-
info
- 1 session
- begin: 6th May 9 AM Singapore time
- end: 7th May 9 AM Singapore time
- 10 teams
- 10 different public IP
- reuse same shared keys
- reuse same webapp credentials
-
channels
- kopipackets
- IRC
-
keep in mind
- Arxiv paper is available (no reuse)
- If challenges are too simular then players from last year might be advantaged
- Challenge has to be hard but realistic
- OpenVPN round trip time will bi higher
If the first vm is configured correctly then after the duplication you only need to do the following steps:
tmux ls
and attach to the admin session- rename the admin session to
teamx
- type
make
- change
EC2_IP
in theMakefile
- test
make start
with the new IP - change
openvpn-rclient.conf
remote
to$EC2_IP
- change
openvpn-rclient2.conf
remote
to$EC2_IP
- test openvpn connections cd into
teamx
folder
Additional checks:
sudo iptables -L -t nat
- minicps version and branch
- port 8080 open for the webapp
- port 1337 redirected to 10.0.0.1:1194
- port 1338 redirected to 10.0.0.2:1194
sudo ls /root/flags
If some file or software is missing, see init.sh
.
Provided files to each team
README.md
attacker-password
openvpn-rclient.conf
openvpn-rclient2.conf
static.key
static2.key
See init.sh
Check new enip minicps branch:
git checkout -b remmihsorp-feature/enip2 master
git pull https://github.com/remmihsorp/minicps.git feature/enip2
Generate shared openvpn key:
openvpn --genkey --secret static.key
openvpn --genkey --secret static2.key
Temporary ipv4 forwarding:
cat /proc/sys/net/ipv4/ip_forward
sudo su
echo 1 > /proc/sys/net/ipv4/ip_forward
exit
Persistent ipv4 forwarding:
sudo vim /etc/sysctl.conf:
net.ipv4.ip_forward = 1
-
ettercap
- installation from source
sudo apt-get install debhelper cmake bison flex libgtk2.0-dev libltdl3-dev libncurses-dev libncurses5-dev\ libnet1-dev libpcap-dev libpcre3-dev libssl-dev libcurl4-openssl-dev ghostscript
- download source file and look at INSTALL file
- installation from source
-
etterfilters
- as ubuntu user
cd ~/s3/online/enip
make etterfilters
- copy the relevant
.ec
file to the relevant location
-
bettercap
- install stable
rvm
with ruby2.4.1
for simple user gem install packetfu -v 1.1.11
git clone https://github.com/evilsocket/bettercap
cd bettercap
gem build bettercap.gemspec
gem install bettercap*.gem
- run with
rvmsudo bettercap
- install stable
-
Links
-
Debian packages
sudo apt-get install openvpn easy-rsa
- openvpn version 2.4.1
-
Actual setup
- tcp
- Generate a shared secret key for client-server
- Configure openvpn to use
tap
(bridging, transports L2 traffic eg: ARP) - Disable host service at startup
sudo vim /etc/default/openvpn
- uncomment
#AUTOSTART="none"
- check with
sudo service openvpn status
-
TODO
- check round trip time with openvpn
- attacker might miss some bits
-
Description
- New secure modulation scheme: Coil Width Modulation (CWM)
rtu2a
periodically send data using this modulation schemescada
using offset 0 and no encryption- The encoding scheme used is ASCII (Eg: 8-bit to represent one character)
-
Goal
- Test man-in-the-middle, synch, ASCII decoding.
-
How
- Send an
ettercap
command
- Send an
-
Description
- The
rtu2b
is using internally (without sending traffic into the network) a faster and more secure modulation scheme the 3-HRWM - The scheme uses 3 holding registers (offset from 0 to 2) and a clever offset hopping technique to prevent eavesdropping.
- The hopping techniques uses 4 masks and each mask is applied to 3 sequences of 3 bytes (Eg: if the mask is 0-1-2 then the first 3 sequences will send the three bytes in natural order).
- Each register contains an ASCII encoded character (Eg: 8-bit to represent one character
- Please try to speak with
rtu2b
to get the flag
- The
-
Goal
- Test Modbus/TCP client that reads multiple registers in parallel.
-
How
- Write modbus tcp client
Mixed challenge ping map:
*** Ping: testing ping reachability
│
attacker -> X client X X X X X X
│
attacker2 -> X X client2 X X X X X
│
client -> attacker X X plc2 plc3 X X X
│
client2 -> X attacker2 X X X rtu2a rtu2b scada
│
plc2 -> attacker X X X plc3 X X X
│
plc3 -> attacker X X X plc2 X X X
│
rtu2a -> X attacker2 X X X X rtu2b scada
│
rtu2b -> X attacker2 X X X X rtu2a scada
│
scada -> X attacker2 X X X X rtu2a rtu2b
-
flask webapp status
-
tcpdump single interface to a file
sudo tcpdump -i tap0 -w /tmp/tap0.pcap &
-
tcpdump all interfaces to a file
sudo tcpdump -i any -w /tmp/any.pcap &
- Linux cooked interface no ether headers
-
check interface status
watch ifconfig ifname
-
check open ports
sudo netstat -tulpn
nmap localhost
-
check services
sudo service --status-all
sudo service service_name status
- you may need to restart openvswitch switch server
- type
w
to check who is logged in
-
check flags
- TODO
-
start challenges
cd ~/s317-minicps/mix
make run
- from another terminal
make start
-
clean and restart
make restart
-
stop and clean
make stop
-
log file
tail -f /var/log/commands.log