SCADA Hacking: Monitoring Tests of SCADA HoneyPot

In the previous article in the SCADA Hacking series, we built a sophisticated, low-interaction SCADA honeypot with conpot.

In this article, we will test the honeypot we built to see how it looks to someone trying to attack us. It is vital that our honeypot looks and acts like an authentic SCADA system if we want to entice attackers to attack it.


Let's use some SCADA hacking tools to check how our honeypot would look to an attacker.

Step #1 Scan with nmap

First, let's scan it with nmap from our Kali system. We use nmap with the -A switch to gather information about its services.

kali > nmap -A -Pn -p1-1000 192.168.181.186


As you can see in the screenshot above, nmap found port 80 open, and from its banner you can also identify the device as a Siemens SIMATIC S7-200, along with other details. It also found ports 102 (S7-200) and 502 (modbus) open, reported as tcpwrapped.

To find out whether any UDP port is open, or more specifically whether port 161 for SNMP is open, we can use the nmap script snmp-sysdescr with the following command,

kali > nmap -sU -p161 192.168.181.186 --script snmp-sysdescr


In this case, nmap found UDP port 161 open and identified the service as snmp.

Step #2 Scan with Metasploit on Honeypot

As you know, Metasploit has numerous auxiliary and exploit modules designed for SCADA systems. Let's take a look at some of them and test them against our honeypot.

First, let's use the modbusdetect module. This module is designed to determine whether modbus is running on the target.

To launch the module type,

kali > use auxiliary/scanner/scada/modbusdetect

Next, we need to set the IP address of the remote host (RHOST) and then type exploit.


As you can see above, the module recognized that modbus is running on the honeypot. So far so good. It looks like an authentic SCADA system.

Next, let's look at the modbus_findunitid module. This module is designed to enumerate the unit IDs in the SCADA system.

To launch it, type,

kali> use auxiliary/scanner/scada/modbus_findunitid

and then,

kali > show options


Note that we only need to set the RHOST for this scanner.

kali > set RHOST 192.168.181.185


When we type exploit, we see that this scanner starts listing the Station ID of every unit in the system.

Finally, let's use the modbusclient module to write data to a coil.

This module allows us to write data to the coils or registers of the modbus device. As you can imagine, this could wreak havoc on a SCADA system, as it could turn PLCs on or off or change their values.

kali > use auxiliary/scanner/scada/modbusclient


This module requires that we select the ACTION, WRITE_COIL or WRITE_REGISTER. In addition, we must set the UNIT_NUMBER (the unit ID) and finally the data we want to send to the coil or register. Since here we are writing to a coil, we can only choose 0 or 1 (off or on).

Finally, we type run.


As we can see in the screenshot above, we have successfully changed the data of the selected coil. As you can imagine, we could go through each coil and change its data.

As you can see, the conpot SCADA honeypot we built looks and reacts just like an authentic SCADA system!

Step #3 Monitor the Honeypot

Ideally, the honeypot should have some sort of intrusion detection or security monitoring system, such as Snort, Splunk, Suricata or another. Without one, we can still monitor activity through the standard Linux log files, such as:

  • /var/log/syslog – contains all system messages except those related to authentication. When I analyzed it, I found only its messages and those of thermald. Each line contains: date, hostname, program that produced the message, process ID, and log message.

  • /var/log/auth.log – contains system authorization information, including user logins via screen and login managers, sudo access requests, authentication for crontab, the policykit daemon, etc. This log is found on Debian-based Linux distributions, but some others use /var/log/secure instead.

  • /var/log/btmp – tracks failed login attempts. It is a binary file and can be read with the command last.

  • /var/log/dpkg.log and /var/log/yum.log – contain messages about installations or upgrades for the respective package managers.
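As an added example, not part of the original article or of conpot or Metasploit, here is a small Python decoder for the Modbus/TCP requests that the three modules above (modbusdetect, modbus_findunitid, modbusclient) send to port 502. It is also the kind of check a honeypot monitor from Step #3 can run over captured frames to flag coil and register writes and malformed traffic; the sample frames are constructed, not captured from this honeypot.

```python
import struct

# Function codes relevant to the modbus modules tested above
FUNCTIONS = {0x01: "Read Coils", 0x03: "Read Holding Registers",
             0x05: "Write Single Coil", 0x06: "Write Single Register"}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}   # single/multiple coil and register writes


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request (7-byte MBAP header + PDU)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:        # length field counts unit id + PDU
        raise ValueError("MBAP length %d does not match frame size" % length)
    fc = frame[7]
    info = {"transaction": tid, "unit": unit, "function": fc,
            "name": FUNCTIONS.get(fc, "Unknown"), "write": fc in WRITE_FUNCTIONS}
    body = frame[8:]
    if fc in (0x01, 0x03) and len(body) >= 4:            # reads: start address, quantity
        info["address"], info["count"] = struct.unpack(">HH", body[:4])
    elif fc in (0x05, 0x06) and len(body) >= 4:          # writes: address, value
        addr, val = struct.unpack(">HH", body[:4])
        info["address"] = addr
        # Write Single Coil encodes ON as 0xFF00 and OFF as 0x0000
        info["value"] = (1 if val == 0xFF00 else 0) if fc == 0x05 else val
    return info


def triage(frames):
    """Return one alert line per write request or malformed frame."""
    alerts = []
    for frame in frames:
        try:
            p = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append("MALFORMED %s" % err)
            continue
        if p["write"]:
            alerts.append("WRITE unit=%d %s addr=%d value=%d"
                          % (p["unit"], p["name"], p["address"], p["value"]))
    return alerts


# Constructed sample frames (not captured from the honeypot in this article)
SAMPLE_FRAMES = [
    bytes.fromhex("0001000000060103000a0002"),  # read 2 holding registers at 10, unit 1
    bytes.fromhex("00020000000601050001ff00"),  # write coil 1 ON, unit 1
    bytes.fromhex("000300000009010600010002"),  # bad MBAP length field
]
```

Running triage(SAMPLE_FRAMES) yields one WRITE alert for the coil write and one MALFORMED alert for the bad length; the read request produces no alert.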

Written by Anastasis Vasileiadis
