
Pentesting Industrial Control Systems

By: Paul Smith

Overview of this book

The industrial cybersecurity domain has grown significantly in recent years. To completely secure critical infrastructure, red teams must be employed to continuously test and exploit the security integrity of a company's people, processes, and products. This is a unique pentesting book, which takes a different approach by helping you gain hands-on experience with equipment that you’ll come across in the field. This will enable you to understand how industrial equipment interacts and operates within an operational environment. You'll start by getting to grips with the basics of industrial processes, and then see how to create and break the process, along with gathering open-source intel to create a threat landscape for your potential customer. As you advance, you'll find out how to install and utilize offensive techniques used by professional hackers. Throughout the book, you'll explore industrial equipment, port and service discovery, pivoting, and much more, before finally launching attacks against systems in an industrial network. By the end of this penetration testing book, you'll not only understand how to analyze and navigate the intricacies of an industrial control system (ICS), but you'll also have developed essential offensive and defensive skills to proactively protect industrial networks from modern cyberattacks.

Routing and rules

When it comes to setting up our virtual lab network, we want to try to mimic real-world segmentation strategies. With that being said, it is hard to talk about OT networking without at least commenting on the Purdue model. This model has been used as a reference by almost all industries as a baseline for segmenting the network into levels. The levels are as follows:

  • Level 5: Enterprise
  • Level 4: Site Business Systems
  • Level 3: Operations and Control
  • Level 2: Localized Control
  • Level 1: Process
  • Level 0: I/O

So, true to form, we will take the same approach in our lab. We will start by placing the Virtual PLC into Level 1, the SCADA VM into Level 2, the Windows 7 Engineering Workstation into Level 3, and finally our Kali Linux attack host into Level 5. We will need to log into ESXi and click on Networking. This will bring up a screen showing multiple tabs related to the networking infrastructure of ESXi, as shown here:

Figure 1.29 – Networking dashboard

We will create a new switch on the Virtual switches tab. Start by filling in the vSwitch Name field and change Link discovery Mode to Both, as shown in the following screenshot. This allows details about the physical and virtual switches to be published and made available:

Figure 1.30 – Configuring the virtual switch

We will go back and change Promiscuous mode in Chapter 5, Span Me If You Can, when we discuss Intrusion Detection Systems (IDS). Once completed, you should see your new virtual switch.

Next, we want to move on to the Port groups tab. From here, we want to click Add port group, which will bring up a modal where we can set a Name and VLAN and associate the port group with a virtual switch. For port security, we are going to default to inheriting the security settings from vSwitch1, which we created in the previous step. All these details can be seen in the following screenshot:

Figure 1.31 – Port group configuration

Now, we want to complete the process by adding the remaining networks:

  • Enterprise
  • Site Business systems
  • Operations & Control
  • Localized Control

Once completed, you will see the port groups associated with the dedicated switches. Note that there are many ways to complete segmentation and adhere to the Purdue model:

Figure 1.32 – Port Groups dashboard

As you can see, we still have all our VMs associated with the VM network. The next step will be to move the VMs into their own individual segments and manually set their IP addresses and ranges. We will start with the PLC VM, so we need to select Virtual Machines from the navigator bar and then click on PLC VM. Click the Edit button; this will take you to the following page:

Figure 1.33 – Port Groups selection

We want to switch our Network Adapter from VM Network to Level 1: Process and then click Save. Next, we want to manually set the IP address for the PLC. So, we need to open the console, log into the PLC, and navigate to Network settings.

You will see the following page:

Figure 1.34 – Network settings

From here, we can click the Wired Settings option. Then, a pop-up window will appear. Next, you want to select the gear icon, which is located next to the purple slider, as shown in the following screenshot:

Figure 1.35 – Wired network interface

At this point, we should take a moment to discuss our IP address scheme.

Here, we will break each network segment into a dedicated IP range, as shown in the following table:

Now, we can pre-assign IP addresses to the VMs that we have built out.

We will assign the following IP addresses:

  • PLC: 192.168.1.10
  • SCADA: 192.168.2.10
  • Workstation: 192.168.3.10
  • Kali: 172.16.0.10

We can check our machines to make sure that the IP addresses have taken effect by running the ip addr command on the Linux-based distros, similar to what's shown in the following screenshot:

Figure 1.36 – Checking the network address

From here, select IPv4 and then choose the Manual option. The option to set the Linux-based distro IP address for all three – PLC, SCADA, and Kali – should appear underneath Addresses, as shown in the following screenshot:

Figure 1.37 – Ubuntu manual IP configuration

Now, we can move on to the Windows 7 configuration and set the IP address manually there as well. The Windows 7 configuration looks like this:

Figure 1.38 – Windows 7 network configuration

Make sure that PLC, SCADA, and Workstation can all ping each other by running the ping command, as shown in the following screenshot:

Figure 1.39 – Checking communication between VMs
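The following script is an added example, not code from the book, that ties the addressing scheme above to the ping check: it verifies that each VM's static IP falls inside the subnet of the Purdue level it was moved into, lists which VM pairs sit on different port groups (and so only talk through the inter-level routing this section is named for), and reproduces the manual ping check from whichever host runs it. The /24 and /16 subnet masks are assumptions, since the chapter's range table is not reproduced on this page.

```python
import ipaddress
import platform
import subprocess

# Lab segments: Purdue level -> subnet. The masks are assumptions made for this
# example; only the host addresses come from the chapter.
SEGMENTS = {
    "Level 5: Enterprise": ipaddress.ip_network("172.16.0.0/16"),
    "Level 3: Operations and Control": ipaddress.ip_network("192.168.3.0/24"),
    "Level 2: Localized Control": ipaddress.ip_network("192.168.2.0/24"),
    "Level 1: Process": ipaddress.ip_network("192.168.1.0/24"),
}

# Static addresses from the chapter, mapped to the port group each VM was moved into.
HOSTS = {
    "PLC": ("Level 1: Process", "192.168.1.10"),
    "SCADA": ("Level 2: Localized Control", "192.168.2.10"),
    "Workstation": ("Level 3: Operations and Control", "192.168.3.10"),
    "Kali": ("Level 5: Enterprise", "172.16.0.10"),
}


def misplaced_hosts():
    """Names of VMs whose static IP lies outside the subnet of their level."""
    return [name for name, (level, ip) in HOSTS.items()
            if ipaddress.ip_address(ip) not in SEGMENTS[level]]


def same_segment(a, b):
    """True when two VMs share a port group, i.e. can talk without a router."""
    return HOSTS[a][0] == HOSTS[b][0]


def routed_pairs():
    """VM pairs on different levels; these depend on routing rules between segments."""
    names = sorted(HOSTS)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if not same_segment(a, b)]


def ping(ip, timeout_s=2):
    """One ICMP echo, like the chapter's manual check; True if the host answered."""
    win = platform.system() == "Windows"
    cmd = ["ping", "-n" if win else "-c", "1",
           "-w" if win else "-W", str(timeout_s * 1000 if win else timeout_s), ip]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def ping_matrix():
    """Reachability of every lab VM from the host running this script."""
    return {name: ping(ip) for name, (_, ip) in HOSTS.items()}
```

Run it from each of the VMs in turn and compare `ping_matrix()` against `routed_pairs()`: a pair that is listed as routed but does not answer points at the router or firewall rules rather than at the VM's static address.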

We have now successfully set up the network segmentation so that it represents that of the Purdue model. The IP addresses have all been statically set, and we've tested the communication between the levels and the VMs.