This document provides an overview of industrial control systems (ICS) and Programmable Logic Controllers (PLCs). It discusses the components of ICS, including sensors, actuators, HMIs, PLCs, and more. It also covers the MODBUS protocol commonly used in ICS, providing details on its master/slave architecture and function codes. The document concludes by discussing tools used in the workshop, such as Kali Linux, MBTGET, PLCSCAN, and Metasploit modules, to analyze MODBUS communications, perform reconnaissance on PLCs, and attack standard services and protocols.

1. Industrial
control systems
Pentes&ng PLCs 101

2. Who am I?
Arnaud
soullié
Senior security auditor
interests
§ Windows Ac+ve Directory
Can a Windows AD be secured ? JSSI 2014
(French, sorry)
§ SCADA stuff
§ Wine tas+ng
(we’re not going to talk about it today)
@arnaudsoullie

3. LAB PREREQUISITE
What’s in the lab vm?
LAB KALI LINUX
ADDITIONAL TOOLS
SCRIPTS AND FILE EXAMPLES
§ MODBUSPAL
§ MBTGET
§ PLCSCAN
§ SNAP7
§ …
§ PCAP SAMPLES
§ SCRIPTS
SKELETONS
§ …

4. AGENDA
1
2
3
ICS Introduction
MODBUS protocol
Attacking plcs

5. ICS Introduction

6. What is an Industrial Control System (ICS)?
Group WAN
Corporate network
Corporate IT
Production
management
ERP server
Supervision network / SCADA
Data Historian / Scada
server
Maintenance
laptops
Supervision
consoles
Production network
RTUs
PLCs
ICS
PLC
Wireless industrial
networks
Corporate IS handle data
≠
ICS handle interfaces data with physical world

7. A bit of vocabulary
ICS (Industrial Control System)
=
IACS (Industrial Automa4on and Control Systems)
~=
SCADA (Supervisory Control And Data Acquisi4on)
~=
DCS (Distributed Control System)
Nowadays, people tend to say “SCADA” for anything related to ICS

8. ICS COMPONENTS
§ Sensors and actuators: allow interac=on with the
physical world (pressure sensor, valves, motors,
…)
§ Local HMI: Human-­‐Machine Interface, permits
the supervision and control of a subprocess
§ PLC: Programmable Logic Controller : manages
the sensors and actuators
§ Supervision screen: remote supervision of the
industrial process
§ Data historian: Records all the data from the
produc=on and Scada networks and allows
expor=ng to the corporate IS (to the ERP for
instance)

9. SCADA SECURITY AWARENESS TIMELINE (SIMPLIFIED)
Who cares ?
<2011
September 5, 2014

10. SCADA SECURITY AWARENESS TIMELINE (SIMPLIFIED)
Who cares ?
OMG !
OMG !
STUXNET !!!
2011
<2011
September 5, 2014

11. SCADA SECURITY AWARENESS TIMELINE (SIMPLIFIED)
2011 Under control
Who cares ?
OMG !
OMG !
STUXNET !!!
<2011
One day ?
September 5, 2014

12. WHAT IS WRONG WITH CURRENT ICS security?
Network
segmentation
security
supervision
Organization &
awareness
Vulnerability
management
third paRty
management
security
In protocols

13. ICS-­‐CERT listed over 250 a6acks on ICS in 2013
59% of a6acks targeted the energy sector
79 a6acks successfully compromised the target
57 a6acks did not succeed in compromising the target
120 a6acks were not idenHfied/invesHgated

14. What is
A PLC?
§ Real-­‐+me digital computer used for automa+on
§ Replaces electrical relays
§ Lots of analogue or digital inputs & outputs
§ Rugged devices (immune to vibra+on, electrical noise, temperature, dust, …)
What’s inside ? Siemens S7-1200

15. PLC
programming
§ “Ladder Logic” was the first programming language for PLC, as it mimics the real-­‐life
circuits
§ IEC 61131-­‐3 defines 5 programming languages for PLCs
§ LD: Ladder Diagram
§ FBD: Func+on Block Diagram
§ ST: Structured Text
§ IL: Instruc+on List
§ SFC: Sequen+al Func+on Chart
Ladder diagram example Structured text example
(* simple state machine *)
TxtState := STATES[StateMachine];
CASE StateMachine OF
1: ClosingValve();
ELSE
;; BadCase();
END_CASE;
Instruction list example
LD Speed
GT 1000
JMPCN VOLTS_OK
LD Volts
VOLTS_OK LD 1
ST %Q75

16. Finding scada systems on the internet
I

17. § Shodan is a search engine dedicated to find devices exposed to the Internet
§ It regularly scans the whole Internet IPV4 range (~4,3 billions IPs)
§ Results are par+ally free (you have to pay to export the results)
What can you find?
§ All kinds of connected devices
§ PLCs
§ Webcams
§ Smart-­‐things (fridge, TV, …)
§ Things you can’t even imagine…
§ Example ICS report :
hgps://www.shodan.io/report/l7VjfVKc
ALTERNATIVES?
§ Scan the Internet yourself
(Zmap, Massscan)
§ Other online services/surveys

18. FUNNy things you can find on teh interwebs
It’s not just webcams.
This is a crematorium.
On the internet.

19. MODBUS Protocol

20. Modbus
protocol
§ Serial communica+on protocol invented in 1979 by Schneider Electric
§ Developed for industrial applica+on
§ Royalty-­‐free
§ Now one of the standards for industrial communica+ons
HOW it works
§ Master / Slave protocol
§ Master must regularly poll the slaves to get
informa+on
§ Modbus addresses are 8 bits long, so only 247
slaves per master
§ There is no object descrip+on: a request returns
a value, without any context or unit
Security anyone?
§ Clear-­‐text
§ No authen+ca+on

21. Modbus
protocol
§ Modbus was originally made for serial communica+ons
§ However it is now ooen used over TCP
MODBUS/TCP FRAME FORMAT
Name
Length
FuncHon
TransacHon idenHfier
2
For synchronizaHon between server & client
Protocol idenHfier
2
Zero for Modbus/TCP
Length field
2
Number of remaining bytes in this frame
Unit idenHfier
1
Slave address (255 if not used)
FuncHon code
1
FuncHon codes as in other variants
Data bytes or command
n
Data as response or commands

22. Modbus
protocol
§ The most common Modbus func+ons allow to read and write data from/to a PLC
§ Other func+ons, such as file read and diagnos+cs func+ons also exist
§ Undocumented Modbus func+on codes can also be used to perform specific ac+ons
COMMONLY USED MODBUS function codes
FuncHon name
FuncHon
code
Read coils
1
Write single coil
5
Read holding registers
3
Write single register
6
Write mulHple registers
16
Read/Write mulHple registers
23

23. Modbus
protocol
ALL documented MODBUS function codes (from wikipedia) h,p://en.wikipedia.org/wiki/Modbus

24. Lab Session #1: Analyzing a Modbus communication with Wireshark
§ Launch Wireshark
§ Open “modbus1.pcap”
§ Try to understand what’s going on
§ What’s the value of register #123 at the end?

25. Lab session #2: ModbusPal
§ Modbuspal is a modbus simulator
$ > java –jar ModbusPal.jar
§ Add a modbus slave
§ Set some register values
§ Query it with:
§ MBTGET Perl script
§ Metasploit module
§ Analyze traffic with Wireshark

26. Lab session #2: ModbusPal + MBTGET
§ Mbtget is a perl script to perform Modbus/tcp queries
$ > cd toolz
$ > ./mbtget -h
§ Read requests
§ Coils (1 bit)
$ > ./mbtget –r1 –a 0 –n 8 127.0.0.1
§ Words (8 bits)
$ > ./mbtget –r3 –a 0 –n 8 127.0.0.1
§ Write requests
§ Coils (1 bit)
$ > ./mbtget –w3 #{VALUE} –a 0 –n 8 127.0.0.1
§ Words (8 bits)
$ > ./mbtget –w6 #{VALUE} –a 0 –n 8 127.0.0.1

27. Lab session #2: ModbusPal + METASPLOIT
§ A simple modbus client that I developed
§ Can perform read and write operaHons on coils and registers
§ Included in msf’s trunk so you already have it J
§ Launch msf console
$ > msfconsole
msf > use auxiliary/scanner/scada/modbusclient
msf auxiliary(modbusclient) > info
§ Play!
msf auxiliary(modbusclient) > set ACTION

28. Attacking
plcs
Never do this
on LIVE production systems
Attacking
plcs
Never do this
on LIVE production systems

29. Lab session #3 : Reconnaissance
§ ObjecHve : IdenHfy all exposed services on a device or a
range of devices
§ Oken the first step in a pentest
§ We will use two tools
§ Nmap: The world’s finest port scanner
§ PLCSCAN: A reconnaissance tool dedicated to PLCs
§ PLCs IP addresses
§ 192.168.0.50: Siemens S7-­‐1200
§ 192.168.0.5: Schneider m340

30. Lab session #3 : Reconnaissance (Nmap)
§ The de-­‐facto tool for port scanning but can be really dangerous
on ICS
§ Two stories from NIST SP800-­‐82
§ A ping sweep broke for over 50 000$ in product at a semi-­‐conductor factory
§ The blocking of gas distribu>on for several hours a?er a pentester went slightly off-­‐
perimeter during an assessment for a gas company
§ Nmap useful setup for ICS scanning
§ Reduce scanning speed! Use « --scan-delay=1 » to scan one port at a
Hme
§ Perform a TCP scan instead of a SYN scan / do not perform UDP scan
§ Do not use fingerprinHng funcHons, and manually select scripts (do not use “–
sC”)

31. Lab session #3 : Reconnaissance (PLCSCAN)
§ h6ps://code.google.com/p/plcscan/
by SCADAStrangeLove (h6p://scadastrangelove.org/)
§ Scans for ports 102 (Siemens) and 502 (Modbus) and tries
to pull informaHon about the PLC (modules, firmware
version,…)
§ Not exhausHve since not all PLCs use Modbus or are
Siemens
§ What if I told you there was another way… SNMP ?

32. Lab session #4 : Attacking standard services
§ Most PLCs have standard interfaces, such as HTTP and FTP
§ Lets’ say security was not the first thing in mind when
introducing these features …
§ Schneider M340
§ Connect to the webserver
§ Default password
§ Hardcoded password ?
§ Take a look at Java applets !

33. Lab session #5 : Attacking ICS protocols
§ Modbus
§ Scan for registry values using mbtget
§ Python / Ruby / Perl / PHP, your call !
§ Siemens S7-­‐1200
§ python s7-read-new.py 192.168.0.50
§ python s7-write-outputs.py 192.168.0.50 11111
§ UnauthenHcated acHons
§ STOP/RUN
msf > use auxiliary/admin/scada/modicon_command
§ Logic download/upload
msf > use auxiliary/admin/scada/modicon_stux_transfer

34. What can we do about it ?
It’s difficult, but not all hope is lost.
Network segmentation Patch when you can
§ Do not expose your ICS on
the Internet
§ Do not expose all of your
ICS on your internal
network
§ Use DMZ / Data diodes to
export data from ICS to
corporate network
§ Patching once a year
during plant
maintenance is
beYer than doing
nothing
Apply corporate best
practices
§ Change default
passwords
§ Disable unused services
Security supervision
§ IPS have signatures for
ICS
§ Create your own
signatures, it is not that
difficult
Y U NO SECURE ICS ?
THE COST IS TOO DAMN HIGH !

35. TOOLZ used during the workshop
§ Kali Linux: h6p://www.kali.org/
§ MBTGET: h6ps://github.com/sourceperl/mbtget
§ PLCSCAN: h6ps://code.google.com/p/plcscan/
§ METASPLOIT MODULES
§ Modbusclient: included in Metasploit
§ modicon_stux_transfer_ASO (not totally finished):
h6ps://github.com/arnaudsoullie/metasploit-­‐framework/
blob/modicon_stux_transfer/modules/auxiliary/admin/
scada/modicon_stux_transfer.rb
§ Scripts for the Siemens
§ Snap7: h6p://snap7.sourceforge.net/
§ Py. wrapper: h6ps://pypi.python.org/pypi/python-­‐snap7/
§ The actual scripts: h6ps://github.com/arnaudsoullie/scan7

36. www.solucom.fr
Contact
Arnaud SOULLIE
Senior consultant
arnaud.soullie[AT]solucom.fr