Attacking PLCs by PLC in deep

CHENG LEI

GEWU LAB@NSFOCUS

chengleim19@Hotmail.com

Introduction of PLCs Attacking

Siemens PLC Protocol

Schneider PLC Protocol

Rockwell AB PLC Protocol

Attacking PLCs by PLC

• Replay attacks have been widely used in PLC attacks.

• Get the communication sequence packets with the help of Wireshark

S7-300

• S7-200,S7-300,S7-400 using the S7Comm protocol

S7-1500

S7-1200

• S7-1200v3.0 using the early S7CommPlus protocol

• S7-1200v4.0, S7-1500 using the current encrypted S7CommPlus protocol

• The current S7CommPlus protocol including the S7CommPlus Connection packets and S7CommPlus Function packets has a similar structure.

• 1. First Connection Setup Request• 2. Frist Connection Setup Response• 3. Second Connection Setup Request• 4. Function Packet—Stop PLC

• Using reverse debugging techniques, we found these encryption is calculated by TIA Portal through a file named OMSp_core_managed.dll

1. Connection packet encryption

Input parameter for this encryption is a random value array generated by

the PLC in the first connection response packet.

Using XOR (we call this Encryption1), the first encryption can be calculated with the input

parameter Value Array.

Encryption1 First EncryptionValue Array

（1） First encryption in the connection packet

（2）Second encryption in the connection packet

Using the result of the first encryption as input parameter, the second encryption is

calculated through a more complex Siemens-private algorithm.

Encryption2 Second EncryptionFirst Encryption

2. Function packet encryption

A fixed field array with Session ID is the input parameter. A complex algorithm (we call

this Encryption3) is used to calculated the encryption result as follow:

Encryption3 Function Encryption

ConstanArray

(with Session ID)

ModBus/TCP

Port: 502

Function Code : 90

Unity Pro

1. Get Session ID2. Run PLC Packet3. Stop PLC Packet4. Write DO Value

For DO Value Write Packet, the first byte is the Session ID, the second byte is the function code, 0x50 means write digital value, the 22nd byte is the address and the 29th byte is the value.

EtherNet/IP&CIP

Port: 44818

RSLogix

1. EtherNet/IP Connection Packet

The EtherNet/IP connection is shown above, it has 4 ENIP packets, with the “Command” 0x0001(Unknown),

0x0004(ListServices), 0x0064(ListInterfaces) and 0x0065(Register Session). There is a Session ID in the

response packet of Register Session Request packet, as shown below

2. CIP Connection Packet

When EtherNEt/IP successfully connected, then send a CIP Connection Manager packet, as shown below

After sending the CIP CM request packet, the PLC will send a CIP CM response packet, as shown below

The O->T Network Connection will play the part as Session ID in the following CIP function packet

Following the CIP connection Manager connection is the CIP connection, there

are totally 6 packets in this CIP connection procedure.

Every Connection packet use the O->T Network Connection ID and Originator

Serial Number from CIP Connection Manager Response packet, as shown in

the red box and blue box of the figure below. Every CIP Packet use Sequence

Count as the sequence of the communication, as shown in the green box below.

3. Run PLC packet

The red box is the O->T

Network Connection ID and the

blue box is the Originator Serial

Number both in the CIP

Connection Manager

Response packet. The green

box is the Sequence Count.

The yellow one “0x55, 0x01”is

the run PLC function code.

4. Stop PLC Packet

The red box is the O->T

Network Connection ID

and the blue box is the

Originator Serial Number

both in the CIP Connection

Manager Response packet.

The green box is the

Sequence Count. The

yellow one “0xf1, 0x01”is

the stop PLC function code.

5. Write Digital Value packet

The red box is the O->T

Network Connection ID and the

blue box is the Originator Serial

Number both in the CIP

Connection Manager Response

packet. The green box is the

Sequence Count. The yellow

one is the function code. Purple

one is the address and orange

one is the value.

• TCP, Port 502, Port 44818

– All Schneider PLCs use port 502 for

TCP communication

– All AB PLCs use port 44818 for TCP

communication

• TCON、TDISCON

– TCON：To establish TCP connection

with other device

– TDISCON：Disconnect the

established TCP connections.

• TCP

– Using the Modbus protocol and

the CIP protocol to play replay

attack to the PLCs inside the net

• TSEND, TRCV

– TSEND：Send TCP data

– TRCV：Receive TCP data

• Packets message in DB block

– Leave the detecting and attacking

packets message in DB block.

PLC detection and finally send the PLCs’ information like IP and Port to C&C server.

Attacking Schneider and AB PLCs.

THANK YOU