
利用nmap入侵北海道大学

漏洞说明

NMAP通用型发现脚本

tcp版本

http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover.nse_.txt

udp版本

http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover-udp.nse_.txt
-- Nmap Scripting Engine
-- required packages for this script
--
local bin = require "bin"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

--Output Example:
--PORT STATE SERVICE REASON
--5006/udp open Mitsubishi/Melsoft udp syn-ack
--| melsecq-discover:
--|_ CPUINFO: Q03UDECPU


-- NSE script metadata. These four globals are read by the Nmap engine
-- (script selection by category, `--script-help` output) and therefore
-- stay global on purpose -- do not make them `local`.
description = [[
discovery Mitsubishi Electric Q Series PLC
GET CPUINFO
]]


author = "ICS Security Workspace(plcscan.org)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- "intrusive" because the action below sends a crafted request frame to the
-- PLC rather than only observing traffic.
categories = {"discovery","intrusive"}

--- Record the port as open and label its service as a Mitsubishi Q PLC.
-- Fills in the port's version fields and then pushes both the version and
-- the "open" state back to Nmap for this host/port pair.
-- @param host nmap host table
-- @param port nmap port table (its `version` sub-table is modified)
function set_nmap(host, port)
  local version = port.version
  version.name = "Mitsubishi/Melsoft Udp"
  version.product = "Mitsubishi Q PLC"
  port.state = "open"
  -- publish version first, then state, as the original ordering did
  nmap.set_port_version(host, port)
  nmap.set_port_state(host, port, "open")
end

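--- Send one request on an already-connected nmap socket and return the reply.
-- On failure the fixed error strings below are returned as the first value
-- (the caller in this file inspects the reply's first byte, and neither error
-- string starts with the 0xd7 it expects), with the socket layer's own error
-- message as a second value so it can be logged.
-- @param socket connected nmap socket
-- @param query  raw bytes to send
-- @return reply string on success; otherwise an error string followed by the
--   underlying socket error message.
function send_receive(socket, query)
  local sendstatus, senderr = socket:send(query)
  -- `not` rather than `== false` so a nil status is treated as failure too
  if not sendstatus then
    return "Error Sending getcpuinfopack", senderr
  end
  local rcvstatus, response = socket:receive()
  if not rcvstatus then
    -- nmap socket API: when the status is false the second value is the
    -- error message, not data
    return "Error Reading getcpuinfopack", response
  end
  return response
end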

-- Run the action against UDP port 5006, or against any UDP port whose service
-- Nmap has already named "Melsoft/TCP"
-- (shortport.port_or_service(ports, services, protos)).
portrule = shortport.port_or_service(5006, "Melsoft/TCP", "udp")
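--- Script action: ask the target for its CPU type and report it.
-- Connects to host:port, sends one fixed request frame and, when the reply
-- starts with the expected byte 0xd7, reads the NUL-terminated string at byte
-- offset 42 of the reply as the CPU type. Only the first 16 characters are
-- reported (e.g. "Q03UDECPU" in the output example above).
-- @param host nmap host table
-- @param port nmap port table
-- @return stdnse output table with a CPUINFO field, or nil when the target
--   could not be reached or did not answer in the expected form.
action = function(host, port)
  -- Fixed request frame, given as hex. The field layout of this frame is not
  -- documented here; the three pieces are concatenated exactly as in the
  -- original script. NOTE(review): the `bin` library has been removed from
  -- recent Nmap releases in favour of string.pack/string.unpack -- confirm the
  -- Nmap version this script is expected to run on.
  local getcpuinfopack = bin.pack("H",
    "57000000001111070000ffff030000fe03000014001c080a080000000000000004"
    .. "0101"
    .. "010000000001")
  -- 1-based byte offset of the NUL-terminated CPU type string in a reply, and
  -- the number of characters of it that are reported.
  local CPUINFO_OFFSET = 42
  local CPUINFO_MAXLEN = 16

  local sock = nmap.new_socket()
  local constatus, conerr = sock:connect(host, port)
  if not constatus then
    -- host.ip rather than the host table: a table is not a valid %s argument
    -- on every Lua version Nmap has shipped with.
    stdnse.print_debug(1,
      'Error establishing connection for %s - %s', host.ip, conerr)
    return nil
  end

  -- send_receive returns the raw reply, or a short error string on failure.
  -- An error string never begins with 0xd7, so it takes the "no answer" path
  -- below. The socket is closed before parsing so that a parse error cannot
  -- leak it.
  local response = send_receive(sock, getcpuinfopack)
  sock:close()

  -- First byte of the reply. When the data is too short bin.unpack returns
  -- only the new position, leaving pack_head nil.
  local _, pack_head = bin.unpack("C", response, 1)
  if pack_head ~= 0xd7 or #response < CPUINFO_OFFSET then
    return nil
  end

  local _, cpuinfo = bin.unpack("z", response, CPUINFO_OFFSET)
  if type(cpuinfo) ~= "string" then
    -- reply was long enough to index but no string could be read there
    return nil
  end

  local output = stdnse.output_table()
  output["CPUINFO"] = string.sub(cpuinfo, 1, CPUINFO_MAXLEN)
  set_nmap(host, port)
  return output
end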

漏洞证明

Web部分截图:

首页

趋势图

测点信息

利用NMAP脚本识别的信息:



