CN111327636B - S7-300PLC private protocol reverse method relating to network security - Google Patents

Publication number: CN111327636B (application CN202010160469.7A; earlier publication CN111327636A)
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 赵金雄, 张驯
Original assignee and current assignee: Northwestern Polytechnical University
Legal status: Expired - Fee Related
Prior art keywords: s7comm, protocol, interactive, data packet, request

Classifications

All classes fall under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment (under H04L63/14, detecting or protecting against malicious traffic, and H04L63/00, network security)
    • H04L43/18 Protocol analysers (under H04L43/00, arrangements for monitoring or testing data switching networks)
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides an S7-300 PLC proprietary protocol reverse-engineering method relating to network security. It comprises the steps of establishing an S7comm communication session with a PLC using Step7; capturing the request-response packet sequence corresponding to each interaction behaviour; analysing the interaction logic, field meanings and filling specifications of the S7comm protocol according to the protocol standard and the correspondence between interaction behaviours and packet sequences; extending the function codes of the S7 service interaction framework in Conpot according to the reverse analysis result; and judging the accuracy of the reverse result from the correctness of the S7comm service simulation unit's response to each interaction request. The invention greatly improves both the efficiency of reversing the proprietary protocol of Siemens S7-300 PLC equipment and the reliability of the protocol reverse result.

Description

S7-300PLC private protocol reverse method relating to network security
Technical Field
The invention relates to the field of industrial control system security research, and in particular to a reverse-engineering method for a PLC proprietary protocol that serves the simulation of that protocol.
Background
A PLC (Programmable Logic Controller) is a low-level control device in critical infrastructure, and its security bears on the stable operation of the whole control system. The S7 series PLCs produced by the German company Siemens are compact, fast, network-capable and highly reliable, and are very widely used in China's industrial control sector. In recent years, as traditional industry has begun to move towards informatisation, digitisation and intelligent manufacturing, the information security problems of industrial control systems have become more prominent as the level of informatisation rises. The ways in which PLCs are attacked by hackers are becoming more diverse by the day, the number of trojan and virus variants keeps increasing, and the safe and stable operation of industrial control systems and the safety of people and property are threatened.
Honeypot technology is an active technique for detecting security threats: it lures an attacker into intruding into a virtual system set up as bait, then captures and analyses the attacker's threat behaviour, so that the tools and methods the attacker uses become known and defenders are helped to master the threat. Applying honeypot technology to the security protection of industrial control systems, and developing a honeypot system oriented towards the Siemens S7-300 PLC, can effectively improve the threat perception and emergency response capabilities of industrial enterprises.
Communication between the Siemens S7-300 PLC and the outside world is based on the enterprise's proprietary S7comm protocol, so a honeypot system facing PLC equipment needs to support as many S7comm service types as possible; this raises the fidelity of the PLC honeypot system, prolongs the attacker's dwell time, and captures more threat behaviour data.
Therefore, in the field of industrial control system security research, mastering a reverse-engineering method for proprietary industrial control protocols is important. On one hand, it lets researchers review the soundness of a protocol specification from the perspective of the security of the protocol's communication process; on the other hand, the reverse result of a proprietary industrial control protocol can effectively help raise the fidelity of a PLC honeypot system.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides an S7-300 PLC proprietary protocol reverse-engineering method relating to network security. The method is based on the typical Siemens PLC engineering software Step7 (the "upper computer" software running on the host PC), the open source honeypot framework Conpot and the common network packet capture tool Wireshark, and can effectively verify the reliability of the protocol reverse result.
The technical solution adopted by the invention to solve the technical problem comprises the following steps:
S1. Establish an S7comm communication session with the PLC using Step7.
S2. Interaction experiment stage: capture the request-response packet sequence corresponding to each interaction behaviour.
S3. Reverse analysis stage: analyse the interaction logic, the meaning of each field and the filling specification (how each field is populated) of the S7comm protocol, according to the S7comm protocol standard and the correspondence between interaction behaviours and packet sequences. Specifically:
After establishing an S7comm session between the devices, Wireshark is used to record the interaction sequence data for each protocol interaction behaviour. The captured sequence data is analysed and consolidated according to its correspondence with the interaction behaviour and according to the S7comm protocol standard, so as to restore the S7comm communication interaction sequence logic and to extract the key feature fields and the filling specification of each field.
Restoring the communication interaction sequence logic comprises the following steps:
1) The S7comm protocol supports a variety of service operations between client and server, including the client establishing a communication connection with the server, reading and writing specific information on the server, uploading and downloading programs, and PLC control and PLC stop commands. Each service operation request of the client is sent to the server as a sequence of request packets, and the server extracts the function code representing the actual operation intention from a specific field of the request packet that carries that intention. Once the client's intention is determined, the server returns a response packet corresponding to the operation result; the response packet carries the function code indicating which service operation request it answers, and its encapsulation also conforms to the S7comm protocol specification.
2) On the basis of 1), analyse the interaction sequence data for each protocol interaction behaviour. For example, when Step7 is used to issue a communication establishment request, Wireshark captures the packets, and the interaction sequence data for the connection establishment behaviour is obtained from them. The time order of the request-response packets in this sequence represents the interaction logic that completes the behaviour. Check which packets in the sequence are fixed and unchanging and which data within the packets are variable; the packets containing variable fields are then processed further.
3) Deduce the position of the S7comm function code in the packet from the encapsulation specification of the network packet and of the S7comm protocol packet, and extract the function code corresponding to the behaviour. Then repeat the interaction behaviour multiple times with Step7 against real PLC equipment to progressively refine the range and the functional meaning of each fixed and variable field in the S7comm packet.
Finally, record the analysed interaction logic and the filling specification of each field to form the protocol reverse analysis result.
S4. Test verification preparation stage: according to the reverse analysis result of the S7comm protocol, extend the function codes of the S7 service interaction framework in Conpot. Specifically:
The main body of the S7 service interaction framework in Conpot is a network communication program module that simulates the server side of the S7comm protocol and interacts with requesters that use S7comm as their communication mode. However, the program logic implemented in the framework only supports establishing an S7comm communication session with the requester and cannot effectively respond to subsequent S7comm requests, i.e. the S7comm services are only narrowly implemented.
On this basis, the generated protocol reverse analysis results, comprising the S7comm communication interaction sequence logic and the filling specifications of the extracted feature fields, are sorted through. The program logic for each S7comm service, together with the associated packet unpacking and packing processes, is designed according to the service and the extracted feature fields, and is added one service at a time to the S7 service interaction framework already implemented in Conpot to complete the original program module. More S7comm requests can then be answered, which facilitates the subsequent testing and verification of the protocol reverse results.
S5. Test and verification: establish a communication session with the S7comm service simulation unit using Step7, and judge the accuracy of the reverse result from the correctness of the simulation unit's response to each interaction request. The specific steps are:
First case: when Step7 issues the function code of a communication establishment request to real PLC equipment and receives a correctly formatted response packet, the software interface reports that the connection was established successfully; the responses to other types of function codes likewise produce their own forms of feedback in the Step7 client. Accordingly, when the S7comm service simulation unit receives an S7comm interaction request, it responds according to the pre-designed program interaction logic. If the feedback shown by the Step7 client for the corresponding function code matches the feedback obtained from the real PLC equipment, the response to the interaction request is correct, the reverse result is accurate, and the operation ends.
Second case: if the Step7 client does not display the feedback for the corresponding function code normally, or the displayed feedback differs from that of the real PLC equipment, the response to the interaction request is wrong. Then capture the packet sequence of the interaction with Wireshark, obtain the corresponding packet sequence from the real PLC equipment through the same request and response exchange, and form an error report by comparing and marking the key feature fields and their filling specifications, for example whether the ranges of the fixed fields, the function code numbers and the variable fields in the response packet returned by the S7comm service simulation unit agree with those in the response packet returned by the real PLC equipment. The report thus indicates, for each wrongly fed-back field, that its range was misjudged during packing, that the packed data is unreasonable, and so on. On this basis, the problems in the implemented interaction logic and response packet packing process are corrected, and the range, functional meaning and packing specification of each field of the function code packet in the reverse result analysis report are updated.
S6. Execute S1 to S5 iteratively until the feedback that the Step7 client displays for the S7comm service simulation unit's response to a given service operation request matches the real PLC equipment, which shows that the reverse result for that service is essentially correct, and the iteration terminates. Each service contained in the S7comm protocol is reverse-analysed and verified in turn using the reverse scheme formed by the closed loop of the five steps S1 to S5; the analysis process is detailed in step S3.
When the S7comm communication session with the PLC is established using Step7 in S1, the IP address of the PC on which the Step7 software and the Wireshark packet capture tool are installed must be configured in the same network segment as the S7-300 PLC.
In S2, the request-response packet sequence corresponding to each interaction behaviour is captured with the Wireshark packet capture tool.
The beneficial effect of the method is that, by analysing the correspondence between specific S7comm protocol interaction behaviours and the interaction data, the efficiency of reversing the proprietary protocol of Siemens S7-300 PLC equipment is greatly improved. At the same time, the S7 interaction service framework of the open source honeypot Conpot is introduced, and an S7 service simulation unit is constructed from the reverse result obtained by manual analysis in order to verify the accuracy of the protocol reverse result. For problems in the reverse result, the differences between the response data of the S7 service simulation unit and of the real device can be compared to help correct the reverse result quickly, which greatly improves the reliability of the protocol reverse result. In addition, although all Siemens S7 series PLC devices use the S7comm protocol as their application-layer communication protocol, the application-layer data content and packing format differ between product models; besides supporting the protocol reverse process of the Siemens S7-300 PLC, the method is therefore also applicable to other industrial control devices that communicate according to the S7comm protocol standard.
Drawings
Fig. 1 is the Siemens S7comm protocol reverse scenario framework of the present invention.
Fig. 2 is a packet header format diagram of the S7comm protocol of the present invention.
Fig. 3 is a communication flow diagram of the S7comm protocol of the present invention.
Detailed Description
The invention is further illustrated with reference to the following figures and examples.
An S7-300 PLC proprietary protocol reverse-engineering method relating to network security comprises the following steps:
S1. Establish an S7comm communication session with the PLC using Step7.
S2. Interaction experiment stage: capture the request-response packet sequence corresponding to each interaction behaviour.
S3. Reverse analysis stage: analyse the interaction logic, the meaning of each field and the filling specification (how each field is populated) of the S7comm protocol, according to the S7comm protocol standard and the correspondence between interaction behaviours and packet sequences. Specifically:
After establishing an S7comm session between the devices, Wireshark is used to record the interaction sequence data for each protocol interaction behaviour. The captured sequence data is analysed and consolidated according to the S7comm protocol standard and according to its correspondence with the interaction behaviour (for example, the session establishment process has its own specific interaction sequence data, which differs from that of the session disconnection process), so as to restore the S7comm communication interaction sequence logic and to extract the key feature fields and the filling specification of each field.
Restoring the communication interaction sequence logic comprises the following steps:
1) The S7comm protocol supports a variety of service operations between client and server, including the client establishing a communication connection with the server, reading and writing specific information on the server, uploading and downloading programs, and PLC control and PLC stop commands. Each service operation request of the client is sent to the server as a sequence of request packets, and the server extracts the function code representing the actual operation intention from a specific field of the request packet that carries that intention; as shown in Table 2, the function code of the Read service operation is 4. Once the client's intention is determined, the server returns a response packet corresponding to the operation result; the response packet carries the corresponding function code (see Table 1) indicating which service operation request it answers, and its encapsulation also follows the S7comm protocol specification.
2) On the basis of 1), analyse the interaction sequence data for each protocol interaction behaviour. For example, when Step7 is used to issue a communication establishment request, Wireshark captures the packets, and the interaction sequence data for the connection establishment behaviour is obtained from them. The time order of the request-response packets in this sequence represents the interaction logic that completes the behaviour. Check which packets in the sequence are fixed and unchanging and which data within the packets are variable; the packets containing variable fields are then processed further.
3) Deduce the position of the S7comm function code in the packet from the encapsulation specification of the network packet and of the S7comm protocol packet, and extract the function code corresponding to the behaviour. Then repeat the interaction behaviour multiple times with Step7 against real PLC equipment to progressively refine the range and the functional meaning of each fixed and variable field in the S7comm packet.
Finally, the analysed interaction logic and the filling specification of each field are recorded in full to form the protocol reverse analysis result, as shown in Table 1:
TABLE 1 Field resolution of Read function code response packets
[Table 1 is provided in the original as two images, Figure GDA0002975430460000051 and Figure GDA0002975430460000061, and is not reproduced here.]
The functional meaning and value range of every field of the response packet to the client's Read function code are recorded in full; the analysis results for the response packets of the other function codes are similar and are not detailed. Table 2 lists the S7comm function codes contained in the analysis results:
TABLE 2 Function code mapping of the S7comm protocol
Function code | Name                | Description
0             | Diagnostics         | Diagnostics
4             | Read                | Read
5             | Write               | Write
26            | Request_download    | Request download
27            | Download_block      | Download block
28            | End_download        | End download
29            | Start_upload        | Start upload
30            | Upload              | Upload
31            | End_upload          | End upload
40            | PLC_control         | PLC control
41            | PLC_Stop            | PLC stop
240           | Setup_communication | Set up communication
S4. Test verification preparation stage: according to the reverse analysis result of the S7comm protocol, extend the function codes of the S7 service interaction framework in Conpot. Specifically:
The main body of the S7 service interaction framework in Conpot is a network communication program module that simulates the server side of the S7comm protocol and interacts with requesters that use S7comm as their communication mode. However, the program logic implemented in the framework only supports establishing an S7comm communication session with the requester and cannot effectively respond to subsequent S7comm requests, i.e. the S7comm services are only narrowly implemented.
On this basis, the generated protocol reverse analysis results, comprising the S7comm communication interaction sequence logic and the filling specifications of the extracted feature fields, are sorted through. The program logic for each S7comm service, together with the associated packet unpacking and packing processes, is designed according to the service and the extracted feature fields, and is added one service at a time to the S7 service interaction framework already implemented in Conpot to complete the original program module. More S7comm requests can then be answered, which facilitates the subsequent testing and verification of the protocol reverse results.
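As an added illustration of the unpacking and packing logic that stage S4 asks to be designed for each service, the following Python responder answers a Setup_communication Job and a Read Job and rejects everything else with an error. It is example code written for this page, not Conpot's S7 framework and not the patent's implementation; the function names (handle_request, ack_data, wrap, unwrap) are the author's own. It assumes the publicly documented TPKT/COTP/S7comm layouts (protocol id 0x32, ROSCTR, PDU reference, parameter and data lengths, and error class/code in an Ack_Data header) together with the function codes of Table 2. The "PLC memory" it serves, the 240-byte PDU cap and the error code returned for unimplemented functions are constructed assumptions, marked as such in the comments, and the request frames at the bottom are constructed rather than captured.

```python
"""Minimal S7comm server-side responder in the spirit of stage S4.

Example code added for this page; not Conpot's S7 framework and not the
patent's implementation.  Assumptions: the publicly documented TPKT / COTP /
S7comm layouts and the function codes of Table 2.  The served "PLC memory",
the 240-byte PDU cap and the error code for unimplemented functions are
constructed, not taken from a real S7-300.
"""
import struct

PROTO_ID = 0x32
ROSCTR_JOB, ROSCTR_ACK_DATA = 0x01, 0x03
FUNC_READ, FUNC_SETUP_COMMUNICATION = 0x04, 0xF0        # 4 and 240 in Table 2
# Bytes per element for the S7ANY transport sizes handled here (BYTE, CHAR,
# WORD, INT, DWORD, DINT, REAL); anything else is treated as one byte.
ELEM_SIZE = {0x02: 1, 0x03: 1, 0x04: 2, 0x05: 2, 0x06: 4, 0x07: 4, 0x08: 4}

# Constructed content of "DB1" served to Read requests (not real PLC data).
FAKE_DB1 = bytes(range(0x10, 0x20))


def unwrap(frame: bytes) -> bytes:
    """Strip the 4-byte TPKT header and the length-prefixed COTP DT header."""
    if len(frame) < 7 or frame[0] != 0x03:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("TPKT length field does not match the frame length")
    return frame[5 + frame[4]:]


def wrap(pdu: bytes) -> bytes:
    """Prepend a COTP DT header (length 2, type 0xF0, EOT bit set) and a TPKT header."""
    cotp = b"\x02\xf0\x80"
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(cotp) + len(pdu)) + cotp + pdu


def ack_data(pdu_ref: int, param: bytes, data: bytes = b"",
             err_cls: int = 0, err_code: int = 0) -> bytes:
    """Build an Ack_Data PDU: a 12-byte header that echoes the request's PDU reference."""
    hdr = struct.pack(">BBHHHHBB", PROTO_ID, ROSCTR_ACK_DATA, 0, pdu_ref,
                      len(param), len(data), err_cls, err_code)
    return hdr + param + data


def handle_request(frame: bytes) -> bytes:
    """Answer one Job PDU the way the S7comm service simulation unit of S4 would."""
    pdu = unwrap(frame)
    proto, rosctr, _, pdu_ref, plen, _ = struct.unpack(">BBHHHH", pdu[:10])
    if proto != PROTO_ID or rosctr != ROSCTR_JOB:
        raise ValueError("only S7comm Job PDUs are handled")
    param = pdu[10:10 + plen]
    func = param[0]

    if func == FUNC_SETUP_COMMUNICATION:
        # Parameter: F0, reserved, max AmQ calling, max AmQ called, PDU length.
        _, _, amq_calling, amq_called, pdu_len = struct.unpack(">BBHHH", param[:8])
        # Assumption: the simulated CPU caps the negotiated PDU size at 240 bytes.
        resp = struct.pack(">BBHHH", func, 0, amq_calling, amq_called, min(pdu_len, 240))
        return wrap(ack_data(pdu_ref, resp))

    if func == FUNC_READ:
        item_count = param[1]
        data = b""
        for i in range(item_count):
            # S7ANY item: 12 0A 10 <transport> <count:2> <db:2> <area> <bit address:3>
            item = param[2 + 12 * i: 14 + 12 * i]
            transport, count, db, area = struct.unpack(">BHHB", item[3:9])
            byte_offset = int.from_bytes(item[9:12], "big") >> 3
            nbytes = count * ELEM_SIZE.get(transport, 1)
            if area == 0x84 and db == 1 and byte_offset + nbytes <= len(FAKE_DB1):
                payload = FAKE_DB1[byte_offset:byte_offset + nbytes]
                # Item header: return code FF (success), transport 04 (length given in bits).
                data += struct.pack(">BBH", 0xFF, 0x04, len(payload) * 8) + payload
                if len(payload) % 2 and i < item_count - 1:
                    data += b"\x00"                        # odd-length items are padded between items
            else:
                data += struct.pack(">BBH", 0x0A, 0x00, 0)   # 0x0A: object does not exist
        return wrap(ack_data(pdu_ref, bytes([func, item_count]), data))

    # Every other function code: Ack_Data carrying the function code and an error.
    # Assumption: error class 0x81 / code 0x04 (listed as "context not supported"
    # in public dissectors); a real S7-300 may answer differently.
    return wrap(ack_data(pdu_ref, bytes([func]), err_cls=0x81, err_code=0x04))


# Constructed request frames (TPKT + COTP DT + S7comm Job), not captures.
SETUP_COMM_JOB = bytes.fromhex(
    "03 00 00 19 02 f0 80 32 01 00 00 00 01 00 08 00 00 f0 00 00 01 00 01 01 e0")
READ_JOB = bytes.fromhex(   # read 2 bytes of DB1 starting at byte 4 (bit address 0x20)
    "03 00 00 1f 02 f0 80 32 01 00 00 00 02 00 0e 00 00 04 01 12 0a 10 02 00 02 00 01 84 00 00 20")
START_UPLOAD_JOB = bytes.fromhex(   # function code 29 with a deliberately minimal parameter
    "03 00 00 12 02 f0 80 32 01 00 00 00 03 00 01 00 00 1d")

if __name__ == "__main__":
    for name, frame in [("setup", SETUP_COMM_JOB), ("read", READ_JOB), ("upload", START_UPLOAD_JOB)]:
        print(name, handle_request(frame).hex())
```

The Read branch shows where the "filling specification" of S3 matters most: the item length in the response is expressed in bits for transport size 0x04, and odd-length items are padded, two details that a responder written from the request format alone would get wrong.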
S5. Test and verification: establish a communication session with the S7comm service simulation unit using Step7, and judge the accuracy of the reverse result from the correctness of the simulation unit's response to each interaction request. The specific steps are:
First case: when Step7 issues the function code of a communication establishment request to real PLC equipment and receives a correctly formatted response packet, the software interface reports that the connection was established successfully; the responses to other types of function codes likewise produce their own forms of feedback in the Step7 client. Accordingly, when the S7comm service simulation unit receives an S7comm interaction request, it responds according to the pre-designed program interaction logic. If the feedback shown by the Step7 client for the corresponding function code matches the feedback obtained from the real PLC equipment, the response to the interaction request is correct, the reverse result is accurate, and the operation ends.
Second case: if the Step7 client does not display the feedback for the corresponding function code normally, or the displayed feedback differs from that of the real PLC equipment, the response to the interaction request is wrong. Then capture the packet sequence of the interaction with Wireshark, obtain the corresponding packet sequence from the real PLC equipment through the same request and response exchange, and form an error report by comparing and marking the key feature fields and their filling specifications, for example whether the ranges of the fixed fields, the function code numbers and the variable fields in the response packet returned by the S7comm service simulation unit agree with those in the response packet returned by the real PLC equipment. The report thus indicates, for each wrongly fed-back field, that its range was misjudged during packing, that the packed data is unreasonable, and so on. On this basis, the problems in the implemented interaction logic and response packet packing process are corrected, and the range, functional meaning and packing specification of each field of the function code packet in the reverse result analysis report are updated.
S6. Execute S1 to S5 iteratively until the feedback that the Step7 client displays for the S7comm service simulation unit's response to a given service operation request matches the real PLC equipment, which shows that the reverse result for that service is essentially correct, and the iteration terminates. Each service contained in the S7comm protocol is reverse-analysed and verified in turn using the reverse scheme formed by the closed loop of the five steps S1 to S5; the analysis process is detailed in step S3.
When the S7comm communication session with the PLC is established using Step7 in S1, the IP address of the PC on which the Step7 software and the Wireshark packet capture tool are installed must be configured in the same network segment as the S7-300 PLC.
In S2, the request-response packet sequence corresponding to each interaction behaviour is captured with the Wireshark packet capture tool.
Example 1
The communication principle of the S7 protocol and some known protocol packing specifications are as follows:
The S7comm protocol is a proprietary, unpublished protocol integrated inside Siemens S7 series PLCs and belongs to the TCP/IP protocol family. It runs at the application layer and has been specially optimised for communication between Siemens devices or with the outside. The common communication mode of the S7comm protocol is an Ethernet-based client/server mode: the PLC device acts as the server, receiving external access request packets, executing the corresponding service and returning a response packet; the external requester acts as the client, communicating with the PLC, sending request packets and receiving response packets.
A packet communicated over the S7comm protocol is encapsulated by several protocols: the S7 application-layer data is wrapped by the COTP protocol and then by the TPKT protocol before being encapsulated and transmitted by the TCP/IP layer, as shown in Fig. 2.
As shown in Fig. 3, the communication flow between the S7comm server and client is divided into three steps. The first step establishes a COTP connection through a handshake between client and server; the second step performs the S7 communication setup; the third step carries out the request/response interaction of the S7 services, at the end of which the server generates a response message for the specific S7 service.
As shown in Fig. 1, the protocol reverse process for the Siemens S7-300 PLC is divided into three stages, interaction experiment, reverse analysis and test verification, which are described as follows:
Interaction experiment stage. A session connection is established between the Step7 engineering software and the Siemens S7-300 PLC equipment, the interaction data corresponding to each operation behaviour performed from the engineering software is captured with the Wireshark packet capture tool, and the interaction data is stored properly.
Reverse analysis stage. The S7comm communication interaction sequence logic is restored from the correspondence between the captured interaction sequence data and the interaction behaviours, combined with the standard specification of the S7comm protocol published on the Internet; the key feature fields and the filling specification of each field are extracted, forming the protocol reverse analysis result.
Test verification stage. The generated protocol reverse analysis result, including the S7comm communication interaction sequence logic thus grasped and the extracted filling specification of each feature field, is added to the S7 service interaction framework in Conpot to construct an S7comm service simulation unit with greater interaction capability. Step7 is then used to try to establish a communication session with the S7comm service simulation unit, the various operations contained in the reverse result are performed, and the results are checked for correctness. Any incorrect result is compared with the captured interaction data of the real PLC equipment, and the reverse result is corrected.
According to the protocol reverse process for the Siemens S7-300 PLC, the specific operation steps are as follows:
1) Configure the IP address of the PC on which the Step7 engineering software and the Wireshark packet capture tool are installed in the same network segment as the S7-300 PLC, and establish an S7comm communication session with the PLC using Step7;
2) Enter the interaction experiment stage: capture the request-response packet sequence corresponding to each interaction behaviour with the Wireshark packet capture tool and store it;
3) Then enter the reverse analysis stage: combining the known S7comm protocol standard with the correspondence between interaction behaviours and packet sequences, manually analyse the interaction logic, field meanings and filling specification of the S7comm protocol, and record the protocol reverse analysis result;
4) Extend the function codes of the S7 service interaction framework in Conpot on the basis of the S7comm reverse analysis result, so that more S7 service interaction requests are answered, and construct an S7comm service simulation unit with greater interaction capability;
5) Configure the PC IP address and the host IP address of the S7comm service simulation unit in the same network segment, establish a communication session with the simulation unit using Step7, and try to execute each interaction request contained in the reverse result. If a correct response is obtained, the reverse result is accurate. If a correct response cannot be obtained, capture the packet sequence of the interaction with the Wireshark packet capture tool, compare it with the packet sequence from the real device, and correct the problems in the implemented interaction logic or in the response packet packing process;
6) For the many proprietary protocol services supported by S7comm, steps 1) to 5) can be executed iteratively, reverse-analysing each service one by one, which greatly improves the efficiency and accuracy of the reverse process.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks.

Claims (3)

1. An S7-300 PLC proprietary protocol reverse-engineering method relating to network security, characterized by comprising the following steps:
S1, establishing an S7comm-based communication session with the PLC using Step7;
S2, an interaction experiment stage: capturing the request-response packet sequence corresponding to each interactive behaviour;
S3, a reverse analysis stage: analysing the interaction logic, the meaning of each field and the filling rules of the S7comm protocol according to the S7comm protocol standard and the correspondence between interactive behaviours and packet sequences, specifically comprising the following steps:
establishing an S7comm-based communication session between the devices, recording with the network packet-capture tool Wireshark the interaction sequence data corresponding to each protocol interactive behaviour, analysing and integrating the captured interaction sequence data according to its correspondence with the interactive behaviour and according to the S7comm protocol standard, restoring the S7comm communication interaction sequence logic, and extracting the key feature fields and their filling rules;
wherein the restoration of the communication interaction sequence logic comprises the following steps:
1) the S7comm protocol supports a variety of service operations between client and server, including the client establishing a communication connection with the server, reading and writing specific information on the server, uploading/downloading an NC program (a numerical control program) and sending PLC control and stop commands; each client service request is sent to the server as a sequence of request packets; the server extracts the function request code that expresses the actual operation intent from a specific field of the request packet that carries that intent; once the client's intent is determined, the server returns a response packet corresponding to the operation result, in which a corresponding function code identifies which service request is being answered, and the encapsulation of the response packet likewise conforms to the S7comm protocol specification;
2) on the basis of step 1), analysing the interaction sequence data corresponding to each protocol interactive behaviour: according to the correspondence between protocol interactive behaviours and interaction sequence data, when a communication-setup request is executed with the Step7 software, Wireshark captures the packets and the interaction sequence data corresponding to the communication-setup behaviour is obtained from them; the time order of the request-response packets in that data represents the interaction logic needed to complete the behaviour; it is checked which packets in the sequence are fixed and invariant and which data within the packets varies, and the packets containing variable fields are then processed further;
3) deducing the position of the S7comm function code in the packet from the encapsulation rules of the network packet and of the S7comm protocol packet, extracting the function code corresponding to the behaviour, and then repeating the interactive behaviour several times with Step7 and the real PLC device to progressively refine the range and functional meaning of each fixed field and each variable field in the S7comm protocol packet;
and finally recording the analysed interaction logic and the filling rules of each field to form the protocol reverse-analysis result;
S4, a test-verification preparation stage: extending the function codes of the S7 service interaction framework in Conpot according to the S7comm reverse-analysis result, the specific extension steps being as follows:
the main body of the S7 service interaction framework in Conpot is a network communication program module responsible for simulating the server side of the S7comm protocol and interacting with a requester that uses S7comm as its communication protocol; however, the program logic implemented by the framework only supports establishing an S7comm-based communication session with the requester and cannot effectively respond to subsequent S7comm protocol requests, which shows that the S7comm protocol services are implemented only to a limited extent;
on this basis, the generated protocol reverse-analysis result, comprising the S7comm communication interaction sequence logic and the filling rules of the extracted feature fields, is organised; from it, the program implementation logic for each S7comm protocol service and for the associated packet unpacking and packing processes is designed and added, service by service, to the S7 service interaction framework already implemented in Conpot, so as to complete the original program module, allow more S7comm protocol requests to be answered, and facilitate the subsequent test and verification of the reverse results;
S5, test verification: establishing a communication session with the S7comm service simulation unit using Step7, and judging the accuracy of the reverse result by the correctness of the simulation unit's response to each interactive request; the specific operation steps are as follows:
first target: when the Step7 host computer software sends the communication-setup request function code to the real PLC device and receives a correctly formatted response packet, the software interface reports that the communication connection has been established, and the responses to other types of function code produce different forms of feedback in the Step7 client; on this basis, when the S7comm service simulation unit receives an S7comm protocol interaction request it responds according to the pre-designed program interaction logic, and if the feedback shown in the Step7 client for the corresponding function code matches the feedback obtained from the real PLC device, the response to the interaction request is correct, the reverse result is accurate, and the operation ends;
second target: if the Step7 client does not display the feedback for the corresponding function code normally, or the feedback displayed differs from that of the real PLC device, the response to the interaction request is wrong; the packet sequence of the interaction is then captured with Wireshark, the corresponding packet sequence is obtained from the real PLC device in the same request/response manner, and an error report is formed by comparing and marking the key feature fields and their filling rules, for example whether the fixed fields, function code number and variable field ranges in the response packet returned by the S7comm service simulation unit agree with those in the response packet returned by the real PLC device; the feedback error in a field is thus attributed to a misjudged field range during packing, to unreasonable packed data, and so on; on this basis the problems in the implemented interaction logic and response-packet packing process are corrected, and the range, functional meaning and packing rules of each field of the function-code packet in the reverse-result analysis report are updated;
S6, executing S1 to S5 iteratively until the feedback of the S7comm service simulation unit shown in the Step7 client for a given service operation request matches that of the real PLC device, which indicates that the reverse result for that service is correct, at which point the iteration terminates; reverse analysis and correctness verification are carried out in turn for each service contained in the S7comm protocol using the reverse-engineering scheme formed by the closed loop of the five steps S1 to S5.
2. The S7-300 PLC proprietary protocol reverse-engineering method relating to network security of claim 1, wherein:
when the S7comm-based communication session with the PLC is established using Step7 in S1, the IP address of the PC running the host computer software Step7 and the network packet-capture tool Wireshark is configured in the same network segment as the S7-300 PLC.
3. The S7-300 PLC proprietary protocol reverse-engineering method relating to network security of claim 1, wherein:
in S2, the request-response packet sequence corresponding to each interactive behaviour is captured with the Wireshark packet-capture tool.
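The capture-and-compare work of the reverse analysis stage (steps 2) and 3) of the operation steps above, and step S3 of claim 1), as an added example in Python that is not code from the patent or from Conpot: it decodes S7comm frames as they appear on TCP port 102 (TPKT, then COTP, then the S7comm PDU), extracts the function code that identifies the service request, and marks which byte offsets vary across repeated captures of the same behaviour. All frames, PDU references and helper names are constructed for the example; header layouts and function-code names follow the Wireshark s7comm dissector.

```python
# Added example, not code from the patent or from Conpot: decode constructed
# S7comm frames, pull the function code out of the parameter block, and mark
# which byte offsets stay fixed across repeated captures of one behaviour.

# Function codes and ROSCTR (PDU type) values as named by the Wireshark s7comm dissector.
S7_FUNCTIONS = {0xF0: "Setup communication", 0x04: "Read Var", 0x05: "Write Var",
                0x1A: "Request download", 0x1D: "Start upload",
                0x28: "PLC Control", 0x29: "PLC Stop"}
ROSCTR = {1: "Job", 2: "Ack", 3: "Ack-Data", 7: "Userdata"}

def parse_s7comm(frame: bytes) -> dict:
    """Strip the TPKT (4 bytes) and COTP DT headers, then decode the S7comm PDU."""
    if len(frame) < 7 or frame[0] != 0x03:
        raise ValueError("not a TPKT frame")
    if int.from_bytes(frame[2:4], "big") != len(frame):
        raise ValueError("TPKT length field does not match the frame")
    cotp_len = frame[4]                       # COTP length indicator, 2 for a DT PDU
    if frame[5] != 0xF0:                      # 0xF0 = COTP Data (DT) PDU
        raise ValueError("not a COTP data PDU")
    s7 = frame[5 + cotp_len:]
    if len(s7) < 10 or s7[0] != 0x32:         # 0x32 = S7comm protocol id
        raise ValueError("missing S7comm protocol id")
    rosctr = s7[1]
    hdr_len = 12 if rosctr in (2, 3) else 10  # Ack / Ack-Data carry error class + code
    param_len = int.from_bytes(s7[6:8], "big")
    data_len = int.from_bytes(s7[8:10], "big")
    params = s7[hdr_len:hdr_len + param_len]
    return {
        "rosctr": ROSCTR.get(rosctr, f"unknown({rosctr})"),
        "pdu_ref": int.from_bytes(s7[4:6], "big"),
        "error": tuple(s7[10:12]) if hdr_len == 12 else (0, 0),
        "function": params[0] if params else None,
        "function_name": S7_FUNCTIONS.get(params[0], "unknown") if params else None,
        "params": params,
        "data": s7[hdr_len + param_len:hdr_len + param_len + data_len],
    }

def fixed_and_variable_offsets(frames):
    """Byte offsets identical in every capture of one behaviour, and those that differ."""
    n = min(len(f) for f in frames)
    fixed = [i for i in range(n) if len({f[i] for f in frames}) == 1]
    return fixed, [i for i in range(n) if i not in fixed]

def setup_comm_job(pdu_ref: int) -> bytes:
    """Constructed 'Setup communication' Job (function 0xF0) with the given PDU reference."""
    s7 = bytes([0x32, 0x01, 0, 0]) + pdu_ref.to_bytes(2, "big") + bytes([0, 8, 0, 0])
    s7 += bytes([0xF0, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0xE0])  # AMQ 1/1, PDU length 480
    return bytes([3, 0]) + (7 + len(s7)).to_bytes(2, "big") + bytes([2, 0xF0, 0x80]) + s7

# Constructed Ack-Data reply negotiating a 240-byte PDU, and a Read Var Job for one byte at M0.0.
SETUP_ACK = bytes.fromhex("0300001b02f080" "320300000400000800000000" "f0000001000100f0")
READ_VAR_JOB = bytes.fromhex("0300001f02f080" "320100000500000e0000" "0401120a10020001000083000000")

def analyse_capture() -> dict:
    """Three repeated setup jobs: only the low byte of the PDU reference (offset 12) varies."""
    jobs = [setup_comm_job(ref) for ref in (0x0400, 0x0401, 0x0402)]
    _fixed, variable = fixed_and_variable_offsets(jobs)
    return {"setup": parse_s7comm(jobs[0]), "ack": parse_s7comm(SETUP_ACK),
            "read": parse_s7comm(READ_VAR_JOB), "variable_offsets": variable}

if __name__ == "__main__":
    result = analyse_capture()
    print({k: (v["rosctr"], v["function_name"]) for k, v in result.items() if k != "variable_offsets"})
    print("variable offsets across repeated setup jobs:", result["variable_offsets"])
```

The same offset comparison applied to a simulation unit's reply and the real PLC's reply is the field-by-field check that step S5 describes when a Step7 operation fails against the simulated server.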
CN202010160469.7A 2020-03-10 2020-03-10 S7-300PLC private protocol reverse method relating to network security Expired - Fee Related CN111327636B (en)

Publications (2)

Publication Number Publication Date
CN111327636A (en) 2020-06-23
CN111327636B (en) 2021-05-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210507
