Thursday, 15 March 2018

Industrial Control System Exploitation Framework




Introduction

ISF(Industrial Exploitation Framework) : It is a exploitation framework written in python and based on open source project routersploit. It helps us to test vulnerabilities with multiple programmable logic controller (PLC) and Industrial Control System (ICS) software.
Link :- https://github.com/dark-lbp/isf

Modbus : Modbus is a serial communication protocol. Which is used to connecting industrial electronic devices because they are free and easy to deploy. It has one Master and one (at least) or more Slaves. Each slave has unique 8-bit device address or unit number.
Coils and registers are names or pre-defined variables for memory addresses. The coil is a boolean (bit) variable and a register is an integer variable. There are discrete inputs (read-only boolean), coils (read-write boolean), input registers (read-only integer), and holding registers (read-write integer).

Requirements

* gnureadline
* requests
* paramiko
* beautifulsoup4
* pysnmp
* python-nmap
* scapy

Exploit modules included in ICSSPLOIT

* s7_300_400_plc_control.py: Siemens S7-300 and S7-400 start/stop
* vxworks_rpc_dos.py: Works on all Vxworks system which Remote Procedure
    call (RPC) protocols is enabled.CVE-2015-7599)
* quantum_140_plc_control.py: Schneider Quantum 140 series start/stop.
* crash_qnx_inetd_tcp_service.py: Crash QNX Inetd tcp service started with inetd.
* qconn_remote_exec.py: QCONN QNX Neutrino remote command execution
    vulnerability.

Installation

There is requirements file which can be installed by using pip as:
pip install -r requirements


PoC

--> Setup Modbus master and one slave on other machine in network.

--> Import module
Move to downloaded directory isf and type python
 
from icssploit.clients.modbus_tcp_client import ModbusClient

 

--> Init Client

target = ModbusClient(name=’modbus_tcp_client’, ip=’<IP>’)
 
eg: target = ModbusClient(name=’modbus_tcp_client’, ip=’192.168.0.115’)
target.connect()

We are now connected to Modbus Client.

 
--> Read Coils
 
target.read_coils(address=<Address Of Slave>, count=<Count Of Coils>)
 
eg: target.read_coils(address=100, count=10)
 
This is used to read the values of coil at specified slave address.



--> Write Coils



  
target.write_multiple_coils(address=<Address Of Slave>, values=[<Values To
Be Written>])
 
eg: target.write_multiple_coils(address=100, values=[1, 1, 1, 1, 1, 1, 1, 1])
 
We can also change or write the values of coils here.




Now we can read coils again to confirm the changes made.







-
Labels: , , , , , , , , , ,
Location: India

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Featured Post

Exploiting Windows using malicious VCF file

John Page a cyber security researcher brought this vulnerability, which was a 0 day exploit working on latest windows 10 too. Introductio...