Thank you, Sean. I appreciate the introduction, and welcome, everybody. I haven't talked at DEF CON in a couple of years, and it's actually been a couple of months since I've talked for the ICS Village. I'm always appreciative that they keep inviting me back to talk about some of the things I've been working on and providing me with these opportunities, so I give back every chance I get. If this is your first ICS Village, please start to get involved. Reach out to them with some of your research and some of the information you have. Volunteer to talk as well. We want to hear from all of you, and I really appreciate it.

What I'm here to talk to you about today is scripts and tools to help your ICS InfoSec journey. This is just going to be a brief introduction to how to do some of these things, or at least how I approach automating some of my tasks and come up with the scripts I use to pull information from devices, whether it's for security research (as I'll keep pointing over here, the ICS Village provided me with a Schneider Electric Modicon M221 programmable logic controller, or PLC, to do some of my research on, and when I point down like that, that's what I'm talking about) or for going onsite to do a security assessment for somebody. Either way, I try to automate things as much as possible, and a lot of times I find that I'm doing it on the fly. So when Tom asked me to give a talk, I couldn't think of any research that I was doing, but I thought about this: helping people understand how I approach some of my tool development and automating some of my processes. That's what we're going to talk about.

Hi, I'm Don C. Weber, also known as Cutaway. I've been doing information security since 2002, when I got out of the Marine Corps and went back to school.
I have been fortunate enough to work on a lot of great teams, with a broad background in information security: forensics, incident response, penetration testing, security research. Right now I'm helping organizations within the industrial control arena evaluate their programs: doing security assessments within their control environments and reviewing the information security programs that protect those environments as well.

Some of the things we're going to be talking about, and actually building towards, are some of the tools I use during my assessments. You can see those at the Cutaway Security GitHub; you can see it listed here, and I'll highlight it. More specifically, we'll look at at least one script from the CutSec tools, some of the things I've developed to gather information. My goal is to help you, if you're just starting out, understand the thought process for coming up with something that you can automate. If you want to do some asset discovery, that's one of the tools we'll look at. If you're working in this arena and need to gather information about your assets, understanding the firmware of your devices and what version they're running, you can automate some of that information gathering, store it off, and make that process repeatable.

So that's what we're going to do. We're going to talk about some of the concepts around information gathering and developing a script out of it. We'll develop a script real quick. We'll talk about some device interactions; I'm not sure, it depends on how fast we go. We'll talk about network analysis. And then we'll look at one of the scripts from the CutSec tools. All right, I'm going to go pretty fast because I'm covering only about 25 minutes and we've got a lot of things to cover. So the first thing I want to do is open up a terminal. I'm using Kali, as you can see here. It's a little bit older version, but it will do for what we're working on.
When I get onto a network, whether it's going to converse with a specific device's management interface or it's a device out in my client's environment, if I'm on the network, I need to understand how my network devices are configured. So I'm going to run ip addr. As we can see, I actually want to remove that IP address. So let's go ahead; I believe it's ip addr del. I'm going to start my analysis without having an IP address on my interface.

Okay, I've got two interfaces here. This is a virtual machine, so I've got eth0, which is bridged with my host operating system. That would be connected, possibly, to the internet, and I don't want to connect my client's networks to that. So I usually go with a USB interface as well, and that's what eth1 is: I've got a USB interface attached to this. It's not going to my regular operating system, I can't bridge it to another network; it can only operate on this network. So that's where I start.

Then, whenever I plug into a device like the PLC I have here, I have to understand what the management interface is looking for. I need to understand what subnet it's on. Now, I can go through the vendor documentation, and that is one way to discover it. Another way is to actually query for the information, because our operators and our engineers can change the configuration of those devices and those management interfaces. They might have done something to keep it from us, and that's what we're going to see here.

So when I connect to a device or to a subnet, the first thing I do (let's call that up real quick) is start Wireshark and just start sniffing on the network. I'm connected directly to a device, so this isn't broadcasting anything. I might start it and stop it, see if that changes.
If I were on a regular network, we would see things like Address Resolution Protocol (ARP) requests. We're going to see broadcasts, whether it's Ethernet or some type of industrial control protocol like BACnet; we're going to see multiple devices communicating over broadcast messages for that protocol. So I would listen to that to see if I can glean information and understand the IP addresses and the types of devices that are out there. In this case, we don't have that, so we have to do that discovery ourselves. Let's go ahead and close that.

In this case, what I want to do is use arp-scan. I need to run it as an administrator. I'm going to run the arp-scan tool, I need to tell it which interface I want it to go out on, which is our eth1, and then I want to tell it which subnet to look for. So I want to identify all of the devices, the endpoints: I need to ask them for their hardware addresses for this subnet. When I run this command, we can see that it starts by putting out a warning because I don't have an IP address on my own interface. It tells me information about my interface, but it also says that there were no responses to the ARP requests. In other words, this tool sent a bunch of ARP requests for that subnet, but nothing returned. Well, that's because the device has been configured with a different subnet. When I run it with the 192.168.0 subnet, we can see that something responds. In this case, this is the PLC. It's been assigned the .21 IP address. The hardware address for its interface is this right here, and then we can see the manufacturer for that interface as well.

Okay, this is how I start my assessments. Now, as I mentioned, the process engineers didn't have to keep the default. This looks like a default address, but they could have changed it. This very easily could be in 192.168.50 or .100, and doing this by hand is really slow.
In other words, I wouldn't have been able to find that myself. I could tab up and keep doing this by hand, but I want to automate this process. The way we do that is, first, we need to start by getting rid of some of that extra information. We had that warning message; we also had the information about our interface. We don't need all of that. I've got all that documented now. So what I want to do is leverage my terminal and some of the things it is capable of. I want to redirect the warnings: file handle 2, I can redirect that into /dev/null, which is like the trash can. I can also search for the lines that have the information that I expect. So I should have the information about the subnet; change that to zero and hit enter. Now this is going to run. Notice I didn't get any warnings or any other information; I have nice clean output. If there is no information coming back, like with the .1 subnet, there's absolutely nothing coming back. So now I have nice clean output.

Now, remember, I want to automate this. If I don't know the actual subnet, if I wasn't lucky with the first two, then I want to come up with a way to enumerate through all of the subnets. And we do that by looping through things. So this is just a command right here, leveraging a for loop: for i, where i is going to be the variable that we keep information in, and we're going to give it a list of numbers, zero through five. Then we're going to leverage $i, and our shell, in this case zsh, is going to replace every $i with a number. This is just the syntax for enumerating through 0 1 2 3 4 5. I could go up to 254, because that would be the max number of subnets, and that's what I want to do, but we're only going to do five here for speed. Okay, and then you can see we have our arp-scan here.
And this is the command we just talked about. I include the echo here because we need a way to know that our command is still running, because a lot of times, if we don't have output, some of our output might not happen, and if we don't have something to display, then we might think it's frozen when sometimes it just takes a lot of time to get a response. As you can see here, I have nice clean output. I can redirect that into a file, and I've collected some good information about this environment. I've created a repeatable process. I can copy and paste the command and keep it in a text document like this, and that way I always ensure that I run this command the same way every time.

Okay, and that's great, but I still want to automate it a little bit further. I want to actually come up with some type of script, and that's what we have here. I've already put everything in the arp-scan script, so if I cat this out, we'll see that I've just created a script with the command line that we just had. It's best if we tell it which shell to run in. Our for loop here iterates from zero to five, then our echo. This time we want to tell it specifically where our program is; we don't want to just put arp-scan in our script, because now our script is going to check our path, and if we have issues with our path, it's going to break our script. We don't want that. So really all I did when I was writing this was a which arp-scan, which tells me where the program is actually located, and I just put that in there. Now, to run this command, we have to make it executable. But when we run this command, now we can see that output, and that's not what I expected. What did I mess up here? It should have run correctly. Oops.
Oh, I didn't include sudo in there, and we definitely don't want to include sudo in the script; we want to run it with sudo. Failure is a great tool. Whenever I'm on site, whenever I'm doing research, there are a lot of times when I do this and I don't get the results back that I expected. There could be a reason: either I made a mistake in my script, made a mistake in my command line, or I forgot to run it as administrator, and we can see that here. I made a mistake in my script. Everything ran fine, but because I had sent the error message to /dev/null, I didn't see that result. Okay, so running with sudo we can see that now we have the output we expect to find, and that's great; this is exactly what we want. Now we have a repeatable process. From there, I can just save that out. Actually, after this I should go in and store that in the CutSec tools, so hopefully I'll remember to do that after we're done here.

From there, that's when I want to assign myself, or my interface, an address on this network. Remember, we don't have an address on this network. Let's go ahead and go back. I'm just going to scroll up so I write the command correctly. So let's add an IP address to our interface: sudo ip addr add. We want to be on the zero subnet, so let's give ourselves a .2. We run ip addr again, and we can see now we have an address on there. From there we can start looking at that device. Okay, and in this case I want to understand the services that are running on the PLC. I would expect that it has management interfaces, potentially a web server, usually an FTP server, but there's always some type of service running on there.
So what I'm going to do is run nmap. We have to be careful with these devices, because they're not like our Windows or Linux operating systems; they don't handle unusual connections well, and nmap does make unusual connections to see how the endpoint responds. So we're going to format our nmap command to make it safe for the device. As we can see, I do want to run it as an administrator, and that will help with the output. We don't want to ping the device, so don't worry about whether it responds to pings. Don't resolve: the -n is don't resolve, for both the port numbers and the endpoints. The -sT will be a full TCP handshake; it will establish the connection and tear it down. Some devices, if you just do a SYN scan, will hang, and nothing else can connect to them until they actually get a teardown packet for that connection, and that could have a negative impact on the functionality of that device. Then we're not going to look at all of the top 1000 ports; we're only going to look for ports that are associated with some of the management interfaces we expect. We want to start small, and we might scale up, but let's start small.

So let's go ahead and do a scan of this right now. As you can see, it ran. We didn't need to throttle this; it went through and searched all of those ports, and now we can see that it only has one service running. Okay, and I actually like this: it doesn't have an FTP server on it to serve up the configuration files. The only real way to communicate with these types of devices is with Modbus, and it's proprietary Modbus associated with Modicon, and that is what allows the remote configuration and management of these devices. So I actually would have to click over to my Windows system and run that Schneider Electric software to interact with this.
But certainly now we could start interacting with the Modbus on this device. I'm not going to get into that; you can go out and find some of that and learn how to interact with Modbus. We've got some videos out there on the SANS ICS Concepts YouTube playlist, so if you just search for SANS ICS Concepts, it should come up with the videos. There are three videos on Modbus: enumeration, analysis, and man-in-the-middle attacks. So you can go out there and check that out.

Now I want to talk about more scripting and information gathering. I didn't realize how long I would have. I wanted to talk a lot more about some of the things I do associated with information discovery with Wireshark, so let's go through that real quick. I want to open this up. I've gone out to the ControlThings website, and there's a repository, the CT samples, where you can download some pcaps of different protocols, and that's what I've done: I've looked in the combined folder and downloaded the plant one pcap. As you can see here, this is just a pcap with a lot of different industrial control protocols, and what I can do here is search for things like Modbus traffic. Okay, this display filter will filter out all of the different things you can find within this that are associated with the Modbus protocol. How I script this is I'll start my analysis here, and then I'll start doing things like searching on destination port. So I'll right-click on destination port and say Prepare as Filter, Selected, and then I'll just search for everything that has destination port 502.
And we can see that this finds all of the queries. So this is just the queries: the client requesting information from a device. I know that this is a good filter, and then I can take this filter and automate some tshark commands. I can go and locate the actual pcap and run it on the command line. Oops, let me copy it over; it's a long one. I can run tshark, and now I can set up a filter that will search on Modbus, just on destination port 502, so just the requests, like we saw in Wireshark. Then I can tell it to only spit out two fields: I want the IP source and the IP destination. Okay, and then sort that information, and sort it so that you remove all of the extra occurrences and only provide me with unique results; that's the sort -u. As we can see here, we've got a Modbus client, which is a single server querying a whole bunch of different devices. And what I do is take this command and copy it out and maintain it so that I can repeat this command; I don't have to look this up every single time. While Modbus might be relatively easy, some of the other industrial protocols get a little bit more complex for information gathering like this, and so this is just a valuable way to do that.

I'll take all of this information and all of these techniques, and what I'll do is create scripts. So let's go ahead and look in the Cutaway Security tools ICS directory. I've created some discover-asset scripts. If we look at this (let me make this a little bit bigger), we can see that I've taken Python and created a Python script that leverages a Python Modbus module. I've configured it so that it will iterate over any subnet that I provide, and that's what we have here. So we've got a range, which is a list of subnets.
Okay, I've got some specific devices that I've gone out and pulled research from the internet on and looked up their Modbus maps. Actually, that's what I was showing you up here. So I went out; this is an example of a GE device, a D60 line distance relay. I went out and gathered the instruction manual, and I'll search the instruction manual for the Modbus map. With the Modbus map for these devices, if you interact with this GE device, you can pull things like the serial number, the manufacturer, the modification number, the Ethernet MAC address. All of this information is stored in specific locations within the Modbus memory. And then you can take that information and generate a script. As you can see, I've gone through and looked at the memory mappings of several of these GE devices. I've come up with ways to query, get the GE firmware, and it will go out and retrieve that information, bring it back to me, and print all of this information out, and I can redirect it into a file. This is one of the ways I assist some of my clients with doing asset discovery within their environment. I did all of this by doing this research, by interacting with the devices on the command line first, figuring out the important information to grab, doing additional research, and then finding ways to script this up so that it's a repeatable process.

And that's all I wanted to show you. Once again, I appreciate everybody coming out, and I hope that you have a great DEF CON experience, whether you're in person or remote. Have a great day, be safe, take care, and we will talk to everybody soon.
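As an added example, not part of the talk and not the speaker's script or the CutSec tools: the mechanics an asset-discovery script like the one described above depends on, written in Python with the standard library only. It encodes a Modbus/TCP Read Holding Registers (function 3) request, validates and decodes the reply (including the exception-response case), turns register words back into the ASCII string a vendor map says lives there, and expands a list of subnets into targets. The register map, field names, sample serial number and firmware string are hypothetical placeholders constructed for the example, not the GE D60 map; real offsets come from the vendor instruction manual. The constructed `simulate_device` stands in for a real device so the round trip runs offline.

```python
"""Modbus/TCP asset-discovery helpers (added example, not the speaker's script).
Register addresses and field names are HYPOTHETICAL placeholders, not the GE
D60 map; take real offsets from the vendor instruction manual."""
import ipaddress
import socket
import struct

READ_HOLDING_REGISTERS = 0x03
# HYPOTHETICAL map: field -> (start register, register count).
HYPOTHETICAL_MAP = {"serial_number": (0x0000, 8), "firmware_version": (0x0008, 4)}


class ModbusException(Exception):
    """The device answered with an exception response (function code | 0x80)."""

    def __init__(self, code):
        super().__init__(f"Modbus exception code 0x{code:02x}")
        self.code = code


def build_read_holding_request(unit_id, start_addr, count, transaction_id=1):
    """MBAP header (transaction id, protocol 0, length, unit id) + function-3 PDU."""
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, start_addr, count)
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_holding_response(frame, expected_tid=None):
    """Return the 16-bit register values from a function-3 reply."""
    # Every id and length is checked before use, so a misbehaving device (or
    # something in the path) cannot make the scanner misread or crash.
    if len(frame) < 9:
        raise ValueError("frame too short for a Modbus/TCP response")
    tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    if expected_tid is not None and tid != expected_tid:
        raise ValueError("transaction id mismatch")
    fc, byte_count, data = frame[7], frame[8], frame[9:]
    if fc == READ_HOLDING_REGISTERS | 0x80:
        raise ModbusException(byte_count)  # second byte carries the exception code
    if fc != READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code {fc:#x}")
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{byte_count // 2}H", data))


def registers_to_ascii(regs):
    """Vendor maps commonly store strings as two ASCII characters per register."""
    raw = b"".join(struct.pack(">H", r) for r in regs)
    return raw.rstrip(b"\x00").decode("ascii", errors="replace").strip()


def ascii_to_registers(text, count):
    """Inverse of registers_to_ascii; used only to build the constructed bank."""
    raw = text.encode("ascii").ljust(count * 2, b"\x00")[: count * 2]
    return list(struct.unpack(f">{count}H", raw))


def targets_from_ranges(ranges):
    """Expand a list of CIDR subnets into the host addresses to query."""
    for cidr in ranges:
        for host in ipaddress.ip_network(cidr, strict=False).hosts():
            yield str(host)


def simulate_device(request, bank):
    """Constructed fake device: serves function 3 from `bank` (address -> value),
    answers anything else with exception 0x02 (illegal data address)."""
    tid, _, _, unit = struct.unpack(">HHHB", request[:7])
    fc, start, count = struct.unpack(">BHH", request[7:12])
    addrs = range(start, start + count)
    if fc != READ_HOLDING_REGISTERS or any(a not in bank for a in addrs):
        pdu = struct.pack(">BB", fc | 0x80, 0x02)
    else:
        pdu = struct.pack(f">BB{count}H", fc, count * 2, *(bank[a] for a in addrs))
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_fields(send, unit_id=1, reg_map=HYPOTHETICAL_MAP):
    """Read every mapped field through `send(request) -> reply`, one tid per read."""
    fields = {}
    for tid, (name, (start, count)) in enumerate(reg_map.items(), start=1):
        reply = send(build_read_holding_request(unit_id, start, count, tid))
        fields[name] = registers_to_ascii(parse_read_holding_response(reply, tid))
    return fields


def query_device(ip, port=502, unit_id=1, timeout=2.0):
    """Live version: one TCP session per device, sequential reads, short timeout."""
    def recv_exact(sock, n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("device closed the connection mid-frame")
            buf += chunk
        return buf

    with socket.create_connection((ip, port), timeout=timeout) as sock:
        def send(request):
            sock.sendall(request)
            header = recv_exact(sock, 7)  # MBAP first, then exactly what it announces
            return header + recv_exact(sock, struct.unpack(">H", header[4:6])[0] - 1)
        return read_fields(send, unit_id)


if __name__ == "__main__":
    # Constructed register bank standing in for a device on the bench.
    bank = dict(enumerate(ascii_to_registers("SN-EXAMPLE-0001", 8) + ascii_to_registers("7.4x", 4)))
    print(read_fields(lambda request: simulate_device(request, bank)))
```

The live `query_device` follows the same caution the talk applies to nmap: one TCP session per device, sequential reads with a short timeout, and every length field in the reply checked before it is trusted, so a device that answers oddly cannot hang or confuse the scanner. Running the file directly prints the offline round trip against the constructed bank; swapping `simulate_device` for `query_device` over `targets_from_ranges(...)` is the shape of a subnet-iterating discovery run.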