- This topic has 25 replies, 4 voices, and was last updated 1 year, 3 months ago by
.
-
Posts
-
After trying all the methods, still not working.
Then I downloaded the ScadaTestClient again, this time running it, then it worked.
There is a windows warning about the unsigned application this time, never popup before, then after clicking yes, it can run. not sure if it is relevant.
finally found the issue, in the password field of the xml, can not use the password copy from user table.
need to use the password generated from the Project Tools -> Encrypt Password.
I am confused with the encrypted password meaning for the API.
for the HelloWorld Project, default ScadaComm account
Plain test pw = scada
pw from user table = F9A226BC671CB198C7D83ADEA0B1F2B8
pw from encrypt password tool = B9D0F030265751578B00E9801C69320C
secrete key = 0E063D581B1DB27B8E984993DED65CE99284A706756C706C7F3B12C44BD55D4Dfor the API 0x0002 login, a field say encrypted password, does it mean the pw from encrypt password tool? or I need to do AES encryption again using pw from encrypt password tool with secrete key
Comparing the network traffic, I found a mismatch of the protocol document.
for the 0x0002 function,
for the field of username, password, instance,
actually should be
length of username (2bytes),
username,
length of password (2bytes),
password
length of instance (2bytes),
instanceYou right. The Users table contains the password hash, while XML files contains encrypted passwords. Hash cannot be decrypted. Encrypted password can be decrypted. You can encrypt password with Administrator user interface.
In the protocol, a string is encoded as
Bytes 0…1 – the string length in bytes
Bytes 2…N – the UTF-8 encoded charactersCould you specify what should be updated in the document?
I get most command done except the login…
use wireshark captured 3 login data, the “Encrypted Password String Bytes” are different each time.
02003d000000cce90c32cd62e16f020009005363616461436f6d6d20004244383437323932323946453046443831343932394339393445354132393430000000000000 02003d000000e7bc670599955ad1020009005363616461436f6d6d20004343464338394230304237383246353231344434343837434431304341354545000000000000 02003d0000006c50d7e367885fa3020009005363616461436f6d6d20003631453934424138324433453145363036323643313743374236383633334339000000000000So the string bytes should be not directly the “Encrypted Password encrypt password tool”.
Some further encryption operation has been done to the password before packing it into bytes.
Is there any instruction on this?
> the “Encrypted Password String Bytes” are different each time
Yes. The protection algorithm encrypts password differently. Otherwise, someone can sniff packets and login.Check the ScadaClient and ClientBase source code.
Since there doesn’t seem to be any mention of the session id, it may be worth mentioning that the password encryption is initialized with the sess_id.
Here is how I did it in my current client.
def Encrypt(s: str, sec_key, sess_id) -> str: ct = EncryptBytes(s.encode("UTF8"), sec_key, sess_id) return binascii.b2a_hex(ct).decode("ascii").upper() def EncryptBytes(bstr:bytes, secretKey, sess_id): # generate iv from sess_id iv = bytearray(IVSize) sessBuf = struct.pack("q",sess_id) sessBufLen = len(sessBuf) for i in range(0, IVSize): iv[i] = sessBuf[i % sessBufLen] #print("gen_iv=") #hexdump(iv) # encrypt byets padder = padding.PKCS7(128).padder() cipher = Cipher(algorithms.AES(secretKey), modes.CBC(iv)) encr = cipher.encryptor() bstr = padder.update(bstr) + padder.finalize() ct = encr.update(bstr) + encr.finalize() return ct
- You must be logged in to reply to this topic.