Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


  • info

    • 1 session
    • begin: 6th May 9 AM Singapore time
    • end: 7th May 9 AM Singapore time
    • 10 teams
      • 10 different public IP
      • reuse same shared keys
      • reuse same webapp credentials
  • channels

    • kopipackets
    • IRC
  • keep in mind

    • Arxiv paper is available (no reuse)
    • If challenges are too simular then players from last year might be advantaged
    • Challenge has to be hard but realistic
    • OpenVPN round trip time will bi higher


If the first vm is configured correctly then after the duplication you only need to do the following steps:

  • tmux ls and attach to the admin session
  • rename the admin session to teamx
  • type make
  • change EC2_IP in the Makefile
  • test make start with the new IP
  • change openvpn-rclient.conf remote to $EC2_IP
  • change openvpn-rclient2.conf remote to $EC2_IP
  • test openvpn connections cd into teamx folder

Additional checks:

  • sudo iptables -L -t nat
  • minicps version and branch
  • port 8080 open for the webapp
  • port 1337 redirected to
  • port 1338 redirected to
  • sudo ls /root/flags

If some file or software is missing, see

Provided files to each team


Check new enip minicps branch:

git checkout -b remmihsorp-feature/enip2 master
git pull feature/enip2

Generate shared openvpn key:

openvpn --genkey --secret static.key
openvpn --genkey --secret static2.key

Temporary ipv4 forwarding:

cat /proc/sys/net/ipv4/ip_forward
sudo su
echo 1 > /proc/sys/net/ipv4/ip_forward

Persistent ipv4 forwarding:

sudo vim /etc/sysctl.conf:
net.ipv4.ip_forward = 1
  • ettercap

    • installation from source
      • sudo apt-get install debhelper cmake bison flex libgtk2.0-dev libltdl3-dev libncurses-dev libncurses5-dev\ libnet1-dev libpcap-dev libpcre3-dev libssl-dev libcurl4-openssl-dev ghostscript
      • download source file and look at INSTALL file
  • etterfilters

    • as ubuntu user
    • cd ~/s3/online/enip
    • make etterfilters
    • copy the relevant .ec file to the relevant location
  • bettercap

    • install stable rvm with ruby 2.4.1 for simple user
    • gem install packetfu -v 1.1.11
    • git clone
    • cd bettercap
    • gem build bettercap.gemspec
    • gem install bettercap*.gem
    • run with rvmsudo bettercap


Wadi challenges

1: Coil Width Modulation (CWM) scheme

  • TODO

    • check round trip time with openvpn
    • attacker might miss some bits
  • Description

    • New secure modulation scheme: Coil Width Modulation (CWM)
    • rtu2a periodically send data using this modulation scheme scada using offset 0 and no encryption
    • The encoding scheme used is ASCII (Eg: 8-bit to represent one character)
  • Goal

    • Test man-in-the-middle, synch, ASCII decoding.
  • How

    • Send an ettercap command

2: Three-Holding Registers Width Modulation (3-HRWM) scheme

  • Description

    • The rtu2b is using internally (without sending traffic into the network) a faster and more secure modulation scheme the 3-HRWM
    • The scheme uses 3 holding registers (offset from 0 to 2) and a clever offset hopping technique to prevent eavesdropping.
    • The hopping techniques uses 4 masks and each mask is applied to 3 sequences of 3 bytes (Eg: if the mask is 0-1-2 then the first 3 sequences will send the three bytes in natural order).
    • Each register contains an ASCII encoded character (Eg: 8-bit to represent one character
    • Please try to speak with rtu2b to get the flag
  • Goal

    • Test Modbus/TCP client that reads multiple registers in parallel.
  • How

    • Write modbus tcp client

Runtime checks

Mixed challenge ping map:

*** Ping: testing ping reachability
attacker -> X client X X X X X X
attacker2 -> X X client2 X X X X X
client -> attacker X X plc2 plc3 X X X
client2 -> X attacker2 X X X rtu2a rtu2b scada
plc2 -> attacker X X X plc3 X X X
plc3 -> attacker X X X plc2 X X X
rtu2a -> X attacker2 X X X X rtu2b scada
rtu2b -> X attacker2 X X X X rtu2a scada
scada -> X attacker2 X X X X rtu2a rtu2b
  • flask webapp status

  • tcpdump single interface to a file

    • sudo tcpdump -i tap0 -w /tmp/tap0.pcap &
  • tcpdump all interfaces to a file

    • sudo tcpdump -i any -w /tmp/any.pcap &
    • Linux cooked interface no ether headers
  • check interface status

    • watch ifconfig ifname
  • check open ports

    • sudo netstat -tulpn
    • nmap localhost
  • check services

    • sudo service --status-all
    • sudo service service_name status
    • you may need to restart openvswitch switch server
    • type w to check who is logged in
  • check flags

    • TODO
  • start challenges

    • cd ~/s317-minicps/mix
    • make run
    • from another terminal make start
  • clean and restart

    • make restart
  • stop and clean

    • make stop
  • log file

    • tail -f /var/log/commands.log