Announcement
Project address: https://github.com/MartinxMax/S-Clustr
Update Notice | Content | Progress |
---|---|---|
SIEMENS S7-1200 | Remote control | In progress |
SIEMENS S7-200 SMART | Remote Control | In progress |
Nets3e plug-in | Remote control of photo uploading | Completed |
Developer | Blog | Contact Information | Submission Time | Submit Content | Authorization status |
---|---|---|---|---|---|
ASH_HH | https://blog.csdn.net/m0_53711047/article/details/133691537?spm=1001.2014.3001.5502 | Anonymous | 2023-10-16 21:42:26 | STM32 | Authorized |
Type | Controlled device | Wired | Wireless | 4G | Secure Encryption | Protocol |
---|---|---|---|---|---|---|
Embedded | Arduino | √ | × | √ | × | TCP/IP |
Embedded | Hezhou AIR780e | × | × | √ | × | TCP/IP |
Embedded | ESP8266 | × | √ | × | × | TCP/IP |
Embedded | AT89C51 | × | × | √ | × | TCP/IP |
Embedded | STM32[103fc6t6] | × | × | √ | × | TCP/IP |
PLC | SIEMENS S7-1200 | √ | × | × | √ | TCP/IP |
PLC | SIEMENS S7-200 | √ | × | × | √ | TCP/IP |
Controlled PC Platform | Protocol | Security Encryption |
---|---|---|
Windows | TCP/IP | Optional |
Linux | TCP/IP | Optional |
Mac OS | TCP/IP | Optional |
Server file | Explanation |
---|---|
S-Clustr_Server | Server |
S-Clustr_Client | Hacker |
DebugDevice | Used to simulate embedded device access to the server |
Generate | Generate embedded device program with one click |
Testpc | Windows host access server |
blacklist.conf | Blacklist: the IP ranges that are denied access to the server |
Server.conf | Configuration parameters of the server |
Version.conf | Version information |
Linux_Installer.sh | Linux environment-dependent installation program |
Windows_Installer.bat | Windows environment dependent installation program |
Parameter_Description-EN.xls | [English] Description of the parameters in Server.conf |
Parameter_Description-ZH.xls | [Chinese] Description of the parameters in Server.conf |
Questions and Answers
(Anonymous netizen) asked: What kind of tool is S-Clustr?
Answer: It is a centralized network controller used for one-to-many network control.
(Cheshire) Q: What are the usage scenarios and environment of S-Clustr?
Answer: Industrial/intelligent control, large/medium/small computer room control, industrial/traffic power supply control, Botnet control
(Cheshire) Q: How covert is traffic communication?
Answer: Although the process is encrypted, your traffic paths are basically domestic operator lines, so please abide by the law.
(Cheshire) Q: Can the Arduino be replaced with a cheaper development version?
Answer: Absolutely, you can add your development board model in DEV_TYPE and DEV_ENCRYPTION_Server in Server.conf respectively. Or contact the author [https://github.com/MartinxMax] to update your development board program
(Cheshire) Q: Is it possible to avoid man-in-the-middle and replay attacks?
Answer: Authentication data flow = timestamp + device ID + device status + AES (timestamp + key). In this way, when the server verifies the identity of the hacker, it will try to AES decrypt the timestamp and compare it with the server timestamp. If you are subject to a man-in-the-middle attack that causes data packets to be obtained, even so, other hackers will not be able to conduct a replay attack on your device until they obtain your key.
(Anonymous netizen) asked: What can be done by controlling the PC side?
Answer: For example, when the command is issued, you can crawl the xxx website, open the xxx application, and execute the xxx command
(Anonymous netizen) asked: There are no encryption services for embedded devices on the device side?
Answer: Yes; for now we consider that adding encryption to the embedded device would affect performance. If you have high security requirements for embedded devices, do not put them on the same LAN as the server.
S-Clustr embedded device side
Arduino
Wired LAN Control
Prepare equipment materials (total 50¥)
1. Arduino UNO (17¥)
2. ENC28J60 (28¥)
3. 1-channel 5V relay module (3¥)
4. Dupont wires, female-to-female (2¥)
Wiring schematic diagram
4G wireless public network remote control
Prepare equipment materials (total 48¥)
1. Arduino UNO (17¥)
2. SIM900A or SIM800A (26¥)
3. 1-channel 5V relay module (3¥)
4. Dupont wires, female-to-female (2¥)
5. China Mobile SIM card
A China Mobile SIM card is needed here because the SIM800A and SIM900A only support China Mobile's 2G network, not China Telecom or China Unicom. However, the Hezhou AIR780e board tested later should also work with China Unicom, and since its modem is integrated on the board no SIM800/SIM900 module is needed with it.
Wiring schematic diagram
Here we simulate the behaviour of the Arduino switching the relay after it receives the signal.
Can't write code? Just use Generate.py to generate the Arduino code.
ESP8266 (WIFI LAN control)
Prepare equipment materials (total 18¥)
1. ESP8266 (13¥)
2. 1-channel 5V relay module (3¥)
3. Dupont wires, female-to-female (2¥)
Wiring schematic diagram
AIR780E (4G wireless public network remote control) [recommended]
Notes
1. In testing, this development board is indeed faster and more stable than the SIM series.
2. Install Luatools, which is used to flash (burn) the program onto the board:
[https://doc.openluat.com/wiki/37?wiki_page_id=4489]
Prepare equipment materials (total 47¥)
1. Air780e development board (42¥); the SIM card slot is on the back
2. 1-channel 5V relay module (3¥)
3. Dupont wires, female-to-female (2¥)
Wiring schematic diagram
Flashing the program
1. Import the file generated by our Generate tool into Luatools.
2. Select the underlying core firmware, which is provided in our Output\AIR780E\LuatOS-SoC_V1103_EC618.soc.
3. Follow the prompts to complete flashing; note the three buttons on the board: Start, Reset and BOOT.
AT89C51
Prepare equipment materials (total 42¥)
1. 51-series microcontroller minimum-system development board with built-in CH340 downloader (11¥)
2. 1-channel 5V relay module (3¥)
3. Dupont wires, female-to-female (2¥)
4. SIM900A or SIM800A (26¥)
5. China Mobile SIM card
Wiring schematic diagram
Generate: one-click generation of the firmware code
```
python3 Generate.py
```
Fill in the parameters. The 127.0.0.1 shown here is only a placeholder and is wrong for real use: enter the public IP address of the server, i.e. the IP of the host running S-Clustr_Server.py.
The generated firmware code is written to the .\Device\Output\model directory, where model is the board model.
S-Clustr server
Notice:
1. The server must be reachable on the public network. If your server is on an intranet, consider port mapping. The hacker-side service listens on port 9999 by default and the device-side service on port 10000 by default.
2. Communication between the server and the hacker client is encrypted for the entire session; this encryption is forced on and cannot be disabled. Separately, the Server.conf file lets you decide whether an encryption service is provided when an embedded device or controlled PC connects.
3. If you do not understand the parameters in the Server.conf file, read the manual document carefully.
4. Each time the server starts, a random 12-character key is generated for identity authentication of hackers and controlled devices, to prevent other hackers from accessing the controlled devices without authorization. You can also specify the keys manually (python3 S-Clustr_Server.py -keyh Maptnh -keyv Maptnh).
- The server prints two keys each for the hacker side and the controlled side. The first is the plaintext key; if you consider it too sensitive, use the second, temporary TOKEN as the key, which keeps the plaintext key from being exposed.
- Setting this parameter to 1 enables the encryption service for controlled devices; a controlled device must then present the identity authentication key to be allowed access, otherwise it is denied.
5. This effectively prevents a man-in-the-middle (MITM) from sniffing and analysing the packets exchanged between the hacker and the server, and further prevents replay attacks and cracking of the encrypted data.
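As an added illustration of the authentication flow described in the Q&A above (timestamp + device ID + device state + a keyed transform of the timestamp, checked against the server clock) and of the random 12-character key from note 4, here is a small Python verifier. It is example code written for this page, not part of S-Clustr: it uses an HMAC-SHA256 tag over the timestamp in place of the project's AES step (the server recomputes the tag instead of decrypting, which gives the same timestamp comparison), and the `|`-separated wire format, the 30-second freshness window and the cache of already-accepted timestamps are assumptions of the example rather than anything the page specifies.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple

# Example code written for this page, not part of S-Clustr. The key alphabet,
# the "|"-separated wire format, the 30-second window and the replay cache are
# assumptions of this example; the HMAC tag stands in for the page's AES step.

KEY_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def generate_key(length: int = 12) -> str:
    """Random key of the kind the server issues on every start (note 4)."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def _tag(key: str, timestamp: int) -> str:
    """Keyed transform of the timestamp; only a holder of `key` can produce it."""
    return hmac.new(key.encode(), str(timestamp).encode(), hashlib.sha256).hexdigest()


def make_auth(device_id: int, state: int, key: str, now: Optional[int] = None) -> str:
    """Client side: timestamp + device ID + device state + tag, joined with '|'."""
    ts = int(time.time()) if now is None else int(now)
    return f"{ts}|{device_id}|{state}|{_tag(key, ts)}"


class AuthVerifier:
    """Server side: checks the key, then timestamp freshness, then single use."""

    def __init__(self, key: str, window_seconds: int = 30):
        self.key = key
        self.window = window_seconds
        # (timestamp, device_id) pairs already accepted inside the window.
        self.seen: Set[Tuple[int, str]] = set()

    def verify(self, message: str, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else int(now)
        parts = message.split("|")
        if len(parts) != 4 or not parts[0].isdigit():
            return False, "malformed"
        ts_text, device_id, state, tag = parts
        ts = int(ts_text)
        # 1. Key check: constant-time comparison of the recomputed tag.
        if not hmac.compare_digest(_tag(self.key, ts), tag):
            return False, "bad key"
        # 2. Freshness: the timestamp must lie within the window of the server clock.
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        # 3. Single use: a captured packet presented again inside the window is refused.
        if (ts, device_id) in self.seen:
            return False, "replayed"
        self.seen.add((ts, device_id))
        return True, f"device {device_id} state {state}"


if __name__ == "__main__":
    key = generate_key()
    verifier = AuthVerifier(key)
    packet = make_auth(device_id=1, state=3, key=key)
    print(verifier.verify(packet))  # (True, 'device 1 state 3')
    print(verifier.verify(packet))  # (False, 'replayed')
```

The order of the checks matters: the tag is compared first so that a packet built without the key is rejected before any clock comparison, and the seen-set is what turns the page's "compare with the server timestamp" into a strict single-use rule inside the tolerance window.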
Server-side script parameters
Parameter | Description |
---|---|
-lh | Bind to the specified local IP; default 0.0.0.0 |
-lpv | Local listening port for the device side; default 10000 |
-lph | Local listening port for the hacker side; default 9999 |
-keyh | Hacker-side key; default is a random 12-character key |
-keyv | Device-side key; default is a random 12-character key |
Running the server
```
python3 S-Clustr_Server.py
```
S-Clustr Hacker Terminal
Notice:
The client runs interactively; its operation is similar to the Metasploit penetration testing framework.
Hacker client parameters
After starting the client, enter help, ? or options to view the parameters that need to be set.
Command | Description |
---|---|
set rhosts | Set the IP of the server |
set rport | Set the port of the server |
set id | Select the device ID number to control; 0 selects all devices |
set pwr | Control device state: start [1], stop [2], query status [3] |
The hacker connects to the server
```
python3 S-Clustr_Client.py
```
Query the current status of all devices
```
S-Clustr(V1.0.0)> set rhost 127.0.0.1
[*] rhost => 127.0.0.1
S-Clustr(V1.0.0)> set id 0
[*] id => 0
S-Clustr(V1.0.0)> set pwr 3
[*] pwr => 3
```
Note: the key must be set here; it determines whether you are authorized to access the server.
You can use either of the two keys shown by the server.
```
S-Clustr(V1.0.0)> set key cf5cdc4798a72283a4c0c0b1ef2ef5da
[*] key => cf5cdc4798a72283a4c0c0b1ef2ef5da
```
Query all device status
```
S-Clustr(V1.0.0)> set id 0
[*] id => 0
S-Clustr(V1.0.0)> set pwr 3
[*] pwr => 3
S-Clustr(V1.0.0)> run
[*] Connecting to the server...
[*] Attempting to authenticate to the server [127.0.0.1:9999]
| Device ID | Device Type | Device State | Device Network |
|:---------:|:-----------:|:------------:|:--------------:|
|     1     |    None     |   Stopped    |  Disconnected  |
|     2     |    None     |   Stopped    |  Disconnected  |
|     3     |    None     |   Stopped    |  Disconnected  |
|     4     |    None     |   Stopped    |  Disconnected  |
|     5     |    None     |   Stopped    |  Disconnected  |
|     6     |    None     |   Stopped    |  Disconnected  |
|     7     |    None     |   Stopped    |  Disconnected  |
|     8     |    None     |   Stopped    |  Disconnected  |
|     9     |    None     |   Stopped    |  Disconnected  |
|    10     |    None     |   Stopped    |  Disconnected  |
|:---------:|:-----------:|:------------:|:--------------:|
```
We can see that the connection to the server succeeded and identity authentication passed.
If the wrong key is set, the server refuses to authorize you.
[Simulate the controlled device to connect to the server] Control all devices through the hacker
All devices are online
Start all devices
```
S-Clustr(V1.0.0)> set id 0
[*] id => 0
S-Clustr(V1.0.0)> set pwr 1
[*] pwr => 1
S-Clustr(V1.0.0)> run
```
Stop all devices
```
S-Clustr(V1.0.0)> set id 0
[*] id => 0
S-Clustr(V1.0.0)> set pwr 2
[*] pwr => 2
S-Clustr(V1.0.0)> run
```
Case: after receiving the command, the controlled terminal visits www.bing.com and opens the calculator
Enter the KEY on our controlled terminal.
The controlled terminal connects successfully.
Our hacker terminal also successfully queries the device.
The device is controlled and completes the task as required.
Manual documentation
Parameter_Description-ZH.xls
Parameter_Description-EN.xls