Título: Jurassic Pcap Autores: Aarón Flecha y Jairo Alonso Resumen: Presentación de entornos industriales y sus redes, centrándose en el análisis y tratamiento de capturas de tráfico con protocolos propietarios. Desarrollo de filtros y disectores.

1. JairoAlonsoOrtiz AaronFlechaMenendez
ViCON2019

2. Whoweare?
JairoAlonsoOrtiz AaronFlechaMenendez
JACINTOMORAL
MATELLAN
Me piro de
vacaciones
que estos
están locos

3. Introduction
IndustrialProtocols
Analysingthenetwork
ICSDissectors
DEMO

4. Introduction

5. Introduction
Information Technology Operation Technology
System Life Cycle Component lifetime 3-5 years Component lifetime: 10-20+ years
Security Level Maturity and knowledge on cybersecurity First steps on cybersecurity. Lack of awareness
Security Standards ISO 27002, COBIT, NIST, etc. IEC 62443, NERC CIP, IEEE 1686, etc.
Architectures Standard methodologies and architectures Isolated, all connected (new paradigm)
Patching
Straightforward upgrades and automated
changes
Infrequent to nearly impossible
Data Confidentiality Low - High Low - Moderate
Data Integrity Low - Moderate Very High
Availability Low - Moderate Very High (99.9999% uptime common)
Throughput High Modest
Time Criticality Delays tolerated Critical
Operating Systems COTS COTS, RTOS, Embedded OS (Firmware)
Communication Protocols TCP/IP primarily HART, DNP3, Mod/FieldBus, ICCP, TCP/IP, etc.
Communication Topology LAN/WAN, Telco, etc. LAN/WAN, Telco, Satellite, Serial, etc.
IT OTVs

6. Introduction
• EnsurethatonlythepeopleyouwantcanseetheinformationConfidentiality
• EnsurethedataiswhatissupposedtobeIntegrity
• EnsurethesystemordataareavailableforuseAvailability
IT OTVs
Confidentiality
Integrity
Availability
Availability
Integrity
Confidentiality

7. Introduction
HumanMachineInterfaceRemoteTerminalUnit
ProgrammableLogicController
They show information of the state of
theprocessessothatoperatorscoordinate
andcontroltheactionstobecarriedout.
Sometimes, they allow actions to adjust
theprocessormodifyvariables.
They allow to obtain signals
from the processes and send the
information to a remote site
whereitisprocessed.
It allows to automate processes
thankstoitsprogramming. Theyhave
digitaloranalogoutputsandinputs.

8. Introduction
SupervisoryControlAnd
DataAcquisition
Performs actions of supervision,
control and management of
informationinrealtime.
Theyallowacentralizationofsignals
generatedbyone orseveral industrial
processes(alertcontrol).
It communicates with a multitude of
deviceslocatedinthecontrolnetwork
(PLC, RTU, HMI, etc.)

9. Introduction
INTERNET
LDAP
OT
Jump host
LDAP
IT
Mail
Server
Historian
Backup
Web
Server
SCADA Historian Engineering
Workstation
PLC HMI RTU

10. Introduction
Energy Water
Foodand
Agriculture Health
Transport ChemicalIndustry
Nuclear Information
Technology
FinancialServices Researchfacilities
Administration
StrategicandcriticalsectorsinSpain

11. IndustrialProtocols

12. IndustrialProtocols

13. IndustrialProtocols
Modbus1TCP
FunctionCode RegisterType
1 ReadCoil
2 ReadDiscreteInput
3 ReadHoldingRegisters
4 ReadInputRegisters
5 WriteSingleCoil
6 WriteSingleHoldingRegister
15 WriteMultipleCoils
16 WriteMultipleHoldingRegisters
http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf
ThedifferencebetweenatraditionalModbusProtocolDataUnit(PDU)andtheModbus1TCP ADUis
theadditionoftheModbusApplicationProtocol(mbap) headeratthefrontoftheframe
http://modbus.org/docs/MB-TCP-
Security-v21_2018-07-24.pdf

14. IndustrialProtocols
IEC104
Often on TCP port
2404 (can also be on
2405 if two masters
areonthesamenetwork)
Protocol of the electric sector
that is used for communications
betweenelectricalsubstationsand
controlcentres

15. IndustrialProtocols
DNP3
OftenonTCPport20000
AcronymforDistributedNetworkProtocol
CommunicationprotocolusedinPowerindustryfordatacommunication
NonproprietaryprotocolmanagedbyDNPusersgroup
ExtensivelyusedinSCADAsystemscommunicationbetweenMastercontrolcenterandRTUs
SerialandEthernet

17. Analysingthenetwork

18. Analysingthenetwork
Triton1TRISIS1Hatman
Hatman
TRITON
TRISIS

19. Analysingthenetwork
Attackscenarios
https://ics-cert.us-
cert.gov/sites/default/files/doc
uments/MAR-17-352-
01%20HatMan%20-
%20Safety%20System%20Targe
ted%20Malware%20%28Updat
e%20B%29.pdf
https://enredandoconredes.co
m/tag/hatman/
Attack Option 1: Use the SIS to shutdown the process
Attack Option 2: Reprogram the SIS to allow an unsafe state
Attack Option 3: Reprogram the SIS to allow an unsafe state – while using the DCS to create
an unsafe state or hazard
https://github.com/MDudek-
ICS/TRISIS-TRITON-HATMAN
https://www.youtube.com/wat
ch?v=U-BO7y1HU8k

20. Analysingthenetwork
TriStationprotocol
https://github.com/NozomiNe
tworks/tricotools
https://www.nozominetworks
.com/blog/new-triton-
analysis-tool-wireshark-
dissector-for-tristation-
protocol/https://www.bsi.bund.de/DE/Presse/Pres
semitteilungen/Presse2018/RAPSN_SETS
_26062018.html

21. Analysingthenetwork1Wireshark
Endpoints
tshark -q -z endpoints,eth -n -r <PCAP>
Endpointsidentifythelogicaladdressesonthe
networkateachprotocollayer
Conversations
tshark -q -z conv,eth -n -r <PCAP>
Conversationsidentifycommunicationsbetween
thoselogicaladdresses
ThisoptionturnoffthenameofEthernetvendor

22. FunctionCode RegisterType
5 WriteSingleCoil
6 WriteSingleHolding
Register
15 WriteMultipleCoils
16 WriteMultipleHolding
Registers
Analysingthenetwork1Wireshark

23. https://www.wireshark.org/docs/dfref/m/mbtcp.html
mbtcp.modbus.func_code
mbtcp.modbus.unit_id
(104asdu) && (104asdu.typeid == 45)
mbtcp.unit_id == 255 || mbtcp.unit_id == 0
modbus.func_code == 5 || modbus.func_code == 6 || modbus.func_code ==15 || modbus.func_code == 16
Analysingthenetwork1Wireshark

24. https://www.blackhat.com/docs/eu-17/materials/eu-17-Lei-The-Spear-To-
Break%20-The-Security-Wall-Of-S7CommPlus-wp.pdf
https://github.com/CrySyS/bro-step7-plugin
https://www.youtube.com/watch?v=93lyRgZYxKw
https://www.youtube.com/watch?v=NNAKaAKRUow
Byte 0x72 representsthestartofthe S7CommPlus packet
Dataistransferred inseparateattributeblocksbeginwiththe
twobytes“0xa3, 0x8x”
Analysingthenetwork1Wireshark

25. ls *.pcap | while read PCAP; do tshark -r $PCAP -T fields -e ip.src -Y 'nbns.name == "FRED<00>"'; done |
sort | uniq -c
tshark -r <PCAP> -T fields -e ip.src -e ip.dst -e modbus.func_code | sort -Unique
mbtcp.unit_id == 255 || mbtcp.unit_id == 0
Analysingthenetwork1Wireshark
tshark -r <PCAP> -q -z io,phs,ip.addr== <IP>
tshark -r fragmentado_captura_00032_20180116191647.pcapng.pcap -q -z endpoints,ip| awk -F ' '
'{print$1}'|grep ^[0-9] | wc -l
tshark -O arp -Y 'arp.opcode == 2' -n -r <PCAP>

26. tshark –r <PCAP> -z io,phs
tshark -n -r <PCAP> -Ys7comm-plus -Tfields -e s7comm-plus.data.opcode| sort -n | uniq -c
tshark -n -r <PCAP> -Y 's7comm-plus.data.opcode == 0x33' -Tfields –e s7comm-plus.notification.subscrobjectid | sort -n | uniq -c
tshark -n -r <PCAP> -Y 's7comm-plus.data.opcode == 0x31' -Tfields -e s7commplus.data.function | sort -n | uniq -c
tshark -n -r <PCAP> -Y 's7comm-plus.data.opcode == 0x31' -Tfields -e s7comm-plus.data.function | sort -n | uniq -c
tshark -n -r <PCAP> -Y 's7comm-plus.data.opcode == 0x32' -Tfields -e s7commplus.data.function | sort -n | uniq -c
tshark -n -r <PCAP> -Y 's7comm-plus.data.opcode == 0x32' -Tfields -e s7commplus.data.function | sort -n | uniq -c
Analysingthenetwork1Wireshark

27. https://packettotal.com/
https://cloudshark.io/
Analysingthenetwork1Wireshark

28. ICSDissectors

29. ICSDissectors1CreatingICSDissectors
LUAdissector VS Cdissector
• Perfectforsmallpacketcapturesamplesand
testingorvalidatingthedissector
• TestableintheGUIorthroughcommandline
• EasiertowritethanC
• AddabletoWiresharkthroughtheGUI
• Must be added by recompiling the
Wiresharksourcecode
• UsableinGUIorcommandlineonceadded
• Moredifficulttocodethan LUAbut
hasbetterspeeds
https://www.netresec.com/?page=Blog&month=2018-09&post=Reverse-Engineering-Proprietary-ICS-Protocols

30. ICSDissectors
HowcanIusemydissectors

31. ICSDissectors
http://www.lirasenlared.xyz/20
17/05/industrial-protocol-
wireshark-dissectors.html
• DNP3
• IEC 104
• GOOSE (IEC61850)
• SV (IEC61850)
• MMS (IEC61850)
• Modbus/TCP
• OPC DA
• HART-IP
• Siemens S7
• OPC UA
• Profinet
• EtherCAT
• EtherNet/IP
• CIP
• DeviceNet
• BACnet
• KNXnet / IP
• Lontalk / LonWorks
• ZigBee
Moreinformation
https://www.wireshark.org/docs/dfref/Allinformationaboutdisplayfilters

32. ICSDissectors1CreatingICSDissectors
Kaitai
Kaitaitowireshark
https://github.com/kait
ai-io/kaitai_struct
https://github.com/joushx/kaitai-to-wireshark

33. Proprietaryprotocols
NopublicdefinitionLimitedinformationOwnerprotocol

34. WhatINeed
Acquireprotocolframes
Identifycommonpartsinframes
Identifydifferencesbetweensendandreplay
DevelopLUAdissector
Addtheprogramtothevisualizationapplication

35. DEMO
DEMO

36. DEMO1Components
Remote
Local

37. DEMO1Network1RemoteControl
HMI
Engineering
Workstation
Switch roboticarm
PLC
Portmirror

38. DEMO1Network1LocalControl
HMI
roboticarm
ArduinoUno
SmallHammerShield
EthernetShield

39. DEMO1theresult
It’stimeforarealDEMO

41. Theprotocol

42. Steps
Whatisthemeaningof0f0f0a0204?
Howmanypartsdoestheframehave?
Couldyousaywhichistheprotocol?
Arethereanytechnicalinformationaboutit?

43. Definingtheprotocolbaseline

44. ConverttoLUA

45. Finalsteps
Reviewthescriptresult
Makeconditionals
DefinedePORT
Addthescripttothewiresharkplugindirectory
Changeorderinaddcommands
Andbufferreadposition

46. Anydoubts?

47. Grazas