Smith | Pentesting Industrial Control Systems | E-Book | www.sack.de
E-book, English, 450 pages

Smith, Pentesting Industrial Control Systems

An ethical hacker's guide to analyzing, compromising, mitigating, and securing industrial processes
1st edition, 2024
ISBN: 978-1-80020-728-8
Publisher: De Gruyter
Format: EPUB
Copy protection: 0 - No protection


The industrial cybersecurity domain has grown significantly in recent years. To secure critical infrastructure thoroughly, red teams must be employed to continuously test and exploit the security integrity of a company's people, processes, and products.

This is a unique pentesting book, which takes a different approach by helping you gain hands-on experience with equipment that you'll come across in the field. This will enable you to understand how industrial equipment interacts and operates within an operational environment.

You'll start by getting to grips with the basics of industrial processes, and then see how to create and break the process, along with gathering open-source intelligence to build a threat landscape for your potential customer. As you advance, you'll find out how to install and use the offensive tooling and techniques that professional hackers rely on. Throughout the book, you'll explore industrial equipment, port and service discovery, pivoting, and much more, before finally launching attacks against systems in an industrial network.

By the end of this penetration testing book, you'll not only understand how to analyze and navigate the intricacies of an industrial control system (ICS), but you'll also have developed essential offensive and defensive skills to proactively protect industrial networks from modern cyberattacks.

Authors/Editors

Further information & material


Table of Contents

  • Using Virtualization
  • Route the Hardware
  • I Love My Bits – Lab Setup
  • Open Source Ninja
  • Span Me If You Can
  • Packet Deep Dive
  • Scanning 101
  • Protocols 202
  • Ninja 308
  • I Can Do It 420
  • Whoot… I Have To Go Deep
  • I See the Future
  • Pwnd but with Remorse


Chapter 1: Using Virtualization


This first chapter touches on the relevance of virtualization and the importance of familiarizing yourself with the different hypervisors available, including VirtualBox, Hyper-V, KVM, VMware, and more. In this book, however, we are going to focus on VMware, and specifically the ESXi hypervisor, because it is available free of charge and is a scaled-down version of what you will see in real production environments. We are going to spin up the hypervisor to create our own lab, install a handful of virtual machines (VMs), and mimic a virtual Supervisory Control and Data Acquisition (SCADA) environment.

In this chapter, we're going to cover the following main topics:

  • Understanding what virtualization is
  • Discovering what VMware is
  • Turning it all on
  • Routing and rules

Technical requirements


For this chapter, you will need the following:

  • A computer that supports hardware virtualization and has two network interfaces
  • VMware ESXi
  • VMware Fusion
  • Ubuntu ISO
  • Windows 7 ISO
  • Kali Linux ISO

The following are the links that you can navigate to download the software:

Understanding what virtualization is


Virtualization, in layman's terms, is the method of simulating any combination of hardware and software in a purely software medium: a hypervisor presents virtual CPUs, memory, disks, and network interfaces to guest operating systems that believe they are running on real hardware. This allows anyone to run and test an almost endless number of hosts without incurring the financial burden and the costs of physical hardware. It is especially useful if you have distro commitment issues.

I cannot emphasize the importance of understanding the inner workings of virtualization enough. This technology has become the foundation on which most development and testing is performed and built. Every engagement that I have been involved in has had large parts of their infrastructure running on some sort of virtualization platform. Having concrete knowledge of how virtualization works is pivotal for any engagement: you can perform reconnaissance of your target organization or technology and reproduce it inside your virtual lab.

Performing some simple Open Source Intelligence (OSINT), you can easily discover what networking equipment an organization is utilizing, including their firewall technology, endpoint protection, and which Operational Technology Intrusion Detection System (OT IDS) the company has installed. With this information, you can navigate to the vendor websites of your newly discovered intel, download VM instances of the software (evaluation or demo images, where the vendor provides them), and spin them up alongside your new, homegrown virtual environment. The closer the versions match what OSINT says the target runs, the more faithful the lab will be. From here, you can plan out every angle of attack, design multiple scenarios of compromise, establish how and where to pivot into lower segments of the network, build payloads to exploit known vulnerabilities, and ultimately gain the keys to the kingdom. This technique will be discussed in further chapters, but know that it is key to building out an attack path through an organization's infrastructure.

One of the most important features of virtualization is the use of snapshots. If, at any point, you "brick" a box, you can roll it back and start afresh, documenting the failed attempt and ultimately avoiding this pitfall on the live engagement. This allows you to try a variety of attacks with little fear of the outcome, as you know you have a stable copy to revert to. Get into the habit of taking a snapshot of every lab VM before each attack run, so that the state you revert to is the one you actually tested against. There are numerous flavors of virtualization vendors/products that I have come in contact with over the course of my career. These include , , , , and . Each has its own pros and cons. I have defaulted to VMware and will go forward through this book utilizing the various products by them.

In no way, shape, or form is this a sales pitch for VMware; just know that VMware is easier to work with, as there is near-seamless integration across its ecosystem of products, which, almost irritatingly so, has made it the medium that organizations are embracing in their environments.

Understanding the important role that virtualization plays in pentesting will help strengthen your budding career. Practicing spinning up a basic VM on each stack will help you understand the nuances of each platform and learn the intricacies of virtual hardware dependencies. As a bonus, by familiarizing yourself with each hypervisor vendor, you will figure out which software you prefer and can really dig deep to learn its ins and outs. With all this said, I will be using VMware going forward to build the lab.

Discovering what VMware is


VMware was founded in 1998, launching their first product, , in 1999. Three years after the company was founded, they released GSX and ESX into the server market. Elastic Sky X (ESX) retained that name until 2010. The "i" was added after VMware invested time and money into upgrading the OS and modernizing the user interface; the product is now dubbed ESX integrated (ESXi). If you are reading this, I think it is safe for me to assume that you have perused a few books on related topics, since most books cover desktop hypervisors such as , , and/or . I want to take this a step further and provide some hands-on exposure and practice with ESXi in the next section.

OK, maybe that was a slightly sales-y pitch, but I can honestly say that I have never worked for VMware and do not get any royalties for plugging their technology. However, I feel it would do you a disservice not to take you through a hands-on practical experience with technology that you will most certainly discover out in the field. I have personally encountered VMware in the verticals of oil and gas, energy, chemical, pharma, consumer product production, discrete manufacturing, and amusement parks, to name a few.

A typical production solution consists of the following:

  • Distributed Resource Scheduler (DRS)
  • High Availability (HA)
  • Consolidated Backup
  • vCenter
  • Virtual machines
  • ESXi servers
  • Virtual Machine File System (VMFS)
  • Virtual Symmetric Multi-Processing (Virtual SMP)

For a better overview of these specific components, please reference the following web page: https://www.vmware.com/pdf/vi_architecture_wp.pdf.

I do not want to deep dive into VMware; instead, I simply want to make you aware of some of the pieces of technology that you will encounter on an engagement. I do, however, want to call out the core stack, which consists of vCenter, ESXi servers, and VMs. These are the building blocks of almost all virtualization implementations in large organizations. vCenter controls ESXi servers, and ESXi servers are where VMs live. Knowing this will help you understand the path of privilege escalation once you have a foothold on a VM inside the operational layer of the company: the management plane sits above every guest, so whoever controls the ESXi host or vCenter effectively controls every VM beneath it, regardless of how well each individual guest is hardened. I have had many conversations with security personnel over the years around Separation of Duties (SoD), and teams dedicated to their applications are more than happy to explain the great pain and lengths they have gone to in order to adhere to Confidentiality, Integrity, and Availability (CIA). When performing tabletop exercises with these same teams and asking them "" and then continuing with "", you'll find that the answers, in most cases, will shock you, if not terrify you to the bone. I challenge you to ask your IT/OT team – or whoever is managing your virtual infrastructure – how many VMs are running per server. Then follow that up with, "Disaster Recovery (DR)?" Knowing whether a piece of the critical control system is running inside an over-taxed server with minimal resources is quite useful from a risk mitigation point of view, but for the purpose of this book, we need to exploit a weakness in an overlooked component of the system.
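The "how many VMs per server, and with what resources?" question above can be answered from the guests' .vmx files rather than from whatever the owning team remembers. The following is an added example, not code from the book or from VMware: it parses VMX key/value files, sums the vCPU and memory allocations of every guest on a host, and flags the host when the ratios exceed sizing thresholds. The four .vmx contents are constructed sample data for a small SCADA lab; the host capacity (`host_cores`, `host_mem_mb`) and the thresholds (4 vCPUs per core, no memory overcommit) are assumptions the reader supplies for the host being checked. `displayName`, `numvcpus`, `memSize`, and `guestOS` are standard VMX keys; on an ESXi host the files live under `/vmfs/volumes/<datastore>/<vm>/`.

```python
"""Per-host VM capacity check from .vmx files (added example, not from the book)."""
import re
from dataclasses import dataclass

# Constructed sample .vmx files, one per guest on the host being checked.
# numvcpus is deliberately absent from kali.vmx: VMware omits the key for
# single-vCPU guests, so a parser must default it to 1, not 0.
SAMPLE_VMX = {
    "scada-srv.vmx": (
        '.encoding = "UTF-8"\n'
        'virtualHW.version = "14"\n'
        'displayName = "scada-srv"\n'
        'guestOS = "windows7srv-64"\n'
        'numvcpus = "4"\n'
        'memSize = "8192"\n'
    ),
    "hmi-01.vmx": (
        'displayName = "hmi-01"\n'
        'guestOS = "windows7-64"\n'
        'numvcpus = "2"\n'
        'memSize = "4096"\n'
    ),
    "historian.vmx": (
        'displayName = "historian"\n'
        'guestOS = "windows7srv-64"\n'
        'numvcpus = "4"\n'
        'memSize = "16384"\n'
    ),
    "kali.vmx": (
        'displayName = "kali"\n'
        'guestOS = "ubuntu-64"\n'
        'memSize = "4096"\n'
    ),
}

# VMX is a flat key = "value" file; keys may contain dots and colons
# (ethernet0.networkName, scsi0:0.fileName), values are always double-quoted.
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> dict[str, str]:
    """Return the key/value pairs of a .vmx file; non-matching lines are skipped."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


@dataclass(frozen=True)
class VmSpec:
    name: str
    vcpus: int
    mem_mb: int
    guest_os: str


def vm_spec(cfg: dict[str, str]) -> VmSpec:
    """Extract the sizing a capacity check needs; a missing numvcpus means one vCPU."""
    return VmSpec(
        name=cfg.get("displayName", "<unnamed>"),
        vcpus=int(cfg.get("numvcpus", "1")),
        mem_mb=int(cfg.get("memSize", "0")),
        guest_os=cfg.get("guestOS", "<unknown>"),
    )


def host_report(host_cores: int, host_mem_mb: int, vms: list[VmSpec],
                max_cpu_ratio: float = 4.0, max_mem_ratio: float = 1.0) -> dict:
    """Sum guest allocations against the host and flag overcommitment.

    Thresholds are assumptions: 4 vCPUs per physical core is a common sizing
    rule of thumb, and any memory overcommit (> 1:1) means the host will lean
    on ballooning/swap under load, which a control-system VM should not rely on.
    """
    total_vcpu = sum(v.vcpus for v in vms)
    total_mem = sum(v.mem_mb for v in vms)
    cpu_ratio = total_vcpu / host_cores
    mem_ratio = total_mem / host_mem_mb
    reasons = []
    if cpu_ratio > max_cpu_ratio:
        reasons.append(f"vCPU:core {cpu_ratio:.2f}:1 exceeds {max_cpu_ratio:.0f}:1")
    if mem_ratio > max_mem_ratio:
        reasons.append(f"memory {mem_ratio:.2f}:1 exceeds {max_mem_ratio:.0f}:1")
    return {
        "vm_count": len(vms),
        "total_vcpu": total_vcpu,
        "total_mem_mb": total_mem,
        "cpu_ratio": cpu_ratio,
        "mem_ratio": mem_ratio,
        "overcommitted": bool(reasons),
        "reasons": reasons,
    }


def lab_report(host_cores: int = 4, host_mem_mb: int = 16384) -> dict:
    """Run the check over the constructed sample host (assumed 4 cores, 16 GB)."""
    vms = [vm_spec(parse_vmx(text)) for text in SAMPLE_VMX.values()]
    return host_report(host_cores, host_mem_mb, vms)


if __name__ == "__main__":
    for key, value in lab_report().items():
        print(f"{key}: {value}")
```

On a real host, replace `SAMPLE_VMX` with the files found by `find /vmfs/volumes -name '*.vmx'` and the host figures from `esxcli hardware cpu global get` and `esxcli hardware memory get`; the constructed lab above comes out memory-overcommitted 2:1, which is the "over-taxed server" situation the paragraph warns about.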

The following diagram shows the relationship between the different components we mentioned previously and how they integrate with each other:

Figure 1.1 – VMware infrastructure

I performed some work for a Steam Assisted Gravity Drainage (SAGD) heavy oil company, and part of their claim was the virtualization of the ....


Paul Smith:

Paul Smith has spent close to 20 years in the automation control space, tackling the "red herring" problems that are thrown his way. He has handled unique issues such as measurement imbalances resulting from flare sensor saturation, database migration mishaps, and many more. This ultimately led to the later part of his career, where he has been spending most of his time in the industrial cybersecurity space pioneering the use of new security technology in the energy, utility, and critical infrastructure sectors, and helping develop cybersecurity strategies through the use of red team/pentest engagements, cybersecurity risk assessments, and tabletop exercises for some of the world's largest government contractors, industrial organizations, and municipalities.


