Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
logs
Makefile
README-ATTACKER.md
README.md
bridge-start.sh
bridge-start2.sh
bridge-stop.sh
bridge-stop2.sh
clean.sh
init.py
init.sh
openvpn-client.conf
openvpn-client2.conf
openvpn-iptables
openvpn-rclient.conf
openvpn-rclient2.conf
openvpn-server.conf
openvpn-server2.conf
plc2.py
plc3.py
rtu2a.py
rtu2b.py
run-local.py
run.py
scada.py
static.key
static2.key
topo.py
utils.py

README.md

s317-minicps

  • info

    • 1 session
    • begin: 6th May 9 AM Singapore time
    • end: 7th May 9 AM Singapore time
    • 10 teams
      • 10 different public IP
      • reuse same shared keys
      • reuse same webapp credentials
  • channels

    • kopipackets
    • IRC
  • keep in mind

    • Arxiv paper is available (no reuse)
    • If challenges are too simular then players from last year might be advantaged
    • Challenge has to be hard but realistic
    • OpenVPN round trip time will bi higher

Init

If the first vm is configured correctly then after the duplication you only need to do the following steps:

  • tmux ls and attach to the admin session
  • rename the admin session to teamx
  • type make
  • change EC2_IP in the Makefile
  • test make start with the new IP
  • change openvpn-rclient.conf remote to $EC2_IP
  • change openvpn-rclient2.conf remote to $EC2_IP
  • test openvpn connections cd into teamx folder

Additional checks:

  • sudo iptables -L -t nat
  • minicps version and branch
  • port 8080 open for the webapp
  • port 1337 redirected to 10.0.0.1:1194
  • port 1338 redirected to 10.0.0.2:1194
  • sudo ls /root/flags

If some file or software is missing, see init.sh.

Provided files to each team

README.md
attacker-password
openvpn-rclient.conf
openvpn-rclient2.conf
static.key
static2.key

See init.sh

Check new enip minicps branch:

git checkout -b remmihsorp-feature/enip2 master
git pull https://github.com/remmihsorp/minicps.git feature/enip2

Generate shared openvpn key:

openvpn --genkey --secret static.key
openvpn --genkey --secret static2.key

Temporary ipv4 forwarding:

cat /proc/sys/net/ipv4/ip_forward
sudo su
echo 1 > /proc/sys/net/ipv4/ip_forward
exit

Persistent ipv4 forwarding:

sudo vim /etc/sysctl.conf:
net.ipv4.ip_forward = 1
  • ettercap

    • installation from source
      • sudo apt-get install debhelper cmake bison flex libgtk2.0-dev libltdl3-dev libncurses-dev libncurses5-dev\ libnet1-dev libpcap-dev libpcre3-dev libssl-dev libcurl4-openssl-dev ghostscript
      • download source file and look at INSTALL file
  • etterfilters

    • as ubuntu user
    • cd ~/s3/online/enip
    • make etterfilters
    • copy the relevant .ec file to the relevant location
  • bettercap

    • install stable rvm with ruby 2.4.1 for simple user
    • gem install packetfu -v 1.1.11
    • git clone https://github.com/evilsocket/bettercap
    • cd bettercap
    • gem build bettercap.gemspec
    • gem install bettercap*.gem
    • run with rvmsudo bettercap

OpenVPN

Wadi challenges

1: Coil Width Modulation (CWM) scheme

  • TODO

    • check round trip time with openvpn
    • attacker might miss some bits
  • Description

    • New secure modulation scheme: Coil Width Modulation (CWM)
    • rtu2a periodically send data using this modulation scheme scada using offset 0 and no encryption
    • The encoding scheme used is ASCII (Eg: 8-bit to represent one character)
  • Goal

    • Test man-in-the-middle, synch, ASCII decoding.
  • How

    • Send an ettercap command

2: Three-Holding Registers Width Modulation (3-HRWM) scheme

  • Description

    • The rtu2b is using internally (without sending traffic into the network) a faster and more secure modulation scheme the 3-HRWM
    • The scheme uses 3 holding registers (offset from 0 to 2) and a clever offset hopping technique to prevent eavesdropping.
    • The hopping techniques uses 4 masks and each mask is applied to 3 sequences of 3 bytes (Eg: if the mask is 0-1-2 then the first 3 sequences will send the three bytes in natural order).
    • Each register contains an ASCII encoded character (Eg: 8-bit to represent one character
    • Please try to speak with rtu2b to get the flag
  • Goal

    • Test Modbus/TCP client that reads multiple registers in parallel.
  • How

    • Write modbus tcp client

Runtime checks

Mixed challenge ping map:

*** Ping: testing ping reachability
│
attacker -> X client X X X X X X
│
attacker2 -> X X client2 X X X X X
│
client -> attacker X X plc2 plc3 X X X
│
client2 -> X attacker2 X X X rtu2a rtu2b scada
│
plc2 -> attacker X X X plc3 X X X
│
plc3 -> attacker X X X plc2 X X X
│
rtu2a -> X attacker2 X X X X rtu2b scada
│
rtu2b -> X attacker2 X X X X rtu2a scada
│
scada -> X attacker2 X X X X rtu2a rtu2b
  • flask webapp status

  • tcpdump single interface to a file

    • sudo tcpdump -i tap0 -w /tmp/tap0.pcap &
  • tcpdump all interfaces to a file

    • sudo tcpdump -i any -w /tmp/any.pcap &
    • Linux cooked interface no ether headers
  • check interface status

    • watch ifconfig ifname
  • check open ports

    • sudo netstat -tulpn
    • nmap localhost
  • check services

    • sudo service --status-all
    • sudo service service_name status
    • you may need to restart openvswitch switch server
    • type w to check who is logged in
  • check flags

    • TODO
  • start challenges

    • cd ~/s317-minicps/mix
    • make run
    • from another terminal make start
  • clean and restart

    • make restart
  • stop and clean

    • make stop
  • log file

    • tail -f /var/log/commands.log