A lot of time has passed since the last time I wrote an article in English. So, it is about time!
Everybody knows that the first step in an audit, a pentest or, in the worst case, an adversary's attack, is to gather information about the target. This process, in OT environments, is no different from the IT world. However, we must take into account some considerations about the kind of devices that we can find on a plant or shop floor. You will certainly find computers and other PC-based systems, but there are a lot of other devices such as PLCs, HMIs, gateways and many more. In addition, the lifecycle is longer, so older hardware neither responds in the same way nor has the same resources as a new device.
All of them have a lot of different characteristics such as hardware, firmware, operating system, lifecycle… and a simple network scan could stop or impact normal operation. For this reason, we must try to run such scans in a lab environment, just the opposite of what an adversary would do. Anyway, there are a lot of tools available that we can use locally or remotely to collect the information that we need.
Nmap is the most famous, but as you will see there are some tools specific to ICS environments (and nmap can be used there as well).
Today I will talk about S7Scan. Created by Kaspersky, S7Scan lets you enumerate and collect information about Siemens S7-300 and S7-400 PLCs. On the GitHub page you can get more general and precise information. Please click here.
First of all, we must open the “help” menu to explore the S7Scan options and run it according to the scenario:
Having the target IP address, we can execute the tool with the following command if our target is on another public or private network.
python s7scan.py --tcp [IP ADDRESS]
Optionally, we can define the path where the results are stored. By default, if we do not specify one, a new folder is created in the same directory from which we execute the tool.
There we can find two text files; one of them is “scan_log.txt”, which stores the gathered information about the targets.
Here we can see the communication module:
As we can see, we get data about the internal IP address, PLC name, order number, module model and more.
The picture below shows the information about the PLC CPU:
In the same way, we get information about the firmware, order number, etc. and other interesting details; for example, that there is an MMC card inserted and which communication protocols are supported.
From this point we can start checking different websites where we can find published vulnerabilities, technical specifications, etc. that allow us to move forward to the next steps.
As in other scenarios, this information has been gathered remotely, that is, over the TCP/IP network. A long time ago I talked about which are the first measures to take: separation and segmentation of both environments, IT & OT. Please click here. So, in the next picture we can see how a Fortinet FortiGate Next Generation Firewall can detect this kind of activity.
To prevent this scan, we could permit these operations exclusively from those stations that need access to the PLCs, and apply layer 7 analysis to generate logs accordingly. It is important to restrict access, but it is more important to detect unusual behavior that can show us that somebody, or something, is trying to perform actions that are not permitted.
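As an added example (not part of the original post, nor of S7Scan or Fortinet), here is a small Python check in the spirit of the allowlist plus logging described above: it reads constructed firewall-style connection records, flags S7comm connections (TCP/102, the ISO-TSAP port that S7Scan's --tcp mode talks to) coming from hosts outside an engineering-station allowlist, and also reports any source that touches several PLCs on that port, which is the footprint a scan leaves behind. The log format, addresses and threshold are assumptions, not FortiGate output.

```python
"""Allowlist and scan-pattern check for S7comm (TCP/102) access in connection logs."""
from collections import defaultdict

# Constructed sample records (key=value style for readability, not a real firewall format).
SAMPLE_LOG = """\
src=10.10.1.20 dst=10.20.0.11 proto=tcp dport=102 action=accept
src=10.10.1.20 dst=10.20.0.12 proto=tcp dport=102 action=accept
src=10.10.5.77 dst=10.20.0.11 proto=tcp dport=102 action=accept
src=10.10.5.77 dst=10.20.0.12 proto=tcp dport=102 action=accept
src=10.10.5.77 dst=10.20.0.13 proto=tcp dport=102 action=accept
src=10.10.1.20 dst=10.20.0.11 proto=tcp dport=443 action=accept
"""

S7_PORT = 102                          # ISO-TSAP / S7comm
ENGINEERING_STATIONS = {"10.10.1.20"}  # assumed hosts allowed to talk to PLCs
SCAN_THRESHOLD = 3                     # distinct PLCs from one source => scan-like


def parse_line(line):
    """Parse 'k=v k=v ...' into a dict; return None for malformed records."""
    fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
    if not {"src", "dst", "dport"}.issubset(fields):
        return None
    try:
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def analyse(log_text, allowed=ENGINEERING_STATIONS, threshold=SCAN_THRESHOLD):
    """Return (unauthorised, scanners).

    unauthorised: list of (src, dst) for S7comm connections from non-allowlisted hosts.
    scanners: set of sources reaching >= threshold distinct PLCs on TCP/102,
    reported even when the source is allowlisted (an engineering station can be abused).
    """
    unauthorised = []
    targets = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["dport"] != S7_PORT or ev.get("proto", "tcp") != "tcp":
            continue
        targets[ev["src"]].add(ev["dst"])
        if ev["src"] not in allowed:
            unauthorised.append((ev["src"], ev["dst"]))
    scanners = {src for src, dsts in targets.items() if len(dsts) >= threshold}
    return unauthorised, scanners
```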
See you in the next post!