Thursday, June 30, 2016

Cybati - Blackbox Challenge #1 - Step 8

This post is blog post 8 of 15 of the Cybati Blackbox #1 challenge.

Step 8:
Instruction: Host Tap Assignment


Mission 7 (5 pts). What host IP/MAC address performed the attack?


Mission 8 (5 pts). What industrial protocol register was attacked?


  1. At this point, we should have VirtuaPlant operational, WireShark running in the background, and an attack running against VirtuaPlant. Mission 7 asks us to identify the host IP and MAC address that performed the attack. In a controlled environment such as this, we could sift through all of the captured network packets to determine who performed the attack. However, it is easier, and more useful, to first know what a good environment and its expected network activity look like. Analysts in a real environment should know this baseline as well. With that, let’s first determine what normal looks like, then perform the attack, and then try to find who performed it.
  2. Go to WireShark and click on the red “Stop” button if WireShark is running
  3. Double click on “7. Execute Logic Attacks (WIZARD)”

  4. Make sure “Move and Fill” is selected and click “Cancel”. This will stop the attack against the simulated bottling process in VirtuaPlant.


  5. An alert popup box will appear to let us know that the attack has been stopped. Click “Ok”.

  6. Back in the Cybati Bottle-filling VirtuaPlant factory, we can see that the process is running as expected

  7. Now we can go to WireShark, capture network traffic and analyze the results
  8. Go into WireShark and click the green “shark fin” button to collect network traffic

  9. Click “Continue without Saving” to the popup box
  10. Now we should see network traffic and we can monitor traffic to the Cybati Bottle-filling VirtuaPlant factory to determine appropriate network traffic. After a few minutes of network activity, click on the red “Stop” button.

  11. In Wireshark, press and hold the left mouse button on “Statistics” at the top, move the cursor down to “Conversations” in the list, and release the button once the cursor is over “Conversations” to open the “Conversations” window.

  12. Click on the “IPv4” tab
  13. Here we can see expected network activity
  14. In the above screenshot, we can see that 172.16.192.2 (the system n5) just talks to 172.16.192.11 (the system n12). The “n5” system is the one with the “World View” of the Cybati Bottle-filling VirtuaPlant factory. We can see the HMI on “n12” has more network connections to other hosts.
  15. Click “Close” on the Conversations window and return to WireShark
  16. Click the green “shark fin” button to collect network traffic

  17. Click “Continue without Saving” in the popup box
  18. Double click on “7. Execute Logic Attacks (WIZARD)”

  19. Make sure “Move and Fill” is selected and click “Ok”. This will start the attack against the Cybati Bottle-filling VirtuaPlant factory.

  20. Open the “World View” and we can see that the attack is working as intended. The bottling process is not stopping at the appropriate level or after the specified amount of time.

  21. WireShark should be capturing the network traffic from the attacker against our systems. Let’s ensure that we get enough network traffic and let this process occur for a few minutes.
  22. In WireShark, click on the red “Stop” button.

  23. In Wireshark, press and hold the left mouse button on “Statistics” at the top, move the cursor down to “Conversations” in the list, and release the button once the cursor is over “Conversations” to open the “Conversations” window.

  24. Click on the “IPv4” tab
  25. Now we see a new IP address of 172.16.192.128 has communicated with the n5 system

  26. Right click on the line above (your results for Address A and B should be the same) and click on “Apply as Filter”, then “Selected” and then “A <- B”

  27. WireShark will process the filter in the background and you will still be in the Conversations window. Click “Close”.
  28. In WireShark, we will see network traffic where the IP address of 172.16.192.128 is talking to n5 (172.16.192.2) which hosts the “World View”
  29. If we scroll through all of the results, we see a repeating pattern of “TCP” and “Modbus/TCP” packets

  30. If we examine a network packet in the window below, we can see more information about the network conversation. If you left click on a packet similar to the one in the screenshot below, you can see its details in the lower pane (e.g. where “Ethernet” is highlighted).

  31. In the above screenshot, we can answer the question to Mission 7. The mission asks for the IP address and MAC address of the attacker. Here, we can see the attacker has an IP address of 172.16.192.128 along with a MAC address of 14:9a:10:12:34:56. We can verify this by clicking on the “+” symbol next to “Ethernet” as seen below and clicking on the “+” symbol next to “Source:”

  32. Ensure in the network packet window that you are on a packet with a “Modbus/TCP” protocol

  33. In the lower pane, make sure that “Modbus/TCP” and “Modbus” are the only ones with the “-” symbol as below

  34. From the above screenshots, we can see that the attacker IP address is performing a Modbus write, function code 6 (Write Single Register; reference: http://www.simplymodbus.ca/FC06.htm). But it is difficult to determine what is being set. Even looking at the traffic between the attacker and n5, it is not readily apparent what is happening. We can see that registers are being set, but it’s not clear which ones or why this matters. The traffic between these two systems is a query (such as a write to a register) followed by a response echoing the command that was sent. If we removed the filters completely, we would see the HMI querying n5 (World View) for the current values in the Modbus registers. However, these requests go by quickly unless we stop the network capture and investigate the captured traffic.
  35. There are multiple ways to determine the values in Modbus registers. One common way is with the “mbtget” tool, which lets the user read from or write to a register on a Modbus server.

  36. We can target n5 by IP address to retrieve Modbus register values. In the example below, we are reading the first 7 values from the Modbus server. When the bottles are not being filled, we see the Modbus register values as below:

  37. When the bottles are being filled, we see the Modbus register values below:

  38. Once the “Move and Fill” attack is initiated, the bottles are supposed to not be filled, but the nozzle continues to run regardless of registers 1 and 3 being set to “1”.

  39. The timing appears to be changed as well and the attack alters registers 3 and 4 to “1” when the bottles are supposed to be filled:


  40. If we look at WireShark at the same time as the attack above, we can see the HMI reading the same values from the n5/World View server. This particular network session is the n12/HMI server receiving a response from n5 and its Modbus registers. The n12/HMI server had issued a query to n5 to retrieve the Modbus register values.


  41. Based on the above screenshot, it appears that Register 2 is the register being attacked, which answers Mission 8. From the “Bottle Filling Engineering” document, this appears to translate to register 4002 listed on page 3.
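To make the query/response pattern in steps 34 to 41 concrete, here is an added example (not code from the Cybati write-up or the VirtuaPlant project): a small Python decoder for the Modbus/TCP frames described above, run over two constructed frames, the HMI’s read of the first 7 registers and the attacker’s function code 6 write. It assumes that n12 at 172.16.192.11 is the only host expected to write registers, and the HMI MAC address is a made-up placeholder.

```python
# Added example, not part of the Cybati write-up: decode Modbus/TCP frames and
# flag register writes (function code 6) from any host other than the known HMI.
# The attacker IP/MAC come from the write-up; the frame bytes are constructed.
import struct
from typing import List, Dict

HMI_IP = "172.16.192.11"  # n12, the legitimate HMI per the write-up

def mbap_pdu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP ADU: MBAP header (tid, proto=0, length, unit id) + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def decode_modbus(payload: bytes) -> Dict:
    """Decode the MBAP header and the PDU fields this example cares about."""
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("not a well-formed Modbus/TCP ADU")
    fc = payload[7]
    info = {"tid": tid, "unit": unit, "fc": fc}
    if fc == 6:                      # Write Single Register: raw offset, value
        info["address"], info["value"] = struct.unpack(">HH", payload[8:12])
    elif fc == 3 and length == 6:    # Read Holding Registers request: start, count
        info["start"], info["count"] = struct.unpack(">HH", payload[8:12])
    return info

def find_unexpected_writes(packets: List[Dict]) -> List[Dict]:
    """Return FC6 writes whose source is not the HMI, with src IP/MAC and register."""
    findings = []
    for pkt in packets:
        d = decode_modbus(pkt["payload"])
        if d["fc"] == 6 and pkt["src_ip"] != HMI_IP:
            findings.append({"src_ip": pkt["src_ip"], "src_mac": pkt["src_mac"],
                             "register": d["address"], "value": d["value"]})
    return findings

# Constructed capture: one HMI read request, then one attacker write of register 2.
SAMPLE_PACKETS = [
    {"src_ip": HMI_IP, "src_mac": "00:00:00:aa:00:0c",  # placeholder HMI MAC
     "payload": mbap_pdu(1, 1, bytes([3]) + struct.pack(">HH", 0, 7))},
    {"src_ip": "172.16.192.128", "src_mac": "14:9a:10:12:34:56",
     "payload": mbap_pdu(2, 1, bytes([6]) + struct.pack(">HH", 2, 1))},
]

if __name__ == "__main__":
    for f in find_unexpected_writes(SAMPLE_PACKETS):
        print(f"write from {f['src_ip']} ({f['src_mac']}) to register {f['register']} = {f['value']}")
```

The same check can be run over a real capture by feeding it the TCP payloads of port 502 packets and the Ethernet/IP source fields Wireshark shows in the lower pane.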


Wednesday, June 29, 2016

Learning with DVRF - Intro

Getting into any kind of security is a fun and enjoyable experience. I have started to check out hardware hacking as it relates to all kinds of industries, and it sounds fun. Some of the things I have been exploring are ICS/SCADA hardware, software platforms relating to ICS/SCADA (like the Cybati challenge write-ups), and recently, hardware like network devices. While there have been awesome articles put out there (like this) for hardware hacking, I still like to play and learn with the software side.

It has been fun seeing the Damn Vulnerable Router Firmware (DVRF) project grow, with the author b1ack0wl contributing more to the project with challenges and related write-ups. In my process to learn more about different architectures (like MIPS) and firmware hacking, I have been exploring and learning with the DVRF project. I have based some articles on the blog posts from the original author and written up new blog posts with the methods I performed at each step. Each blog article will break out a major step into concise instructions to aid in learning with the DVRF project. A few of these steps will cover some information from the original author. Each technical post will show how to perform each step with detailed instructions. Hope you enjoy it and thanks for reading!


Below are the direct links to the posts in this series:
#1 : http://vivirytech.blogspot.com/2016/07/learning-with-dvrf-step-1.html
#2 : http://vivirytech.blogspot.com/2016/07/learning-with-dvrf-step-2.html
#3 : http://vivirytech.blogspot.com/2016/07/learning-with-dvrf-step-3.html
#4 : http://vivirytech.blogspot.com/2016/07/learning-with-dvrf-step-4.html
#5 : http://vivirytech.blogspot.com/2016/08/learning-with-dvrf-step-5-is-this.html
#6 : http://vivirytech.blogspot.com/2016/08/learning-with-dvrf-step-6-binary-ninja.html
#7 : http://vivirytech.blogspot.com/2016/08/learning-with-dvrf-step-7-pwndbg.html
#8 : http://vivirytech.blogspot.com/2016/08/learning-with-dvrf-step-8-what-mips.html
#9 : http://vivirytech.blogspot.com/2016/08/learning-with-dvrf-step-9-hello-mips.html
#10 : http://vivirytech.blogspot.com/2016/08/learning-with-dvrf-step-10-gdb-you-know.html
#11 part 1 : http://vivirytech.blogspot.com/2016/08/learning-with-dvrf-step-11-part-1-lets.html
#11 part 2 : http://vivirytech.blogspot.com/2016/08/learning-with-dvrf-step-11-part-2-lets.html
#11 part 3 : http://vivirytech.blogspot.com/2016/09/learning-with-dvrf-step-11-part-3-lets.html
#11 part 4 : http://vivirytech.blogspot.com/2016/09/learning-with-dvrf-step-11-part-4-lets.html
#11 part 5 : http://vivirytech.blogspot.com/2016/09/learning-with-dvrf-step-11-part-5-lets.html
#12 : http://vivirytech.blogspot.com/2016/09/learning-with-dvrf-step-12-stack-buffer.html
#13 : http://vivirytech.blogspot.com/2016/09/learning-with-dvrf-step-13-stack-buffer.html
#14 : http://vivirytech.blogspot.com/2016/10/learning-with-dvrf-step-14-stack-buffer.html

Tuesday, June 28, 2016

Cybati - Blackbox Challenge #1 - Step 7

This post is blog post 7 of 15 of the Cybati Blackbox #1 challenge.

Step 7:
Instruction: Execute Logic Attacks. Execute the Move and Fill logic attack. To stop the attack, execute the script again and click the Cancel button.


  1. Click on “Click to Launch” to go back to the file directory window

  2. Double click on “7. Execute Logic Attacks (WIZARD)”

  3. The instructions in Step 7 ask to perform the “Move and Fill” attack. Click “Ok”.

  4. It doesn’t appear to do anything. We need to set up the environment first.
  5. Double click on “4. Initialize VirtuaPlant (WIZARD)” and follow the rest of the steps as in “Step 4” earlier in this document to get a working VirtuaPlant

  6. While VirtuaPlant was starting, you may have noticed popup boxes saying which part of the simulation started on a particular server. If you missed those boxes, that’s ok. In the window for the process status controls, you can see which server this is running on.

  7. It appears that this process is running on the “n12” server
  8. If we look at the “World View” for the simulated bottling process, we see that this is running on “n5”

  9. Let’s go back to the “CORE” screen and get further information on these hosts. Click on “CORE”.

  10. Here we can see the two hosts we identified above

  11. Right click on “n12”, select “Shell window” and then select “bash”

  12. You should now have a regular Terminal window and we can run “ifconfig” to get the IP address of the virtual machine

  13. Alternatively, you could have received the same IP information if you hovered over “tcpdump”, “tshark” or “WireShark”

  14. Right click on “n5” and hover the mouse over “tcpdump” to get the IP information of this host

  15. As you hover over objects in the overall “CORE” window, the IP information of the virtual system is displayed
  16. For Mission 7, the question is asking who attacked when the action in Step 6 was performed. At this point, you should have the Bottle Filling simulation still running in the background. We have identified previously that “n12” is the virtual host that has the controls to the simulated bottling process.
  17. Go back to the “Click to Launch” window and double click on “6. Host Tap Assignment (WIZARD)”

  18. Click “Ok” to the informational popup box
  19. Leave “Industrial” selected and click “Ok”
  20. WireShark will open up and click “Ok” to the informational popup box
  21. Wait for WireShark to fully initialize and for packets to scroll through the middle window
  22. Go back to the “Click to Launch” window and double click on “7. Execute Logic Attacks (WIZARD)”

  23. An attack wizard opens up giving us various options to alter the pre-configured, engineer-approved process. “Move and Fill” is selected and is the attack “Step 7” asks us to perform. Click “Ok”

  24. If we go back to the simulated bottling process, we can see bad things are happening