07-gas_station_controller
Note imported from Inbox during bulk consolidation.
Gas Station Controller
MOSTLY: the process, methods and commands are similar, if not identical, to the previous sections. From here on we only introduce new material and just mention previously covered material with [p] (previously covered in the Pentest Platform).
ICS are found in gas stations as well.
The controller can be manipulated via telnet.
change mac address [p]
Start the Conpot simulator
Run conpot -f --template guardian_ast on the Ubuntu PLC VM, using the guardian_ast template.
Shodan [p]
- port 10001
Port 10001 - the device function code is I20100
Host Discovery [p]
- use netdiscover to discover hosts [p]
Service discovery with NMAP [p]
use nmap to scan all ports [p]
TCP port 10001 is open
AutoGas Systems also shows as the vendor linked to the MAC address
NMAP NSE
Let's search for scripts linked to AutoGas Systems using the atg wildcard.
find /usr/share/nmap -name 'atg*.nse'
returns
/usr/share/nmap/scripts/atg-info.nse
sudo nmap 10.1.0.11 -p 10001 --script atg-info.nse
This returns information from the target tank such as volume, water level, temperature, etc.
OSINT search - Google Dorks
Use I20100 "function code" filetype:pdf as a Google search.
Vendor Veeder-Root has the product TLS-350 Automatic Tank Gauge (ATG).
Google search for "ATG Exposed Public" and find a result from Eric Zhang.
In Eric's blog he shows how you can communicate with ATGs through telnet on port 10001.
This is how:
- Telnet into port 10001 of an ATG's IP
- Type ^A (Ctrl-A) followed by I20100
This gives the basic report of the ATG.
For the full list of function codes in the vendor manual see: ATG vendor manual
Examples:
|Function Code| Description|
|--|--|
|I20100|In-Tank Inventory Report|
|I20200|In-Tank Delivery Report|
|I20300|In-Tank Leak Detection Report|
|I20400|In-Tank Shift Inventory Report|
|I20500|In-Tank Status Report|
Check the other function codes under telnet in the same way, e.g.:
^A followed by I20500 for the In-Tank Status Report
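From the defender's side, the same framing (Ctrl-A, i.e. byte 0x01, followed by a six-character function code on TCP/10001) is easy to spot in captured client payloads. The following is an added example, not code from the course or from Conpot: it parses the framed command, looks the code up in the table above, and flags flows to port 10001 that carry such a command; the record layout and the sample flows are constructed for the example.

```python
import re

# Function codes copied from the table above (Veeder-Root TLS-350 inquiry commands).
ATG_FUNCTION_CODES = {
    "I20100": "In-Tank Inventory Report",
    "I20200": "In-Tank Delivery Report",
    "I20300": "In-Tank Leak Detection Report",
    "I20400": "In-Tank Shift Inventory Report",
    "I20500": "In-Tank Status Report",
}
ATG_PORT = 10001
# A command frame is SOH (0x01, what Ctrl-A sends over telnet) followed by the code.
_CMD_RE = re.compile(rb"\x01([A-Z]\d{5})")


def parse_atg_command(payload: bytes):
    """Return (code, description) for a Ctrl-A framed ATG command, else None."""
    m = _CMD_RE.search(payload)
    if not m:
        return None
    code = m.group(1).decode("ascii")
    return code, ATG_FUNCTION_CODES.get(code, "unknown function code")


def detect_atg_queries(records):
    """Flag flows to TCP/10001 whose client payload carries an ATG command.

    Each record is a dict with src, dst, dport and payload (bytes); this layout
    is assumed for the example, not the output format of any real capture tool.
    """
    alerts = []
    for rec in records:
        if rec["dport"] != ATG_PORT:
            continue
        parsed = parse_atg_command(rec["payload"])
        if parsed is None:
            continue
        code, desc = parsed
        alerts.append({
            "src": rec["src"], "dst": rec["dst"], "code": code, "description": desc,
            # codes outside the local table deserve a closer look by an analyst
            "severity": "info" if code in ATG_FUNCTION_CODES else "review",
        })
    return alerts


# Constructed sample flows: the telnet inventory query from the steps above, an
# HTTP request on another port, and a SOH-framed code that is not in the table.
SAMPLE_RECORDS = [
    {"src": "10.1.0.5", "dst": "10.1.0.11", "dport": 10001, "payload": b"\x01I20100\r\n"},
    {"src": "10.1.0.5", "dst": "10.1.0.11", "dport": 80, "payload": b"GET / HTTP/1.0\r\n"},
    {"src": "10.1.0.9", "dst": "10.1.0.11", "dport": 10001, "payload": b"\x01I20700\r\n"},
]

if __name__ == "__main__":
    for alert in detect_atg_queries(SAMPLE_RECORDS):
        print(alert)
```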
Next Section -> Modbus PLC Simulation