ICS Vulnerabilities

Scanning the new subnet revealed new hosts. Default nmap scans should not be used against legacy ICS devices, as they can cause the devices to malfunction (see below for an example from the lab).

One of the hosts has an ENIP server running.

ENIP (EtherNet/IP) is a protocol used for PLCs and IO devices and is primarily used by Rockwell Automation.

Running the enip-info nmap script confirms our suspicion.

Using default nmap settings to scan an ICS device can cause damage to the device.

The scans caused the clutch to stop operating normally, which resulted in a power outage.

Even though the scans were stopped, the generators had already suffered damage.

When scanning ICS devices, use the T2 timing template or slower (-T2, -T1 or -T0) to avoid crashing the device.

DoS

The ICS devices are also susceptible to a DoS attack.

A simple script that sends 30,000 pings to every device in the subnet:

#!/bin/bash
# send 30,000 pings at 500 per second to each host in the range, all in parallel
for i in {10..15}
do
  nping -c 30000 --rate 500 192.168.95.$i &
done

In this attack, no damage was caused to the generators, so normal operations resumed once the DoS attack was stopped.

RDP Password Cracking

A device with RDP exposed was discovered.

Using the previously discovered username, it was possible to brute-force the RDP credentials with a password list.

This gave a connection to the engineering workstation.

Sniffing Fieldbus Traffic

An ARP spoofing tool was downloaded to the engineering workstation to intercept the fieldbus traffic.

Inspecting the traffic in Wireshark shows that the node is being polled (Get Attribute) and that commands are also being sent to it (Set Attribute), which indicates that it is a PLC.

Polling ENIP Values

Using the discovered attributes and this script:

https://raw.githubusercontent.com/pjkundert/cpppo/master/server/enip/poll_example_simple.py

it is possible to poll the device for the ENIP values, as there is no authentication or encryption on the protocol.
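Because ENIP carries CIP requests with no authentication, the only control a defender has over who reads and writes PLC attributes is on the network itself. The following added example (not part of the original writeup or of the cpppo project) parses the EtherNet/IP encapsulation header and Common Packet Format items, pulls out the CIP service code, and flags Set_Attribute requests from any host that is not on an allowlist of engineering/HMI stations; the sample frames, the 192.168.95.x addresses and the allowlist are constructed for the example. It covers the Get Attribute / Set Attribute traffic seen in the sniffing section as well as the polling described here.

```python
import struct
# ENIP encapsulation commands, CPF item types and CIP service codes (ODVA EtherNet/IP and CIP specs)
ENIP_SEND_RR_DATA, ENIP_SEND_UNIT_DATA = 0x006F, 0x0070
CPF_CONNECTED_DATA, CPF_UNCONNECTED_DATA = 0x00B1, 0x00B2
CIP_SERVICES = {0x01: "Get_Attributes_All", 0x02: "Set_Attributes_All",
                0x0E: "Get_Attribute_Single", 0x10: "Set_Attribute_Single"}
WRITE_SERVICES = {0x02, 0x10}

def parse_cip_service(payload):
    """Return the CIP service code of the request in one ENIP TCP payload, or None."""
    if len(payload) < 24:
        return None
    command, length = struct.unpack_from("<HH", payload, 0)  # 24-byte encapsulation header
    body = payload[24:24 + length]
    if command not in (ENIP_SEND_RR_DATA, ENIP_SEND_UNIT_DATA) or len(body) < 8:
        return None
    item_count, offset = struct.unpack_from("<H", body, 6)[0], 8  # after interface handle + timeout
    for _ in range(item_count):  # walk the Common Packet Format items
        if offset + 4 > len(body):
            return None
        type_id, item_len = struct.unpack_from("<HH", body, offset)
        data = body[offset + 4:offset + 4 + item_len]
        offset += 4 + item_len
        if type_id == CPF_CONNECTED_DATA:
            data = data[2:]  # connected data carries a 16-bit sequence count before the CIP request
        if type_id in (CPF_CONNECTED_DATA, CPF_UNCONNECTED_DATA) and data and not data[0] & 0x80:
            return data[0]  # bit 7 set would mark a reply rather than a request
    return None

def find_unauthorized_writes(packets, allowed_writers):
    """Flag Set_Attribute requests from any source that is not an approved engineering/HMI host."""
    alerts = []
    for src, payload in packets:
        service = parse_cip_service(payload)
        if service in WRITE_SERVICES and src not in allowed_writers:
            alerts.append((src, CIP_SERVICES[service]))
    return alerts

def build_request(service, path, data=b""):
    """Constructed test frame: SendRRData carrying an unconnected CIP request (not a capture)."""
    cip = bytes([service, len(path) // 2]) + path + data
    cpf = struct.pack("<HHHHH", 2, 0x0000, 0, CPF_UNCONNECTED_DATA, len(cip)) + cip
    body = struct.pack("<IH", 0, 0) + cpf
    return struct.pack("<HHIIQI", ENIP_SEND_RR_DATA, len(body), 1, 0, 0, 0) + body

ATTR_PATH = b"\x20\x01\x24\x01\x30\x07"  # class 1, instance 1, attribute 7 (8-bit logical segments)
ALLOWED_WRITERS = {"192.168.95.20"}  # constructed: the engineering workstation reads and writes; .77 is unknown
SAMPLE_PACKETS = [("192.168.95.20", build_request(0x0E, ATTR_PATH)),
                  ("192.168.95.20", build_request(0x10, ATTR_PATH, b"\x01\x00")),
                  ("192.168.95.77", build_request(0x10, ATTR_PATH, b"\x00\x00"))]
```

In a real deployment the (source, payload) pairs would come from a span-port capture of the fieldbus segment, and the allowlist would be the documented set of engineering and HMI hosts.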

Human Machine Interfaces

Based on the redirect value, a quick Google search reveals that the PLC is CODESYS based.

The HMI allows us to disrupt operations by setting the setpoint extremely low or high, or by shutting down the generators completely with the emergency stop button.

PLC Programming

Opening the gas plant program in CODESYS on the engineering workstation.

Looking at the MAIN file, line 6 is where the spark plug is used to ignite the gas in the turbine. If this line is removed, the spark plug will not fire.

After making the change, save and upload the program to the PLC.

Because the spark plug did not fire, the generators did not start during peak demand, which caused an outage.
