Good morning, slash afternoon depending on what time it actually is, everyone. As he so eloquently introduced me, I'm Mark Bristow. I am a SCADA security engineer for a consulting firm who, for various reasons of politics, decided they do not want to be associated with this talk. So I'm here as an independent researcher. My day job is I perform security assessments for lots of commercial and government clients, some of whom are probably actually in this room right now, because I saw you at Black Hat. This is really just kind of a personal project that I started putting together at my old company, actually, and decided to submit it for a talk, and now I'm here, and by the end of this talk I'm actually going to release it as a free and open-source tool. Well, that's a lie; I don't have an upload of the code yet, because I'm afraid to use the Wi-Fi.

So just a quick agenda about what we're going to talk about today. I'm gonna start out with just kind of an introduction to SCADA systems, because I'm sure not everyone in this room is a SCADA security expert. Then I'm gonna do like a real quick primer about ModScan: why I built the tool and what kind of problems I'm trying to solve with the tool. Then I'm gonna talk about the Modbus protocol, which is really actually pretty important, because if you don't understand the actual protocol that I'm talking about here, you're gonna get really confused as to what my tool does. I'm gonna go through a little bit of the history, I'll go over packet construction, some of the more interesting functionality, and then the communication flow and how errors are handled, which becomes really important.
You'll see that in a little bit. Then I'm gonna talk about Modbus TCP, which honestly is just a wrapper for Modbus into TCP, although they change the packet structure and the protocol a little bit, so I'm going to go over that architecture, packet construction, and then we're looking at packet captures. Conveniently, Wireshark actually decodes the Modbus protocol, so that's kind of nice. Then we're gonna get into the demo. I actually have a virtual SCADA network. I had delusions of grandeur of bringing hardware with me at one point, but yeah, that didn't happen. So we've got a virtual machine that's a SCADA network that we're actually gonna do a live demo on, and if the demo gods smile upon me, hopefully everything will work. And then we're just gonna go over some project information, Q&A if we have any time, and like he said, I'm thinking we'll be in room 104 after this if you have questions.

So I can't give a talk without a disclaimer. You know why it's there. Don't be stupid. Okay, this tool was not written with the intent of being particularly malicious, but you can still do nasty things. SCADA systems: think like 1980s technology, okay? I mean literally, that's what's going on in most of these places. They're really fragile and temperamental, and if you run this on some system, you could easily crash it. So if you do, you didn't hear it from me.

Okay, so like I said, I'll go over a little primer. What is SCADA? How many people in this room know what SCADA is? How many people in this room would bet a beer on their definition of what a SCADA system was? Yeah, that's what I thought. You all know that it's supervisory control and data acquisition, but you have no clue what that actually means, based on the number of hands I saw, like three. What's that?
Deal. Anyway, SCADA systems are basically the long definition's up on the slide, but basically it's a system that takes real-time data inputs from various sensors, local and remote, uses that stuff to make real-time decisions about controlling a process, and then goes and controls that process, again from local and remote locations. A lot of times you also hear the term ICS, or industrial control systems, used. They're virtually synonymous; there are actually some technical differences between the two terms, but for the most part they mean the same thing.

So now we know what SCADA is. Where do we find SCADA? SCADA is touching your lives right now. The power, the lights are on in here, which means a power system is running somewhere out there, probably Hoover Dam, right? Guess what, Hoover Dam is run by a SCADA control network. Power is one of the biggest ones, but you have stuff like water treatment. You know that this water bottle was manufactured, right, and they put water in it. Why? Because a SCADA system controlled that. Who hates gas? The price of gas. I know I hate the price of gas. Wow, no hands. Come on, guys, wake up. It's noon. Okay, it's four dollars a gallon. What's up with that? That's all piped through pipelines.
All those pipelines are controlled with SCADA control systems. In big cities, like I'm from Washington, DC, and I hate traffic because it sucks up more of my life than I care to admit, traffic control systems in big cities are typically done by SCADA. So yes, believe it or not, in some of those crazy hacker movies like Hackers, there are some systems that you could actually control the traffic lights with if you were so inclined. So this is not a comprehensive list of everywhere there's SCADA, but as you can see, this stuff touches your life a whole lot.

So this here is kind of what SCADA looks like, sort of in a conceptual manner, from my experience with dealing with clients. You typically have a big corporate network, some type of control network, some field sites down here at the bottom, and a whole bunch of stuff running in between. You've got all kinds of specialty devices, you've got regular servers, these big things called PLCs, which kind of are the brains of the operation along with the SCADA application controller. Notice how there are different color lines on this slide; each color here represents a different protocol. SCADA networks today are just kind of a big hodgepodge of different things. You've got TCP/IP running all over the place, you've got Modbus serial, you've got Modbus TCP, you've got DNP3, all kinds of stuff just running around, which creates a big problem for the asset owners because now they have to deal with all these different protocols. What's changing about this picture is it's all going blue. Okay, everything is starting to get touched into standard switched TCP networks. Well, what that means for all of you and us is that we already know how to break into regular Ethernet networks pretty good, right?
So all those proprietary protocols that, you know, were supposed to provide the security by obscurity in SCADA, yeah, they don't matter anymore, because we can get in and then, over TCP, break through the routers, break through the firewalls, and we're done. And the other thing too is some of these firewalls, especially, my laser pointer, that one right there, not usually there. So, you know, it's great: you own like a web server and all of a sudden you're on the control LAN and you go, really? Okay.

So, ModScan. We're not here to talk about SCADA architecture; I just need to give you a primer. What is ModScan? ModScan is basically a tool that I wrote to detect open Modbus TCP ports and then identify these things called slave IDs, because you can't address any device without knowing its slave ID, and then you need to associate that with an IP address. Well, that's what ModScan does, at least what it does today. My original intent was to make this kind of like a reconnaissance tool, something that administrators could use to map out their network; think like really, really, really early versions of Nmap, except it only runs on one port. But basically, you know, something kind of like a general reconnaissance tool is what I was looking for.

So I keep talking about this Modbus thing. Has anyone here actually read the Modbus protocol spec? Wow, I'm impressed, like more hands than I thought I'd see. Okay, well, then you guys are gonna be really bored for this part of the presentation. I'm sorry. So Modbus is old. Okay, Modbus was developed in 1979 by a company called Modicon that doesn't even exist anymore. Okay, so we're talking literally 1979, early 1980s technology we're dealing with. It's pretty basic. It is free.
It's open source. You can go to the Modbus website, which is in my references, and download the protocol spec if you want to; that's kind of how I got started with this whole thing. Depending on who you ask, it's the most common protocol out there, and I'd say that's probably a lie, but like a pretty good lie. Almost every major control system network that I've seen has at least some element of Modbus running on it, because it's very, very prevalent, because it's so old and well established. And Modbus TCP is registered on port 502, so if you ever come across port 502, that's typically what you're looking at, if it's registered. And it comes in two flavors. There's the RTU flavor, which is a binary flavor that I have actually never seen deployed. Most places are running what's called Modbus ASCII. They're basically the same thing except for the compression format, and they use different CRC versus LRC checks. It's not really that big a deal. They're pretty much the same thing.

So what's a Modbus packet look like? Okay, a Modbus packet is broken up into two major sections. There's the ADU, which is the entire packet, and the PDU, which is the protocol data unit, which is this kind of green stuff going on over here. All right?
The only thing that is absolutely written in stone in the spec is that the PDU has to exist: you have to have this thing with the function code and the data. That's the only thing that you actually have to have for Modbus. Now Modbus serial has this other concept of a slave ID, and has error checking on it, and as you can see it runs up to 256 bytes, which was actually because this was originally designed in the 70s as a serial protocol, and 256 was the maximum size an RS-485 packet could be, so that's why it's the size that it is.

So, important notes: these function codes, we're going to get into these function codes and these slave IDs pretty good here. Function codes are valid 1 through 127; the function codes 128 through 255 are reserved for error codes, and we'll get back to error codes. Like I said, they become important. And it's big-endian encoding, which is important because if you look at any of the packet captures and you're not thinking about that, you'll get confused as to why things don't look like they should.

So now, who sees any type of security-relevant stuff in this packet? Yeah, giggles is about the right thing, right? There's nothing. There's no authentication in here. There's not even a place for it. You know, the inherent protocol has absolutely no... if you're on the wire, you win. You can send commands. Modbus uses a master/slave relationship. Masters don't have to be authenticated. They don't have to authenticate the slaves. You just put out your thing and it happens. So if you make it down to the actual wire on Modbus, pretty much the only thing that's left is you don't know how to address the slaves, and that's what ModScan solves for you. So basically, if you can get to the wire and run my tool, you own that SCADA network. Fun stuff.

So I said I'd get into the function codes a little bit. Here's the function code reference. I'm not going to go through all these; if you want to read them, read the spec.
I don't want to waste my time on that. Some important things are read coils, and these read functions are basically to read data, right, which becomes very useful in a scanner, because we don't want to scan with a write, because some devices are read-only. But you can write data to devices, which can be fun if the device is, say, a breaker and you want to trip it. So you just write, you know, switch a bit somewhere and all of a sudden, you know, the power goes out in Nevada. Awesome. Another interesting thing here is diagnostics. We'll get into those in just a second. Also, where is it, let's see, function code 11, report slave ID. This is actually the default function code for ModScan. Now you might think, well, why did you write this tool to discover slave IDs if you can just ask it for the slave ID and it gives it to you? Well, it doesn't, because what that does, oops, went past the slide. Okay. Report slave ID gives you a human-readable text string, so it says, hey, I'm like substation number 57, switch 2. It doesn't give you back the actual addressing slave ID that you need. So I don't know why it's called that, but that's what they call it. If you actually address it with the wrong slave ID and ask it for this code, it gives you an error. So I didn't really understand that part.

So, diagnostic codes. I said diagnostic codes are pretty interesting. Code zero is kind of boring; it just is an echo. But code one and code four, those are pretty interesting, because code one, if you were to just continually broadcast diagnostic code one at a Modbus network, what would happen? Communication gets reset, and then what? You're DoSing the entire network, built right into the protocol for you. Thank you very much, Modicon. The other thing you can do is use code four, which is force listen-only mode. Well, why does that matter? Well, most of these, I said, these control networks, right?
They take data in and then make decisions and then use them to do stuff. Well, if you cut off the data feed, the SCADA control system goes, oh my god, everything just crashed, and who knows what happens. So that's also a kind of interesting little tidbit that they added. And then of course they built in your obfuscation for you with clear counters and diagnostic registers, and clear the overrun counters. So if you were banging against the device for a little while and you want to clear all the logs, that's built right into the protocol, no problems.

So now we know what packets look like; let's talk about comm flow for a little bit. Okay, comm flow for this protocol is again really simple. Basically, like I said, you've got a master and a slave. Masters are the only ones that can start communications; slaves cannot under any circumstances, although some vendors, and the truth about Modbus is that some vendors implement things differently, so some have added that functionality, but in the spec only masters can start the talk. So basically master sends a request out to a slave, slave does something, slave responds. Pretty simple.

So what happens when, I said errors are important for my tool, okay? So what happens when errors occur? It looks just like the last one. The master sends out a request that's improperly formatted or something. The error is detected at the slave level. The slave reports an error back in a special format, which is a little bit different.
So you have the slave ID, you have this EFN, then you have the error code where the data should be, and then you have the error check. That EFN is just the function code plus 80 hex, which is why I said earlier that 128 through 255 were reserved, because it's the error half of all the actual function codes that are being used. This basically becomes the foundation of how my scanner works. So the error codes are defined in the spec. I'm not going to go over them; they don't really matter. The only one that matters, that you'll see in the slides, is error code 3, which means illegal data value.

So okay, kind of a recap real quick. Valid slaves: 1 through 247. Okay, why they didn't run that all the way up to 255, I really have absolutely no idea. It fits in one byte, but whatever. The slave ID has to be unique on every bus, because remember, this is a serial protocol, right? So if you have two Modbus serial networks next to each other, they don't care what the other one's doing, but on the same bus you can't have two devices with the same slave ID. Otherwise, oh no, two devices are going to respond at the same time; you have a race condition, you don't know what's going to happen. Masters, if you look back in that slide, the masters don't announce themselves in any way. They just send something on the wire. See, there's no master ID in this packet; there's just slave ID. So masters don't have to authenticate in any fashion. And you can only run one request at a time. It's really, really highly timing-based. The good news is that straight Modbus is not really run a whole lot. I've seen it in some systems, but it's not everywhere. But you could actually really do some... if someone's running just straight Modbus, you can do really nasty things to them pretty easy.
It's pretty bad. So that's Modbus. My tool runs on Modbus TCP, which I said is basically just a wrapper for Modbus. Okay, what they did is they had to modify the protocol a little bit, because things like the checksum: why do we care? The TCP/IP layer will take care of all the checksums for us, so why are we going to add that? We introduced gateways. These become really important, because a gateway basically takes a Modbus TCP connection, gives it one IP address, and then it'll allow you to attach a whole ring of slaves to that, so you can put up to 247 slaves attached to one gateway, now hiding behind one IP address, which is how a lot of these systems are kind of put together. As I said before, port 502 is still the port for this, but basically everything else is completely unchanged in the protocol; the underlying packet is the same.

So a Modbus TCP architecture looks kind of like that last slide, but just a little bit different. You've got the corporate LAN, then you've got the firewall, hopefully, and then you have your control center, which has all your fun toys in it, and that's where you take all of your VPs and all that kind of stuff. And then if you notice, we've got blue running over here. The blue is all the Modbus TCP connections, and that can run throughout the entire network over your regular Ethernet, and then occasionally you have your gateways, that typically talk to kind of more legacy devices, like things that are high-capital, like generators and those kinds of things, transformers. They might only speak regular Modbus. You just kind of drop a gateway in there so that you can talk to them over the regular network. You're seeing from the device vendor standpoint that a lot of vendors are adding Modbus TCP directly into their products, so most of this stuff is going away, but it's definitely still out there, because like I said, they're high-capital investment items.
They don't turn over very fast. So this is a Modbus TCP packet. It's broken up again really into two major sections. There's the PDU, which is the thing from last time; remember I said that's the only thing that you have to have for Modbus. Well, that's unchanged. Okay, and then you have this thing which is the MBAP, the Modbus application protocol header, which has all of your routing information. You have a transaction ID and a protocol ID, which for some reason is always zero. Always. You never change them for any reason. I don't understand why they're there, but okay, so you just put in zeros for the first couple of bits. Yeah. Oh, good. Okay, so that guy knows. Thank you, that guy. Yeah, you get a beer too. Oh, sorry, yeah, my bad. What he said was that originally they were gonna have multiple protocols that were gonna be attached to this, so that's why the protocol ID was there, but they only ever developed one protocol, and so that's why it's always zero. Did I summarize appropriately? Close enough? Okay, good.

So, more importantly, again, still big-endian encoding. The PDU is the same, but you have this kind of additional header here with a length, and notice that the slave ID is again in the extra addressing. So that's what it looks like conceptually. Let's look at an actual request/response going on from a packet capture I did a while ago. So if you look at the request, this is obviously straight out of Wireshark. Wireshark will decode this into a more readable format, but I prefer to read it in the hex because I'm a geek. So you've got your transaction ID, protocol ID, your length, which you actually have to calculate (it's not that hard), your slave ID, and then your function. In this particular case,
I ran diagnostic code zero, which is echo, and then 05 35, which is "lead" in hex, in case anyone doesn't know. The request gets sent out by the master, and then a response looks like this. Again, you have zero zero zero zero, you get your length, your slave ID gets returned, then notice, since this was a valid response, the function code gets returned as the one that was sent in. That's important. And then, since this was diagnostic, you get the diagnostic code and data. So the important part of this is that it looks exactly like the request, right, because that function code is the only thing that will let you know if there was any type of error, or that it came from the slave.

So what happens when we do something bad? Right, that's what we're all interested in anyway. All this stuff stays the same. This is the request, so for the function code we put in a valid function code, but with a diagnostic code of FF, which is not in the spec. Okay, so we're going to send it something that it doesn't expect. What happens is, you get your transaction ID, your protocol ID, length, slave ID, etc. But if you look at the function code, and that's actually kind of hard to read on that screen,
sorry, that's 88 there, right? So we got that function code back, and they had 80 hex added to it, and that's really the key to how this all works. Because if you send a request with an invalid slave ID, it errors or ignores you, right? So if your flow is this: you either error or get ignored when there's an improper ID, but when the proper ID is sent you get that function code back. Now we've got a binary switch, where we can say, okay, if we meet these conditions, it's not the right one; if we meet this condition, it's the right one. And now we have a fundamental basis for how to do mapping.

So back to my tool, enough with the boring lesson. Basically, the only required parameter for ModScan is an IP range. It'll scan the IP range on whatever port you ask it to, although it defaults to 502. You can run Modbus on another port if you want to; it's your choice. When it finds an open port, it's pretty simple: it just does a slave ID brute force. It's not very elegant, but it gets the job done, and it's surprisingly faster than you might think it would be. By default it stops at the first slave ID that it finds. That's just because I chose to do it that way to be more efficient, but again, for gateways that doesn't really fly, and we'll take a look at that in a little bit. And it outputs in just an IP colon port, tab, slave ID format, because that's what I felt like. I mean, I intend on adding actual CSV or something like that to it, but I'm just way too lazy right now to get that done.

So you get a whole bunch of switches and options on the tool. Again, it's written in Python, but Python has a nice little options handler, beautiful. You can set the port, the timeout, and, this is important, the aggressive mode.
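As an added example (not code from the talk or from ModScan), here is a small Python decoder for the Modbus TCP framing just described: it builds the MBAP header plus PDU, recognises exception responses by the 0x80 added to the function code, and, from a defender's seat, audits a constructed capture for the diagnostic sub-functions the talk calls out (restart communications, force listen-only, clear counters) and for the slave-ID sweep that a brute-force scanner produces. The IP addresses, frames and sweep threshold are constructed for the example.

```python
# Added example (not code from the talk or from ModScan): Modbus TCP frame
# builder/decoder plus a small traffic audit. Addresses and frames below are
# constructed for illustration.
import struct
from collections import defaultdict

# Exception codes from the Modbus Application Protocol spec (the talk only
# walks through code 3, Illegal Data Value).
EXCEPTION_CODES = {
    0x01: "Illegal Function", 0x02: "Illegal Data Address",
    0x03: "Illegal Data Value", 0x04: "Slave Device Failure",
    0x0A: "Gateway Path Unavailable", 0x0B: "Gateway Target Device Failed to Respond",
}
# Diagnostic (FC 8) sub-functions the talk calls out: reset comms,
# force listen-only, and clear counters/diagnostic registers (log wiping).
RISKY_DIAG_SUBFUNCTIONS = {
    0x0001: "Restart Communications Option",
    0x0004: "Force Listen Only Mode",
    0x000A: "Clear Counters and Diagnostic Registers",
}
UNIT_SWEEP_THRESHOLD = 8  # constructed tuning value: distinct unit IDs per source


def build_frame(transaction_id, unit_id, function_code, data=b""):
    """ADU = MBAP header + PDU, big-endian. MBAP is transaction ID (2 bytes),
    protocol ID (2, always 0), length (2) and unit ID (1); the length counts
    the unit ID byte plus the PDU (function code + data)."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(frame):
    """Decode one ADU; raises ValueError for frames that do not fit the spec."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol ID %d is not Modbus (must be 0)" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    fc, data = frame[7], frame[8:]
    info = {"transaction_id": tid, "unit_id": uid, "data": data,
            "function_code": fc & 0x7F,       # strip the exception bit
            "is_exception": bool(fc & 0x80)}  # the "function code + 0x80" rule
    if info["is_exception"]:
        code = data[0] if data else None
        info["exception_code"] = code
        info["exception_name"] = EXCEPTION_CODES.get(code, "Unknown")
    elif fc == 0x08 and len(data) >= 2:
        info["diag_subfunction"] = struct.unpack(">H", data[:2])[0]
    return info


def audit(frames):
    """Audit (direction, source_ip, frame) tuples seen on TCP/502 and return
    (kind, source, detail) findings: malformed frames, risky diagnostic
    requests, exception responses, and unit-ID sweeps."""
    findings, units_per_source = [], defaultdict(set)
    for direction, src, frame in frames:
        try:
            info = parse_frame(frame)
        except ValueError as exc:
            findings.append(("malformed", src, str(exc)))
            continue
        if direction == "req":
            units_per_source[src].add(info["unit_id"])
            sub = info.get("diag_subfunction")
            if sub in RISKY_DIAG_SUBFUNCTIONS:
                findings.append(("risky-diagnostic", src, "FC 8 sub-function 0x%04X (%s) to unit %d"
                                 % (sub, RISKY_DIAG_SUBFUNCTIONS[sub], info["unit_id"])))
        elif info["is_exception"]:
            findings.append(("exception", src, "FC %d rejected by unit %d: code %s (%s)"
                             % (info["function_code"], info["unit_id"],
                                info["exception_code"], info["exception_name"])))
    for src, units in units_per_source.items():
        if len(units) >= UNIT_SWEEP_THRESHOLD:
            findings.append(("unit-id-sweep", src, "%d distinct unit IDs addressed" % len(units)))
    return findings


# Constructed capture: an echo request/response, a bogus diagnostic
# sub-function that draws exception 0x88/0x03, a restart-communications
# request, and a second host walking unit IDs 1..10 with Report Slave ID (17).
SAMPLE_CAPTURE = [
    ("req", "10.0.0.5", build_frame(1, 8, 0x08, b"\x00\x00\xA5\xA5")),
    ("resp", "10.0.0.21", build_frame(1, 8, 0x08, b"\x00\x00\xA5\xA5")),
    ("req", "10.0.0.5", build_frame(2, 8, 0x08, b"\x00\xFF\xA5\xA5")),
    ("resp", "10.0.0.21", build_frame(2, 8, 0x88, b"\x03")),
    ("req", "10.0.0.5", build_frame(3, 8, 0x08, b"\x00\x01\x00\x00")),
] + [("req", "10.0.0.9", build_frame(100 + u, u, 0x11)) for u in range(1, 11)]

if __name__ == "__main__":
    for kind, src, detail in audit(SAMPLE_CAPTURE):
        print("%-16s %-10s %s" % (kind, src, detail))
```

Run against real traffic, the frame list would come from a port 502 capture rather than the constructed sample; the sweep threshold is a starting point to tune against the site's normal polling.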
I said before the default mode is it stops at the first slave ID. Well, in aggressive mode it enumerates the entire address space every time. So if it finds a slave ID, it just assumes that it's at a gateway, because there's no other way of detecting it, and just runs through the entire list. So if you're dealing with a place with gateways, you pretty much have to use the aggressive mode. You can change the function. Why is that important? Because like I said before, Modbus is kind of like every vendor does their own little special implementations and that kind of stuff of Modbus. So function code 17, which is what I default to, that report slave ID one, might not actually be implemented on particular devices. It's possible. So maybe you want to use read discretes, or read coils, or, you know, a diagnostic code to do your scanning. The principle of the tool will still work: if it's the wrong slave ID, it'll come back with an error. So you can really use any function code. You could even use a write function code if you wanted to, and it would come back and report all the slave IDs, although you probably just made a really big mess in someone's SCADA network. But what you do with my tool is your own business. Okay.

If you're using f, you've got to use d, because now, in order to send a properly formatted packet, you have to have the right data to back up the function code that you sent. So basically, if you're going to switch the function, you'd better read the Modbus spec, because you're not going to get it right otherwise. It's, you know, not that hard, but the tool doesn't have a nice way of handling all that. I was not setting out to make a Modbus client tool. This is a scanner, and it's pretty basic. And of course we've got verbose and debug modes, which are mainly for me.

So, demo time. Put all this down. So as I said before, I have a little SCADA network that I put together in an Ubuntu virtual machine that we can run for the demo, because hardware was just impractical. This actually
uses a tool I have running in the background called ModSak, by a company called Wingpath out in the UK. So give them some props. Their tool is actually pretty nice, and I'm using it for the demo, and they were nice enough to help me out when this stopped working, like, yesterday. Oops. And make sure that my packet capture's running. Okay, we're good to go.

So let's take a look at the tool. Find my mouse. Okay, so to run the tool... there you go. Wow, that was awesome, right? If you run it with no options, it gives you all the options, just like every other tool in the world is supposed to do. Well, it works just like you'd expect it to. That's the same option list as we saw before, so I'm not going to go over it. ModScan in its most basic interpretation is you want to run it against a single host. So let's give that a try and hopefully everything will work. Yeah, it worked. Okay, so when you're running against a single host, I don't know if I can scroll that there if you can't see it. Now you'd probably be able to... can everyone read that? Is that a big enough font? Okay, so basically when we're running against one host it's not particularly interesting. It just starts the scan, and then when it finds the valid slave ID it tells you the IP address and the slave ID associated with it. Like I said, it's just a pretty basic mapping tool. That's really all I was going for. Running against one host is pretty uninteresting, so we can run it against multiple hosts using slash notation. Now this is going to take about 30 seconds to run. I'm doing a /26 because it takes, on average in my testing, about two minutes and nine seconds to do a whole class D, almost exactly every time. It's actually kind of cool, but that's a lot slower than I want to do for this talk. But it can do any IP address range you want to give it.
It'll just suck it up. So as you can see we're getting some results here. The first one we already saw: .21 has a slave ID of 8. But there are other devices sitting on this network. We've got one at .22 with a slave ID of 30, .25 with 7, etc., etc., etc. You can read the slide, maybe you can't, there you go. And then it tells you when the scan's done, which originally wasn't in there, but someone told me that, hey, I don't know when it's finished. It's okay, it's a good point. So pretty basic: when you're running it with no options, it will just sit there and scan the whole network and map everything out for you.

Now I said before that it has two basic modes of operation, the aggressive mode and standard mode. Well, as you can see here, on IP .25 we only have one slave ID come back, right? Well, we'll run this entire network again but do it in aggressive mode. Oops. Oh, okay, I'll just do the one IP there, never mind, I changed my demo, sorry. If we run against number 25, we actually see that there are four devices sitting behind that, so that's obviously a gateway, right? And that's really the difference between the two modes: this one went through and tried to enumerate every single slave ID, whereas the other one stopped at the first one.

So if you want to see it actually working, which, I don't know about you, but I hate tools that just sit there starting and give you absolutely no status.
Well, sometimes you're gonna have to do that; there's not a lot you can do with a command line tool. But if you want to see it working, you just put it in verbose mode, and it'll sit there and tell you, well, it failed to connect to all these IPs on port 502, etc., etc., etc., and it'll sit there and run, and you'll see in a couple of seconds here that it'll come up on one that's valid, and it gives you the same output as before; verbose mode just gives you this extra information.

So I mentioned too that my tool can support multiple function codes, and that can be important, because not every vendor supports the same stuff, right? Well, here's an example of that. We're gonna do function code four, so you just do an f 4. Okay. But like I said before, we have to push in our own data, because now the data that's in there by default won't work anymore. So the data has to be entered in Unicode-escaped hex. So we do this. Oh, I don't... thank you. This is why I should just use copy and paste, but I kind of wanted to explain this. That's better, thank you. 0-0-0-0 0-0-0-1. Okay, well, what does that mean? Okay, well, so for reading registers, basically what you do is you say the first two bytes are what address do we want to start at, in this case address zero, and then the next number is how many addresses do you want to read: one. Okay, nothing too special about that. Then we're going to just scan one of the devices, 16.21. Okay, I'm going to copy and paste it. As you can see, though, you have to know a little something about the protocol, and actually read the function code spec, to use it; otherwise it won't work. Right, and look, it looks just like the very first thing we did, except if we come over here to... lose my cursor.
Oh, there it is. Come over here and look at the function codes that we're running. We can actually pull up the query. Maybe I can't read that from over here, but that should say that it's running on function code four, but I can't actually see it from over here. So I lose for being the presenter and not being able to see the screen. But it should have come up and actually shown in the packet capture that, yeah, we were really using a different function code. So basically, yes, it works.

So okay, function four is not really all that interesting, but what happens if we use that diagnostic code, function code 8, and do this instead? Now, instead of just trying to read registers, it just went through and echoed data back. Well, something that's particularly interesting about function code 8 is that you can do stuff like the reset communications and stuff, and I basically just could have DoSed that as opposed to doing what I was doing. So I'm not going to, because it'll break my demo and then I won't be able to do the next thing. But as you can see, you can kind of use it as a client as well, which is just a nice little feature that I added. If you are trying to use it as a client, though, your debug mode becomes valuable, because when you run it with debug mode enabled, you actually get all of the... it just prints out all the actual raw packets that it got back, so you can actually go through and read and see what's going on and do all that kind of stuff, which, if you're doing testing, is actually really, really useful, but not something that absolutely everyone's going to want to use the tool with. Because remember, the tool's objective is to figure that out for you, and I did not feel like writing a full-fledged client. Would it be easy to modify the code to make that happen?
Yeah, but yeah, that's not what I was going for with this thing. Any other questions about the tool? Because I'm pretty much done with the demo part. Okay, so if I can find my presentation again.

So the thing that probably some of you were sitting here waiting for: where does the code live? It's going to live at modscan.googlecode.com as soon as, like I said, I get around to uploading it, on a Wi-Fi, probably when I get back to Caesars, because I'm not using the internet here. This is my good laptop. No, yeah.

So like I said, I kind of developed the tool to be a network enumeration scanning tool. Yes, there are lots of other things you could do with it; that's your business, like I said. It also would actually be useful for doing IDS testing. There actually are Modbus IDS, like Snort signatures out there, and I haven't actually done this, but it would be kind of interesting to run my tool against those and kind of see what happens. Another thing that you can use it for is asset management. Too many of my clients tell me that they don't really know all the gear they have and where it's all addressed and all that kind of stuff, which frankly scares me a little bit based on who those clients are, so, whatever. You could also use it as a really cheap way of issuing a whole lot of bulk commands in a very, very noisy way.

So what are the problems with ModScan? Like I said, this is a really alpha product. This is the first thing I ever wrote in Python in my entire life, so from a code perspective it sucks. It's also the first scanner I ever wrote, so from a scanning perspective it sucks, probably pretty bad too. It's not very effective. The port scanning parts of it are really noisy and not really efficient. Brute-forcing: I can't think of a better way to do it. Maybe one of you has a better theory on this, but it's the only way I could think of enumerating slave IDs. Another thing too is it doesn't interpret those error codes.
There are some conditions where, for example, if you're trying to read coil zero, right, and there is no coil zero... it's a safe assumption that coil zero exists, but if there is no coil zero, you'll get an error code in that error message that will tell you that, yes, you actually addressed me properly, but I don't have that particular device. So if it was actually interpreting the error codes, I could get a lot more; I could lower my false negative rate, which is something I'd like to do in the future.

In my enhancements, which is, like I said, interpret the error codes. I'd like to implement it in something like Scapy. Is anyone in the room familiar with Scapy? Anyone who can give me some good documentation for Scapy, come see me. Oh, it's you. Okay. Yes, talk to me, talk to me later, because I was not able to find any good documentation, nor figure it out in less than 10 minutes, and therefore that's about my attention span. So, moving on. Yeah, good. I can't hear a word you're saying. Funny you should mention that: the con gods decided that Fyodor would sit next to me at lunch on Wednesday and told me all about the fact that he now lets you write plugins for Nmap. So that's actually one of the things I might do in the future: implement an Nmap plugin that's basically a copy of ModScan. I don't want to just do it as a plugin, because the next thing I want to do is actually add different protocol support. So instead of just doing Modbus, do, like, DNP3 or some of the other SCADA protocols and kind of make it a little bit more of a robust scanner. Again, like, the base code for this tool I wrote in like four hours, so it's pretty basic.

Another thing I'd really like to do is fingerprinting. Is anyone here from, like, a SCADA vendor, or have a lot of assets or, like, a lab they want to let me borrow for a little while? Because the problem with writing a fingerprinting database is you have to actually, like, have the thing, which is expensive.
I mean, if anyone knows anything about SCADA, like, this gear is, like, in the millions of dollars, some of it, so, yeah. Yeah, I'm thinking my day job would probably really not get along with me if I did that, but yeah, I thought about that too. But also, you know, it's an open-source project. If anyone wants to help me write it, make it better, give me some suggestions, you know, please do contact me, especially if you have gear that I can test, because I would love to be able to do that and make it a much more robust tool.

So just quickly... actually, wow, I ran short for a change, go figure. I just wanted to put up my references and some thanks to Kathleen Whelan, Jim Kelly and Doug Wilson, who helped me put this presentation or tool together in various ways. And my contact misinformation is here. My blog is one little window.org; I actually share it with Doug Wilson, so you can hit us up there, send me an email, yeah, whatever.

So, any more questions? Because I actually have extra time. So the question was, is there any hope for a more secure protocol? And that's funny, because outside of the SCADA talk at DEF CON, or sorry, at Black Hat, we were having a conversation about how, like, we as an industry need to get together and start writing a better protocol and start mandating it. So the answer is no, but we'd like to see it go that way. So, anyone else? I can't even really see hands, so if anyone else has questions, just come see me, because I can't really see you at this point. I know, I'm sorry, I talked fast.
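An added worked example (editor's code, not ModScan's and not anything shown in the talk) of the two points the speaker makes above: Modbus/TCP frame construction for the function code 4 and function code 8 requests, and interpreting exception responses so that a unit answering "Illegal Data Address" still counts as present when enumerating slave IDs, while a gateway exception (0x0A/0x0B) does not. The `fake_gateway` function and its three units are constructed stand-ins for the example; the function codes, diagnostics sub-functions and exception codes are the public ones from the Modbus Application Protocol specification.

```python
"""Modbus/TCP frame construction and exception-code interpretation (added example).

An exception such as 0x02 Illegal Data Address is raised by the addressed unit
itself, so it proves that unit ID is alive. A scanner that interprets exceptions
instead of discarding them lowers its false-negative rate when enumerating IDs.
"""
import struct

# Public function codes (Modbus Application Protocol spec)
FC_READ_COILS = 0x01
FC_READ_INPUT_REGISTERS = 0x04
FC_DIAGNOSTICS = 0x08
# Diagnostics sub-functions mentioned in the talk
DIAG_RETURN_QUERY_DATA = 0x0000        # device echoes the request data back
DIAG_RESTART_COMMUNICATIONS = 0x0001   # restarts the device's comms (disruptive)

EXCEPTION_NAMES = {
    0x01: "Illegal Function", 0x02: "Illegal Data Address",
    0x03: "Illegal Data Value", 0x04: "Slave Device Failure",
    0x0A: "Gateway Path Unavailable", 0x0B: "Gateway Target Device Failed to Respond",
}
# Raised by a gateway on behalf of a target that never answered, not by the unit.
GATEWAY_EXCEPTIONS = {0x0A, 0x0B}


def mbap(transaction_id, unit_id, pdu):
    """Wrap a PDU in the MBAP header: transaction id, protocol id 0, length, unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_pdu(function_code, start, count):
    """Request PDU for FC 1/2/3/4: function code, start address, quantity."""
    return struct.pack(">BHH", function_code, start, count)


def diagnostics_pdu(sub_function, data=0x0000):
    """FC 8 request PDU: sub-function followed by one 16-bit data word."""
    return struct.pack(">BHH", FC_DIAGNOSTICS, sub_function, data)


def classify(request, response):
    """Describe what a response (or its absence) says about the addressed unit ID."""
    # Shortest valid reply is 9 bytes: 7-byte MBAP header, function code, exception code.
    if response is None or len(response) < 9:
        return {"unit_present": False, "exception": None, "reason": "no response"}
    txid, proto, length, unit = struct.unpack(">HHHB", response[:7])
    req_txid, _, _, req_unit = struct.unpack(">HHHB", request[:7])
    if proto != 0 or txid != req_txid or unit != req_unit or length != len(response) - 6:
        return {"unit_present": False, "exception": None, "reason": "malformed or mismatched"}
    fc = response[7]
    if fc & 0x80:  # exception reply: request function code | 0x80, then the exception code
        code = response[8]
        present = code not in GATEWAY_EXCEPTIONS  # unit-raised exceptions prove it is alive
        return {"unit_present": present, "exception": code,
                "reason": EXCEPTION_NAMES.get(code, "Unknown")}
    if fc != request[7]:
        return {"unit_present": False, "exception": None, "reason": "function code mismatch"}
    return {"unit_present": True, "exception": None, "reason": "normal response"}


def enumerate_units(send, unit_ids, transaction_id=1):
    """Probe each unit ID with FC 4 on input register 0; keep the ones shown to be alive.

    `send` takes a request ADU and returns the response ADU, or None on timeout."""
    found = {}
    for unit in unit_ids:
        request = mbap(transaction_id, unit, read_pdu(FC_READ_INPUT_REGISTERS, 0, 1))
        verdict = classify(request, send(request))
        if verdict["unit_present"]:
            found[unit] = verdict["reason"]
        transaction_id = (transaction_id + 1) & 0xFFFF
    return found


def fake_gateway(adu):
    """Constructed stand-in for a Modbus/TCP gateway with three serial units behind it."""
    txid, _, _, unit = struct.unpack(">HHHB", adu[:7])
    fc = adu[7]
    if unit == 1:   # unit with input registers: normal reply, byte count 2, value 0x1234
        return mbap(txid, unit, struct.pack(">BBH", fc, 2, 0x1234))
    if unit == 2:   # unit with no input registers: Illegal Data Address, but it is alive
        return mbap(txid, unit, struct.pack(">BB", fc | 0x80, 0x02))
    if unit == 3:   # serial target never answered: the gateway itself raises 0x0B
        return mbap(txid, unit, struct.pack(">BB", fc | 0x80, 0x0B))
    return None     # no such unit: the request times out


if __name__ == "__main__":
    print(mbap(1, 5, read_pdu(FC_READ_INPUT_REGISTERS, 0, 1)).hex())
    print(mbap(2, 5, diagnostics_pdu(DIAG_RETURN_QUERY_DATA, 0xBEEF)).hex())
    print(enumerate_units(fake_gateway, range(1, 6)))
```

Against a real gateway, `send` would be a socket write on TCP/502 followed by a read with a short timeout; the classification logic stays the same. Note that the echo sub-function 0x0000 is harmless, whereas sub-function 0x0001 restarts the device's communications and should not be sent to production gear.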
