在工控系统中通信协议存在众多标准,也存在众多私有协议,如果你有过使用组态软件的经历,你便会发现,在第一步连接设备时除连接设备的方式有以太网/串行等方式外,各家基本上都存在自己的私有通信协议。
上图为,某SCADA软件驱动配置界面
大家都知道普遍的工控协议在传输的过程不加密、协议上无认证,往往可以通过协议分析,并形成一些测试用例针对特定运行环境下支持该协议的设备达到异常运行的效果。如之前提到过的强制操作物理输出(使用FINS协议攻击欧姆龙(Omron)PLC的物理(I/O)输出)、程序的上传下载、重置设备状态等。而这个过程中除官方提供的一些协议文档外,像wireshark也支持了大量的工控协议,可以很方便的了解协议中的一些字段的功能、命令等。
私有协议分类
在众多公开或私有协议中可分为如下几类:
标准协议:国际标准或公认的标准协议,如Modbus、DNP3、IEC104等
私有公开:只有厂商自己设备支持并提供官方协议文档,如Omron FINS协议、三菱Melsec协议等
私有不公开:只有厂商自己设备支持且官方不提供协议文档,如S7、西门子PPI协议、GE SRTP等
使用Wireshark分析常见工控协议
Wireshark是一个强大开源流量与协议分析工具,除了传统网络协议解码外,还支持众多主流和标准工控协议的分析与解码。为此我整理了Wireshark源码中涉及与自控有关的协议的packet dissection实现代码路径,供大家参考和自己留存。
| 序号 | 协议类型 | 源码下载 | 简介 |
| 1 | Siemens S7 | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-s7comm.c | 西门子PLC支持的通讯协议 |
| 2 | MMS(IEC61850) | https://github.com/wireshark/wireshark/tree/master/asn1/mms | 输配电通讯协议 |
| 3 | GOOSE(IEC61850) | https://github.com/wireshark/wireshark/tree/master/asn1/goose | 输配电通讯协议 |
| 4 | SV(IEC61850) | https://github.com/wireshark/wireshark/tree/master/asn1/sv | 输配电通讯协议 |
| 5 | Modbus | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-mbtcp.c | 工控标准协议 |
| 6 | OPC DA | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-dcom.c | 工控标准协议 |
| 7 | FF HSE | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-ff.c | 基金会现场总线以太网通信协定 |
| 8 | IEC 104 | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-iec104.c | 输配电通讯协议 |
| 9 | Ethernet POWERLINK | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-epl.c | 开放式实时以太网通信 |
| 10 | OPC UA | https://github.com/wireshark/wireshark/tree/master/plugins/opcua/opcua.c | OPC新一代标准 |
| 11 | HART-IP | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-hartip.c | 高速可寻址远程传感器协议 |
| 12 | CoAP | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-coap.c | 轻量应用层协议 |
| 13 | Omron FINS | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-omron-fins.c | 欧姆龙PLC支持的通讯协定 |
| 14 | openSAFETY | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-opensafety.c | 开源安全应用协议 |
| 15 | EGD(Ethernet Global Data) | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-egd.c | GE Fanuc为PLC开发的通讯协定 |
| 16 | DNP3 | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-dnp.c | 分布式网络协议,主要用于电力行业 |
| 17 | Sinec H1 | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-h1.c | 西门子PLC支持的通讯协议 |
| 18 | Profinet | https://github.com/wireshark/wireshark/tree/master/plugins/profinet/ | 开放式的工业以太网通讯协定 |
| 19 | EtherCAT | https://github.com/wireshark/wireshark/tree/master/plugins/ethercat/ | 德国Beckhoff公司推动的开放式实时以太网通讯协定 |
| 20 | SERCOS III | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-sercosiii.c | 实时以太网通讯协定 |
| 21 | RTPS | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-rtps.c | 实时流传输协议 |
| 22 | TTEthernet | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-tte.c | 实时以太网通讯协定 |
| 23 | CDT | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-cdt.c | 远动规约 |
| 24 | EtherNet/IP | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-etherip.c | 工业通讯协定(Industrial Protocol),是一种CIP的实现方式,由罗克韦尔自动化公司所设计 |
| 25 | CIP | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-cip.c | 通用工业协定 |
| 26 | CIP Safety | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-cipsafety.c | 安全通用工业协定 |
| 27 | DeviceNet | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-devicenet.c | 一种CIP的实现方式,由Allen-Bradley公司所设计 |
| 28 | BACnet | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-bacnet.c | 楼宇自动控制网络数据通讯协议 |
| 29 | KNXnet/IP | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-knxnetip.c | 住宅和楼宇控制标准 |
| 30 | Lontalk | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-lon.c | 埃施朗公司的LonWorks技术所使用的通讯协议 |
| 31 | CANopen | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-canopen.c | 控制局域网通讯协定 |
| 32 | SAE J1939 | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-j1939.c | 一种CAN的变种,适用在农业车辆及商用车辆 |
| 33 | USITT DMX512-A | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-dmx.c | 灯光控制数据传输协议 |
| 34 | BSSAP/BSAP | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-bssap.c | 由Bristol Babcock Inc发展的通讯协定 |
| 35 | Gryphon | https://github.com/wireshark/wireshark/tree/master/plugins/gryphon | 车用通讯协定 |
| 36 | ZigBee | https://github.com/wireshark/wireshark/tree/master/epan/dissectors/packet-zbee.h | 开放式的无线通讯协定 |