
1 Copyright 2011-‐2013 – CYBATI/cybae.org


Contents

1. Instructions: Next, establish the specific Points (Tags) that will be read from the controller. Select Configuration > Points from the menu, then click New Point within the configuration box.
Remote Ethernet/IP to an HMI (Point Configuration dialog: Tagname Green_Light, Type Digital). Instructions: This new tag point will read the register associated with the Green Light output. Name the tag Green_Light, select type Digital, ensure the port is MyPLC and the source is the Output I/O. Notice that the output location now contains an additional zero; this zero represents the first slot. If additional I/O were added to this controller then the first value could be a 1 or a 2. In this case it is O 0 0 1 (output, slot 0, bit 1). The access rights at this time will be read. Select Type Digital in the upper right-hand corner of the display panel. Additional settings within the interface are outside the scope of this course; however, they may serve as attack vectors if they were manipulated in any way. If you are
2. Connect the external USB Alfa wireless card and start Kismet in Backtrack. Instructions: Kismet is commonly used to perform 802.11 analysis, and within Backtrack it is very easy to use. 1. Launch or switch over to the Backtrack VM. 2. Connect the USB ALFA wireless card to the computer; it will automatically be captured by the Backtrack Virtual Machine. 3. Select kismet from the Shortcuts folder located on the Backtrack desktop. 4. Respond to the Terminal colors question. 5. Accept the warning that Kismet is running as root. This is risky, as the kismet wireless parser could have its own vulnerabilities; however, for the purposes of this course and laboratory environment it is acceptable. Click Ok. 6. Click Yes to automatically start the Kismet server. 7. Click Start (accept defaults). 8. You will now be presented with the Console window. This is the logging window. You will see a few ERRORs associated with Kismet's inability to locate a GPS daemon ("Could not connect to the GPSD server, will reconnect in 30 seconds"). Kismet can operate with GPS data; however, it is outside the scope of this course to include a GPS lab (although it would be nice to have class outdoors). 9. Click Yes to define a packet source. 10. Enter wlan0 (you can verify that this is the interface name by
3. Instructions: Select the Errors tab and enter a 1 for Major Error Executing User Fault Rtn (S:5/3). Press Enter. What happened? The processor just faulted, and since there is no additional rung in the program to manage this fault, the processor halted. The physical processor now has an amber indicator enabled next to the Fault word, and RSLogix has labeled it in red FAULTED. More information about the fault code is available in the Error Description pane. Select the combo box FAULTED and then select Clear Fault. Click Yes at the prompt. The processor is not in Remote Program mode. To return the processor back to the normal operational state select Remote Run. Spend no more than 5 minutes exploring other available settings within the S2 data file.
Launching Armitage and Metasploit: Launch Armitage (a Metasploit GUI). Armitage prompts "A Metasploit RPC server is not running or not accepting connections yet. Would you like me to start Metasploit's RPC server for you?" and connects to 127.0.0.1:55553. Instructions: 1. Launch Armitage. Armitage is a g
4. Simulated Control System Environment: Attack and Defend. Combined analysis of a simulated environment using all prior lab knowledge: analyze the ladder logic program; review the OPC/HMI configuration; sniff the communication channel; document the attack surface; attempt to attack the environment; identify appropriate defensive controls; classroom discussion. Lab Introduction: In this lab we will review a simulated power grid environment. The HMI and PLC will be reloaded with new configurations for you to analyze and attempt to attack and defend based upon everything covered. Afterwards we will discuss the results.
Loading the simulated environment: RSLogix (download) and CYBATI HMI (start monitoring). The RSLogix Micro Starter Lite Open/Import SLC500 Program File dialog lists, in the Ladder_Logic folder: Conveyor_Belt, CYBATI_POWER_GRID_DEMO, Pump_Tank_Demo, Sealed_In_Toggle, Sealed_In_Toggle_HMI and the CYBATI_HMI folder. Instructions: Load the RSLogix program CYBATI_Power_Grid_Demo in to the controlle
5. Micrologix (1), then click on Edit (2) and finally the Test button (3). Review each word (16 bits) as it is read and displayed. Try manipulating the controller physical inputs and outputs while Testing.
HMI Configuration of Controls and Alarms. The slide shows the RSLogix Data File I1 (bin) INPUT and Data File O0 (bin) OUTPUT tables alongside the HMI Reads Testing output, for example "AB PCCC Micrologix Reads Testing Address 15 0 Value Int 1 0 0 0000 0000 0001 0001 17" and "AB PCCC Micrologix Reads Testing Address 15 0 Value Int 0 0 0 0000 0000 0000 0010 2". Instructions: Remember earlier in this lab you reviewed the actual data files within the controller as the inputs and outputs were manipulated. Open these Input and Output data files within RSLogix while reviewing the Reads Testing output from the HMI software. The words should match as the HMI reads the settings. Toggle the inputs and outputs while watching these tables.
6. Select the Client List while de-selecting GPS Data, Battery and the Packet Graph. This will allow us to not only see current access points and SSIDs discovered but also review their associated wireless clients and OUI analysis. It may also be helpful while reviewing a specific network to lock in on its specific channel. The channel is identified under the Ch column, and Kismet can be set to not channel hop using the Kismet > Config Channel option.
Kismet Configuration: Using OUI information, try to find industrial wireless clients. Instructions: Several clients will populate for each SSID identified. These clients are automatically categorized using Kismet's OUI file. The OUI file uses the first 6 hexadecimal characters in the device's MAC address to guess the Manufacturer.
Kismet PCAP Analysis: Open a terminal window and open the captured frames. The capture directory contains Kismet-20120301-21-41-58-1.alert, .netxml, .gpsxml, .pcapdump and .nettxt; the slide runs: wireshark Kismet-20120301-21-41-58-1.pcapdump. Instructions: Open the pcapdump file using wireshark. The capture date and time is used to ide
7. as shown in the slide. This condition will write a 1 to the register location if the preceding conditions in the ladder logic rung are true.
Instructions: Next enter the output contact (to energize) variable location to write a 1. This location will be the output contact of our green light, O:0/1. Press Enter and use the description Green Light. Press the OK button.
Ladder Logic Programming. Instructions: Next click on rung 0000, turning it red (depicted as 1 in the slide). Click on the Rung Branch symbol (shown highlighted by mouse hovering in section A in the slide). Now left click on the right side of the branch and hold; drag your mouse to the right side of the contact I:0/2 as shown in 2 in the slide. After the small box is highlighted in green, let go and it will wrap the branch around the Contact I:0/2. Now click on the left lower corne
8. some of them you are in contention with the running ladder logic. Flip all the bits back to zero before continuing.
Local Data Tables: Open RSLogix, connect and review Data File S2. Instructions: The S2 data file allows a program to view the current operational status of the PLC as well as make some modifications. S2:30 to S2:55 are programmable interrupts programs can use to ensure certain events are processed timely. S2:28 is the watchdog timer that monitors the PLC scan time to ensure the scan rate is appropriate, and if too long w
9. Configure Communications: Controller IP (ML1100), Part 1 of 2. The RSLinx Communications browse shows the AB_DF1-1 DH-485 driver with node 01 MicroLogix 1100 UNTITLED; the Go Online dialog reports no matching offline file and offers Upload, Create New File and Browse. Instructions: The controller IP address can only be managed through DHCP (Dynamic Host Configuration Protocol) or using RSLogix Micro Starter Lite. 1. Open RSLogix Micro from your desktop. You will be prompted again by User Account Control to allow this application to run; select yes. 2. Select the RSLogix Micro menu Comms > System Comms. As reviewed earlier in RSLinx, an AB_DF1-1 DH-485 communication c
10. The msfconsole session sets RHOST 172.16.1.30, RPORT 44818 and ATTACK FAULT, shows the advanced options, then runs the module as a background job (run -j); the output reports a session id and a connection id being obtained. Instructions: Located in auxiliary/cybati/micrologix_fault. Read the Metasploit description. You can review the source code of the module at /root/.msf4/modules/auxiliary/cybati/micrologix_fault.rb. This specific module was created by CYBATI personnel to understand the difficulty of creating vulnerable-by-design modbus modules. Using the CYBATI training kit this module was developed in just under two hours. The greatest challenge was to define the appropriate wireshark filters to identify the exact command that creates the fault. The other necessary requirement was to have the appropriate wireshark dissector to understand the data being transmitted. Exactly how this is done will be discussed in a different lab.
MicroLogix Fault Status Bit Flip using msfcli: Using msfcli to fault the controller. The terminal shows the Metasploit banner (960 exploits, 509 aux, 257 payloads, 428 ops; svn r15903 updated today 2012-09-27), then RHOST => 172.16.1.30 and Got session id 0x896
11. attack vectors did you identify? 2. Were you successful at attacking the PLC communications channel or HMI? 3. Were you able to interpret the PLC ladder logic and HMI configuration?
For More Information: We need volunteers; Mindmap Collaboration; Educational Resources; Course Advisory Committee. Matthew E. Luallen, CO-FOUNDER and P..., 001-312-375-4715, m@cybati.org, cybati.org. We are constantly seeking the best professionals to be involved with further course and resource development. If you are interested in being involved with the continuing evolution of this course please contact Matthew Luallen (m@cybati.org).
12. development of the PLC ladder logic and HMI OPC agent configuration. You will now load in to the controller and HMI code that mimics the physical controller I/O within the HMI. The logic also includes an alarm if an attempt is made within the HMI to enable a toggle switch, requiring the operator to use the HMI to acknowledge the alarm. Once loaded you will need to review the new AB PCCC card I/O settings, the new points, the alarm acknowledgement and the ML1100 ladder logic loaded in to the controller. The logic will be quite different and an additional Binary file will be used on the PLC. First open the CYBATI Labs folder on the desktop. Browse to Ladder_Logic and open SEALED_IN_TOGGLE_HMI_ALARM.RSS. You will next need to configure the IP settings for your POD.
The RSLogix Channel Configuration dialog (Channel 1) shows the controller's Hardware Address, IP Address 172.16.P.30, Subnet Mask 255.255.255.0, Gateway Address 172.16.P.1, and the Default Domain Name, Primary Name Server and Secondary Name Server fields.
13. download the program to the processor, to upload the program from the processor and to place the processor in test mode. Right click on the first ladder rung and select Insert Rung. This will add a new rung to our ladder. ADDITIONAL LAB STEP (AFTER COMPLETING LAB): Editing online programs requires right clicking on the RUNG and selecting Start Rung Edits while the processor is still in Remote Run mode. The rung will then be duplicated, showing the original Rung (rrrrr) and the edit Rung (eeee). Once you have made the rung edits select Accept Rung Edit. The Rung will now be labeled with III. Next select Test Edits (program verify) and finally Assemble Edits to merge the edited rung(s) with the rest of the program.
Ladder Logic Programming. Instructions: Now insert the logic depicted in the slide. Note that you will need to use Normally Closed (XIC, or look for a zero logic) to complete this rung. This rung allows the toggle switches to simulate sensors that must be providing positive input for the output to be energized. These sensors (toggles) could be various safety controls that must be in a specific state for the output to be energized while the motor (green light) is not running. Complet
14. enabled for troubleshooting or operational enhancements or failures. Try enabling a force as depicted in the slide above. 1. Select the item to force a bit either on or off (0 or 1). The slide depicts the Green Push Button. Right click on the item and select Force On. 2. You will notice the item in the logical program is altered to indicate that the bit is ON. 3. You will also notice that Forces are now Installed and Enabled.
Vulnerability Assessments: NMAP and httprint.
IP Protocol SCAN (nmap1.sh): nmap -sO -v -n --max-parallelism 16 172.16.P.30 (5 seconds)
TCP/UDP SCAN with Services, Common Ports (nmap2.sh): nmap -sS -sU -sV -T5 -O -A -v -n --max-parallelism 16 172.16.P.30 (2 hours)
TCP only SCAN, Common Ports (nmap3.sh): nmap -sS -sV -T5 -O -v -n --max-parallelism 16 172.16.P.30 (15 seconds)
UDP only SCAN, Common Ports (nmap4.sh): nmap -sU -T5 -O -v -n --max-parallelism 16 172.16.P.30 (14 seconds)
COMMANDS CONTINUED ON NEXT SLIDE.
Instructions: Use Backtrack to perform a NMAP scan of the controller. Remember: if you are starting BackTrack from power up you may need to set the IP address and subnet mask (see Lab 1 for more details; 172.16.P.20). If you are performing this lab in a classroom setting then we are using DHCP. We recommend using the nmap parameters represented in the slide for faster scan results. For m
15. in size to the light. You may even be interested in recoloring the circle: while the circle is selected you may choose any color available within the palette. Of course green may be the best choice.
Remote Ethernet/IP to an HMI (circle configuration dialog: Hide/Show, Source Green_Light, Process Variable Digital, Invert). Instructions: Double left mouse click the circle to bring up the configuration dialogue for the circle. Check the box Enabled next to Hide/Show. A pop-up dialogue will appear allowing you to identify a Source. Click the Source button and select the only tag point that is configured, Green_Light. Click Ok. Next check the Invert box, as we want the circle to appear when the bit is one (Output energized) and the circle to disappear when the bit is zero (Output de-energized). Click Ok, then OK. Then click File > Save and File > Exit. Then Save the MyHMI screen within the Screen pop-up window.
Remote Ethernet/IP to an HMI (Monitoring > Start, MyHMI). Sel
16. interested in learning more about the variables, select the Help button on the lower left of the screen. Click Ok.
Remote Ethernet/IP to an HMI (Points: Tagname Green_Light, Type Digital). Instructions: There should now be a new tag point within the dialog box. Click Ok.
Remote Ethernet/IP to an HMI (Configuration menu: Screens, Alarm Groups, Data Logger, Graphics, Notifications, Points; Graphics window: New, Open, Rename, Duplicate, Delete, Import). Instructions: Next we will configure the graphical interface. Select Configuration > Graphics. A window will appear; click New and enter MyHMI for the Screen name. Click OK.
Remote Ethernet/IP to an HMI. Instructions: On the right side of the configuration window are many artist tools. Select the circle, since it is the closest representation of the light. Move your mouse to a point on the white background within the editor. Click the left mouse button and, holding it down, drag down and to the right until you have a circle that is similar
17. lab (1 hour). In this lab you will join with your expanded team that will coordinate how you will protect your systems during the Red Team / Blue Team exercise. You must identify a strategy using physical, operational and cyber means to successfully protect your systems. Each team will comprise both Red Team and Blue Team participants, i.e. you can both attack and defend. Prior to launching any attacks or making any changes to a system you will have to document these changes and have them approved by the event mediator (typically the proctor or instructor). The next lab describes the environment, logic and exercise; we will use this lab to prepare for the Red Team / Blue Team event.
Red Team / Blue Team Events: Environment reset, no additional controls. Environment reset, 30 minutes to protect systems, no firewall rules. Environment static, firewall submissions allowed, lose points on lost connectivity. Notes.
Operations: Create a list of team personnel and their skills. Identify a coordinator that will interact with the mediator. Define a simple incident response plan to notify the mediator. Notes.
HMI/OPC System and Application: Prote
18. the controller icon, right click on it and select Driver Diagnostics. You should see the Total Packets Sent and Reply Packets Received incrementing sequentially. Close the windows; you have now validated the previously defined serial communications to the controller. FIX MY COM PORT: We are going to find out what com port has been assigned to the USB to RS485 interface. We have yet to be able to find a way to hard code this value after imaging workstations using Clonezilla. 1. In Windows 7 click the Start button, then type device manager in to the Search programs and files input box. Click on device manager located in the Control Panel category. 2. Select the Ports (COM & LPT) menu tree item and identify what COM port has been selected for the DGYCGK device. Write this COM port down or memorize it, whichever you prefer. Using RSLinx Classic, select the Communications menu item and then Configure Drivers. Click the AB_DF1-1 driver, which should also indicate a Status of Conflict. Select Configure. Change the COM port to equal the COM port you identified earlier and click Auto Configure. You will kindly be presented with a pop-up stating that the process failed; however, click OK and you will see in the status panel next to Auto Configure that you were successful. Click OK and exit out of RSLinx Classic. Now continue with the part after FIX MY COM PORT.
19. 978a7. Instructions: Metasploit modules can be executed directly from the command line using msfcli. This example runs the CYBATI MicroLogix fault module against 172.16.1.30: msfcli auxiliary/cybati/micrologix_fault RHOST=172.16.1.30 E
MicroLogix Fault Status Bit Flip using Armitage with Cortana: Using Cortana to discover and fault the controller. The slide shows the cortana_micrologix_fault_service_add script (opened in an editor from /media/sf_CYBATI_Labs/Scripts) with an on service_add_44818 handler that prints "Faulting controller located at ..." and launches auxiliary/cybati/micrologix_fault, next to the Armitage Nmap scan of 172.16.1.30 reporting 80/tcp open tcpwrapped and 44818/tcp open unknown ("1 service unrecognized despite returning data").
20. CYBATI Critical Infrastructure and Control System Cybersecurity, GridSecCon 2013 Workbook. Updated October 2, 2013. CYBATI CI/KR Cybersecurity Company, cybati.org. NOTICE: The laboratory environment for this class is not private. Network traffic and host sessions will be monitored throughout the duration of the session to provide real-time feedback during the laboratory situations and to aid in course development. Do not use the training kit, the laboratory network or Internet access for any personal or unrelated business purposes. This network and training kit are to only be used for laboratory exercises and directly related items. Do not perform unethical activities using the laboratory network or systems. If you have any questions or concerns please direct them to the course instructor, proctor or volunteer. This area left intentionally blank.
POD IP CONFIGURATION (Instructor Classroom): Replace P with your Assigned POD number. PHYSICAL LAPTOP: Ubuntu 12.04 LTS. VirtualBox OS Windows 7: 172.16.P.10. VirtualBox OS Backtrack: 172.16.P.20. Trainer and Controllers: 172.16.P.30. Instructions: Write down your Instructor- or Proctor-assigned POD Number and IP address information here and take this page out of your book (you have two of them). NOTE: If this is not an instructor-led co
21. EtherNet/IP (Industrial Protocol) on port 44818: Session 0x784CF825, Send Unit Data. Instructions: Review the captured data for specific industrial protocols such as Modbus/TCP, DNP3, EtherNet/IP and ISO-TSAP. Simple search filters are available in wireshark to support protocol search. For example, you will only need to type mbtcp for Modbus over TCP, dnp3 for Distributed Network Protocol and enip for Ethernet over IP. If you do capture some control traffic take a look at the payload constructs; this will be discussed in a different lab.
Using GISKismet for database analysis: GISKismet stores Kismet data in a database and allows for structured SQL queries of large datasets. Instructions: GISKismet is a great resource to use when working not only with GPS and maps but also as a structured query environment for large and/or multiple Kismet datasets. GISKismet accepts the xml file developed by Kismet and parses it. It will also parse subsequent datasets and append them to the prior ones as long as you remain within the same directory and use the default giskismet database filename. Open a command terminal in Backtrack. Type giskismet -h. This will show the options that are available. The Kismet capture files you have been collecting are in the root folder. Type giskismet -x followed by the .netxml file. A new file call
22. Instructions: Metasploit modules can also be operated and interacted with using the CORTANA scripting language. The example located in the CYBATI_Labs/Scripts/cortana_micrologix_fault_service_add file waits for a service to be added on port 44818. Once added to the Armitage database the script executes, launching the CYBATI micrologix fault Metasploit module. Many script examples are available in the Cortana User Manual located in the CYBATI_Labs/Whitepapers folder. To use the Cortana script perform the following steps: In Armitage select Hosts > Add Hosts, enter your MicroLogix PLC's IP address and click Add, then click OK. Click on the new workstation monitor added to Armitage and a green dashed line will surround it. Click Armitage and then Scripts. Click Load and browse to Desktop/CYBATI_Labs/Scripts/cortana_micrologix_fault_service_add. Click the Console button to open the Cortana console. At the cortana> prompt enter ls and you should see the new script loaded. Enable debugging for this script using the tron cortana_micrologix_fault_service_add command (you can use TAB for auto completion of the word). You can see all of the available commands by typing help. Click Hosts > NMAP Scan > Intense Scan, all TCP Ports. Your host will automatically be added; click OK.
Physical Cyber Attacks: L
23. The CYBATI_sketch folder contains a disk folder and CYBATI_sketch.ino; the disk folder contains VolumeLabel, exec, tags.pdb and tags_o.pdb. Instructions: Open the CYBATI_sketch.ino file located in the arduino labs folder (CYBATI_Labs/Labs/arduino/CYBATI_sketch/CYBATI_sketch.ino). This file contains the source code of the script that is executed once the USB HID is recognized. Note that the device is represented simultaneously as a HID and a storage medium. The additionally downloaded and already installed phukdlib.h library is used to allow keystroke manipulation to the operating system. Note that this library is O/S independent; the script will inject keystrokes to any operating system, however powershell will not be there unless it is a Microsoft Windows product. The script initializes the local file system and finds the storage device with the name CYBATI. The storage device will eventually contain the files located in the disk folder. The VolumeLabel file contains the name of the disk, CYBATI. The exec file contains the VBScript that stepped you through the attack. The tags.pdb and tags_o.pdb are the tags that are swapped in the HMI.
Alfa Wireless Card and Kismet
24. aunch the CYBATI_HMI with the CYBATI Trainer. You are an operator observing the environment. The HMI event log shows "Watchdog primary port ML_PCCC failed to connect" (repeated) with the Acknowledge Alarm, Event Log and Alarm Log buttons. Instructions: For the first part of the laboratory you will play the role of an operator observing the environment. 1. Launch the CYBATI_HMI from the desktop Shortcuts folder. 2. Open the CYBATI Trainer HMI: select Project and Browse for folder CYBATI_Labs/HMI/CYBATI_Trainer. Click OK. 3. Change the IP address configured in the HMI communications setting (Communications > AB PCCC Masters > Micrologix). Click Edit Settings and enter your Pod's IP Address, e.g. 172.16.P.30. Click Test to validate connectivity. If connectivity fails contact your instructor or proctor. 4. Launch RSLogix Micro Starter from the Shortcut folder. Click File > Open. Choose CYBATI_Labs/Ladder_Logic/Sealed_IN_TOGGLE_HMI_ALARM. 5. Select Comms > Download. Click OK and complete the download, leaving the PLC in the state of REMOTE RUN. 6. Now go back to the CYBATI_HMI and select Monitoring > Start to launch the HMI. 7. You should now have a HMI that correctly represents the state of the field equipment (I/O Trainer Inputs and Outputs).
Phy
25. cal means to manipulate the device functionality. Physical cyber attacks constitute physically manipulating the device and then performing a cyber attack based upon the physical modifications.
Local Data Tables: Select and energize each output bit (write a 1). The slide shows Data File O0 (bin) OUTPUT with Radix Binary, rows O:0/0 to O:0/3 and symbols such as Red Light. Instructions: Ensure your physical toggle inputs are as follows: I:0/0 off (down, toggle 1), I:0/1 on (up, toggle 2) and I:0/4 off (down, toggle 3). Now open data table O0, the output file. Enter 1's for each output location: O:0/0 motor, O:0/1 green light, O:0/2 yellow light, O:0/3 red light and O:0/4 white light. What happens to the outputs on the PLCs? Why is output O:0/3 not lighting up? Hint: Review the active state of the ladder logic in RSLogix. Of course, note how you are directly able to manipulate the bits in the data table, or at least
26. - Protect the application host operating system and laptop.
- Identify security controls, patches and events to monitor. All workstations are images of each other.
Notes:

Controller
- Protect the PLC configuration and hardware.
Notes:

Network and Communications
- Protect the network devices and communication channels.
Notes:

Event Monitoring
- Define the events to monitor and any automated tools you may want to use.
- Security Onion is another VM already installed on the laptops.
Notes:

Physical Security
- Protect your physical environment; identify the operational controls to ensure no physical modifications are performed.
Notes:

Offensive I/O
- Identify the tools and offensive operations your team will attempt at each level in the games.
- Identify the protective control you have in place that will make this type of attack against yourselves unsuccessful.
Notes:
27. der: 1 Transmission, 2 Generation, 3 Distribution, 4 Customer. The set point provides stress levels of the generator; if you set the generator beyond a threshold for too long it will trip. If the SPS circuit is relayed, the entire grid will have an outage. If the circuits to distribution or to the customers are broken, only those areas will be affected; however, a broken circuit to distribution does affect all customers. If a failure occurs you will need to manually turn off, then on, the physical input toggles to reset each device (SPS and breakers). The generator has a start-up timer. All alarms must be managed before the manual alarm indicator (red light flashing) turns off. Use the Alarm Log to see more than two simultaneous alarms.
NO MORE INSTRUCTIONS. YOU ARE ON YOUR OWN.

Loading the simulated environment
This is left intentionally blank.
Instructions:

Summary and Questions
- Combined analysis of a simulated environment using all prior lab knowledge: analyze the ladder logic, review the HMI configuration, sniff the communication channel, document the attack surface, attempt to attack the environment, identify appropriate defensive controls.
- Classroom discussion.
Questions: 1. What
28. e the ladder logic, validate the program, download it to your processor and Run it.

Ladder Logic Programming
[Slide image: RSLogix LAD 2 rung on the Bul 1763 controller with the Green Light, Toggle Switch 1, Toggle Switch 2 and Toggle Switch 3 elements and their addresses (O:0/1, I:0/0, I:0/1, I:0/4)]
Instructions: Once complete you should be able to toggle the switches and monitor the inputs and outputs within RSLogix as shown in the slide.

Ladder Logic Programming
[Slide image: RSLogix Data File I1 (bin) INPUT table, radix Binary, with the Red Push Button and Toggle Switch 1 bits, and Data File O0 (bin) OUTPUT table with the Green Light bit]
Instructions: Now open the Input and Output register tables located in the Data File
29. - Select the window to open.
Instructions: Select Monitoring > Start. A pop-up window will display several options; click Open Window. If the green light is currently enabled on the controller it should display on the screen with the white background; if it is not enabled, the screen should be completely white. Toggle the green light on and off using the momentary push buttons to see how the HMI-to-PLC communication occurs. You have just configured an HMI-to-controller SCADA point and an OPC point to republish upstream to another device, if this were a larger environment.

Introduction to Ladder Logic, Communications and HMI Programming
- Ladder Logic Programming
- Remote Ethernet/IP to an HMI
Lab Introduction: Lab 2 contains three programming components.
Ladder Logic Programming: Ladder logic programs provide the industrial automation of legacy manual functions. The logic allows inputs (sensors) to control actuators (outputs), with logic programming defined to enable the appropriate control and safety of operations. The goal is to develop a simple latch circuit by using the momentary push buttons Green (I:0/2) and Red (I:0/3). The Green push button will start the process (turn on Green light O:0/1) and the Red push button will stop the process (turn off Green light O:0/1). Further, we will program the Red light (O:0/3) t
30. ed wireless.dbl will be generated. This file contains the concise wireless data from your captures. Type sqlite3 wireless.dbl to open the database. You can view the lookup tables available to query using the .tables command (e.g. clients and wireless). View the table schema using the .schema clients and .schema wireless commands. This will provide the information necessary to develop the SQL statements. Some sample select statements to issue:
  a. select ESSID from wireless;
  b. select COUNT(ESSID) from wireless;
  c. select COUNT(DISTINCT ESSID) from wireless;
  d. select DISTINCT Encryption from wireless;
  e. select COUNT(Encryption), Encryption from wireless GROUP BY Encryption;
7. We can even query the database for specific MAC addresses, such as ones associated with industrial manufacturers:
  a. select mac from clients where mac like '00:e0:62%';
  b. .output industrial_mac.txt
8. Even better would be to issue a select statement with a join command and combine how many industrial MAC addresses are on wireless networks with no or poor wireless protection. Challenge: what would the command be?
9. Type .quit to exit sqlite3.

Integrated Security
- Prepare for the Red Team / Blue Team exercise.
- Identify protective controls to support your operations.
- Identify offensive measures to take out competing systems.
Lab Introduction: Time for
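The step 7 query and the step 8 join challenge, worked as an added example that is not part of the course material. The real wireless.dbl schema is not given on the page, so the table layout (a bssid column in both tables as the join key) and all rows are constructed assumptions:

```python
"""Added example (not from the CYBATI course material): build a small SQLite
database shaped like the Kismet-derived wireless.dbl described in the lab and
run the step 8 challenge: which clients with an industrial-vendor OUI sit on
wireless networks with no or weak protection.

Assumptions (the real wireless.dbl schema is not given on the page):
  - table wireless(bssid, essid, encryption)
  - table clients(mac, bssid)   -- bssid links a client to its network
All sample rows below are constructed for this example.
"""
import sqlite3

# OUI prefixes named in the lab text (upper-case, colon separated)
INDUSTRIAL_OUIS = {
    "00:0F:73": "Rockwell Automation",
    "00:E0:62": "AutomationDirect (Koyo)",
    "08:00:06": "Siemens AG",
    "00:0E:8C": "Siemens AG",
    "00:1B:1B": "Siemens AG",
    "00:0C:81": "Schneider Electric",
}

# Encryption labels treated as "no or poor" protection for the join
WEAK_ENCRYPTION = ("None", "WEP")

SAMPLE_WIRELESS = [  # constructed rows: (bssid, essid, encryption)
    ("0C:D5:02:16:C8:44", "PlantFloor", "WEP"),
    ("48:60:BC:67:57:FF", "Office", "WPA2"),
    ("00:1A:2B:3C:4D:5E", "Pumphouse", "None"),
]
SAMPLE_CLIENTS = [  # constructed rows: (mac, bssid)
    ("00:0F:73:00:F3:C7", "0C:D5:02:16:C8:44"),  # Rockwell on WEP net
    ("00:E0:62:11:22:33", "0C:D5:02:16:C8:44"),  # Koyo on WEP net
    ("00:0E:8C:AA:BB:CC", "48:60:BC:67:57:FF"),  # Siemens on WPA2 net
    ("00:1B:1B:01:02:03", "00:1A:2B:3C:4D:5E"),  # Siemens on open net
    ("7C:6D:62:72:BA:9E", "0C:D5:02:16:C8:44"),  # Apple laptop, not industrial
]


def build_db():
    """Create an in-memory database with the assumed wireless.dbl layout."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wireless (bssid TEXT, essid TEXT, encryption TEXT);
        CREATE TABLE clients  (mac TEXT, bssid TEXT);
        """
    )
    con.executemany("INSERT INTO wireless VALUES (?, ?, ?)", SAMPLE_WIRELESS)
    con.executemany("INSERT INTO clients VALUES (?, ?)", SAMPLE_CLIENTS)
    return con


def encryption_summary(con):
    """Step 6e: COUNT(Encryption), Encryption ... GROUP BY Encryption."""
    rows = con.execute(
        "SELECT encryption, COUNT(encryption) FROM wireless GROUP BY encryption"
    ).fetchall()
    return dict(rows)


def industrial_macs(con, oui="00:E0:62"):
    """Step 7: clients whose MAC starts with one vendor OUI (LIKE prefix)."""
    rows = con.execute(
        "SELECT mac FROM clients WHERE mac LIKE ?", (oui + "%",)
    ).fetchall()
    return [r[0] for r in rows]


def industrial_on_weak_networks(con):
    """Step 8 challenge: join clients to their network and keep only
    industrial OUIs on networks with no or poor encryption.
    Returns (essid, encryption, mac, vendor) tuples ordered by ESSID, MAC.
    SQLite has no list parameter, so the OUI filter is an OR of LIKE clauses."""
    ouis = list(INDUSTRIAL_OUIS)
    oui_clause = " OR ".join("c.mac LIKE ?" for _ in ouis)
    sql = (
        "SELECT w.essid, w.encryption, c.mac "
        "FROM clients AS c JOIN wireless AS w ON c.bssid = w.bssid "
        "WHERE w.encryption IN (%s) AND (%s) "
        "ORDER BY w.essid, c.mac"
        % (",".join("?" * len(WEAK_ENCRYPTION)), oui_clause)
    )
    params = list(WEAK_ENCRYPTION) + [o + "%" for o in ouis]
    result = []
    for essid, enc, mac in con.execute(sql, params):
        result.append((essid, enc, mac, INDUSTRIAL_OUIS[mac[:8].upper()]))
    return result


if __name__ == "__main__":
    db = build_db()
    print("networks by encryption:", encryption_summary(db))
    print("Koyo clients:", industrial_macs(db))
    for row in industrial_on_weak_networks(db):
        print("industrial device on weak network:", row)
```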
31. [Slide image: CYBATI_HMI Browse For Folder dialog, "Please select the project directory", showing the network share CYBATI_LABS with folders AB_VB, Ladder_Logic, PCAPs, PeakHMI, CYBATI Pump_Tank_Demo and CYBATI_Trainer; Version 0, Logged on]
Instructions: The project must be loaded into CYBATI_HMI. Close the CYBATI_HMI and then re-open it. Click Project > Open and browse to the network drive CYBATI_LABS\HMI\CYBATI_Trainer. Click OK. You will now need to modify this default project to use your controller's IP address: unless you are Pod 1, change the IP address of the ML1100 controller configuration located in the menu item Communications > AB PCCC Masters > Micrologix. Next click the menu item Monitoring > Start.

HMI Configuration of Controls and Alarms
[Slide image: CYBATI Trainer v3 HMI with Active Alarms ("Watchdog primary port ML_PCCC failed to connect" at 9:03:24 PM, 9:03:29 PM and 9:03:35 PM) and the Acknowledge, Event Log and Alarm Log buttons]
Instructions: You should now see the trainer, events, alarms and three buttons. This environment mimics the state of the physical trainer unit within the HMI. The HMI can also control the push buttons using mouse clicks, acknowledge the alarm and attempt to modify the state of the toggle switche
32. [Slide image: RSLogix Channel 1 configuration, continued: Gateway Address 172.16.P.1, Secondary Name Server]
Instructions: Double-click on Channel Configuration, then click on the Channel 1 tab. Channel 0 is the DF1 / RS-485 configuration tab, while Channel 1 is the Ethernet/IP configuration tab. Uncheck the default setting of BOOTP Enable. Configure the IP address as shown, replacing the Pod number P with your value. When complete, click Apply. A pop-up will occur providing a Warning message that communication on Channel 1 will be lost. This is OK, as we are not communicating via Channel 1; we are configuring the controller using Channel 0. Click Apply, then click OK.
ML1100 PLC configuration:
  IP address: 172.16.P.30
  Subnet Mask: 255.255.255.0
  Gateway Address: 172.16.P.1
  LEAVE NAME SERVERS BLANK or DEFAULTS
To verify the new setting directly on the ML1100, on the physical controller press the ESC button, then down-arrow to Advance Set and push the OK button. Next use the down arrows to select ENET CFG. You should now see the MAC address and assigned IP address on the controller LCD screen.
[Slide image: RSLogix Micro processor selection dialog: Driver AB_DF1-1, Processor Name UNTITLED, processor list including MicroLogix 1500 LRP Series C/B, MicroLogix 1500 LSP Series C/B/A and MicroLogix 1400 Series B/A] then na
33. A channel should be established to the MicroLogix 1100 or MicroLogix 1400. If you do not see this channel, contact your instructor or proctor. Click the OK button. Select the OFFLINE drop-down box and then Go Online. This will initiate a connection with the controller, allowing you to download the current ladder logic. Select Create New File and RSLogix will establish the connection, download the active ladder logic and return back to the programming interface.

Lab 1 (cont.): Configure Communications, Controller IP (ML1100/1400), Part 2 of 2
[Slide image: RSLogix Channel Configuration dialog, Channel 1 tab: Driver Ethernet, Controller IP Address 172.16.P.x, Subnet Mask 255.255.255.x, Default Domain Name, Primary Name Server, Protocol Control with BOOTP Enable, DHCP Enable, SNMP Server Enable, HTTP Server Enable and Auto Negotiate checkboxes, Msg Connection Timeout 15000 (x1 mS), Msg Reply Timeout 3000 (x1 mS), Port Setting 10/100 Mbps Full/Half Duplex, Hardware Address 00:0F:73:00:F3:C7, Network Link ID 0; project tree with Controller Properties, Processor Status, Function Files, IO Configuration, Channel Configuration, Channel Status, Program Files SYS 0 and LAD 2 MAIN_PROG, Cross Reference, O0 OUTPUT; Gat]
34. icator lamp's on and off states.

Remote Ethernet/IP to an HMI
[Slide image: CYBATI HMI Communications menu (AB DF1 Masters, AB Logix Masters, AB PCCC Masters > Micrologix, Bacnet IP, PLC-5, DNP3, FTP Client, SLC 5/05, GE) and the "AB PCCC Micrologix Master Configuration" dialog asking for a port name, with MyPLC entered]
Instructions: Within the CYBATI HMI application select Communications > AB PCCC Masters and then Micrologix. There is an existing configuration, ML1100; we will use this configuration later in the lab. Click New and enter the name MyPLC. Click OK.

Remote Ethernet/IP to an HMI
[Slide image: "PCCC Micrologix Master Settings" with Primary IP Address / Host Name 172.16.P.30 and Port Number 44818, and the "PCCC Micrologix Master Test" dialog showing Card IP Address 172.16.1.30 and 10.0.1.12, Connected, Register Session, Session Handle 2051582533, Controller Response, Unregister Session, Disconnected, Result: Success]
Instructions: Now configure the IP address of the MicroLogix controller, 172.16.P.30, replacing the P with your Pod number. The port number is the default number, TCP 44818, and is not modified. Next click Test. This will br
35. [Slide image: HMI Configuration of Controls and Alarms; RSLogix Micro Starter Lite download sequence: OFFLINE No Forces, Download, Revision Note (Version 0, "Do not prompt me for revision notes again"), Downloading Program "CYBATI" (Processor Name CYBATI, Processor Type Bul 1763 MicroLogix 1100 Series B, Driver AB_DF1-1 at Node 1), "Are you sure you want to proceed with Download?" Yes/No, "Processor is in remote RUN MODE. Processor must be switched to remote PROG mode. Continue?", "Change Back to Run Mode?", "Do you want to go Online?"]
Instructions: Next download the new logic to the controller using RSLogix. Select Download (1), then click OK (2), click Yes (3) (note: during this step you may receive an additional prompt that this program was not written for your processor; continue and the program will be modified to support the additional capabilities), then Yes (4), then Yes (5), then Yes (6).

HMI Configuration of Controls and Alarms
[Slide image: CYBATIHMI menu bar (Communications, Logs, Monitoring, Language) with Monitoring > Start and the Current Project path C:\Users\CYBATI\D]
36. ill download the program to the processor.
2. You will be prompted to save the current program to the workstation. Save it to the desktop and name it Push_Button. Next a pop-up window will display with revision notes; click OK.
3. Another pop-up window will ask if you want to proceed with the download from the program to the processor (your processor name and type may be different). Click Yes.
4. You will next receive a WARNING prompt pertaining to loss of communications on channel 1 (this is the Ethernet/IP channel). This is OK; we will re-configure channel 1 in the next section. You will notice that the controller must be power-cycled for the Ethernet configuration to be removed; until such time you can review the current IP configuration on the controller using the LCD screen, and pings will still be successful. Then you will be prompted to place it in RUN mode: click YES and go online also.

Ladder Logic Programming
[Slide image: RSLogix Micro Starter Lite toolbar and Comms menu: Go Offline, Download, Upload, Run, Test Continuous, Test Single, Processor Status]
Instructions: Now it is time to test your program. Click on the Remote Program drop-down box and select Run. This will place the controller in Remote Run mode. Push the Green Push Button; this sh
37. ing up the test dialogue screen to attempt to make a connection, register a session, unregister a session and then disconnect from the PLC. Press the Test button; similar results as shown on the slide should be seen. If you do not have a successful result, contact your instructor or proctor. You have now successfully configured a connection from the HMI/OPC system to the controller.

Remote Ethernet/IP to an HMI
[Slide image: "Card Sizing" dialog with I/O Table words for slots 1 to 8 and a "Read output cards" checkbox]
Instructions: Next you must define which slots (data registers) the HMI/OPC agent should write to and read from. The configuration is using Table words (16 bits). For this example, check the box "read output cards" and enter 1 next to slot 1. This will instruct the HMI/OPC agent to read the output bits associated with Slot 1 in the MicroLogix 1100. Later in this lab you will see additional logic read from and written to using variables and inputs. Once complete, click OK and OK again.

Remote Ethernet/IP to an HMI
[Slide image: PeakHMI menu bar (Project, Edit, Configuration, Communications, Alarm Groups) with the Configuration menu open: Browser, Graphics, Generic > Import]
38. with create a halt condition. If a fault were to occur, the S2:29 program will run; if there is no program, then the processor will halt. Tab through the individual settings using the Help dialogue box. Optionally change the display Radix to binary; this will display the S2 data file as binary words. Hovering over each bit will provide details of its operation within the processor. You can return back to the original view by selecting Radix Structured.

Local Data Tables
- Fault and halt the processor.
[Slide image: RSLogix Data File S2 STATUS with tabs Main, Proc, Scan Times, Math, Chan 0, Debug, Errors, Protection, Mem Module, Forces; fields Fault Override At Powerup S:1/8, Fault Routine S:29, Startup Protection Fault S:1/9, Major Error S:6 (0020h), Major Error Halt S:1/13, Error Description "A minor error bit is set at the end of the scan, refer to S:5 minor error bits", Math Overflow Trap S:5/0, Control Register Error S:5/2, Major Error Executing User Fault Rtn S:5/3, Battery Low S:5/11, Input Filter Modified S:5/13, ASCII String Manipulation Error; Comms menu with Clear Fault, Go Offline, Download, Upload, Test Continuous, Test Single; status REMOTE PROG, No Forces, Driver AB_DF1-1, Node 1d]
39. Backtrack 5
Instructions: Power up all components. If there are any problems during the initialization process, please contact your instructor or proctor. You will log in to the computer with the username and password pair of student / cybati. At this time you will not log in to the controller; we will discuss the controller screen in a couple of slides.

Configure Communications
- Configure DF1 / RS-485 communications using RSLinx Classic.
- Configure Internet Protocol communications using Windows 7 Network Properties, Backtrack ifconfig and RSLogix Micro.
Pod IP address assignments:
  Windows 7: 172.16.P.10
  Backtrack: 172.16.P.20
  Ubuntu Host: 172.16.P.199
  Controllers: 172.16.P.30
  Subnet Mask: 255.255.255.0
  Default Gateway: 172.16.P.1
  DNS: 8.8.8.8
Instructions: DF1 / RS-485 is a legacy serial communications interface and protocol. It is still commonly used in industrial environments for direct connectivity and smaller legacy deployments. DF1 / RS-485 will be used for initial configuration of the controller and portions of Lab 2; afterwards the labs will focus on Ethernet/IP communications. Your instructor or proctor should have assigned a POD number to your group. Unique IP addresses will be used for each POD, replacing the letter P with the number assigned. For example, if your group is Pod 1, your IP addresses would be 172.16.1.10 for the con
40. [Slide image: Wireshark frame detail: Frame Control 0x08C0 (Normal), Duration 314, Destination address Apple_72:ba:9e (7c:6d:62:72:ba:9e), Source address Westell_16:c8:44 (0c:d5:02:16:c8:44), display filter "wlan.sa contains 0c:d5:02", Packets 971 Displayed 97, hex dump]
Instructions: Review the captured packets looking for anything that resembles control system components. A hint is depicted above; the following OUIs may also be helpful:
  Rockwell: 00:0F:73 (from documentation)
  AutomationDirect (Koyo): 00:E0:62 (from documentation)
  08:00:06 (hex): SIEMENS AG, Siemens IT Solutions and Services (SIS GO QM O), Siemensstraße 2-4, POB 2353, Fürth 90713, GERMANY
  00:0E:8C (hex): Siemens AG, A&D ET, Siemensstraße 10, Regensburg 93055, GERMANY
  00:1B:1B (hex): Siemens AG, I IA SC EWK PU1, Östliche Rheinbrückenstraße 50, 76181 Karlsruhe, Baden-Württemberg, GERMANY
  Schneider Electric Australia: prefix 00:0C:81 (http hwaddress com mac 000C81 000000 html)
  TAR Electric M340: 006008
  GE VersaMax PLC: GFK-1852 documentation (http www google com
41. me the [Slide image: RSLogix Micro processor selection list, continued: 1762 MicroLogix 1200 Series C (1 or 2 Comm Ports), 1762 MicroLogix 1200 Series B, MicroLogix 1200 Series A, 1763 MicroLogix 1100 Series B, 1763 MicroLogix 1100 Series A, MicroLogix 1000 Analog, Bul 1761 MicroLogix 1000 DH-485 HDSlave; Communication settings: Driver AB_DF1-1, Processor Node 1 (Decimal / Octal), Reply Timeout 10 Sec, Who Active] processor and select Type
Instructions: In Windows 7, launch RSLogix Micro from the desktop using the Start button and "Search for programs and files". Click to create a New Project, then name it and select the type of processor; you will need to review the hardware information label located on the side of the PLC. Note: the types of processors available to you may vary from what is depicted on the slide. Click the OK button to continue.

Ladder Logic Programming
[Slide image: RSLogix Micro Starter "UNTITLED" window: menu bar (File, Edit, View, Search, Comms, Tools, Window, Help), toolbar with Examine if Closed, status OFFLINE / No Forces / Forces Enabled, Driver AB_DF1-1 Node 1d, instruction tabs (User, Bit, Timer/Counter, Input/Output, Compare), project tree: Project, Help, Controller (Controller Properties, Processor Status, Function Files, IO Configuration, Channel Configuration), Program Files (SYS 0, SYS 1, LAD 2), Data Files, Cr]
42. Identify the correct pcapdump file. The captured data is located in the root directory, which is the default directory when opening a command prompt in Backtrack. Open the packet capture file using the syntax wireshark <name of capture>.pcapdump. Remember that you can use TAB to auto-complete the file name.

Kismet PCAP Analysis (MAC)
[Slide image: Wireshark packet list (menu File, Edit, View, Go, Capture, Analyze, Statistics, Telephony, Tools, Help; Filter / Expression / Clear / Apply) with IEEE 802.11 Acknowledgement frames from 48:60:bc:67:57:ff, a Deauthentication frame (SN 252, FN 0, Flags R) from Westell_16:c8:44 to Apple_72:ba:9e, and Beacon frames from Westell_16:c8:44 and SenaoInt_76:28:58 to Broadcast; detail pane: IEEE 802.11 Deauthentication, Flags R, Source address Westell_16:c8:44 (0c:d5:02:16:c8:44), Type/Subtype Deauthentication, BSS Id Westel]
43. MicroLogix Fault Status Bit Flip using Armitage
- Faulting the MicroLogix controller using Armitage and Metasploit.
[Slide image: Armitage module browser (auxiliary > admin, analyze, client, crawler, cybati > micrologix_fault, fuzzers, gather, scanner) with tabs Console, nmap, Scripts, Cortana, the module description, and the Option / Value table (ATTACK = FAULT); console: msf > use auxiliary/cybati/micrologix_fault, msf auxiliary > set EE]
Module description as shown on the slide: Allen Bradley / Rockwell Automation MicroLogix Major Error Fault (dos). The EtherNet/IP CIP protocol allows unauthenticated commands to devices that implement the protocol. This module implements the vendor specific attribute CPU MAJOR FAULT command of the MicroLogix series of controllers from Allen Bradley. The S2 default status file S:5/3 bit is turned on (1), causing the logic processing to stop due to a MAJOR ERROR HALT. The error will be described by the controller as "A minor error bit is set at the end of the scan, refer to S:5 minor error bits". A user-defined fault routine will be run by the controller; however, the fault must be manually cleared. This vulnerability (by design) can be mitigated by limiting logical access to the controls network, restricting write access using preventive controls such as IPS, and monitored using the SNORT Ethernet/IP signatures.
44. o function as an alarm light, enabled when the process is off (Green light not on). We will also program three toggle switches to serve as alarm bypasses, disabling the alarm from activating. You will develop the program, download it to the CPU, edit the ladder logic and download it again.
Remote Ethernet/IP I/O to an HMI: In this exercise you will program remote Ethernet/IP connectivity between the controller and an HMI.
HMI Configuration of Push Button Controls and an Alarm: In this exercise you will program the CYBATI_HMI Windows application with the visual control indications and alarms of the PLC functioning states.

HMI Configuration of Controls and Alarms
[Slide image: Windows Explorer view of the Ladder_Logic folder: Conveyor_Belt, Generator Demo, HSC, Pump_Tank_Demo, Sealed_In_Toggle, Sealed_In_Toggle_HMI (RSLogix 500 SLC Project File, 80.0 KB, modified 7/19/2011 7:11 AM)]
Instructions: Programming points, defining alarms, reprogramming controllers and building screens can be a painstaking and tedious process. Therefore, for the sake of time and sanity, we are going to fast-forward the
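The latch, alarm light and toggle bypasses described in this lab introduction, and the Local Data Tables question from the earlier page (why O:0/3 does not light after a direct data-table write), worked as an added Python scan-cycle simulation that is not part of the course material. The two rungs are my reconstruction from the lab text, not the course's RSLogix file; everything else is modelled, not measured:

```python
"""Added example (not from the CYBATI course material): a scan-cycle simulation
of the latch / alarm / bypass logic the lab asks you to build. The two rungs
are my reconstruction from the lab description (assumption, not the course's
RSLogix file):

  rung 0: ( XIC I:0/2 Green PB  OR  XIC O:0/1 seal-in )  AND  XIC I:0/3 Red PB
          -> OTE O:0/1 Green light        (Red PB is wired normally closed)
  rung 1: XIO O:0/1  AND  XIO I:0/0  AND  XIO I:0/1  AND  XIO I:0/4
          -> OTE O:0/3 Red alarm light    (toggle switches 1-3 are bypasses)

The model also reproduces the Local Data Tables exercise: a 1 written straight
into the output table survives only if no rung rewrites that bit each scan.
"""


class MicroLogixSim:
    """Minimal PLC model: one input word I:0 and one output word O:0 as bit lists."""

    def __init__(self):
        self.I = [0] * 16          # I:0/0 .. I:0/15, 1 = contact sees voltage
        self.O = [0] * 16          # O:0/0 .. O:0/15, 1 = output energized
        self.I[3] = 1              # Red PB is normally closed: idle reads 1

    # instruction semantics
    def xic(self, word, bit):
        """Examine If Closed: rung element is true when the bit is 1."""
        return word[bit] == 1

    def xio(self, word, bit):
        """Examine If Open: rung element is true when the bit is 0."""
        return word[bit] == 0

    def ote(self, bit, rung_true):
        """Output Energize: the rung result is written to the bit on every scan,
        whatever value was in the output table before the scan."""
        self.O[bit] = 1 if rung_true else 0

    def scan(self):
        """One program scan: solve rungs top to bottom, return the output word."""
        I, O = self.I, self.O
        # rung 0: seal-in latch for the green light (start / stop a motor)
        start = self.xic(I, 2) or self.xic(O, 1)
        self.ote(1, start and self.xic(I, 3))
        # rung 1: red alarm light while the process is off, unless bypassed
        alarm = (self.xio(O, 1) and self.xio(I, 0)
                 and self.xio(I, 1) and self.xio(I, 4))
        self.ote(3, alarm)
        return list(O)

    # operator actions on the trainer
    def press_green(self):
        """Momentary push: input high for one scan, then released."""
        self.I[2] = 1
        self.scan()
        self.I[2] = 0
        return self.scan()

    def press_red(self):
        """Normally closed contact opens (reads 0) while pressed."""
        self.I[3] = 0
        self.scan()
        self.I[3] = 1
        return self.scan()

    def set_toggle(self, bit, up):
        self.I[bit] = 1 if up else 0
        return self.scan()

    def write_output_table(self, bit, value):
        """Data-table write, as done by hand in RSLogix or by an HMI point.
        Returns the bit value right after the write and after the next scan."""
        self.O[bit] = value
        written = self.O[bit]
        self.scan()
        return written, self.O[bit]


def latch_demo():
    """Green press latches O:0/1 on; Red press drops it and raises the alarm."""
    plc = MicroLogixSim()
    plc.scan()
    after_green = plc.press_green()
    after_red = plc.press_red()
    return {"green_after_start": after_green[1], "alarm_after_start": after_green[3],
            "green_after_stop": after_red[1], "alarm_after_stop": after_red[3]}


def data_table_demo():
    """The Local Data Tables exercise: toggle 1 (I:0/0) down, toggle 2 (I:0/1) up,
    toggle 3 (I:0/4) down, then write a 1 into O:0/0 .. O:0/4. Returns the value
    each bit holds after the following scan: bits no rung drives keep the 1,
    O:0/1 stays on because its own seal-in contact now holds it, and O:0/3 is
    cleared because the rung that drives it is false (bypass I:0/1 is on)."""
    plc = MicroLogixSim()
    plc.set_toggle(0, False)
    plc.set_toggle(1, True)
    plc.set_toggle(4, False)
    return {bit: plc.write_output_table(bit, 1)[1] for bit in range(5)}


if __name__ == "__main__":
    print("latch:", latch_demo())
    print("after direct data-table writes:", data_table_demo())
```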
45. on the ML1100, on the physical controller press the ESC button, then down-arrow to Advance Set and push the OK button. Next use the down arrows to select ENET CFG. You should now see the MAC address and assigned IP address on the controller LCD screen. To complete the verification process, ping your controller from the workstation: click the lower-left Windows icon and then type cmd in the text box. This will open a command terminal. Type ping 172.16.P.30, replacing the P with your pod number.

Remote Ethernet/IP to an HMI
[Slide image: CYBATI HMI (PeakHMI) Browse For Folder dialog, "Please select/create the new project directory", showing Computer, OS (C:), DVD RW Drive (D:), Network, and C:\Users\CYBATI\Desktop with folders CYBATI LABS, Backup, MyHMI and MyLadders; Make New Folder / OK / Cancel]
Instructions: In Windows 7, launch CYBATI_HMI using the Start button and "Search for programs and files" (make sure the green license dongle is inserted into an open USB port), then click Project > New, create and select the Desktop folder MyHMI and click OK. Click the Log In button, using the complex password for the Director username. You now have a new HMI project, in which you will configure a connection to your controller and a visual indicator for the Green ind
46. Lab Summary and Questions
- Popular Ladder Logic Commands: XIO, XIC, OTE, Seal-In Rung, Toggle Switch
- Ethernet/IP HMI and OPC I/O: Read Card I/O and point, Green light screen
- HMI: Reviewed Latch Logic, Alarms and HMI
Questions:
1. What authentication methods were used to configure the PLC / HMI points?
2. How many other logical operations are embedded in the MicroLogix 1100 or 1400 (see View > Instruction Palette within RSLogix)?
3. How many points does your environment have? What is the expected scan rate (requesting point data and receiving a response)? Does the scan rate matter?
4. How large is the attack surface? Answer this question thinking about both cyber and physical-cyber (a physical attack creating a cyber event, a backdoor).

Forces
- Inputs and outputs can be forced on or off when forces are enabled.
[Slide image: RSLogix in REMOTE RUN with Forces Installed, Driver AB_DF1-1 Node 1d, and the right-click menu on contact I:0/2: New Branch, Find All, Change Instruction Type, Edit Description, Cross Reference, Goto DataTable, Force On, Force Off]
Instructions: Forces require a bit or collection of bits to be a zero or one regardless of the current logical state of the application. Forces are typically
47. For more information about nmap flags, use man nmap from the command line. IF TAKING THIS CLASS INSTRUCTOR-LED, DO NOT PERFORM THE UDP SCANS (nmap2.sh and nmap6.sh) DURING CLASS TIME. YOU CAN START THESE SCANS AT THE END OF THE CLASS DAY. In Backtrack select CYBATI shortcuts from the desktop. Click on nmap scripts to launch a terminal window in the Lab 4 directory. Each nmap command is scripted to accept your POD number; replace the letter P below with your pod number: nmap1.sh P, nmap2.sh P.
1. Attempt an NMAP scan while the controller is powered up but offline.
2. Attempt an NMAP scan while the controller is online and you are performing HMI and manual operations.
3. If a web server is found, perform HTTP banner grabbing.
Were there any result or operational differences between version 1 and 2? Did you note any identifying characteristics that may be used within shodanHQ? Did you see any different results between the TCP common ports scan and the TCP all ports scan?

Vulnerability Assessments: RSLogix Properties and Physical Controller
- RSLogix Project Properties: Controller Properties (Password, Compiler), Processor Status (Errors, Protection, Memory Module and Forces), Function Files, Channel Configuration (General, Channel 0 and Channel 1)
- Physical Controller: Inputs, Outputs, LCD Interaction, Communication Ports, Memory Ex
48. oss Reference
[Slide image: RSLogix project tree Data Files: O0 OUTPUT, I1 INPUT, S2 STATUS; rung 0000 with the tooltip "Examine a bit for an ON condition"]
Instructions: You will now be presented with the configuration screen for the controller, its communications and ladder logic programming. We will review other properties within the controller later in this laboratory. Click on the first rung of the ladder (0000). It will turn red (shown in greyscale in the book), showing that it is the currently selected rung. Next click on the normally open contact, depicted in the slide as Examine if Closed; this will place an empty contact (Examine if Closed, XIC) in the rung. If you remember from lecture, this means look for a 1 within the input register location inside the PLC.

Ladder Logic Programming
[Slide image: RSLogix instruction toolbar with Output Energize (OTE) highlighted, the contact at I:0/2, and the Edit Description dialog (Type: Address, I:0/2, Instruction: Green Push Button)]
Instructions: Now add the address of the first contact, I:0/2. Note: the address is the number zero, not the letter O. After you complete naming the contact, press Enter. A pop-up window will display allowing you to enter a description of the variable; enter Green Push Button. Press the OK button. Next click on the output energize symbol (OTE)
49. ould turn the Green Light on and it should stay on. In the RSLogix Micro window you will see the variables alternating between lit green and unlit as the variables are identified as True. If the entire ladder rung is true, the output is written a one (energized). The light stays on as the push button input shuts off because the written logic keeps the lamp on and seals (latches) the circuit. Now push the RED push button: this being a normally closed circuit, the XIC (Examine if Closed, look for a 1) breaks the latch when the contact opens, turning off the Green lamp. You just created the ladder logic to start and stop a motor.

Ladder Logic Programming
[Slide image: RSLogix Comms menu and toolbar: Go Offline, Download, Upload, Program, Test Continuous, Test Single; New Rung; Bit, Timer/Counter, Input/Output tabs]
Instructions: Next Go Offline to make the following edits. Some PLCs allow you to do online editing, including the ML1100; however, at this time we are not going to perform this. If you are interested in reviewing how this works, after performing this lab return to this page and perform the additional section below. Click on the down arrow next to REMOTE RUN and click Go Offline; notice that there are other options on this dropdown menu that you may also use to
50. …pansion

Instructions: During the next 20 minutes, review the RSLogix controller properties identified in the slide to locate potential risks. Use the Help dialogue within RSLogix to learn about the specific settings. Also take a few minutes to think of physical attack strategies. Document your most interesting findings below; we will discuss them in class at the end of this laboratory. We will further review these settings in later labs. Instructions continued on next slide.

[Slide 51: Physical: Memory Modules, DF0/DF1, LCD Panel, dip switches. Physical Access and Administrative Inputs: local access overrides most cybersecurity controls, requiring physical security]

Instructions: DO NOT PHYSICALLY DAMAGE THE CONTROLLER OR ITS CONNECTIONS. YOU CAN INVESTIGATE THE LCD PANEL AND PHYSICAL CONNECTIONS. DO NOT ATTEMPT TO MAKE ANY WIRES EXPOSED or CONTACTS WITH ANYTHING WHILE TURNED ON. Review the physical panels located on the controller. How could someone use this physical access to manipulate the inputs, outputs or processing logic? Think about both physical and physical-cyber attacks. Write down some ideas and then continue; we will discuss your ideas in class. Physical attacks constitute physically rendering the device unusable and/or identifying physi…
51. …play its contents? ("pod1.sh" is an executable text file: Run in Terminal / Display / Cancel)

Instructions: Ask the instructor if the laptops are to be assigned via DHCP or static. The commands to set Backtrack's IP address at runtime are scripted. These commands will need to be re-issued at each restart. Open CYBATI_Labs on the desktop, then Labs, then ip_address_assignment, then Backtrack, and then select your pod number. Run the command in the terminal. You can verify these settings by opening the command terminal prompt and executing "ifconfig eth0" and "route -n". Instructions continued on next slide.

[Slide: Configure Communications, DF1 (RS-485); RSLinx Driver Diagnostics for AB_DF1-1 (General, Performance, Event Log; ACK/NAK Timeouts; Total Packets Sent 48, Reply Packets Received 48, Unmatched Reply Packets 0, NAKs Received); node 01, ML1100]

Open RSLinx Classic from the Windows 7 desktop by clicking the Start button and typing RSLinx in the "Search programs and files" input box. Select RSLinx Classic. Review the active connections under AB_DF1-1, DH-485. You should see a "01, ML1100" without an X through it. If you see an X through the icon, you are currently unable to communicate with the controller; there is a port conflict, so proceed to the section below, FIX MY COM PORT. If you see the un-Xed version of…
52. …r and open the CYBATI_HMI CYBATI_Power_Grid project. MANUAL TRAINER UNIT: swap the M1 motor on the unit with the M4 motor. RSLogix: open and download to the controller Desktop > CYBATI_Labs > Ladder_Logic > CYBATI_Power_Grid_Demo.rss; you will need to change the project's IP addresses for your POD. Do not use DHCP. CYBATI_HMI: open and Start Monitoring the Desktop > CYBATI_Labs > HMI > CYBATI_Power_Grid_Demo project; you will need to change the project's IP address for your POD. Instructions continued on next slide.

[Slide 81: Power Grid Simulated Environment (CYBATI Power Grid Demo): the simulated I/O of a generator operating within its operational boundaries, a Special Protection System (SPS), a transmission breaker and a distribution breaker. HMI panels: Generator MW, Vibration, Bulk Generation, Transmission, Distribution, SPS Status, CIB Status (CLOSE/OPEN), LFE Set Point, Events, Event Log ("Watchdog primary port ML1100"), Active Alarms, Alarm Log, Generator Start/Stop, Customer Power Failure; labelled "conceptual model interpretation"]

Instructions: Here are a few environmental tips. The components must be enabled in or…
53. …r of the branch (red location shown in 3); this will turn the corner red. Click on the Examine if Closed (XIC) to have the processor look for a zero at the register location. Enter the output of O:0/1, then click Enter. You will notice that the program automatically provided the previous description to the output. You have just created the first part of a sealed-in rung that has the ability to remember the state of the momentary push button. This essentially creates a toggle with a push button, which is typically used to start a motor. Another programming option exists to provide sealed-in rungs; these are called latches. We will see a latch later when we review creating HMI alarms. It is really the PLC programmer's preference and what functions are integrated into the PLC. Instructions continued on next slide.

[Slide 16: Ladder Logic Programming; RSLogix rung editor with Examine if Open selected and the contact edit dialog (Address I:0/3, Description "Red Push Button"); Verify Project button]

Instructions: Now click on the right top side of the branch; this will also turn red, as shown in 1. Next click on the Examine if Open (XIO, which means "look for a zero") symbol and drag it to the red box. Address this location as I:0/3. Thi…
54. …raphical interface to Metasploit. 2. You will need to connect Armitage to an operational RPC server interface of Metasploit; if not available, Armitage starts it for you. Click Connect. 3. Now click Yes to start the Metasploit RPC server. 4. Armitage will now try to connect to Metasploit; this may take up to one minute. Instructions continued on next slide.

[Slide 56: Armitage and Cortana. The Armitage interface supports identifying hosts, attacks, auto-exploitation and pivots; Cortana scripts provide Armitage/Metasploit scripting]

Instructions: 1. The Armitage interface provides a view of all of the loaded Metasploit modules in a tree hierarchy on the left side of the screen. The bottom of the screen provides a tabbed view, which can grow to more tabs as individual jobs are processed or more hosts are actively being attacked. 2. Cortana is a research project out of DARPA's Cyber Fast Track program. Cortana provides a scripted interface to Metasploit results and modules, increasing the ability to not only collect data, filter through it and automatically make decisions, but also to do so through a team server, allowing multiple red team participants to use Armitage, Cortana and Metasploit through a centralized backend. Instructions conti…
55. …ress and assigned IP address on the controller LCD screen. Instructions continued on next slide.

[Slide 39: HMI Configuration of Controls and Alarms; ladder logic overview]

Instructions: Review the ladder logic and the new branches and logic added to handle HMI interactions. Each HMI variable is defined with an HMI tag and stored in the B3 register table. You will also notice new logic, a latch. Latches operate like sealed-in logic, except they are easier to maintain. A latch is used in this example to maintain the state of the alarm light even after the rung is no longer true. The Alarm Light is unlatched when either the HMI acknowledge button is pressed (the HMI sets the register bit to 0) or the two momentary push buttons are depressed simultaneously. The following two slides zoom in on the ladder logic for review. Instructions continued on next slide.

[Slide 40: HMI Configuration of Controls and Alarms; zoomed ladder logic with Bul. 1763 I/O addresses]

Instructions: Review, then continue. Instructions continued on next slide.

[Slide 41: zoomed ladder logic, continued]

Instructions: Review, then continue, writing down any questions you may be interested in asking during the lab review. Instructions continued on next slide.

[Slide 42: HMI Conf…]
56. …rogram three toggle switches to serve as alarm bypasses, disabling the Alarm from activating. You will develop the program, download it to the CPU, edit the ladder logic and download it again.

Remote Ethernet/IP I/O to an HMI: In this exercise you will program remote Ethernet/IP connectivity between the controller and an HMI.

HMI Configuration of Push Button Controls and an Alarm: In this exercise you will program the CYBATI_HMI Windows application with the visual control indications and alarms of the PLC functioning states. Instructions continued on next slide.

[Slide 24: RSLogix project tree (Controller Properties, Processor Status, Function Files, I/O Configuration, Channel Configuration, Channel Status, Program Files, Data Files) and the Channel Configuration dialog, Channel 1 tab: Driver Ethernet; Hardware Address; IP Address 172.16.P.30; Subnet Mask 255.255.255.0; Gateway Address 172.16.P.1; Default Domain Name; Primary/Secondary Name Server; Protocol Control: BOOTP Enable, DHCP Enable, SNMP Server Enable, HTTP Server Enable, Auto Negotiate; Port Setting 10/100 Mbps Full Duplex / Half Duplex; Msg Connection Timeou…]
57. …s with an alarm generated. Now that the new ladder and HMI logic is loaded, you will want to review the new AB PCCC card I/O settings, the new HMI OPC points, the alarm acknowledgement and the ML1100 ladder logic loaded into the controller. Take this time at this step to use the skills learned while creating the green push button HMI. You may need to review earlier steps to remember where to find the points, card I/O settings and screen configuration options, especially during the small-scale model scenarios and the red team/blue team exercise. We will also step through the configuration in the following steps. Instructions continued on next slide.

[Slide 45: HMI Configuration of Controls and Alarms; CYBATI_Trainer HMI Communications menu (AB DF1 Masters, AB Logix Masters, AB PCCC Masters: MicroLogix, SLC 5/05; BACnet/IP, DNP3, FTP Client) and the AB PCCC MicroLogix Master Configuration Reads panel (File Number, Start Element, Count)]

Instructions: The CYBATI trainer HMI requires more I/O than just reading the output tags. In this case the I/O also includes reading and writing the inputs and a binary file that is used to store HMI and alarm variables. View these specific data files as they are actively read by the HMI using the AB PCCC MicroLogix Reads panel. Open Communications > AB PCCC Masters…
58. …s folder. These serve as bit locations for input and output status indicators and are statically allocated by the firmware. Manipulate the inputs to toggle the green and red lights while watching the specific bits flip between zero and one. Also note that the description tag is displayed in the Desc box during mouse hovers. This will also be important as we transition to the HMI and then communication channels. You have completed part of 3 of this laboratory. Continue to the next section. Instructions continued on next slide.

[Slide 23: Introduction to Ladder Logic, Communications and HMI Programming: Ladder Logic Programming; HMI Configuration of Controls and an Alarm]

Lab Section Introduction: Lab 2 contains 3 programming components.

Ladder Logic Programming: Ladder logic programs provide the industrial automation of legacy manual functions. The logic allows for inputs (sensors) to control actuators (outputs), with logic programming defined to enable the appropriate control and safety of operations. The goal is to develop a simple latch circuit by using the momentary push buttons Green (I:0/2) and Red (I:0/3). The Green push button will start the process (turn on Green light O:0/1) and the Red push button will stop the process (turn off Green light O:0/1). Further, we will program the Red light (O:0/3) to function as an alarm light, enabled when the process is off (Green light not on). We will also p…
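The seal-in rung built in steps 53 and 58 (XIC I:0/2 in parallel with XIC O:0/1, in series with XIO I:0/3, driving OTE O:0/1) and the alarm rung (O:0/3 on while O:0/1 is off) can be checked scan by scan with this added simulation, which is not part of the CYBATI lab material; the xic/xio/scan/simulate helpers and the button sequence are constructed here, and only the addresses come from the lab text.

```python
"""Scan-cycle simulation of the Lab 2 seal-in rung and alarm rung.

Added example (not CYBATI's material). Addresses follow the lab text:
I:0/2 green push button, I:0/3 red push button, O:0/1 green light,
O:0/3 red (alarm) light. xic/xio/scan/simulate are constructed here.
"""


def xic(table: dict, addr: str) -> bool:
    """Examine If Closed: the instruction is true when the bit is 1."""
    return table.get(addr, 0) == 1


def xio(table: dict, addr: str) -> bool:
    """Examine If Open: the instruction is true when the bit is 0."""
    return table.get(addr, 0) == 0


def scan(inputs: dict, outputs: dict) -> dict:
    """One PLC scan over the two rungs built in the lab.

    Rung 0 (seal-in): [XIC I:0/2 OR XIC O:0/1] AND XIO I:0/3 -> OTE O:0/1
    Rung 1 (alarm):    XIO O:0/1                             -> OTE O:0/3

    The seal-in branch reads O:0/1 from the output image left by the
    previous scan; that stored bit is what "remembers" a momentary press.
    """
    new_outputs = dict(outputs)
    start_branch = xic(inputs, "I:0/2") or xic(outputs, "O:0/1")
    rung0 = start_branch and xio(inputs, "I:0/3")
    new_outputs["O:0/1"] = 1 if rung0 else 0
    # Rung 1 sees the O:0/1 value already written earlier in this scan.
    new_outputs["O:0/3"] = 1 if xio(new_outputs, "O:0/1") else 0
    return new_outputs


def simulate(button_sequence):
    """Run one scan per (green_pressed, red_pressed) entry.

    Returns the (green_light, red_light) output pair after each scan.
    """
    outputs = {"O:0/1": 0, "O:0/3": 0}
    trace = []
    for green, red in button_sequence:
        inputs = {"I:0/2": int(green), "I:0/3": int(red)}
        outputs = scan(inputs, outputs)
        trace.append((outputs["O:0/1"], outputs["O:0/3"]))
    return trace


# Constructed button sequence: idle, tap green, release, tap red, release,
# then press both at once to show the stop contact wins over the start.
LAB_SEQUENCE = [
    (0, 0),  # idle: process off, alarm light on
    (1, 0),  # green pressed: rung 0 true, O:0/1 energized
    (0, 0),  # green released: O:0/1 seals the rung, light stays on
    (0, 0),
    (0, 1),  # red pressed: XIO I:0/3 false, latch broken, alarm on
    (0, 0),  # released: nothing seals the rung, stays off
    (1, 1),  # both pressed: the stop contact still opens the rung
    (0, 0),
]

if __name__ == "__main__":
    for step, (btn, lights) in enumerate(zip(LAB_SEQUENCE, simulate(LAB_SEQUENCE))):
        print(f"scan {step}: buttons(green,red)={btn} -> lights(green,red)={lights}")
```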
59. …s is the input for your red push button. Enter a description, "Red Push Button". Next click on the Verify Project button to validate the program. If there are any coding errors, another area will display on the screen describing where you have made a mistake. If everything is successful, you should no longer see the edit tags ("eeeee") on the left of the rung. Next you will download your program to the processor. Instructions continued on next slide.

[Slide 17: Ladder Logic Programming; RSLogix Comms menu (System Comms, Who Active, Go Online, Upload, Download, Mode, Clear Fault, Clear Processor Memory), Save As dialog (RSLogix Files *.RSS), "Downloading Program CYBATI for Bul. 1763 MicroLogix 1100 Series B" to ML1100 via Driver AB_DF1-1 at Node 1, and the RSLogix Micro Starter Lite warning "A change was detected with the Ethernet channel configuration. In order for the change to take effect a power cycle is required. Are you sure you want to proceed with Download?"]

Instructions: 1. Click on the menu Comms, then Download. This w…
60. …sical Cyber Attacks. A friend, colleague or IT staff is making changes to, or you just purchased, new USB devices (e.g. mouse, keyboard, flash drive, printer, security dongle, field technician's USB PLC cable). Insert the inconspicuous-looking USB device (it is not just a flash drive). Watch the show. Look for the message box pop-ups and click OK. See Instructions for more details. [Slide callout: find the VBScript icon on the task bar and click it]

Instructions: We will now perform a Physical Cyber attack against the operator's workstation. Located within your plastic container in the kit is a USB device. Ensure the CYBATI Trainer HMI is launched and operational. Test the inputs and outputs to make certain the indicators are correct. We have modified the device to prompt you with message boxes while performing the attack; a true attack may not be so nice. Now insert the USB device into an open slot on the CYBATI workstation. Click OK at each message box to continue. If you lose the message box or a window pops over it, you can click the VBScript icon on the task bar as shown in the slide. Take a look in Device Manager: do you notice anything different? Did you baseline your workstation? STOP HERE. LECTURE WILL CONTINUE. Instructions continued on next slide.

[Slide 62: Teensy HMI Modification: open the Sketchbook in Arduino (Open an Arduino sketch; Look in: CYBATI_Tr…)]
61. …t (x 1 mS) 15000; Msg Reply Timeout (x 1 mS) 3000 [Channel 1 configuration dialog residue]

Instructions: You will need to restart the controller to remove the IP address settings, and then we will re-apply them. You will notice that you will lose communications to the processor from within RSLogix. After the processor is back online, click the Retry button. Verify that the IP address settings are removed using the LCD panel. To verify the removal of the IP address on the ML1100 on the physical controller, press the ESC button, then down arrow to "Advance Set" and push the OK button. Next use the down arrows to select "ENET CFG". You should now see the MAC address and no assigned IP address on the controller LCD screen.

PLC Configuration: IP address 172.16.P.30; Subnet Mask 255.255.255.0; Gateway Address 172.16.P.1; LEAVE NAME SERVERS BLANK or DEFAULTS.

Place the controller in REMOTE PROG mode. Double-click on Channel Configuration, then click on the Channel 1 tab. Channel 0 is the DF1 (RS-485) configuration tab, while Channel 1 is the E/IP configuration tab. Uncheck the default setting of BOOTP Enable. Configure the IP address as shown, replacing the Pod number (P) with your value. When complete, click Apply. A pop-up will occur providing a Warning message that communication on Channel 1 will be lost. This is OK, as we are not communicating via Channel 1; we are configuring the controller using Channel 0. Click Apply, then click OK. To verify the new setting directly…
62. …tocol Control: BOOTP Enable, DHCP Enable, SNMP Server Enable, HTTP Server Enable, Auto Negotiate; Port Setting 10/100 Mbps Full Duplex / Half Duplex; Msg Connection Timeout (x 1 mS) 15000; Msg Reply Timeout (x 1 mS) 3000 [Channel 1 configuration dialog residue]

Instructions: YOU CAN OMIT THIS STEP SINCE WE ARE USING DHCP; HOWEVER, YOU MAY WANT TO HARD-CODE THE IP ADDRESS DURING THE RED TEAM/BLUE TEAM EXERCISE ON FRIDAY, AND THIS INFORMATION WILL BE USEFUL. Double-click on Channel Configuration, then click on the Channel 1 tab. Channel 0 is the DF1 (RS-485) configuration tab, while Channel 1 is the E/IP configuration tab. Uncheck the default setting of BOOTP Enable. Configure the IP address as shown, replacing the Pod number (P) with your value. When complete, click Apply. A pop-up will occur providing a Warning message that communication on Channel 1 will be lost. This is OK, as we are not communicating via Channel 1; we are configuring the controller using Channel 0. Click Apply, then click OK.

PLC Configuration: IP address 172.16.P.30; Subnet Mask 255.255.255.0; Gateway Address 172.16.P.1; LEAVE NAME SERVERS BLANK or DEFAULTS.

To verify the new setting directly on the ML1100 on the physical controller, press the ESC button, then down arrow to "Advance Set" and push the OK button. Next use the down arrows to select "ENET CFG". You should now see the MAC add…
63. …troller. Instructions continued on next slide.

[Slide: Configure Communications, Windows 7; Explorer window CYBATI_Labs > Labs > ip_address_assignment > windows listing dhcp and pod1 to pod5 (Windows Batch Files)]

Instructions: Ask the instructor if the laptops are to be assigned via DHCP or static. The commands to set your Windows 7 laptop IP address setting are scripted. Open CYBATI_Labs on the desktop, then click on the folder Labs, then the folder ip_address_assignment. Open Windows and then click on your pod number's batch file. You can verify the settings by opening the Shortcuts folder on the desktop and then clicking on Network Connections. Right-click on Local Area Connection and select Properties. Double-click on Internet Protocol Version 4 (TCP/IPv4) and modify the settings as prescribed by your POD number and shown in the slide. Instructions continued on next slide.

[Slide: Lab 1 (cont.), Configure Communications, Backtrack IP; CYBATI_Labs > Labs > ip_address_assignment > backtrack; prompt "Do you want to run pod1.sh, or dis…"]
64. …typing ifconfig at a console prompt. 11. Click with your mouse, or tab, to Add. 12. You should see several INFO log messages identifying wireless networks being detected. Click Close Console Window in the lower right-hand corner. The new version of Kismet launches and will eventually display a text-based GUI. The interface by default depicts the discovered networks on top, a graphical depiction of the packets (actually frames, since this is layer 2) monitored, and informational expert analysis of the packets received. The right-hand side tracks the current session statistics. There are many options within the Kismet interface that you may want to take a few minutes to explore. Use your mouse to click around and also discover the keyboard shortcuts. You should also see the CYBATI SSIDs (e.g. CYBATI CITY). Instructions continued on next slide.

[Slide 64: Kismet Windows menu (Network List, Client List, GPS Data, Battery, General Info, Status, Packet Graph, Source Info, Kismet Configuration) and status bar (Elapsed 00:05:33, Networks 13, Packets 770, Pkt/Sec 0, Filtered 0); INFO log lines "Detected new probe network <Any>" and "Saved data files"]

Instructions: It will be very helpful for this lab to alter the default view…
65. …[garbled search-engine redirect link] http://www.opto22.com/community/showthread.php?t=231&page=1. Instructions continued on next slide.

[Slide 68: Kismet PCAP Analysis, Protocol: simple search strings mbtcp, dnp3, enip; click on Expression to search for other options. Wireshark 1.6.5 showing Kismet-20120930-11-05-08-1.pcapdump with display filter "enip": CIP packets of 182 to 183 bytes from 172.16.1.15 to 172.16.1.30 ("Unknown Service"); frame detail: PPI version 0, IEEE 802.11 QoS Data, Logical Link Control, Internet Protocol Version 4 Src 172.16.1.15 Dst 172.16.1.30, Transmission Control Protocol Src Port 52481, Dst Port EtherNet…]
66. …urse, then your IP addresses do not change and you are POD 1. [Table: POD NUMBER; VirtualBox O/S Windows 7 IP Address; VirtualBox O/S Backtrack IP Address; Controller IP Address] Instructions continued on next slide.

[Slide: Initialize the Controller: toggled inputs and outputs are displayed in the controller LCD panel; this example shows I:0/0, I:0/1 and I:0/4 in the on state]

Instructions: This screen provides the current RUN mode (REMOTE) and the current status of inputs (I) and outputs (O). Pressing the momentary push buttons or toggling the ON/OFF switches, you will notice that the PLC indicates the current state of the inputs. The MicroLogix 1400 (the MicroLogix 1100 is depicted above) will have a smaller-font screen with more inputs and outputs indicated. Instructions continued on next slide.

RSLogix Micro English is the programming interface for the Allen-Bradley ML1100 and ML1400 controllers. RSLinx Classic is the communication editor. TIA Portal is the programming interface for the Siemens S7-1200 controller. CYBATI_HMI is the Human Machine Interface to the controller. Oracle VM VirtualBox is a virtual machine program to run virtual machines. The CYBATI LABS folder ("stuff") provides a file-sharing mechanism between the host O/S (Ubuntu) and the guest O/Ss (Windows 7 and Bac…
