Update phoenix_command.md

bug/bundler_fix
Tijl Deneut 2016-05-28 15:35:00 +02:00
parent 2afcda9d49
commit 2c4b387eb2
1 changed files with 10 additions and 10 deletions

@ -2,23 +2,23 @@ PhoenixContact Programmable Logic Controllers are built are using a variant of P
Communicating using a proprietary protocol over ports TCP/1962 and TCP/41100 or TCP/20547.
It allows a remote user to read out the PLC Type, Firmware and Build number on port TCP/1962.
And also to read out the CPU State (Running or Stopped) AND start or stop the CPU on
port TCP/20547 (confirmed for the PLC series ILC 15x and 17x)
or TCP/41100 (confirmed for the ILC 39x series)
other series may or may not work, a very big chance that they will
port TCP/20547 (confirmed for the PLC series ILC 15x and 17x)
or TCP/41100 (confirmed for the ILC 39x series)
other series may or may not work, a very big chance that they will
## Vulnerable Application
This is a hardware zero-day vulnerability that CANNOT be patched, the only mittigation is pulling the plug (literally),
adding a separate network in front of it (Firewall, Router, IDS, IPS, network segmentation, etc...)
or not allowing bad people on your network
adding a separate network in front of it (Firewall, Router, IDS, IPS, network segmentation, etc...)
or not allowing bad people on your network .
In general most, if not all, PLC's (computers that control engines, robots, conveyor belts, sensors, camera's, doorlocks, CRACs ...)
have this vulnerability where, using their own tools, remote configuration and programming can be done *WITHOUT* authentication
Investigators and underground hackers are just now creating simple tools to convert the often proprietary protocols into (simple) scripts
have this vulnerability where, using their own tools, remote configuration and programming can be done *WITHOUT* authentication.
Investigators and underground hackers are just now creating simple tools to convert the often proprietary protocols into (simple) scripts.
The most important word here is proprietary. Right now the only thing stopping very bad stuff from happening.
PhoenixContact uses an (unnamed?) low-level protocol for connection, information exchange and configuration of its PLC devices
This script utilises that protocol for finding information and switching the PLC mode from STOP to RUN and vice versa
PhoenixContact uses an (unnamed?) low-level protocol for connection, information exchange and configuration of its PLC devices.
This script utilises that protocol for finding information and switching the PLC mode from STOP to RUN and vice versa
## Verification Steps
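Review bot: the edits in this hunk add terminal punctuation to four sentences but leave the nearby wording inconsistent, and the spelling defects on the unchanged context lines survive. "mittigation" (in the "## Vulnerable Application" paragraph) should be "mitigation", "PLC's" should be "PLCs", "camera's" should be "cameras", and "doorlocks" should be "door locks"; since the commit is a text cleanup of these exact lines, fixing them here is cheaper than a second pass. The added period on "or not allowing bad people on your network ." has a stray space before the full stop. The last rewritten line, "This script utilises that protocol for finding information and switching the PLC mode from STOP to RUN and vice versa", still has no period even though its sibling line one above received one, and "other series may or may not work, a very big chance that they will" is neither punctuated nor supported by anything in the text; stating which series were actually confirmed (ILC 15x, 17x and 39x, as the surrounding lines already do) and dropping the "very big chance" guess would be more accurate. Finally, "Right now the only thing stopping very bad stuff from happening." is a sentence fragment; joining it to the preceding sentence ("The most important word here is proprietary, which is right now the only thing stopping ...") reads correctly.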
@ -106,4 +106,4 @@ msf auxiliary(phoenix_command) > set ACTION START
The module can also just read out the CPU mode and then reverse whatever it finds, RUN becomes STOP, STOP becomes RUN
```
msf auxiliary(phoenix_command) > set ACTION REV
```
```
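Review bot: the only visible difference in this hunk is between two identical closing fence lines, so the change appears to be an end-of-file newline or whitespace fix rather than a content change; the commit message ("Update phoenix_command.md") should say so, and the file should end with exactly one closing fence followed by a single newline so the rendered markdown does not show a stray empty code block. While touching this region, the sentence "The module can also just read out the CPU mode and then reverse whatever it finds, RUN becomes STOP, STOP becomes RUN" should get the same terminal period the first hunk adds elsewhere, and the "set ACTION REV" example would be clearer if it followed the same pattern as the "set ACTION START" example in the hunk header, i.e. showing the subsequent run step so readers know the action is not applied by setting it alone.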