SCADA HoneyNet project

Recently, there was a post to the honeypots mailing list about the SCADA HoneyNet Project: Building Honeypots for Industrial Networks. I had run into this project before when searching for SCADA information but had not downloaded the program code. According to the PLC (Programmable Logic Controller) Simulation Case Study the components for simulation are:

  • The TCP/IP Stack of the PLC
  • The simulation of the Modbus/TCP server implementation.
  • The simulation of the FTP server, that is found on some PLCs.
  • The simulation of the Telnetd server, that may be found on some PLCs.
  • The simulation of the management HTTP server, which is increasingly common on PLCs and other industrial network devices.

These simulations are accomplished via scripts that can be used in conjunction with honeyd or standalone. I decided to test them standalone first and then try them as honeyd scripts. There are four scripts: modbusSrvr.py, vxworks-ftpd.py, vxworks-telnetd.py and StatusApplet.java/StatusApplet.class. Testing out the FTP server first I find that the script does not like the ‘list’ command:


# python vxworks-ftpd.py &
[1] 13568
# nc localhost 21
220 FTP server (VxWorks version 2.6) ready.
username foo
331 Guest login ok, send your complete e-mail address as a password.
password foo@bar.org
230 User Logged in
syst
215 UNIX Type: VxWorks
list
Unhandled exception in thread started by
Traceback (most recent call last):
File "vxworks-ftpd.py", line 73, in handleConnection
self.implementCommands(data,conn)
File "vxworks-ftpd.py", line 106, in implementCommands
s.connect((self.ClientAddr[0],self.PORTport))
File "<string>", line 1, in connect
TypeError: an integer is required

Next I try vxworks-telnetd.py which has implemented a ‘help’ and ‘ls’ command. Note that none of the ‘help’ commands have been implemented yet:


# python vxworks-telnetd.py &
[2] 13629
# nc localhost 23
VxWorks Login:admin
Password:admin
Hostname#
help Print this list
ioHelp Print I/O utilities help info
dbgHelp Print debugger help info
nfsHelp Print nfs help info
netHelp Print network help info
spyHelp Print task histogrammer help info
timexHelp Print execution timer help info
h [n] Print (or set) shell history
i [task] Summary of tasks' TCBs
ti task Complete info on TCB for task
sp adr,args... Spawn a task, pri=100, opt=0, stk=20000
taskSpawn name,pri,opt,stk,adr,args... Spawn a task
td task Delete a task
ts task Suspend a task
Hostname#ls
-rw-r--r-- 1 root root 33 Mar 5 18:06 gw

Next is the Modbus/TCP server modbusSrvr.py which at this point has implemented the protocol specific “responses to read_coil (function code 1), write multiple registers (function code 16), diagnostics (function code 8 and the exception response with code 1(unknown function code).” Unfortunately, the module modbusHdrs is missing:


# python modbusSrvr.py &
[3] 13657
# Traceback (most recent call last):
File "modbusSrvr.py", line 19, in ?
from modbusHdrs import *
ImportError: No module named modbusHdrs
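To show what the missing module would have to supply, here is the frame handling the Modbus/TCP emulation needs, as an added example that is not the project's code: it parses the MBAP header, answers read coils (function code 1), write multiple registers (function code 16) and diagnostics (function code 8), and returns the exception response with code 1 for any other function code. The coil and register tables are constructed sample data.

```python
import struct

# Constructed process image for the simulated PLC (assumption, not the project's data).
COILS = [0, 1, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0]
HOLDING_REGS = [0] * 32
ILLEGAL_FUNCTION, ILLEGAL_ADDRESS, ILLEGAL_VALUE = 1, 2, 3

def exception(fc, code):
    # Exception response: function code with the high bit set, then the exception code.
    return bytes([fc | 0x80, code])

def handle_pdu(pdu):
    """Answer one Modbus PDU (function code + data) with a response PDU."""
    fc = pdu[0]
    if fc == 1:                                        # read coils
        start, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= 2000 or start + qty > len(COILS):
            return exception(fc, ILLEGAL_ADDRESS)
        packed = bytearray((qty + 7) // 8)             # LSB of byte 0 = first coil
        for i, bit in enumerate(COILS[start:start + qty]):
            packed[i // 8] |= bit << (i % 8)
        return bytes([fc, len(packed)]) + bytes(packed)
    if fc == 16:                                       # write multiple registers
        start, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            return exception(fc, ILLEGAL_VALUE)
        if start + qty > len(HOLDING_REGS):
            return exception(fc, ILLEGAL_ADDRESS)
        HOLDING_REGS[start:start + qty] = struct.unpack(">%dH" % qty, pdu[6:])
        return pdu[:5]                                 # echo start address and quantity
    if fc == 8:                                        # diagnostics
        sub = struct.unpack(">H", pdu[1:3])[0]         # sub-function 0 = return query data
        return pdu if sub == 0 else exception(fc, ILLEGAL_FUNCTION)
    return exception(fc, ILLEGAL_FUNCTION)             # anything else: exception code 1

def handle_adu(adu):
    """Validate the MBAP header, dispatch the PDU, and wrap the reply in a new header."""
    if len(adu) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:           # length counts unit id + PDU
        return None                                    # malformed frame: drop it, don't guess
    try:
        reply = handle_pdu(adu[7:])
    except struct.error:                               # PDU shorter than its function needs
        reply = exception(adu[7], ILLEGAL_VALUE)
    return struct.pack(">HHHB", tid, 0, len(reply) + 1, unit) + reply
```

Feeding `handle_adu` each frame read from a port 502 socket (or from stdin under honeyd) and writing back whatever it returns gives a server that behaves as the project describes, while still logging every request.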

Lastly is the simulation of the webserver. As is noted on the SCADA HoneyNet webpage, a fair number of devices allow the user to connect to a web service and a “Java applet is downloaded to the client and runs within the web browser. In some cases, the applet will then make connection back to the PLC using protocols like Modbus/TCP and FTP for gathering data. The concept of an applet tracking the information of the downloader is new to the Honeynet world, we call them “Honey Applet”.” I think this idea is great.


# /usr/lib/jre/bin/java StatusApplet
Exception in thread "main" java.lang.NoSuchMethodError: main

Unfortunately, an error is encountered. The complaint is about not having a correct main method, which is a bad thing ™. My Java is a bit too rusty to troubleshoot the problem at this time so let’s see if we can get the working portions of the PLC scripts (vxworks-ftpd.py and vxworks-telnetd.py) to work in conjunction with honeyd. I have never used honeyd before although I’m not new to honeynets. Since I am using Fedora I see if there are any RPMs for honeyd using ‘yum search honeyd’. I find that the latest version of honeyd is packaged as an RPM so I easily install it via yum. The scripts that come with honeyd are placed in the ‘/usr/share/doc/honeyd-0.8/scripts/’ directory so I copy the PLC ones into that directory. I then create the honeyd configuration file config.localhost (note: I will be using honeyd over loopback to test locally):


route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24

create router
set router personality "Cisco 7206 running IOS 11.1(24)"
add router tcp port 23 "/usr/share/doc/honeyd-0.8/scripts/router-telnet.pl"
set router default tcp action reset

create plc
add plc tcp port 21 "/usr/share/doc/honeyd-0.8/scripts/plc/vxworks-ftpd.py"
add plc tcp port 23 "/usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py"
add plc tcp port 80 "/usr/share/doc/honeyd-0.8/scripts/plc/StatusApplet.java"
add plc tcp port 502 "/usr/share/doc/honeyd-0.8/scripts/plc/modbusSrvr.py"
set plc default tcp action reset

bind 10.0.0.1 router
bind 10.0.0.2 plc

Now I need to add a route on my machine for 10.0.0.0/8 and start honeyd:


# route add -net 10.0.0.0 netmask 255.255.255.0 lo
# honeyd -d -f config.localhost -i lo 10.0.0.0/8

Now when I connect to the “Cisco router” for telnet I get:


# nc 10.0.0.1 23
Users (authorized or unauthorized) have no explicit or
implicit expectation of privacy. Any or all uses of this
system may be intercepted, monitored, recorded, copied,
audited, inspected, and disclosed to authorized site,
and law enforcement personnel, as well as to authorized
officials of other agencies, both domestic and foreign.
By using this system, the user consents to such
interception, monitoring, recording, copying, auditing,
inspection, and disclosure at the discretion of authorized
site.

Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal
penalties. By continuing to use this system you indicate
your awareness of and consent to these terms and conditions
of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.

User Access Verification

Username: admin
admin
Password: admin

% Access denied

Username:

Good. So connecting to the Cisco router works, and my actions are all logged by honeyd. When connecting to the PLC for telnet (or ftp services for that matter) honeyd complains with an error:


honeyd[14176]: Connection request: tcp (192.168.1.2:34483 - 10.0.0.2:23)
honeyd[14176]: Connection established: tcp (192.168.1.2:34483 - 10.0.0.2:23) <-> /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): Xlib: connection to ":0.0" refused by server
Xlib:
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): No protocol specified
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23):
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): import: Unable to open X server
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): (:0.0)
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): .
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 21: PORT: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 23: HOST: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 25: CommandLine: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 27: HelpResponse: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 30: class: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 32: PORTport: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 33: TelnetConn: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 34: PWD: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 35: logFile: command not found
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 37: syntax error near unexpected token `('
honeyd[14176]: E(192.168.1.2:34483 - 10.0.0.2:23): /usr/share/doc/honeyd-0.8/scripts/plc/vxworks-telnetd.py: line 37: ` def listen(self):'
honeyd[14176]: Expiring TCP (192.168.1.2:34483 - 10.0.0.2:23) (0x97bdc48) in state 7
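The log shows the script being run by /bin/sh, which is why every Python statement comes back as "command not found". A honeyd service script gets the TCP stream on stdin/stdout and has its stderr copied into the honeyd log as the E(...) lines above, so it must carry a shebang and an executable bit and must never open its own listening socket. Here is the telnet emulation rewritten for that model, as an added example rather than the project's script; the help table and `ls` listing are taken from the transcript, and the HONEYD_IP_SRC variable used for logging is assumed to be set by honeyd.

```python
#!/usr/bin/env python3
# Added example, not the project's vxworks-telnetd.py. Honeyd hands the TCP
# stream to the script on stdin/stdout and copies stderr into its own log;
# without this shebang (and an executable bit) honeyd runs the file with
# /bin/sh, producing the "command not found" errors seen in the log above.
import os, sys

# Help entries and directory listing reproduced from the transcript (subset).
HELP = [("help", "Print this list"), ("ioHelp", "Print I/O utilities help info"),
        ("netHelp", "Print network help info"), ("h [n]", "Print (or set) shell history"),
        ("i [task]", "Summary of tasks' TCBs"), ("td task", "Delete a task")]
LS_OUTPUT = "-rw-r--r-- 1 root root 33 Mar 5 18:06 gw"
PROMPTS = {"login": "VxWorks Login:", "password": "Password:", "shell": "Hostname#"}

class VxWorksShell:
    # Login -> password -> command loop; any credentials are accepted, as in the original.
    def __init__(self):
        self.state, self.user = "login", None
    def prompt(self):
        return PROMPTS[self.state]
    def handle(self, line):
        """Return the output for one input line, or None to close the session."""
        line = line.rstrip("\r\n")
        if self.state == "login":
            self.user, self.state = line, "password"
            return ""
        if self.state == "password":
            self.state = "shell"
            return ""
        if line == "help":
            return "".join("%-10s %s\n" % entry for entry in HELP)
        if line == "ls":
            return LS_OUTPUT + "\n"
        if line in ("exit", "logout"):
            return None
        return ""  # unimplemented commands produce no output (assumption)

def main():
    peer = os.environ.get("HONEYD_IP_SRC", "unknown")  # set by honeyd (assumption)
    shell = VxWorksShell()
    sys.stdout.write(shell.prompt()); sys.stdout.flush()
    for line in sys.stdin:
        # Everything the intruder types goes to stderr, i.e. into the honeyd log.
        sys.stderr.write("%s typed %r\n" % (peer, line.rstrip("\r\n")))
        out = shell.handle(line)
        if out is None:
            break
        sys.stdout.write(out + shell.prompt()); sys.stdout.flush()

if __name__ == "__main__":
    main()
```

This handles a plain nc session like the one shown above; a real telnet client first sends IAC option-negotiation bytes, which would need to be stripped from stdin before the line loop.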

The SCADA HoneyNet project looks quite interesting but, as I found out, there are still a few issues. This can be expected as it is mostly proof of concept code and in no way do the authors allude that it is ready for prime time. The issues I have encountered can be summarized by the following:

  • modbusSrvr.py missing module modbusHdrs
  • incorrect main method in StatusApplet
  • interoperability issues with honeyd
  • no personality for TCP/IP stack of PLC (nmap-os-fingerprints)