Starting from:

$25

CPE459-Exercise 5 Reconnaissance Attacks Solved

  Objective
A reconnaissance attack is when an attacker targets a victim’s system to gather information about its vulnerabilities. In this assignment, you will use three tools to perform tasks: NMAP, SHODAN and S-MOD. This exercise has three parts to design and implement a Reconnaissance attack on a SCADA system.

1.       Perform a network scan (IP address & MAC) to find all the IP addresses and MAC addresses of your Virtual Network. Use NMAP to also find open ports in your virtual network.

2.       Use S-MOD to identify registers, coils, and function codes available in a system.

3.       Discover information about devices connected to the internet using SHODAN.

2         Before Starting       
2.1        Install a Kali Linux VM
Make sure you have Kali Linux installed on a VM. If you don’t have it, please click on the below and go to part 5:  https://sites.google.com/uah.edu/openplctipsandtricks/initial-vm-setup 


An attacker gathers information about a system by observing system operations and listening in on the network communication. Therefore, the network architecture of this assignment is as follows:

 

3         Network Scan with NMAP
3.1        Find all IP addresses and MAC addresses on your Virtual Network
Kali Linux comes with some pre-installed tools such as NMAP. So, you do not need to install it.
Open the terminal and type the command: “sudo nmap –sn [subnet/CIDR]”.
Using the information that you have found, answer the post-exercise questions.
3.2        Use NMAP to find open ports in your virtual network.
Open the terminal and type: “sudo nmap -sT -p [range of ports] [subnet/CIDR]”.
Close any other port that is does not use Modbus, ScadaBR and OpenPLC services. Type this command for each port you want to close:
“sudo iptables -A INPUT -p tcp --destination-port [port number] -j REJECT”

Type again the command “sudo nmap -sT -p [range of ports] [subnet/CIDR]” to verify if all the ports are closed except the ones cited above.
Using the information that you have found, answer the post-exercise questions.
4         Using S-MOD to identify registers, coils, and function codes
4.1        Initial Setup
Open Kali terminal and install S-MOD, type: “sudo git clone https://github.com/theralfbrown/smod-1”
Next, type: “cd smod-1”
Run smod-1: “python smod-1”
After you run, type “show modules” to get the list containing all the functions available using this tool.
4.2        Use S-MOD to find the function codes
Type: “use modbus/scanner/getfunc” and configure the module if it needs some additional settings before running (Check Reconnaissance slide deck for instructions). 
You will need this task completed in order to answer the post-exercise questions.
4.3        Use S-MOD to read coils and register values
To read register values, use the steps from 5.2 except you type:
use modbus/function/readHoldingRegister
After you run, you need to know if the values you obtained are correct or not – register values should be in front of the registerVal list. To find out that:
Go to your HMI and open SCADABR.
Click on Data Sources.
Click on the Edit icon for the Traffic Light.
Under Modbus read data, choose Holding Register for Register range, change the number of registers to 8 and click on Read data.
Note what you see and answer the post-exercise questions.
To read coil values, use the steps from 4.2 except you type:
use modbus/function/readCoils
After you run, you need to know if the values you obtained are correct or not – coil values should be in front of coilStatus list. To do this, 
Go to your HMI and open SCADABR.
Click on Data Sources.
Under Modbus read data, choose Coil Status for Register range, change the number of registers to 8 and click on Read data.
Note what you see and answer the post-exercise questions.
5         SHODAN
SHODAN is a search engine that lets users find certain types of computers connected to the Internet. Use SHODAN to answer the post-exercise questions.

6         Post Exercise Report
Submit your answers to the following questions.

6.1        Using what you found in section 3.1, please fill out the table below:
Node
IP ADDRESS
MAC ADDRESS
 
 

6.2        Using what you found in section 3.2, please fill out the table below:
Node
IP
MAC
Port
Service
 1.                   
6.3        What are the function codes used in your system?
6.4        Is it possible to create a reconnaissance attack and change the values of registers or coils using function codes 5 through 16? Why or why not? Explain. 
HINT: Remember that the values are in decimal, but they are stored in binary/hexadecimal.
6.5        For Section 4.3, you read the registers and coils. For each of them, compare what you see on the HMI with what you see using S-Mod. Are they the same? Why or why not? Explain. 
Hint: Consider how coils are read either in Little Endian or Big Endian.
6.6        How many Modbus ports are found in the world?
6.7        How many DNP3 ports can you find using SHODAN? Are they all real DNP3 ports? Justify your answer.
 

 

More products