This repository contains the links, and code necessary for the OT SOC Detection Engineering Workshop.
This installation has been tested on VirtualBox 7.0 on Debian based systems. (Ubuntu 24 and Parrot have been tested and it works)
-
Linux
-
OpenVSwitch
-
VirtualBox
Grab the OVA folder and all the OVA files for the VM’s required for this lab from https://drive.google.com/drive/folders/17EAxxYFAVeSE4wMMMwmLJultcku7yWc2?usp=sharing
Download all these files and put them in a folder called 'OVA'. You will need the fully qualified path to this folder. Please put this fully qualified path into the ./setup_script.sh script under the OVA_FOLDER variable.
Run ./setup_script.sh import as your user (not root)
This should import the machines
sudo ./setup_script.sh startup should bring up the lab. You need sudo to execute the OpenVSwitch commands
-
Chemical Plant Simulation : http://192.168.95.10
-
PLC : http://192.168.95.2:8080
-
Firewall : http://192.168.90.100
-
Workstation : 192.168.95.200
Configure your browser for using a Dynamic Socks 5 Proxy. It’s better to create a new profile, open that in a new window and use the proxy on the new profile. This will enable you to use your unproxied browser for doing research and browsing the internet, while using your proxied browser to manage the OT simulation ecosystem.
You should enter the following details into the fileds below
SOCKS5 HOST : 127.0.0.1
PORT : 8080 (or whatever port you used after the -D flag in your ssh command)
Dont bother with the DNS settings in 4 below.
Open your browser (the one with the proxy setting) and head to
Chemical Plant Sim : http://192.168.95.10
HMI Creds - admin : admin
pass : kali
Do not do this in a shared lab as it will spoil the activity for your fellow participants. Ordinarily, as an attacker, you can spoof the HMI using arpspoof 192.168.90.5 from your attacker machine, and then run wireshark on the interface connected to that network. You should see the modbus commands going between the PLC and HMI.
Inspecting this traffic will help you to understand which coil to change to shutdown the plant. (It’s coil 40)
Flip the bit in Coil 40. Use the python script provided to do this. In the attacker machine go to ~/Documents/working_files. Activate the python env using source venv/bin/activate and run the python file
link:working_files/shutdown_plant.py[role=include]This should have the same result as clicking on the HMI
Turn the plant back on and make sure the simulation is running. Now we are going to upload a malicious PLC program to cause the plant to explode. Use the attack.st file to upload your malicious program to the PLC. Use the PLC’s web interface on http://192.168.95.2:8080 for this.
If you want to understand this PLC program in detail, you should install the OpenPLC editor. https://autonomylogic.com/download/
Grab the PLC programs from the original GRFICSv2 repo and play with them.
When you’re done blowing up the plant, you should put the simpl.st file back on the PLC.
You can achieve a similar result to the malicious PLC program upload (unsafe state) by over writing a safe pressure setpoint register. If you download the GRFICSv2 workstation VM, open the OpenPLC editor, and view the initial setpoints of the PLC program, it becomes clear that there are two registers (exposed on 1025 and 1026) that contain values that can be overwritten to put the plant in an unsafe state.
You may try this from the below code
link:working_files/blow_up_plant.py[role=include]The GRFICSv2 simulation is by Fortiphyd - https://github.com/Fortiphyd/GRFICSv2
The above whitepaper lists out all the possible attacks on the GRFICSv2 testbed.
-
Suricata - https://suricata.io/
-
Zeek (Bro) - https://zeek.org/
-
Wazuh - https://wazuh.com/
-
OpenvSwitch - https://www.openvswitch.org/
-
PfSense - https://www.pfsense.org/
-
OpenPLC Editor - https://autonomylogic.com/download/
-
OpenPLC Runtime - https://autonomylogic.com/
-
Caldera - OT : https://github.com/mitre/caldera-ot