Attacking ICS Plant – Walkthrough
Hi everyone, welcome to our blog on Attacking Industrial Control Systems (ICS) #1. Here is the link to this room: https://tryhackme.com/room/attackingics1 . We also have walkthroughs for the EternalBlue exploit, or "Blue" as TryHackMe refers to it, and a privilege escalation walkthrough for the TryHackMe room Vulnversity; the links to these rooms are shared below:
Our routine is usually to start the AttackBox or connect to the OpenVPN first; for this room, however, that is not necessary. Our approach will be to first understand ICS systems and the Modbus protocol.
Take your notebook out and let's start learning.
What is expected of the room?
The room is a simulation of a bottle-filling plant; it lets the learner gain basic knowledge of how to discover and attack ICS plants using the Modbus protocol.
[Task 1] Introduction to OT/ICS
Operational technology (OT) uses hardware and software to manage, monitor and control industrial equipment.
OT devices mostly interact with other machines, such as industrial control systems (ICS). Their purpose is to ensure that these ICS assets are operating correctly and adequately.
OT includes Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS).
. . .
[Task 2] Introduction to Modbus Protocol
Modbus is a serial communication protocol for use with programmable logic controllers (PLCs).
Modbus is a request-response protocol implemented using a master-slave relationship where communication always occurs in pairs—one device must initiate a request and then wait for a response—and the initiating device (the master) is responsible for initiating every interaction.
There are several articles that explain what Modbus is and how it works in more depth; below are two URLs to point you in the right direction:
Before we can answer the questions, we will need to:
- Download the task files, and
- Install pymodbus; to install it, simply run:
pip3 install pymodbus==1.5.2
In case you do not have pip3 installed, install it first with:
sudo apt install python3-pip
[ # 1] Which function is used to read holding registers in the pymodbus library?
Extract the contents of the downloaded archive and read the discovery.py file.
[ # 2] Which function is used to write holding registers in the pymodbus library?
In order to get the answer to this, we need to read the content of the attack_move_fill.py file.
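As an added illustration of the request/response pairing described above (this is not code from the room or its scripts), here is a minimal Modbus/TCP encoder and decoder for the two function codes behind the pymodbus read and write helpers: 0x03 (read holding registers) and 0x06 (write single register). The transaction and register values in the sample frames are constructed, not captured from the plant.

```python
import struct

# Function codes behind the read/write holding register helpers in pymodbus.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06


def build_request(transaction_id, unit_id, function_code, address, count_or_value):
    """Master side: encode one request. The PDU for 0x03 and 0x06 is the function
    code, a 16-bit start address and a 16-bit quantity (0x03) or value (0x06)."""
    pdu = struct.pack(">BHH", function_code, address, count_or_value)
    # MBAP header: transaction id, protocol id (always 0 for Modbus), number of
    # bytes that follow the length field (unit id + PDU), unit id.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame):
    """Master side: decode the slave's reply. Returns (transaction id, unit id,
    function code, payload); payload is a list of register values for 0x03,
    (address, value) for 0x06, or {"exception": code} when the slave refused."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    function_code = frame[7]
    if function_code & 0x80:  # exception: requested code with the high bit set
        return transaction_id, unit_id, function_code & 0x7F, {"exception": frame[8]}
    if function_code == READ_HOLDING_REGISTERS:
        byte_count = frame[8]
        data = frame[9:9 + byte_count]
        if len(data) != byte_count or byte_count % 2:
            raise ValueError("truncated register data")
        regs = list(struct.unpack(">%dH" % (byte_count // 2), data))
        return transaction_id, unit_id, function_code, regs
    if function_code == WRITE_SINGLE_REGISTER:
        return transaction_id, unit_id, function_code, struct.unpack(">HH", frame[8:12])
    raise ValueError("unsupported function code 0x%02x" % function_code)


# Constructed exchange: the master asks unit 1 for 3 holding registers from
# address 0; the slave answers with the values 1, 0, 1 (not a real capture).
SAMPLE_REQUEST = build_request(1, 1, READ_HOLDING_REGISTERS, 0, 3)
SAMPLE_RESPONSE = bytes.fromhex("0001" "0000" "0009" "01" "03" "06" "0001" "0000" "0001")
```

The master always sends first and the slave only ever answers; a reply whose function code has the high bit set is the slave refusing the request, not a register value.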
. . .
[Task 3] Discovery
Connect to the plant using the URL http://<machine's_IP> ; we need to observe what happens in this processing plant.
[ #1 ] How many phases can we observe?
We need to identify the following phases in order to have the right answer:
- Filling and
[ # 2] How many sensors can we observe?
A sensor is a device that detects and responds to some type of input from the physical environment. Sensors measure physical input from their environment and convert it into data that can be understood by either humans or machines.
The specific input could be anything from light, heat, motion, moisture or pressure to any one of a great number of other environmental phenomena.
Sensors observed in this case are:
- Water level sensor and
- Bottle under nozzle sensor
[ # 3] How many actuators can we observe?
Actuators are the moving parts, or the parts that control the mechanism, of a system. At this stage we need to identify the following:
- start/stop the plant
- start/stop the roller
- open/close the nozzle
[ # 4 ] How many registers can we count on the script discovery.py?
Let us read the contents of this script.
[# 5] How many registers are continuously changing their values once the plant is started and bottles are loaded?
If you read through the scripts, you will realize that we are alternating between the following registers:
- Start & Stop the roller
- Open & Close the nozzle
[# 6 ] The maximum and minimum values observed simply refer to the start and stop bits.
[ # 8 ] Which register is holding its value?
You will notice that in all the scripts, the start plant register is always holding its value.
[ #9 ] Which registers are set to 1 while the nozzle is filling a bottle?
We need to identify all the registers that are on while the nozzle is filling the bottle.
These will be Open nozzle and Bottle under the nozzle; to get the correct answer, you need to input the register numbers in the order in which they follow each other.
[ # 10] Identify the registers that are set to 1 while the roller is moving the bottles.
Just like we did previously, we need to understand which other registers are on while the roller is moving. These registers are: start roller and bottle not filled.
[ # 11] Which register is associated with the roller?
This is simply the start/stop roller register, so input the roller register.
[ # 12] Which register is associated with the water level sensor?
This is the bottle not filled register, so input the value of this register.
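As an added example (this is not the room's discovery.py), the following polls a block of holding registers with pymodbus 1.5.2, the version the room pins, and then works out offline which registers keep changing between polls, which hold their value, and the minimum and maximum each one reaches. The host, the address range and the sample snapshots are placeholders, not the room's real register map.

```python
def poll_holding_registers(host, address, count, samples, interval=0.5, unit=1):
    """Take `samples` snapshots of `count` holding registers starting at `address`.
    pymodbus is imported lazily so the analysis below also runs without it."""
    import time
    from pymodbus.client.sync import ModbusTcpClient  # pymodbus 1.5.2 import path
    client = ModbusTcpClient(host, port=502)
    client.connect()
    snapshots = []
    try:
        for _ in range(samples):
            rr = client.read_holding_registers(address, count, unit=unit)
            if not hasattr(rr, "registers"):  # exception or I/O error response
                raise RuntimeError("read failed: %s" % rr)
            snapshots.append(list(rr.registers))
            time.sleep(interval)
    finally:
        client.close()
    return snapshots


def analyse_snapshots(snapshots, base_address=0):
    """Per register: observed min/max, whether it changed at all, and how many
    times it flipped between consecutive polls. Registers that keep flipping
    drive the cycle (roller, nozzle); one that never changes holds its value."""
    if not snapshots:
        return {}
    report = {}
    for i in range(len(snapshots[0])):
        column = [snap[i] for snap in snapshots]
        toggles = sum(1 for a, b in zip(column, column[1:]) if a != b)
        report[base_address + i] = {
            "min": min(column), "max": max(column),
            "changing": toggles > 0, "toggles": toggles,
        }
    return report


def registers_by_behaviour(report):
    """Split a report into the addresses that keep changing and those that hold."""
    changing = sorted(a for a, r in report.items() if r["changing"])
    holding = sorted(a for a, r in report.items() if not r["changing"])
    return changing, holding


# Constructed snapshots (placeholder layout, not the room's real addresses):
# column 0 stays at 1 the whole time, columns 1 and 2 alternate between 0 and 1.
SAMPLE_SNAPSHOTS = [[1, 1, 0], [1, 0, 1], [1, 1, 0], [1, 0, 1], [1, 1, 0]]
```

Against the room, replace SAMPLE_SNAPSHOTS with poll_holding_registers("<machine's_IP>", start_address, register_count, 20) once the plant is running and bottles are loaded.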
. . .
[Task 4] Play & Learn
[ # 1] Which register is associated with the nozzle?
You need to identify the register that opens and closes the nozzle. Check the scripts we downloaded and you will be able to identify the register.
. . .
[Task 5] Attack
[ # 1] Shut down the plant and start it again.
You need to navigate to the IP address provided to have a look at the automated plant operation.
The first task requires us to shut down the plant and prevent the plant manager from starting it. To do that we'll navigate to the attack.py script and have a look at it.
This is the script that shuts down the plant; we will run it against the IP address.
And true to our word, the plant is shut down. Let's have a look just to confirm.
[ # 2] Start the plant, open the nozzle while bottles are moving.
To start the plant with the nozzle open and the bottles moving we'll run the following script. This will disable the register that opens and closes the nozzle.
And upon checking the plant, it seems like it worked. Awesome!! Let's move on and see how we can answer the rest of the questions.
[ # 3] Start the plant, open the nozzle and stop the roller.
For this attack you'll basically be spilling the contents of the plant. This attack disables the registers that detect when an empty bottle is in place and when it is full.
To confirm that we have answered question 3, let's have a look just to make sure.
[ # 4 ] Repeat the attack in question 1 abusing the sensor registers.
To abuse the registers we'll run a script that abuses how both sensor registers work, i.e. the amount that is released and the interval at which it is released.
We'll run the following script against our plant.
Just to confirm that our attack worked: looks like it did. Awesome!! Let's carry on.
[ # 5] Repeat the attack in question 2 abusing the sensor registers.
You'll need to run a script that ensures the registers do not detect when a bottle is present and when to close the nozzle.
This is the script we'll run.
You can go ahead and confirm that the registers have malfunctioned, i.e. the nozzle register and the register that detects an empty bottle.
[ # 6] Repeat the attack in question 3 abusing the sensor registers.
In question 3 you are required to start the plant, open the nozzle and stop the roller. We'll run the following script to do just that.
To confirm that we have indeed started the plant, opened the nozzle and stopped the roller, we'll navigate to our browser and see that we have done just that.
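From the defender's side, each of the attacks above leaves the plant in a register state that a healthy filling cycle never reaches. As an added example (not part of the room or its scripts), this checks polled register snapshots against those interlock invariants and reports the first poll that breaks one; the address-to-role mapping and the sample polls are constructed placeholders, to be replaced by the addresses your own run of discovery.py produced.

```python
# Placeholder address-to-role mapping: replace with the register numbers your
# own run of discovery.py identified (these are not the room's real addresses).
ROLES = {0: "plant_running", 1: "roller_running", 2: "nozzle_open",
         3: "bottle_under_nozzle", 4: "bottle_not_filled"}


def decode(snapshot):
    """Turn a list of raw register values into {role: bool} using ROLES."""
    return {role: bool(snapshot[addr]) for addr, role in ROLES.items()}


def interlock_violations(state):
    """Invariants a healthy filling cycle never breaks; each Task 5 attack breaks
    at least one (nozzle open while the roller moves, with no bottle in place,
    or after the bottle is already full)."""
    violations = []
    if state["nozzle_open"] and state["roller_running"]:
        violations.append("nozzle open while roller is moving")
    if state["nozzle_open"] and not state["bottle_under_nozzle"]:
        violations.append("nozzle open with no bottle under it")
    if state["nozzle_open"] and not state["bottle_not_filled"]:
        violations.append("nozzle open although bottle is already full")
    if not state["plant_running"] and (state["roller_running"] or state["nozzle_open"]):
        violations.append("actuator active while plant is stopped")
    return violations


def monitor(snapshots):
    """Return (poll index, violations) for every snapshot that breaks an invariant,
    so an alert fires on the first unsafe register write, not on the spilled water."""
    alerts = []
    for idx, snap in enumerate(snapshots):
        found = interlock_violations(decode(snap))
        if found:
            alerts.append((idx, found))
    return alerts


# Constructed polls: a normal filling step, then states matching attack #2
# (nozzle open while bottles move) and attack #3 (nozzle open, roller stopped,
# no bottle under the nozzle).
SAMPLE_POLLS = [
    [1, 0, 1, 1, 1],  # filling: roller stopped, bottle in place, not yet full
    [1, 1, 1, 1, 1],  # attack #2
    [1, 0, 1, 0, 1],  # attack #3
]
```

Feeding the snapshots from a periodic read of the holding registers into monitor() gives a simple process-level alarm that catches all three attacks without needing to see the Modbus write that caused them.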
. . .
Hurray, we are done with attacking the ICS plant. We hope you learnt something new, because we sure did. Hope to see you in the next write-up. Adios!