Industrial Control System Exploitation Framework | Lucideus Research

Introduction (Difficulty: Medium)
ISF (Industrial Exploitation Framework), also distributed under the name ICSSPLOIT: an exploitation framework written in Python and based on the open source project routersploit. It is used to test for known vulnerabilities in a range of programmable logic controllers (PLCs) and Industrial Control System (ICS) software.

Programmable Logic Controller: PLCs are connected to sensors to harvest the sensor output signals and convert them into digital data, on which their control logic then acts. PLCs are often used instead of RTUs because of their flexibility, ease of configuration, versatility and affordability compared to RTUs.

Industrial Control System(ICS): Industrial control system (ICS) is a general term used to describe the integration of hardware and software with network connectivity in order to support critical infrastructure. ICS technologies include, but are not limited to, supervisory control and data acquisition (SCADA) and distributed control systems (DCS), industrial automation and control systems (IACS), programmable logic controllers (PLCs), programmable automation controllers (PACs), remote terminal units (RTUs), control servers, intelligent electronic devices (IEDs) and sensors.

Modbus : Modbus is an application-layer messaging protocol originally designed for serial lines and now also carried over TCP/IP (Modbus TCP, TCP port 502), which is what the ISF client used below speaks. It is widely used to connect industrial electronic devices because the specification is openly published, royalty-free and easy to deploy. Communication is master/slave: there is one master and one or more slaves, and each slave has a unique 8-bit device address or unit number (1 to 247). The protocol itself carries no authentication, integrity protection or encryption, so any host that can reach a slave can issue the same read and write requests as its legitimate master.
Coils and registers are names or pre-defined variables for memory addresses. The coil is a boolean (bit) variable and a register is an integer variable. There are discrete inputs (read-only boolean), coils (read-write boolean), input registers (read-only integer), and holding registers (read-write integer).

ModbusPal : ModbusPal is a MODBUS slave simulator whose aim is to reproduce complex and realistic MODBUS environments. The core of ModbusPal is a Java-based simulator. TCP/IP is supported, and serial communication is supported if the RxTx library is installed on the computer. One strength of ModbusPal is that a user can write external scripts and deploy them. The second key feature of ModbusPal is the "Learn" mode: in this mode it creates registers and coils dynamically as soon as a request for them is processed. ModbusPal can simulate up to 247 MODBUS slaves. Each slave can have holding registers and coils, and each register or coil can be animated by associating it with a dynamic value generator called an "automation".

Terminologies and Requirements

Requirements (Python libraries ISF depends on):
  • GNU Readline
  • Paramiko
  • Beautiful Soup 4
  • Pysnmp
  • Python-nmap
  • Scapy
Exploit modules included in ICSSPLOIT
  • Siemens S7-300 and S7-400 start/stop
  • VxWorks RPC denial of service: works against any VxWorks system on which the Remote Procedure Call (RPC) protocol is enabled (CVE-2015-7599).
  • Schneider Quantum 140 series start/stop.
  • Crash QNX Inetd tcp service started with inetd.
  • QCONN QNX Neutrino remote command execution vulnerability.

GNU Readline : The GNU Readline library provides a set of functions for use by applications that allow users to edit command lines as they are typed in. Both Emacs and vi editing modes are available. The Readline library includes additional functions to maintain a list of previously-entered command lines, to recall and perhaps reedit those lines, and perform csh-like history expansion on previous commands.

Paramiko : This is a library for making SSH2 connections (client or server). Emphasis is on using SSH2 as an alternative to SSL for making secure connections between python scripts. All major ciphers and hash methods are supported. SFTP client and server mode are both supported too.

Beautiful Soup : Beautiful Soup sits atop an HTML or XML parser, providing Pythonic idioms for iterating, searching, and modifying the parse tree.

PySNMP : PySNMP is a cross-platform, pure-Python SNMP engine implementation. It features a fully functional SNMP engine capable of acting in Agent/Manager/Proxy roles, talking SNMP v1/v2c/v3 protocol versions over IPv4/IPv6 and other network transports. The PySNMP implementation closely follows the intricate details of the standards, bringing as much power and flexibility as possible to its users.

Python-nmap : python-nmap is a Python library which helps in using the nmap port scanner. It makes it easy to manipulate nmap scan results and is a good fit for system administrators who want to automate scanning tasks and reports. It also supports nmap script outputs. It can even be used asynchronously, in which case results are returned one host at a time to a callback function defined by the user.

Scapy : Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, most of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, ...), etc.

Simatic S7-300 : A graded CPU range with a wide performance range is available for configuring the controller. The product range comprises 7 standard CPUs, 7 compact CPUs, 5 fail-safe CPUs and 3 technology CPUs. The CPUs are available from a width of only 40 mm.

Siemens S7-400 : There is a graded range of CPUs from the entry-level CPU right up to the high-performance CPU for configuring the controller. All CPUs control large quantity structures; several CPUs can work together in a multicomputing configuration to boost performance. The CPUs enable short machine cycle times. The different CPUs are distinguished by, for example, work memory, address range, number of connections and execution time. As well as the standard CPUs, there are also two failsafe and three fault-tolerant CPUs available.

CVE-2015-7599  : Integer overflow in the _authenticate function in svc_auth.c in Wind River VxWorks 5.5 through, when the Remote Procedure Call (RPC) protocol is enabled, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a username and password.

Schneider Quantum 140 : The Modicon Quantum PLC provides a scalable, modular design intended to meet the needs of the most critical applications, from a single-frame system to a plant-wide architecture. This scalability makes the Modicon Quantum PLC well suited to industries that require continuous operation to achieve optimum cycle times.

Inetd : The inetd daemon listens for connections on certain well-known ports. When it finds a connection on one of its sockets, the daemon decides what service the socket corresponds to and invokes a program to service the request. After that program is finished, inetd continues to listen on the socket. Essentially, inetd lets you run one daemon to invoke several others, reducing load on the system. Because inetd spawns the service handler per connection, crashing the handler (as the QNX module above does) affects that service rather than the whole system.

QNX Neutrino:  The QNX Neutrino Realtime Operating System (RTOS) is a full-featured and robust RTOS designed to enable the next-generation of products for automotive, medical, transportation, military and industrial embedded systems. Microkernel design and modular architecture enable customers to create highly optimized and reliable systems with low total cost of ownership. With the QNX Neutrino RTOS, embedded systems designers can create compelling, safe, and secure devices built on a highly reliable RTOS software serving as the foundation that helps guard against system malfunctions, malware, and cyber security breaches.

Coils : Coils are 1-bit registers, are used to control discrete outputs, and may be read or written. Discrete Inputs are 1-bit registers used as inputs, and may only be read. Input registers are 16-bit registers used for input, and may only be read. Holding registers are the most universal 16-bit register, may be read or written, and may be used for a variety of things including inputs, outputs, configuration data, or any requirement for "holding" data.

Installation Guide

Modbus client library (pyModbusTCP) :
Step 1: Open a terminal and clone the repository from GitHub : git clone <pyModbusTCP repository URL>

Step 2: cd pyModbusTCP
# here replace "python" with your target python version(s) (for example python3.2)
sudo python setup.py install

ISF itself ships a requirements file listing the libraries described above, which can be installed with pip as:
#pip install -r requirements

Proof of Concept in Action

Step 1: Set up ModbusPal on another machine in the network and add one slave with a few coils (the ISF client acts as the Modbus master, ModbusPal as the slave). Note the slave's unit number and the coil addresses you configured.

Step 2: Import the module. Move into the downloaded ISF directory, start python, and type:
from icssploit.clients.modbus_tcp_client import ModbusClient

Step 3: Init Client
target = ModbusClient(name='modbus_tcp_client', ip='<IP>')

eg: target = ModbusClient(name='modbus_tcp_client', ip='<IP of the ModbusPal host>')
target.connect()   //We are now connected to the Modbus slave (ModbusPal). No credentials are involved: the slave accepts any TCP client.

Step 4: Read Coils
target.read_coils(address=<Start Address Of Coils>, count=<Count Of Coils>)
eg: target.read_coils(address=100, count=10)
This reads the values of <count> consecutive coils starting at the specified coil address (Modbus function code 01). Note that the address is the coil address in the slave's memory map, not the slave's unit number.

Step 5: Write Coils
target.write_multiple_coils(address=<Start Address Of Coils>, values=[<Values To Be Written>])
eg: target.write_multiple_coils(address=100, values=[1, 1, 1, 1, 1, 1, 1, 1])
This overwrites eight consecutive coils starting at address 100 (function code 15). On a real PLC each coil typically drives a physical output, so this is the step that changes process state.

Step 6: Read the coils again to confirm the changes were applied.
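What the ISF client actually puts on the wire in Steps 4 to 6, as an added example that is not code from ISF/icssploit or ModbusPal: the frames for Read Coils (function code 01) and Write Multiple Coils (function code 15) are built and parsed by hand, and a minimal in-memory slave stands in for ModbusPal so the read/write/read sequence runs offline. The unit id, the coil table size and the addresses are assumed values; the Modbus exception codes used (01 illegal function, 02 illegal data address, 03 illegal data value) are the standard ones.

```python
"""Modbus TCP frames behind ISF's read_coils / write_multiple_coils.

Added example, not code from ISF/icssploit or ModbusPal. A minimal in-memory
slave stands in for ModbusPal; all frames are built and parsed inline, so it
runs offline. Unit id, coil table size and addresses are assumed values.
"""
import struct

READ_COILS = 0x01
WRITE_MULTIPLE_COILS = 0x0F
UNIT_ID = 1  # assumed unit number of the ModbusPal slave (valid range 1..247)


def mbap(tid, pdu, unit=UNIT_ID):
    """Prepend the Modbus TCP MBAP header: transaction id, protocol 0, length, unit."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def split_mbap(frame):
    """Return (transaction id, unit, pdu); reject a frame whose length field lies."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return tid, unit, frame[7:]


def pack_bits(values):
    """Coil bit packing: the first coil is the least significant bit of the first byte."""
    out = bytearray((len(values) + 7) // 8)
    for i, v in enumerate(values):
        if v:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)


def unpack_bits(data, count):
    return [(data[i // 8] >> (i % 8)) & 1 for i in range(count)]


def read_coils_request(tid, address, count):
    """Function code 01: read `count` coils starting at `address`."""
    return mbap(tid, struct.pack(">BHH", READ_COILS, address, count))


def write_multiple_coils_request(tid, address, values):
    """Function code 15: write a list of 0/1 values starting at `address`."""
    data = pack_bits(values)
    return mbap(tid, struct.pack(">BHHB", WRITE_MULTIPLE_COILS, address, len(values), len(data)) + data)


class ToySlave:
    """A flat coil table answering FC 01 and FC 15. Like any Modbus slave it does
    no authentication: whoever can reach TCP/502 gets the same access as the master."""

    def __init__(self, ncoils=256):
        self.coils = [0] * ncoils

    def handle(self, frame):
        tid, unit, pdu = split_mbap(frame)
        fc = pdu[0]
        if fc == READ_COILS:
            address, count = struct.unpack(">HH", pdu[1:5])
            if not 1 <= count <= 2000:
                return mbap(tid, bytes([fc | 0x80, 0x03]), unit)  # exception 03: illegal data value
            if address + count > len(self.coils):
                return mbap(tid, bytes([fc | 0x80, 0x02]), unit)  # exception 02: illegal data address
            data = pack_bits(self.coils[address:address + count])
            return mbap(tid, bytes([fc, len(data)]) + data, unit)
        if fc == WRITE_MULTIPLE_COILS:
            address, count, nbytes = struct.unpack(">HHB", pdu[1:6])
            data = pdu[6:6 + nbytes]
            if nbytes != (count + 7) // 8 or len(data) != nbytes:
                return mbap(tid, bytes([fc | 0x80, 0x03]), unit)
            if address + count > len(self.coils):
                return mbap(tid, bytes([fc | 0x80, 0x02]), unit)
            self.coils[address:address + count] = unpack_bits(data, count)
            return mbap(tid, struct.pack(">BHH", fc, address, count), unit)  # echo means success
        return mbap(tid, bytes([fc | 0x80, 0x01]), unit)  # exception 01: illegal function


def check(frame):
    """Return the response PDU, raising if the slave answered with an exception."""
    _, _, pdu = split_mbap(frame)
    if pdu[0] & 0x80:
        raise RuntimeError("Modbus exception code %d for function %d" % (pdu[1], pdu[0] & 0x7F))
    return pdu


def poc(slave, address=100, values=(1, 1, 1, 1, 1, 1, 1, 1)):
    """Steps 4-6 of the write-up: read, overwrite, read again to confirm the change."""
    n = len(values)
    before = unpack_bits(check(slave.handle(read_coils_request(1, address, n)))[2:], n)
    check(slave.handle(write_multiple_coils_request(2, address, list(values))))
    after = unpack_bits(check(slave.handle(read_coils_request(3, address, n)))[2:], n)
    return before, after


if __name__ == "__main__":
    print(poc(ToySlave()))  # ([0, 0, 0, 0, 0, 0, 0, 0], [1, 1, 1, 1, 1, 1, 1, 1])
```

The transaction id is the only thing tying a reply to a request, and nothing in the frame proves who sent it; that is why the simple read/write/read loop in the steps above succeeds against ModbusPal, and why it would equally succeed against a real PLC reachable on port 502. When testing a real device, start with reads and an exception-code check like the one in check() before writing anything, since a write that the slave accepts changes the process immediately.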

Conclusion: The simulator exercise shown above covers the basics of communication between a Modbus master (the ISF client) and a slave (ModbusPal), and makes the core weakness of the protocol visible: there is no authentication, so any host that can reach the slave can read and rewrite its coils. Only a few functions were demonstrated here, but the simulator supports nearly all Modbus function codes, so try it yourself if you are interested in ICS and comment with what else you managed to experiment with.

