Modbus Traffic Analysis | SANS ICS Concepts

  • Published: 5 Jun 2024
  • This SANS ICS concept overview covers capturing network traffic to a Schneider Electric (SE) M221 programmable logic controller (PLC) and analyzing it with Wireshark and Tshark. The analysis gives insight into the Modbus protocol and shows how the tools can be used to identify specific types of interactions between the PLC and other systems on the network.
    Script by Don C. Weber (@cutaway), Certified SANS Instructor and Cutaway Security, LLC
    Don C. Weber is the Principal Consultant and Founder at Cutaway Security, LLC, an information security consulting company based in Texas. Don's previous experiences include large-scale incident response efforts for organizations with international assets and interests, the certification and accreditation of classified federal and military systems, assessment and penetration testing of worldwide commercial assets, and, as a Navy contractor, the management of a team of distributed security professionals responsible for the security of mission-critical Navy assets. Don has achieved his master's degree in network security, the Certified Information Systems Security Professional (CISSP) certification, and many GIAC certifications. Don was a founding member of the GIAC Ethics Council of which he was the GIAC EC Chair in 2009. Don regularly contributes to a wide variety of open source projects involving information security and incident response. Learn more about Don at www.sans.org/profiles/don-c-w...
    Special Thanks to ICS Village - www.icsvillage.com/
    References:
    M221 Traffic PCAP - github.com/cutaway-security/c...
    Modbus - en.wikipedia.org/wiki/Modbus
    SE M221 PLC - www.se.com/us/en/product-rang...
    rodbus-client - github.com/stepfunc/rodbus
    Wireshark - www.wireshark.org/
    Tshark - www.wireshark.org/docs/man-pa...
    SANS ICS Training:
    ICS410: ICS/SCADA Security Essentials - www.sans.org/cyber-security-c...
    ICS456: Essentials for NERC Critical Infrastructure Protection - www.sans.org/cyber-security-c...
    ICS515: ICS Active Defense and Incident Response - www.sans.org/cyber-security-c...
    ICS612: ICS Cybersecurity In-Depth - www.sans.org/cyber-security-c...
  • Science
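To make the dissection concrete, here is an added example (not code from the video or from Cutaway Security) that parses raw Modbus/TCP frames the way Wireshark's mbtcp/modbus dissectors do and classifies each one as a read, a write or an exception, which is the distinction that matters when deciding which host on the network is actually changing PLC state. The sample bytes are constructed for this example and are not taken from the M221 capture in the references; the function code and exception code names come from the public Modbus specification.

```python
"""Parse Modbus/TCP frames and classify the PLC interaction each one represents."""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Public function codes relevant to reading or changing PLC state.
FUNC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
READ_CODES = {1, 2, 3, 4}
WRITE_CODES = {5, 6, 15, 16, 22, 23}   # 22/23 = mask write / read-write multiple registers
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Server Device Failure"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int            # exception bit (0x80) already stripped
    data: bytes                   # PDU bytes after the function code
    exception_code: Optional[int] = None

    @property
    def kind(self) -> str:
        if self.exception_code is not None:
            return "exception"
        if self.function_code in WRITE_CODES:
            return "write"
        if self.function_code in READ_CODES:
            return "read"
        return "other"


def parse_modbus_tcp(payload: bytes) -> list:
    """Split one TCP payload into Modbus/TCP frames (7-byte MBAP header + PDU).

    MBAP = transaction id (2) | protocol id (2, must be 0) | length (2) | unit id (1).
    The length field counts the unit id plus the PDU, so a frame is 6 + length bytes,
    and one TCP segment may carry several frames back to back.
    """
    frames, offset = [], 0
    while offset < len(payload):
        if offset + 7 > len(payload):
            raise ValueError("truncated MBAP header at offset %d" % offset)
        tid, pid, length, uid = struct.unpack(">HHHB", payload[offset:offset + 7])
        if pid != 0:
            raise ValueError("protocol id %d is not Modbus" % pid)
        end = offset + 6 + length
        if length < 2 or end > len(payload):
            raise ValueError("bad MBAP length %d at offset %d" % (length, offset))
        pdu = payload[offset + 7:end]
        fc = pdu[0]
        if fc & 0x80:   # exception response: function code with high bit set, then exception code
            if len(pdu) < 2:
                raise ValueError("exception response without exception code")
            frames.append(ModbusFrame(tid, uid, fc & 0x7F, pdu[1:], exception_code=pdu[1]))
        else:
            frames.append(ModbusFrame(tid, uid, fc, pdu[1:]))
        offset = end
    return frames


def describe(frame: ModbusFrame, request: bool = True) -> str:
    """Human-readable summary of a PDU. Direction is not encoded in the bytes: in a
    capture, a frame sent to TCP port 502 is a request, one sent from it is a response."""
    name = FUNC_NAMES.get(frame.function_code, "FC %d" % frame.function_code)
    d = frame.data
    if frame.exception_code is not None:
        return "%s exception %d (%s)" % (
            name, frame.exception_code, EXCEPTION_NAMES.get(frame.exception_code, "unknown"))
    if not request:
        return "%s response (%d data bytes)" % (name, len(d))
    if frame.function_code in (1, 2, 3, 4, 15, 16) and len(d) >= 4:
        start, count = struct.unpack(">HH", d[:4])      # starting address, quantity
        return "%s start=%d count=%d" % (name, start, count)
    if frame.function_code in (5, 6) and len(d) == 4:
        addr, value = struct.unpack(">HH", d)            # address, value (0xFF00 = coil ON)
        return "%s addr=%d value=0x%04X" % (name, addr, value)
    return "%s (%d data bytes)" % (name, len(d))


def summarize(payload: bytes) -> dict:
    """Count frames by interaction kind: read, write, exception, other."""
    return dict(Counter(f.kind for f in parse_modbus_tcp(payload)))


# Constructed sample: four frames as they might appear in one TCP stream to a PLC.
# These bytes are made up for this example, not taken from the M221 capture.
SAMPLE_PAYLOAD = bytes.fromhex(
    "00010000000601030000000A"              # tid 1: Read Holding Registers, start 0, count 10
    "00020000000601050000FF00"              # tid 2: Write Single Coil, coil 0 -> ON (0xFF00)
    "00030000000B0110001000020400010002"    # tid 3: Write Multiple Registers, start 16, 2 regs
    "000200000003018502"                    # tid 2 reply: 0x85/0x02, Illegal Data Address
)

if __name__ == "__main__":
    for f in parse_modbus_tcp(SAMPLE_PAYLOAD):
        print(f.transaction_id, f.unit_id, f.kind, describe(f))
    print(summarize(SAMPLE_PAYLOAD))
```

The `kind` split is the one to key a filter or alert on: on a stable process network the set of hosts issuing write function codes to a PLC should be small and known, and an exception response to a write from an unfamiliar host is exactly the probing pattern the video's Tshark queries are meant to surface.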

Comments • 8

  • @alexchiosso221 (1 year ago) +1

    Wow! Outstanding in-depth video on Modbus packet analysis and Wireshark. Thank you so much. :-)

  • @charliekey2979 (10 months ago)

    Great video tutorial, thank you!

  • @mr.cannibal600 (3 years ago)

    Hey Don, I wanted to ask you about your lab. At the beginning you described and showed the switch, cables and software on the 2 different laptops, but could you please expand on that? For instance, on the engineer laptop you mentioned 2 pieces of software, one an HMI I guess and the other specific to the PLC I guess, which I could understand because for sure it is to manage the PLC remotely. But that HMI piece and the graphic of "pumps" you can turn on and off: is that software an emulator, which software is it, how do you deploy it, are the pumps real or virtual? If yes, why the 2 red cables, and what is on the other side of those cables, because you showed only the Netgear switch side? Also, does that switch have the capability of configuring one port as SPAN? I'd appreciate all the details you could add about your lab deployment and mentioning the specific software you used; I'm looking to emulate it. Thanks, and great videos sir!

    • @secripcord (3 years ago)

      @Mr. Cannibal I believe the network cable configuration was:
      Black cable goes to PLC
      #1 Red cable goes to HMI
      #2 Red cable goes to assessment / threat actor laptop
      Grey cable (switch's SPAN port) goes to assessment / threat actor laptop's monitoring interface
      I hope that answers your question.

  • @shaunnasworkshop (2 years ago) +1

    I am a student looking for home lab projects. Do you think one could write (say) a Python script to automate the application of the TShark commands and output to CSV files? Is that a thing that people in forensics would do?
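As an added example, and not a reply from the video's author: a Python wrapper that builds the tshark command line to pull per-frame Modbus fields out of a capture such as the M221 PCAP in the references, then reduces tshark's tab-separated output to a CSV of which host read and which host wrote what. The field names (frame.time_epoch, ip.src, ip.dst, tcp.dstport, mbtcp.unit_id, modbus.func_code) are Wireshark's own; the sample output lines and IP addresses are constructed for this example, not from a real capture, so the summary runs offline without tshark installed.

```python
"""Automate tshark field extraction over a Modbus/TCP capture and summarise it as CSV."""
import csv
import io
import subprocess
from collections import Counter

MODBUS_PORT = 502
WRITE_CODES = {5, 6, 15, 16, 22, 23}
# One value per column in tshark's -T fields output, in this order.
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "tcp.dstport",
          "mbtcp.unit_id", "modbus.func_code"]
COLUMNS = ["src", "dst", "unit_id", "func_code", "kind", "direction", "count"]


def tshark_args(pcap_path: str) -> list:
    """tshark command: one tab-separated line per Modbus/TCP frame in the capture."""
    args = ["tshark", "-r", pcap_path, "-Y", "mbtcp", "-T", "fields"]
    for field in FIELDS:
        args += ["-e", field]
    return args


def run_tshark(pcap_path: str) -> str:
    """Run tshark (must be on PATH) and return its stdout for summarize()."""
    return subprocess.run(tshark_args(pcap_path), capture_output=True,
                          text=True, check=True).stdout


def summarize(tshark_output: str) -> list:
    """Count interactions per (src, dst, unit, function code, kind, direction)."""
    counts = Counter()
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, unit, funcs = line.split("\t")
        # Traffic sent to port 502 is a request to the PLC; the rest are its responses.
        direction = "request" if int(dport) == MODBUS_PORT else "response"
        # A TCP segment may carry several PDUs; tshark joins their values with commas.
        for fc in funcs.split(","):
            code = int(fc) & 0x7F          # defensive: strip the exception bit if a tool leaves it set
            kind = "write" if code in WRITE_CODES else "read/other"
            counts[(src, dst, unit, code, kind, direction)] += 1
    return [dict(zip(COLUMNS, key + (n,))) for key, n in sorted(counts.items())]


def write_clients(rows: list) -> set:
    """Hosts that sent write requests to a PLC: compare against the known HMI / engineering hosts."""
    return {r["src"] for r in rows if r["kind"] == "write" and r["direction"] == "request"}


def to_csv(rows: list) -> str:
    """Render summary rows as CSV text, ready for a file or a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample of tshark -T fields output (made-up hosts and timestamps):
# an HMI at .20 polling and writing, and a second host at .30 writing coils.
SAMPLE_TSHARK_OUTPUT = "\n".join([
    "1717000000.10\t192.168.1.20\t192.168.1.10\t502\t1\t3",     # HMI reads holding registers
    "1717000000.15\t192.168.1.10\t192.168.1.20\t49152\t1\t3",   # PLC responds
    "1717000000.20\t192.168.1.20\t192.168.1.10\t502\t1\t16",    # HMI writes registers
    "1717000000.25\t192.168.1.10\t192.168.1.20\t49152\t1\t16",
    "1717000000.30\t192.168.1.30\t192.168.1.10\t502\t1\t5,5",   # two coil writes in one segment
    "1717000000.35\t192.168.1.10\t192.168.1.30\t49153\t1\t5,5",
])

if __name__ == "__main__":
    rows = summarize(SAMPLE_TSHARK_OUTPUT)   # or summarize(run_tshark("m221.pcap"))
    print(to_csv(rows))
    print("hosts writing to the PLC:", sorted(write_clients(rows)))
```

Swap `SAMPLE_TSHARK_OUTPUT` for `run_tshark("path/to/capture.pcap")` to use it on a real file; the CSV is the artifact to keep with the case notes, and `write_clients()` is the quick check for a host issuing writes that the site's documentation does not account for.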

  • @jasonallnutt5049 (3 years ago)

    Hi Don, thanks for putting these videos together. I really enjoy them and they are giving me lots of ideas for at-home projects I can do to build my skills. I have 2 questions for you when you have a chance. 1) Can you recommend a resource that is a little more entry level on Modbus? I have some familiarity, but when you were discussing the flags in the video I realized I could definitely use more background on the standard. 2) I was curious if you were going to do similar videos on DNP3 or IEEE 2030.5 (SEP2)? I don't know what the appetite from real OT professionals is for those two standards, but I was just curious and wanted to throw the idea out there. Thanks again and I look forward to more videos in the future.

    • @secripcord (3 years ago)

      @Jason, thank you for watching and commenting. Modbus is sorta the entry level industrial protocol because of its simplicity, ease of use, and wide employment. I do have some other protocol breakdowns planned and I am working with some individuals that can explain them from more of an OT implementation perspective. With our current release schedule, you'll see them in a couple of months. Getting back to your first question, I think you are hoping for a bit more information about process control topics that provide more information on how tags are used to reference values that, in this case, are referenced by Modbus coils / registers. To help with that, maybe check out Rob M. Lee's resource list for educating yourself on ICS (www.robertmlee.org/tag/resource-list/) or the SCADA Hacker Library (scadahacker.com/library/). The SANS ICS team is working on a similar list for one of our SANS ICS posters (www.sans.org/security-resources/posters/industrial-control-systems).

  • @andrevangijsel957 (1 year ago)

    No need to change the capture settings in Wireshark to display the Modbus TCP protocol?