Skip to content

Passive ICS Network Scanner based on MAC Address Detection

License

Notifications You must be signed in to change notification settings

mniedermaier/macDetec

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

macDetec - Device Identification by MAC Address

The software provided here serves as a PoC implementation. The corresponding paper was presented at the ICS-CSR 2018.

Abstract

Owing to a growing number of attacks, the assessment of Industrial Control Systems (ICSs) has gained in importance. An integral part of an assessment is the creation of a detailed inventory of all connected devices, enabling vulnerability evaluations. For this purpose, scans of networks are crucial. Active scanning, which generates irregular traffic, is a method to get an overview of connected and active devices. Since such additional traffic may lead to an unexpected behavior of devices, active scanning methods should be avoided in critical infrastructure networks. In such cases, passive network monitoring offers an alternative, which is often used in conjunction with complex deep-packet inspection techniques. There are very few publications on lightweight passive scanning methodologies for industrial networks. In this paper, we propose a lightweight passive network monitoring technique using an efficient Media Access Control (MAC) address-based identification of industrial devices. Based on an incomplete set of known MAC address to device associations, the presented method can guess correct device and vendor information. Proving the feasibility of the method, an implementation is also introduced and evaluated regarding its efficiency. The feasibility of predicting a specific device/vendor combination is demonstrated by having similar devices in the database. In our ICSi testbed, we reached a host discovery rate of 100% at an identification rate of more than 66%, outperforming the results of existing tools.

Discovery

The device discovery is working completely passive with ARP requests broadcasted to the network. From these broadcasts, the MAC address is used to look up devices with a similar MAC address in the database of macDetec. If the found device is within a certain range of a known device, it is likely that these devices are the same product.

Vulnerability Mapping

With the above information a vulnerability mapping is done by querying the cve-details web API.

Testbed

The testbed used for the evaluation can be seen in the following figure.

Installation

Install libpcap-dev for the analyzis of network captures (pcap).

sudo apt install libpcap-dev

Install all dependencies necessary to run macDetec.

python3 -m pip install .

Paper

The paper can be accessed over BCS.

@inproceedings{niedermaier2018efficient,
   title={Efficient Passive ICS Device Discovery and Identification by MAC Address Correlation},
   author={Niedermaier, Matthias and Hanka, Thomas and Plaga, Sven and von Bodisco, Alexander and Merli, Dominik},
   booktitle={5th International Symposium for ICS & SCADA Cyber Security Research 2018 (ICS-CSR 2018)},
   year={2018}
}

About

Passive ICS Network Scanner based on MAC Address Detection

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 99.1%
  • Makefile 0.9%