Pentesting ICS (DNP3)
What is DNP3?
DNP3 Simulators
C++ (opendnp3): https://github.com/automatak/dnp3 (build docs: https://www.automatak.com/opendnp3/docs/guide/current/build/cmake/)
Use --recursive when cloning so the submodules are pulled in:
git clone --recursive https://github.com/automatak/dnp3.git
Qt4: https://sourceforge.net/projects/dnp/
DNP3 Identification:
- Shodan dork: port:20000 (the default DNP3 TCP port)
- Using nmap with the dnp3-info.nse script: https://github.com/sjhilt/Nmap-NSEs/blob/master/dnp3-info.nse
# Copy the script into nmap's script directory
$ sudo mv dnp3-info.nse /usr/share/nmap/scripts/
# Rebuild the script database so nmap can find it by name
$ sudo nmap --script-updatedb
# Run the script against the target on the DNP3 port
$ nmap -p 20000 --script=dnp3-info 10.0.13.37
- Once you have identified a host, you can talk to it with DNP3_RAW, my C client for interacting with DNP3-enabled devices 🙂
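The nmap script and clients like the one above work at the DNP3 link layer: they send a link-layer request and read the responding device's address out of the reply. The following is an added example, not code from the original post and not the DNP3_RAW client, that builds and parses DNP3 link-layer frames in Python. It uses the standard's framing (start bytes 0x05 0x64, LENGTH, CONTROL, little-endian DEST and SRC, CRC-16/DNP over the 8-byte header and over each 16-byte user-data block) and the link function codes REQUEST_LINK_STATUS (9) and LINK_STATUS (11). The RESET_LINK_STATES frame 05 64 05 C0 01 00 00 04 E9 21 is used as a known-answer check for the CRC; the probe/reply exchange and the addresses in it are constructed for illustration.

```python
import struct
from typing import Optional

START = b"\x05\x64"          # every DNP3 link-layer frame begins with 0x05 0x64
CRC_POLY_REFLECTED = 0xA6BC  # bit-reversed form of the DNP3 CRC polynomial 0x3D65

# Link-layer function codes used below (primary = request, secondary = reply)
REQUEST_LINK_STATUS = 0x9    # primary function code 9
LINK_STATUS = 0xB            # secondary function code 11


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65, reflected, init 0, result ones'-complemented."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def control_byte(dir_from_master: bool, primary: bool, func: int,
                 fcb: int = 0, fcv_dfc: int = 0) -> int:
    """Pack the CONTROL byte: DIR | PRM | FCB | FCV (or DFC) | 4-bit function code."""
    return (int(dir_from_master) << 7) | (int(primary) << 6) | (fcb << 5) | (fcv_dfc << 4) | (func & 0x0F)


def build_link_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """8-byte header + header CRC, then user data in 16-byte blocks, each followed by its CRC."""
    if len(user_data) > 250:
        raise ValueError("user data exceeds one link frame (max 250 bytes)")
    length = 5 + len(user_data)  # bytes after the LENGTH field, CRCs not counted
    header = START + bytes([length, ctrl]) + struct.pack("<HH", dest, src)  # addresses little-endian
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def parse_link_frame(frame: bytes) -> dict:
    """Check start bytes, LENGTH and every CRC; return the decoded header fields and user data."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 link-layer frame")
    header = frame[:8]
    if crc_dnp(header) != struct.unpack("<H", frame[8:10])[0]:
        raise ValueError("header CRC mismatch")
    length, ctrl = header[2], header[3]
    if length < 5:
        raise ValueError("LENGTH below the minimum of 5")
    dest, src = struct.unpack("<HH", header[4:8])
    user_data, remaining, pos = bytearray(), length - 5, 10
    while remaining:
        n = min(16, remaining)
        if len(frame) < pos + n + 2:
            raise ValueError("truncated frame")
        block = frame[pos:pos + n]
        if crc_dnp(block) != struct.unpack("<H", frame[pos + n:pos + n + 2])[0]:
            raise ValueError("data block CRC mismatch")
        user_data += block
        pos += n + 2
        remaining -= n
    return {
        "dir": (ctrl >> 7) & 1, "prm": (ctrl >> 6) & 1,
        "fcb": (ctrl >> 5) & 1, "fcv_dfc": (ctrl >> 4) & 1,
        "func": ctrl & 0x0F, "dest": dest, "src": src,
        "user_data": bytes(user_data),
    }


def frame_is_valid(frame: bytes) -> bool:
    """True if the frame parses with all CRCs intact; a single flipped bit makes this False."""
    try:
        parse_link_frame(frame)
        return True
    except ValueError:
        return False


def request_link_status(dest: int, src: int) -> bytes:
    """The kind of probe a scanner sends: primary REQUEST_LINK_STATUS with no user data."""
    return build_link_frame(control_byte(True, True, REQUEST_LINK_STATUS), dest, src)


def outstation_address_from_reply(reply: bytes) -> Optional[int]:
    """Identification step: a valid secondary LINK_STATUS reply carries the outstation's address in SRC."""
    f = parse_link_frame(reply)
    if f["prm"] == 0 and f["func"] == LINK_STATUS:
        return f["src"]
    return None


if __name__ == "__main__":
    # Known-answer check: RESET_LINK_STATES (ctrl 0xC0) from address 1024 to address 1
    print(build_link_frame(0xC0, 1, 1024).hex())  # 056405c001000004e921
    # Constructed exchange: master 1 probes address 10, outstation answers with LINK_STATUS
    probe = request_link_status(dest=10, src=1)
    reply = build_link_frame(control_byte(False, False, LINK_STATUS), dest=1, src=10)  # constructed reply
    print(probe.hex(), "->", outstation_address_from_reply(reply))
```

Two things worth noting when you put this on the wire: the link layer is all a plain-TCP scanner can see, so a device that answers a LINK_STATUS request at a given destination address is "alive" at that address even if it rejects every application-layer request afterwards, and the CRC check above is the only integrity protection a plain DNP3 frame has, which is why a frame with one byte changed fails parsing rather than being silently accepted.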
Exploit and stuff:
MiTM and packet replay are the obvious candidates, since plain DNP3 carries no authentication or encryption unless DNP3 Secure Authentication (IEEE 1815-2012) or TLS has been deployed. To be continued…
Fuzzers:
- Aegis: https://www.automatak.com/aegis/
- Achilles Test Platform: https://www.ge.com/digital/products/achilles-vulnerability-testing-platform
- Peach Fuzzer: https://www.peach.tech/wp-content/uploads/DNP3_DataSheet.pdf
Conclusions
Resources:
- !!! Quick Reference: https://read.pudn.com/downloads151/doc/comm/655523/DNP3QuickReference.pdf
- OpenDNP3 decoder and documentation: https://www.automatak.com/opendnp3/#documentation
- DNP3 User manual: https://www.multitrode.com/assets/product-manuals/protocol-translator-dnp3-user-manual.pdf
- Protocol description: https://www.ixiacom.com/company/blog/scada-distributed-network-protocol-dnp3