Pentesting Industrial Control Systems: An ethical hacker's guide to analyzing, compromising, mitigating, and securing industrial processes
Ebook, 658 pages, 4 hours



About this ebook

The industrial cybersecurity domain has grown significantly in recent years. To completely secure critical infrastructure, red teams must be employed to continuously test and exploit the security integrity of a company's people, processes, and products.
This is a unique pentesting book, which takes a different approach by helping you gain hands-on experience with equipment that you’ll come across in the field. This will enable you to understand how industrial equipment interacts and operates within an operational environment.
You'll start by getting to grips with the basics of industrial processes, and then see how to create and break the process, along with gathering open-source intel to create a threat landscape for your potential customer. As you advance, you'll find out how to install and utilize offensive techniques used by professional hackers. Throughout the book, you'll explore industrial equipment, port and service discovery, pivoting, and much more, before finally launching attacks against systems in an industrial network.
By the end of this penetration testing book, you'll not only understand how to analyze and navigate the intricacies of an industrial control system (ICS), but you'll also have developed essential offensive and defensive skills to proactively protect industrial networks from modern cyberattacks.

Language: English
Release date: Dec 9, 2021
ISBN: 9781800207288
Author

Paul Smith



    Pentesting Industrial Control Systems - Paul Smith


    BIRMINGHAM—MUMBAI

    Pentesting Industrial Control Systems

    Copyright © 2021 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    Group Product Manager: Vijin Boricha

    Publishing Product Manager: Preet Ahuja

    Senior Editor: Shazeen Iqbal

    Content Development Editor: Romy Dias

    Technical Editor: Shruthi Shetty

    Copy Editor: Safis Editing

    Project Coordinator: Shagun Saini

    Proofreader: Safis Editing

    Indexer: Hemangini Bari

    Production Designer: Alishon Mendonca

    First published: October 2021

    Production reference: 1211021

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham

    B3 2PB, UK.

    ISBN 978-1-80020-238-2

    www.packt.com

    Contributors

    About the author

    Paul Smith has spent close to 20 years in the automation control space, tackling the red herring problems that are thrown his way. He has handled unique issues such as measurement imbalances resulting from flare sensor saturation, database migration mishaps, and many more. This ultimately led to the later part of his career, where he has been spending most of his time in the industrial cybersecurity space pioneering the use of new security technology in the energy, utility, and critical infrastructure sectors, and helping develop cybersecurity strategies through the use of red team/pentest engagements, cybersecurity risk assessments, and tabletop exercises for some of the world's largest government contractors, industrial organizations, and municipalities.

    I want to thank my family, for providing the encouragement and motivation I've needed to write this book. Special thanks to my father, for buying me my first computer and allowing me to connect it to the telephone system. Props to Revelation and the group of hackers/phreakers that made up the Legion Of the Apocalypse for steering me down this path and ultimately establishing my career in this field. Thanks to the entire Packt team, for dealing with my schedule creep and topic crunches.

    About the reviewer

    Dmitry Khomenko is an information security professional with over 10 years of experience in industrial automation, IT, and industrial cybersecurity. He has designed, implemented, and supported OT/ICS cybersecurity projects at the biggest industrial companies of Russia, such as Gazprom, Rosneft Oil Co., Norilsk Nickel, EuroChem Group, and Metalloinvest. Currently, he is the founder and chief of the information security department of a new information security services division in an engineering company and works with leaders of the industrial automation industry and key companies of the Russian extractive industry.

    I would like to thank my wife, Elizabeth, who always shows her love and supports me in various important decisions and moments in my life. Thanks to my little son, Vladislav, for fulfilling me with his love and youthful energy. Thanks to my parents, for their honest words and support after my life and work mistakes. All this helps me to become better and move forward.

    Table of Contents

    Preface

    Section 1 - Getting Started

    Chapter 1: Using Virtualization

    Technical requirements

    Understanding what virtualization is

    Discovering what VMware is

    Turning it all on

    How to install Fusion

    How to install ESXi

    How to install Hypervisor

    Spinning up Ubuntu as a pseudo-PLC/SCADA

    Spinning up Windows Engineering Workstation

    Spinning up Kali Linux

    Routing and rules

    Summary

    Chapter 2: Route the Hardware

    Technical requirements

    Installing the Click software

    Setting up Koyo Click

    Configuring communication

    Summary

    Chapter 3: I Love My Bits – Lab Setup

    Technical requirements

    Writing and downloading our first program

    Overriding and wiring the I/O

    Testing control

    Summary

    Section 2 - Understanding the Cracks

    Chapter 4: Open Source Ninja

    Technical requirements

    Understanding Google-Fu

    Searching LinkedIn

    Experimenting with Shodan.io

    Investigating with ExploitDB

    Traversing the NVD

    Summary

    Chapter 5: Span Me If You Can

    Technical requirements

    Installing Wireshark

    macOS

    Linux distros

    Windows 10

    Using a TAP during an engagement

    Navigating IDS security monitoring

    Node license saturation

    Alert exhaustion

    Other protocol or uncommon port

    Encrypted protocol usage

    Living off the land

    Summary

    Chapter 6: Packet Deep Dive

    Technical requirements

    How are packets formed?

    The Application layer

    The Presentation layer

    The Session layer

    The Transport layer

    The Network layer

    The Data Link layer

    The Physical layer

    Capturing packets on the wire

    Capture filters

    Display filters

    Analyzing packets for key information

    Summary

    Section 3 - I’m a Pirate, Hear Me Roar

    Chapter 7: Scanning 101

    Technical requirements

    Installing and configuring Ignition SCADA

    Introduction to NMAP

    Port scanning with RustScan

    Installing RustScan

    Introduction to Gobuster

    Installing Gobuster

    Web application scanning with feroxbuster

    Summary

    Chapter 8: Protocols 202

    Technical requirements

    Industry protocols

    Modbus crash course

    Establishing a Modbus server

    Turning lights on with Ethernet/IP

    Establishing the EthernetIP server

    Summary

    Chapter 9: Ninja 308

    Technical requirements

    Installing FoxyProxy

    Running BurpSuite

    Building a script for brute-forcing SCADA

    Summary

    Chapter 10: I Can Do It 420

    Technical requirements

    Installing corporate environment elements

    Installing and configuring the domain controller

    Adding and installing the DNS server

    Adding and installing the DHCP server

    Adding and installing network file sharing

    Configuring Kerberos

    Installing and configuring workstations

    Kali Linux tools

    Discovering and launching our attacks

    Getting shells

    Summary

    Chapter 11: Whoot… I Have To Go Deep

    Technical requirements

    Configuring a firewall

    I have a shell, now what?

    Escalating privileges

    Pivoting

    Summary

    Section 4 - Capturing Flags and Turning off Lights

    Chapter 12: I See the Future

    Technical requirements

    Additional lab configurations

    LDAP connection

    PHP setup

    User interface control

    Script access

    Summary

    Chapter 13: Pwned but with Remorse

    Technical requirements

    Preparing a pentest report

    Attack vector

    Probability of happening

    Level of complexity

    Security controls

    Closing the security gap

    MITRE ATT&CK

    Industrial firewalls

    Summary

    Other Books You May Enjoy

    Preface

    The industrial cybersecurity industry has grown significantly in recent years. To truly secure today's critical infrastructure, red teams must be employed to continuously test and exploit the security integrity of a company's people, processes, and products. This pentesting book takes a slightly different approach than most by helping you to gain hands-on experience with equipment that you'll come across in the field. This will enable you to understand how industrial equipment interacts and operates within an operational environment.

    The book begins by helping you get to grips with the basics of industrial processes, and then shows you how to create and break the process, along with gathering open source intel to create a threat landscape for your potential customer. As you advance, you'll find out how to install and utilize offensive techniques used by professional hackers. Throughout the book, you'll explore industrial equipment, open source intel gathering, port and service discovery, pivoting, and finally, launching attacks against systems in an industrial network.

    By the end of this penetration testing book, you'll not only understand how to analyze and navigate the intricacies of an Industrial Control System (ICS) but will also have gained essential offensive and defensive skills to proactively protect industrial networks from modern cyber-attacks.

    Who this book is for

    This book started out purely as a manual for industrial pentesting, and as such it was aimed at people who wanted to learn about industrial pentesting. However, it grew into more of a convergence effort: because I had numerous people ask me about getting into the Operational Technology (OT) security space, I figured that I would try to cover topics that addressed both sides of the convergence, the OT and IT personas. IT security personnel who want a hands-on introduction to industrial pentesting will learn about the automation and controls aspect of industrial pentesting, while automation/control engineers who want to better understand their potential threat landscape will learn more about the IT networking aspects.

    What this book covers

    Chapter 1, Using Virtualization, will walk you through the basic building blocks of virtualization, and then progress into building out a hypervisor that will support our virtual ICS lab.

    Chapter 2, Route the Hardware, covers the principles of setting up a Programmable Logic Controller (PLC), and then moves on to the fundamentals of connecting that PLC to a virtual machine on our newly minted hypervisor.

    Chapter 3, I Love My Bits – Lab Setup, takes us through the steps of writing, downloading, and uploading our first program to our PLC.

    Chapter 4, Open Source Ninja, teaches you about the power of Google-Fu, oversharing on LinkedIn, exposed devices on Shodan.io, navigating ExploitDB, and finally, leveraging the national vulnerability database.

    Chapter 5, Span Me If You Can, teaches you about SPANs and TAPs and how they can be leveraged in a pentesting engagement, and then we will take a deep dive into intrusion detection systems.

    Chapter 6, Packet Deep Dive, walks through the structure of a typical packet, teaching you how to capture packets from the wire, and then analyzing those packets for key information.

    Chapter 7, Scanning 101, starts out by building a live SCADA system, and then moves on to using NMAP, RustScan, Gobuster, and feroxbuster to perform scanning techniques on our live SCADA system.

    Chapter 8, Protocols 202, takes a deep dive into Modbus and Ethernet/IP and the ways we can utilize these protocols to perform pentesting tasks inside the ICS.

    Chapter 9, Ninja 308, leverages FoxyProxy and Burp Suite to analyze and attack the SCADA user interface.

    Chapter 10, I Can Do It 420, starts off by installing and configuring a corporate-side firewall to provide a more holistic lab setup. Then, we continue on to scanning, exploiting, and then landing reverse shells.

    Chapter 11, Whoot… I Have To Go Deep, picks up now that we have the shells and looks at running post-exploitation modules to glean data from inside the network. We will escalate privileges on the machines that we compromise, and then pivot down to the lower segments.

    Chapter 12, I See the Future, looks at the dangers of credential reuse by taking you through the steps of leveraging credentials discovered in previous steps and then accessing the SCADA interface for ultimate control of the system.

    Chapter 13, Pwnd but with Remorse, discusses the core deliverable, the report. If there is no evidence, did a test actually occur? We will prepare a template for future assessments/pentests, then discuss the critical information that lands inside the report, and then finally, document recommendations that can be used by the blue team to protect their systems into the future.

    To get the most out of this book

    You should try and get your hands on a mini-PC that can handle 32 GB+ of RAM and has at least two Ethernet ports. Intel NUC, GIGABYTE BRIX, and Zotac Z-Box are examples of devices that would be very useful to run your virtual images on.

    If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book's GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

    Code in Action

    The Code in Action videos for this book can be viewed at https://bit.ly/3iZpT2f.

    Download the color images

    We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781800202382_ColorImages.pdf.

    Conventions used

    There are a number of text conventions used throughout this book.

    Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: Go ahead and open the PCAP file labeled 4SICS-GeekLounge-151021.pcap with Wireshark.

    A block of code is set as follows:

    from pymodbus.datastore import (ModbusSequentialDataBlock, ModbusSlaveContext,
                                    ModbusServerContext)

    def run_async_server():
        # Three data blocks of 100 values each, starting at address 0 and initialized to 17
        store = ModbusSlaveContext(
            di=ModbusSequentialDataBlock(0, [17]*100),
            co=ModbusSequentialDataBlock(0, [17]*100),
            hr=ModbusSequentialDataBlock(0, [17]*100))
        # completed here so the block stands alone: wrap the store in a server context
        return ModbusServerContext(slaves=store, single=True)

    When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

    import logging

    FORMAT = ('%(asctime)-15s %(threadName)-15s'
              ' %(levelname)-8s %(module)-15s:%(lineno)-8s %(message)s')

    logging.basicConfig(format=FORMAT)

    log = logging.getLogger()

    log.setLevel(logging.DEBUG)

    Any command-line input or output is written as follows:

    tcpdump -i <interface> -v -X

    Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: We will want to set the port mirroring, so select the Monitoring option from the menu on the left and then select Port Mirror.

    Tips or important notes

    Appear like this.

    Get in touch

    Feedback from our readers is always welcome.

    General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

    Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

    Share Your Thoughts

    Once you've read Pentesting Industrial Control Systems, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

    Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

    Section 1 - Getting Started

    Industrial control systems (ICS) are the heart and soul of critical infrastructure. Understanding the process they impact goes a long way toward understanding the vendors chosen and devices running. Due to the nature of the ICS space having many verticals, such as power, energy, chemical, water, manufacturing, transportation, building management, and amusement parks, to name a few, and under these main verticals there being subcategories, such as production/generation, delivery/distribution, and refining, it becomes difficult to build an extensive lab. However, for all intents and purposes, we will be building a test lab as a starting point to explore tactics, techniques, and procedures. This starter lab will help you to develop a foundation that will be scalable as more equipment is accumulated over the years.

    The following chapters will be covered under this section:

    Chapter 1, Using Virtualization

    Chapter 2, Route the Hardware

    Chapter 3, I Love My Bits – Lab Setup

    Chapter 1: Using Virtualization

    This first chapter touches on the relevance of virtualization and the importance of familiarizing yourself with the different flavors, including VirtualBox, Hyper-V, KVM, VMware, and more. However, in this book, we are going to focus on VMware, and specifically the ESXi hypervisor, as it is free and a scaled-down version of what you will see out in the real world when it comes to production. We are going to spin up the hypervisor in an effort to create our own lab, install a handful of virtual machines (VMs), and attempt to mimic a virtual Supervisory Control and Data Acquisition (SCADA) environment.

    In this chapter, we're going to cover the following main topics:

    Understanding what virtualization is

    Discovering what VMware is

    Turning it all on

    Routing and rules

    Technical requirements

    For this chapter, you will need the following:

    A computer that supports virtualization and dual interfaces

    VMware ESXi

    VMware Fusion

    Ubuntu ISO

    Windows 7 ISO

    Kali Linux ISO

    The following are the links that you can navigate to download the software:

    macOS Fusion: https://www.vmware.com/products/fusion/fusion-evaluation.html

    Windows: https://www.vmware.com/products/workstation-pro/workstation-pro-evaluation.html

    ESXi: https://my.vmware.com/en/web/vmware/evalcenter?p=free-esxi7

    Kali Linux: https://www.kali.org/downloads/

    Understanding what virtualization is

    Virtualization, in layman's terms, is the method of simulating any combination of hardware and software in a purely software medium. This allows anyone to run and test an endless number of hosts without incurring the financial burden and the costs of hardware requirements. It is especially useful if you have distro commitment issues.

    I cannot emphasize enough the importance of understanding the inner workings of virtualization. This technology has become the foundation on which all development and testing is performed and built. Every engagement that I have been involved in has had large parts of its infrastructure running on some sort of virtualization platform. Having concrete knowledge of how virtualization works is pivotal for any engagement: you can perform reconnaissance of your victim's organization or technology and reproduce it inside your virtual lab.

    Performing some simple Open Source Intelligence (OSINT), you can easily discover what networking equipment an organization is utilizing, including their firewall technology, endpoint protection, and what Operational Technology Intrusion Detection System (OT IDS) that the company has installed. With this information, you can navigate to the websites of your newly discovered intel and download VM instances of the software and spin it up alongside your new, homegrown virtual environment. From here, you can plan out every angle of attack, design multiple scenarios of compromise, establish how and where to pivot into lower segments of the network, build payloads to exploit known vulnerabilities, and ultimately gain the keys to the kingdom. This technique will be discussed in further chapters, but know that it is key to building out an attack path through an organization's infrastructure.

    One of the most important features of virtualization is the use of snapshots. If, at any point, you brick a box, you can roll it back and start afresh, documenting the failed attempt and ultimately avoiding this pitfall on the live engagement. This allows you to try a variety of attacks with little fear of the outcome, as you know you have a stable copy to revert to. There are numerous flavors of virtualization vendors/products that I have come in contact with over the course of my career. These include VMware, VirtualBox, Hyper-V, Citrix, and KVM. Each has its own pros and cons. I have defaulted to VMware and will go forward through this book utilizing the various products they offer.

    In no way, shape, or form is this a sales pitch for VMware; just know that VMware is easier to work with, as there is near-seamless integration across its ecosystem of products, which, almost irritatingly so, has made it the medium that organizations are embracing in their environments.

    Understanding the important role that virtualization plays in pentesting will help strengthen your budding career. Practicing spinning up a basic VM on each stack will help you understand the nuances of each platform and learn the intricacies of virtual hardware dependencies. As a bonus, by familiarizing yourself with each hypervisor vendor, you will figure out which software you prefer and really dig deep to learn the ins and outs of it. With all this said, I will be using VMware going forward to build the lab.

    Discovering what VMware is

    VMware was founded in 1998, launching its first product, VMware Workstation, in 1999. Three years after the company was founded, they released GSX and ESX into the server market. Elastic Sky X (ESX) retained the name until 2010. The "i" was added after VMware invested time and money into upgrading the OS and modernizing the user interface; the product is now dubbed ESX integrated (ESXi). If you are reading this, I think it is safe for me to assume that you have perused a few books on related topics, since most books cover desktop hypervisors such as Player, Workstation, and/or Fusion. I want to take this a step further and provide some hands-on exposure and practice with ESXi in the next section.

    OK, maybe that was a slightly sales-y pitch, but I can honestly say that I have never worked for VMware and do not get any royalties for plugging their technology. However, I feel it would do you a disservice to not take you through a hands-on practical experience with technology that you will most certainly discover out there in the field. I have personally encountered VMware in the verticals of oil and gas, energy, chemical, pharma, consumer product production, discrete manufacturing, and amusement parks, to name a few.

    A typical production solution consists of the following:

    Distributed Resource Scheduler (DRS)

    High Availability (HA)

    Consolidated Backup

    VCenter

    Virtual machines

    ESXi servers

    Virtual Machine File System (VMFS)

    Virtual symmetric multi-processing (SMP)

    For a better overview of these specific components, please reference the following web page: https://www.vmware.com/pdf/vi_architecture_wp.pdf.

    I do not want to deep dive into VMware; instead, I simply want to make you aware of some of the pieces of technology that you will encounter on an engagement. I do, however, want to call out the core stack, which consists of vCenter, ESXi servers, and VMs. These are the building blocks of almost all virtualization implementations in large organizations. vCenter controls ESXi servers, and ESXi servers are where VMs live. Knowing this will help you understand the path of privilege escalation once you get a foothold on a VM inside the operational layer of the company. I have had many conversations with security personnel over the years around Separation of Duties (SoD), and teams dedicated to their applications are more than happy to explain the great pain and lengths they have gone to in order to adhere to Confidentiality, Integrity, and Availability (CIA). When performing tabletop exercises with these same teams and asking them, "Who controls the ESXi server your app lives on?" and then continuing with, "What is your total exposure if your vCenter is compromised?", you'll find that the answers, in most cases, will shock you, if not terrify you to the bone. I challenge you to ask your IT/OT team – or whoever is managing your virtual infrastructure – how many VMs are running per server. Then, follow that up with, "When was the last time you performed a Disaster Recovery (DR) failover test?" Knowing whether a piece of the critical control is running inside an over-taxed server with minimal resources is quite useful from a risk mitigation point of view, but for the purpose of this book, we need to exploit a weakness in an overlooked component of the system.
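    The two questions above ("what is your total exposure if your vCenter is compromised?" and "how many VMs are running per server?") can be answered mechanically once the vCenter -> ESXi -> VM hierarchy is written down. The following Python is an added example written for this edit, not code from the book or its GitHub repository: it models a constructed inventory (all host names, VM names, core counts, and "critical" tags are invented for illustration) and computes the blast radius of a compromised vCenter or host plus a per-host vCPU over-commit ratio, which is the risk-mitigation view the paragraph describes.

```python
"""Blast-radius and over-commit model for a vCenter -> ESXi host -> VM tree.

Added example; the inventory below is constructed, not a real environment.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    vcpus: int
    critical: bool = False  # constructed tag: is this part of the control layer?


@dataclass
class Host:
    name: str
    physical_cores: int
    vms: list[VM] = field(default_factory=list)


@dataclass
class VCenter:
    name: str
    hosts: list[Host] = field(default_factory=list)


def build_inventory() -> VCenter:
    """Constructed sample inventory (hypothetical names and sizes)."""
    return VCenter("vcenter-ot.example", [
        Host("esxi-01", physical_cores=16, vms=[
            VM("scada-hmi", 4, critical=True),
            VM("historian", 8, critical=True),
            VM("eng-workstation", 4),
            VM("file-share", 2),
        ]),
        Host("esxi-02", physical_cores=8, vms=[
            VM("domain-controller", 4, critical=True),
            VM("jump-host", 2),
            VM("backup-proxy", 2),
            VM("test-vm-1", 4),
            VM("test-vm-2", 4),
        ]),
    ])


def exposed_vms(vc: VCenter, compromised: str) -> set[str]:
    """Names of VMs reachable from a compromised node.

    vCenter manages every host, so compromising it reaches every VM;
    compromising one ESXi host reaches only the VMs that live on it.
    An unknown node name exposes nothing.
    """
    if compromised == vc.name:
        return {vm.name for h in vc.hosts for vm in h.vms}
    for h in vc.hosts:
        if h.name == compromised:
            return {vm.name for vm in h.vms}
    return set()


def critical_exposed(vc: VCenter, compromised: str) -> set[str]:
    """Subset of the exposed VMs that are tagged as critical control components."""
    names = exposed_vms(vc, compromised)
    return {vm.name for h in vc.hosts for vm in h.vms
            if vm.name in names and vm.critical}


def host_load(vc: VCenter) -> dict[str, dict[str, float]]:
    """Per-host VM count, critical-VM count, and vCPU over-commit ratio.

    vcpu_ratio = allocated vCPUs / physical cores; a value well above 1.0 is
    the 'over-taxed server with minimal resources' the text warns about.
    """
    report: dict[str, dict[str, float]] = {}
    for h in vc.hosts:
        vcpus = sum(vm.vcpus for vm in h.vms)
        report[h.name] = {
            "vm_count": len(h.vms),
            "critical_vms": sum(1 for vm in h.vms if vm.critical),
            "vcpu_ratio": round(vcpus / h.physical_cores, 2),
        }
    return report


if __name__ == "__main__":
    inv = build_inventory()
    for node in (inv.name, "esxi-01", "esxi-02"):
        print(f"{node}: {len(exposed_vms(inv, node))} VMs exposed, "
              f"critical={sorted(critical_exposed(inv, node))}")
    for host, stats in host_load(inv).items():
        print(host, stats)
```

    In the constructed inventory, a single compromised host already exposes the domain controller, and the vCenter exposes every control-layer VM at once; esxi-02 also runs at a 2:1 vCPU over-commit, which is exactly the combination of blast radius and resource pressure the tabletop questions are meant to surface. Against a real environment the tree would be populated from the vCenter inventory rather than hard-coded.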

    The following diagram shows the relationship between the different components we mentioned previously and how they integrate with each other:

    Figure 1.1 – VMware infrastructure


    I performed some work for a Steam Assisted Gravity Drainage (SAGD) heavy oil company, and part
