3-day ICS Pentesting

On this intense 3-day training, you will learn everything you need to start pentesting Industrial Control Networks. We will cover the basics to help you understand what the most common ICS vulnerabilities are. We will then spend some time learning about and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems.

We will cover the most common ICS protocols (Modbus, S7, Profinet, Ethernet/IP, DNP3, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.

The training will end with an afternoon dedicated to a challenging hands-on exercise: the first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, then pivot to an ICS setup to take control of a model train and robotic arms.


Detailed content

The training is composed of 11 modules of 1h30 to 2h each. Some modules will be theoretical only, to introduce the subject, while the majority will include hands-on operations on lab systems. The lab will be composed of Windows machines as well as real PLCs.

The outline will be the following:

  • Day 1
    • AM
      • Module 1: Introduction to ICS
      • Module 2: Pentesting Basics & tools
    • PM
      • Module 3: Windows basics and pentesting Windows
      • Module 4: Common ICS vulnerabilities
  • Day 2
    • AM
      • Module 5: ICS protocols
      • Module 6: Introduction to safety for security pros
    • PM
      • Module 7: Programming PLCs
      • Module 8: Pentesting ICS
  • Day 3
    • AM
      • Module 9: Securing ICS
      • Module 10: Case study
    • PM
      • Module 11: Capture The Flag


Detailed description of the modules


  • Module 1: Introduction to ICS
    For starters, I will introduce the concept of ICS. The topics will include:

    • A brief history of ICS
    • Vocabulary
    • The CIM model
    • Classic architectures
    • ICS components (PLCs, HMI, SCADA, DCS, sensors, RTUs, Historian, etc.) and their roles
    • OT vs IT

This module is not hands-on.


  • Module 2: Pentesting Basics & tools
    This module will introduce the concept of penetration testing. I do not intend to spend too much time on the theoretical side (how to write a report, etc.) since that is not what attendees are looking for. However, I think a module is required to ensure that everyone shares at least the basic concepts of penetration testing, in order to understand the rest of the training.
    The module will include:
    • OSINT for ICS: where to look for information
    • Reconnaissance: port scanning and Nessus
    • Exploitation: Metasploit basics

Toolz used: nmap, Nessus, Metasploit

Lab setup: Windows Servers and workstations, Metasploitable, Kali Linux

  • Module 3: Windows basics and pentesting Windows
    Like it or not, every ICS now includes Windows systems, at least in some areas. So I think that some time must be spent on Windows basics. This module will introduce the following topics:

    • Windows Active Directory
    • How to find credentials on Windows systems
    • Exploiting and pivoting to gain Domain Admin privileges

A selection of hacking techniques will be applied on lab machines.


  • Module 4: Common ICS vulnerabilities
    This module will introduce the most common vulnerabilities found during ICS audits:

    • Lack of network segmentation / Exposure
    • Lack of hardening
    • Insecurity of ICS protocols

This module is not hands-on.

  • Module 5: ICS protocols
    This module will introduce the most common ICS protocols: Modbus/TCP, S7, Profinet, DNP3, Ethernet/IP, etc.

    Attendees will analyze network captures and be introduced to software libraries and clients that use these protocols to talk to PLC simulators.

 

  • Module 6: Introduction to safety for security pros
    This module will introduce the safety knowledge required to understand the OT world. The different concepts of safety will be detailed, as well as the leading standards and hazard analysis. The differences with IT risk analysis will be discussed and, to finish, a basic case study will be performed.

This module is not hands-on.

  • Module 7: Programming PLCs
    In order to get a better understanding of how a PLC works, students will use dedicated software to program a PLC in ladder logic (using trial versions of TIA Portal and/or SoMachine Basic). Students will then deploy the code to real PLCs (I already have 6 entry-level PLCs from Schneider/Siemens, and will add several more depending on how many students register for the training).

    Toolz used: TIA Portal / SoMachine Basic
    Lab: Windows virtual machine and real PLCs from Schneider and Siemens

  • Module 8: Pentesting ICS
    This module will be mostly lab sessions, in order to apply the knowledge learned during module 5:
    • Theory and general warning
    • Common weaknesses
    • Network capture analysis & replaying packets
    • Talking industrial protocols: Modbus, S7
    • Additional PLC features: web server, FTP, SNMP, etc.

Toolz used: nmap, Nessus, Metasploit
Lab: Windows Servers and workstations, Kali Linux, Siemens and Schneider PLCs
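As an added illustration of the capture analysis in Modules 5 and 8 and the signature writing in Module 9 (my own example, not part of the training material): a Python decoder for Modbus/TCP frames that labels state-changing writes and exception responses, which is exactly what a capture review or an IDS signature keys on, since Modbus itself has no authentication. The frames below are constructed for the example, not taken from a real capture.

```python
import struct

# Modbus/TCP function codes that change PLC state. Modbus carries no
# authentication, so a write from an unexpected host is the first thing a
# capture review (or an IDS signature) should flag. Codes are from the spec.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP frame: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:  # MBAP length covers unit id + PDU
        raise ValueError(f"MBAP length {length}, expected {len(frame) - 6}")
    fc, pdu = frame[7], frame[8:]
    info = {"transaction": tid, "unit": unit, "function": fc & 0x7F,
            "exception": bool(fc & 0x80), "pdu": pdu}
    # Write requests and their responses both start the PDU with the address
    if info["function"] in WRITE_FUNCTIONS and not info["exception"] and len(pdu) >= 2:
        info["address"] = struct.unpack(">H", pdu[:2])[0]
    return info


def triage(frame: bytes) -> str:
    """One-line verdict per frame, the way a capture review would label it."""
    m = parse_modbus_tcp(frame)
    fc = m["function"]
    if m["exception"]:
        code = m["pdu"][0] if m["pdu"] else None
        return f"EXCEPTION fc={fc} code={code}"
    if fc in WRITE_FUNCTIONS:
        return f"WRITE {WRITE_FUNCTIONS[fc]} unit={m['unit']} addr={m['address']}"
    if fc in READ_FUNCTIONS:
        return f"read {READ_FUNCTIONS[fc]} unit={m['unit']}"
    return f"other fc={fc}"


# Constructed sample frames (not from a real capture): a read request,
# two write requests and an exception response to a read.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "0001 0000 0006 01 03 0000 000A",         # Read Holding Registers 0..9
    "0002 0000 0006 01 06 0010 0001",         # Write Single Register 16 := 1
    "0003 0000 0008 01 0F 0000 0008 01 FF",   # Write Multiple Coils 0..7 := on
    "0001 0000 0003 01 83 02",                # Exception 2: illegal data address
)]
```

Run `triage` over the TCP payloads of a capture (Modbus/TCP is on port 502) and every line starting with WRITE is a candidate for an IDS rule keyed on the unit id and register address.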

  • Module 9: Securing ICS
    As we all know, every client wants to know what they can do to improve the security of their systems. This module will detail the technical and organizational measures one may take to secure an ICS. This will include: system hardening, network segmentation, sharing data with IT systems, and security monitoring.
    The leading security standards will also be mentioned and briefly compared.

    Toolz used: Windows virtual machine, IDS
    Lab: Students will have to configure an IDS virtual machine, verify its effectiveness, and write a new attack signature for an attack previously performed.

  • Module 10: Case study
    In this module, students will be given information and network diagrams about a case-study ICS. They will have to highlight the security weaknesses and come up with recommendations.

  • Module 11: Capture The Flag
    I strongly believe that a good training must include “real-life” examples and labs. To go further than the individual labs, I will dedicate the last half-day of the training to a Capture The Flag event. To do so, I will have a specific setup where attendees will be able to use their newly-acquired knowledge on a simulation of a “real-life” system.
    This will include compromising a Windows host, pivoting to the ICS, understanding the industrial process, and finally capturing a real flag with a robot hand!

Industrial Control Systems CTF at Hack In Paris 2018

Prerequisites

This training is aimed at security professionals willing to dive deep into Industrial Control Systems and get real-world, hands-on sessions. There is no specific requirement for attendees except a basic infosec culture.

All attendees will need to bring a laptop capable of running virtual machines (4GB of RAM is a minimum).

Each attendee will be given a USB key with a custom Kali virtual machine, that includes the specific tools that we will use as well as the lab files (pcap, etc), and a Windows virtual machine with specific ICS software to perform the lab sessions.

2 comments

    1. Hello, thank you for your interest. At the moment, we do not offer this class remotely. However, we’re working on a new version of the training that might be done online; I will post more information once the content is more advanced.
