In the previous article in the SCADA Hacking series, we built a sophisticated, low-interaction SCADA honeypot with the conpot.
In this article, we will test the Honeypot we built to see how it looks to someone trying to attack us. It is vital that our HoneyPot looks and acts like an authentic SCADA system if we want to entice attackers to attack the honeypot we built.
Let's use some SCADA hacking/pentesting tools to check how our honeypot would look to an attacker.
Step #1 Scan with nmap
First, let's scan it with nmap. We run Kali. Next, let's use nmap with the -A switch to gather information about its services.
kali> Nmap -A -Pn -p1-1000 192.168.181.186
As you can see in the screenshot above, nmap found port 80 open, but you can also detect the Siemens SIMATIC S7-200 and with other orders. He also found them open tcpwrapped ports 102(S7-200) and 502 (modbus).
To find out if any port UDP is open or more specifically port 161 for the SMNP, we can use an nmap script, the snmp-sysdescr, giving the following command,
kali > Nmap -sU - p161 192.168.181.186 – script snmp-sysdescr
In this case, he found the port UDP 161 open and recognized her as snmp.
Step #2 Scan with Metasploit on Honeypot
As you know, in Metasploit there are numerous utility exploit modules designed for SCADA systems. Let's take a look at some of them and test them in our Honeypot.
First, let's use the modbusdetect module. This module designed to determine if modbus is running on the target.
To launch the module type,
kali > use auxiliary/scanner/scada/modbusdetect
Next, we need to set the IP address of the remote host (RHOST) and then exploit it.
As you can see above, the scanner recognized that modbus is running on Honeypot. So far so good. It looks like an authentic SCADA system.
Next, let's look at the unit modbus_findclientid. This section is designed to list the customer IDs in the SCADA system.
To launch it, type,
kali> use auxiliary/scanner/scada/modbus_findunitid
kali> Show options
Note that we only need to set the RHOST for this scanner.
kali > set RHOST 192.168.181.185
When we type exploit, we see that this scanner will start listing the stationID every customer in the system.
Finally, let's use it modbus client module to write data to a coil.
This module will allow us to write data to the coils or registers of the modbus client. As you can imagine, this could wreak havoc on a SCADA system as it could turn PLCs on or off or change their operation.
kali > use auxiliary/scanner/scad/modbusclient
This section requires that we select the ACTION WRITE_COIL ή WRITE REGISTER. In addition, we must choose the UNIT_NUMBER (the client ID) and finally, the data we want to send to the coil or register. Since here we will send data to the coil, we can only choose 0 or 1 (off or on).
Finally, we type run.
As we can see in the screenshot above, we have successfully changed the data to the selected one coil. As you can imagine, we can go through each coil and change its data.
As you can see, the conpot SCADA honeypot we built looks and reacts just like an authentic SCADA system!
Step #3 Monitor the Honeypot
Ideally, the honeypot should have some sort of intrusion/security monitoring system, such as Snort the Splunk the Suricata or other. Without them, we can still monitor the activities through standard Linux monitoring tools like,
/ var / log / syslog – contains all messages except those related to authentication. Analyzing, I found only kernel and thermald messages. Each line contains: date, hostname, program that produced the message, process ID, and log message.
/var/log/auth.log – contains system authorization information, including user logins via screen and login managers, sudo access requests, authentication mechanism for crontab, system daemon policykit, etc. This log is found on Debian Linux distributions, but some others use it / var / log / secure Instead.
/var/log/btmp – tracks failed login attempts. It is a binary file and can be read with the command last.
/var/log/dpkg.log in the upcoming years, while /var/log/yum.log – contain messages about installations or upgrades for various package managers