
    Practical Industrial Control System Penetration Testing

    Posted By: ELK1nG

    Published 3/2023
    MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHz
    Language: English | Size: 1.24 GB | Duration: 2h 12m

    PICSPT - Your practical and offensive workshop for newcomers to ICS/OT Security 2023

    What you'll learn

    Show your pentest skills on 6 interactive industrial controller simulations

    Build your own ICS pentest platform with open source tools

    NO exploits, privilege escalation nor root shells

    Learn the typical attack surfaces of an ICS

    Workshop with high practical part with more than 30 tasks

    Requirements

    Don't be afraid to use the Linux command line!

    No licenses needed. All tools are open source!

    Windows 10 system with 8GB RAM and virtualization enabled.

    Basic knowledge or interest in industrial process automation.

    Description

    Hacking ICS/OT on shodan or in your own company? Better not!

    I believe that the best way to learn is with practical experience. OT Security is a new and important skill for all technicians and engineers working on industrial control systems. There are quite a few open source tools that can be used to investigate the cyber security of industrial control systems, but unfortunately there is no suitable training opportunity.

    For learners of IT pentesting, there are plenty of opportunities like HackTheBox or VulnHub, where pentest tools and hacking skills can be tried out. Training platforms with ICS focus either don't exist or come in the form of a boring seminar with over 1000€ participation fee.

    In this workshop you will learn important pentest tools from Kali and open source tools and you can try them out in 6 interactive simulations of industrial controllers. Of course the simulations are not perfect, so I will show you the tools and techniques on two real PLCs.

    The workshop has a high practical part and encourages you to participate! There are more than 30 exciting tasks waiting for you, with which you can deepen your skills bit by bit!

    Important: The pentesting of ICS cannot be compared to the typical pentesting of the IT world. Industrial plants need to be continuously available and hardly any plant operator wants to risk a production stop. Typically, security testing is performed at the lowest or second lowest aggressiveness level. So if you are hoping to pwn your device with buffer overflows, kernel exploits, privilege escalation and root shells, you are in the wrong place.

    Are you interested in security analysis of ICS and do you already have basic knowledge of industrial cyber security? Then this is the right place for you!

    Are you currently studying for the (CEH) Certified Ethical Hacker? From v12 on, knowledge in OT is required! This course offers you a hands-on introduction to understand the typical vulnerabilities of OT hardware!

    Please note that the software used is not mine. I can only offer limited assistance in case of problems. Please contact the publisher of the software for help. The installation instructions were created to the best of my knowledge, but the responsibility for the installation lies with the participants.

    Overview

    Section 1: Basics

    Lecture 1 Welcome and Introduction to the Workshop

    Lecture 2 IT x OT

    Lecture 3 ICS are easy targets for attackers

    Lecture 4 Typical ICS Attack Surface

    Lecture 5 Default credentials and exposed ICS webservers

    Lecture 6 Typical OT Pentest Scenarios and Focus of this Workshop

    Lecture 7 Classification of a Pentest

    Lecture 8 Understanding Security Goals of IT and OT

    Lecture 9 IPv4 Address and Subnetting

    Section 2: Offensive OSINT

    Lecture 10 Welcome to the section

    Lecture 11 Default credentials in ICS

    Lecture 12 Google Dorks for finding exposed ICS

    Lecture 13 Shodan

    Lecture 14 Find and scan public IP Address Ranges with Shodan

    Lecture 15 Hunt for vulnerabilities with CISA

    Section 3: Setting up your ICS Lab

    Lecture 16 Welcome to the section

    Lecture 17 Introduction to your Lab and Virtual Machines

    Lecture 18 Installation of Virtual Box

    Lecture 19 Downloading the Kali Linux VM

    Lecture 20 Installation of Ubuntu Server

    Lecture 21 Setting up the ICS Simulations

    Lecture 22 Setting up Kali Linux and installation of open source tools

    Section 4: Brief overview of your pentest platform

    Lecture 23 Welcome to the section

    Lecture 24 Starting a simple honeypot and Kali Linux

    Lecture 25 Host discovery with netdiscover

    Lecture 26 Fingerprinting with nmap

    Lecture 27 Enumeration with snmp-check

    Lecture 28 Metasploit: The Pentesters Toolkit

    Lecture 29 Open source tools

    Section 5: S7 PLC Simulation 1

    Lecture 30 Welcome to the section and preparation of the VM

    Lecture 31 Shodan task

    Lecture 32 Shodan solution

    Lecture 33 Google Dorks Task

    Lecture 34 Google Dorks Solution

    Lecture 35 Default credentials task

    Lecture 36 Default credentials solution

    Lecture 37 Starting the simulation and host discovery task

    Lecture 38 Host discovery solution

    Lecture 39 nmap task

    Lecture 40 nmap solution

    Lecture 41 Snmp enumeration task

    Lecture 42 Snmp enumeration solution

    Section 6: S7 PLC Simulation 2

    Lecture 43 Welcome to the section

    Lecture 44 Starting the simulation and host discovery task

    Lecture 45 Host discovery solution

    Lecture 46 nmap task

    Lecture 47 nmap solution

    Lecture 48 nmap NSE task

    Lecture 49 nmap NSE solution

    Lecture 50 plcscan task

    Lecture 51 plcscan solution

    Lecture 52 Search exploits in metasploit and exploit DB

    Lecture 53 Adding external exploits to the metasploit framework

    Lecture 54 Attacking the simulation task

    Lecture 55 Attacking the simulation solution

    Lecture 56 SiemensScan

    Section 7: Pentesting real Siemens S7 industrial hardware

    Lecture 57 Welcome to the section

    Lecture 58 Recon and fingerprinting with nmap

    Lecture 59 Enumeration and exploitation with metasploit

    Lecture 60 Enumeration and exploitation with open source tools

    Section 8: Gas station controller simulation

    Lecture 61 Welcome to the section

    Lecture 62 Shodan task

    Lecture 63 Shodan solution

    Lecture 64 Starting the simulation and host discovery task

    Lecture 65 Host discovery solution

    Lecture 66 nmap task

    Lecture 67 nmap solution

    Lecture 68 nmap NSE task

    Lecture 69 nmap NSE solution

    Lecture 70 OSINT task

    Lecture 71 OSINT solution

    Lecture 72 Attack task

    Lecture 73 Attack solution

    Section 9: Modbus PLC Simulation 1

    Lecture 74 Welcome to the section

    Lecture 75 Shodan search task

    Lecture 76 Shodan search solution

    Lecture 77 Google dorks task

    Lecture 78 Google dorks solution

    Lecture 79 Default credentials task

    Lecture 80 Default credentials solution

    Lecture 81 Starting the simulation and host discovery task

    Lecture 82 Host discovery solution

    Lecture 83 nmap task

    Lecture 84 nmap solution

    Lecture 85 Finding metasploit modules task

    Lecture 86 Finding metasploit modules solution

    Lecture 87 Running metasploit modules against the target task

    Lecture 88 Running metasploit modules against the target solution

    Section 10: Modbus PLC Simulation 2

    Lecture 89 Welcome to the section

    Lecture 90 Starting the simulation and nmap scan task

    Lecture 91 nmap scan solution

    Lecture 92 metasploit task

    Lecture 93 metasploit solution

    Lecture 94 Read memory blocks task

    Lecture 95 Read memory blocks solution

    Lecture 96 Manipulate memory blocks task

    Lecture 97 Manipulate memory blocks solution

    Section 11: Pentesting real modicon hardware

    Lecture 98 Welcome to the section

    Lecture 99 Recon and fingerprinting with nmap

    Lecture 100 Enumeration and exploitation-trial with metasploit

    Lecture 101 Enumeration and exploitation with open source tools

    Section 12: Your Challenge: Pentesting an Infrastructure Substation

    Lecture 102 Welcome to the section and preparation of the VM

    Lecture 103 Your Red Team Assignment

    Lecture 104 Hint: Methodology and Steps (No Spoilers)

    Lecture 105 Step 1 Solution: Recon and Fingerprinting

    Lecture 106 Step 2 Solution: Enumeration

    Lecture 107 Step 3 Solution: Triggering the Shutdown

    Curious people who want to look at an industrial control system from the attacker's perspective, Beginners with basic knowledge of industrial cyber security, CEHv12 Participants