SCADA HoneyNet project
Posted by creining | Filed under Security
Recently, there was a post to the honeypots mailing list about the SCADA HoneyNet Project: Building Honeypots for Industrial Networks. I had run into this project before when searching for SCADA information but had not downloaded the program code. According to the PLC (Programmable Logic Controller) Simulation Case Study, the components for simulation are:
- The TCP/IP Stack of the PLC
- The simulation of the Modbus/TCP server implementation.
- The simulation of the FTP server, that is found on some PLCs.
- The simulation of the Telnetd server, that may be found on some PLCs.
- The simulation of the management HTTP server, which is increasingly common on PLCs and other industrial network devices.
These simulations are accomplished via scripts that can be used in conjunction with honeyd or standalone. I decided to test them standalone first and then try them as honeyd scripts. There are four scripts: modbusSrvr.py, vxworks-ftpd.py, vxworks-telnetd.py and StatusApplet.java/StatusApplet.class. Testing the FTP server first, I find that the script does not like the ‘list’ command:
# python vxworks-ftpd.py &
[1] 13568
# nc localhost 21
220 FTP server (VxWorks version 2.6) ready.
username foo
331 Guest login ok, send your complete e-mail address as a password.
password foo@bar.org
230 User Logged in
syst
215 UNIX Type: VxWorks
list
Unhandled exception in thread started by
Traceback (most recent call last):
File "vxworks-ftpd.py", line 73, in handleConnection
self.implementCommands(data,conn)
File "vxworks-ftpd.py", line 106, in implementCommands
s.connect((self.ClientAddr[0],self.PORTport))
File "", line 1, in connect
TypeError: an integer is required
Next I try vxworks-telnetd.py which has implemented a ‘help’ and ‘ls’ command. Note that none of the ‘help’ commands have been implemented yet:
# python vxworks-telnetd.py &
[2] 13629
# nc localhost 23
VxWorks Login:admin
Password:admin
Hostname# help
help                      Print this list
ioHelp                    Print I/O utilities help info
dbgHelp                   Print debugger help info
nfsHelp                   Print nfs help info
netHelp                   Print network help info
spyHelp                   Print task histogrammer help info
timexHelp                 Print execution timer help info
h         [n]             Print (or set) shell history
i         [task]          Summary of tasks' TCBs
ti        task            Complete info on TCB for task
sp        adr,args...     Spawn a task, pri=100, opt=0, stk=20000
taskSpawn name,pri,opt,stk,adr,args...   Spawn a task
td        task            Delete a task
ts        task            Suspend a task
Hostname#ls
-rw-r--r--   1 root  root  33 Mar  5 18:06 gw
Next is the Modbus/TCP server modbusSrvr.py which at this point has implemented the protocol specific “responses to read_coil (function code 1), write multiple registers (function code 16), diagnostics (function code 8) and the exception response with code 1 (unknown function code).” Unfortunately, the module modbusHdrs is missing:
# python modbusSrvr.py &
[3] 13657
# Traceback (most recent call last):
File "modbusSrvr.py", line 19, in ?
from modbusHdrs import *
ImportError: No module named modbusHdrs
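Because the missing modbusHdrs module stops the project's server from running, here is an added, self-contained Python handler (my example, not code from the SCADA HoneyNet project) that produces the same set of responses the post lists: read coils (function code 1), write multiple registers (function code 16), diagnostics (function code 8) and the exception response with code 01 for unknown function codes; the coil and register contents are constructed sample state.

```python
import struct
# Constructed sample PLC state for the honeypot: coils 0 and 9 are on, all registers are zero.
COILS = [i in (0, 9) for i in range(16)]
REGISTERS = [0] * 16
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS, ILLEGAL_DATA_VALUE = 1, 2, 3  # Modbus exception codes

def build_adu(tid, unit, pdu):
    """Prefix a PDU with the 7-byte MBAP header: transaction id, protocol 0, length, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def exception_pdu(func, code):
    """Exception response: requested function code with bit 7 set, followed by the exception code."""
    return bytes([func | 0x80, code])

def handle_request(adu):
    """Parse one Modbus/TCP request ADU and return the response ADU (None if the frame is malformed)."""
    if len(adu) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        return None
    func, data = adu[7], adu[8:]
    if func == 1:  # read coils: start address, quantity -> byte count + packed coil bits
        if len(data) != 4:
            return build_adu(tid, unit, exception_pdu(func, ILLEGAL_DATA_VALUE))
        start, qty = struct.unpack(">HH", data)
        if not 1 <= qty <= 2000 or start + qty > len(COILS):
            return build_adu(tid, unit, exception_pdu(func, ILLEGAL_DATA_ADDRESS))
        packed = bytearray((qty + 7) // 8)
        for i, on in enumerate(COILS[start:start + qty]):
            if on:
                packed[i // 8] |= 1 << (i % 8)  # lowest coil address goes in the LSB
        return build_adu(tid, unit, bytes([func, len(packed)]) + bytes(packed))
    if func == 16:  # write multiple registers: start, quantity, byte count, values -> echo start, quantity
        if len(data) < 5:
            return build_adu(tid, unit, exception_pdu(func, ILLEGAL_DATA_VALUE))
        start, qty, count = struct.unpack(">HHB", data[:5])
        if not 1 <= qty <= 123 or count != 2 * qty or len(data) != 5 + count or start + qty > len(REGISTERS):
            return build_adu(tid, unit, exception_pdu(func, ILLEGAL_DATA_ADDRESS))
        REGISTERS[start:start + qty] = struct.unpack(">%dH" % qty, data[5:])
        return build_adu(tid, unit, bytes([func]) + data[:4])
    if func == 8:  # diagnostics: sub-function 0 (return query data) simply echoes the request
        if len(data) == 4 and data[:2] == b"\x00\x00":
            return build_adu(tid, unit, bytes([func]) + data)
        return build_adu(tid, unit, exception_pdu(func, ILLEGAL_FUNCTION))
    # Any other function code gets exception code 01 (illegal function).
    return build_adu(tid, unit, exception_pdu(func, ILLEGAL_FUNCTION))
```

Wiring the handler to a listener on TCP port 502, or to stdin/stdout as honeyd expects of its service scripts, is left to the deployment. Every request and response frame is worth logging, since the frames themselves are what the honeypot exists to capture.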
Lastly is the simulation of the webserver. As is noted on the SCADA HoneyNet webpage, a fair number of devices allow the user to connect to a web service and a “Java applet is downloaded to the client and runs within the web browser. In some cases, the applet will then make a connection back to the PLC using protocols like Modbus/TCP and FTP for gathering data. The concept of an applet tracking the information of the downloader is new to the Honeynet world, we call them “Honey Applet”.” I think this idea is great.
# /usr/lib/jre/bin/java StatusApplet
Exception in thread "main" java.lang.NoSuchMethodError: main
Unfortunately, an error is encountered. The complaint is about not having a correct main method, which is a bad thing ™. My Java is a bit too rusty to troubleshoot the problem at this time so let’s see if we can get the working portions of the PLC scripts (vxworks-ftpd.py and vxworks-telnetd.py) to work in conjunction with honeyd. I have never used honeyd before although I’m not new to honeynets. Since I am using Fedora I see if there are any RPMs for honeyd using ‘yum search honeyd’. I find that the latest version of honeyd is packaged as an RPM so I easily install it via yum. The scripts that come with honeyd are placed in the ‘/usr/share/doc/honeyd-0.8/scripts/’ directory so I copy the PLC ones into that directory. I then create the honeyd configuration file config.localhost (note: I will be using honeyd over loopback to test locally):
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
create router
set router personality "Cisco 7206 running IOS 11.1(24)"
add router tcp port 23 "/usr/share/doc/honeyd-0.8/scripts/router-telnet.pl"
set router default tcp action reset
create plc
add plc tcp port 21 "/usr/share/doc/honeyd-0.8/scripts/plc/vxworks-ftpd.py"
add plc tcp port 23 "/usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py"
add plc tcp port 80 "/usr/share/doc/honeyd-0.8/scripts/plc/StatusApplet.java"
add plc tcp port 502 "/usr/share/doc/honeyd-0.8/scripts/plc/modbusSrvr.py"
set plc default tcp action reset
bind 10.0.0.1 router
bind 10.0.0.2 plc
Now I need to add a route on my machine for 10.0.0.0/8 and start honeyd:
# route add -net 10.0.0.0 netmask 255.255.255.0 lo
# honeyd -d -f config.localhost -i lo 10.0.0.0/8
Now when I connect to the “Cisco router” for telnet I get:
# nc 10.0.0.1 23
Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, and law enforcement personnel, as well as to authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site.
Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
User Access Verification
Username: admin
admin
Password: admin
% Access denied
Username:
Good. So connecting to the Cisco router works, and my actions are all logged by honeyd. When connecting to the PLC for telnet (or ftp services for that matter) honeyd complains with an error:
honeyd[14176]: Connection request: tcp (192.168.1.2:34483 - 10.0.0.2:23)
honeyd[14176]: Connection established: tcp (192.168.1.2:34483 - 10.0.0.2:23) <-> /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): Xlib: connection to ":0.0" refused by server
Xlib:
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): No protocol specified
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23):
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): import: Unable to open X server
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): (:0.0)
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): .
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 21: PORT: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 23: HOST: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 25: CommandLine: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 27: HelpResponse: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 30: class: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 32: PORTport: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 33: TelnetConn: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 34: PWD: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 35: logFile: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 37: syntax error near unexpected token `('
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 37: ` def listen(self):'
honeyd[14176]: Expiring TCP (192.168.1.2:34483 - 10.0.0.2:23) (0x97bdc48) in state 7
The SCADA HoneyNet project looks quite interesting, but as I found out there are still a few issues. This is to be expected, as it is mostly proof of concept code and in no way do the authors allude that it is ready for prime time. The issues I have encountered can be summarized as follows:
- modbusSrvr.py missing module modbusHdrs
- incorrect main method in StatusApplet
- interoperability issues with honeyd
- no personality for TCP/IP stack of PLC (nmap-os-fingerprints)
FC2 upgrade
Posted by creining | Filed under Linux/BSD
The Fedora project recently announced the release of Fedora Core 2 so I’ve gotten around to downloading the ISOs via BitTorrent. According to what I’ve read on Slashdot and the Fedora mailing lists, using yum to upgrade from FC1 to FC2, although possible, is not a good idea so that’s why I went the ISO/anaconda route. I did run into one major issue with upgrading to FC2 and that was sound output. ALSA (Advanced Linux Sound Architecture) has been merged into the 2.6 series and replaces the older Open Sound System (OSS). After loading the Intel i810 audio driver (snd-intel8x0) I could not get any sound output. After fiddling around for awhile and not being able to get it working I installed a PCI Ensoniq 1371 card which worked just fine. I’ve found http://fedoranews.org to be a helpful site for keeping up with the Fedora project and the Fedora Core 2 SELinux FAQ to get a grasp on the SELinux features which I plan on playing around with.
Home entertainment upgrades
Posted by creining | Filed under Uncategorized
I recently bought an Onkyo TX-SR601 receiver and a pair of Paradigm Mini Monitors. These components sound absolutely awesome together (especially considering I was replacing a Sony compact stereo system I’ve had for 6 years). I’m planning on building out a complete home theater system by adding a Paradigm center channel (CC-370) , a couple Paradigm rear surrounds (Atoms), and a Paradigm subwoofer (PDR-12). Also on the home entertainment frontier, I recently subscribed to Netflix which absolutely rocks for DVD rental. For music, I’ve been utilizing the local library as it is conveniently just a few blocks from my apartment. The area library system (7 counties total) has a decent web-based interface for the entire library catalog that allows me to search for and request CDs which will be shipped to my preferred pickup library and held. The library system used to have a telnet interface (which was pretty neat!) to the catalog but according to this FAQ entry it is being discontinued.
tcpsound
Posted by creining | Filed under Linux/BSD
A post to the tcpdump-workers mailing list mentions tcpsound which “forks a pseudo terminal in which to run tcpdump(8), parses that output, and plays a wide variety of user configuable sounds.” Nifty? Perhaps. Useful? Not likely.
Reflections on Trusting Trust by Ken Thompson
Posted by creining | Filed under Security
I came across the classic Ken Thompson article from a 1984 Communications of the ACM entitled “Reflections on Trusting Trust”. The moral that he lays out is “You can’t trust code that you did not totally create yourself.” after he chooses to trojan the C compiler. This is obviously a true statement, but I think the trust can and does translate well into the open source development model. You can have many different people working on the same code base, many people will therefore be perusing the code, and most projects use CVS for version control, which makes it easy to track what code is being committed (especially with auto-magic email diffs upon commit).
Undocumented IOS commands
Posted by creining | Filed under Security