forked from NozomiNetworks/tricotools
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtriconex_honeypot.py
289 lines (248 loc) · 10.4 KB
/
triconex_honeypot.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
'''
Triconex Honeypot emulating arbitrary modules (PoC)
date : April, 4th 2018
author : Alessandro Di Pinto (@adipinto)
author : Andrea Arteaga
author : Younes Dragoni (@ydragoni)
author : James Brine (@referefref)
contact : secresearch [ @ ] nozominetworks [ . ] com
'''
import sys
import time
import socket
import struct
import argparse
try:
import crcmod
except ImportError:
print("[-] Please install the module 'crcmod' (eg, pip install crcmod)")
sys.exit(1)
def build_slot(leds0, leds1, model, color):
slotfmt = '<' + 32*'B'
return struct.pack(slotfmt, leds0, leds1, model, color,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
# Construct slots
mps = {
'active' : build_slot(0x15, 0x21, 0xf0, 0x01),
'passive': build_slot(0x02, 0x01, 0xf0, 0x02)
}
slotsdesc = {
'empty': build_slot(0, 0, 0, 0),
'com' : build_slot(5, 33, 55, 1),
'do' : build_slot(5, 16, 20, 1),
'di' : build_slot(5, 32, 11, 1),
'him' : build_slot(5, 22, 53, 1),
'ddo' : build_slot(0x4F, 0x21, 0x5C, 0x2)
}
def build_packet(triconId, funccode, seq, data):
# Subheader without checksum
datalength = len(data)+10
subheader = struct.pack('<BBBBHHH', 1, 0, funccode, seq, 0, 0, datalength)
# Compute checksum
checksum = datalength
for c in subheader:
checksum += c
for c in data:
checksum += c
# Header and subheader with checksum
header = struct.pack('<BBH', 5, triconId, datalength)
subheader = struct.pack('<BBBBHHH', 1, 0, funccode, seq, 0, checksum, datalength)
# Entire packet, except CRC
packet = header + subheader + data
# Compute CRC
crc = cf(packet)
packet += struct.pack('<H', crc)
return packet
def build_chassis_status_response(triconId=0, seq=0, node=2, projname='FIRSTPROJ', activemp=0,
mpmodel=1, slots=['com']):
# Project segment
data = struct.pack('<HBBHHHIIIHIIccccccccccI', 2, 0xFF, 0x00, 1, 4, 3,
int(time.time()-24*3600),
200, 200, 181, 0, 1,
projname[0],
projname[1],
projname[2],
projname[3],
projname[4],
projname[5],
projname[6],
projname[7],
projname[8],
b'\0',
int(time.time()))
# Memory segment
data += struct.pack('<BBBBIIII', 0x56, 0x02, 0x00, 0x00, 8340703, 8251952, 0x1b, 0x32)
# MPS segment
for i in range(3):
data += mps['active' if i == activemp else 'passive']
# Unknown segment
data += struct.pack('<HH', 0xa6, 1024)
# Slots segment
for i in range(3):
data += mps['active' if i == activemp else 'passive']
for s in slots:
data += slotsdesc[s] if s in slotsdesc else build_slot(*s)
for i in range(13-len(slots)):
data += slotsdesc['empty']
return build_packet(triconId, 119, seq, data)
def build_CP_status_response(triconId=0, seq=0):
data = struct.pack('<HBBBBBBB', 1,
0x0, # loadIn
0x0, # modIn
0xd, # loadState
0x0, # singleScan
0x1, # cpValid
0x1, # keyState
0x1 # runState
)
data += struct.pack('<BBBBB', 0x0, 0x0, 0x50, 0x80, 0x0)
data += struct.pack('<IIIII',
0x00800000, # my: 8388608
0x00400000, # us: 4194304
0x00600000, # ds: 6291456
0x00fe5000, # heap_min: 16666624
0x00ffafff # heap_max: 16756735
)
data += struct.pack('<BBBBBBBBBBBB', 0x0, 0x20, 0x0, 0x20,
0x0, 0x20, 0x0, 0x0,
0x0, 0x00, 0x0, 0x0
)
data += struct.pack('<BBBBBBBBBBBB', 0x14, 0x1b, 0x00, 0x00,
0xc8, 0x00, 0xc8, 0x00,
0xba, 0x00, 0x5c, 0x98
)
data += struct.pack('<HH', 4, 3) # Minor, major
data += struct.pack('<I', time.time()) # Timestamp
data += struct.pack('<cccccccccc', 'E', 'C', 'C', 'E', 'C', 'C', 'A', 'H', 'H', b'\0')
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBBBB', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
data += struct.pack('<BBBBBB' , 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 )
return build_packet(triconId, 108, seq, data)
def debug(fc, printc, *args, **kwargs):
lines = (2, 2, 1, 1, 1, 1, 2, 2, 2, 0)
if fc == 108:
packet = build_CP_status_response(*args, **kwargs)
elif fc == 119:
packet = build_chassis_status_response(*args, **kwargs)
lines += (2, 2, 2, 2, 2, 4, 8, 2, 4, 4, 10, 4, 0) \
+ (4, 4, 4, 0) \
+ (8, 0) \
+ (32, 32, 32, 0) \
+ (4, 0) \
+ (32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 0) \
+ (2, 0)
else:
print('Function code', fc, 'not supported')
if printc:
print('{\n ', end='')
for i, c in enumerate(packet):
end = ',\n ' if i%16 == 15 else (',' if i != len(packet)-1 else '')
print('0x%02x'%c + end, end='')
if len(packet)%16 != 15:
print()
print('}')
else:
i = 0
for l in lines:
iend = i+l
while i < iend:
print('%02x' % packet[i], end=' ')
i += 1
print()
while i < len(packet):
print('%02x' % packet[i], end=' ')
i += 1
print()
print(len(packet), 'bytes')
def f_crc16(data):
cf = crcmod.mkCrcFun(0x18005, rev=True, initCrc=0x0000, xorOut=0)
return cf(data)
def checksum(data, init=0):
summ = init
for i in data:
summ += i
return summ & 0xFFFF
def udp_send(data, addr, port):
sock.sendto(data, (addr, port))
def build_tricon_attached(triconId=0, seq=0, string=b'\x03\x00\x33\x0a\x04\x00'):
return build_packet(triconId, 0x6a, seq, string)
if __name__ == "__main__":
suppmods = list(slotsdesc.keys())
parser = argparse.ArgumentParser(
description="Triconex Honeypot emulating arbitrary modules (PoC)\nSupported modules: %s\n\nAuthors:\n\tAlessandro Di Pinto (@adipinto)\n\tAndrea Arteaga\n\tYounes Dragoni (@br4zzor)" %', '.join(suppmods),
formatter_class=argparse.RawDescriptionHelpFormatter
)
parser.add_argument("-l", metavar="HONEY_IP", dest="honeyip", help="Honeypot IP address", default="0.0.0.0")
parser.add_argument("-p", metavar="HONEY_PORT", dest="honeyport", help="Honeypot port", default=1502, type=int)
parser.add_argument("-s1", metavar="SLOT1", dest="slot1", help="Module to emulate on slot 1", default="empty", choices=suppmods)
parser.add_argument("-s2", metavar="SLOT2", dest="slot2", help="Module to emulate on slot 2", default="empty", choices=suppmods)
parser.add_argument("-s3", metavar="SLOT3", dest="slot3", help="Module to emulate on slot 3", default="empty", choices=suppmods)
parser.add_argument("-s4", metavar="SLOT4", dest="slot4", help="Module to emulate on slot 4", default="empty", choices=suppmods)
args = parser.parse_args()
UDP_REMOTE = None
UDP_IP = args.honeyip
UDP_PORT = args.honeyport
print("[*] Binding the honeypot to the address %s:%d" % (UDP_IP, UDP_PORT))
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind((UDP_IP, UDP_PORT))
except socket.error:
print("[-] Error binding to the specified address")
sys.exit(2)
# Print info about modules
print("[*] Slot 1 module set to: %s" % args.slot1)
print("[*] Slot 2 module set to: %s" % args.slot2)
print("[*] Slot 3 module set to: %s" % args.slot3)
print("[*] Slot 4 module set to: %s" % args.slot4)
cf = crcmod.mkCrcFun(0x18005, rev=True, initCrc=0, xorOut=0)
try:
while True:
data, addr = sock.recvfrom(1024)
dport = addr[1]
UDP_REMOTE = addr[0]
mcode, chan, dlen, crc16 = struct.unpack("<BBHH", data[0:6])
# CONNECT REQUEST
if mcode == 0x1:
print("[*] CONNECT REQUEST")
# CONNECT REPLY
udp_send(b"\x02\x00\x00\x00\x01\xb8", UDP_REMOTE, dport)
# COMMAND REPLY
elif mcode == 0x5:
# Get the function code
fcode, pseq = struct.unpack("<BB", data[6:8])
if fcode == 0xD:
print("[*] ATTACH REQUEST")
udp_send(build_tricon_attached(), UDP_REMOTE, dport)
elif fcode == 0x13:
#time.sleep(5)
print("[*] GET CP STATUS")
udp_send(build_CP_status_response(seq=pseq), UDP_REMOTE, dport)
elif fcode == 0x18:
print("[*] GET CHASSIS STATUS")
udp_send(
build_chassis_status_response(
seq=pseq,
mpmodel=0,
activemp=2,
slots=['com', args.slot1, 'empty', args.slot2, 'empty', args.slot3, 'empty', args.slot4]
),
UDP_REMOTE,
dport
)
else:
print("[-] UNKNOWN: %s" % hex(fcode))
except KeyboardInterrupt:
print("[*] Execution interrupted by the user")
sys.exit(0)