Exposing HMS HICP Protocol + 0Day 'light' + SCADA_SHODAN
Posted on 19 December 2009 by c0decstuff
The new RootedCON material covers an M2M protocol developed by the Swedish company HMS, together with a related 0-day, and shows how exposed SCADA systems can be located systematically with the help of Shodan. The protocol itself is barely documented anywhere public.
1st PART: "HMS HICP Protocol"
Code (asm)
.text:100027AF ; int __cdecl HICP_SendModuleScan()
.text:100027AF ; thin exported wrapper: the real work (building and sending the probe) is in sub_10002175
.text:100027AF public ?HICP_SendModuleScan@@YAHXZ
.text:100027AF ?HICP_SendModuleScan@@YAHXZ proc near
.text:100027AF push    ebp
.text:100027B0 mov     ebp, esp
.text:100027B2 call    sub_10002175
.text:100027B7 pop     ebp
.text:100027B8 retn
.text:100027B8 ?HICP_SendModuleScan@@YAHXZ endp
C code
sprintf(&Dest, "Module Scan");                     // the discovery probe string
to.sa_family = AF_INET;
*(_WORD *)&to.sa_data[0] = htons(HICP_PORT);       // 3250 UDP
*(_DWORD *)&to.sa_data[2] = htonl(IP_BROADCAST);   // 255.255.255.255, so every device on the segment sees it
v1 = strlen(&Dest);
if ( sendto(s, &Dest, v1 + 1, 0, &to, 16) != -1 )  // v1 + 1: the terminating NUL goes on the wire too
Here the client sends a UDP (User Datagram Protocol) broadcast packet carrying the string "Module Scan" to HICP port 3250; every device that receives it answers with a reply.
Below are the parameters that can be configured through this protocol, and what each one means:
+ "Protocol version = 1.10;"   # obvious
+ "fb type = EVIL-DEVICE;"     # device type
+ "module version = 0.66.6;"   # ...
+ "mac = 00-30-11-00-CA-FE;"   # MAC address
+ "ip = 192.168.1.252;"        # IP address
+ "sn = 255.255.255.0;"        # network mask
+ "gw = 192.168.1.1;"          # gateway
+ "dhcp = off;"                # whether the device obtains its IP address from a DHCP server (on/off)
+ "pswd = off;"                # whether the device is protected by a password (on/off)
+ "hn = morroBufalo;"          # hostname (optional)
+ "dns1 = 192.168.1.33;"       # primary DNS
+ "dns2 = 192.168.1.34;"       # secondary DNS (optional)
+ "password = admin;"          # old password (if any; "admin" by default)
+ "new password = fatbird;"    # new password
As you can see, everything travels over UDP as plain text, with the individual fields separated by ";". Note that the reply itself tells you whether a password is set at all ("pswd = off") and that the default password is "admin", so no sniffing or brute force is needed to know which devices are open.
For full details, including the MAC configuration and the exact format of the parameter string, see the original write-up at reversemode.com.
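As an added example (not code from the original post, from RootedCON or from reversemode.com), here is a small Python client that does what the decompiled code above does and parses the kind of reply the parameter list describes: it broadcasts "Module Scan" with its terminating NUL to UDP/3250, then splits each ";"-separated "key = value" field of a reply into a dict and flags devices that report "pswd = off". The sample reply is constructed from the list above, not a device capture; that replies end with a NUL byte and that keys can be compared case-insensitively are assumptions of this example, not something the post states.

```python
import socket

HICP_PORT = 3250                   # UDP port used by the HICP client (from the decompiled code)
HICP_BROADCAST = "255.255.255.255"
MODULE_SCAN = b"Module Scan\x00"   # probe string, sent together with its NUL (strlen + 1 bytes)

# Constructed sample reply shaped like the parameter list above; NOT a real device capture.
# The trailing NUL is an assumption of this example.
SAMPLE_REPLY = (
    b"Protocol version = 1.10;fb type = EVIL-DEVICE;module version = 0.66.6;"
    b"mac = 00-30-11-00-CA-FE;ip = 192.168.1.252;sn = 255.255.255.0;"
    b"gw = 192.168.1.1;dhcp = off;pswd = off;hn = morroBufalo;"
    b"dns1 = 192.168.1.33;dns2 = 192.168.1.34;\x00"
)


def parse_hicp_reply(payload: bytes) -> dict:
    """Split a ';'-separated 'key = value' HICP text reply into a dict.

    Keys are whitespace-trimmed and lowercased (assumption: the device does not
    distinguish 'Protocol version' from 'protocol version'). A field without '='
    is kept under its raw text with an empty value so nothing is silently dropped.
    """
    text = payload.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    fields = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            fields[item.lower()] = ""
            continue
        fields[key.strip().lower()] = value.strip()
    return fields


def is_unprotected(fields: dict) -> bool:
    """True when the device itself reports that no password is configured (pswd = off)."""
    return fields.get("pswd", "").lower() == "off"


def hicp_scan(timeout: float = 2.0, iface_addr: str = "0.0.0.0") -> list:
    """Broadcast 'Module Scan' to UDP/3250 and collect replies as (source_ip, fields)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.settimeout(timeout)
    s.bind((iface_addr, 0))
    s.sendto(MODULE_SCAN, (HICP_BROADCAST, HICP_PORT))
    found = []
    try:
        while True:
            data, addr = s.recvfrom(4096)
            found.append((addr[0], parse_hicp_reply(data)))
    except socket.timeout:
        pass
    finally:
        s.close()
    return found


if __name__ == "__main__":
    # Live scan of the local broadcast domain; only run this on a network you own.
    for ip, f in hicp_scan():
        print(ip, f.get("fb type"), f.get("module version"),
              "password:", "none" if is_unprotected(f) else "set")
```

Because the probe is a plain broadcast, the scan only reaches devices on the local segment; whatever Shodan turns up on the public Internet would have to be probed by unicast to port 3250 instead, and the same parser applies to the reply.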