Alright. Welcome to our next talk here. I hope you guys had a little bit of a chance to head outside earlier today, because it looks like it's been raining for a little bit and our heat wave hopefully is broken. So hopefully the rest of the day is not going to be anywhere near as punishing as yesterday was. But our next talk is up here. We've got Rick Messier up here, who's going to be speaking about hacking around ICS/SCADA, so please welcome him to the stage.

Good afternoon. So this kind of started a few months ago. I had to set up some training around ICS, not something I had really done much of anything with before. So it was an interesting experience trying to figure out how I was going to do training around ICS and SCADA. So I put together this little talk. The idea here is to set you up so that if you had interest in playing around yourself and understanding a little bit more about how industrial control systems work and communicate, particularly over networks, you may be able to get up and running a little bit faster.

So if you're not familiar, industrial control systems are really about finding a way to manage physical systems in a digital way. So you've got manufacturing plants, power distribution and management facilities, chemical processing, a number of water treatment systems, for example; a number of physical plants require digital management. And so we've got industrial control systems. They've been around for quite a while. But they've also got a number of problems, including poor authentication, and when we get into looking at the protocol that is often used in these systems you'll see just how little security is actually embedded into it. And a lot of these systems were really never designed to be put in anything other than a room with an operator sitting in front of it.
So as a result, the companies that have implemented these often don't have anything along the lines of security policies, like maybe changing the default password or anything like that. Then all of a sudden they get this idea of, well, you know, we don't really want to walk into the room to manage these devices anymore. We want to sit at our desktop and keep managing them. So let's just plug them into the network, leaving the default password in place, which opens them up to remote attacks, particularly if somebody can get access to the desktop; then they can hop on to these other systems. Often there aren't updates; there's very little monitoring. They're also potentially fragile systems. They may be designed to perform a specific function, don't have high-power processors in place, so they may be really easy to attack over a network. They really weren't designed, often, with networks, and particularly open networks, in mind.

So one of the protocols that's used, kind of a de facto protocol for communicating with these industrial control systems; and one of the elements, particularly in an industrial control system, is a programmable logic controller. That's the device that connects directly to the endpoint within the entire industrial control system and manages the physical device, so maybe it's a valve, for example. You want to get a read from the valve, you talk to the programmable logic controller and get the value off that valve, or maybe you want to open and shut it, and so there's a different communication involved there. So Modbus came around in the 1970s. It was originally a serial communication protocol before we started trying to force it over networks. It's used to communicate with these programmable logic controllers. Now you can do Modbus over TCP/IP or Modbus over UDP.
When you are communicating with a programmable logic controller, what you're communicating with is a coil, which will hold a single bit, or you may be communicating with a register, which is 16 bits. And so there are read-only registers, like an input register; there's also a holding register, which is read-write; and you can see a discrete input is really just a read-only coil.

So a TCP/IP frame for Modbus includes the transaction ID, and we'll get a look at this in a moment when we look at the Wireshark decode of the Modbus packet. So we've got the transaction ID; the protocol identifier, and that would be zero for Modbus over TCP; the length field; the unit identifier, which is a single byte holding a slave address between zero and 255; and then a function code; and then whatever data may be associated with it. If you've asked for a value to be written out to a register, for example, you would pass the data along with it. So using Wireshark I pulled a Modbus packet. This is kind of what it looks like, and you can see the transaction identifier right there, the protocol identifier, which is zero because we're using TCP, the length, and then the unit identifier as well.

So, Modbus. Fortunately, Metasploit to the rescue. Metasploit actually includes several Modbus-related modules. A couple of them here that I'm going to take a look at with you shortly: modbusdetect, which is really just a scanner. You provide the remote network to the module and it goes off probing whatever port; the default port for Modbus is 502. It goes off probing for Modbus responses on whatever port you have indicated. As I said, if you don't set any port, it will just default to the well-known port value of 502.
So give it a network, let it go find all of the hosts that speak Modbus on that particular network. Once you have found one, now you can start playing with it. And this is one of the challenges, of course, with ICS/SCADA: we don't all have ICS/SCADA devices sitting in our basements and little workshop labs at home. So there is a bit of a problem with that, but there is fortunately a solution. But we do have modbusclient. If you do have access to, or you're doing any sort of testing where the network may have ICS systems on it that communicate over Modbus, you can use modbusclient to read and write values to the coils and registers. Saves you a lot of hassle.

So we've got, fortunately, as I said, a solution to the problem of "gee, I don't have an ICS/SCADA system but I want to work with one a little bit." Fortunately there is a Python module for this called pymodbus, and that's what we started using when we were trying to do emulation of Modbus and SCADA systems so that we could do a little bit of training around it. Now if you want to do any sort of testing and play around a little bit with manipulating coils and registers and communicating with it and seeing how Modbus works, you can use pymodbus. Fortunately, they've got a number of examples on their documentation site. I've pared down their server example here and stripped out all of the comments so you can see the specifics of how their server works. You can see it's very simple to write one. Really the bulk of this is just setting up the data store and then setting up identity values. You could leave off the identity values if you wanted. The data store just sets up a number of registers for you so that you've got a place to read and write values from, and then the real guts of it is just that last line, where you're starting up the TCP server to be able to communicate with. Now this one is set up to run on localhost. You can of course change that localhost value to run on whatever interface that you've got, but you
can see how easy this is. So now I've got an ICS, I'm sorry, a Modbus server on my network that I can communicate with. So let's take a look at how we might actually communicate with that. So what I've got here, I can make that a little bigger for you. So I started off here by just doing a scan of my local network. On my PC I've got one of these Modbus servers running in a virtual machine, and so I just scanned that network, and you can see at the bottom there that I came back with, I got a correct Modbus header, and it tells me the unit ID is one. So I can also find unit IDs, because every Modbus connection may have multiple unit IDs associated with it, and every unit ID may have a number of registers associated with it. So I can now use a different one; I can read it, having to type bent over here. Now I just set my RHOST here to be 10.37.129.3, make sure I haven't missed anything, and I can scan particular unit IDs here, anywhere from one to two hundred and fifty-four, or the default here is one to two hundred and fifty-four. I'm just going to run that. In this case the server I've got set up is going to respond across all of them, because that's just how it was configured to do, but you can identify different station IDs. Once you've found a host, now you can figure out what unit IDs it's going to respond with, and now we can go back and actually manipulate some values here. There are quite a few options associated with this one, including some that aren't shown here. In addition to the options here, I've got to tell it what I want to do, so there's an action associated with it. So the first thing I want to do is I'm going to set my data to be just the value that we're going to set, and then my data address where I'm going to store it, and we'll just say that's three. I'm going to set my RHOST, and I'm just going to leave the unit number where it is. As we saw earlier, it's going to respond across all of them, the server I've got here, so I could communicate with any unit number
that I wanted to. I should just be able to run this now. So now I have just set a value inside one of the registers, and in order to make sure that I get that and that I know that it was written, I can set my action to be read registers. And I'm missing something, because I didn't get the value back. Oh, right, thank you, I knew I was missing something. So it's write register, but read registers. Oh, you're right, okay, write register. Now run. Thank you. I can't, I can't see, bent over like this. Okay, there we go. I should have just written it out, right? You know, this worked about an hour ago when I did it. Oh, I didn't do that right. Right, right, right, right, there we go. Yeah, right, I was doing registers versus register. Okay, now I can set my action to be read. There we go. Anyway, so yeah, and that's my, that's just where I'm running the virtual machine with the server running on it.

So you can use pymodbus to run clients. I've written clients using pymodbus that do the reads and writes back. We did a little, just a simple script that pulled back all of the values within the server; it's just an emulation of a human-machine interface system. So if you want to play around with ICS/SCADA systems, pymodbus works pretty well. You can use that to emulate, and certainly, as I mentioned earlier, there's a lot of work to be done around securing these devices. There's generally no encryption, there's no authentication, you know, at the network level. If you send a request and you can get to that device, it's going to respond with the value. So if you want to do a little bit of work playing around with ICS/SCADA systems, this is one way to do it. Thanks. Any questions?

Yeah, there's, I think in terms of the number of devices that are connected to the network, you kind of have to pick up the news periodically to see that there are a lot of them. There was one a couple of years ago; there was an electric company in northern Vermont that they were concerned about because their desktop network had been infiltrated
and they had allowed their desktop network to get access. But it's, it's a big issue, with a lot of companies having to be better protected about their desktop network, because they are starting to plug these in and they're leaving default passwords on. It's kind of baffling.
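As an added illustration, not from the talk and not pymodbus or Metasploit code, here is a small Python encoder/decoder for the Modbus/TCP frame the speaker walked through in the Wireshark decode: the 7-byte MBAP header (transaction ID, protocol ID 0, length, unit ID) followed by the function code and its data. The function-code names are the standard Modbus ones; the transaction IDs, unit IDs, addresses and register values are constructed sample values, and the write flag and exception decoding are there because, as the talk notes, the protocol itself has no authentication with which to refuse a write.

```python
"""Encode and decode Modbus/TCP frames (MBAP header + PDU) as described in the talk."""
import struct
from dataclasses import dataclass

# Standard Modbus function codes (the demo used 3 and 6 through Metasploit's modbusclient).
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_CODES = {5, 6, 15, 16}


@dataclass
class ModbusTcpFrame:
    transaction_id: int   # echoed back by the server so replies can be matched to requests
    protocol_id: int      # always 0 for Modbus/TCP
    length: int           # number of bytes that follow: unit id + function code + data
    unit_id: int          # slave/station address, 0..255
    function_code: int
    data: bytes


def build_frame(transaction_id, unit_id, function_code, data=b""):
    """Prepend the 7-byte MBAP header to a PDU (function code + data)."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers_request(transaction_id, unit_id, address, count):
    return build_frame(transaction_id, unit_id, 3, struct.pack(">HH", address, count))


def write_single_register_request(transaction_id, unit_id, address, value):
    return build_frame(transaction_id, unit_id, 6, struct.pack(">HH", address, value))


def parse_frame(raw):
    """Decode one frame, rejecting the malformed cases a monitor should not trust."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", raw[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(raw) - 6:
        raise ValueError(f"length field {length} does not match {len(raw) - 6} trailing bytes")
    return ModbusTcpFrame(tid, pid, length, uid, fc, raw[8:])


def describe(frame):
    """One-line summary; writes are flagged since the protocol cannot refuse them on its own."""
    if frame.function_code & 0x80:   # exception response: request code with the high bit set
        return f"unit {frame.unit_id}: exception to fc {frame.function_code & 0x7F}, code {frame.data[0]}"
    name = FUNCTION_NAMES.get(frame.function_code, "unknown")
    kind = "WRITE" if frame.function_code in WRITE_CODES else "read"
    return f"unit {frame.unit_id} tid {frame.transaction_id}: fc {frame.function_code} {name} [{kind}]"
```

Feeding captured TCP payloads from port 502 through `parse_frame` and `describe` gives the same fields the Wireshark decode shows, with write requests called out for review.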