- Use one of the sniffed messages (preferably the last message of the communication loop between FactoryIO and OpenPLC, in order to have more time available to sniff, craft, and inject it) as a seed to predict the TCP sequence values.
- Generate a packet that complies with the TCP sequence expected by FactoryIO, but with a malicious data payload.

Scapy is a Python library that offers multiple packet manipulation functionalities. It is available by default in Kali Linux distributions, so it will not be necessary to perform any additional installation. However, here is a link to the installation documentation in case a different operating system is being used to simulate the attacker machine.

Additionally, it is recommended (but optional) to install an IDE that facilitates scripting in Python. Visual Studio Code (VS Code) is free and quite complete (link to download) and can be easily set up in Kali Linux.

The first step is to create a Python script and import Scapy to access all the classes and functions that it provides. From that point, the objective will be to build every layer of the malicious packet one by one.

![]() Scapy import

Before starting with the layer definition, it is necessary to know that Scapy offers two different functions to send packets: send() and sendp(). While sendp() sends layer 2 packets, send() forwards layer 3 packets and Scapy takes care of generating the proper configuration for layer 2. In this scenario send() will be used, so it will not be necessary to configure the Ethernet layer manually.

![]() Comparison between the send() and sendp() functions in Scapy

As was previously discovered, messages between OpenPLC and FactoryIO are exchanged approximately every 0.5 ms. That is a problem because sniffing, crafting, and injecting a packet can take longer than that. In order to maximize the chances of success, we will exploit the time between communication loops (100 ms) to perform the injection.

![]() Red: time between messages during a single iteration of OpenPLC's communication loop // Green: time between different OpenPLC communication loops

The penultimate message of every communication loop is a "Write Coils" query, followed by a final ACK from OpenPLC to FactoryIO. Every "Write Coils" query has a fixed part in the Modbus layer and a variable part that corresponds with the desired target state for the outputs.

![]() Green: fixed part that identifies a "Write Coils" function // Red: variable part containing the desired target state for the outputs in the "Write Coils" function

![]() Top: Modbus TCP packet captured with Wireshark // Bottom left: Modbus TCP packet (with Raw layer) sniffed with Scapy // Bottom right: non-Modbus TCP packet (without Raw layer) sniffed with Scapy

With the above-mentioned points in mind, the following logic is implemented in order to capture the last packet of the communication loop:

- 4 consecutive messages will be captured (it is recommended to capture twice as many messages as needed, in this case 2 messages: the query and the ACK, in order to prevent aliasing) using the sniff() function with the following filters:
  - The packet destination is FactoryIO's IP.
- The penultimate message is checked for the presence of the following traits:
  - It has a "Raw" layer, which is present in all Modbus packets captured with Scapy. This is done to prevent errors when opening a non-existent layer at the next checkpoint.
- If both conditions are met, the captured messages correspond with the ones expected for the end of the communication loop and will be used as the seed for the attack.
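As an added example (not code from the original post), here is the defender-side view of the same traffic: a parser for the Modbus/TCP "Write Coils" query described above (fixed MBAP header and function-code part, variable coil-state bytes) and a check for the wire footprint that a seeded-sequence injection leaves, namely two segments on one flow with the same TCP sequence number but different Modbus payloads. The IP addresses, sequence numbers and frames are constructed for the example and do not come from the post's captures.

```python
import struct
from dataclasses import dataclass

WRITE_MULTIPLE_COILS = 0x0F  # Modbus function code 15, "Write Coils"

@dataclass
class WriteCoils:
    transaction_id: int
    unit_id: int
    start_addr: int
    coils: list  # one bool per coil in address order: the variable part of the query

def parse_write_coils(raw: bytes):
    """Parse a Modbus/TCP 'Write Coils' query from a TCP payload (Scapy's Raw layer);
    returns None for anything that is not a well-formed FC15 query."""
    if len(raw) < 13:
        return None
    tid, proto, length, unit, fc = struct.unpack("!HHHBB", raw[:8])  # MBAP header + FC
    if proto != 0 or fc != WRITE_MULTIPLE_COILS or length != len(raw) - 6:
        return None
    start, qty, nbytes = struct.unpack("!HHB", raw[8:13])  # rest of the fixed part
    data = raw[13:]
    if not 1 <= qty <= 0x07B0 or nbytes != (qty + 7) // 8 or nbytes != len(data):
        return None
    coils = [bool((data[i // 8] >> (i % 8)) & 1) for i in range(qty)]  # LSB = lowest coil
    return WriteCoils(tid, unit, start, coils)

def find_injected(frames):
    """frames: (src_ip, dst_ip, tcp_seq, payload) tuples for one direction of a flow.
    A seeded-sequence injection leaves two segments with the same TCP sequence number
    but different Modbus payloads (spoofed query, then the PLC's real one); a plain TCP
    retransmission repeats the payload, so it is not flagged."""
    first_seen, alerts = {}, []
    for src, dst, seq, payload in frames:
        key = (src, dst, seq)
        if key in first_seen and first_seen[key] != payload:
            alerts.append((src, dst, seq, parse_write_coils(first_seen[key]),
                           parse_write_coils(payload)))
        first_seen.setdefault(key, payload)
    return alerts

def fc15(tid: int, coil_byte: int) -> bytes:
    """Constructed 8-coil FC15 query (unit 1, start address 0) for the sample below."""
    return bytes([0, tid, 0, 0, 0, 8, 1, WRITE_MULTIPLE_COILS, 0, 0, 0, 8, 1, coil_byte])

# Constructed sample, not a real capture; the IPs are placeholders for OpenPLC -> FactoryIO.
SAMPLE_FRAMES = [
    ("192.168.1.10", "192.168.1.20", 1000, fc15(1, 0xC3)),  # legitimate query, loop n
    ("192.168.1.10", "192.168.1.20", 1014, fc15(2, 0xFF)),  # spoofed: predicted seq, all coils on
    ("192.168.1.10", "192.168.1.20", 1014, fc15(2, 0xC3)),  # legitimate query of loop n+1
]
```

Running find_injected(SAMPLE_FRAMES) yields one alert for sequence 1014 carrying both the spoofed and the legitimate coil states, while a repeated identical frame produces none.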