Getting Started in ICS/OT Cyber Security - 20+ Hours - Part 5 (Asset Registers & Inventory)
FULL TRANSCRIPT
Hello, my friend, and welcome back. I'm really excited about this part, because some of it is actually already recorded and on my YouTube channel; I recorded some of the asset register videos previously because they're so important to cyber security in ICS/OT environments. But we've also updated the sections, particularly concerning when we look at performing active scanning. So we're going to look at using tools like Nmap in an ICS/OT environment, which we typically say we don't do, but there could potentially be a time and place for it, and that also borders on talking about penetration testing in ICS/OT environments. So the section is not as boring on the surface as it seems to be, because no one is ever going to say asset registers are a fun, sexy topic to talk about. But not only are we going to talk about active scanning in these environments, we're also going to talk about passive listening, which really builds into a network intrusion detection conversation, or network security monitoring. How do we find the bad people on the network if we're not looking for them? So we need to be looking at network traffic, and we can look at network traffic as one way to determine what type of assets we have in the environment. That's really what this section is going to be about. It's going to be one of those other long, long sections, but hopefully in a good way.

Let's just jump in right after our disclaimer, because everything we're talking about in the course is for informational purposes only, to help you make your environments more secure.
So here's the agenda for this part. Again, we're going to talk about asset registers. If you're not familiar with the term "asset register", which I was not, coming into OT from IT, it sounds like we're talking about asset inventory. So why wouldn't we call it asset inventory? It's a good question; they just call it asset registers in OT, and it's exactly what we're talking about. When we say asset register in OT, it just means an asset inventory: a list of the assets that we have in the environment. It just looks slightly different than what we would have in IT, where it is primarily computers, workstations and servers and laptops. While we have some of those in OT, we also have things like programmable logic controllers, or PLCs, and other types of OT assets that are going to be in that inventory, or on that asset register, that we're not going to see in IT.

So we're going to look at how we build that asset register, and the four main ways that we can do that. Especially if you go into, let's say, an environment that has existed for ten-plus years and they don't have an asset register, how are you going to build that? That's where we can talk about doing things like walking the environment, tracing cables to actually find those assets and add them to a list.
We can do active scanning, and when we talk about doing network mapping using a tool like Nmap, that's usually going to be the one that people are still going to use, even though there could be some risks there. So there are some ways to limit that risk, and there are other tools out there, and we'll talk about some. We talk about active versus passive scanning. I hate the term "passive scanning" because, well, with passive scanning we're not scanning anything, so why do we call it that? It's really more like passive listening, where we're capturing traffic on the network to review, to see, okay, what hosts are out there and what are they talking? I have some new PLCs in my home lab, so we'll actually get to see the traffic generated by those. I'm excited to get to play with those and show them off a little bit.

We talk about other types of documents out there that we can pull information from. The change management process is one of them. Maybe procurement, right? We've bought these PLCs, so hopefully we have a receipt somewhere, and we're able to find that receipt and use it to add them to our asset register. There are a couple of options that we're going to talk about there. Also things like PLC programming code, which we're going to talk about, project and program data; those are all places where asset information can hide that we want to find.

And then after that we're going to come back, and you can see "monitoring the control system state". That's actually what I built my master's thesis on. I'm not going to bore you with the whole thing; I think it came out to be about 30 pages, so it's not too crazy, not too much. But we get an idea of why it's important to understand, especially when we look at the PLCs in our environment, when they're secure, when they're in a safe state, versus when they're in an unsecure or vulnerable state. It's not as cut and dried as a lot of people in the industry will make it sound, and that's really the point of the thesis.

And then ultimately we'll wrap up. Once we have this asset register, or as we're building this asset register, which more than likely, honestly, is probably just a bunch of inventory data in an Excel spreadsheet, nothing fancy, we have to make sure we keep it safe. Because if an attacker were able to gain access to that asset register, essentially they have this treasure map of your environment: you have a list of all the assets, and the software that's running, and the services, and the versions of the software and the services, which they can map to vulnerabilities, and then they could use that to come and attack the environment and take control, which obviously is the last thing that we want to have happen in OT. That's why we're here.

So we've already started to touch on this idea that we need asset registers in OT environments just like we have to have asset inventories in IT. I think, also, like asset inventories in IT, they're never going to be perfect. Even if they are 100% accurate today, let's say, something's probably going to change tomorrow, or next week, or within the next year, and it's not going to be 100% accurate. So I never assume any of these are 100% accurate. I've never met an IT environment, unless it was super tiny and super small, that had an asset inventory that was 100% accurate. It just doesn't happen. I did a presentation at a Gartner conference one time in front of, I think, 300 CIOs and CISOs, and asked, raise your hand if you feel that your inventory management program has everything 100%, or as close to 100% as possible. One guy raised his hand, and he was sitting in the front row, so of course everybody else in the room was laughing at him behind his back, because it just doesn't work that way. They're never going to be perfect, but we need them to be as close to perfect as possible.

And why I focus on them: it's not necessarily a matter of, do I care what we have in the environment? Sure, we say we have to know or understand what we have in the environment to be able to protect it, and I'm like, yeah, there's a sense of truth to that, but I don't completely agree with it. I can still protect the environment even if I don't know everything that's in it. But if I then play off of the two main areas that I always focus on in cyber security, whether it's in IT or OT, when we talk about vulnerability management and we talk about incident detection and response: I cannot effectively do vulnerability management or incident detection and response in an OT environment without an asset register. Without that asset register, we're only guessing. If I can't become aware of the vulnerabilities in the environment, or if I have an incident, how do I respond? How do I even know I have an incident in the first place? We'll talk about a couple of stories as we go through, of things that either I've seen or I've talked with people about, especially recently, where they had certain circumstances come up where they didn't have an asset register, and here's how it did damage, or here's where the lack of an asset register prevented them from effectively responding to an incident that did significant damage to the environment, to the point where people lost jobs. That's one of the big focuses for me in cyber security, always: I don't want a breach ever to result in somebody losing their job. It's just as easy as that.

So I know I'm going off on a tangent already, but the idea is that the asset register is our inventory list. Now, it's very similar to IT, but there are other pieces of information about those assets that we're going to be tracking in OT that we don't see in IT. And hopefully by now, throughout the course, we understand that IT and OT environments, while very similar, are also very different. So your asset register, yeah, it's going to look very similar to an IT asset inventory, but it's also going to be different. We want to make sure we include, when we talk about all the assets in the OT environment, all the hardware, whether it's a server, a workstation, an HMI, a PLC, a DCS, all of your sensors and other instrumentation we have at that lowest level of the Purdue model. We want to make sure all of those are listed. Then all the software that's running on those systems, and then also the firmware. Firmware is not necessarily something that's always tracked in the IT world; sometimes it is, sometimes it's not. But it's something we definitely want to be tracking in the OT world. So we're going to be tracking all hardware, software and firmware, and those are the three main focuses. But then we'll also have lots of other properties for these that we're tracking, which we'll see when we look at some of the examples of sample asset registers.

If you have virtualized assets, let's say I'm running a VMware server and then I have a bunch of virtualized hosts running on top of that, we want to make sure all of those virtualized hosts are inventoried, as well as the VMware server, because those are all assets. I always think of it like this, and this isn't always 100% true, but for the most part, if something has an IP address on it, I want to know about it. Now, I understand in OT environments maybe not all assets are running TCP/IP; maybe they're just talking an older OT protocol. They don't have to talk TCP/IP, right? Maybe old PROFINET. That host doesn't have an IP address, but we'll still see it talking on the network. We'll actually see that in the example we're going to talk about in a little bit.

But again, my main focus, and why I want to work on asset registers and why it's so important, is that it builds into allowing us to do vulnerability management and incident detection and response. Without that asset register we're crippled, we're hampered, and we can't do the job 100%; we probably can't even do it 50%. Like I mentioned earlier, we never want to assume that the asset register is 100% complete. I'm very fortunate that most of the environments that I work in through my day job are brand new environments. I have a client that I'm working with outside of my day job now which is a brand new manufacturing facility, and maybe that asset inventory is 100% accurate today, but again, changes are happening over time, and it's never going to be 100% accurate. Let alone, what if you had an attacker come into the environment, and maybe they take something out, or, probably more important, they leave something? Maybe they connect some type of attack jump host to the network. So, things to start to consider.

It's kind of a weird situation where I can talk about how we have to have asset registers and we want them as accurate as they can be, we want them to be 100% complete, but also with the understanding that it might not be that way tomorrow, because something can always change. When we talk about different changes that can happen, yeah, common occurrences: what if a technician comes in, connects a new sensor to the network and doesn't let anybody know? Will we even detect that? Maybe not. But now we have a new asset on the network that we don't understand, and maybe that asset has a vulnerability that we need to be able to understand. What if a PLC programmer brings in a new engineering workstation? Maybe they bring in their personal laptop and plug it into the OT network to do programming on a PLC. Would we detect that, and what are the dangers there? If somebody brings in a personal laptop and plugs it in, what if it was infected while they were at home?

I was just talking with a gentleman this morning from the UK. He worked in a manufacturing facility where there was a lady who brought in a USB drive from home because she wanted to show off some holiday pictures. She plugs it into the OT network, and because that personal USB drive she had was infected, it infected all the systems at the manufacturing plant. The manufacturing plant not only went down, but because they had no backups, they had no ability to recover. The plant shut down, they went out of business, and 160 people lost their jobs, just because somebody wanted to bring in their holiday photos and show them off on the OT network. That's pretty devastating. I couldn't imagine the responsibility that that woman felt; I mean, hopefully she felt responsible for it.

So what happens when we bring in these different types of assets? We actually had a client one time where one of the operators in the control room thought it was a good idea to bring in an Xbox. Now, I don't know why they thought they were going to have an internet connection for the Xbox in the control room, because that's always a big no-no in OT environments, but for some reason they thought they would bring in their Xbox, connect it to the network and play games when they were at work in the middle of the night. That's something we want to be able to detect: when somebody attaches a new device to the network, we want to get an alert and be able to investigate. 99.9% of the time it's not something evil, it's not something malicious; it's somebody doing something that they're not supposed to be doing. They're bringing in the personal USB drive, they're bringing in their Xbox because apparently they're bored, the maintenance technician doing the install of the field device just forgot to let somebody know, or didn't go through the appropriate change management procedures. There are lots of reasons, but again, 99.9% of what we find in OT environments when looking for the bad things, we don't find the evil, malicious cyber attackers; it's people just making stupid mistakes.
There are times we can find operational issues, and if we find those issues we can get them fixed before they can affect the availability or the uptime of the plant, which is great. That's where we really push when we talk about implementing things like network security monitoring in OT environments: it's not just about security, it can also help with things like ensuring availability by identifying operational issues.

We have another one, and this is the classic example. I see this at a lot of facilities, especially larger facilities out in the middle of nowhere, where they don't take physical security as seriously as they should. Somebody could just walk into the facility and plant a device on the network, it gets an IP address from DHCP, and boop, they're off and running, because they have that foothold on the network and they're able to attack other devices in the environment. Or what if they're doing this over Wi-Fi? Right after I'm done recording this I actually have a meeting with one of our engineers for a large project in Canada about securing wireless communication in OT environments. It's extremely important, but it's one of those areas that is vastly overlooked.

So, and this is what I kind of alluded to earlier, where do we put the asset register, or how do we create it? I mentioned most asset registers still today are in Excel. Now, there are different applications you can buy, so we talk about off-the-shelf solutions you can purchase. I've seen environments build internal web applications to store it, with something like a Microsoft SQL Server back end and a web interface they create. There's not really a lot to do; you could probably code one of these with ChatGPT in 15 minutes or less, so it's not hard to do, and it's actually probably a good idea.
But we still see most of these stored in Excel. Again, we'll come back and talk about it as we wrap up. The main idea is I don't care where it is, other than it needs to be accessible, but it also needs to be secure. We want to make sure plant personnel have access to that information when we're doing things like vulnerability management, having conversations around risk, doing network security monitoring. But again, we want to make sure the attackers aren't able to access that information, because it gives them that treasure map of how to break into the environment, and that's not what we want to provide.

I also mentioned in that last point: sure, you can go out and buy an application and store this in the cloud, or in some app that's running on the internet. Just keep in mind that any cloud environment, any app that's out there on the internet, is going to be compromised one day. Maybe not tomorrow, maybe not next week, but maybe next month, maybe next year, it's going to be compromised. So do you want to take that risk, or do you want to make sure that it's only stored locally, on premise, where your employees can access it? It's a risk conversation, definitely, to be had. It might sound silly, but it's actually one of those really important conversations to have: where are we going to store the asset register? We want to make sure everybody has access to it, at least the people that need access to it: our plant operators, our OT cyber security team members, they need access to the asset register. So do we want to put it in a cloud-based application that's eventually going to get hacked, and then the attackers have access to that information? At that point, again, they have that treasure map, basically a guideline on exactly how you break into the environment and take control of it. That's not something that we want to have exposed.

So now that we've talked a little bit about the idea of what an asset register is, and where we're going to put this inventory data, whether it's an Excel spreadsheet or a web application, maybe in the cloud, maybe not: what are we storing in the asset register? There's a lot of information that we could put in the register. I'm always a fan of "the more the better", and realistically, once you put it in there, once you have that information, you ideally don't have to worry about losing it, or having to go back and recreate it for somebody, or maybe forgetting a piece of information that you later need and then scrambling around trying to find it. So I'm a big fan of having as much up front as possible. Throw everything and the kitchen sink into it, personally, but keep it organized; Excel's good at that.

You can see there's an asset ID that's assigned to that asset or that system. Usually that's an internal naming convention that we'll assign, even if it's just "you're the first asset, you're the second asset we've deployed, the third asset", and so on. It doesn't have to be anything complicated. Usually we'll have asset names: we'll give systems names, or use a naming convention that helps us remember or understand what that asset is just based off of its name, maybe even where it's located on site. We'll talk about the asset type: is it a workstation, a server, a PLC, an HMI, etc. The location: where is it? What building is it in, or out in the field, or in a substation? The list goes on and on. Where is this asset hiding? That's definitely a piece of information we want listed. We want to understand who the manufacturer is, who the vendor is, who produced it, because we also want to know the model. We can use that information to understand: if I have, let's say, a Siemens PLC such as an S7-1200, there could be certain vulnerabilities that are associated with that, let alone different attacks that are specific to the S7-1200 that I need to be aware of from a security perspective. I need to understand that I have these PLCs in the environment, so I have these risks, I have these vulnerabilities.

You see we can track serial numbers for assets; that always comes in handy for inventory purposes, or if you're maybe calling in for support. If there's an IP address, so if it's running TCP/IP, then you want to have the IP address. If it's running TCP/IP it's going to have a MAC address; it could also have a MAC address if it's running some other protocol and not TCP/IP. So you're going to want to have those listed there. That's especially one of those keys that's going to help us later on, doing network security monitoring and incident detection. Then you can see when it was installed; that's maybe good background information to have. Now I want to see what firmware is installed, what software is running on it, and what version of software, because those are other pieces of information we can use to find out: are there vulnerabilities in that firmware, are there vulnerabilities in that software that we need to be aware of? Again, if we have that asset register we can plug it into our vulnerability management processes to look up whether those vulnerabilities exist, and if there is a vulnerability, well, how bad is it? We're going to come back and talk about that more in the next part, but it's really that understanding of: if we have a critical-risk vulnerability, does it threaten safety, whether physical or environmental safety, or does it threaten the operations of the plant? If it does, then we're going to want to look at how we're going to get that addressed. If it doesn't threaten one of those three things, honestly we're probably not going to do anything about it, because it's not going to threaten our main focuses: keeping people safe, keeping the environment safe, keeping the plant up and running, producing whatever it produces.

You see we track the last maintenance date. Sometimes that can come in handy, whether from a security perspective or an operations perspective. When's the last time somebody fiddled with something? Maybe we're seeing some strange activity, maybe from this HMI talking to a PLC; we hadn't seen these commands before, and we saw them start on this last maintenance date. So maybe it's just because of a firmware update or some programming change; it wasn't an attacker taking over the HMI and using it to try to compromise the PLC. I'd like to know if there's a regular maintenance schedule for this type of equipment, so that when we do get alerts we can see whether this is in a maintenance window or not. That can give me a sign, an idea, if I see a PLC maybe go from run mode, which means it's up and running and ideally in read-only mode so it can't be changed (more on that later), to program mode, which puts it in this kind of writable format where people can do things, or a technician can upload firmware or make changes to PLC programming.

You see: are we going to consider it a mission-critical asset? If I lost this asset, if it went down and I didn't replace it, let's say for days, would the entire operation come to a standstill, or would we still be up and running? If the entire operation would come to a standstill, or if it's used to ensure safety, like our SIS, remember, the safety instrumented system, the fail-safe backup that we've talked about, that is considered a mission-critical asset. If we have no SIS, the plant's not running, because then we have no way to guarantee people are safe.

We see a responsible party. We want to make sure we know who we're going to contact if we have a question about one of these devices. What if I get a security alert about a specific IP address? I can look it up in the asset register and understand, oh, what type of asset this is. Oh, it's a PLC. Okay, who's the vendor? Oh, it's Allen-Bradley, Rockwell; it's a Micro820 PLC. Who do I need to contact with questions about that? Maybe it's an engineer or someone in operations. Who do I need to reach out to? We see a status, a lot of times: is it in production? Maybe not. You can look at any additional notes that people have placed.
And then when we get more into ISA/IEC 62443, which we started to introduce in the last section when we started talking about secure network architecture, there's the idea of zones and conduits. Every asset should be assigned to reside in a zone. It can be a VLAN, but remember it's this idea of a subnetwork where all the assets are collected together because they share a common purpose. So all of the assets that make up the SIS are in a SIS zone. Then if you have any communication into or out of that zone, remember, each path, each form of communication, essentially each ACL, the access control list: if we have a path from one IP address to another IP address, that would be a conduit. We're also remembering to make them as specific as possible, so not just IP address to IP address, but we also have to make sure to include the source and destination ports.
So that's a lot of information, and there are other pieces of information that you could put into an asset register, but I think those are a lot of the common ones. It's rare, actually, to see zones and conduits for most people, but now, in 2024, we're starting to see people understanding the importance of 62443, seeing it as the gold standard of how to build a cyber security program for an OT network, and so we do see zones and conduits pop up. If you don't have them there initially, you're going to want to add them later on, because you are going to do risk assessments. We're going to talk about that in one of the later parts, but when you do those risk assessments it's all based off of, guess what, zones and conduits. Really it's about what assets we have, what zones they're in, and what zones are talking with what other zones. That's the risk assessment. So we have to have that information to be able to do a risk assessment, and that's another reason why this section is very important.

Here's a sample. Honestly, I just had this generated in ChatGPT. I don't often use ChatGPT; I don't use it to write text or content, but when it's "create a sample asset register", it's a perfect job for it, so I don't have to sit there and take the time to worry about it. You can see asset ID, asset name, asset type, the manufacturer (so that's where you get all these kind of generic names), model, serial number, location, IP address, installation date, last maintenance date, and then status. You know what, I think it did a really good job, personally. We could have gone back and used real manufacturer names like Siemens and Rockwell, and real models of assets, but other than that, again, I'm happy with it. I thought it did a good job.

So now that we've looked at this idea of, yeah, here's a sample asset register, and here's all this information that we can store in the database: what if we go into an environment and they don't have an asset register? Or they say they have an asset register but it's sadly lacking; they might have 10 assets listed, and they could have hundreds or thousands or tens of thousands of assets, depending on the size of the environment.
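The register fields above, and the zone/conduit idea, as an added worked example that is not part of the course or any vendor product: a small register held as plain Python records, an IP lookup for alert triage (what type of asset is this, who do I call, is it mission critical), and a check that decides whether an observed flow stays inside a zone or crosses one through a declared conduit. Every asset, address, zone, conduit and function name is a constructed assumption of the example, not a real plant.

```python
"""
Added example (not course material): an asset register as Python records,
IP lookup for alert triage, and an ISA/IEC 62443-style zone/conduit check.
All assets, zones and conduits below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    name: str
    asset_type: str          # PLC, HMI, EWS, server, SIS ...
    location: str
    manufacturer: str
    model: str
    ip: Optional[str]        # None for assets that do not speak TCP/IP
    mac: Optional[str]
    firmware: str
    mission_critical: bool
    responsible: str         # who to contact when an alert names this asset
    zone: str
    status: str = "production"


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocol: str            # "tcp" or "udp"
    dst_port: int


# Constructed register: a line PLC, its HMI, an engineering workstation,
# a historian in the DMZ, and a safety controller in its own zone.
REGISTER: List[Asset] = [
    Asset("A-0001", "PLC-L1", "PLC", "Line 1 cabinet", "Siemens", "S7-1200",
          "10.10.1.10", "28:63:36:00:00:01", "V4.5", True, "controls engineer on call", "Z-LINE1"),
    Asset("A-0002", "HMI-L1", "HMI", "Line 1 operator panel", "Siemens", "TP1200",
          "10.10.1.20", "00:1d:9c:00:00:02", "V17", False, "operations lead", "Z-LINE1"),
    Asset("A-0003", "EWS-01", "EWS", "Control room", "Dell", "Precision",
          "10.10.2.5", "ac:1f:6b:00:00:03", "n/a", False, "controls engineer on call", "Z-ENG"),
    Asset("A-0004", "HIST-01", "server", "DMZ rack", "Dell", "PowerEdge",
          "10.10.5.5", "ac:1f:6b:00:00:04", "n/a", False, "plant IT", "Z-DMZ"),
    Asset("A-0005", "SIS-01", "SIS", "Safety cabinet", "Siemens", "S7-1500F",
          "10.10.9.10", "28:63:36:00:00:05", "V2.9", True, "safety engineer", "Z-SIS"),
]

# Conduits are as specific as possible: source zone, destination zone, protocol and port.
CONDUITS: List[Conduit] = [
    Conduit("Z-ENG", "Z-LINE1", "tcp", 102),   # engineering workstation programming the PLC (S7comm)
    Conduit("Z-DMZ", "Z-LINE1", "tcp", 502),   # historian polling the PLC over Modbus/TCP
    # Deliberately no conduit into Z-SIS: nothing on the network talks to the safety controller.
]


def lookup_by_ip(ip: str) -> Optional[Asset]:
    """Find the register entry for an IP address, or None if it is not on the register."""
    return next((a for a in REGISTER if a.ip == ip), None)


def flow_allowed(src_ip: str, dst_ip: str, protocol: str, dst_port: int) -> Tuple[bool, str]:
    """Intra-zone traffic is allowed; cross-zone traffic needs a matching conduit;
    anything involving an address that is not on the register is not allowed."""
    src, dst = lookup_by_ip(src_ip), lookup_by_ip(dst_ip)
    if src is None:
        return False, f"{src_ip} is not on the asset register"
    if dst is None:
        return False, f"{dst_ip} is not on the asset register"
    if src.zone == dst.zone:
        return True, f"intra-zone traffic in {src.zone}"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.protocol, c.dst_port) == (src.zone, dst.zone, protocol, dst_port):
            return True, f"conduit {c.src_zone}->{c.dst_zone} {protocol}/{dst_port}"
    return False, f"no conduit from {src.zone} to {dst.zone} for {protocol}/{dst_port}"


def triage(alert_ip: str) -> str:
    """One line an analyst wants when a security alert names an IP address."""
    a = lookup_by_ip(alert_ip)
    if a is None:
        return f"{alert_ip}: NOT IN REGISTER - treat as unknown device"
    crit = "mission-critical" if a.mission_critical else "non-critical"
    return (f"{alert_ip}: {a.name} ({a.asset_type}, {a.manufacturer} {a.model}, fw {a.firmware}), "
            f"zone {a.zone}, {crit}, contact {a.responsible}")


if __name__ == "__main__":
    print(triage("10.10.9.10"))
    print(flow_allowed("10.10.5.5", "10.10.1.10", "tcp", 502))
    print(flow_allowed("10.10.5.5", "10.10.9.10", "tcp", 502))
```

The same check is what a firewall rule review or a network monitor alert can be compared against: a flow that neither stays inside a zone nor matches a conduit, or that involves an address the register has never heard of, is exactly the traffic worth a look.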
so there's really four main ways that we
can build that asset register or
Continue to update it and so we're going
to come back and and look at each one of
these in in detail you see the number
one way we can look at or the number one
that we the first one we talk about it's
probably not the the one the ones
preferred but we can walk the
environment we can trace cables we can
go into the the the data room and and
look at the first switch we see and grab
the first cable we see and walk it Down
Right trace it
down yeah start to think though that
that takes time that takes takes money
and as our employees Trace cables out
into an environment they're probably not
in a very safe environment right so
there's this idea of putting our
employees in harm way Harm's Way so
walking in the environment is not
necessarily always preferred I think
I've already shared the the story of
when I was in the grid course one of the
gentlemen that was taking the class his
job was to do this at Disney World for
all the
rides it's a really cool job so they
would shut down each of the rides for
like two weeks and he would Trace cables
to figure out how each of the rides was
was wired and then he would also look at
the protocols that they were used
because you know you had different
person writing these different protocols
for each of the different rides and they
were very custom jobs and of course they
or an actually you know any type of
Industry standard as you might imagine
so now there's review we can review
existing data so this is where yeah we
can find network diagrams programming
data project files procurement info
right invoices where we've purchased
this equipment so we can use all of that
to try and understand what's in the
environment we can capture Network
traffic and then we can examine that so
we can use a tool like wire shark to to
capture traffic on the wire and use that
to see well what assets are talking with
each other because we can use that to
identify things like IP addresses or Mac
addresses protocols being used because
again not everything necessarily in an
OT environment is talking tcpip we're
going to see some examples of that
today and then we can also talk about we
can actively scan the environment using
a tool like nmap and and we'll do some
of that in the the home
lab but when you think about it right we
always talk about we don't want to do
active scanning in a production
environment because there's always a
chance it'll cause an issue now it's
more true in older
environments but do you want to take the
chance that you cause some type of issue
especially whether it's again you're
going to crash the site and bring it
down for three days and cost the company
$10 million or what if it could
introduce some type of physical or
environmental safety issue I had a CSO
uh ciso for a very large Manufacturing
Company in the United States told me one
time that they had a basically a PLC
that if you scanned it with nmap and it
went down it the resulting Chain
Reaction would create an explosion that
would leave a crater in the ground a
mile
wide and he was completely
serious
100% so that's always always stuck with
always stuck with
me so we want to be very careful now is
that an extreme case most
definitely but it's always in the back
of mine do you want to ever take a
chance for me no there can never be
enough liability insurance or errors and
omissions insurance to offset the dangers that
we have in OT
environments so let's go back and talk
about you know when we're walk in the
environment we've already covered most
of this so we're not going to spend a
ton of time here remember the idea is
we're out there we're taking the time to
physically Trace cables but if we're
physically in the site there could be
danger depending on on the site in most
OT environments right there's always
some level of danger just very different
levels right but even in a maybe a tiny
manufacturing facility you're still
probably wearing steel toed boots and
and a hard hat and a safety vest and
safety
glasses there's a reason why you're
wearing the PPE right to protect
yourself in case something goes wrong
you see this is going to take the most
time I always think of this is the one
that that I had added you know after the
fact but I was thinking of because
because I've I've done this before in
whether my home OT lab or in in it what
if I'm tracing cables and uh I'm moving
my hand to the cable behind you know
maybe it's going into a rack and there's
other cables and accidentally you know
one of the other cables comes loose and
I don't realize it well type of issue
did I just
create maybe it's something that's no
big deal maybe it's something that
brings down the environment we don't we
don't
know one of the things we do add in
there though is if you're out there in
the field right if you're out in the
plant one of the things we talk about is
you want to if you have plc's and they
have key switches whether it's like
literally a physical key or sometimes
it's like a dip switch right a little
switch you can just flip up and down the
idea is we want to make sure all of
those are always kept in run mode
because the general idea is if you have
the key switch in run mode it puts the
PLC in read-only
mode so that way it can't be changed at
least remotely by an attacker so they
can't upload malicious firmware or PLC
programming like they did in the TRISIS
incident where the Russians had come
into the petrochemical facility run by
Saudi Arab
and because the SIS wasn't on a separate
segment and that it was connected and
the key switch was in program mode it
allowed the attackers to remotely access
the SIS controllers and upload
essentially a malicious
code so we always want to make sure that
if controllers have those key switches
whether it's a physical key or a little
dip switch then you want to make sure
it's in run
mode and a lot of people say well that
keeps it safe that's not necessarily
true and again this goes back to my
thesis but the idea is that not all
plc's play by the same rules so it's
really up to the vendor some vendors say
yeah if you're run mode you can't make
remote changes now all the plc's that I
tested they allow you even when you're
in run mode to still make changes to the
PLC
code now you can't upload new firmware
so it helps some of the
problem but not all of the problem and
then the other part with this is if
people are just monitoring for the key
switch the problem is a lot of plc's
especially lower-end ones right lower
cost ones that you'll see in more you
smaller to medium siiz environments they
don't have key switches some of them
might have a dip switch but a lot of
even the Siemens S7-1200 that I paid
$1,500 for or that it has no Hardware
switch you can control it through
software but there is no Hardware switch
so I I can't just look for a PLC key
switch and make sure it's in run mode
because it doesn't
exist so there's other aspects that we
want to monitor for like I want to
monitor when it comes out of run run
mode because somebody could have used
software to take it out of run mode to
make programming changes or upload
firmware
so just a couple things I don't want to
go too far off the the
tangent so we can review project file
data again this is and really it's just
idea of how all the information we have
related to the environment right so
Network diagrams is a is a big one of
course logical physical and then we'll
have things like oh plc's and IP
addresses and hmis listed and there are
IP addresses and maybe it has the vendor
information and and so
on other system div design
specifications so you can have a lot
of uh you other documents that go along
with network diagrams they could have
some
details the programming files themselves
for plc's could have potential
information in
there right asset specifications so as
you're designing the
environment those specifications can
give us clues or have information about
like what types of plc's that we have in
the
environment and you can see I mean a lot
of the different records to you and
plans that are associated with the
project can all have Clues to what types
of assets we have in the environment
especially going talk about again those
purchase records which is something that
I don't think a lot of people people
talk about but I was at work one day
realizing as we're going through talking
about a practice
to ensure when our Engineers are
ordering equipment right we have a whole
security questionnaire that goes with it
and then of course these assets
eventually when they're brought on site
are placed into the the asset register
so we should be able to go back through
those purchase records and find
assets there's also another way that
we're going to look at in a minute where
we talk about we can go into the network
and there's different places where we
can look for Clues like on network
switches and firewalls where we can look
at ARP tables so those ARP tables will
show us the IP addresses and the Mac
addresses of any systems that are
sending traffic through that device
again typically a firewall or a a
network
switch and again we're going to come
back and and talk about that in a few
minutes so here's an example of a
network diagram this is one I just got
off of the Cisco kind of OT I site that
they have
and so we can see here's maybe some some
switches right we can see a model number
I don't see any IP address for it so I'm
assuming it has a management interface
that's probably out of band so it's not
connected to the rest of the network but
there's probably still an IP address
there to manage it unless they're making
you physically watch the walk to the
switch to make those
changes but then I can see oh here's
some type of asset at 1 18268
2.400 here's one at 10.1 19511
19.9 right here's oh here's an HMI at
10.1 19511
19.8 so we do have a list of here are
some assets I think of it as as building
a Sudoku puzzle however
you say it his ideas is you get these
little pieces of information like said
oh I have this asset maybe this switch
at iie named ie4000 d119 do25 over here
oh and I know it's in zone one okay
great that's some great information I
don't have an IP address for its
management interface or Mac address or I
could probably look up the vendor right
or in this case okay we know it's Cisco
what
firmware is running on this box right
are there any other potential
applications or software running on the
box probably not because it's a
switch but those all pieces of
information that we need to gather so we
just have this one little clue that it's
oh okay you have a switch that's named
this now go find all this other
information right same thing like when
we're over here and and there's other
pieces because I can say oh well all
these hosts start with
10.15.19 so they're on this subnet 10.1
19519 maybe there's other host in that
same subnet and they're just not on the
the network diagram right so it's just
finding all these little Clues and and
then having to chase them to
ground now this is kind of jumping a
little bit ahead or to the side but this
is what the home lab Network looks like
that we're going to be using to do the
scanning and the the passive sniffing so
this is what I have set up for the doing
the the thesis that I was working on so
you can see I have my my laptop the
engineering workstation at
192.168.100.100 and then it's connected with a
really long Ethernet cable to the other
side of my living
room through an unmanaged network switch
that I paid $20 for off of Amazon so
nothing special and then actually have
four plc's connected to it but we're
only seeing three here but that's part
of the oh well how are we going to find
that fourth
one so you can see I have a click plus
PLC that's at 200 an Allen-Bradley or
Rockwell Automation Micro820 at 220
and then there's the Siemens S7-1200 at 220
that I was talking about and then again
there's there's one other Mystery
Machine this is what I have out there
for the the thesis so I don't have any
other systems that are actually being
controlled and there's there's no HMI
the HMI hasn't shown up yet I'm very
disappointed with that um but so that's
what we're going to work with so kind
we'll come back and look at that but
this is what we're going to be scanning
and this is what going to be looking at
Network traffic for when we come back
and and get into those
sections so earlier we were talking
about one place to find
information about host on the network is
in network switches now I should have
said these are managed Network switches
so remember this network switch I have
in the home lab it's unmanaged so it's
not going to give us an interface it's
not going to show us us any information
so it's it's worthless other than it
provides connectivity which you know
that's all I cared about
honestly but if I have let's say Cisco
Network switches in the environment
which is still very popular in in
OT right I can log into the
switch with an administrative name and
and password and I can look at the
config sometimes the configs have pieces
of information like in this case you can
see well the switch probably has a a IP
address of
192.168.1.1 so maybe that's what they're
using as a default gateway so they're
using it as a router which you can do
with a what they call a level three
switch right can see some descriptions
on ports like plc-1
firewall-1 valve do-1 so oh okay well I
have a PLC and maybe it's named
plc-1 what's the IP address on the
interface named FastEthernet0/1 right
now there's a new PLC I can add to the
asset register okay it's plain
Sudoku and when you're on that managed
switch you can also tell it to show you
the ARP table so the ARP table tracks
all the IP addresses and the Mac
addresses and the MAC address is that
physical 48-bit address that we assigned
to the network interface
card when we connect it or that we
connect to the network
and so we have that physical address the
MAC address on each network interface
and then we logically assign it an IP
address so we always talk about well we
talk IP address to IP address well
really we talk Mac address to MAC
address the IP address and that's that
logical address that makes it easier for
for us to be able to connect to
computers at that transport layer of the
OSI
model but with arp right we can go to
these network devices and we can also do
this on on our machines which we're
going to take a look at in a
second but any machine that either
passes tcpip traffic or that talks
tcpip it's going to have a command to be
able to look at the ARP cache to see oh
yeah in this case right I can see
there's one two 3 four five six seven
different host with IP
addresses I can see how long that's been
in the cache right when's the last time
that communication was seen now in this
case I don't see who's talking with who
I just see there is a host at
192.168.0.1 and that it has a MAC
address of 0000
BB2
6f and then can also see it's on VLAN 80
which is also another great piece of
information we can use but again I'm
really interested in those IP addresses
and the Mac
addresses so that's with being able to
look at the the ARP
cache so real quickly just going to like
okay we're talking about ARP and ARP
caches so what the heck is ARP so arp we
use in the world of
tcpip to allow computers initially to
find each other and it's also very
important when we do things like was
tied in with the DHCP process right if
you you have a host like a let's say an
engineering workstation maybe that
doesn't have a static IP address for
some reason if you had a DHCP server you
could use it to assign a dynamic IP
address to that that workstation now
that's usually just in it you should
have static IP addresses for everything
in OT there's no reason not to right
don't don't be lazy so but the idea is
that ARP allows us again to map those
logical IP addresses to the physical
addresses the MAC address on each of our
network interfaces it's a 48 bits long
which usually represented in
HEX and then it's broadcast traffic
which means it goes to all of the
computers on that local network so
everybody's going to see it and and
we'll see some examples in in a second
so that traffic goes everywhere on the
network
so if there's a computer there if
there's an asset there and it talks
TCP/IP or it's able to at least see ARP
traffic and understand it it will see
the traffic and then try to to process
it now you can see that last note is
broadcast traffic including ARP right
that's actually blocked by routers
because you don't want to have like this
broadcast traffic sent everywhere and
then it gets out to the internet and it
tries to go everywhere on on the
internet and everybody else is doing the
same thing your bandwidth would fill up
and everything would
crash so we do broadcast in a very
limited fashion you even use broadcast
to do discovery of assets like those
plcs I had in my doing the home
research right when I had like the Click
PLC when I installed the click PLC
software on the engineering workstation
the first thing it does is it sends out
a broadcast out on the network to say
hey are there any click plc's out there
and if there's any click plc's out there
on the network they respond back and say
yeah hey I'm here here's my IP address
here's my Mac address here's my firmware
version hey I'm in run mode or I'm in
stop mode it's they give a lot of
information here's my
name like too much information but it
makes it super easy right to set up and
configure right that's that whole
balance between if it's easy to use it's
probably not secure and vice
versa so if we want to look at ARP
traffic and we can generate ARP traffic
if we want now we can go back and
actually have Wireshark running so just
capturing traffic from the let me uh go
back to there it is so here we have Wireshark
oh my gosh I think I had just
updated it so it's
a very tiny window so let's yeah blow it
up so it makes it easier to
read and so here's all the traffic
that's happening on the the home
lab and I can see oh yeah there's an
engineering workstation to that's the
remember the Dell right there it's
taking that 48 bit Mac address and it's
remember if we take that first half the
first 24 bytes or bits sorry
and we do a lookup on the IEEE MAC
database we can see who the manufacturer
is so I see oh Dell oh okay well that's
my
laptop or oh Siemens oh well I guess
that's the Siemens PLC or Phoenix
contact right or and then I guess those
are the ones that we see there there's
there's a few more out
there but that's the idea if we start to
see the traffic if I want to limit it
just to the ARP traffic I can just go up
into that upper field type in ARP and
then hit enter now we can see just the
ARP traffic that's that's been captured
from the
network and usually remember with ARP
again it's computers trying to find
other
computers and so and you can see oh yeah
here from this Rockwell device it's any
broad so it goes out to everybody on the
network over ARP and it says hey who out
there has an IP address of 169.254 do1
153-178 in this case probably what
happened is that PLC got turned on and
the DHCP server that I was using
cheating with uh was turned
off and so it was saying hey I'm going
to give myself an IP address in this
169.254
15531 178
range if you're out there and you're
using this IP address tell me now and I
won't use it but if it doesn't get a
response back and it sounds like that IP
address is free it'll use the IP address
idea is we just want to check because if
you have two hosts using the same IP
address there's going to be
conflicts and then one will send traffic
one won't they'll be stepping on each
other and you'll have lost connectivity
and you'll you'll drive yourself crazy
trying to troubleshoot it
so that's one type of of ARP or
broadcast you can also see the more
common one is the second one we see
where you can say oh who has
192.168.100.210 tell
192.168.100.100 what that means is the engineering
workstation at
192.168.100.100 remember you can see
the source says
Dell it wants to talk with the PLC
at .210 but it hasn't talked to it yet so
it doesn't know what the MAC address is
we again we know the IP address but we
don't know the MAC address the only way
to get the MAC address is to send out
this broadcast and just shout out on the
network hey if you're out there hey 100
tell me what your Mac address
is and then if 100's out there it should
respond back and say oh yeah here's
here's my Mac address
we don't actually see it uh right oh
actually it probably responded back not
with a broadcast but unicast or
pointto point which is why you probably
don't see
it but that's some of the ARP
traffic if I go ahead and let's go ahead
and oh let me hide my little recording
bar let's go ahead and stop this we're
going to go and let's do a brand new
capture right because what we're talking
about about back on the slides is we can
use nmap as a tool to generate an ARP
broadcast on the local subnet to
hopefully find hosts that are out there
and you'll see how effective or let's
say ineffective it could be right it's
more effective in in certain
environments I surpris it's less
effective but let's let's go ahead and
open up nmap all right so if I use
nmap and we're going to go ahead and
test against our 100.0/24 that's the
subnet mask so or subnet range and
subnet mask for the the home research
lab and what I'm going to do is I'm
going to do a -sn (dash, lowercase s,
lowercase n)
that basically says do an ARP
broadcast so if I go
back to Wireshark you can see that's
exactly what nmap is doing you
can see it's just saying hey
192.168.100.1 are you out there
right we go all the way to the beginning
right are you out there right or I guess
kind of out of order
but one are you out there two are you
out there 85 are you out there 86 are
you out there 87 are you out there it's
going through all 254 possible
combinations to say hey if you're out
there if you are tell me and I'll add
you to my list so here we actually see a
response somebody responded back and
said oh yeah hey I'm
192.168.1 100.2 200 and I'm at 00 d07
c18
5687 so well now we know there's
something at
192.168.1 100.2 and it has a MAC address
of 00 d07 c1a 5687
and we took that 00:D0:7C the first half
of the MAC address and we looked it up
or Wireshark did in this case in the
IEEE database and it says oh that was
manufactured by Koyo
Electronics I know that's going to be
the click
PLC again this is how we can look at
Network traffic to get an idea of oh
yeah there's two host right there's one
at
192.168.100.2 and
192.168.100.100 and if we keep going down then oh
we found oh here's somewhere here's
somebody who's a Rockwell device and
it's responding saying hey I'm at 210
and my MAC address is BC:F4:99:00:13:92
and if you take that BC:F4:99 and
you look it up in the IEEE MAC database
you see Rockwell
Automation like oh okay well there's the
Rockwell
820 the micro 820 PLC I have sitting
over
there so again it's building the suduku
puzzle now some OT environments will
tell you not even to generate ARP
traffic that is too dangerous so that's
a whole conversation you have to have
and and any type of scanning or any type
of network traffic you create you're
going to need authorization to do
that in the
environment most people will tell you
that you know our traffic is very
limited it's not I guess heavy to to to
hit systems if it's just like one packet
hitting all of them you know one
time so I think a lot of environments
will say yeah there's a
place but that's the idea of an ARP
broadcast where it just ask hey if
you're out there on the network tell me
and you could see that there were some
responses saying hey I'm here here's my
Mac
address so we have that ability and then
nmap comes back and puts it oh in the
screen for you and says oh yeah well we
found someone at 100100 well yeah that's
the workstation we're running the the
scan from so thanks for
that and then we can see oh there's
there's something at 251 but we don't
know what that is
yet it's actually another IP address on
the same laptop so don't get too excited
there now we can also see that oh
there's one something at
100.2 and it's we don't know exactly
what it is but here's its Mac address
and here's the vendor Koyo Electronics
that's the Click
PLC and then here we have oh there's a
host at 192.168.100.210 and well
that is an unknown Mac address which is
we see nmap doesn't know what these are
because it hasn't updated its IEEE MAC
database but Wireshark
does so Wireshark's own local database
is more up-to-date than this version of
nmap and this should actually be a
fairly new version of
nmap so that's why nmap and Wireshark
look different they're just using
different versions of that
database now also remember there's two
other plc's out there but we're not
seeing them here and so as we get
further on through this part we'll see
well why is that why aren't we seeing
that well are they talking tcpip or
maybe they are talking TCP but maybe are
they hidden in some way shape or form
right something something to consider
but not to to give everything
away sometimes and this is a screenshot
I took from another wire shark capture
and in general
uh broadcast traffic what you see is the
destination is all FS which represents a
subnet mask and destination of
255.255.255.0 which logically means we
go to Every machine on the network right
this was just a different type of
capture this was not nmap
traffic right um and here's a screenshot
of this was on my home it
Network right so I can see my default
gateway at
10.21.13
1.24 or oh again there's some unknown
device but we know it's at 10.2.1
247 I see there's oh some type of Intel
device that's almost always like a PC or
a laptop I see that at 10.2.1 254 and
then oh there's a Roku TV at
254 right right down
here and then there's also something at
252 but we're not sure what that
is so get lots of information right and
that's a great tool to use I love nmap it's
still my favorite tool and it's 25 years
old and I've been using it pretty much
since day one when it came out so we'll
talk a lot more about that as we go on
but that's just a real quick brief in
introduction so I also mentioned you can
go into other different types of systems
to look up the the ARP
table so I can go and I can if I open up
the command prompt on my Windows machine
and I type in
arp -a you can actually see and this for
every inter I have every interface on
the machine I have a ton of interfaces
because VMware is installed and a few
other things are emulation software is
installed
but you can see for this one interface
it knows oh here's a bunch of IP
addresses and their Mac addresses now
some of these are are not valid IP
addresses for individual hosts they're
either what we call localhost or
they're broadcast addresses or they're
multicasting addresses as well so a lot
of and I know this is not that place to
have that discussion but I realize some
of these are not valid host right we're
looking for things if you want to think
like in in the middle of the range so
we're not looking for one we're not
looking for
254 but I'll take oh there's
210 right or 254 that could be
legit and that's oh um no that's that's
probably about it those are the only
legit IP addresses so this is not the
greatest example I'm sorry because of
the way all of this do
work but that's where we're at actually
see in here so you have to limit all the
things like the broadcast addresses
remember all fs and all those local
hosts like 1.1 or 1. one it actually
could be a legitimate
host everything else those are all
multicast addresses plus the Last
Broadcast so those are not you know
individual host in which we're looking
for now Linux you can see oh here
there's the host has a Gateway and
here's the MAC address you still have to
do a look up what's the IP address for
the Gateway
and then here you can see oh yeah here's
two other hosts one at 2.2 and one at
254 and here's the Mac addresses for
those so I'm not sure if those examples
help or H it depends on if you have some
tcpip experience so it's a way to look
for again hints on where are some IP
addresses and what are those Mac
addresses that are out there but it's
not as easy as oh here's all these IP
addresses because again most of these IP
address addresses are not actually valid
host IP
addresses so we've already alluded to
this idea that if we want to do active
scanning or we want to map the network
using a tool like
nmap that it can be very risky or
dangerous if we want to just use nmap or
another type of scanning tool like a
vulnerability
scanner to just Blast away on the OT
Network now perfect world we can scan
everything at any time and not worry if
anything the problems I see in a lot of
OT environments is it's not that nmap's
going to necessarily blow something up
or vulnerability scanner is going to
right it's going to take out that PLC
that's going to cause an explosion and
put this huge crater in the ground
is the fact that maybe the network is
not wired
correctly and so by generating an nmap
scan it could take down the network
if the network switches aren't
configured correctly that that could
definitely
happen so we H we still have to be
careful a couple things to remember yes
we're going to be careful if we're doing
any type of network scanning we have to
have authorization
first keep in mind and like we'll see in
the lab right not all those plcs are
running
TCP/IP so when we do a look you know an
ARP scan to look for hosts running TCP/IP
and get their MAC addresses remember we
only saw two assets
respond but we know there's two other
PLCs
there like hm okay well what are they
running
and we'll talk more about this as we go
on when we get into the threat and
vulnerability management part which is
next right or say that says UniFi but
it's part six so the next next uh
video again with active scanning we're
only going to do this with authorization
right and the whole point with active
scanning is we're generating packets to
put on the
network why people in OT environments
get scared when you do this especially
the the old school folks
is that older OT equipment they're not
designed to understand different types
of network packets they're only designed
to understand the specific Network
packets that are legitimately being sent
to it they don't have you know basically
error checking information or error code
or collection built in so if I get am an
older PLC and I get this packet that's
saying hey what's your Mac address but I
don't understand what ARP traffic is I
get so confused that it takes up all my
resources and I
crash that's why active scanning still
has a bad
name in OT environments and it can still
cause issues right and so we always want
to make sure are people going to be safe
is the environment safe is the plant
going to stay up and running can you
guarantee those things
100% if you can't don't think about
running
nmap
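The ARP cache walkthrough above (arp -a on Windows, the neighbour table on Linux) and the OUI lookup Wireshark did on 00:D0:7C and BC:F4:99 can be folded into one passive step that sends no packets at all: it turns a cache dump into asset register candidates and throws out the broadcast and multicast entries the Windows example was full of. This is an added example, not code from the course: the arp -a and ip neigh lines, the MAC suffixes and the 192.168.100.0/24 filter are constructed, and the OUI table holds only the two prefixes the walkthrough named.

```python
"""Turn ARP cache output into asset register candidates.

Added example (not code from the course). Parses constructed Windows `arp -a`
and Linux `ip neigh` lines, drops entries that cannot be individual hosts
(broadcast, multicast, the subnet's network/broadcast address), and tags each
MAC with a vendor from a tiny OUI table.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# OUI (first 24 bits of the MAC) -> vendor. Only the two prefixes the course
# walkthrough resolved in Wireshark are listed; everything else comes back as
# "unknown", just as nmap reported MACs missing from its older OUI file.
OUI_TABLE = {
    "00:D0:7C": "Koyo Electronics",     # Click PLC
    "BC:F4:99": "Rockwell Automation",  # Micro820 PLC
}

# Constructed sample: a Windows `arp -a` interface block followed by one Linux
# `ip neigh` line. Hosts and MAC suffixes are made up for this example.
SAMPLE_ARP = """\
Interface: 192.168.100.100 --- 0x5
  Internet Address      Physical Address      Type
  192.168.100.1         00-11-22-33-44-55     dynamic
  192.168.100.200       00-d0-7c-1a-56-87     dynamic
  192.168.100.210       bc-f4-99-00-13-92     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
192.168.100.220 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


@dataclass(frozen=True)
class AssetCandidate:
    ip: str
    mac: str
    vendor: str


def normalize_mac(mac: str) -> str:
    """Upper-case, colon-separated form so Windows and Linux output compare equal."""
    return mac.replace("-", ":").upper()


def vendor_for(mac: str) -> str:
    """Look up the OUI (first three octets) in the table; 'unknown' if absent."""
    return OUI_TABLE.get(normalize_mac(mac)[:8], "unknown")


def parse_arp_entries(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs from every line carrying both an IPv4 and a MAC."""
    entries = []
    for line in text.splitlines():
        ip_match, mac_match = IPV4_RE.search(line), MAC_RE.search(line)
        if ip_match and mac_match:  # header and "Interface:" lines carry no MAC
            entries.append((ip_match.group(1), normalize_mac(mac_match.group(1))))
    return entries


def reject_reason(ip: str, mac: str, network: ipaddress.IPv4Network) -> Optional[str]:
    """Why an ARP entry is not an individual host, or None if it may be one."""
    addr = ipaddress.ip_address(ip)
    if mac == "FF:FF:FF:FF:FF:FF" or addr == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if mac.startswith("01:00:5E") or addr.is_multicast:
        return "multicast"
    if addr in (network.network_address, network.broadcast_address):
        return "subnet network/broadcast address"
    if addr not in network:
        return "outside the subnet being inventoried"
    return None


def build_register(text: str, network: str = "192.168.100.0/24"
                   ) -> Tuple[List[AssetCandidate], Dict[str, str]]:
    """Split ARP entries into host candidates and a map of skipped ip -> reason."""
    net = ipaddress.ip_network(network)
    hosts: List[AssetCandidate] = []
    skipped: Dict[str, str] = {}
    seen = set()
    for ip, mac in parse_arp_entries(text):
        reason = reject_reason(ip, mac, net)
        if reason:
            skipped[ip] = reason
        elif (ip, mac) not in seen:  # the same pair can show up on several interfaces
            seen.add((ip, mac))
            hosts.append(AssetCandidate(ip, mac, vendor_for(mac)))
    return hosts, skipped


if __name__ == "__main__":
    found, dropped = build_register(SAMPLE_ARP)
    print(f"{'IP':<16} {'MAC':<18} VENDOR")
    for host in found:
        print(f"{host.ip:<16} {host.mac:<18} {host.vendor}")
    for ip, why in dropped.items():
        print(f"skipped {ip}: {why}")
```

Anything that comes back "unknown" is a Sudoku clue to chase to ground, not a finished row: the OUI identifies a network interface vendor, not the asset behind it.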
so there's a a give and take there's
there's a balance especially in newer
environments right there's there's an
approach that that we'll talk about
where we can find that that good balance
where we can scan and and where we can't
or where maybe we can again it just is
going to depend from environment to
environment and we mentioned the common
network
scanning tool we use is nmap whether
it's an it or or
OT because it it's been around for 25
years and and it's still the one tool
everybody use it's like wire shark
because it works and it does an awesome
job I do anything else any other tools
you say Network scanning tools uh that
are quote unquote better than nmap it's
only because they're faster and they can
be super fast and those could definitely
crash an OT Network because they can
definitely crash an IT Network that's
wired correctly so they could easily
crash an either an OT Network that's
wired correctly or an O OT Network that
is not wired correctly at all if you
want to see some of the horror stories
you can follow uh Josh Vorhees on uh
LinkedIn he runs a company called trace
route and that's his whole focus is
doing networks in OT environments and he
has you know crazy stories about
networks going down or you know assets
not able to talk to each other and they
get called in to to do troubleshooting
so it's really fascinating at least for
me you being an old networking
person so let's talk about nmap a
little bit now I have a full nmap
Workshop that I'll I'll probably post
either alongside this or or after the
course but uh I mentioned I'm a I'm a
big fan I've always been a big fan since
day one I remember when nmap pretty much
came out and and it was this amazing
tool where it's like oh I can map I can
see what hosts are on the network and
not only what hosts are on the network
what what ports are open on those host
TCP and UDP Port so then you could start
to guess
what services are there over time nmap
added additional functionality like
service script scans that we're going to
look at to give us more information but
it's an amazing amazing tool right and
again still is it's the reason why
everybody still uses it 25 years down
the road it was created by a gentleman
who went by Fyodor so he was
reading Russian literature at
the time that was his thing so but
Gordon Lyon I got to meet him at
Defcon one year many many years ago and
uh I think nmap 2.0 was was out at the
time but you can download nmap from
insecure.org even though humans are
insecure computers are unsecure but
anyways um nmap runs on just about any
operating system out there whether it's
Windows Linux uh any variation of of
other uh systems that that are out there
uh Android you can you can run it I saw
a study where they're talking about the
software that comes with entertainment
consoles and high-end cars and there was
you know $100,000 Mercedes that had nmap
installed on them which which is kind of
funny because it used to come just
installed by default on a lot of Linux
hosts there is a GUI interface in it
called Zenmap if that's your thing I think
a lot of people look down at you though
if you use the GUI interface right
you're supposed to use the command line
uh you can see the current version is
7.94 uh and then I actually have some
quick start guides that you can find on my
GitHub
repository and you can see the URL there
and this is what they they look like so
there's one
for it so this is the it version and so
it gives you some the basic commands of
scanning a subnet running things like
script
scans and service scans which are
incredibly powerful in nmap and
then there's also the ICS/OT
version so it has some of the the basic
scannings like from the the previous
quick guide but then you can see things
like in the lower middle you can see a
list of you know some of the more common
ports that we see for industrial control
protocols that run over
tcpip so when we talk about mod bus or
really again it's mod bus over
tcpip we can see it runs on TCP
502 or S7 S7 com right the Seaman
industrial control protocol it runs on
TCP 102 and and so on and so forth so so
those are there to help you get started
with map whe whether it's in it or in
icot so we'll play around with some of
this in a little bit when we talk about
active scanning and and looking at the
home
lab now with scanning a network and this
is what I was touching on a little bit just
a few minutes ago is using a tool like
nmap we can go ahead and scan the
network and really what we're looking
for is we're looking for what hosts are
on the Network right so we're looking
for live hosts so really I'm almost
always looking for IP addresses just
like we were looking at earlier when
we're looking in, you know, the Wireshark
capture or the ARP tables right I want
to find IP addresses and MAC addresses
that indicate live hosts right hosts
that are on and active on the
network then we have open ports right in
TCP we have
65,535 possible ports that can be active
and open on one system running
TCP/IP and then you also have
65,535 UDP ports as well and we're going
to come back in in a little bit and talk
about the differences between TCP and
UDP now once I see those ports are open
then I can do additional tests using
nmap like service scans to determine
well what's running on that open port so
maybe I see TCP 22 is open and I can
assume that's for SSH but let's not make
any assumptions let's do some additional
checks because maybe it's not SSH but
maybe it's being used for SFTP like
secure
FTP which yes it uses SSH but but I
think you get the idea so we want to do
additional checks to make sure what
really is the service that's running on
that
port same thing if I see TCP 502 open
I can assume it's Modbus but is it let
me double
check and then if it is well then maybe
I can determine oh then maybe it's a
PLC but we want to find Live host we
want to enumerate or determine what open
ports are on those host then we want to
find out what services or applications
are tied into that
Port then we want to find the version of
that software of that application so
earlier we mentioned SSH well what
version what type what vendor of SSH oh
it's OpenSSH version
2.22 well if I have that version
information and the vendor information
and then the the type of software I can
use my best friend Google to see are
there any vulnerabilities associated
with this
software or maybe I determine oh this is
a PLC well what type of PLC what version
of firmware is it running because
there's nmap scripts that will help
you find that information on PLCs and
we'll see that when we look at, when we do
the active scanning on the
lab so I can take that information again
back to my friend Google and say hey are
there any vulnerabilities on this host
and if there are then if we're an
attacker or a pen tester right we win
essentially if we're on the defensive
side we need to determine what do we do
next now I'm jumping ahead right because
that's the next part in the course where
we're talking about threat and
vulnerability management so we're not
going to go too far down that rabbit
hole right
now but Live host to open ports to what
services and applications are running on
those ports to what version of those
services and applications because we
want to go to our friend Google and
determine are there any existing
vulnerabilities on these
hosts and well if there is a
vulnerability is there an exploit
that we can use to take advantage of
that vulnerability and maybe gain full
control over that
asset so those are our scanning
objectives now nmap has a whole bunch of
different scans that it can do and this
is one where I'll just, I don't have a
slide on this but I remember the first
time I took Ed Skoudis's course and Ed
Skoudis is considered kind of the
godfather of pen testing and he built
all the offensive security courses
for
SANS and so Ed is a super, super great
guy I mean like many of the SANS
instructors they're just all really
phenomenal people that want to help
but I remember him talking about if you
really want to understand how your tools
work, run Wireshark behind the scenes so
that way you can go back and watch
what's happening just like earlier
remember we were watching
that ARP traffic that was being
generated by an ARP scan in
nmap so we could actually understand
what's happening or what's being taken
place by the actual tool
itself so just keep that in mind you
don't have to do it but I've done that a
big part of my career especially when
learning so that way I could watch the
tool see what it's doing behind the
scenes actually in the first
SANS ICS course that I took they had some
nmap commands and they said oh only
use this nmap command because it does
not do, trying to remember at this time,
right
XYZ and basically I had to point out
well if you run Wireshark and you run
this command just as you have it for
nmap it actually does, it doesn't do XYZ
but it does Y and Z which is you
definitely don't want those happening in
an OT
environment so use Wireshark while you're
running these tools to understand what's
actually happening behind the scenes how
are they what are they actually doing on
the network that's even more important
now in OT than in IT again IT, a lot
of environments is just like scan away
24/7 365 scan whatever you want whenever
you
want that's what it is like at my day
job I can scan 40,000 hosts anytime I
want in an OT environment maybe with 100
host or 50 host I'm not scanning
anything
usually we'll talk more about that as
well so one of the first types of scans
that we're going to run with nmap is a
ping sweep so this is where typically
nmap will send out an ICMP echo request
which is that first part of the ping
packet to say hey are you there and if
it gets a response back we understand
that there's a host there if that host
responds back with an echo
reply and that's generally how it
works there's some small exceptions, you can
run Wireshark in the background if you
want to learn how those different
exceptions work but let's go ahead and
open up a command prompt and we can go
ahead and just do a quick scan against
the home lab that we have set up again
where we're just going to do a quote
unquote ping sweep and send out an echo
request now technically behind the
scenes since the host recognizes that
it's on the same subnet as the host that
we're targeting so the engineering
workstation is on the same host as the
rest of the lab it realizes since
they're on the same host he can
just do an ARP broadcast to get a
response and not have to send out ICMP
packets so that's actually what's going
on behind the scenes if you're not on
the same subnet you're trying to scan
then it'll actually send out ICMP echo
requests but
anyways so here you can see that we did
a quote unquote ping sweep against the
home lab and we saw oh okay there's a
host at 100, at 200 and that looks like
that's associated with Koyo
Electronics there's another unknown host
at 200,
210 and then there's another one at 220
where we see
Siemens so we have a Siemens Industrial
Automation product so some Siemens thing
is there at 220 we have some unknown
entity at 210 and then at 200 we have
Koyo Electronics right so we have an idea
at least that there's these three host
that are on the subnet that we can pick
up from active scanning now remember
there's there's more because we have the
engineering workstation but we're
scanning from the engineering
workstation so we don't see it and
there's actually another PLC out there
that is active on the network it's just
not configured with
TCP/IP so once we find hosts that are out
there we want to do a port scan right
this is going to allow us to find the
individual ports that are open on that
asset usually use the example if you're
not familiar with ports the idea is
especially I always think of it as from
the attacker perspective is think of if
somebody wants to break into a house in
your neighborhood they're going to
they're going to drive through in their
probably in their car maybe they walk
through the neighborhood and just
casually looking for are there any open
windows or maybe any doors that are
popped open maybe the garage door is
open and so they're looking for those
openings that you can use to get into
the house well in this case those ports
are the doors and the windows that we
can use to get into the
system now we talk about each host
running
TCP/IP each of those has
65,535 TCP ports and then you have
another
65,535 UDP ports as well now we're
mostly focused on the TCP
ports and we'll talk about that in a
little bit why but it takes a long time
to scan all the UDP ports where doesn't
take too long to scan all of the
65,535 TCP ports but that's the
differences between how in TCP and UDP
work and we're going to come back and
talk about that now we also look at
ports and there's this idea that we have
these well-known ports so any port
between 1 and 1024 essentially is
considered well-known which means if I
see a port like Port 80 that oh we know
that Port 80 that's used for HTTP that's
the the default Port that's used for a
web server for a web page or if you're
going to the encrypted version you would
go to Port TCP
443 right those are commonly known ports
so the idea is that people aren't
supposed to use those ports for anything
else than what they're commonly known
for it doesn't mean that, normally
right TCP 25 is used for email, SMTP, to
send email but what
if I put a web server on Port 25 you can
do that you can put pretty much any
application on any port you want you
just have to maybe make some adjustments
to be able to reach it like in that case
you have to take tell your web browser
not to go to Port 80 or 443 by default
but to go to Port 25 it'll still work
you just have to do the extra work to
say hey go to Port
25 realistically anything over 1024 is
kind of wide open there's this idea sure
there's registered ports and so they're
associated with different applications
but
yeah and then say and then there's free
ports again for me everything over 1024
pretty much is open you can do a Google
Search and there's a couple main pages
on the internet that will show you you
know Common applications with associate
ports but a lot of those still have
dozens of applications associated with
them so it's not like a one-to-one
relationship so again at that point does
it really matter if I put my own
application on a port that 20 other
applications are going to use as well as
long as they're not running on the same
machine there's no
conflict it's only when you try to run
two applications using the same port
that's where well one's going to bind
into the port and use it and the other
one's going to be like sorry the port's
not available I'm not going to be able
to work until you put it on something
else so we want to go through and find
all of the different ports that are open
on the system right if we're the thief
walking down the neighborhood we're
looking for the houses we're looking for
the windows we're looking for the doors
then we're starting to look at well what
you know do does it look like the the
windows cracked open or maybe somebody
left the garage door slightly open right
maybe a door ajar so we can slip
through that's really what we're we're
looking
for so we'll take a step back and talk
about and I mentioned right there are
differences between TCP and
UDP idea is TCP is what we call a
connection oriented protocol versus UDP
which is
connectionless the idea is and we use
the example that if I want to send, I was
talking about I want to send a, say,
Christmas card to my mom who actually
just did until recently, she used to live in
San Diego on the other side of the
country so if I wanted to send her a
Christmas card I would take it down to
the post office I get the letter or the
card in the envelope and I would
address it, I'd put her address on it
I put my address on it and then I put a
stamp on it and then I would
drop it in the post office, in
the mailbox and I'm going to assume that
it's going to get to where it's going
now I know there's a million and one things
that could go wrong between where I live
in South Carolina on one side of the
country and San Diego where my mom used
to live, she just moved here
actually, but she might not ever get
that letter right that's the idea of UDP
traffic it's connectionless we just just
put packets out there with an address
right we say this is where it's going
get it there but we don't have an idea
of if it actually ever gets there or not
if I want to make sure my mom gets that
Christmas card I can go
to UPS or FedEx and then I can or the
post office and I can ask for a return
receipt so I get guaranteed delivery so
when they drop it off at my mom's house
I even get a picture right here's the
the letter at your mom's house or here
your mom actually signed for this right
there's a return receipt so I know
without a certainty of a doubt that she
got
it that's TCP so when we say connection
oriented protocol it means there's a
return receipt there's guaranteed
delivery where UDP has no such guarantee
but because we're not we don't have this
extra overhead doing the guarantees it
actually makes UDP very
fast so when we talk about sending large
amounts of
data we like to use UDP because it's
much faster than
TCP so when we're doing something like
streaming Netflix and we have billion
billions and billions of packets and you
know what if I lose one or two packets
it's not a big deal it's not going to
stop the show from from playing the
human eye is not going to notice a
difference on the TV that a couple of
packets were
dropped and so it's much quicker to use
UDP for for things like
streaming TCP when we talk about that
connection oriented protocol right it is
reliable it is slower but it has its
play sometimes especially when we talk
more about security
usually and part of the reason when we
talk about having that connection
oriented protocol or how we get this
idea of guaranteed delivery it comes
because of the three-way
handshake and so the three-way handshake
looks like this where if I have my
computer let's say on the left hand side
and I want to talk with let's say this
this web server on the right hand
side so before I can just have my web
browser open up a web page from the
server my computer actually has to go to
the server on the port that the website
is running on and say hey I want to talk
to you that's why it sends that
synchronization or that SYN packet
says hey I want to talk to you and then
the server, now it needs to send an
acknowledgement back to say hey I want
to talk or I'll talk with
you right so we send a SYN packet and say I
want to talk with you and then the
server is supposed to send an
acknowledgement back, says okay I'll
talk with
you the problem is is when we set up
that connection that's that only allows
the client on the left to send data to
the server on the right it doesn't allow
the server on the right to send data to
the client it's a one-way connection so
when two computers talk to each other
over TCP/IP we have to set up two-way
communication so they realized back in
the day instead of sending you know a SYN
packet and then an ACK packet for one
way and then the other way you would
send another SYN packet and another
acknowledgement or ACK packet right
which would be four packets,
that they took the two middle packets
and combined those into one just to
save some time and space, saves
bandwidth so now that client wants to
transfer the website, the web page
right, sends a synchronization packet to
the server, says hey I want to talk to
you the server sends the acknowledgement
back saying hey I want to talk to you as
well or I'll talk with you as well and
then it also combines its SYN packet to
say hey I want to talk with
you and then the client gets that and
says oh okay he's talking with me oh and
he wants to talk with
me right so one he's going to receive my
information and then it's oh he wants to
send me information as
well, he or
she, and then it'll take my computer and
then send that final acknowledgement
back to say okay I'll talk with you so
then we get two-way communication
between these hosts
again the idea is we could have done
that with a four-way handshake a SYN an
ACK a SYN and an ACK but why not just
combine that SYN and ACK packet into
one so we just save the time and
bandwidth so that's the idea of the three-way
handshake now the three-way handshake
becomes important when we talk about
nmap because that's what nmap uses to
determine when ports are open or if
they're closed or if they're filtered by
a firewall when we're talking talking
about testing TCP
ports and packets can have different
flags so the SYN is a type of flag the
ACK or the acknowledgement that's
another type of flag and there's others
like URG or PSH which you could see
these are more kind of old school when
you used to have really slow networks but
trying to you know push in urgent
traffic or push it through to make it
go
faster so usually you'll see
ACK so you'll start seeing these as we
go through some of the Wireshark
captures later on but then and then
there's also the FIN and the reset so
this is for when well we're done talking
you know I've got my website you I
loaded the web page I've I've got what I
needed out of you so thanks take care
and we go ahead and close down that that
connection so that's where we'll see
other flags like fin and and
reset so there's a SYN scan that we have
in nmap right which is kind of
the default nmap scan that we have
now or they talk about this half-open
scan because what happens is that let's
say here I am and I'm doing a port scan
on this server and so I'll go ahead and
send a SYN packet to port one saying
Hey I want to talk to
you if that port is open the computer
will come back and say okay yeah let's
talk and I want to talk with you
too and so at that point we have the
information we're trying to get and we
know in this case Port one is open and
then maybe I'll try Port two and three
four five six until I get oh Port 80 oh
Port 80 sends me a SYN/ACK so I know okay
Port 80 is open again I'm not trying to
load a web page off of Port 80 I just
want to see if it's open or not so at
this point I know the port's open or not
so done from a port scanning perspective
we're done we don't have to send the
acknowledgement I got the information we
need right I know that the port's open
so that's why they call it a half open
scan because we never send the final
acknowledgement we know the port's open
that's all we came for so we're done
we're moving
on ports open we win at this
point now the full SYN
scan right and the idea here is right if
I send the SYN
packet and what happens when I get a
reset ACK back from the server that I'm
scanning what this means is that well
the port's closed so what happens is the
SYN packet actually got to the server and
the server processed it and the server
says oh hey you're testing Port one
nothing nothing's running on Port one so
it sends that reset acknowledgement back
saying nothing here is running on Port
one so again there's there's two things
that happen at that point is again we
know we're communicating with the server
because the SYN packet got there and it
sent us a reset ACK back so we know we
have two-way communication with the
server and we know the port's closed so
again we're trying to scan are the ports
open or closed well in this case now we
know the ports closed so again it's
another one where we
win the other combination we see is well
what happens if there's a firewall
whether it's a network-based firewall
it's a host-based firewall that's
blocking traffic because if you think if
I send a SYN packet to test a port and
the firewall blocks the
traffic then I never get a response back
I'm just sitting there waiting and
waiting and waiting so if I don't get
any type of response back then we just
realize okay the port's filtered there's a
firewall blocking us or maybe it was
some just really freaky network
connection that just went bad at that
one particular point in time but let's
say all the time right it's it's going
to be oh there's a firewall in the way
so the three options we have is when we
scan a port if we send a SYN packet and
get a SYN/ACK back it means oh yeah that
port's open good okay we know we have a
Target we have a window or a door that
could potentially allow us to get into
the
house remember if I see a reset ACK that
comes
back in that case it means right the
port's closed because we're talking with
the server we said hey we're just
checking what we want to talk to Port
one and the server just comes back says
Hey Port one's closed there's nothing
here like okay that hey you know what
that's all we wanted to know open or
closed remember the third alternative is
if we send a SYN packet and there's a
firewall blocking that traffic we never
get a response so after an amount of
time we'll just say okay we're going we
haven't got a response back we're not
going to wait anymore we're just going
to say hey y you know what that that
Port is filtered means there's a
firewall somewhere between our computer
and the target we're scanning right so
we get closed open filtered
so we can do these default scans we can
pick one of
these systems that we have
in
the home
lab so let's say I'm going to go ahead
and
scan I mean they're all kind of the same
now I can scan 192 say do 16800
100 oops or sorry 200 so this is the
Click PLC that we have
in the lab again it doesn't tell us much
we don't see any open ports we don't see
any closed or well we see a thousand
closed ports and what this means is by
default I'm kind of go back to the slide
I'm kind of jumping
ahead by default nmap scans the most
common 1,000 ports so Fyodor had a
project once upon a time where he
scanned the entire internet with nmap
and then he took all those results and
then just went through and determined
you know which Port was seen the most on
the internet he just put them all in
order so it's like oh okay so we can
come up with this idea of whether the
top 1,000 commonly used ports remember
on the internet not not internal
networks so by default it only scans for
1,000 the top 1,000 ports so that's
what we're seeing here is hey I scanned
the top 1,000 ports and didn't find
anything now just remember there's
65,535 ports so just because we don't
find anything with the default top 1,000
it doesn't mean that there's not
something there so we can tell it to
scan all TCP ports if we
want so we can use the -p- switch is
usually what I do because that's the one
that Fyodor talked about when I saw
him at DEF CON a long time ago
before it was a documented
feature so you can say okay scan all
65,535 ports it's going to take a
second or two or
60 so now that the scan completed we
scan all
65,535 ports we do see that there is one
port identified as open so we see TCP
502
open now now we can assume we know what
that's normally associated with or some
of you might not but we'll find out well
how how do we know what what's running
on that that Port right and and we'll
come back and and we'll look at that in
in a sec and here going back to slide
this is where right we're scanning all
the ports in this case you can see in
the example right that's a Windows box
that that we're scanning or in this case
we know we're scanning a
PLC
we just, kind of, that was a side-by-side
comparison so we can scan UDP
ports so instead of the normal
default scan we actually have to specify
dash lowercase s capital
U (-sU) now the problem with UDP is that UDP
traffic is just sent remember we put the
mail in the mailbox and we assume it
gets to where it's going there is no
three-way handshake because we use that
three-way handshake for guaranteed
delivery there's no guaranteed delivery
in
UDP so because there's no three-way
handshake nmap doesn't have that
real true functionality on how to
determine if a UDP port is open or not
there are some tricks where it kind of
can so in this case you can see if it
sends UDP traffic to a port that's not
open it should get an ICMP port
unreachable message back from the server
or the target
should but might or or might
not and we could use that to determine
the port is closed right and anything
else would be considered open or
filtered or that the server is just not
responding so that's it so when you try
to scan UDP you can kind of get an idea
but one is is you're only going to scan
a handful of
ports and mostly because it takes an
extremely lot of time because UDP just
you have to sit there and wait and wait
and wait to see if you ever get that
ICMP port unreachable message to tell
you that the port's closed and then
otherwise you say oh it's open or
filtered well there's a big difference
between is a port open or is it filtered
by a firewall right those are completely
two different
things
so UDP you're going to scan a few ports
but you're not going to
scan for
everything but here's an example of
scanning a it's a a Windows machine
right for UDP because it does have UDP
you see things like for DNS right
when you do a DNS lookup to resolve a a
name to an IP address that's over UDP 53
so UDP traffic does have its place and
you will see it in certain
instances and even in control system
environments and and we'll see a couple
of
examples and here's some different ways
on how we can scan like entire subnets
which we're doing you can see you can
scan individual IP addresses or maybe a
sub range like everything between 1
and 100 there's a few things for you
to to play with there like oops you can
also import a list a text list of host
So and I've used this I use this
actually a lot of times maybe I get a
list of vulnerable host out of maybe an
Excel spreadsheet and it has 100 hosts
and then I want to put them into nmap
to do additional scans to really
determine what what type of hosts these
are so you can do that so that's a
really nice trick you can also you can
exclude certain hosts maybe I have one
host that I know that if I scan it it'll
crash so I'm always going to exclude
that right in this case don't scan 1.32
scan everything else in that
192.168.1 range just don't scan
192.168.1.32
right you can scan an entire subnet
which we've already been doing right we
say nmap and then we give it the
subnet range in CIDR notation right
which is the slash followed by the
subnet mask and we'll scan everything in
the entire
192.168.1 range nice thing also is
there's the --open option which
I guess kind of gives away well what's
running on Port 502 but we'll come
back the idea is if you're scanning a
large range and maybe in this case I'm
saying hey I'm only scanning for
instances of modbus on 502 but if I scan
an entire
range every time I'm I hit a a host that
doesn't have Modbus running it sends me
a message back that says closed
closed closed closed closed closed and then
you see oh open closed closed closed closed
closed closed it's like well I just want
to see what's open so that's the
--open just show me where the open
ports are so when you're especially
scanning larger ranges that makes it
very nice and very clean so just
something to to think
about
oops kind of jumping ahead because the
one thing that's left off here is well
what we're seeing here is the service
scan so if I go back to our window right
and it's like oh okay I know something's
running on Port 502 so there's a couple
things that we can do here one is I can
go back to our nmap command now
instead of saying oh scan all the ports
or scan the top 1,000 common I can say
just scan port 502 because it
looks like that's the only Port running
on TCP
so I want to run just Port 502 and I'm
going to use what they call the service
scan in
nmap so I can use dash lowercase s
capital V as in Victor (-sV) and what that
does so now it's only going to test to
see if 100.2 200 has Port 502 open and
then it's going to do additional checks
to tell
me
what is actually running on that Port so
we know Port 502 is open but now it's
going to come back and say before we saw
MBAP, I, maybe, maybe Modbus
something but I don't
know and I'm not going to make an
assumption I want to check because
somebody could put like a web server
running on
502 but in this case oh okay it's
Modbus over
TCP/IP awesome so this definitely now
even more so looks like yeah it's it's a
PLC well if we want to take it to the
next level what we can do is we can run
that service scan again but we can also
do what they call a script
scan so we do dash lowercase s capital C
as in
Charlie (-sC) so now it's going to run some
additional test on top of the service
scan to see if it can get any other
information from that Port now in this
case by default we don't see anything
else
right so at this point we found the port
we know we verified it's Modbus TCP now
nmap also has, and we tried the
scripting engine, it didn't come up with
anything by default, now there's also
individual scripts that you can run so
there's one for Modbus specifically
we're going to change that -sC,
we're going to change that to just say
--script and then we're going to type in
modbus-discover.nse which is the name of this
modbus script and there's there's other
scripts as well and we're going to look
at some a little bit later on uh and you
can see then it comes back with well
here's the slave ID and I know Modbus still
is
this hierarchy based off of a master/slave
model we're trying to get away from that
because of the racist connotation
or meaning but for now it's like
okay here's another piece of information
about this host and we could use that
again gather more information that
helps us successfully attack that in
this case that that PLC right so again
that probably doesn't mean a lot yet but
again it's just another
piece of the puzzle so I think we are
transitioning from building asset
registers to penetration testing though
so I'm going to try and reel us reel us
back but so that gets us through the
active scanning portion as far as
looking for host on the network using a
scanning tool like nmap right finding
ports finding and really from building
asset registers perspective it's about
what's running on those ports do we get
information about what service what
version of that service or application
is running right so so that way again it
helps us build out that asset
register so let's go ahead now and and
let's kind of switch gears and we're
going to talk about passive sniffing
or passive
listening okay so and you you can see
earlier we talked about passive scanning
but again we're not scanning anything I
hate that term so we're really talking
about passive listening sometime passive
passive sniffing we talk about sniffing
of of packets and the idea is that we're
sitting in the network with network
connectivity where we have visibility to
see packets moving over the wire and
that we can capture that traffic so
again yeah we're not scanning anything
we're not generating packets and putting
anything on the wire so this is
safe to be able to do the only time this
isn't safe is when
you unplug the wrong things or you pull
the power on on a network switch or you
know the network goes down that but just
from a passive listening or packet
sniffing
perspective again we're not generating
traffic to put on the network so there's
no chance of breaking anything from from
that
perspective so and we've already talked
about using Wireshark in the
course so we can use Wireshark as a tool
we're going to open it up or actually I guess
we already have one instance open but
we can open up a new one right in this
case the Ethernet adapter, the Killer
Ethernet adapter is the one that's
connected to the the home the research
lab so I can just double click on that
and then let me go ahead and blow this
up a little bit so it's a little bit
easier to little bit easier to
see and then we can see maybe that's too
big the traffic as it comes through and
again right now I'm not seeing any tcpip
traffic right whereas if you're in an IT
Network you see tons of tcpip traffic
and very little anything
else where now you can see multicast
traffic labeled as LLP which we're going
to come back and talk about oh and now
we're starting to see oh there's some
icmp we actually see some version six
traffic if we want we can go ahead well
I can generate some traffic if I want
right so why don't I go ahead and can I
ping that first PLC that's on the
network oh yeah I'm getting the response
back and you can actually see there's
the in pink there's the icmp echo
request and the icmp reply remember we
had we did that four times so we have
four set of icmp echo requests and and
Echo replies we're seeing some ARP tra
TR like we were talking about earlier
remember the broadcast
traffic and then everything else again
we start to see it's not tcpip
traffic but what we're
seeing is other forms of communication
from these
plc's and then if I start looking at
them let me go ahead and stop this
capture so now we can see based off of
the MAC address remember wi shark's
going to translate that first half of
the Mac address for us so we do see
seens right which that lines up with
what we saw in the nmap scan earlier
because that Seamans PLC is running
tcpip but it's also running other
protocols industrial control protocols
just not
tcpip and then we can see oh there's
another PLC out there number four we
said kind it's the ghost in the machine
so it's from Phoenix contact
now it's not running
tcpip it's just running other industrial
control protocols like
profinet remember Dell that's our
engineering
workstation imaginatively named new
laptop and I think that's all we're
seeing here we're not seeing any other
traffic from the The Click
plc
So there's a lot we can see, and a lot of information that's being shared, because they're actually trying to announce information about each other. If I open up this one packet, we can see that this is again coming from that Siemens, and if you can read through this, we can get the idea of the name of the PLC, we can see of course the vendor, we can see where it starts to get into the kind of software or model type; the model really, actually, is that CPU 1200 down below. We can see then things like hardware version, firmware version, it's probably the serial number on the device. This is all information that's advertised in the clear. This is not encrypted traffic. Most traffic in OT environments is not encrypted, and that's not a bad thing. People in IT always cringe: we have to encrypt everything to keep it safe. Not necessarily in OT. And for me, I love it when it's unencrypted, because it makes network intrusion detection so much easier, so I don't have to worry about capturing traffic and then breaking the encryption to be able to read the packets to see, you know, is there malicious traffic in there or not. So that's actually a really nice advantage of not having traffic encrypted. I'm a big proponent, in most environments, of not using encryption. Now, if there's some, you know, mission-critical or super secret, sensitive, proprietary information, formula or process that the business is worried about an attacker stealing, then you're going to encrypt. Otherwise, if it's no risk to physical safety, environmental safety or the availability of the plant, why do it, especially if it's going to benefit us more so in the long
run.

But if you want to see, in fact we can go ahead, I think if I have this open... doesn't look like it, but I can. So we can open up the TIA Portal, which is the Siemens software. In this case, since we were just talking about the Siemens software, we can go ahead and open this up, and you'll see. Most, at least the ones I'm familiar with, most of the client software that we use for configuring PLCs has this option. In this case we go down to Online and Diagnostics, and basically it has an option to go out on the network and find, in this case, Siemens PLCs. So we can go ahead, and we're going to go Start Search. You can see we selected the right network interface, and so it's sending out traffic to see if it can find any devices talking, in this case probably over PROFINET, and you can actually see it comes back with two. So we can see, oh well, here's our Siemens PLC at 192.168.1 100.00, and oh, there's that other fourth PLC, and oh, it does have an IP address assigned, it's just on a different subnet, which is why we're not seeing it right now. We see, oh, it's 192.168.1.2, not 100.230, but it also still has that other traffic that it can use to talk on the local network. So we kind of did it on purpose so that way it's hidden, but we can still find it on the network. And again, that's another one, and I've seen many instances of this in the real world, so this is another example of how we're building that Sudoku puzzle.

And there's other options we have, but this is how we can work with a PLC. So if you've never connected to a PLC through its client software, this is pretty standard, and this is kind of similar to the other packages that are out there. There's usually an option for something like Flash LED, so that way if you had a technician, or you were going to try to program that PLC and you're in there and you have a hundred Siemens PLCs, well, which one maybe do I need to connect directly into? So you can say, oh, flash the LED on this one PLC, and then when you're standing there you can see, oh yeah, this is the one. Or if I want, I can go ahead and connect to it, and then when I connect to it, it takes a second, but you'll see once it loads, then we can get into things like, oh, I want to go ahead and be able to program the PLC, or maybe I want to go ahead and make, you know, basic changes to the PLC. And here you can also see what we were talking about earlier: is it in run mode, where hopefully it's read-only and you can't make any changes? In this case it's not, but let's go ahead and put it in run mode. You can just see it takes a second, and it actually already has PLC programming, so now that PLC programming, that code, is running; it's doing its job, it's monitoring, it's going to make changes in the environment if it needs to, and I can't make changes, at least to the firmware, unless I go into stop mode. So the Siemens S7-1200, this is one of those PLCs, very common, but it doesn't have a physical key switch or DIP switch on the outside to control it. It's just software; you would literally connect with it through the TIA Portal and then go in here and click stop, and when you click on stop, that will actually bring it down, and now I could do something like upgrade the firmware. But okay, we'll go ahead and turn it back
on.

So it just gives you a high-level intro. Again, if it's something you haven't seen before, I think the first time you see it it's really cool, especially the first time you play with it. That's the other thing: I suggest, if anybody has the time and the resources, to go ahead and get a PLC. The best one you can start with is the Click PLC from AutomationDirect, because fully loaded it's 400 dollars, which you're not going to find a better deal, even trying to buy something off of eBay, you're just not. And they have a lot of training for it, and all their software is free, and it's really intuitive, so it's fairly straightforward to use. But here's kind of the same process that we saw with the Siemens software. I said, oh, broadcast, see, are there any Click PLCs out on the network? And you see, oh yeah, here it found one, and again it tells us all this information about itself; in this case it even says, hey, I'm in run mode and I'm all good. And so I can go ahead and connect to it. Now in this case I actually assigned a password for this one. You can see the Siemens one did not have a password by default, and it still doesn't have one assigned to it. I have to remember my password. And then in this case we're going to just tell it, okay, use the project code that's on the PLC. This is the ladder logic, very simple, just to make sure that I had something to get the PLC up and running. And just like in the Siemens, you know, I have the ability to go in, and if I want I can stop it, I can put it in stop mode, I can make changes to the programming code if I wanted to, and this is really most of what the rest of this interface is.

So especially if you're new to OT, like I still am: I was talking actually with an engineer today, and he was asking, you know, what people would think if you come from IT cyber security, really basic questions about firewalls, and at the same time he's like, yeah, I feel stupid asking these questions, because I've been programming PLCs for 20 years, and DCS. And I'm like, well yeah, but I've been doing firewalls for 20 years, and, you know, I just program PLCs on the side when I have time, I'm just learning. So yeah, it's give and take, so it's kind of an interesting
conversation. But again, if it's not something that you've seen before, it's really interesting. Again, I always suggest, if you have the time, the want and the money, to get a Click PLC, and then you can program that and get started with that, and then kind of build your home lab from there. But yeah, unfortunately it's not cheap to have a physical asset, to have a physical PLC, unfortunately. And there are lesser alternatives, so you can do them with Arduinos or with Raspberry Pis. They're great alternatives, it's just not the same as having a true PLC, so I definitely suggest doing the full PLC if you can.

But enough of that, I've totally derailed us, because what we were talking about was using Wireshark packet captures to find hosts on the network. So we kind of went down a rabbit hole, but you also got the idea of how we started finding these PLCs, and we even found one PLC that wasn't talking TCP/IP on the lab network, but it was still talking a protocol on the network. And so that's what we're really trying to do
with those.

Now, when I first put this class together I didn't have the big lab, or well, the quote-unquote big lab, I only had one PLC before, so I was using different packet captures that I would download from GitHub repositories on the internet. So there's this; I mentioned this actually earlier in the course, which is great. So you can go, and there's tons of captures for different industrial control protocols, so definitely play with those in Wireshark to get an idea. But what we can go back and do is, Wireshark has all these great features or menu options, so that way if I go up to Statistics, there's a couple of these that we would look for. So typically the one, especially if I'm starting and I'm trying to build an asset register from packet capture information, I'm going to go to Endpoints. And so you can actually see, now here's Ethernet addresses, so that's MAC addresses. Let's say, you know, we're going to make it simple and I just want to look for IP addresses, just IP version 4 IP addresses right now. So out of all that traffic that was captured we see one, two, three, four, five, six IP addresses. Now the last four IP addresses, those are all multicasting addresses; that's a lot of the other industrial control protocols that we are seeing talking, sharing information, but not TCP/IP. So we actually only have, we see traffic from 100, which is the engineering workstation, and we see traffic from 100.00, which is the Click
PLC.

Now this brings up a great point, because this capture that shows two IP addresses is only a capture at a certain point in time. So in OT environments two assets might never talk, or they might talk once a month or once a week. So in that environment we know, oh well, we have four hosts that we should see over TCP/IP if they were all talking, but again, they're not all talking right now. Now if I did a scan we would see a lot more pop up, because that would generate some talk or conversation between those hosts. But just keep in mind that that packet capture is only good for that slice of time, and that OT devices by default are not constantly talking; they are not Windows machines, they're not chatterboxes, not on TCP/IP. We can see otherwise, in the background over LLDP, where they're just multicasting all the information about themselves, like I'm here, I'm here, here's all my information. It's almost like "steal my identity, please"; they're begging us to. But you can use that Endpoints option to go in and say, show me all the IP addresses. And you can see it was showing MAC addresses, so that we're seeing more of than just IP addresses, because remember those machines are out there and they're not talking TCP/IP, but they are connected to the network and they are talking. If there's IP version 6 traffic we'll see that as well, and then you'll see if there's any TCP or UDP traffic; right here now we're seeing the IP addresses and the ports. So the ports is where we want to see if we see anything like, oh, a port 502, or, and here we see 5353, so mDNS, multicast DNS, or some other kind of random high-order ports, which probably don't mean
anything.

So that's Endpoints. There's other options as well, so we can look at Conversations, so it's like, oh okay, now show me who's talking with who. So if I go back and see, okay, 192.168.100.1 100 is talking with 100.00, so that's our engineering workstation talking with the Click PLC. We can see the engineering workstation also doing a lot of multicasting. We can see how much data is transferred between the two, so you can see not a lot, very minimal; you can see the different directions, how much was sent to and from. You see again there's IP version 6 traffic, if there's any TCP traffic, which we don't see any, and then there's, oh, UDP traffic, because a lot of that, especially the broadcast traffic between an engineering workstation and a PLC, is done over UDP. So we have that, and then we can also look at the Protocol Hierarchy, which I always find interesting, not necessarily, usually, for building asset registers; we probably got as much information already out of the packet capture as we're going to. But in this case we can see all the protocols that are talking and what percentage, so we can see, yeah, the biggest one is that Link Layer Discovery Protocol, LLDP, we saw all the PLCs using to again advertise, hey, I'm here, there's all this information about me. And then, yeah, we saw some UDP traffic.
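The Endpoints, Conversations and Protocol Hierarchy views just described, together with the LLDP name advertisement we read out of the packet earlier, boiled down into an added Python example (not course material and not Wireshark code) that builds the same tables from raw Ethernet frames. Everything in it is constructed for illustration: the OUI-to-vendor table, the MACs, the PLC names and the addresses are made up, and a real run would feed it frames from a pcap reader instead of SAMPLE_FRAMES.

```python
import struct
from collections import Counter

# Illustrative OUI table (assumption: first three MAC octets -> vendor).
OUI_VENDORS = {"00:1b:1b": "Siemens", "00:a0:45": "Phoenix Contact", "f8:db:88": "Dell"}
ETH_IPV4, ETH_ARP, ETH_LLDP = 0x0800, 0x0806, 0x88CC
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


def lldp_system_name(payload):
    """Walk LLDP TLVs (type = top 7 bits, length = low 9 bits) for System Name (type 5)."""
    off = 0
    while off + 2 <= len(payload):
        hdr = struct.unpack("!H", payload[off:off + 2])[0]
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF
        if tlv_type == 5:
            return payload[off + 2:off + 2 + tlv_len].decode("ascii", "replace")
        off += 2 + tlv_len  # the End TLV (type 0, length 0) just runs us off the buffer
    return None


def build_register(frames):
    """Passive register from raw Ethernet frames (as read from a pcap): the same
    Endpoints / Conversations / Protocol Hierarchy views Wireshark's Statistics menu gives."""
    reg = {"ethernet": {}, "ipv4": Counter(), "conversations": Counter(),
           "ports": Counter(), "hierarchy": Counter()}
    for frame in frames:
        src = ":".join(f"{b:02x}" for b in frame[6:12])
        ethertype, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
        host = reg["ethernet"].setdefault(src, {"vendor": OUI_VENDORS.get(src[:8], "unknown"),
                                                "name": None, "ip": None, "protocols": set()})
        label = f"ethertype-0x{ethertype:04x}"  # PROFINET (0x8892) and friends stay like this
        if ethertype == ETH_LLDP:  # device advertising itself in the clear
            label = "LLDP"
            host["name"] = lldp_system_name(payload) or host["name"]
        elif ethertype == ETH_ARP:
            label = "ARP"
        elif ethertype == ETH_IPV4:
            proto = IP_PROTO.get(payload[9], f"proto{payload[9]}")
            sip, dip = (".".join(map(str, payload[i:i + 4])) for i in (12, 16))
            label, host["ip"] = "IPv4/" + proto, sip
            reg["ipv4"].update([sip, dip])
            reg["conversations"][(sip, dip, proto)] += 1
            if proto in ("TCP", "UDP"):  # destination port: 502 Modbus, 5353 mDNS, ...
                ihl = (payload[0] & 0x0F) * 4
                reg["ports"][struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]] += 1
        host["protocols"].add(label)
        reg["hierarchy"][label] += 1
    return reg


def summary(reg):
    """Register rows: real IPv4 hosts (224.0.0.0/4 multicast groups dropped) plus the
    MACs that talk on the wire but never over IPv4 (the 'ghost in the machine')."""
    return {"ip_hosts": {ip for ip in reg["ipv4"] if not 224 <= int(ip.split(".")[0]) <= 239},
            "non_ip_hosts": sorted(m for m, h in reg["ethernet"].items() if h["ip"] is None)}


# Constructed sample capture (MACs, names and addresses are made up for this example).
def _eth(dst, src, ethertype, payload):
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


def _ipv4(src, dst, proto, payload):
    return (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
            + bytes(map(int, src.split("."))) + bytes(map(int, dst.split("."))) + payload)


def _lldp(mac, name):
    tlv = lambda t, v: struct.pack("!H", (t << 9) | len(v)) + v
    raw = bytes.fromhex(mac.replace(":", ""))
    return (tlv(1, b"\x04" + raw) + tlv(2, b"\x03" + raw) + tlv(3, b"\x00\x78")
            + tlv(5, name.encode()) + tlv(0, b""))


EWS, S7, PHX = "f8:db:88:00:00:01", "00:1b:1b:00:00:02", "00:a0:45:00:00:03"
SAMPLE_FRAMES = [
    _eth("01:80:c2:00:00:0e", S7, ETH_LLDP, _lldp(S7, "plc_1")),
    _eth("01:80:c2:00:00:0e", PHX, ETH_LLDP, _lldp(PHX, "ilc-4")),  # LLDP only, no IPv4
    _eth("ff:ff:ff:ff:ff:ff", EWS, ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
    _eth(S7, EWS, ETH_IPV4, _ipv4("192.168.100.10", "192.168.100.20", 1, b"\x08\x00" + b"\x00" * 6)),
    _eth(EWS, S7, ETH_IPV4, _ipv4("192.168.100.20", "192.168.100.10", 1, b"\x00\x00" + b"\x00" * 6)),
    _eth("01:00:5e:00:00:fb", EWS, ETH_IPV4,
         _ipv4("192.168.100.10", "224.0.0.251", 17, struct.pack("!HHHH", 5353, 5353, 8, 0))),
]
```

Running `summary(build_register(SAMPLE_FRAMES))` lists the two IPv4 hosts and the Phoenix Contact MAC that only ever spoke LLDP, which is exactly the device a TCP/IP-only view would miss.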
So there's a couple of things that we can find from that, and there's some other ones that are in there, but those are the big ones, especially when we talk about building asset registers. We're going to talk a lot more about Wireshark when we get into the intrusion detection section, but again, we just kind of wanted to... you can start to see at this point how you can capture traffic in the OT network. Okay, we're not active scanning, we're not putting any network packets on the network, so there's nothing at risk, and we're just looking at or reviewing that information to see what's out there. Okay, now you might have limited visibility, and don't forget you have to capture traffic over a long period of time, because in OT it's not like IT, the systems aren't just constantly talking to each other, at least again over TCP/IP. Here you can see these PLCs trying to continually talk with each other, you know, saying I'm here, I'm here, it's just not over TCP/IP. All right, so that's what we were talking about there. So there's the slide.
NetworkMiner, I just want to mention real quickly, is an alternative out there that you can use. The cool thing I like about NetworkMiner is you can see it's a little different view as far as what hosts are out there; it tries to guess what type of host. It's not an OT tool, though, so it's not going to put like PLC on there or anything, but if there's any type of files that are transferred in that network traffic, like a Word document or a picture file or a web page, it extracts all of that and puts them on your hard drive to read, which is really cool. So it's more for IT, but it can kind of come in handy in OT environments as well. And there's a free version and there's a paid-for version, so, you know, definitely always check it out; I always, you know, definitely love to use free software. And here you see, as you expand those, it tries to give you more information about each host, so it's definitely a little different. It's not as powerful as Wireshark by any stretch of the imagination, but the few things that Wireshark doesn't do well, it does really well, and I think that's kind of how they made their name. It's like, okay, the few things that people don't like about Wireshark, we're going to do them and we're going to do them well, and I guess that's their claim to fame,
honestly.

So last but not least, to kind of wrap everything up, and we've already started talking about this earlier: once we have built out the asset register, and maybe again it's not 100% complete but it's as complete as we're going to get it, it's like, what could an attacker do if they got the asset register? Again, it's the treasure map, it's the blueprint for here's the plan on how to break into the environment. So we want to make sure that attackers aren't able to access the asset register wherever we store it. So if we're storing it, let's say, on a system, whether it's in the cloud, whether it's within the organization, whether it's on site, maybe it's on the IT network and not the OT network, it's maybe not a bad idea, or you have it on both, because we do have to make sure we get access to it if we're, you know, on the OT network doing things like incident response or security monitoring. But wherever it goes, we want to make sure we harden the system against attack. So use things like, go to the Center for Internet Security and get the hardening guidelines for the operating system for that system, the server or the host that you're storing it on. So if it's for a Windows server or a Windows workstation, or if it's a Linux host or Linux workstation, yeah, go get the system hardening guidelines and make sure you lock down that machine, make it as secure as possible. Remember we don't want an attacker getting this blueprint to how to attack the environment. You can consider encrypting it, so even if it's just an Excel spreadsheet, yeah, put the password on it to encrypt it. Just make sure, this is where we want to make sure everybody knows what the password is, because we don't want somebody getting locked out in the heat of the moment where they really need access to the asset register, where it could even potentially save a life. The last thing we want is a password on an Excel spreadsheet preventing us from saving somebody's life, and I know that sounds silly, but at the same time that's kind of the conversation we have in OT, because everything ultimately comes down to saving lives, protecting lives, the environment, and then we can talk about uptime or availability of the
environment. You can put access control, so things like permissions determine who has access to it. You can make sure it's physically secure, so whatever server or system that it's residing on, make sure it's locked up and people just can't get to it. So hopefully it's a server like in the data center, maybe off the engineering room or the control center. We were just talking about one location today where they actually have the control room on the second floor and the data center is on the floor beneath them, so for certain tasks they actually have to leave the control room to go into the data center down one floor. I thought that was really strange. It was an outside party, it's not related to my day job, but that was very, very strange. And then what other things should we consider? Those are some of the, you know, high-level ones. Some people might consider keeping it offline. I think personally if you're in a physically secure location, which a lot of OT environments typically are, or not all, but I'd say especially larger ones probably typically are better, you can have it printed out and sitting on your desk if you have really good, you know, physical security keeping people from coming in. But make sure, if you have it printed out on your desk, that when you're not there you put it at least in maybe a locking file cabinet, or, you know, protect it physically for when you're not there. So, things to consider. Of course we want to make sure
that the asset register is updated over time, so we have a process, weekly, monthly, quarterly, annually, where we're going through and making sure it's updated. Probably, I would say, don't wait for longer than, you know, every quarter or three months; don't wait to do it every year, that's crazy. Maybe, or, you know, once a month, so that way you capture minimal changes and it doesn't take all the time. If you're only doing it once a year, you're going to hate doing it. So a lot of this plays into change management procedures at site, so when somebody makes a change it should go through change management and get authorization before you're swapping out parts or putting in new assets or taking out old assets. So make sure, and we're going to talk more about this when we get into things like incident detection and response, because again, when we do incident detection and response and we get alerts, 99% of the time it's not a hacker or malicious activity, it's someone doing operations and maintenance, and maybe they didn't go through the authorized change management procedures or panels. So we don't normally have as high a sense of paranoia in OT as in the IT world, and that's fair; we still should have some paranoia, though, so a little paranoia is good. So again, we're going to come back and talk about that more, and that's where we get into going all the way full circle to the beginning of the section again: why I'm such a firm believer in asset registers, where it sounds like it's so boring because all we're talking about is asset inventory. But that asset inventory, especially in OT environments, allows us to do threat and vulnerability management, and it allows us to do incident detection and response, and those are the two biggest things outside of network architecture that we can do to protect the environment, and all of those are based off of the asset register. So having the asset register is critical, and that's why we were talking about
it.

So I appreciate everybody's time. This is kind of another big section, but hopefully everybody found it interesting. I know we took a few side tangents, but if you have questions, comments, concerns, you can comment on the video. If you like it, you know, give me a thumbs up, subscribe if you haven't subscribed to the channel yet, but you can feel free to reach out to me: there's my email address, you can always ping me on LinkedIn, and then of course you know where the YouTube channel is, because you're watching, so you don't need it there. But anyways, I appreciate everybody's time and coming and watching the video, and we'll have part six out in a couple of days; that's when we'll actually get into threat and vulnerability management, so that's one of my other favorite sections. So I'll see everybody soon. All right, take care.