Pentesting Industrial Control Systems
In this intense 2-day training, you will learn everything you need to start pentesting Industrial Control Networks. We will cover the basics to help you understand the most common ICS vulnerabilities. We will then spend some time learning about and exploiting Windows and Active Directory weaknesses, as most ICS rely on Windows systems for supervision and engineering workstations.
We will cover the most common ICS protocols (Modbus, S7, Profinet, Ethernet/IP, DNP3, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit one. The training will end with an afternoon dedicated to a challenging hands-on exercise: the first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, then pivot to an ICS setup to take control of a model train and robotic arms.
The detailed outline of the training will be the following:
- Introduction to ICS & common vulnerabilities
- Pentesting Basics & tools [Hands-on]
- Windows basics and pentesting Windows [Hands-on]
- Focus on ICS protocols
- Programming PLCs [Hands-on]
- Pentesting ICS [Hands-on]
- Capture The Flag [Hands-on]
Detailed content:
Module 1: Introduction to ICS & common vulnerabilities
To start, I will introduce the concept of ICS. The topics will include:
- Vocabulary
- Classic architectures
- ICS components (PLCs, HMIs, SCADA, DCS, sensors, RTUs, historians, etc.) and their roles
- OT vs IT
I will also introduce attendees to the most common vulnerabilities in ICS, and describe some publicly documented attacks:
- Lack of network segmentation / Exposure
- Lack of hardening
- ICS protocols insecurity
This module is not hands-on.
Module 2: Pentesting Basics & tools
This module will introduce the concept of penetration testing. I do not intend to spend too much time on the theoretical side (how to write a report, etc.), since that is not what attendees are looking for. However, I think a module is required to ensure that everyone shares at least the basic concepts of penetration testing, in order to understand the rest of the training.
The module will include:
- OSINT for ICS: where to look for information
- Reconnaissance: port scanning with nmap and vulnerability scanning with Nessus
- Exploitation: Metasploit basics
Tools used: nmap, Nessus, Metasploit
Lab setup: Windows servers and workstations, Metasploitable, Kali Linux
Module 3: Windows basics and pentesting Windows
Any ICS now includes Windows systems, at least in some areas, so I think some time must be spent on Windows basics. This module will introduce the following topics:
- Windows Active Directory
- How to find credentials on Windows systems
- Exploiting and pivoting to gain Domain Admin privileges
A selection of hacking techniques will be applied on lab machines.
Module 4: Focus on ICS protocols
This module will introduce the most common ICS protocols: Modbus/TCP, S7, Profinet, DNP3, Ethernet/IP, etc.
Attendees will analyze network captures and be introduced to software libraries and clients that use these protocols to talk to PLC simulators.
This module is not hands-on.
Module 5: Programming PLCs
In order to gain a better understanding of how a PLC works, students will use dedicated software to program a PLC in ladder logic (using trial versions of TIA Portal and/or SoMachine Basic). Students will then deploy the code to real PLCs.
Tools used: SoMachine Basic
Lab: Windows virtual machine
Module 6: Pentesting ICS
This module will be mostly lab sessions, in order to apply the knowledge learned so far:
- Network capture analysis and replaying packets
- Talking industrial protocols: Modbus, S7
- Additional PLC features (web server, FTP, SNMP) and how to exploit them
Tools used: nmap, Nessus, Metasploit
Lab: Windows servers and workstations, Kali Linux, Siemens and Schneider PLCs
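The protocol work in Modules 4 and 6 (reading a capture, talking Modbus to a PLC, replaying captured packets) comes down to the framing below. This is an added example and not training material or code from the course; it only assumes the public Modbus/TCP layout (a 7-byte MBAP header followed by a function code and data) and implements function codes 0x03 Read Holding Registers and 0x06 Write Single Register. The "PLC" is a constructed in-memory register map, and the register meanings (run flag, setpoint, alarm) are made up for illustration.

```python
"""Minimal Modbus/TCP encoder/decoder with a constructed PLC simulator.

Added example, not part of the training. Assumes only public Modbus/TCP
framing: MBAP header = transaction id (2), protocol id (2, always 0),
length (2, bytes after the length field), unit id (1); then the PDU =
function code (1) + data. Everything else here is illustrative.
"""
import struct

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS = 0x01, 0x02


def build_frame(transaction_id, unit_id, function_code, data):
    """Wrap a PDU in an MBAP header. Length counts unit id + PDU bytes."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers_request(tid, unit, start, quantity):
    return build_frame(tid, unit, READ_HOLDING_REGISTERS, struct.pack(">HH", start, quantity))


def write_single_register_request(tid, unit, address, value):
    return build_frame(tid, unit, WRITE_SINGLE_REGISTER, struct.pack(">HH", address, value))


def parse_frame(frame):
    """Split a frame into (transaction_id, unit_id, function_code, data).

    Raises ValueError for a frame that is too short, not protocol id 0,
    or whose MBAP length disagrees with the bytes actually present."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus (0)" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    return tid, uid, frame[7], frame[8:]


def decode_response(frame):
    """Return ('registers', [..]), ('write', addr, value) or ('exception', fc, code)."""
    tid, uid, fc, data = parse_frame(frame)
    if fc & 0x80:  # exception responses set the high bit of the function code
        return ("exception", fc & 0x7F, data[0])
    if fc == READ_HOLDING_REGISTERS:
        count = data[0]  # byte count, two bytes per 16-bit register
        return ("registers", list(struct.unpack(">%dH" % (count // 2), data[1:1 + count])))
    if fc == WRITE_SINGLE_REGISTER:
        return ("write",) + struct.unpack(">HH", data)
    raise ValueError("unsupported function code %#x" % fc)


class SimulatedPlc:
    """Constructed stand-in for a PLC's Modbus server: holding registers only.

    Like the real protocol it has no session, authentication or replay
    protection, which is the weakness the course discusses."""

    def __init__(self, registers):
        self.registers = dict(registers)  # address -> 16-bit value

    def handle(self, frame):
        tid, uid, fc, data = parse_frame(frame)
        if fc == READ_HOLDING_REGISTERS:
            start, qty = struct.unpack(">HH", data)
            addrs = range(start, start + qty)
            if not 1 <= qty <= 125 or any(a not in self.registers for a in addrs):
                return build_frame(tid, uid, fc | 0x80, bytes([ILLEGAL_DATA_ADDRESS]))
            values = b"".join(struct.pack(">H", self.registers[a]) for a in addrs)
            return build_frame(tid, uid, fc, bytes([len(values)]) + values)
        if fc == WRITE_SINGLE_REGISTER:
            addr, value = struct.unpack(">HH", data)
            if addr not in self.registers:
                return build_frame(tid, uid, fc | 0x80, bytes([ILLEGAL_DATA_ADDRESS]))
            self.registers[addr] = value
            return build_frame(tid, uid, fc, data)  # a write response echoes the request
        return build_frame(tid, uid, fc | 0x80, bytes([ILLEGAL_FUNCTION]))


def demo():
    """Read, write without any credentials, then replay the captured write."""
    plc = SimulatedPlc({0: 1, 1: 1500, 2: 0})  # constructed map: run flag, setpoint, alarm
    before = decode_response(plc.handle(read_holding_registers_request(1, 1, 0, 3)))
    captured_write = write_single_register_request(2, 1, 1, 9999)  # "sniffed" frame
    plc.handle(captured_write)
    after = decode_response(plc.handle(read_holding_registers_request(3, 1, 0, 3)))
    plc.registers[1] = 1500  # operator restores the setpoint
    plc.handle(captured_write)  # replaying the same bytes works: nothing ties them to a session
    replayed = decode_response(plc.handle(read_holding_registers_request(4, 1, 1, 1)))
    bad = decode_response(plc.handle(read_holding_registers_request(5, 1, 100, 1)))
    return before, after, replayed, bad


if __name__ == "__main__":
    for item in demo():
        print(item)
```

`parse_frame` is also the piece to point at a capture: feeding it the bytes of a frame taken from a pcap (for example `bytes.fromhex("000100000006010300000003")`, a constructed Read Holding Registers request for three registers from address 0 on unit 1) gives the decoded transaction id, unit id, function code and data, and the MBAP length check is what catches truncated or misaligned frames during capture analysis.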
Module 7: Capture The Flag
I strongly believe that a good training must include "real-life" examples and labs. I will dedicate the last half-day of the training to a Capture The Flag event. To do so, I will have a specific setup where attendees will be able to use their newly acquired knowledge on a simulation of a "real-life" system.
This will include compromising a Windows host, pivoting to the ICS, understanding the industrial process, and finally capturing a real flag with a robot hand! This will be an expanded version of the CTF I usually organize during the ICS workshops at conferences.
Target audience:
This training is aimed at OT professionals who want to understand the security issues within ICS and how to technically assess the security level of an ICS. It will also be beneficial for IT security professionals wanting to understand the technical specificities of ICS.
Key takeaways:
Attendees will learn the common ICS vulnerabilities and the tools and techniques used to assess an ICS (both Windows systems and PLCs), and will practice these techniques during a hands-on Capture The Flag on real hardware.