(10,1))
    Operate=buffer(10,1):uint()
    subtree:add(subaddress,buffer(11,2))
    subtree:add(datalen,buffer(13,1))
    if length>14 then
        local databuf=buffer(14,length-14)
        local data_subtree=subtree:add(data,databuf)
    end
end
local tcp_port=DissectorTable.get("tcp.port")
tcp_port:add(500, Echo_protocol)

Running plug-ins

in order to Wireshark Load the compiled plug-in , Need to open Wireshark Home directory init.lua file , Make sure disable_lua The value of is false, It turns on lua. At the same time, save the prepared plug-in as echo_500.lua Put it in Wireshark Home directory , stay init.lua Add... To the last line of the file dofile(DATA_DIR…“echo_500.lua”), Load custom plug-ins in this way .

restart Wireshark, Recapture packets , You can see that the protocol has been parsed successfully . It's recognized here that this is a SYSMSG command , Used to read device status .

After every script change , You can use the shortcut key “Ctrl+Shift+L” Reload script , You don't need to restart every time Wireshark Software .

summary

By writing plug-ins to parse third-party private agreements , Help us better understand the interaction between the upper computer and the lower computer . Of course , Some industrial control traffic may be more complex than the examples in this article , It may contain fields such as encryption and signature , It takes longer to reverse analyze , Just understand the message format of protocol data , So it's natural to write plug-ins .

原网站

版权声明
本文为[wespten]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/206/202207252349573940.html

边栏推荐

猜你喜欢

随机推荐