ICS Pentest Course Notes_DNU

Note imported from Inbox during bulk consolidation.

ICS Pentest Course Notes

OSINT

Google Dorks / Hacking

Shodan

Find and scan public IP address ranges with Shodan

  • ipinfo - look up 85.26.250.216 and take the asn-route (the announced prefix)

then search Shodan with net:<ip/cidr> using that prefix

Hunt for vulns with CISA

  • Google "cisa ics cert" to find the CISA ICS advisories page

Setup your ICS Lab

  1. Install VirtualBox
  2. Create an Ubuntu Server 22.04 VM, then install the following in it:
  • python3 -> sudo apt install python3
  • pip3 -> sudo apt install python3-pip
  • honeypots -> sudo pip install honeypots
  • conpot -> pip install conpot
  • snap7 -> sudo pip install python-snap7
  • install firewall -> sudo apt install ufw
  • disable firewall -> sudo ufw disable
  • install nano -> sudo apt install nano
  • add to path:
    • sudo nano ~/.profile
    • add to bottom of file: PATH="$HOME/.local/bin:$PATH"
  3. Download and install a Kali Linux VM, then install the following software in it:
  • plcscan -> sudo git clone https://github.com/meeas/plcscan.git
  • ICSSecurityScripts -> sudo git clone https://github.com/tijldeneut/ICSSecurityScripts.git
  • NMAP scripts from RedPoint -> sudo git clone https://github.com/digitalbond/Redpoint.git
  • install modbus cli ->
    sudo gem install modbus-cli . Test with modbus --help
  • copy the RedPoint nmap scripts to the nmap scripts folder /usr/share/nmap/scripts. Needs root access.
  • download and install ModbusPal from https://sourceforge.net/projects/modbuspal/files/modbuspal/RC%20version%201.6b/

Pentest Platform overview

  • change the MAC address of the Ubuntu VM so that its first 6 characters are 00000B

  • on the Ubuntu PLC VM start the honeypot with:
    sudo python3 -m honeypots --setup telnet,http,smb,vnc,snmp

  • on the Kali VM open a terminal

netdiscover

  • scan network with:
    sudo netdiscover -r 10.1.0.0/24

NMAP fingerprinting

After finding the hosts, we can discover ports:

  • sudo nmap -Pn 10.1.0.100 -sU -F -> fast scan of the most common UDP ports
  • sudo nmap -Pn 10.1.0.100 -p 161 -> a specific port (here SNMP)
  • sudo nmap -Pn 10.1.0.100 -p 1-65535 -> all TCP ports

Enumerate with snmp-check

snmp-check 10.1.0.100

Metasploit: the Pentester's Toolkit

THE toolkit for Pentesting.

Start Metasploit with:
sudo msfconsole

Then in Metasploit use:
set (sets an option for the current module) and setg (sets it globally, so it persists across modules)

Module commands:

  • search
  • use
  • info
  • options

example:

  • search modbus -> returns all the modules that can be used
  • use 6 -> pick a module by its number in the search results (here the modbusclient)
  • info -> get info on the module in use
  • set RHOSTS 10.1.0.11 -> set the remote host (the Modbus device)

Open Source Tools

plcscan

  • navigate with cd to the plcscan folder
  • my plcscan folder is in ~/gits/plcscan
  • sudo python2 plcscan.py 10.1.0.11

ICS Security Scripts

  • navigate with cd to the ICSSecurityScripts folder
  • my ICSSecurityScripts folder is in ~/gits/ICSSecurityScripts
  • sudo python3 SiemensScan.py

modbus

modbus [OPTIONS] SUBCOMMAND [ARG] -> subcommands include read, write, dump
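For reference, the bytes behind the read subcommand (function 0x03, Read Holding Registers), as an added Python example that is not from the course or from the modbus-cli gem; the reply frames are constructed to look like ModbusPal answers, and the function names are my own.

```python
# Added example (not part of the course notes): builds the Modbus/TCP request that
# `modbus read` sends for holding registers and parses the reply, using only the
# standard library. The reply bytes below are constructed, not captured from a PLC.
import struct

def build_read_holding_registers(transaction_id: int, unit_id: int, start_addr: int, count: int) -> bytes:
    """Encode an MBAP header + PDU for function 0x03 (Read Holding Registers)."""
    if not 1 <= count <= 125:
        raise ValueError("Modbus allows at most 125 registers per read")
    pdu = struct.pack(">BHH", 0x03, start_addr, count)
    # MBAP: transaction id, protocol id (0 = Modbus), remaining length, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_read_holding_registers(frame: bytes) -> dict:
    """Decode a response frame; returns the registers or the exception code."""
    if len(frame) < 9:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    func = frame[7]
    if func & 0x80:  # exception response: original function code with the high bit set
        return {"tid": tid, "unit": unit, "function": func & 0x7F,
                "exception": frame[8], "registers": []}
    if func != 0x03:
        raise ValueError(f"unexpected function code {func:#x}")
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("byte count does not match payload")
    regs = list(struct.unpack(f">{byte_count // 2}H", data))
    return {"tid": tid, "unit": unit, "function": func, "exception": None, "registers": regs}

# Constructed sample traffic, as ModbusPal would answer a `modbus read` of two registers.
REQUEST = build_read_holding_registers(transaction_id=1, unit_id=1, start_addr=0, count=2)
GOOD_REPLY = bytes.fromhex("0001 0000 0007 01 03 04 0010 0020".replace(" ", ""))
# Exception reply: function 0x83, exception code 0x02 (Illegal Data Address)
EXC_REPLY = bytes.fromhex("000100000003018302")

if __name__ == "__main__":
    print(REQUEST.hex())
    print(parse_read_holding_registers(GOOD_REPLY))
    print(parse_read_holding_registers(EXC_REPLY))
```

Seeing the frame layout makes it clear why Modbus/TCP has no authentication field: anything on the network that can reach port 502 can issue the same request, which is what the honeypot on the Ubuntu VM is there to observe.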

Themes