Cracker of AB PLC



8/3/2019 Cracker of AB PLC

http://slidepdf.com/reader/full/cracker-of-ab-plc 1/4

 

Jonweb Technology Trade CO., LTD. (http://fa.jonweb.net , http://Allen-Bradley.5130cn.com) kindly offers Factory Automation parts at lower prices.

 

Address: Rm 902, ShangDi Garden 23#, HaiDian District , Beijing, China (ZIP: 100085)

Address (Chinese): Room 902, Building 23, Shangdi Jiayuan, Haidian District, Beijing (postal code: 100085)

TEL: +8610-6298 8280 / 8636 0099   FAX: +8610-6298 5883

CRACKING THE ALLEN BRADLEY “KEYWORD”

A technique to discover the password or "keyword" stored in Allen-Bradley SLC series PLCs

Written By Aisha Liang.

Application Software required:

RSLogix 500

RSLinx

ComLite32 (available free from http://www.japanfa.com/jiemi )

NOTE:

This technique is intended as a work around when you have been left with a

password protected PLC and the original installer has gone bust!

Introduction

The keywords within an Allen-Bradley processor consist of a string of up to ten characters in the range 0-9 for the main password, and the same again for the master password. If a keyword has been set within the processor, it is required in order to read the program from the PLC and to monitor or modify the program. If you haven't got the key, you can't get in.

Rockwell's China technical support has been asked whether it is possible to identify or get around the keyword; their answer is no, you must clear the PLC memory and start again. Not very good if you do not have the original code to begin with!

I recently found a way of finding the keyword in Mitsubishi processors, therefore the next logical step was to try the SLC processor. I thought it would be more difficult, I was wrong!

(Note that ComLite32 does not work with NT/2000 – I used W98) 

Setting The Keyword

SLC Processor

I had a distinct advantage over some users, in that I did not have a protected PLC to crack: I had an unprotected one in which I could set any keyword, so I knew what I was looking for. On the SLC processor, using RSLogix 500, I set the main password to "0123456789" and the master password to "5555566666", downloaded it to the processor, then closed the file. I started ComLite32 to monitor COM1 in single-line mode. I then did a "Who Active - Go Online" into a blank project. When the "No Matching File Found" dialog is shown, switch to ComLite32 and start logging. Switch back to RSLogix and hit the "Create New File" button. A dialog then appears asking for the password; at this point type in any keyword (e.g. 123456). The dialog will appear again (because the keywords don't match); you can try this three times. At this point, switch back to ComLite32 and see what you've got. It will appear something like this:

The red data is what your PC is sending; blue data is sent from the PLC. It looks like the PC sends a command to the PLC asking for the keyword, the PLC then sends it back, and RSLogix compares the two on the PC; if they match, it allows you to continue. The red <todo> looks like a request for data; the PLC then sends back data (blue) which includes the two passwords. The strange thing is that the PC again sends a request for data, and this time the PLC sends another packet back, of a different length, but it still includes the passwords. Thus even if you are not sure where to look, having two sets of passwords in the log makes them easier to spot.

From the picture above we get this pattern twice:


30 31 32 33 34 35 36 37 38 39 35 35 35 35 35 36 36 36 36 36

Translate it into ASCII characters and you get 0123456789 5555566666

Let's try that again, this time using different passwords.

Matching pattern of data this time was:

30 36 30 32 34 35 33 34 32 33 34 34 35 35 36 36 37 37 38 38

Translated to ASCII characters this gives 0602453234 4455667788

OK, so which one is which?

The first set is the main password, the second is the master password. Thus the main password was 0602453234 and the master password was 4455667788.

The packets that the PC sends each time appear to be different, but the start and end of each packet are much the same.

This is all fine for the ten-digit passwords we tried above, but each password can be UP TO ten digits long. How does a shorter one appear?


Same sequence, same results; the only difference this time is that if you have only five digits in your password, the remaining five "spaces" are null, given as 00h, the ASCII code for NUL.

As seen previously, when the PC sends a request the data is not always the same, so I was looking for a pattern that might make discovering the password easier. The only pattern I can ascertain (new ideas are welcome) is this: after the first packet of data, starting in this instance at 10 06 10 02 01 00 0F 00, the first password's first digit starts 33 characters after the transmit ends; following that there is another send of data from the PC, and in the PLC's response the first password's first digit starts 11 characters after the transmit ends.
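The counting-bytes-after-transmit heuristic above depends on the exact shape of each request, but the keyword fields themselves have a fixed layout (two adjacent ten-byte fields of ASCII digits, NUL padded), which is easier to search for. What follows is an added example of doing that search, not the author's tool, not RSLogix or ComLite32 output, and not anything from Rockwell. It parses a serial-monitor hex dump, splits the stream into frames and scores every 20-byte window that fits the field layout. The sample logs are constructed for this example: the request header 10 06 10 02 01 00 0F 00 is copied from the page, while the reply command byte (4F, the DF1 reply form of 0F), the bytes after the transaction number and the checksum bytes are placeholders. The framing rules it relies on (10 02 = DLE STX opens a frame, 10 03 = DLE ETX closes it, a data byte of 10 is sent as 10 10, 10 06 = DLE ACK) are from the Allen-Bradley DF1 full-duplex protocol, which the page does not spell out.

```python
"""Pick the SLC keywords out of a logged DF1 serial exchange.

Added example, not the author's method (ComLite32 and reading the hex by eye).
The logs below are constructed, not real captures.  DLE STX / DLE ETX framing
and DLE DLE stuffing are DF1 full-duplex link-layer rules the page does not spell out.
"""
import re
from collections import Counter
from typing import Optional

DLE, STX = 0x10, 0x02  # 10 02 = DLE STX opens a frame, 10 03 = DLE ETX closes it
KEYWORD_LEN = 10       # each keyword field is 10 bytes: ASCII digits, then NUL padding


def parse_hex(dump: str) -> bytes:
    """'10 02 01 00 ...' (any case, any whitespace) -> bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"[0-9A-Fa-f]{2}", dump))


def df1_frames(raw: bytes) -> list:
    """Body of every DLE STX ... DLE ETX frame, DLE DLE stuffing undone.  Symbols
    between frames (10 06 = DLE ACK) and the checksum after DLE ETX are skipped."""
    frames, i = [], 0
    while i + 1 < len(raw):
        if raw[i] != DLE or raw[i + 1] != STX:
            i += 1
            continue
        i += 2
        body = bytearray()
        while i < len(raw):
            if raw[i] != DLE:
                body.append(raw[i])
                i += 1
            elif i + 1 < len(raw) and raw[i + 1] == DLE:  # data byte 0x10 is sent as 10 10
                body.append(DLE)
                i += 2
            else:  # DLE ETX (or any other DLE <symbol>) ends the frame
                i += 2
                break
        frames.append(bytes(body))
    return frames


def _field(field: bytes) -> Optional[str]:
    """Decode one keyword field ('06024' is stored as 30 36 30 32 34 00 00 00 00 00).
    None if the bytes are not digits followed by NULs; an all-NUL field gives ''."""
    digits = field.rstrip(b"\x00")
    return digits.decode("ascii") if all(0x30 <= b <= 0x39 for b in digits) else None


def keyword_candidates(body: bytes) -> list:
    """Every 20-byte window that looks like main field + master field.  The main
    field must be non-empty so NUL filler ahead of the real fields is not matched."""
    found = []
    for i in range(len(body) - 2 * KEYWORD_LEN + 1):
        main = _field(body[i:i + KEYWORD_LEN])
        master = _field(body[i + KEYWORD_LEN:i + 2 * KEYWORD_LEN])
        if main and master is not None:
            found.append((main, master))
    return found


def find_keywords(dump: str) -> Optional[tuple]:
    """Rank candidates across all frames.  The PLC answers the request twice with
    frames of different length that both carry the fields, so a pair seen in more
    than one frame wins; among equals, more digits wins (a window shifted a byte
    into the real fields yields a shorter, bogus pair)."""
    seen, order = Counter(), []
    for body in df1_frames(parse_hex(dump)):
        for cand in dict.fromkeys(keyword_candidates(body)):  # count once per frame
            if cand not in seen:
                order.append(cand)
            seen[cand] += 1
    if not order:
        return None
    return max(order, key=lambda c: (seen[c], len(c[0]) + len(c[1]), -order.index(c)))


# Constructed log.  After DLE STX come DST, SRC, CMD, STS, TNS(2): node 0 is the PC,
# node 1 the PLC, CMD 0F is from the page's dump, 4F is its DF1 reply form (bit 6 set).
# Data bytes after TNS and the two checksum bytes after DLE ETX are placeholders.
SAMPLE_LOG = (
    "10 06 10 02 01 00 0F 00 01 00 A2 10 10 7E 10 03 C3 5A "  # ACK, then PC request (10 stuffed)
    "10 06 10 02 00 01 4F 00 01 00 07 00 00 00 "              # ACK, then PLC reply 1
    "30 31 32 33 34 35 36 37 38 39 35 35 35 35 35 36 36 36 36 36 "  # 0123456789 5555566666
    "00 00 DE AD 10 03 91 0B "
    "10 06 10 02 01 00 0F 00 02 00 A3 10 03 44 12 "           # second PC request
    "10 06 10 02 00 01 4F 00 02 00 03 00 "                    # PLC reply 2: shorter, same fields
    "30 31 32 33 34 35 36 37 38 39 35 35 35 35 35 36 36 36 36 36 "
    "00 10 10 EE 10 03 7C 20"
)

# Five-digit main keyword: the unused positions are 00h, as the text observes.
SAMPLE_LOG_SHORT = (
    "10 06 10 02 00 01 4F 00 05 00 07 00 00 00 "
    "30 36 30 32 34 00 00 00 00 00 34 34 35 35 36 36 37 37 38 38 "  # 06024 4455667788
    "00 00 DE AD 10 03 11 22"
)

if __name__ == "__main__":
    print(find_keywords(SAMPLE_LOG))        # ('0123456789', '5555566666')
    print(find_keywords(SAMPLE_LOG_SHORT))  # ('06024', '4455667788')
```

Paste the hex from a real ComLite32 log (both directions, as captured in single-line mode) into `find_keywords` in place of the constructed sample. The reason this works at all is visible in the exchange itself: the PLC hands its stored keyword to the PC in clear and the comparison is done by RSLogix, so the keyword stops casual users but not anyone who can put a serial monitor on the link.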

See the "Mitsubishi Keyword Method" for the AnS PLC and FX-PLC at http://fa.jonweb.net/jiemi .

What's next? Siemens password protection?

Ideas & Comments are welcome at [email protected] .

To purchase Allen-Bradley parts: http://Allen-Bradley.5130cn.com .