Scribd Logo
Загрузить

Добро пожаловать в Scribd!

  • Ab PLC Password Crack

    Загружено:

    Yos Emite
    10K просмотров9 страниц
    The keywords within an allen-bradley processor consists of a string of up to ten characters. If a keyword has been set within the processor, it is required in order to read the program from the PLC to be able to monitor / modify the program. Rockwells technical support have been asked if it is possible to identify or get round the keyword, their answer is no, you must clear the PLC memory and start again.

    Исходное описание:

    Оригинальное название

    Ab Plc Password Crack

    Авторское право

    © Attribution Non-Commercial (BY-NC)

    Доступные форматы

    PDF, TXT или читайте онлайн в Scribd

    Этот документ был вам полезен?

    Это неприемлемый материал?

    Пожаловаться на этот документ
    The keywords within an allen-bradley processor consists of a string of up to ten characters. If a keyword has been set within the processor, it is required in order to read the program from the PLC to be able to monitor / modify the program. Rockwells technical support have been asked if it is possible to identify or get round the keyword, their answer is no, you must clear the PLC memory and start again.

    Авторское право:

    Attribution Non-Commercial (BY-NC)
    Скачайте в формате PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    10K просмотров9 страниц

    Ab PLC Password Crack

    Загружено:

    Yos Emite
    The keywords within an allen-bradley processor consists of a string of up to ten characters. If a keyword has been set within the processor, it is required in order to read the program from the PLC to be able to monitor / modify the program. Rockwells technical support have been asked if it is possible to identify or get round the keyword, their answer is no, you must clear the PLC memory and start again.

    Авторское право:

    Attribution Non-Commercial (BY-NC)
    Скачайте в формате PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    из 9

    Allen-Bradley SLC Keywords Page 1 of 9

    CRACKING THE ALLEN BRADLEY “KEYWORD”


    A Technique to discover the password or “keyword” stored in Allen-Bradley SLC series PLC’s

    Written By Ian Sullivan

    Application Software required:


    RSLogix 500
    RSLinx
    Comlite 32 (Available free from http://www.rtcomm.com/ )

    NOTE:
    This technique is intended as a work around when you have been left with a password protected PLC and the original installer has gone bust!

    Introduction

    The keywords within an Allen-Bradley processor consists of a string of up to ten characters in the range 0-9 for the main password and the same again
    for the master password. If a keyword has been set within the processor, it is required in order to read the program from the PLC to be able to monitor /
    modify the program. If you haven’t got the key, you can’t get in.
    Rockwells UK technical support have been asked if it is possible to identify or get round the keyword, their answer is no, you must clear the PLC
    memory and start again. Not very good if you do not have the original code to begin with! I recently found a way of finding the keyword in Mitsubishi
    processors, therefore the next logical step was to try the SLC processor. I thought it would be more difficult, I was wrong!
    (Note that ComLite32 does not work with NT/2000 – I used W98)

    Setting The Keyword

    SLC Processor

    I had a distinct advantage over some users, whereby I did not have a protected PLC to crack, I had an unprotected one which I could set any keyword in
    it so I knew what I was looking for. On the SLC processor, using Logix 500, I set the main password to "0123456789" and the master password to

    http://freespace.virgin.net/ian.sullivan/rockwell.htm 06/02/2003
    Allen-Bradley SLC Keywords Page 2 of 9

    "5555566666", downloaded it to the processor, then closed the file. I started ComLite32 to monitor com1 in single line mode. I then did a “who active -
    go online" into a blank project. When “No Matching File Found" dialog is shown, switch to ComLite and start logging. Switch back to Logix and hit the
    "Create New File" button. A dialog then appears asking for the passowrd, at this point type in any keyword (e.g. 123456), the dialog will appear again
    (because the keywords don’t match), you can try this three times. At this point, switch back to ComLite and see what you’ve got. It will appear
    something like this:

    http://freespace.virgin.net/ian.sullivan/rockwell.htm 06/02/2003
    Allen-Bradley SLC Keywords Page 3 of 9

    The red data is what your PC is sending, Blue data is sent from the PLC.
    It looks like the PC sends a command to the PLC asking for the keyword, the PLC then sends it back and Logix compares the two, if they match, it
    allows you to continue. The red <todo> looks like a request for data, the plc then sends back data (blue) which inlcudes the tow passwords. The strange

    http://freespace.virgin.net/ian.sullivan/rockwell.htm 06/02/2003
    Allen-Bradley SLC Keywords Page 4 of 9

    thing is that the PC again sends a request for data, this time the PLC sends another packet back, this time a different length, but still includes the
    passwords. Thus even if you are not sure where to look, it makes it easier to spot two sets of passwords.
    From the picture above we get this pattern twice:
    30 31 32 33 34 35 36 37 38 39 35 35 35 35 35 36 36 36 36 36
    Translate it into the ASCII character and you get 0123456789 5555566666

    Lets try that again, this time using different passwords

    http://freespace.virgin.net/ian.sullivan/rockwell.htm 06/02/2003
    Allen-Bradley SLC Keywords Page 5 of 9

    Matching pattern of data this time was:


    30 36 30 32 34 35 33 34 32 33 34 34 35 35 36 36 37 37 38 38

    http://freespace.virgin.net/ian.sullivan/rockwell.htm 06/02/2003
    Allen-Bradley SLC Keywords Page 6 of 9

    Translated to ASCII character gives 0602453234 4455667788

    OK, so which one is which? The first set is the main password, the second is the master password.
    Thus the main password was 0602453234 and the master password was 4455667788

    The packets that the PC sends each time appear to be different, but the start and end of each packet is quite close.

    This is all fine for ten digit passwords that we tried above, but, each password can be UP TO ten digits long, how does this appear?

    http://freespace.virgin.net/ian.sullivan/rockwell.htm 06/02/2003
    Allen-Bradley SLC Keywords Page 7 of 9

    Same sequence, same results, only difference this time is that if you only have five digits in your password, the remaining five "spaces" are null - given
    as 00h - the ASCII code for a NUL

    http://freespace.virgin.net/ian.sullivan/rockwell.htm 06/02/2003
    Allen-Bradley SLC Keywords Page 8 of 9

    As seen previously, when the PC sends a request, the data is not always the same, so I was looking for a pattern which may make discovering the
    password easier. The only pattern that I can ascertain (new ideas are welcome) is that:
    After the first packet of data, starting in this instance at 10 06 10 02 01 00 0F 00 - the first passwords first digit starts 33 characters after the transmit
    ends, following that there is another send of data from the PC, in the PLC's response the first passwords first digit starts 11 characters after the transmit
    ends.

    See the "Mitsubishi Keyword Method" HERE


    What's Next?? Siemens password protection?

    Ideas & Comments are welcome at navillusi@hotmail.com

    http://freespace.virgin.net/ian.sullivan/rockwell.htm 06/02/2003
    Allen-Bradley SLC Keywords Page 9 of 9

    http://freespace.virgin.net/ian.sullivan/rockwell.htm 06/02/2003

    Вам также может понравиться