Lab 1

Scenario Overview

The industrial control system (ICS) used in this scenario simulates an environment that might be used to cool industrial equipment. The ICS is made up of five systems. The first system contains a tank, tank level sensor and a water pump. The second system is a programmable logic controller (PLC) which controls the water pump based on the level of water found in the attached tank. The third system is an Open Platform Communications (OPC) server which accesses and modifies data found on the PLC. The fourth system is running Human Machine Interface (HMI) software which communicates with the OPC server to provide a human system operator with system statistics and control. The final system in the ICS is a security appliance that provides routing and firewall services for all systems. This scenario also make use of a system running Kali Linux. In this lab the virtual network switch is configured so that the Kail system receives all data transmitted. (Network diagram)

In this lab you are going to observe that when a hacker is connected to the same network segment as the ICS systems, they are easily able to view data being shared between all devices. After verifying this you will move the hacker system to its own network and again attempt to view data being transferred. You will discover that when a hacker is connected to a different segment then the ICS systems they are no longer able to view data transfers.

Part 1
Install Systems

In this part of the lab you are going to install and configure the systems needed to complete the lab.

  1. Access the lab remote access server at https://guac.nl.northweststate.edu and login using your assigned username and password.
  2. Login a second time to the nlstu-s1.nl.northweststate.edu remote server using your assigned username and password.
  3. When the Linux desktop appears, click the Activities menu located in the top left hand corner of the screen.
  4. Type ics into the Type to search field that appears in the top center of the screen (Example).
  5. Click the ICS Lab Control icon.
  6. Select the New Lab option, click the OK button then wait for the systems to start.

Part 2
Login and configure the network settings

In this part of the lab you are going to login to the hacker system, connect it to the appropriate network then verify that it can connect to the PLC.

  1. Access the Kali system.
  2. At the login screen enter student into the Enter your username field and Password01 into the Enter your password field.
  3. Click the Log In button.
  4. Open a terminal (command prompt) window by clicking the Terminal Emulator button found at the upper left hand corner of the window (Example).
  5. Type the command nmcli connection to view the available network connections.
  6. Notice that the Cell-Area Zone configuration is associated with a device but the Manufacturing Zone configuration is not.
  7. Type the letter q to stop viewing the network configurations.
  8. Switch the zone (network segment) that the Kali system is connected to by typing the command ./change_network.sh then providing the student user's password, Password01 when prompted.
  9. View the available network configurations by typing the command nmcli connection.
  10. Notice that now the Manufacturing Zone configuration is associated with a device but the Cell-Area Zone configuration is not.
  11. Type the letter q to stop viewing the network configurations.
  12. Verify that the PLC is running by typing the command nc 10.0.255.102 23 and observing that the PLC is running, and that the IP address of the PLC and the address of the connecting system is shown.

Part 3
Enable and test an Intrusion Detection System (IDS)

In this part of the lab you are going to enable the Snort as an IDS, configure a rule to detect Modbus traffic and then test the rule.

  1. Start a web browser on the Kali system by clicking the Application menu button at the top left of the screen, scrolling down the list of application folders then clicking the Usual Applications folder, expanding the Internet category and finally clicking on the Web Browser option ( Example ).
  2. Type the address 10.0.255.1 into the Web Browser's address bar then click the Go to the address in the Location bar button ( Example ).
  3. If necessary, click the Advanced... button when you see the Warning: Potential Security Risk Ahead web page, read the explanation for the security warning then click the Accept the Risk and Continue button.
  4. Type the username admin into the Username field.
  5. Type the password Password01 into the Password field.
  6. Click the SIGN IN button.
  7. If you are asked if you would like Firefox to save the login data, click the Don't Save button.
  8. Expand the Services category at the top of the administrative console page then choose the Snort option ( Example ).
  9. Click the Edit icon associated with the MANUFACTURINGZONE (em2) interface ( Example ).
  10. In the General Settings category located at the top of the web page, put a check into the box labeled Enable interface.
  11. Scroll to the bottom of the page then click the Save button.
  12. Click the MANUF Rules link ( Example ).
  13. Type the rule alert tcp any any -> 10.0.255.0/24 502 (msg:"Modbus traffic detected.";sid:1000001;) into the Defined Custom Rules text box ( Example ).
  14. Before going to the next step double check your typing as a typo in the rules will prevent Snort from starting.
  15. Scroll to the bottom of the page then click the Save button.
  16. Click the Snort Interfaces link.
  17. Click the Start button associated with the MANUFACTURINGZONE (em2) interface ( Example ).
  18. Before going to the next step verify that the Running icon appears indicating that Snort started successfully ( Example ).
  19. Access a terminal window on the Kali system.
  20. Type the command msfconsole -r /home/student/labs/ids-ips/modbus_banner_grab.rc to use the Metasploit program to retrieve the banner from the PLC ( Example ).
  21. Access the pfsense web page using the Kali system.
  22. If necessary, expand the Services category at the top of the administrative console page then choose the Snort option.
  23. Click the Alerts link.
  24. Scroll down that page and observe the alerts that the Metasploit program generated.
  25. Take a screen shot that shows the entire Kali window ( Example ) and paste it into the IDS/IPS Lab Form found here.

Part 4
Configure IDS Packet Capture

In this part of the lab you are going to configure the Snort IDS to capture packets matching alert rules and then use the Wireshark program to analyze the data.

  1. Access the pfsense web page using the Kali system.
  2. If necessary, expand the Services category at the top of the administrative console page then choose the Snort option.
  3. Click the Snort Interfaces link.
  4. Click the Edit icon associated with the MANUFACTURINGZONE (em2) interface.
  5. Scroll down the page until you locate the Alert Settings options.
  6. Place a check in the Enable Packet Captures check box ( Example ).
  7. Scroll to the bottom of the page then click the Save button.
  8. Access a terminal window on the Kali system.
  9. Type the command msfconsole -r /home/student/labs/ids-ips/modbus_banner_grab.rc to use the Metasploit program to retrieve the banner from the PLC ( Example ).
  10. Type the command scp root@10.0.255.1:/var/log/snort/snort_em*/snort.log.* snort.pcap to tell the scp program to copy the packet capture from the Security Appliance to the Kali system ( Example ).
  11. Type the password Password01 then press <ENTER> when prompted ( Example ).
  12. Type the command wireshark to start the Wireshark program.
  13. From the File menu in Wireshark choose the Open option.
  14. Navigate to the /home/student directory then open the snort.pcap capture file.
  15. Take a minute to view the captured data.
  16. Right click any packet in the top, packet list, pane then from the pop up menu choose the option Follow -> TCP Stream ( Example ).
  17. Take a screen shot that shows the entire Kali window ( Example ) and paste it into the IDS/IPS Lab Form found here.
  18. Close the Wireshark program.

Part 5
Enable and test an Intrusion Prevention System (IPS)

In this part of the lab you are going to enable the Snort as an IPS, test the IPS and observe how it differs from an IDS.

  1. Access the pfsense web page using the Kali system.
  2. If necessary, expand the Services category at the top of the administrative console page then choose the Snort option.
  3. Click the Snort Interfaces link.
  4. Click the Edit icon associated with the MANUFACTURINGZONE (em2) interface.
  5. Scroll down the page until you locate the Block Settings options.
  6. Place a check in the Block Offenders check box ( Example ).
  7. Scroll down the page until you locate the Choose the Networks Snort Should Inspect and Whitelist options.
  8. Select the CELLAREA_ZONE pass list from the Pass List pull down menu ( Example ).
  9. Scroll to the bottom of the page then click the Save button.
  10. Access a terminal window on the Kali system.
  11. Type the command msfconsole -r /home/student/labs/ids-ips/modbus_banner_grab.rc to use the Metasploit program to retrieve the banner from the PLC.
  12. Attempt to execute the command msfconsole -r /home/student/labs/ids-ips/modbus_banner_grab.rc a second time and note that the connection times out.
  13. Take a screen shot that shows the entire Kali window ( Example ) and paste it into the IDS/IPS Lab Form found here.
  14. Access the pfsense web page using the Kali system.
  15. If necessary, expand the Services category at the top of the administrative console page then choose the Snort option.
  16. Click the Blocked link and notice that the page will not load
  17. Answer the remaining questions found in the IDS/IPS Lab Form.
  18. To end the lab, restart the ICS Lab Control program from the Desktop if necessary, select the Pause/End Lab option, click the OK button then wait for the systems to stop.