Cyber security
I need help answering some questions. It is about analyzing network traffic using network analysis tools.
LAB EXERCISE 1 (W4):
NETWORK ANALYSIS TOOLS
Name:
Course Number: CSCI 397.01W or CSCI 397.61W (select one)
Course Time: Tuesday: 1630 – 1900 h
Semester: Fall 2020
Submission:
Due Date: September 21, 2020
Instructor: Joel Langill, joel.langill@tamuc.edu
Phone: +1 (920) 594-0321
Office Hours: Monday: 1630 – 1900 h; Thursday: 1630 – 1900 h; By Appointment
PART 1: DOWNLOADING AND USING NETWORK ANALYSIS TOOLS
Downloading Network Analysis Tools
How long did it take you to download the three network analysis tools?
Installing GrassMarlin
Did you experience any difficulties installing GrassMarlin? If so, please explain.
How long did it take for you to install GrassMarlin?
Installing Wireshark
Did you experience any difficulties installing an updated Wireshark after GrassMarlin? If so, please explain.
How long did it take for you to install the updated Wireshark?
Installing NetworkMiner
Did you experience any difficulties installing NetworkMiner? If so, please explain.
How long did it take for you to install NetworkMiner?
Using Wireshark
1. Can you explain why the following Wireshark expression returns a yellow warning? What could you do to make this expression work correctly?
ip.addr != 172.16.100.36 && dns
2. What is the IP address of the DNS Server used to resolve the host ICSCSI.org ?
3. What is the IP address of the webserver hosting https://ICSCSI.org ?
4. Realizing this question is asked very early in this course – well ahead of the discussions that will take place during the last two lectures ….
What would be the security risk in using HTTPS to encrypt traffic between a client computer and a webserver? Do you have any ideas how to mitigate this risk?
Please submit your PCAP file with this lab exercise submittal document. There is currently an 8MB file size limit on assignment uploads. Your PCAP file should be relatively small because of its short duration. If your file size is greater than 8MB, please contact your instructor for further assistance.
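Why `ip.addr != 172.16.100.36 && dns` is flagged yellow: `ip.addr` matches both `ip.src` and `ip.dst`, so every IPv4 packet carries two values for it, and Wireshark evaluates a comparison as true when any occurrence satisfies it. `ip.addr != 172.16.100.36` is therefore true for every packet in which at least one endpoint is not that host, which is essentially every packet. The intended filter is `!(ip.addr == 172.16.100.36) && dns` (or `ip.src != 172.16.100.36 && ip.dst != 172.16.100.36 && dns`, using fields that occur only once). Newer Wireshark releases (3.6 onward) changed `!=` to mean "all occurrences differ", which removes the warning, but the negated form behaves the same on every version. The Python below is an added example, not part of the lab materials; it emulates both semantics on a constructed five-packet list so the difference is visible:

```python
"""
Emulates how Wireshark evaluates comparisons on a multi-valued field.
ip.addr is an alias that matches both ip.src and ip.dst, so every IPv4
packet carries two ip.addr values. A comparison is true when ANY
occurrence satisfies it, which is what makes "ip.addr != X" match
nearly everything. The packet list is constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    num: int
    src: str
    dst: str
    protos: set = field(default_factory=set)

    def values(self, name):
        """Return every occurrence of a field in this packet, as Wireshark does."""
        if name == "ip.addr":
            return [self.src, self.dst]
        if name == "ip.src":
            return [self.src]
        if name == "ip.dst":
            return [self.dst]
        raise KeyError(name)


CLIENT = "172.16.100.36"  # the host the lab's filter tries to exclude

# Constructed traffic: the client's own DNS lookup (1, 2), another host's
# DNS lookup (3, 4) and one non-DNS packet from the client (5).
PACKETS = [
    Packet(1, CLIENT, "10.1.1.1", {"udp", "dns"}),
    Packet(2, "10.1.1.1", CLIENT, {"udp", "dns"}),
    Packet(3, "10.1.1.60", "10.1.1.1", {"udp", "dns"}),
    Packet(4, "10.1.1.1", "10.1.1.60", {"udp", "dns"}),
    Packet(5, CLIENT, "10.1.1.254", {"tcp", "http"}),
]


def any_eq(pkt, name, value):
    """field == value: true if ANY occurrence of the field equals value."""
    return any(v == value for v in pkt.values(name))


def any_ne(pkt, name, value):
    """field != value as older Wireshark evaluates it: true if ANY occurrence differs."""
    return any(v != value for v in pkt.values(name))


def warned_filter(pkt):
    """ip.addr != 172.16.100.36 && dns  (the expression that triggers the warning)"""
    return any_ne(pkt, "ip.addr", CLIENT) and "dns" in pkt.protos


def fixed_filter(pkt):
    """!(ip.addr == 172.16.100.36) && dns  (negate the match, not the comparison)"""
    return not any_eq(pkt, "ip.addr", CLIENT) and "dns" in pkt.protos


def fixed_filter_single_valued(pkt):
    """ip.src != 172.16.100.36 && ip.dst != 172.16.100.36 && dns
    Equivalent fix using fields that occur once, so != behaves as expected."""
    return (any_ne(pkt, "ip.src", CLIENT)
            and any_ne(pkt, "ip.dst", CLIENT)
            and "dns" in pkt.protos)


def apply_filter(flt, packets=PACKETS):
    """Return the packet numbers a display filter would leave in the packet list."""
    return [p.num for p in packets if flt(p)]


if __name__ == "__main__":
    for name, flt in [("warned", warned_filter), ("fixed", fixed_filter),
                      ("fixed (src/dst)", fixed_filter_single_valued)]:
        print(f"{name:16s} -> packets {apply_filter(flt)}")
```

The warned form keeps packets 1 and 2, the client's own DNS exchange, because the other endpoint of each packet differs from the client; only the negated form removes them.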
PART 2: ANALYZING ICS NETWORK TRAFFIC WITH NETWORK ANALYSIS TOOLS
Analyzing SMB Traffic
How long did it take you to complete the section on SMB?
1. What would the Wireshark Display Filter look like?
2. What packet number does this occur in?
3. What layer would you expect the “NetBIOS Session Service” to reside?
4. What would your new Display Filter look like? (Hint: you will need to use a logical “AND”)
5. What packet number contains this file?
6. What would your new Display Filter look like? (Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
7. List some of the files that you see transferred across this connection.
8. What packet number contains this file?
9. What other text file ending in .txt was transferred in this capture file?
10. Provide the name and contents of this file(s)
11. What ports is the Domain Server servicing (i.e., the Destination port) in this example containing the two text files?
12. What service is used on each of these ports? (Hint: use Wireshark and a web search)
13. What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
14. What service do you think that server is running?
15. What are the contents of this file?
16. What packet number was this file first referenced in?
17. What did you find?
18. How many “groups” or “networks” are shown?
(Consider a network as more than one device)
19. Which network(s) appear to have connections to external devices on the public Internet?
20. What countries do these addresses most likely reside in? (Hint: View Details for the address by right-clicking)
21. What transport, port number, and service(s) are used in the external connections? (Hint: View Frames for the details of the packets by right-clicking)
22. Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
23. Do you know what the destination IP addresses represent?
Analyzing Modbus/TCP (MBT) Traffic
How long did it take you to complete the section on Modbus/TCP?
1. What would the Display Filter look like?
2. What ports are being used by the PLC (192.168.1.5) for incoming sessions?
3. What is the most common service used by each of the TCP port numbers?
4. What is the manufacturer of the PLC?
5. Where did you find this information?
6. Is there more information about the manufacturer?
7. What information is provided here that was not provided with Wireshark?
8. What ports are listed under the “Incoming” sessions where the PLC would act as a server?
9. What TCP port is used by Modbus/TCP?
10. What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way handshakes if possible?
11. What packet number did this occur?
12. Why does it show two in this case?
13. What is contained in the “Modbus” portion of the frame?
14. What Function Code is used here?
15. What is the meaning of this Function Code?
16. What is the meaning of the “Reference Number”?
17. What is the meaning of the “Word Count”?
18. What packet number did this occur?
19. What is the value stored in Register Number 12300?
20. What does “UINT16” stand for?
21. Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
Analyzing EtherNet/IP (EIP) Traffic
How long did it take you to complete the section on EtherNet/IP?
1. What can you determine about this PLC?
2. What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
3. How long did this session last?
4. How many host IP addresses does NetworkMiner show?
5. How many of these IP addresses are IP Version 6 (IPv6)?
6. So, now how many HOST IPv4 addresses are on this network?
7. How many IPv4 addresses are shown in Wireshark Endpoints?
8. What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
9. What can you tell me about the manufacturer of this device?
(Hint: use the Wireshark OUI Lookup Tool)
10. What would the Display Filter look like to filter out all traffic except that using the PLC?
11. What packet number did this occur?
12. What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
13. What packet number did this occur?
14. What packet is the CIP Connection closed?
15. Is this traffic likely to be Time Critical or Non-Time Critical?
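For the EtherNet/IP questions on the RegisterSession response and its Session Handle, the added Python example below (not part of the lab materials) decodes the 24-byte little-endian encapsulation header that every EtherNet/IP frame on 44818/tcp begins with and follows the Session Handle through a constructed client/PLC exchange. The handle is 0 in the RegisterSession request, is assigned by the target in the reply, and must be echoed in every later frame; it is the only session state and travels in cleartext, so any host that can observe or guess it can inject SendRRData into the session. The frames, the handle value 0x0012A4C3 and the 6-byte SendRRData payloads are constructed for the example and are not from the lab pcap.

```python
"""
Decode the EtherNet/IP encapsulation header (24 bytes, little-endian) and
follow the Session Handle handed out by a RegisterSession reply.
All frames here are constructed for this example; none come from the lab pcap.
"""
import struct

ENIP_PORT = 44818
# command, length, session handle, status, sender context, options
HEADER = struct.Struct("<HHIIQI")

COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnregisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}


def parse_enip(frame: bytes) -> dict:
    """Split an encapsulation frame into its header fields and command data."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than the 24-byte encapsulation header")
    command, length, session, status, context, options = HEADER.unpack_from(frame)
    data = frame[HEADER.size:]
    if len(data) != length:
        raise ValueError(f"length field {length} does not match {len(data)} data bytes")
    info = {
        "command": COMMANDS.get(command, f"0x{command:04x}"),
        "session_handle": session,
        "status": status,          # non-zero means the target rejected the command
        "sender_context": context,
        "data": data,
    }
    if command == 0x0065:
        # RegisterSession data: protocol version (1) and option flags (0)
        version, flags = struct.unpack("<HH", data[:4])
        info["protocol_version"] = version
        info["option_flags"] = flags
    return info


def build_enip(command, session=0, status=0, context=0, options=0, data=b"") -> bytes:
    """Build an encapsulation frame (used only to construct the sample exchange)."""
    return HEADER.pack(command, len(data), session, status, context, options) + data


def follow_session(frames):
    """Walk a client/server exchange and classify every frame by its session handle.

    Returns (current handle, verdicts). A frame whose handle is neither the
    registered one nor a RegisterSession request is reported as 'foreign'.
    """
    handle = None
    verdicts = []
    for direction, frame in frames:
        p = parse_enip(frame)
        cmd = p["command"]
        if cmd == "RegisterSession" and direction == "server":
            if p["status"] != 0:
                verdicts.append((cmd, "rejected"))
                continue
            handle = p["session_handle"]            # assigned by the target
            verdicts.append((cmd, f"registered 0x{handle:08x}"))
        elif cmd == "RegisterSession":
            verdicts.append((cmd, "request"))        # handle is 0 in the request
        elif cmd == "UnregisterSession" and p["session_handle"] == handle:
            verdicts.append((cmd, "closed"))
            handle = None
        elif handle is not None and p["session_handle"] == handle:
            verdicts.append((cmd, "in-session"))
        else:
            verdicts.append((cmd, "foreign"))
    return handle, verdicts


# Constructed exchange; 0x0012A4C3 is an arbitrary sample handle.
REGISTER_DATA = struct.pack("<HH", 1, 0)
EXCHANGE = [
    ("client", build_enip(0x0065, data=REGISTER_DATA)),
    ("server", build_enip(0x0065, session=0x0012A4C3, data=REGISTER_DATA)),
    ("client", build_enip(0x006F, session=0x0012A4C3, data=b"\x00" * 6)),
    ("server", build_enip(0x006F, session=0x0012A4C3, data=b"\x00" * 6)),
    ("client", build_enip(0x006F, session=0x0BADF00D, data=b"\x00" * 6)),  # stale or injected handle
    ("client", build_enip(0x0066, session=0x0012A4C3)),
]

if __name__ == "__main__":
    for (direction, _), (cmd, verdict) in zip(EXCHANGE, follow_session(EXCHANGE)[1]):
        print(f"{direction:6s} {cmd:18s} {verdict}")
```

A PLC that receives a frame with an unknown handle answers with a non-zero Status; a monitoring sensor can apply the same check passively, which is what `follow_session` does.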
Analyzing OPC Data Access (OPC-DA) Traffic
How long did it take you to complete the section on OPC-DA?
1. Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform operating system they are likely running, and what services and ports are being used.
2. What does DCOM stand for?
3. What packet number represents this action?
4. What endian is the data for this session using?
5. What username is used to authenticate the client against the server?
6. Looking at the “RemoteCreateInstance request” packet, what frame number contains the response? (Hint: look in the Application Layer details)
7. What types of information can you decipher from this ASCII data?
8. What is this port number?
9. What number is shown for “StringBinding[2]” “NetworkAddr”?
10. What is the new TCP port number that will be used for the remaining data exchange session?
11. Is this the same port?
12. What is the new Display Filter that was automatically created?
PART 3: LAB EVALUATION
Did you find this lab useful?
What would you like to see changed?
Do not forget to submit the PCAP file you used at the beginning of the lab under “Using Wireshark”. There is an 8MB limit on the size of uploaded files. If your PCAP file is larger than 8MB, please notify the instructor for alternate instructions.
CSCI 397.01W | CSCI 397.61W © 2012-2020 ICSCSI LLC
Fundamentals of Industrial Control System Cyber Security
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: OBJECTIVES
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=175 1/2
Copyright (c) 2016-2020 ICSCSI LLC. All rights reserved.
Analyzing ICS Network Traffic with Network Analysis Tools
OBJECTIVES
Unlike the first part of this lab exercise, which used many illustrations to introduce new tools and capabilities, this part focuses on using these tools to analyze different types of industrial and business communications that occur on the network. Each section asks you to perform a variety of tasks using a set of network captures that should be downloaded from LAB EXERCISE 1. The lab exercise submittal document also contains sections that must be completed based on the tasks given within the lab exercise.
This exercise has the following objectives:
1. Download and open a network packet capture (pcap) file in each of the three network analysis tools. This pcap file contains a diversified
collection of network protocols where you will investigate the Server Message Block (SMB) used to exchange files between Windows host
computers.
2. Using the same pcap file as Step 1 above, isolate and analyze the Modbus/TCP traffic that occurs between a Windows computer and a PLC.
3. Download and open a pcap file containing Common Industrial Protocol (CIP) traffic that occurs between a Windows computer and a PLC.
4. Download and open a pcap file containing Open Platform Communication (OPC) Data Access traffic that occurs between an OPC Server
and a Windows computer.
LAB EXERCISE 1 contains the file downloads needed for this exercise, along with the submittal document containing the questions that are asked throughout the exercise. Do not forget to submit your files when you have completed this activity.
(Note: problems may occur if using Google Chrome as a browser where it tries to open links in Google Docs. The “Docs PDF/PowerPoint Viewer (by
Google)” extension must be disabled or removed.)
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING OPC-DATA ACCESS TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=83 1/3
ANALYZING OPC-DATA ACCESS TRAFFIC
(EXPECTED TIME TO COMPLETE = 10 minutes | 2:20)
This section will use the “industrial-protocols-opc.pcap” network capture file downloaded in LAB EXERCISE 1 to study OPC Data Access (OPC-
DA) communications. Unlike the previous cases with SMB, Modbus, and EtherNet/IP where you were given the architecture, in this exercise you will
determine the hosts and their relationships without guidance.
QUESTION 1:
Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform
operating system they are likely running, and what services and ports are being used.
From the section heading, it is obvious that the OPC Data Access protocol will be analyzed. During lecture it was mentioned that “classic” OPC-DA
presented many new challenges to the manufacturing world. The dependence on the Microsoft COM/DCOM infrastructure limited the usability of the
technology to strictly Windows-based computing platforms.
QUESTION 2:
What does DCOM stand for?
OPC-DA was originally released in 1996. In 2003, when the Blaster worm exploited a vulnerability in the Windows Remote Procedure Call (RPC) service, Microsoft responded by introducing the Windows Firewall in Windows XP Service Pack 2. Because OPC performs a “hand-off” from the well-known endpoint mapper port (135/tcp) to a second port that RPC allocates dynamically, the firewall’s default rules blocked that second port and OPC-DA became inoperable immediately after users installed XP-SP2.
The answer for many was to disable the Windows Firewall to keep their OPC-DA connections alive. This introduced even more problems as industry
worked to address security and usability at the same time.
In the lecture, the basic process of an OPC session was reviewed. In this part of the lab exercise, you will follow the session and observe how this
technology operates.
Most of this exercise will be at the packet level, so Wireshark will be the easiest tool to use.
The first step in establishing an OPC connection from the client to the server is a Distributed Computing Environment / Remote Procedure Call (DCE/RPC) “Bind” command.
QUESTION 3:
What packet number represents this action?
Select the packet referenced with the “Bind” command, and expand the “Distributed Computing Environment / Remote Procedure Call” Application
Layer in the data panel on the bottom. Notice the “Data Representation” entry.
QUESTION 4:
What endian is the data for this session using?
The Bind is then acknowledged by the server and the client then attempts authentication against the server.
QUESTION 5:
What username is used to authenticate the client against the server?
The client then establishes a “connection” by sending a “RemoteCreateInstance request” to the server.
QUESTION 6:
Looking at the “RemoteCreateInstance request” packet, what frame number contains the response?
(Hint: look in the Application Layer details)
Now using this response frame and the IP addresses for the client and the server, use the bottom “Packet Bytes” panel of Wireshark that shows raw
data to look for ASCII character-based patterns. You should be able to recognize a large portion of the data that is visible here.
QUESTION 7:
What types of information can you decipher from this ASCII data?
If you are having trouble, move to the first DCERPC “Request” frame in the capture list and notice the TCP Destination Port.
QUESTION 8:
What is this port number?
Now go back to the “RemoteCreateInstance response” frame and look again for a pattern of ASCII characters that represents an IPv4 address. If you click in the text panel on the ASCII characters that look like an IPv4 address, Wireshark will highlight the corresponding dissected field in the “Packet Details” panel.
QUESTION 9:
What number is shown for “StringBinding[2]” “NetworkAddr”?
QUESTION 10:
What is the new TCP port number that will be used for the remaining data exchange session?
Go forward to the first DCERPC “Request” frame and look at the TCP Destination Port.
QUESTION 11:
Is this the same port?
This cleartext “handoff” resulting from the dynamic port allocation of RPC makes it easy for security appliances to follow this conversation and create a
dynamic rule that will open the newly assigned ports. Without this feature, a firewall would need to open a range of ports defined within the
DCOMCNFG service resulting in an unnecessary attack surface through the perimeter protected by the firewall.
It is possible to create a Wireshark Display Filter to look for this “handoff”. If you expand the “ISystemActivator” portion of the ADU in packet 9, you can
right-click on “Operation: RemoteCreateInstance (4)” and select “Apply as Filter” and “Selected”. The Display Filter is automatically generated and
placed in the Display Filter entry line at the top of Wireshark.
QUESTION 12:
What is the new Display Filter that was automatically created?
We will look at this in the last two lecture sections of the course.
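The Bind, its Data Representation field, and the Request and Response packets in this section all begin with the same 16-byte DCE/RPC connection-oriented header. The added Python example below (not part of the lab or course materials) decodes that header, reads the byte order from the drep byte (what Wireshark shows as “Data Representation: 10000000 (Order: Little-endian; Char: ASCII; Float: IEEE)”) before interpreting the fields that follow it, and for a Bind reports which interface the client asked for, such as ISystemActivator, whose RemoteCreateInstance call performs the hand-off described above. The PDUs are produced by the `build_bind` helper in both byte orders; the interface UUIDs and the NDR transfer syntax UUID are the published values, and everything else (fragment sizes, call IDs) is constructed.

```python
"""
Decode the 16-byte DCE/RPC connection-oriented PDU header that every packet
of an OPC-DA session begins with, honouring the Data Representation (drep)
bytes so that the fields after them are read in the right byte order, and
identify the interface a Bind asks for. PDUs are constructed by build_bind
for this example; they are not from the lab pcap.
"""
import struct
import uuid

PACKET_TYPES = {0: "Request", 2: "Response", 3: "Fault", 11: "Bind", 12: "Bind_ack",
                13: "Bind_nak", 14: "Alter_context", 15: "Alter_context_resp", 16: "Auth3"}

# Well-known DCOM interfaces involved in an OPC-DA connection set-up.
INTERFACES = {
    uuid.UUID("000001a0-0000-0000-c000-000000000046"): "ISystemActivator",
    uuid.UUID("99fcfec4-5260-101b-bbcb-00aa0021347a"): "IOXIDResolver",
}
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")


def parse_drep(drep: bytes) -> dict:
    """NDR format label: byte 0 high nibble = integer order (0 big, 1 little),
    low nibble = character set; byte 1 = floating-point representation."""
    return {
        "order": "little" if (drep[0] >> 4) == 1 else "big",
        "char": "EBCDIC" if (drep[0] & 0x0F) == 1 else "ASCII",
        "float": {0: "IEEE", 1: "VAX", 2: "Cray", 3: "IBM"}.get(drep[1], "unknown"),
    }


def parse_pdu(pdu: bytes) -> dict:
    """Decode the common header; for a Bind also decode the first context."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    major, minor, ptype, pflags = pdu[0], pdu[1], pdu[2], pdu[3]
    if major != 5:
        raise ValueError(f"unsupported RPC version {major}")
    rep = parse_drep(pdu[4:8])
    e = "<" if rep["order"] == "little" else ">"     # every later integer uses this order
    frag_len, auth_len, call_id = struct.unpack(e + "HHI", pdu[8:16])
    if frag_len != len(pdu):
        raise ValueError(f"frag_length {frag_len} != {len(pdu)} bytes on the wire")
    info = {"type": PACKET_TYPES.get(ptype, str(ptype)), "flags": pflags,
            "drep": rep, "frag_length": frag_len, "auth_length": auth_len,
            "call_id": call_id}
    if ptype == 11:
        info.update(parse_bind_body(pdu[16:], e))
    return info


def parse_bind_body(body: bytes, e: str) -> dict:
    """Bind body: max_xmit, max_recv, assoc_group, context count, first context."""
    max_xmit, max_recv, assoc, n_ctx = struct.unpack_from(e + "HHIB", body)
    ctx_id, n_syntax = struct.unpack_from(e + "HB", body, 12)
    raw = body[16:32]                      # abstract syntax UUID of context 0
    iface = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
    (iface_ver,) = struct.unpack_from(e + "I", body, 32)
    return {"max_xmit_frag": max_xmit, "max_recv_frag": max_recv,
            "assoc_group": assoc, "num_contexts": n_ctx, "context_id": ctx_id,
            "interface": INTERFACES.get(iface, str(iface)), "interface_version": iface_ver}


def build_bind(little_endian=True, call_id=1, iface=None) -> bytes:
    """Construct a one-context Bind (first+last fragment) in either byte order."""
    e = "<" if little_endian else ">"
    iface = iface or uuid.UUID("000001a0-0000-0000-c000-000000000046")
    u = (lambda x: x.bytes_le) if little_endian else (lambda x: x.bytes)
    body = struct.pack(e + "HHIBBH", 5840, 5840, 0, 1, 0, 0)   # n_ctx=1, reserved
    body += struct.pack(e + "HBB", 0, 1, 0) + u(iface) + struct.pack(e + "I", 0)
    body += u(NDR_TRANSFER_SYNTAX) + struct.pack(e + "I", 2)
    drep = bytes([0x10 if little_endian else 0x00, 0, 0, 0])
    header = bytes([5, 0, 11, 0x03]) + drep + struct.pack(e + "HHI", 16 + len(body), 0, call_id)
    return header + body


if __name__ == "__main__":
    for le in (True, False):
        print(parse_pdu(build_bind(little_endian=le)))
```

Reading `frag_length` and `call_id` with the wrong byte order is the classic mistake here: a big-endian decoder applied to the little-endian Bind above reports a fragment length of 0x4800 instead of 72 and rejects the packet.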
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING SMB TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=81 1/4
ANALYZING SMB TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:20)
The remainder of the lab exercise focuses on applying some basic skills using the three network analysis tools. This first portion applies to common IT protocols and services. You are encouraged to spend some free time experimenting on your personal network. This section shows you how to extract file data from a network capture. You can re-create this on your home network by sharing a file between two devices while you run Wireshark on one of them. Feel free to share your thoughts in the LAB EXERCISE 1 submittal. Questions will be asked throughout this section; your answers should be provided on the LAB EXERCISE 1 submittal document.
This section will use the “multi-network-architecture.pcap” network capture file downloaded in LAB EXERCISE 1. Begin by opening this file in all
three network analysis tools – GrassMarlin, NetworkMiner, and Wireshark.
Server Message Block (SMB) is an Application Layer protocol used by multiple operating systems to share files across the network. It is also known as the Common Internet File System (CIFS). In a Windows environment it also carries legacy NetBIOS traffic and provides an access mechanism for inter-process communication (IPC) via the IPC$ administrative share using named pipes.
In the network capture provided, there are primarily two major types of communications using 445/tcp: [1] authentication between Windows Domain
Members (10.1.1.60, 10.1.1.251) and Windows Domain Servers (10.1.1.1), and [2] file sharing services between clients (172.16.100.240) and the
Windows Server (10.1.1.1).
Using Wireshark, create a Display Filter that will narrow the traffic down to just these three assets.
QUESTION 1:
What would the Wireshark Display Filter look like?
Apply the filter now.
You will notice that there is more than just SMB traffic using 445/tcp. You should scroll down the filtered packet list and find the start of the 3-way
handshake for the first occurrence of traffic using 445/tcp.
QUESTION 2:
In what packet number does this occur?
One of the protocols that SMB uses is the NetBIOS Session Service. This should be the first set of packets following the successful completion of the
3-way handshake. Using the data panel within Wireshark, along with what you learned during Week 3, you can identify the position in the OSI 7-Layer
Model for the protocol.
QUESTION 3:
What layer would you expect the “NetBIOS Session Service” to reside?
Now let us append to the existing Display Filter to limit the information displayed to only contain traffic using the SMB protocol.
QUESTION 4:
What would your new Display Filter look like?
(Hint: you will need to use a logical “AND”)
Apply the filter now.
You should notice that the 3-way handshake is no longer displayed because the filter is looking for traffic using the SMB protocol. The 3-way handshake
is establishing a connection on 445/tcp which may not be for SMB in all cases.
Find the first SMB packet after the handshake completes between 10.1.1.60 (client) and 10.1.1.1 (server). This should be “Negotiate Protocol
Request”.
QUESTION 5:
What packet number contains this file?
Scroll down and observe the sessions that follow. Most of the traffic at this point is associated with a domain login between 10.1.1.60 and 10.1.1.1 and the exchange of policy information that follows it.
What we are really trying to find is the transferring of files across the network using SMB on 445/tcp. We can do this by appending a Display Filter that
displays SMB Transaction2 Extensions that will show the browsing of remote directories and identification of files that will be transferred. This is done
using “smb.trans2.cmd” and “ANDing” it with the previous Display Filter limiting traffic to SMB.
QUESTION 6:
What would your new Display Filter look like?
(Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
Your Display Filter should start to look like “… && smb && smb.trans2.cmd”.
Apply the filter now.
QUESTION 7:
List some of the files that you see transferred across this connection
It is important to understand that just because the username/password authentication exchange does not expose the password on the wire does not mean that the traffic transferred after authentication is protected. Unless SMB encryption (SMB 3.x) is negotiated, file contents travel in cleartext. We are going to see what files have been transferred in cleartext across the network!
Wireshark provides the ability to export certain Objects that are contained in network traffic. You can access this by selecting “File” from the menu, and
“Export Objects” at the bottom. For this exercise, select “SMB”.
The packet numbers on the Export report correspond to the packet that “completed” the transfer. Search for the file “shared_file_on_server.txt”.
QUESTION 8:
What packet number contains this file?
QUESTION 9:
What other text file ending in “.txt” was transferred in this capture file?
Save the contents of both .txt files to your local hard disk, and open each of them (using Notepad, WordPad, Write, etc.).
QUESTION 10:
Provide the name and contents of the file(s)
Now, switch to NetworkMiner and if you have not already done so, select “File” -> “Open” to import the capture file. Notice how NetworkMiner provides
a basic inventory of devices on the network.
Select the “Files” tab at the top. You should see a similar list of files that were extracted from the capture file. You will notice on the “Files” tab that
information about the Source and Destination TCP port number is provided. You can also see that NetworkMiner has automatically downloaded the
files and placed them in a temporary directory on your local hard disk. This is listed in the “Reconstructed file path” column.
QUESTION 11:
What ports is the Domain Server servicing (i.e., the Destination port) in this example containing the two text files?
Go to the “Hosts” tab in NetworkMiner and expand the information for the Domain Server (10.1.1.1). It summarizes the Incoming and Outgoing
sessions. Expand the Incoming sessions by clicking the “+”. You will notice more than just our SMB traffic has been accessing the server. Four
additional TCP sessions have been enumerated.
QUESTION 12:
What service is used on each of these ports?
(Hint: use Wireshark and a web search)
NetworkMiner also enumerates Outgoing sessions for the Domain Server. Expand the Outgoing sessions and review the information presented.
QUESTION 13:
What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
QUESTION 14:
What service do you think that server is running?
Go back to the “Files” tab and look for the sessions between the Domain Server (10.1.1.1) and this other “server” (10.1.1.254). Notice that you see
additional files that were not available from Wireshark. These files are the TLS certificates used to connect to the other “server” using HTTPS on
443/tcp.
Find the file “shared_file_on_server…”, and open it by right-clicking and selecting “Open file” to view its contents.
QUESTION 15:
What are the contents of this file?
QUESTION 16:
What packet number was this file first referenced in?
Go back to Wireshark and look for this packet number. You will have to clear the Display Filter if you have not already done so. Right-click on the
packet and select “Follow” and “TCP Stream”. This will display all the packets in the session as a contiguous data stream.
Enter “abcd1234” in the Find field at the bottom and select “Find Next”.
QUESTION 17:
What did you find?
Now, go to GrassMarlin and look at the visualization of the packet capture data. If you have not already done so, import the capture file into GrassMarlin. GrassMarlin defaults to defining networks with a CIDR /24 mask. The networks are listed in a tabular fashion on the left, and visually in the center.
QUESTION 18:
How many “groups” or “networks” are shown?
(Consider a network as more than one device)
You should notice a couple of networks that contain only two assets, one having an IP address that ends with .255. Remember that this is the Broadcast Address for that particular network and does not usually reflect a physical device. This can easily be confirmed by looking at the hardware MAC address, which can be done by right-clicking the shaded area containing the address. If the MAC address is “FF:FF:FF:FF:FF:FF”, then it is the Broadcast Address.
QUESTION 19:
Which network(s) appear to have connections to external devices on the public Internet?
QUESTION 20:
What countries do these addresses most likely reside in?
(Hint: View Details for the address by right-clicking)
QUESTION 21:
What transport, port number, and service(s) are used in the external connections?
(Hint: View Frames for the details of the packets)
QUESTION 22:
Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
QUESTION 23:
Do you know what the destination IP addresses represent?
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING MODBUS/TCP TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=168 1/4
ANALYZING MODBUS/TCP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:40)
Using the same “multi-network-architecture.pcap” file from the Analyzing SMB Traffic section, let us now focus on ICS protocols and traffic. This portion analyzes traffic using the Modbus/TCP protocol over 502/tcp. The architecture consists of a PLC (192.168.1.5), an HMI (192.168.1.129), and a SCADA Server (192.168.1.60).
You can use CIDR notation to create a Display Filter in Wireshark that will narrow the traffic down to just this 192.168.1.0/24 network.
QUESTION 1:
What would the Display Filter look like?
Apply the filter now.
Using Wireshark “Conversations” under the “Statistics” menu, select the “TCP” tab. The report shows all the traffic in the capture file, so look at the bottom and select “Limit to display filter” to simplify the report.
QUESTION 2:
What ports are being used by the PLC (192.168.1.5) for incoming sessions?
QUESTION 3:
What is the most common service used by each of the TCP port numbers?
QUESTION 4:
What is the manufacturer of the PLC?
QUESTION 5:
Where did you find this information?
Let us focus on the same host address using NetworkMiner. Find the PLC (192.168.1.5). Notice that “Siemens” is presented with the IP address. Expand the device by clicking the “+” sign.
QUESTION 6:
Is there more information about the manufacturer?
Expand the “OS: Siemens” entry.
QUESTION 7:
What information is provided here that was not provided with Wireshark?
QUESTION 8:
What ports are listed under the “Incoming” sessions where the PLC would act as a server?
NetworkMiner uses device signatures to help enumerate the actual device that is present, a feature Wireshark does not offer. The Satori TCP fingerprint database was used to identify the Siemens PLC. One of the instructors of this course has been actively working with the developer of NetworkMiner to expand this library.
The one piece of information that NetworkMiner is not able to provide is that relating to the Application Layer and the associated ADUs. Recall from the
lecture that Wireshark has protocol “dissectors” that allow the packet to be broken down extracting headers from data units. These data units can be
further broken down into function codes and data elements.
So, let us return to Wireshark and analyze the Modbus/TCP Application Layer protocol.
QUESTION 9:
What TCP port is used by Modbus/TCP?
QUESTION 10:
What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way
handshakes if possible?
If you go to the very top of the display, you can see the actual handshake that took place. That is the benefit of generating traffic in a lab versus in the real world, where the TCP session is often established long before a capture starts and the handshake is never seen. This handshake occurred only a single time throughout the five minutes of traffic collected.
Search for the first Modbus/TCP “Query” packet.
QUESTION 11:
In what packet number did this occur?
Select the packet and observe the Packet Details panel below, which presents the frame layer by layer following the OSI model. Two Application Layer entries are shown: Modbus/TCP and Modbus.
QUESTION 12:
Why does it show two in this case?
Referring to the lecture material (slide 35), shown below as Figure 81, what is contained in the “Modbus/TCP” portion of the frame?
QUESTION 13:
What is contained in the “Modbus” portion of the frame?
Figure 81
QUESTION 14:
What Function Code is used here?
QUESTION 15:
What is the meaning of this Function Code?
QUESTION 16:
What is the meaning of the “Reference Number”?
QUESTION 17:
What is the meaning of the “Word Count”?
(Hint: several good documents were referenced in the lecture that dissect the complete Modbus/TCP frame)
Look at the associated Modbus/TCP “Response” packet. This might help you answer the question above!
QUESTION 18:
In what packet number did this occur?
QUESTION 19:
What is the value stored in Register Number 12300?
QUESTION 20:
What does “UINT16” stand for?
QUESTION 21:
Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
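As an added example, not part of the course material: a small Python dissector for a constructed Modbus/TCP Read Holding Registers exchange. It separates the 7-byte MBAP header (transaction identifier, protocol identifier, length, unit identifier), which is the layer Wireshark labels “Modbus/TCP”, from the PDU (function code plus data), which Wireshark labels “Modbus”, and shows how the reference number (0-based starting address) and word count in the request relate to the byte count and register values in the response. The register address 12300 and the values 0x1234/0xBEEF are constructed for this example and are not the values in the lab capture.

```python
"""Added example: a minimal Modbus/TCP dissector that separates the MBAP
header (what Wireshark labels "Modbus/TCP") from the Modbus PDU (labelled
"Modbus") for a Read Holding Registers request/response pair.  The frames
below are constructed for this example and are not taken from the lab pcap."""
import struct

MODBUS_TCP_PORT = 502  # IANA-registered port for Modbus/TCP

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


def parse_mbap(frame: bytes):
    """MBAP header: transaction id, protocol id (0 = Modbus), length, unit id.
    'length' counts the unit id byte plus the whole PDU that follows it."""
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    tid, pid, length, uid = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(frame) - 6} bytes present")
    return {"transaction_id": tid, "protocol_id": pid, "length": length, "unit_id": uid}


def parse_pdu(pdu: bytes, is_response: bool):
    """Modbus PDU: function code, then function-specific data.
    Only FC 3 (Read Holding Registers) is dissected in detail here."""
    fc = pdu[0]
    out = {"function_code": fc & 0x7F, "function": FUNCTION_NAMES.get(fc & 0x7F, "unknown")}
    if fc & 0x80:                          # exception response: high bit of FC set
        out["exception_code"] = pdu[1]
        return out
    if fc != 3:
        out["data"] = pdu[1:]
        return out
    if not is_response:
        # Request: 0-based starting address ("Reference Number" in Wireshark)
        # and number of 16-bit registers ("Word Count").
        ref, count = struct.unpack("!HH", pdu[1:5])
        out.update({"reference_number": ref, "word_count": count})
    else:
        # Response: byte count (2 bytes per register), then the register values.
        byte_count = pdu[1]
        if byte_count != len(pdu) - 2 or byte_count % 2:
            raise ValueError("byte count does not match payload")
        values = struct.unpack(f"!{byte_count // 2}H", pdu[2:2 + byte_count])
        out.update({"byte_count": byte_count, "registers": list(values)})
    return out


def dissect(frame: bytes, is_response: bool):
    """Return the two layers Wireshark shows for a Modbus/TCP frame."""
    mbap = parse_mbap(frame)
    return {"Modbus/TCP": mbap, "Modbus": parse_pdu(frame[7:], is_response)}


def registers_by_address(request: dict, response: dict):
    """Pair each returned value with its protocol address, as Wireshark does
    when it matches a response to its request by transaction id."""
    if request["Modbus/TCP"]["transaction_id"] != response["Modbus/TCP"]["transaction_id"]:
        raise ValueError("transaction ids differ; not the same exchange")
    start = request["Modbus"]["reference_number"]
    return {start + i: v for i, v in enumerate(response["Modbus"]["registers"])}


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prepend an MBAP header; length = unit id byte + PDU."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed exchange: read 2 holding registers starting at address 12300.
REQUEST = build_frame(0x0123, 1, struct.pack("!BHH", 3, 12300, 2))
RESPONSE = build_frame(0x0123, 1, struct.pack("!BBHH", 3, 4, 0x1234, 0xBEEF))
EXCEPTION = build_frame(0x0124, 1, bytes([0x83, 0x02]))  # FC3 + illegal data address

if __name__ == "__main__":
    req, rsp = dissect(REQUEST, False), dissect(RESPONSE, True)
    print(req)
    print(rsp)
    print(registers_by_address(req, rsp))
    print(dissect(EXCEPTION, True))
```

The checks in parse_mbap (MBAP length equals the bytes actually present) and parse_pdu (byte count is even and matches the payload) are the validation a protocol-aware IDS or firewall performs before trusting a frame. Note that the wire protocol carries 0-based addresses; vendor documentation often numbers holding registers from 40001, so address 0 on the wire is register 40001 in the manual.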
Copyright (c) 2016-2020 ICSCSI LLC. All rights reserved.
Before leaving this portion of the lab exercise, you are encouraged to modify your Wireshark Display Filter and look at the ICS communication taking
place on 102/tcp using the Siemens S7COMM protocol. This PLC supports both Modbus/TCP and Siemens S7COMM, and can serve the same data
using either protocol. If you look at packets 11579 and 11580, you can see the data request and response. Notice the different syntax used to access
the PLC internal registers with S7COMM by expanding the details in the “S7 Communication” ADU in the request packet 11579.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING ETHERNET/IP TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=174 1/4
Fundamentals of Industrial Control System Cyber Security
Analyzing ICS Network Traffic with Network Analysis Tools
ANALYZING ETHERNET/IP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 2:00)
This section will use the “industrial-protocols-cip.pcap” network capture file downloaded in LAB EXERCISE 1 to study the Common Industrial Protocol (CIP) in its EtherNet/IP (EIP) form. This architecture consists of a Rockwell Automation Micro850 PLC (192.168.1.17) and an engineering workstation (192.168.1.97) running the Connected Components Workbench (CCW) software used to configure and monitor the PLC.
Open the file in all three tools and record anything you can find regarding the vendor, model, version, etc. of the PLC in the capture. Remember to consider the OUI portion of the hardware MAC address. You can look up MAC OUIs on the Wireshark website (https://www.wireshark.org/tools/oui-lookup.html). The master list of registered OUI information can also be found on the IEEE standards website (http://standards-oui.ieee.org/oui.txt); because it includes the registrant's postal address, this latter source can also indicate the country of origin of the device.
QUESTION 1:
What can you determine about the PLC?
Using NetworkMiner, expand the PLC (192.168.1.17) and notice that NetworkMiner could not fully enumerate the device in terms of OS and device type as it was previously able to do with the Siemens S7 PLC.
Expand the “Incoming” sessions and notice that the PLC is acting as a server on 44818/tcp. Expand that entry further to reveal information about the client.
QUESTION 2:
What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
QUESTION 3:
How long did this session last?
QUESTION 4:
How many host IP addresses does NetworkMiner show?
If you have not already noticed, the number of hosts is shown next to the “Hosts” tab in the top of the NetworkMiner window.
QUESTION 5:
How many of these IP addresses are IP Version 6 (IPv6)?
One of the IPv4 addresses shown, 224.0.0.106, is a multicast address. This is not really a host or device, but rather a group address used to deliver traffic to every device that has joined the group. You might also recall from the lecture that IPv6 multicast addresses begin with “ff” (ff00::/8), so ff02::1:2 is also a multicast address, not a host.
QUESTION 6:
So, now how many HOST IPv4 addresses are on this network?
Notice the device NetworkMiner presents at IP address 169.254.2.2. An address in 169.254.0.0/16 is a link-local, “self-assigned” address: it is what a device gives itself when it is configured for DHCP but receives no lease from a Dynamic Host Configuration Protocol (DHCP) server. Such an address can also be entered manually in the device's network configuration, allowing it to link to an existing network segment and talk to its neighbours without being issued an address by that network.
From a cyber security perspective, these addresses are important because they can signify the presence of an unauthorized host on the network that is trying to remain hidden: a device with a self-assigned address never talks to the DHCP server and appears in no lease table, yet it still receives the segment's broadcast and ARP traffic. This is one way a device can connect to a network and “listen” for traffic to enumerate hosts and their communications.
Go back to Wireshark and open this packet capture file if not already done. Observe the first 25 packets and notice the broadcast traffic and other
layer 2 traffic like the Address Resolution Protocol (ARP), Link-Layer Discovery Protocol (LLDP), and Spanning Tree Protocol (STP).
Now let us look at the enumerated devices by selecting “Analyze” in the menu followed by “Endpoints” and look at the “IPv4” results.
QUESTION 7:
How many IPv4 addresses are shown in Wireshark Endpoints?
Notice that 169.254.2.2 is not on this list (it appears only as the sender in ARP frames, which carry no IP header, so it is not counted as an IPv4 endpoint), but if you select “Ethernet” you see 23 entries.
QUESTION 8:
What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
You can right-click the FF:FF:FF:FF:FF:FF address from the Endpoints – Ethernet listing and select “Apply as Filter” and “Selected” to view this traffic
in Wireshark. You will notice Address Resolution Protocol (ARP) and NetBIOS Name Service (NBNS) traffic.
Close the Endpoints summary and return to the main display. Open the Find Packet bar with Ctrl+F (the Control key and the F key at the same time; Ctrl+C would only copy), change the search type from “Display filter” to “String”, search the “Packet details”, and enter “169.254.2.2”. Alternatively, apply the display filter arp.src.proto_ipv4 == 169.254.2.2, which matches ARP frames whose sender protocol address is that host. If you expand the “Address Resolution Protocol (request)” entry in the Packet Details panel, you will find the Sender IP address of 169.254.2.2.
QUESTION 9:
What can you tell me about the manufacturer of this device?
(Hint: first look at how Wireshark “resolves” the MAC address, and then use the Wireshark OUI Lookup Tool)
If you entered only the three-byte OUI that Wireshark showed, you probably saw a long list of manufacturers, because that OUI is shared among many smaller registrations. If you append more of the address and enter “00:50:c2:b3”, you will see the entry “00:50:C2:B3:20:00/36 Byres Security Inc”. This is a CIDR-style expression for a MAC address: the IEEE MA-S registry assigns 36-bit prefixes, and the “/36” states how many leading bits identify the registrant. Using the same logic presented in the lecture, you can take a string of 36 1's and logically “AND” it with the MAC address to extract the base address registered to Byres Security, leaving the remaining 12 bits for device-specific addressing.
Each hexadecimal digit represents 4 bits, so 36 bits is nine hex digits: the base address is “00:50:C2:B3:2”, and 2^12 = 4,096 addresses in the range “00:50:C2:B3:20:00” to “00:50:C2:B3:2F:FF” can be assigned by the manufacturer.
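The two ideas above, a self-assigned 169.254.x.x sender that shows up only in ARP and the /36 block arithmetic, worked through as an added Python example (not part of the course material). It builds constructed ARP request frames, dissects them, flags any sender in 169.254.0.0/16, and resolves the sender MAC by longest-prefix match against CIDR-style registrations. The “00:50:C2:B3:20:00/36 Byres Security Inc” entry is the one quoted above; the MAC 00:50:C2:B3:2A:BC, the AC:DE:48 entry and the IP addresses in the frames are constructed stand-ins, not values from the lab capture.

```python
"""Added example: parse ARP frames, flag self-assigned (169.254/16) senders,
and match the sender MAC against CIDR-style OUI blocks such as
00:50:C2:B3:20:00/36.  The frames and all but one table entry are constructed
for this example; only the Byres Security /36 entry comes from the lab text."""
import ipaddress
import struct

# Registration table in CIDR-style MAC notation.  The /36 entry is the one the
# lab text shows from the Wireshark OUI lookup; the /24 entry is a constructed
# placeholder so the longest-prefix match has something to compare against.
OUI_BLOCKS = {
    "00:50:C2:B3:20:00/36": "Byres Security Inc",
    "AC:DE:48:00:00:00/24": "Example Vendor (constructed)",
}

APIPA = ipaddress.ip_network("169.254.0.0/16")   # link-local, "self assigned"


def mac_to_int(mac: str) -> int:
    """'00:50:C2:B3:2A:BC' -> 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def int_to_mac(value: int) -> str:
    return ":".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def parse_block(block: str):
    """'00:50:C2:B3:20:00/36' -> (base_int, mask_int, prefix_len)."""
    base, plen = block.split("/")
    plen = int(plen)
    mask = ((1 << plen) - 1) << (48 - plen)    # plen ones, left-aligned in 48 bits
    return mac_to_int(base) & mask, mask, plen


def block_range(block: str):
    """First address, last address and number of device addresses in the block."""
    base, _mask, plen = parse_block(block)
    host_bits = 48 - plen
    return int_to_mac(base), int_to_mac(base | ((1 << host_bits) - 1)), 1 << host_bits


def mac_in_block(mac: str, block: str) -> bool:
    base, mask, _plen = parse_block(block)
    return (mac_to_int(mac) & mask) == base


def lookup_vendor(mac: str):
    """Longest-prefix match, the way an OUI lookup resolves MA-S/MA-M blocks."""
    best = None
    for block, vendor in OUI_BLOCKS.items():
        if mac_in_block(mac, block):
            plen = parse_block(block)[2]
            if best is None or plen > best[0]:
                best = (plen, vendor)
    return best[1] if best else None


def parse_arp(frame: bytes):
    """Dissect an Ethernet II frame carrying IPv4 ARP; None for anything else."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "opcode": op,                                  # 1 = request, 2 = reply
        "sender_mac": int_to_mac(int.from_bytes(sha, "big")),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def find_self_assigned_senders(frames):
    """Flag ARP senders using a 169.254/16 address and resolve their vendor."""
    findings = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp and ipaddress.ip_address(arp["sender_ip"]) in APIPA:
            findings.append((arp["sender_ip"], arp["sender_mac"], lookup_vendor(arp["sender_mac"])))
    return findings


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed test traffic: a broadcast 'who-has' request."""
    sha = mac_to_int(sender_mac).to_bytes(6, "big")
    eth = struct.pack("!6s6sH", b"\xff" * 6, sha, 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sha,
                      ipaddress.IPv4Address(sender_ip).packed, b"\x00" * 6,
                      ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


# Constructed sample: the first MAC is inside the Byres /36 block but is not
# the address from the lab capture.
SAMPLE_FRAMES = [
    build_arp_request("00:50:C2:B3:2A:BC", "169.254.2.2", "192.168.1.17"),
    build_arp_request("AC:DE:48:00:11:22", "192.168.1.97", "192.168.1.17"),
]

if __name__ == "__main__":
    print(block_range("00:50:C2:B3:20:00/36"))
    for ip, mac, vendor in find_self_assigned_senders(SAMPLE_FRAMES):
        print(f"self-assigned sender {ip} from {mac} ({vendor})")
```

The mask arithmetic in parse_block is exactly the “36 ones ANDed with the address” step described above, and block_range reproduces the 00:50:C2:B3:20:00 to 00:50:C2:B3:2F:FF range of 4,096 addresses.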
Let us now focus on traffic with the PLC (192.168.1.17).
QUESTION 10:
What would the Display Filter look like to filter out all traffic except that using the PLC?
Apply the filter now.
We are now going to walk through the communication that was shown during the lecture for Week 3 (slide 48), shown below as Figure 82.
Figure 82
The first step is to create an EtherNet/IP Session. This is performed using the “RegisterSession” Request command.
QUESTION 11:
In what packet number did this occur?
QUESTION 12:
What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
The next step that occurs is the establishment of a CIP Connection using the CIP Connection Manager (CM) and issuing a “Forward Open” command.
QUESTION 13:
In what packet number did this occur?
Notice that Wireshark recognizes this and labels the packet with the protocol “CIP CM”, and that the CIP Connection Manager appears as the topmost (highest-layer) entry in the Packet Details panel at the bottom.
QUESTION 14:
In what packet is the CIP Connection closed?
All of the communication between the opening and the closing of the CIP Connection is “explicit” “connected” CIP traffic using 44818/tcp. You might
want to refer back to lecture in Week 3 (slide 42) and shown below as Figure 83 to see what type of traffic was exchanged here.
Figure 83
QUESTION 15:
Is this traffic likely to be Time-Critical or Non-Time-Critical?
The application may or may not unregister the EtherNet/IP Session with an “UnRegisterSession” command when it is finished. That is not done in this capture.
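The session lifecycle walked through above (RegisterSession hands out a handle, explicit messaging then carries that handle, UnRegisterSession may never come) as an added Python example that is not part of the course material. It dissects the 24-byte EtherNet/IP encapsulation header (command, length, session handle, status, sender context, options; all little-endian, per the published EtherNet/IP specification) and tracks sessions across a constructed exchange, flagging a SendRRData that carries a handle no RegisterSession reply ever issued and reporting sessions left open. The handle 0x00010002 and every message below are constructed stand-ins, not values from the lab capture.

```python
"""Added example: a minimal EtherNet/IP encapsulation-header dissector with
session tracking.  It follows RegisterSession replies to learn the handle the
target hands out, checks that later SendRRData / SendUnitData commands carry
a registered handle, and reports sessions that were never unregistered.
All messages are constructed for this example; none come from the lab pcap."""
import struct

EIP_TCP_PORT = 44818

COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

# command, length, session handle, status, sender context, options (little-endian)
HEADER = struct.Struct("<HHIIQI")


def parse_encap(packet: bytes):
    """Split a packet into the 24-byte encapsulation header and its command data."""
    if len(packet) < HEADER.size:
        raise ValueError("short encapsulation header")
    command, length, session, status, context, options = HEADER.unpack(packet[:HEADER.size])
    data = packet[HEADER.size:HEADER.size + length]
    if len(data) != length:
        raise ValueError("encapsulation length exceeds bytes present")
    return {
        "command": command,
        "name": COMMANDS.get(command, f"unknown(0x{command:04x})"),
        "session_handle": session,
        "status": status,
        "sender_context": context,
        "options": options,
        "data": data,
    }


def build_encap(command: int, session: int, data: bytes = b"", status: int = 0, context: int = 0) -> bytes:
    return HEADER.pack(command, len(data), session, status, context, 0) + data


def track_sessions(exchange):
    """exchange: list of (direction, packet) with direction 'c2s' or 's2c'.
    Returns (handles still registered at the end, list of (packet index, finding))."""
    registered, findings = set(), []
    for i, (direction, packet) in enumerate(exchange, 1):
        msg = parse_encap(packet)
        cmd = msg["command"]
        if cmd == 0x0065 and direction == "s2c":
            # The reply is where the handle is assigned; the request carries 0.
            if msg["status"] == 0:
                registered.add(msg["session_handle"])
            else:
                findings.append((i, f"RegisterSession failed with status 0x{msg['status']:x}"))
        elif cmd == 0x0066:
            registered.discard(msg["session_handle"])
        elif cmd in (0x006F, 0x0070) and msg["session_handle"] not in registered:
            findings.append((i, f"{msg['name']} with unregistered handle 0x{msg['session_handle']:08x}"))
    for handle in sorted(registered):
        findings.append((len(exchange), f"session 0x{handle:08x} never unregistered"))
    return registered, findings


# Constructed exchange between a workstation (c2s) and a PLC (s2c).
# RegisterSession command data = protocol version 1, option flags 0.
REGISTER_DATA = struct.pack("<HH", 1, 0)
SESSION = 0x00010002   # constructed handle; the real one is whatever the PLC replies with
SAMPLE_EXCHANGE = [
    ("c2s", build_encap(0x0065, 0, REGISTER_DATA)),
    ("s2c", build_encap(0x0065, SESSION, REGISTER_DATA)),
    ("c2s", build_encap(0x006F, SESSION, b"\x00" * 16)),      # explicit request (CIP payload omitted)
    ("s2c", build_encap(0x006F, SESSION, b"\x00" * 16)),
    ("c2s", build_encap(0x006F, 0xDEADBEEF, b"\x00" * 16)),   # handle nobody registered
]

if __name__ == "__main__":
    for direction, pkt in SAMPLE_EXCHANGE:
        m = parse_encap(pkt)
        print(f"{direction} {m['name']:18} handle=0x{m['session_handle']:08x} len={len(m['data'])}")
    print(track_sessions(SAMPLE_EXCHANGE))
```

A session handle is the only thing tying explicit messages to a registration, and it is sent in the clear, so the “unregistered handle” check catches malformed or fabricated traffic but not a forged message that reuses a handle observed on the wire; the CIP payload inside SendRRData (the Forward Open and the connected data that follow) is left undissected here.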
LAB EXERCISE 1 (W4):
NETWORK ANALYSIS TOOLS
PART 2: ANALYZING ICS NETWORK TRAFFIC WITH NETWORK ANALYSIS TOOLS
Analyzing SMB Traffic
How long did it take you to complete the section on SMB?
1. What would the Wireshark Display Filter look like?
2. What packet number does this occur in?
3. What layer would you expect the “NetBIOS Session Service” to reside?
4. What would your new Display Filter look like? (Hint: you will need to use a logical “AND”)
5. What packet number contains this request?
6. What would your new Display Filter look like? (Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
7. List some of the files that you see transferred across this connection.
8. What packet number contains this file?
9. What other text file ending in .txt was transferred in this capture file?
10. Provide the name and contents of this file(s)
11. On what ports is the Domain Server providing service (i.e., the destination ports) in the example containing the two text files?
12. What service is used on each of these ports? (Hint: use Wireshark and a web search)
13. What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
14. What service do you think that server is running?
15. What are the contents of this file?
16. What packet number was this file first referenced in?
17. What did you find?
18. How many “groups” or “networks” are shown?
(Consider a network as more than one device)
19. Which network(s) appear to have connections to external devices on the public Internet?
20. What countries do these addresses most likely reside in? (Hint: View Details for the address by right-clicking)
21. What transport, port number, and service(s) are used in the external connections? (Hint: View Frames for the details of the packets by right-clicking)
22. Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
23. Do you know what the destination IP addresses represent?
Analyzing Modbus/TCP (MBT) Traffic
How long did it take you to complete the section on Modbus/TCP?
1. What would the Display Filter look like?
2. What ports are being used by the PLC (192.168.1.5) for incoming sessions?
3. What is the most common service used by each of the TCP port numbers?
4. What is the manufacturer of the PLC?
5. Where did you find this information?
6. Is there more information about the manufacturer?
7. What information is provided here that was not provided with Wireshark?
8. What ports are listed under the “Incoming” sessions where the PLC would act as a server?
9. What TCP port is used by Modbus/TCP?
10. What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way handshakes if possible?
11. In what packet number did this occur?
12. Why does it show two in this case?
13. What is contained in the “Modbus” portion of the frame?
14. What Function Code is used here?
15. What is the meaning of this Function Code?
16. What is the meaning of the “Reference Number”?
17. What is the meaning of the “Word Count”?
18. In what packet number did this occur?
19. What is the value stored in Register Number 12300?
20. What does “UINT16” stand for?
21. Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
Analyzing EtherNet/IP (EIP) Traffic
How long did it take you to complete the section on EtherNet/IP?
1. What can you determine about this PLC?
2. What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
3. How long did this session last?
4. How many host IP addresses does NetworkMiner show?
5. How many of these IP addresses are IP Version 6 (IPv6)?
6. So, now how many HOST IPv4 addresses are on this network?
7. How many IPv4 addresses are shown in Wireshark Endpoints?
8. What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
9. What can you tell me about the manufacturer of this device?
(Hint: use the Wireshark OUI Lookup Tool)
10. What would the Display Filter look like to filter out all traffic except that using the PLC?
11. In what packet number did this occur?
12. What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
13. In what packet number did this occur?
14. In what packet is the CIP Connection closed?
15. Is this traffic likely to be Time Critical or Non-Time Critical?
Analyzing OPC Data Access (OPC-DA) Traffic
How long did it take you to complete the section on OPC-DA?
1. Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform operating system they are likely running, and what services and ports are being used.
2. What does DCOM stand for?
3. What packet number represents this action?
4. What endian is the data for this session using?
5. What username does the client use to authenticate to the server?
6. Looking at the “RemoteCreateInstance request” packet, what frame number contains the response? (Hint: look in the Application Layer details)
7. What types of information can you decipher from this ASCII data?
8. What is this port number?
9. What number is shown for “StringBinding[2]” “NetworkAddr”?
10. What is the new TCP port number that will be used for the remaining data exchange session?
11. Is this the same port?
12. What is the new Display Filter that was automatically created?
PART 3: LAB EVALUATION
Did you find this lab useful?
What would you like to see changed?
Do not forget to submit your PCAP file used in the beginning of the lab under “Using Wireshark”. There is an 8MB site limit on file size of uploads. If your PCAP file is larger than 8MB, please notify the instructor for alternate instructions.
CSCI 397.01W | CSCI 397.61W © 2012-2020 ICSCSI LLC
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: OBJECTIVES
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=175 1/2
Fundamentals of Industrial Control System Cyber Security
Analyzing ICS Network Traffic with Network Analysis Tools
OBJECTIVES
Unlike the first part of this lab exercise, which used many illustrations to introduce new tools and capabilities, this part will focus on using those tools to analyze different types of industrial and business communications that occur on the network. Each section will ask you to perform a variety of tasks using a set of network captures that should be downloaded from LAB EXERCISE 1. The lab exercise submittal document also contains sections that must be completed based on the tasks given within the lab exercise.
This exercise has the following objectives:
1. Download and open a network packet capture (pcap) file in each of the three network analysis tools. This pcap file contains a diversified
collection of network protocols where you will investigate the Server Message Block (SMB) used to exchange files between Windows host
computers.
2. Using the same pcap file as Step 1 above, isolate and analyze the Modbus/TCP traffic that occurs between a Windows computer and a PLC.
3. Download and open a pcap file containing Common Industrial Protocol (CIP) traffic that occurs between a Windows computer and a PLC.
4. Download and open a pcap file containing Open Platform Communication (OPC) Data Access traffic that occurs between an OPC Server
and a Windows computer.
LAB EXERCISE 1 contains the file downloads needed for this exercise, along with the submittal document containing the questions that are asked throughout the exercise. Do not forget to submit your files when you have completed this activity.
(Note: problems may occur if using Google Chrome as a browser where it tries to open links in Google Docs. The “Docs PDF/PowerPoint Viewer (by
Google)” extension must be disabled or removed.)
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING OPC-DATA ACCESS TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=83 1/3
Fundamentals of Industrial Control System Cyber Security
Analyzing ICS Network Traffic with Network Analysis Tools
ANALYZING OPC-DATA ACCESS TRAFFIC
(EXPECTED TIME TO COMPLETE = 10 minutes | 2:20)
This section will use the “industrial-protocols-opc.pcap” network capture file downloaded in LAB EXERCISE 1 to study OPC Data Access (OPC-
DA) communications. Unlike the previous cases with SMB, Modbus, and EtherNet/IP where you were given the architecture, in this exercise you will
determine the hosts and their relationships without guidance.
QUESTION 1:
Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform
operating system they are likely running, and what services and ports are being used.
From the section heading, it is obvious that the OPC Data Access protocol will be analyzed. During lecture it was mentioned that “classic” OPC-DA
presented many new challenges to the manufacturing world. The dependence on the Microsoft COM/DCOM infrastructure limited the usability of the
technology to strictly Windows-based computing platforms.
QUESTION 2:
What does DCOM stand for?
OPC-DA was originally released in 1996. In 2003, when the Blaster worm exploited a vulnerability in the Windows Remote Procedure Call (RPC) service, Microsoft responded with the Windows Firewall, enabled by default in Windows XP Service Pack 2. OPC's design, in which a DCOM client first contacts the endpoint mapper on 135/tcp and is then “handed off” to a service port dynamically allocated by RPC, meant the new default-deny firewall blocked that second connection, and OPC stopped working immediately after users installed XP SP2.
The answer for many was to disable the Windows Firewall to keep their OPC-DA connections alive. This introduced even more problems as industry worked to address security and usability at the same time.
In the lecture, the basic process of an OPC session was reviewed. In this part of the lab exercise, you will follow the session and observe how this
technology operates.
Most of this exercise will be at the packet level, so Wireshark will be the easiest tool to use.
The first step in establishing an OPC connection from the client to the server is a Distributed Computing Environment / Remote Procedure Call (DCE/RPC) “Bind” request.
QUESTION 3:
What packet number represents this action?
Select the packet referenced with the “Bind” command, and expand the “Distributed Computing Environment / Remote Procedure Call” Application
Layer in the data panel on the bottom. Notice the “Data Representation” entry.
QUESTION 4:
What endian is the data for this session using?
The Bind is then acknowledged by the server and the client then attempts authentication against the server.
QUESTION 5:
What username does the client use to authenticate to the server?
The client then establishes a “connection” by sending a “RemoteCreateInstance request” to the server.
QUESTION 6:
Looking at the “RemoteCreateInstance request” packet, what frame number contains the response?
(Hint: look in the Application Layer details)
Now using this response frame and the IP addresses for the client and the server, use the bottom “Packet Bytes” panel of Wireshark that shows raw
data to look for ASCII character-based patterns. You should be able to recognize a large portion of the data that is visible here.
QUESTION 7:
What types of information can you decipher from this ASCII data?
If you are having trouble, move to the first DCERPC “Request” frame in the capture list and notice the TCP Destination Port.
QUESTION 8:
What is this port number?
Now go back to the “RemoteCreateInstance response” frame and look again, this time for a pattern of ASCII characters that represents an IPv4 address. If you click in the Packet Bytes panel on the ASCII characters that look like an IPv4 address, Wireshark will highlight the corresponding dissected field in the “Packet Details” panel.
QUESTION 9:
What number is shown for “StringBinding[2]” “NetworkAddr”?
QUESTION 10:
What is the new TCP port number that will be used for the remaining data exchange session?
Go forward to the first DCERPC “Request” frame and look at the TCP Destination Port.
QUESTION 11:
Is this the same port?
This cleartext “handoff”, the product of RPC's dynamic port allocation, is what lets a DCOM-aware firewall follow the conversation and create a dynamic rule that opens only the newly assigned port for that session. Without such application-layer inspection, a firewall would have to permit the whole dynamic port range configured in DCOMCNFG, an unnecessary attack surface through the perimeter it protects. The same cleartext exchange, of course, tells anyone eavesdropping on the path exactly which port to watch.
It is possible to create a Wireshark Display Filter to look for this “handoff”. If you expand the “ISystemActivator” portion of the ADU in packet 9, you can
right-click on “Operation: RemoteCreateInstance (4)” and select “Apply as Filter” and “Selected”. The Display Filter is automatically generated and
placed in the Display Filter entry line at the top of Wireshark.
QUESTION 12:
What is the new Display Filter that was automatically created?
We will look at this in the last two lecture sections of the course.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING SMB TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=81 1/4
Fundamentals of Industrial Control System Cyber Security
Analyzing ICS Network Traffic with Network Analysis Tools
ANALYZING SMB TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:20)
The remainder of the lab exercise will focus on applying some basic skills using the three network analysis tools. This first portion applies to common IT protocols and services. You are encouraged to spend some free time experimenting on your personal network. This section will show you how to extract file data from a network capture. You can re-create this on your home network by sharing a file between two devices while you run Wireshark on one of them. Feel free to share your thoughts in the LAB EXERCISE 1 submittal. Questions will be asked throughout this section; your answers should be provided on the LAB EXERCISE 1 submittal document.
This section will use the “multi-network-architecture.pcap” network capture file downloaded in LAB EXERCISE 1. Begin by opening this file in all
three network analysis tools – GrassMarlin, NetworkMiner, and Wireshark.
Server Message Block (SMB) is an Application Layer protocol used by multiple operating systems to share files across the network. It is also known as the Common Internet File System (CIFS). In a Windows environment it can also carry legacy NetBIOS traffic, and it provides an access mechanism for inter-process communication (IPC) through named pipes on the IPC$ administrative share.
In the network capture provided, there are primarily two major types of communications using 445/tcp: [1] authentication between Windows Domain
Members (10.1.1.60, 10.1.1.251) and Windows Domain Servers (10.1.1.1), and [2] file sharing services between clients (172.16.100.240) and the
Windows Server (10.1.1.1).
Using Wireshark, create a Display Filter that will narrow the traffic down to just these three assets.
QUESTION 1:
What would the Wireshark Display Filter look like?
Apply the filter now.
You will notice that there is more than just SMB traffic using 445/tcp. You should scroll down the filtered packet list and find the start of the 3-way
handshake for the first occurrence of traffic using 445/tcp.
QUESTION 2:
What packet number does this occur in?
One of the protocols that SMB uses is the NetBIOS Session Service. This should be the first set of packets following the successful completion of the
3-way handshake. Using the data panel within Wireshark, along with what you learned during Week 3, you can identify the position in the OSI 7-Layer
Model for the protocol.
QUESTION 3:
In what layer would you expect the “NetBIOS Session Service” to reside?
Now let us append to the existing Display Filter to limit the information displayed to only contain traffic using the SMB protocol.
QUESTION 4:
What would your new Display Filter look like?
(Hint: you will need to use a logical “AND”)
Apply the filter now.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING SMB TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=81 2/4
You should notice that the 3-way handshake is no longer displayed because the filter is looking for traffic using the SMB protocol. The 3-way handshake
is establishing a connection on 445/tcp which may not be for SMB in all cases.
Find the first SMB packet after the handshake completes between 10.1.1.60 (client) and 10.1.1.1 (server). This should be “Negotiate Protocol
Request”.
QUESTION 5:
What packet number contains this file?
Scroll down and observe the sessions that follow. Most of the traffic at this point is associated with a domain login occurring between 10.1.1.60 and
10.1.1.1 and the exchange of policy information that follows.
What we are really trying to find is the transferring of files across the network using SMB on 445/tcp. We can do this by appending a Display Filter that
displays SMB Transaction2 Extensions that will show the browsing of remote directories and identification of files that will be transferred. This is done
using “smb.trans2.cmd” and “ANDing” it with the previous Display Filter limiting traffic to SMB.
QUESTION 6:
What would your new Display Filter look like?
(Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
Your Display Filter should start to look like “… && smb && smb.trans2.cmd”.
Apply the filter now.
QUESTION 7:
List some of the files that you see transferred across this connection
It is important to understand that just because username/password authentication is encrypted does not mean that all the traffic that is transferred after
authentication is also encrypted. We are going to see what files have been transferred in cleartext across the network!
Wireshark provides the ability to export certain Objects that are contained in network traffic. You can access this by selecting “File” from the menu, and
“Export Objects” at the bottom. For this exercise, select “SMB”.
The packet numbers on the Export report correspond to the packet that “completed” the transfer. Search for the file “shared_file_on_server.txt”.
QUESTION 8:
What packet number contains this file?
QUESTION 9:
What other text file ending in “.txt” was transferred in this capture file?
Save the contents of both .txt files to your local hard disk, and open each of them (using Notepad, Wordpad, Write, etc.).
QUESTION 10:
Provide the name and contents of the file(s)
Now, switch to NetworkMiner and if you have not already done so, select “File” -> “Open” to import the capture file. Notice how NetworkMiner provides
a basic inventory of devices on the network.
Select the “Files” tab at the top. You should see a similar list of files that were extracted from the capture file. You will notice on the “Files” tab that
information about the Source and Destination TCP port number is provided. You can also see that NetworkMiner has automatically downloaded the
files and placed them in a temporary directory on your local hard disk. This is listed in the “Reconstructed file path” column.
QUESTION 11:
What ports is the Domain Server servicing (i.e. the Destination port) in this example containing the two text files?
Go to the “Hosts” tab in NetworkMiner and expand the information for the Domain Server (10.1.1.1). It summarizes the Incoming and Outgoing
sessions. Expand the Incoming sessions by clicking the “+”. You will notice more than just our SMB traffic has been accessing the server. Four
additional TCP sessions have been enumerated.
QUESTION 12:
What service is used on each of these ports?
(Hint: use Wireshark and a web search)
NetworkMiner also enumerates Outgoing sessions for the Domain Server. Expand the Outgoing sessions and review the information presented.
QUESTION 13:
What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
QUESTION 14:
What service do you think that server is running?
Go back to the “Files” tab and look for the sessions between the Domain Server (10.1.1.1) and this other “server” (10.1.1.254). Notice that you see
additional files that were not available from Wireshark. These files are the TLS certificates used to connect to the other “server” using HTTPS on
443/tcp.
Find the file “shared_file_on_server…”, and open it by right-clicking and selecting “Open file” to view its contents.
QUESTION 15:
What are the contents of this file?
QUESTION 16:
What packet number was this file first referenced in?
Go back to Wireshark and look for this packet number. You will have to clear the Display Filter if you have not already done so. Right-click on the
packet and select “Follow” and “TCP Stream”. This will display all the packets in the session as a contiguous data stream.
Enter “abcd1234” in the Find field at the bottom and select “Find Next”.
QUESTION 17:
What did you find?
Now, go to GrassMarlin and look at the visualization of the packet capture data. If you have not already done so, import the capture file into
GrassMarlin. GrassMarlin defaults to defining networks using a CIDR /24. The networks are listed in a tabular fashion on the left, and visually in the center.
QUESTION 18:
How many “groups” or “networks” are shown?
(Consider a network as more than one device)
You should notice a couple of networks that contain only two assets, one having an IP address that ends with .255. Remember that this is the Broadcast
Address for that particular network, and does not usually reflect a physical device. This can easily be confirmed by looking at the hardware MAC
address, and can be done by right-clicking the shaded area containing the address. If the MAC address is “FF:FF:FF:FF:FF:FF”, then it is the
Broadcast Address.
QUESTION 19:
Which network(s) appear to have connections to external devices on the public Internet?
QUESTION 20:
What countries do these addresses most likely reside in?
(Hint: View Details for the address by right-clicking)
QUESTION 21:
What transport, port number, and service(s) are used in the external connections?
(Hint: View Frames for the details of the packets)
QUESTION 22:
Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
QUESTION 23:
Do you know what the destination IP addresses represent?
Copyright (c) 2016-2020 ICSCSI LLC. All rights reserved.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING MODBUS/TCP TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=168 1/4
Fundamentals of Industrial Control System Cyber Security
Analyzing ICS Network Traffic with Network Analysis Tools
ANALYZING MODBUS/TCP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:40)
Using the same “multi-network-architecture.pcap” file from the Analysis of SMB Traffic section, let us now focus on ICS protocols and traffic. This
portion analyzes traffic using the Modbus/TCP protocol over 502/tcp. The architecture consists of a PLC (192.168.1.5), an HMI (192.168.1.129),
and a SCADA Server (192.168.1.60).
You can use CIDR notation to create a Display Filter in Wireshark that will narrow the traffic down to just this 192.168.1.0/24 network.
QUESTION 1:
What would the Display Filter look like?
Apply the filter now.
Using Wireshark “Conversations” under the “Statistics” menu, select the “TCP” tab. The report shows all the traffic in the capture file, so look at the
bottom and select “Limit to display filter” to simplify the report.
QUESTION 2:
What ports are being used by the PLC (192.168.1.5) for incoming sessions?
QUESTION 3:
What is the most common service used by each of the TCP port numbers?
QUESTION 4:
What is the manufacturer of the PLC?
QUESTION 5:
Where did you find this information?
Let us focus on the same host address using NetworkMiner. Find the PLC (192.168.1.5). Do you notice that “Siemens” is presented with the IP Address?
Expand the device by clicking the “+” sign.
QUESTION 6:
Is there more information about the manufacturer?
Expand the “OS: Siemens” entry.
QUESTION 7:
What information is provided here that was not provided with Wireshark?
QUESTION 8:
What ports are listed under the “Incoming” sessions where the PLC would act as a server?
NetworkMiner uses device signatures to help enumerate the actual device that is present, a feature not possible with Wireshark. The Satori TCP
database was used to fingerprint the Siemens PLC. One of the instructors of this course has been actively working with the developer of NetworkMiner
to expand this library.
The one piece of information that NetworkMiner is not able to provide is that relating to the Application Layer and the associated ADUs. Recall from the
lecture that Wireshark has protocol “dissectors” that allow the packet to be broken down extracting headers from data units. These data units can be
further broken down into function codes and data elements.
So, let us return to Wireshark and analyze the Modbus/TCP Application Layer protocol.
QUESTION 9:
What TCP port is used by Modbus/TCP?
QUESTION 10:
What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way
handshakes if possible?
If you go to the very top of the display, you can see the actual handshake that took place. That is the benefit of generating traffic in a lab versus in the
real world. This handshake occurred only a single time throughout the five minutes of traffic collected.
Search for the first Modbus/TCP “Query” packet.
QUESTION 11:
What packet number did this occur in?
Select the packet and observe the display panel below that displays the various layers of the OSI Model. Two Application Layer entries are provided:
Modbus/TCP and Modbus.
QUESTION 12:
Why does it show two in this case?
Referring to the lecture material (slide 35), shown below as Figure 81, what is contained in the “Modbus/TCP” portion of the frame?
QUESTION 13:
What is contained in the “Modbus” portion of the frame?
Figure 81
QUESTION 14:
What Function Code is used here?
QUESTION 15:
What is the meaning of this Function Code?
QUESTION 16:
What is the meaning of the “Reference Number”?
QUESTION 17:
What is the meaning of the “Word Count”?
(Hint: several good documents were referenced in the lecture that dissect the complete Modbus/TCP frame)
Look at the associated Modbus/TCP “Response” packet. This might help you answer the question above!
QUESTION 18:
What packet number did this occur in?
QUESTION 19:
What is the value stored in Register Number 12300?
QUESTION 20:
What does “UINT16” stand for?
QUESTION 21:
Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
Before leaving this portion of the lab exercise, you are encouraged to modify your Wireshark Display Filter and look at the ICS communication taking
place on 102/tcp using the Siemens S7COMM protocol. This PLC supports both Modbus/TCP and Siemens S7COMM, and can serve the same data
using either protocol. If you look at packets 11579 and 11580, you can see the data request and response. Notice the different syntax used to access
the PLC internal registers with S7COMM by expanding the details in the “S7 Communication” ADU in the request packet 11579.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING ETHERNET/IP TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=174 1/4
Analyzing ICS Network Traffic with Network Analysis Tools
ANALYZING ETHERNET/IP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 2:00)
This section will use the “industrial-protocols-cip.pcap” network capture file downloaded in LAB EXERCISE 1 to study the Common Industrial
Protocol (CIP) in its EtherNet/IP (EIP) form. This architecture consists of a Rockwell Automation Micro850 PLC (192.168.1.17) and an engineering
workstation (192.168.1.97) running the Connected Components Workbench (CCW) software used to configure and monitor the PLC.
Open the file in all tools and provide anything you can find regarding the vendor, model, version, etc. of the PLC in the capture. Remember to consider
the OUI portion of the hardware MAC address. You can also look up MAC OUIs on the Wireshark website (https://www.wireshark.org/tools/oui-lookup.html).
The master list of registered OUI information can also be found on the IEEE standards website (http://standards-oui.ieee.org/oui.txt). This
latter site can also provide information pertaining to the country of origin of the device.
QUESTION 1:
What can you determine about the PLC?
Using NetworkMiner, expand the PLC (192.168.1.17) and notice that NetworkMiner could not fully enumerate the device in terms of OS and device
type like it was previously able to do with the Siemens S7 PLC.
Expand the Incoming sessions and notice that the PLC is acting as a server using port 44818/tcp. Expand this further to reveal information about the client.
QUESTION 2:
What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
QUESTION 3:
How long did this session last?
QUESTION 4:
How many host IP addresses does NetworkMiner show?
If you have not already noticed, the number of hosts is shown next to the “Hosts” tab in the top of the NetworkMiner window.
QUESTION 5:
How many of these IP addresses are IP Version 6 (IPv6)?
One of the IPv4 addresses shown is for multicast traffic using address 224.0.0.106. This is not really a host or device, but rather an address that can
be used to send traffic to multiple devices that subscribe to the session. You might also recall from the lecture that IPv6 uses a multicast address that
begins with “ff0”, so ff02::1:2 is also a multicast address.
QUESTION 6:
So, now how many HOST IPv4 addresses are on this network?
Notice the device NetworkMiner presents at IP address 169.254.2.2. This is known as a “self-assigned” IP address and is what a device gives itself if it
does not receive one from a Dynamic Host Configuration Protocol (DHCP) server. This is also an address that can be manually entered in the device
network configuration, allowing it to link and connect to an existing network.
From a cyber security perspective, these addresses are important because they can signify the presence of an unauthorized host on the network that is
trying to remain hidden. This is one way a device can connect to a network and “listen” for traffic to enumerate hosts and their communications.
Go back to Wireshark and open this packet capture file if not already done. Observe the first 25 packets and notice the broadcast traffic and other
layer 2 traffic like the Address Resolution Protocol (ARP), Link-Layer Discovery Protocol (LLDP), and Spanning Tree Protocol (STP).
Now let us look at the enumerated devices by selecting “Analyze” in the menu followed by “Endpoints” and look at the “IPv4” results.
QUESTION 7:
How many IPv4 addresses are shown in Wireshark Endpoints?
Notice that 169.254.2.2 is not on this list, but if you select “Ethernet” you see 23 entries.
QUESTION 8:
What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
You can right-click the FF:FF:FF:FF:FF:FF address from the Endpoints – Ethernet listing and select “Apply as Filter” and “Selected” to view this traffic
in Wireshark. You will notice Address Resolution Protocol (ARP) and NetBIOS Name Service (NBNS) traffic.
Close the Endpoints summary and return to the main display. Using the Find feature by typing “Control+C” (that is, the Control key and the C character
key at the same time), enter “169.254.2.2”. If you expand the “Address Resolution Protocol (request)” shown in the Packet Details panel, you will find
the Sender IP address of 169.254.2.2.
QUESTION 9:
What can you tell me about the manufacturer of this device?
(Hint: first look at how Wireshark “resolves” the MAC address, and then use the Wireshark OUI Lookup Tool)
If you entered only the OUI that was found from Wireshark, you probably saw a long list of manufacturers. If you append additional MAC information to
the address, and enter “00:50:c2:b3”, you will see an entry “00:50:C2:B3:20:00/36 Byres Security Inc”. This is a CIDR type expression for a MAC
address. Using the same logic that was presented in the lecture, you can take a string of 36 1’s and logically “AND” it with the MAC address to extract
the base address registered to Byres Security, with the remaining 12 bits allowed for device-specific addressing.
Each hexadecimal digit represents 4 bits. This means that the base address is “00:50:C2:B3:2”, and 2^12 or 4,096 devices can be assigned by the
manufacturer to MAC addresses in the range of “00:50:C2:B3:20:00” to “00:50:C2:B3:2F:FF”.
Let us now focus on traffic with the PLC (192.168.1.17).
QUESTION 10:
What would the Display Filter look like to filter out all traffic except that using the PLC?
Apply the filter now.
We are now going to walk through the communication that was shown during the lecture for Week 3 (slide 48), shown below as Figure 82.
Figure 82
The first step is to create an EtherNet/IP Session. This is performed using the “RegisterSession” Request command.
QUESTION 11:
What packet number did this occur in?
QUESTION 12:
What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
The next step that occurs is the establishment of a CIP Connection using the CIP Connection Manager (CM) and issuing a “Forward Open” command.
QUESTION 13:
What packet number did this occur in?
Did you notice that Wireshark recognizes this and labels the packet with a protocol of “CIP CM”? Notice that the CIP Connection Manager is at the
highest part of the Application Layer in the Packet Details panel on the bottom.
QUESTION 14:
In what packet is the CIP Connection closed?
All of the communication between the opening and the closing of the CIP Connection is “explicit” “connected” CIP traffic using 44818/tcp. You might
want to refer back to lecture in Week 3 (slide 42) and shown below as Figure 83 to see what type of traffic was exchanged here.
Figure 83
QUESTION 15:
Is this traffic likely to be Critical or Non-Critical?
The application may or may not unregister the EtherNet/IP Session. This is not done with this session.
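An added example (not code from the lab, from Rockwell Automation or from CCW) that builds the RegisterSession request, the reply a PLC returns, and the checks a client should make before trusting the Session Handle it then carries in every SendRRData (Forward Open, reads, Forward Close). The session handle and the 8-byte sender context are constructed values, not those in industrial-protocols-cip.pcap.

```python
"""EtherNet/IP encapsulation: the RegisterSession exchange that opens a
session on 44818/tcp and hands the client a Session Handle.

Added example written for this lab; SAMPLE_REQUEST/SAMPLE_RESPONSE are
constructed, the handle value is made up."""
import struct

ENIP_TCP_PORT = 44818
CMD_REGISTER_SESSION = 0x0065
CMD_UNREGISTER_SESSION = 0x0066     # optional; the lab's session never sends it
CMD_SEND_RR_DATA = 0x006F           # carries explicit CIP, e.g. CM Forward Open

# 24-byte encapsulation header; EtherNet/IP is little-endian on the wire:
# command, length, session handle, status, sender context (8), options.
ENCAP_HEADER = "<HHII8sI"
ENCAP_HEADER_LEN = struct.calcsize(ENCAP_HEADER)


def parse_encap(pkt: bytes) -> dict:
    """Split one encapsulation packet into header fields and payload."""
    if len(pkt) < ENCAP_HEADER_LEN:
        raise ValueError("short encapsulation header")
    cmd, length, handle, status, ctx, options = struct.unpack(
        ENCAP_HEADER, pkt[:ENCAP_HEADER_LEN])
    data = pkt[ENCAP_HEADER_LEN:]
    if length != len(data):
        raise ValueError("encapsulation length does not match payload")
    return {"command": cmd, "length": length, "session_handle": handle,
            "status": status, "sender_context": ctx, "options": options,
            "data": data}


def build_register_session(sender_context: bytes = bytes(8)) -> bytes:
    """RegisterSession request: handle 0, data = protocol version 1, flags 0."""
    if len(sender_context) != 8:
        raise ValueError("sender context must be exactly 8 bytes")
    data = struct.pack("<HH", 1, 0)
    return struct.pack(ENCAP_HEADER, CMD_REGISTER_SESSION, len(data),
                       0, 0, sender_context, 0) + data


def build_register_session_reply(request: bytes, handle: int) -> bytes:
    """What the PLC sends back: same command, context and data, plus the handle."""
    req = parse_encap(request)
    return struct.pack(ENCAP_HEADER, CMD_REGISTER_SESSION, len(req["data"]),
                       handle, 0, req["sender_context"], 0) + req["data"]


def session_handle(request: bytes, response: bytes) -> int:
    """Extract the handle from the reply after checking it belongs to our
    request, succeeded, and is usable."""
    req, rsp = parse_encap(request), parse_encap(response)
    if CMD_REGISTER_SESSION not in (req["command"], rsp["command"]) or \
            req["command"] != rsp["command"]:
        raise ValueError("not a RegisterSession exchange")
    if rsp["sender_context"] != req["sender_context"]:
        raise ValueError("response context does not match request")
    if rsp["status"] != 0:
        raise ValueError(f"RegisterSession failed, status {rsp['status']:#x}")
    if rsp["session_handle"] == 0:
        raise ValueError("server returned a null session handle")
    version, _flags = struct.unpack("<HH", rsp["data"][:4])
    if version != 1:
        raise ValueError(f"unsupported encapsulation protocol version {version}")
    return rsp["session_handle"]


# Constructed sample exchange (context and handle are made up).
SAMPLE_REQUEST = build_register_session(b"CCWtest1")
SAMPLE_RESPONSE = build_register_session_reply(SAMPLE_REQUEST, 0x0001AB3C)

if __name__ == "__main__":
    print("request :", SAMPLE_REQUEST.hex())
    print("response:", SAMPLE_RESPONSE.hex())
    print(f"session handle: {session_handle(SAMPLE_REQUEST, SAMPLE_RESPONSE):#010x}")
```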
LAB EXERCISE 1 (W4):
NETWORK ANALYSIS TOOLS
PART 2: ANALYZING ICS NETWORK TRAFFIC WITH NETWORK ANALYSIS TOOLS
Analyzing SMB Traffic
How long did it take you to complete the section on SMB?
1. What would the Wireshark Display Filter look like?
2. What packet number does this occur in?
3. In what layer would you expect the “NetBIOS Session Service” to reside?
4. What would your new Display Filter look like? (Hint: you will need to use a logical “AND”)
5. What packet number contains this file?
6. What would your new Display Filter look like? (Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
7. List some of the files that you see transferred across this connection.
8. What packet number contains this file?
9. What other text file ending in .txt was transferred in this capture file?
10. Provide the name and contents of this file(s)
11. What ports is the Domain Server servicing (i.e. the Destination port) in this example containing the two text files?
12. What service is used on each of these ports? (Hint: use Wireshark and a web search)
13. What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
14. What service do you think that server is running?
15. What are the contents of this file?
16. What packet number was this file first referenced in?
17. What did you find?
18. How many “groups” or “networks” are shown?
(Consider a network as more than one device)
19. Which network(s) appear to have connections to external devices on the public Internet?
20. What countries do these addresses most likely reside in? (Hint: View Details for the address by right-clicking)
21. What transport, port number, and service(s) are used in the external connections? (Hint: View Frames for the details of the packets by right-clicking)
22. Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
23. Do you know what the destination IP addresses represent?
Analyzing Modbus/TCP (MBT) Traffic
How long did it take you to complete the section on Modbus/TCP?
1. What would the Display Filter look like?
2. What ports are being used by the PLC (192.168.1.5) for incoming sessions?
3. What is the most common service used by each of the TCP port numbers?
4. What is the manufacturer of the PLC?
5. Where did you find this information?
6. Is there more information about the manufacturer?
7. What information is provided here that was not provided with Wireshark?
8. What ports are listed under the “Incoming” sessions where the PLC would act as a server?
9. What TCP port is used by Modbus/TCP?
10. What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way handshakes if possible?
11. What packet number did this occur in?
12. Why does it show two in this case?
13. What is contained in the “Modbus” portion of the frame?
14. What Function Code is used here?
15. What is the meaning of this Function Code?
16. What is the meaning of the “Reference Number”?
17. What is the meaning of the “Word Count”?
18. What packet number did this occur in?
19. What is the value stored in Register Number 12300?
20. What does “UINT16” stand for?
21. Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
Analyzing EtherNet/IP (EIP) Traffic
How long did it take you to complete the section on EtherNet/IP?
1. What can you determine about this PLC?
2. What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
3. How long did this session last?
4. How many host IP addresses does NetworkMiner show?
5. How many of these IP addresses are IP Version 6 (IPv6)?
6. So, now how many HOST IPv4 addresses are on this network?
7. How many IPv4 addresses are shown in Wireshark Endpoints?
8. What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
9. What can you tell me about the manufacturer of this device?
(Hint: use the Wireshark OUI Lookup Tool)
10. What would the Display Filter look like to filter out all traffic except that using the PLC?
11. What packet number did this occur in?
12. What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
13. What packet number did this occur in?
14. In what packet is the CIP Connection closed?
15. Is this traffic likely to be Time Critical or Non-Time Critical?
Analyzing OPC Data Access (OPC-DA) Traffic
How long did it take you to complete the section on OPC-DA?
1. Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform operating system they are likely running, and what services and ports are being used.
2. What does DCOM stand for?
3. What packet number represents this action?
4. What endian is the data for this session using?
5. What username is used to authenticate against the client against the server?
6. Looking at the “RemoteCreateInstance request” packet, what frame number contains the response? (Hint: look in the Application Layer details)
7. What types of information can you decipher from this ASCII data?
8. What is this port number?
9. What number is shown for “StringBinding[2]” “NetworkAddr”?
10. What is the new TCP port number that will be used for the remaining data exchange session?
11. Is this the same port?
12. What is the new Display Filter that was automatically created?
PART 3: LAB EVALUATION
Did you find this lab useful?
What would you like to see changed?
Do not forget to submit your PCAP file used in the beginning of the lab under “Using Wireshark”. There is an 8MB site limit on upload file size. If your PCAP file is larger than 8MB, please notify the instructor for alternate instructions.
CSCI 397.01W | CSCI 397.61W © 2012-2020 ICSCSI LLC
Fall 2020 CSCI 397 F20 – Lab Exercise 1
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: OBJECTIVES
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=175 1/2
Analyzing ICS Network Traffic with Network Analysis Tools
OBJECTIVES
Unlike the first part of this lab exercise that used a lot of illustrations to introduce new tools and capabilities, this part will focus on using these tools to
perform analysis of different types of industrial and business communications that occur on the network. Each section will ask you to perform a variety
of tasks using a set of network captures that should be downloaded from LAB EXERCISE 1. The lab exercise submittal document also contains
sections that must be completed based on the tasks given within the lab exercise.
This exercise has the following objectives:
1. Download and open a network packet capture (pcap) file in each of the three network analysis tools. This pcap file contains a diversified
collection of network protocols where you will investigate the Server Message Block (SMB) used to exchange files between Windows host
computers.
2. Using the same pcap file as Step 1 above, isolate and analyze the Modbus/TCP traffic that occurs between a Windows computer and a PLC.
3. Download and open a pcap file containing Common Industrial Protocol (CIP) traffic that occurs between a Windows computer and a PLC.
4. Download and open a pcap file containing Open Platform Communication (OPC) Data Access traffic that occurs between an OPC Server
and a Windows computer.
LAB EXERCISE 1 contains the files downloads needed for this exercise, along with the submittal document containing questions that will be discussed
throughout the exercise. Do not forget to submit your files when you have completed this activity.
(Note: problems may occur if using Google Chrome as a browser where it tries to open links in Google Docs. The “Docs PDF/PowerPoint Viewer (by
Google)” extension must be disabled or removed.)
ANALYZING OPC-DATA ACCESS TRAFFIC
(EXPECTED TIME TO COMPLETE = 10 minutes | 2:20)
This section will use the “industrial-protocols-opc.pcap” network capture file downloaded in LAB EXERCISE 1 to study OPC Data Access (OPC-DA) communications. Unlike the previous cases with SMB, Modbus, and EtherNet/IP, where you were given the architecture, in this exercise you will determine the hosts and their relationships without guidance.
QUESTION 1:
Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform operating system they are likely running, and what services and ports are being used.
From the section heading, it is obvious that the OPC Data Access protocol will be analyzed. During lecture it was mentioned that “classic” OPC-DA presented many new challenges to the manufacturing world. The dependence on the Microsoft COM/DCOM infrastructure limited the usability of the technology to strictly Windows-based computing platforms.
QUESTION 2:
What does DCOM stand for?
OPC-DA was originally released in 1996, and in 2003, when the Blaster worm exploited vulnerabilities in the Windows Remote Procedure Call (RPC) service, Microsoft responded with the introduction of the Windows Firewall in Windows XP Service Pack 2. The design of OPC, and the way it performed a “hand-off” from one communication port (135/tcp) to another service port caused by the dynamic port allocation within RPC, made it inoperable immediately after users installed XP-SP2.
The answer for many was to disable the Windows Firewall to keep their OPC-DA connections alive. This introduced even more problems as industry worked to address security and usability at the same time.
In the lecture, the basic process of an OPC session was reviewed. In this part of the lab exercise, you will follow the session and observe how this technology operates.
Most of this exercise will be at the packet level, so Wireshark will be the easiest tool to use.
The first step in establishing an OPC connection from the client to the server is a Distributed Computing Environment (DCE) / Remote Procedure Call (RPC) “Bind” command.
QUESTION 3:
What packet number represents this action?
Select the packet referenced with the “Bind” command, and expand the “Distributed Computing Environment / Remote Procedure Call” Application Layer in the data panel on the bottom. Notice the “Data Representation” entry.
QUESTION 4:
What endian is the data for this session using?
The Bind is then acknowledged by the server and the client then attempts authentication against the server.
QUESTION 5:
What username is used to authenticate the client against the server?
The client then establishes a “connection” by sending a “RemoteCreateInstance request” to the server.
QUESTION 6:
Looking at the “RemoteCreateInstance request” packet, what frame number contains the response? (Hint: look in the Application Layer details)
Now, using this response frame and the IP addresses for the client and the server, use the bottom “Packet Bytes” panel of Wireshark that shows raw data to look for ASCII character-based patterns. You should be able to recognize a large portion of the data that is visible here.
QUESTION 7:
What types of information can you decipher from this ASCII data?
If you are having trouble, move to the first DCERPC “Request” frame in the capture list and notice the TCP Destination Port.
QUESTION 8:
What is this port number?
Now go back to the “RemoteCreateInstance response” frame and look again … look for a pattern of ASCII characters that represent an IPv4 address. If you click the text panel over the ASCII numbers that look like an IPv4 address, Wireshark will find this dissected information in the other “Packet Details” panel.
QUESTION 9:
What number is shown for “StringBinding[2]” “NetworkAddr”?
QUESTION 10:
What is the new TCP port number that will be used for the remaining data exchange session?
Go forward to the first DCERPC “Request” frame and look at the TCP Destination Port.
QUESTION 11:
Is this the same port?
This cleartext “handoff” resulting from the dynamic port allocation of RPC makes it easy for security appliances to follow this conversation and create a dynamic rule that will open the newly assigned ports. Without this feature, a firewall would need to open the range of ports defined within the DCOMCNFG service, resulting in an unnecessary attack surface through the perimeter protected by the firewall.
It is possible to create a Wireshark Display Filter to look for this “handoff”. If you expand the “ISystemActivator” portion of the ADU in packet 9, you can right-click on “Operation: RemoteCreateInstance (4)” and select “Apply as Filter” and “Selected”. The Display Filter is automatically generated and placed in the Display Filter entry line at the top of Wireshark.
QUESTION 12:
What is the new Display Filter that was automatically created?
We will look at this in the last two lecture sections of the course.
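To make two of the mechanics above concrete (the “Data Representation” byte of the Bind that tells you the byte order, and the cleartext port handoff that a DCE/RPC-aware firewall follows to open a single dynamic port instead of a whole range), here is an added Python example. It is not code from the course or the lab: the PDU bytes and the flow events are constructed, the dynamic port 1030 is made up, and the “host[port]” form of the StringBinding NetworkAddr is an assumption made for the sample.

```python
"""Parse DCE/RPC PDU headers and follow the DCOM port "handoff" (added example).

All sample bytes and flow events below are constructed for illustration; they
are not taken from the lab's pcap. The header layout is the 16-byte
connection-oriented DCE/RPC common header.
"""
import re
import struct
from dataclasses import dataclass

EPMAP_PORT = 135            # RPC endpoint mapper: where an OPC-DA session starts
PTYPES = {0: "request", 2: "response", 11: "bind", 12: "bind_ack", 13: "bind_nak"}
HANDOFF_OP = "RemoteCreateInstance response"


@dataclass
class RpcHeader:
    version: int
    ptype: str
    byte_order: str          # what Wireshark shows under "Data Representation"
    char_rep: str
    frag_len: int
    call_id: int


def parse_rpc_header(pdu: bytes) -> RpcHeader:
    """Decode the common header. DREP byte 0: high nibble 1 = little-endian
    integers, 0 = big-endian; low nibble 0 = ASCII, 1 = EBCDIC. The remaining
    multi-byte header fields are read in the order the DREP byte announces."""
    if len(pdu) < 16:
        raise ValueError("DCE/RPC header needs 16 bytes")
    version, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    drep0 = pdu[4]
    little = (drep0 & 0xF0) == 0x10
    order = "<" if little else ">"
    frag_len, _auth_len, call_id = struct.unpack_from(order + "HHI", pdu, 8)
    return RpcHeader(version, PTYPES.get(ptype, f"ptype{ptype}"),
                     "little-endian" if little else "big-endian",
                     "ASCII" if (drep0 & 0x0F) == 0 else "EBCDIC",
                     frag_len, call_id)


# Constructed bind PDU header: v5.0, ptype 11 (bind), flags first|last,
# DREP 10 00 00 00 (little-endian, ASCII), frag_len 72, auth_len 0, call_id 1.
BIND_PDU = bytes.fromhex("05000b03100000004800000001000000")


@dataclass
class Event:
    ts: float
    src: str
    dst: str
    dport: int
    kind: str                # "syn" = new TCP connection, "rpc" = DCE/RPC PDU seen
    op: str = ""             # operation name as a dissector would label it
    network_addr: str = ""   # StringBinding NetworkAddr; assumed "host[port]" form


# Constructed flow: client 192.0.2.20 reaches the server's endpoint mapper,
# learns the dynamic port from the RemoteCreateInstance response, then
# connects to it. A second host tries the same port without any announcement.
SAMPLE_EVENTS = [
    Event(0.00, "192.0.2.20", "192.0.2.10", 135, "syn"),
    Event(0.01, "192.0.2.20", "192.0.2.10", 135, "rpc", "Bind"),
    Event(0.02, "192.0.2.10", "192.0.2.20", 49200, "rpc", HANDOFF_OP, "192.0.2.10[1030]"),
    Event(0.05, "192.0.2.20", "192.0.2.10", 1030, "syn"),
    Event(9.00, "192.0.2.99", "192.0.2.10", 1030, "syn"),
]

_ADDR_RE = re.compile(r"^(?P<host>[^\[\]]+)\[(?P<port>\d+)\]$")


def track_handoffs(events, window=5.0):
    """Emulate a DCE/RPC-aware firewall: a connection to a non-135 port is
    accepted only if the same client was just told that port in a handoff
    response. Returns (dynamic_rules, unmatched_connections)."""
    announced = {}           # (client, server) -> (port, announce time)
    rules, unmatched = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "rpc" and ev.op == HANDOFF_OP:
            m = _ADDR_RE.match(ev.network_addr)
            if m:            # the response flows server -> client, so dst is the client
                announced[(ev.dst, ev.src)] = (int(m["port"]), ev.ts)
        elif ev.kind == "syn" and ev.dport != EPMAP_PORT:
            port, t0 = announced.get((ev.src, ev.dst), (None, None))
            if port == ev.dport and ev.ts - t0 <= window:
                rules.append({"client": ev.src, "server": ev.dst, "port": port})
            else:
                unmatched.append((ev.src, ev.dst, ev.dport))
    return rules, unmatched
```

Running `track_handoffs(SAMPLE_EVENTS)` yields one dynamic rule for the announced client and leaves the second host's connection unmatched, which is the difference between opening one port for one peer and opening the whole DCOMCNFG range.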
ANALYZING SMB TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:20)
The remainder of the lab exercise will focus on applying some basic skills using the three network analysis tools. This first portion applies to common IT protocols and services. You are encouraged to spend some free time experimenting on your personal network. This section will show you how to extract file data from a network capture. You can re-create this on your home network by sharing a file between two devices while you run Wireshark on one of them. Feel free to share your thoughts in the LAB EXERCISE 1 submittal. Questions will be asked throughout this section – your answers should be provided on the LAB EXERCISE 1 submittal document.
This section will use the “multi-network-architecture.pcap” network capture file downloaded in LAB EXERCISE 1. Begin by opening this file in all three network analysis tools – GrassMarlin, NetworkMiner, and Wireshark.
The Server Message Block, or SMB, is an Application Layer protocol used by multiple operating systems to allow sharing of files across the network. It is also known by the name Common Internet File System (CIFS). In a Windows environment, it can also be used for legacy NetBIOS traffic, and it facilitates an access mechanism for inter-process communications (IPC) via the IPC$ administrative file share using named pipes.
In the network capture provided, there are primarily two major types of communications using 445/tcp: [1] authentication between Windows Domain Members (10.1.1.60, 10.1.1.251) and the Windows Domain Server (10.1.1.1), and [2] file sharing services between clients (172.16.100.240) and the Windows Server (10.1.1.1).
Using Wireshark, create a Display Filter that will narrow the traffic down to just these three assets.
QUESTION 1:
What would the Wireshark Display Filter look like?
Apply the filter now.
You will notice that there is more than just SMB traffic using 445/tcp. You should scroll down the filtered packet list and find the start of the 3-way handshake for the first occurrence of traffic using 445/tcp.
QUESTION 2:
What packet number does this occur?
One of the protocols that SMB uses is the NetBIOS Session Service. This should be the first set of packets following the successful completion of the 3-way handshake. Using the data panel within Wireshark, along with what you learned during Week 3, you can identify the position in the OSI 7-Layer Model for the protocol.
QUESTION 3:
What layer would you expect the “NetBIOS Session Service” to reside?
Now let us append to the existing Display Filter to limit the information displayed to only contain traffic using the SMB protocol.
QUESTION 4:
What would your new Display Filter look like?
(Hint: you will need to use a logical “AND”)
Apply the filter now.
You should notice that the 3-way handshake is no longer displayed because the filter is looking for traffic using the SMB protocol. The 3-way handshake is establishing a connection on 445/tcp, which may not be for SMB in all cases.
Find the first SMB packet after the handshake completes between 10.1.1.60 (client) and 10.1.1.1 (server). This should be “Negotiate Protocol Request”.
QUESTION 5:
What packet number contains this request?
Scroll down and observe the sessions that follow. Most of the traffic at this point is associated with a domain login occurring between 10.1.1.60 and 10.1.1.1 and the exchange of policy information that follows.
What we are really trying to find is the transferring of files across the network using SMB on 445/tcp. We can do this by appending a Display Filter that displays SMB Transaction2 Extensions, which will show the browsing of remote directories and the identification of files that will be transferred. This is done using “smb.trans2.cmd” and “ANDing” it with the previous Display Filter limiting traffic to SMB.
QUESTION 6:
What would your new Display Filter look like?
(Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
Your Display Filter should start to look like “… && smb && smb.trans2.cmd”.
Apply the filter now.
QUESTION 7:
List some of the files that you see transferred across this connection
It is important to understand that just because username/password authentication is encrypted does not mean that all the traffic that is transferred after authentication is also encrypted. We are going to see what files have been transferred in cleartext across the network!
Wireshark provides the ability to export certain Objects that are contained in network traffic. You can access this by selecting “File” from the menu, and “Export Objects” at the bottom. For this exercise, select “SMB”.
The packet numbers on the Export report correspond to the packet that “completed” the transfer. Search for the file “shared_file_on_server.txt”.
QUESTION 8:
What packet number contains this file?
QUESTION 9:
What other text file ending in “.txt” was transferred in this capture file?
Save the contents of both .txt files to your local hard disk, and open each of them (using Notepad, Wordpad, Write, etc.).
QUESTION 10:
Provide the name and contents of the file(s)
Now, switch to NetworkMiner and, if you have not already done so, select “File” -> “Open” to import the capture file. Notice how NetworkMiner provides a basic inventory of devices on the network.
Select the “Files” tab at the top. You should see a similar list of files that were extracted from the capture file. You will notice on the “Files” tab that information about the Source and Destination TCP port number is provided. You can also see that NetworkMiner has automatically downloaded the files and placed them in a temporary directory on your local hard disk. This is listed in the “Reconstructed file path” column.
QUESTION 11:
What ports is the Domain Server servicing (e.g. the Destination port) in this example containing the two text files?
Go to the “Hosts” tab in NetworkMiner and expand the information for the Domain Server (10.1.1.1). It summarizes the Incoming and Outgoing sessions. Expand the Incoming sessions by clicking the “+”. You will notice more than just our SMB traffic has been accessing the server. Four additional TCP sessions have been enumerated.
QUESTION 12:
What service is used on each of these ports?
(Hint: use Wireshark and a web search)
NetworkMiner also enumerates Outgoing sessions for the Domain Server. Expand the Outgoing sessions and review the information presented.
QUESTION 13:
What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
QUESTION 14:
What service do you think that server is running?
Go back to the “Files” tab and look for the sessions between the Domain Server (10.1.1.1) and this other “server” (10.1.1.254). Notice that you see additional files that were not available from Wireshark. These files are the TLS certificates used to connect to the other “server” using HTTPS on 443/tcp.
Find the file “shared_file_on_server…”, and open it by right-clicking and selecting “Open file” to view its contents.
QUESTION 15:
What are the contents of this file?
QUESTION 16:
What packet number was this file first referenced in?
Go back to Wireshark and look for this packet number. You will have to clear the Display Filter if you have not already done so. Right-click on the packet and select “Follow” and “TCP Stream”. This will display all the packets in the session as a contiguous data stream.
Enter “abcd1234” in the Find field at the bottom and select “Find Next”.
QUESTION 17:
What did you find?
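What “Follow TCP Stream” and the Find box do under the hood is sequence-number reassembly followed by a byte search, and that is exactly why a cleartext SMB transfer is recoverable by anyone holding the capture. The Python below is an added example, not code from the course, the lab, or Wireshark: it reassembles one direction of a stream from out-of-order and retransmitted segments, pads and reports any gap, and searches the result. The segments and their contents are constructed; the initial sequence number 1000 and the marker text are made up.

```python
"""Reassemble one direction of a TCP stream and search it (added example).

This mirrors what Wireshark does for Follow > TCP Stream and then Find:
segments are ordered by sequence number, retransmitted bytes dropped, and the
result searched as one byte string. Segments below are constructed, not from
the lab's pcap.
"""
from dataclasses import dataclass

SEQ_MOD = 1 << 32            # TCP sequence numbers wrap at 2^32


@dataclass
class Segment:
    seq: int                 # absolute sequence number of the first payload byte
    payload: bytes


def reassemble(segments, isn, fill=b"\x00"):
    """Return (stream_bytes, gaps). `isn` is the sender's initial sequence
    number (the SYN), so the first data byte sits at isn+1. Missing ranges are
    padded with `fill` and reported as (start, end) stream offsets."""
    data = bytearray()
    gaps = []
    ordered = sorted(segments, key=lambda s: (s.seq - isn - 1) % SEQ_MOD)
    for seg in ordered:
        offset = (seg.seq - isn - 1) % SEQ_MOD
        payload = seg.payload
        if offset + len(payload) <= len(data):
            continue                                  # pure retransmission
        if offset < len(data):
            payload = payload[len(data) - offset:]    # partial overlap: keep new tail
            offset = len(data)
        if offset > len(data):
            gaps.append((len(data), offset))          # lost segment(s)
            data.extend(fill * (offset - len(data)))
        data.extend(payload)
    return bytes(data), gaps


def find_token(stream: bytes, token: bytes) -> int:
    """Offset of the first occurrence of `token`, or -1 (the Find box)."""
    return stream.find(token)


# Constructed cleartext transfer: three chunks delivered out of order with
# one retransmission, as an SMB write might appear on the wire.
ISN = 1000
CHUNKS = [b"Hello from the file share.\n",
          b"secret marker: abcd1234\n",
          b"end of file\n"]


def _build_segments():
    segs, seq = [], ISN + 1
    for chunk in CHUNKS:
        segs.append(Segment(seq, chunk))
        seq += len(chunk)
    # arrival order: last, first, second, then the second again (retransmit)
    return [segs[2], segs[0], segs[1], Segment(segs[1].seq, segs[1].payload)]


SAMPLE_SEGMENTS = _build_segments()

if __name__ == "__main__":
    stream, gaps = reassemble(SAMPLE_SEGMENTS, ISN)
    print(stream.decode(), "gaps:", gaps, "marker at:", find_token(stream, b"abcd1234"))
```

Dropping the middle segment from `SAMPLE_SEGMENTS` makes `reassemble` report a gap and `find_token` return -1, which is the situation behind a “[TCP Previous segment not captured]” note in Wireshark: the marker was sent, but the capture never saw it.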
Now, go to GrassMarlin and look at the visualization of the packet capture data. If you have not already done so, import the capture file into GrassMarlin. GrassMarlin defaults network definition using a CIDR /24. The networks are listed in a tabular fashion on the left, and visually in the center.
QUESTION 18:
How many “groups” or “networks” are shown?
(Consider a network as more than one device)
You should notice a couple of networks that contain only two assets, one having an IP address that ends with .255. Remember that this is the Broadcast Address for that particular network, and does not usually reflect a physical device. This can easily be confirmed by looking at the hardware MAC address, and can be done by right-clicking the shaded area containing the address. If the MAC address is “FF:FF:FF:FF:FF:FF”, then it is the Broadcast Address.
QUESTION 19:
Which network(s) appear to have connections to external devices on the public Internet?
QUESTION 20:
What countries do these addresses most likely reside in?
(Hint: View Details for the address by right-clicking)
QUESTION 21:
What transport, port number, and service(s) are used in the external connections?
(Hint: View Frames for the details of the packets)
QUESTION 22:
Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
QUESTION 23:
Do you know what the destination IP addresses represent?
ANALYZING MODBUS/TCP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:40)
Using the same “multi-network-architecture.pcap” file from the Analysis of SMB Traffic section, let us now focus on ICS protocols and traffic. This portion will analyze traffic using the Modbus/TCP protocol over 502/tcp. The architecture consists of a PLC (192.168.1.5), an HMI (192.168.1.129), and a SCADA Server (192.168.1.60).
You can use CIDR notation to create a Display Filter in Wireshark that will narrow the traffic down to just this 192.168.1.0/24 network.
QUESTION 1:
What would the Display Filter look like?
Apply the filter now.
Using Wireshark “Conversations” under the “Statistics” menu, select the “TCP” tab. The report shows all the traffic in the capture file, so look at the bottom and select “Limit to display filter” to simplify the report.
QUESTION 2:
What ports are being used by the PLC (192.168.1.5) for incoming sessions?
QUESTION 3:
What is the most common service used by each of the TCP port numbers?
QUESTION 4:
What is the manufacturer of the PLC?
QUESTION 5:
Where did you find this information?
Let us focus on the same host address using NetworkMiner. Find the PLC (192.168.1.5). Do you notice that “Siemens” is presented with the IP Address? Expand the device by clicking the “+” sign.
QUESTION 6:
Is there more information about the manufacturer?
Expand the “OS: Siemens” entry.
QUESTION 7:
What information is provided here that was not provided with Wireshark?
QUESTION 8:
What ports are listed under the “Incoming” sessions where the PLC would act as a server?
NetworkMiner uses device signatures to help enumerate the actual device that is present, a feature not possible with Wireshark. The Satori TCP database was used to fingerprint the Siemens PLC. One of the instructors of this course has been actively working with the developer of NetworkMiner to expand this library.
The one piece of information that NetworkMiner is not able to provide is that relating to the Application Layer and the associated ADUs. Recall from the lecture that Wireshark has protocol “dissectors” that allow the packet to be broken down, extracting headers from data units. These data units can be further broken down into function codes and data elements.
So, let us return to Wireshark and analyze the Modbus/TCP Application Layer protocol.
QUESTION 9:
What TCP port is used by Modbus/TCP?
QUESTION 10:
What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way handshakes if possible?
If you go to the very top of the display, you can see the actual handshake that took place. That is the benefit of generating traffic in a lab versus in the real world. This handshake occurred only a single time throughout the five minutes of traffic collected.
Search for the first Modbus/TCP “Query” packet.
QUESTION 11:
What packet number did this occur?
Select the packet and observe the display panel below that displays the various layers of the OSI Model. Two Application Layer entries are provided: Modbus/TCP and Modbus.
QUESTION 12:
Why does it show two in this case?
Referring to the lecture material (slide 35) and shown below as Figure 81, what is contained in the “Modbus/TCP” portion of the frame?
QUESTION 13:
What is contained in the “Modbus” portion of the frame?
Figure 81 (image not reproduced in this text)
QUESTION 14:
What Function Code is used here?
QUESTION 15:
What is the meaning of this Function Code?
QUESTION 16:
What is the meaning of the “Reference Number”?
QUESTION 17:
What is the meaning of the “Word Count”?
(Hint: several good documents were referenced in the lecture that dissect the complete Modbus/TCP frame)
Look at the associated Modbus/TCP “Response” packet. This might help you answer the question above!
QUESTION 18:
What packet number did this occur?
QUESTION 19:
What is the value stored in Register Number 12300?
QUESTION 20:
What does “UINT16” stand for?
QUESTION 21:
Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
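The last group of questions is about the split between the MBAP header (Wireshark's “Modbus/TCP” layer) and the PDU (its “Modbus” layer), and about how a Read Holding Registers response relates to its request. The Python below is an added example, not code from the course or the lab, that decodes both layers the way a dissector does, pairs a request with its response by transaction id, and checks that the response byte count is twice the requested word count because each register is a 2-byte UINT16. The frames are constructed: a read of two registers starting at reference 12300 with made-up values, plus a made-up exception response, so the register values are not the lab's answer.

```python
"""Decode Modbus/TCP frames as Wireshark's two dissectors do (added example).

The "Modbus/TCP" layer is the 7-byte MBAP header (transaction id, protocol id,
length, unit id); the "Modbus" layer is the PDU (function code plus data).
Frames below are constructed for this example, not taken from the lab's pcap,
and the register values are made up.
"""
import struct

READ_HOLDING_REGISTERS = 3


def parse_frame(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP fields and a decoded PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP + function code")
    tid, proto, length, unit = struct.unpack_from(">HHHB", frame, 0)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    out = {"transaction_id": tid, "unit_id": unit, "length": length,
           "function_code": pdu[0] & 0x7F, "is_exception": bool(pdu[0] & 0x80)}
    if out["is_exception"]:               # function code with the high bit set
        out["exception_code"] = pdu[1]
        return out
    if out["function_code"] == READ_HOLDING_REGISTERS:
        if len(pdu) == 5:                 # request: reference number + word count
            out["reference"], out["word_count"] = struct.unpack(">HH", pdu[1:5])
        else:                             # response: byte count + register data
            byte_count = pdu[1]
            if byte_count != len(pdu) - 2:
                raise ValueError("byte count does not match payload")
            out["byte_count"] = byte_count
            out["registers"] = list(struct.unpack(f">{byte_count // 2}H", pdu[2:]))
    return out


def decode_read_holding(request: dict, response: dict) -> dict:
    """Pair a request with its response and name each UINT16 by reference,
    numbering from the request's reference number (a convention chosen here).
    Checks that byte count == 2 x word count, since each register is 2 bytes."""
    if response["transaction_id"] != request["transaction_id"]:
        raise ValueError("transaction ids differ")
    if response.get("is_exception"):
        return {"exception_code": response["exception_code"]}
    if response["byte_count"] != 2 * request["word_count"]:
        raise ValueError("response length disagrees with requested word count")
    base = request["reference"]
    return {base + i: value for i, value in enumerate(response["registers"])}


def build_read_request(tid: int, unit: int, reference: int, word_count: int) -> bytes:
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, reference, word_count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed exchange: read 2 holding registers starting at reference 12300.
REQUEST = build_read_request(1, 1, 12300, 2)
RESPONSE = bytes.fromhex("0001" "0000" "0007" "01" "03" "04" "0123" "0456")
# Constructed exception: the server answers function code 0x83 with code 2
# (illegal data address) when the reference lies outside its register map.
EXCEPTION = bytes.fromhex("0002" "0000" "0003" "01" "83" "02")
```

The `length` check against the real frame size and the `byte_count` check against the PDU are the two sanity checks a monitoring tool should keep: a frame whose announced lengths disagree with what is on the wire is either malformed or worth a closer look.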
Before leaving this portion of the lab exercise, you are encouraged to modify your Wireshark Display Filter and look at the ICS communication taking place on 102/tcp using the Siemens S7COMM protocol. This PLC supports both Modbus/TCP and Siemens S7COMM, and can serve the same data using either protocol. If you look at packets 11579 and 11580, you can see the data request and response. Notice the different syntax used to access the PLC internal registers with S7COMM by expanding the details in the “S7 Communication” ADU in the request packet 11579.
ANALYZING ETHERNET/IP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 2:00)
This section will use the “industrial-protocols-cip.pcap” network capture file downloaded in LAB EXERCISE 1 to study the Common Industrial Protocol (CIP) in its EtherNet/IP (EIP) form. This architecture consists of a Rockwell Automation Micro850 PLC (192.168.1.17) and an engineering workstation (192.168.1.97) running the Connected Components Workbench (CCW) software used to configure and monitor the PLC.
Open the file in all tools and provide anything you can find regarding the vendor, model, version, etc. of the PLC in the capture. Remember to consider the OUI portion of the hardware MAC address. You can also look up MAC OUIs on the Wireshark website (https://www.wireshark.org/tools/oui-lookup.html). The master list of registered OUI information can also be found on the IEEE standards website (http://standards-oui.ieee.org/oui.txt). This latter site can also provide information pertaining to the country of origin of the device.
QUESTION 1:
What can you determine about the PLC?
Using NetworkMiner, expand the PLC (192.168.1.17) and notice that NetworkMiner could not fully enumerate the device in terms of OS and device type as it was previously able to do with the Siemens S7 PLC.
Expand the Incoming sessions and notice that the PLC is acting as a server using port 44818/tcp. Expand this further to reveal information about the client.
QUESTION 2:
What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
QUESTION 3:
How long did this session last?
QUESTION 4:
How many host IP addresses does NetworkMiner show?
If you have not already noticed, the number of hosts is shown next to the “Hosts” tab in the top of the NetworkMiner window.
QUESTION 5:
How many of these IP addresses are IP Version 6 (IPv6)?
One of the IPv4 addresses shown is for multicast traffic using address 224.0.0.106. This is not really a host or device, but rather an address that can be used to send traffic to multiple devices that subscribe to the session. You might also recall from the lecture that IPv6 uses a multicast address that begins with “ff0”, so ff02::1:2 is also a multicast address.
QUESTION 6:
So, now how many HOST IPv4 addresses are on this network?
Notice the device NetworkMiner presents at IP address 169.254.2.2. This is known as a “self assigned” IP address and is what a device gives itself if it does not receive one from a Dynamic Host Configuration Protocol (DHCP) server. This is also an address that can be manually entered in the device network configuration, allowing it to link and connect to an existing network.
From a cyber security perspective, these addresses are important because they can signify the presence of an unauthorized host on the network that is trying to remain hidden. This is one way a device can connect to a network and “listen” for traffic to enumerate hosts and their communications.
Go back to Wireshark and open this packet capture file if not already done. Observe the first 25 packets and notice the broadcast traffic and other layer 2 traffic like the Address Resolution Protocol (ARP), Link-Layer Discovery Protocol (LLDP), and Spanning Tree Protocol (STP).
Now let us look at the enumerated devices by selecting “Analyze” in the menu followed by “Endpoints” and look at the “IPv4” results.
QUESTION 7:
How many IPv4 addresses are shown in Wireshark Endpoints?
Notice that 169.254.2.2 is not on this list, but if you select “Ethernet” you see 23 entries.
QUESTION 8:
What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
You can right-click the FF:FF:FF:FF:FF:FF address from the Endpoints – Ethernet listing and select “Apply as Filter” and “Selected” to view this traffic in Wireshark. You will notice Address Resolution Protocol (ARP) and NetBIOS Name Service (NBNS) traffic.
Close the Endpoints summary and return to the main display. Using the Find feature by typing “Control+C” (that is the Control Key and the C character key at the same time), enter “169.254.2.2”. If you expand the “Address Resolution Protocol (request)” shown in the Packet Details panel, you will find the Sender IP address of 169.254.2.2.
QUESTION 9:
What can you tell me about the manufacturer of this device?
(Hint: first look at how Wireshark “resolves” the MAC address, and then use the Wireshark OUI Lookup Tool)
If you entered only the OUI that was found from Wireshark, you probably saw a long list of manufacturers. If you append additional MAC information to
the address and enter “00:50:c2:b3”, you will see an entry “00:50:C2:B3:20:00/36 Byres Security Inc”. This is a CIDR-type expression for a MAC
address. Using the same logic that was presented in the lecture, you can take a string of 36 1s and logically “AND” it with the MAC address to extract
the base address registered to Byres Security, with the remaining 12 bits allowed for device-specific addressing.
Each hexadecimal digit represents 4 bits. This means that the base address is “00:50:C2:B3:2”, and 2^12 or 4,096 devices can be assigned by the
manufacturer to MAC addresses in the range of “00:50:C2:B3:20:00” to “00:50:C2:B3:2F:FF”.
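As an added example (not code from the course page), the /36 prefix arithmetic above carried out in Python: the mask is 36 one-bits followed by 12 zero-bits, ANDed with the address, and the same routine also handles the ordinary /24 OUI or any other prefix length. The addresses are the ones quoted above.

```python
# Added example: expand a MAC prefix such as "00:50:C2:B3:20:00/36" into the
# base address, the last address and the number of device addresses it covers.

def mac_to_int(mac: str) -> int:
    """Convert 'aa:bb:cc:dd:ee:ff' (any case, ':' or '-' separators) to a 48-bit integer."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int("".join(octets), 16)


def int_to_mac(value: int) -> str:
    """Format a 48-bit integer the way Wireshark prints it (upper-case, colon separated)."""
    return ":".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def mac_block(prefix: str) -> tuple[str, str, int]:
    """Return (first, last, size) for 'base/length'.

    The mask is `length` one-bits followed by (48 - length) zero-bits; ANDing it
    with the address strips the device-specific bits, exactly as the lecture did
    for IP prefixes. The remaining (48 - length) bits give 2**(48 - length) addresses.
    """
    base, length_str = prefix.split("/")
    length = int(length_str)
    if not 0 <= length <= 48:
        raise ValueError("prefix length must be between 0 and 48")
    mask = ((1 << length) - 1) << (48 - length)
    first = mac_to_int(base) & mask
    size = 1 << (48 - length)
    last = first | (size - 1)
    return int_to_mac(first), int_to_mac(last), size


def in_block(mac: str, prefix: str) -> bool:
    """True if `mac` falls inside the block registered under `prefix`."""
    first, last, _ = mac_block(prefix)
    return mac_to_int(first) <= mac_to_int(mac) <= mac_to_int(last)
```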
Let us now focus on traffic with the PLC (192.168.1.17).
QUESTION 10:
What would the Display Filter look like to filter out all traffic except that using the PLC?
Apply the filter now.
We are now going to walk through the communication that was shown during the lecture for Week 3 (slide 48), shown below as Figure 82.
Figure 82
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING ETHERNET/IP TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=174 3/4
The first step is to create an EtherNet/IP Session. This is performed using the “RegisterSession” Request command.
QUESTION 11:
In what packet number did this occur?
QUESTION 12:
What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
The next step that occurs is the establishment of a CIP Connection using the CIP Connection Manager (CM) and issuing a “Forward Open” command.
QUESTION 13:
In what packet number did this occur?
Notice that Wireshark recognizes this and labels the packet with a protocol of “CIP CM”. Notice also that the CIP Connection Manager is at the
highest part of the Application Layer in the Packet Details panel on the bottom.
QUESTION 14:
In what packet is the CIP Connection closed?
All of the communication between the opening and the closing of the CIP Connection is “explicit” “connected” CIP traffic using 44818/tcp. You might
want to refer back to the lecture in Week 3 (slide 42), shown below as Figure 83, to see what type of traffic was exchanged here.
Copyright (c) 2016-2020 ICSCSI LLC. All rights reserved.
Figure 83
QUESTION 15:
Is this traffic likely to be Critical or Non-Critical?
The application may or may not unregister the EtherNet/IP Session. This is not done with this session.
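The sequence just described, as an added example that is not part of the course material: a small Python encoder/decoder for the 24-byte EtherNet/IP encapsulation header, plus a tracker that learns the Session Handle from the RegisterSession response and flags later commands that quote a handle the PLC never issued. The handle value, payload bytes and packet order are constructed for the example, not taken from the lab's pcap.

```python
import struct

# EtherNet/IP encapsulation command codes (CIP Volume 2): the ones the page walks
# through, plus UnRegisterSession, which the page notes this capture never sends.
REGISTER_SESSION = 0x0065
UNREGISTER_SESSION = 0x0066
SEND_RR_DATA = 0x006F      # carries the CIP CM "Forward Open" (unconnected explicit)
SEND_UNIT_DATA = 0x0070    # connected explicit traffic once the CIP connection is open

# 24-byte header, little-endian: command, length, session handle, status,
# sender context (8 bytes), options.
HEADER = struct.Struct("<HHIIQI")


def build(command: int, session: int, data: bytes = b"", status: int = 0) -> bytes:
    """Encode one encapsulation packet (header + command-specific data)."""
    return HEADER.pack(command, len(data), session, status, 0, 0) + data


def parse(packet: bytes) -> dict:
    """Decode the header; reject truncated packets and bad length fields."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated encapsulation header")
    command, length, session, status, _context, _options = HEADER.unpack_from(packet)
    if len(packet) != HEADER.size + length:
        raise ValueError("length field does not match the packet size")
    return {"command": command, "session": session, "status": status,
            "data": packet[HEADER.size:]}


class SessionTracker:
    """Follow RegisterSession/UnRegisterSession on one 44818/tcp connection and flag
    any other command that quotes a session handle the server never issued."""

    def __init__(self) -> None:
        self.handles: set[int] = set()
        self.events: list[str] = []

    def observe(self, src: str, packet: bytes) -> str:
        p = parse(packet)
        cmd, handle = p["command"], p["session"]
        if cmd == REGISTER_SESSION and src == "client":
            # the request carries handle 0; the server chooses the value in its response
            msg = ("RegisterSession request" if handle == 0
                   else "ALERT: RegisterSession request with a non-zero handle")
        elif cmd == REGISTER_SESSION:
            if handle and p["status"] == 0:
                self.handles.add(handle)
                msg = f"session 0x{handle:08X} registered"
            else:
                msg = f"RegisterSession rejected (status 0x{p['status']:08X})"
        elif cmd == UNREGISTER_SESSION:
            self.handles.discard(handle)
            msg = f"session 0x{handle:08X} unregistered"
        elif handle in self.handles:
            msg = f"command 0x{cmd:04X} on session 0x{handle:08X}"
        else:
            msg = f"ALERT: command 0x{cmd:04X} uses unregistered handle 0x{handle:08X}"
        self.events.append(msg)
        return msg


def replay_example() -> list[str]:
    """Constructed exchange (handle value and payloads are made up, not from the pcap):
    RegisterSession, a Forward Open riding in SendRRData, connected data, no
    UnRegisterSession, then one packet quoting a handle that was never issued."""
    t = SessionTracker()
    reg = struct.pack("<HH", 1, 0)   # RegisterSession data: protocol version 1, options 0
    t.observe("client", build(REGISTER_SESSION, 0, reg))
    t.observe("server", build(REGISTER_SESSION, 0x00010201, reg))
    t.observe("client", build(SEND_RR_DATA, 0x00010201, b"\x00" * 6))
    t.observe("client", build(SEND_UNIT_DATA, 0x00010201, b"\x00" * 6))
    t.observe("client", build(SEND_RR_DATA, 0xDEADBEEF, b"\x00" * 6))
    return t.events
```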
PART 2: ANALYZING ICS NETWORK TRAFFIC WITH NETWORK ANALYSIS TOOLS
Analyzing SMB Traffic
How long did it take you to complete the section on SMB?
1. What would the Wireshark Display Filter look like?
2. What packet number does this occur in?
3. What layer would you expect the “NetBIOS Session Service” to reside?
4. What would your new Display Filter look like? (Hint: you will need to use a logical “AND”)
5. What packet number contains this file?
6. What would your new Display Filter look like? (Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
7. List some of the files that you see transferred across this connection.
8. What packet number contains this file?
9. What other text file ending in .txt was transferred in this capture file?
10. Provide the name and contents of this file(s)
11. What ports is the Domain Server servicing (e.g. the Destination port) in this example containing the two text files?
12. What service is used on each of these ports? (Hint: use Wireshark and a web search)
13. What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
14. What service do you think that server is running?
15. What are the contents of this file?
16. What packet number was this file first referenced in?
17. What did you find?
18. How many “groups” or “networks” are shown?
(Consider a network as more than one device)
19. Which network(s) appear to have connections to external devices on the public Internet?
20. What countries do these addresses most likely reside in? (Hint: View Details for the address by right-clicking)
21. What transport, port number, and service(s) are used in the external connections? (Hint: View Frames for the details of the packets by right-clicking)
22. Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
23. Do you know what the destination IP addresses represent?
Analyzing Modbus/TCP (MBT) Traffic
How long did it take you to complete the section on Modbus/TCP?
1. What would the Display Filter look like?
2. What ports are being used by the PLC (192.168.1.5) for incoming sessions?
3. What is the most common service used by each of the TCP port numbers?
4. What is the manufacturer of the PLC?
5. Where did you find this information?
6. Is there more information about the manufacturer?
7. What information is provided here that was not provided with Wireshark?
8. What ports are listed under the “Incoming” sessions where the PLC would act as a server?
9. What TCP port is used by Modbus/TCP?
10. What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way handshakes if possible?
11. In what packet number did this occur?
12. Why does it show two in this case?
13. What is contained in the “Modbus” portion of the frame?
14. What Function Code is used here?
15. What is the meaning of this Function Code?
16. What is the meaning of the “Reference Number”?
17. What is the meaning of the “Word Count”?
18. In what packet number did this occur?
19. What is the value stored in Register Number 12300?
20. What does “UINT16” stand for?
21. Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
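As an added example (not the course's own material) tying questions 13 to 21 together, the following Python builds and decodes a Modbus/TCP Read Holding Registers exchange: the Reference Number is the starting register, the Word Count is the number of UINT16 registers, and the response's Byte Count is twice the Word Count because each register is two bytes. The transaction id, unit id and register values are constructed; only register number 12300 comes from the question.

```python
import struct

# MBAP header, big-endian: transaction id, protocol id (0 = Modbus), length, unit id.
# "length" counts every byte after itself, i.e. unit id + PDU.
MBAP = struct.Struct(">HHHB")
READ_HOLDING_REGISTERS = 0x03


def build_read_request(tid: int, unit: int, reference: int, word_count: int) -> bytes:
    """FC 03 request: Wireshark's "Reference Number" is the starting register
    and its "Word Count" is how many 16-bit registers are wanted."""
    if not 1 <= word_count <= 125:
        raise ValueError("Modbus allows 1..125 registers per read")
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, reference, word_count)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def build_read_response(tid: int, unit: int, values: list[int]) -> bytes:
    """FC 03 response: a Byte Count followed by the registers as UINT16 values."""
    data = struct.pack(f">{len(values)}H", *values)
    pdu = struct.pack(">BB", READ_HOLDING_REGISTERS, len(data)) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def split_frame(frame: bytes) -> tuple[int, int, bytes]:
    """Validate the MBAP header and return (transaction id, unit id, PDU)."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return tid, unit, frame[MBAP.size:]


def decode_read(request: bytes, response: bytes) -> dict:
    """Pair a request with its response and map register number -> UINT16 value.
    The Byte Count must equal 2 * Word Count because each register is two bytes."""
    tid_q, unit_q, pdu_q = split_frame(request)
    tid_r, unit_r, pdu_r = split_frame(response)
    if (tid_q, unit_q) != (tid_r, unit_r):
        raise ValueError("response does not belong to this request")
    fc, reference, word_count = struct.unpack(">BHH", pdu_q)
    if fc != READ_HOLDING_REGISTERS:
        raise ValueError(f"unsupported function code {fc}")
    if pdu_r[0] == fc | 0x80:                 # exception response: FC with high bit set
        return {"exception": pdu_r[1]}
    if pdu_r[0] != fc:
        raise ValueError("response function code does not match request")
    byte_count = pdu_r[1]
    if byte_count != 2 * word_count or len(pdu_r) != 2 + byte_count:
        raise ValueError("byte count disagrees with word count")
    values = struct.unpack(f">{word_count}H", pdu_r[2:])
    return {reference + i: v for i, v in enumerate(values)}
```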
Analyzing EtherNet/IP (EIP) Traffic
How long did it take you to complete the section on EtherNet/IP?
1. What can you determine about this PLC?
2. What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
3. How long did this session last?
4. How many host IP addresses does NetworkMiner show?
5. How many of these IP addresses are IP Version 6 (IPv6)?
6. So, now how many HOST IPv4 addresses are on this network?
7. How many IPv4 addresses are shown in Wireshark Endpoints?
8. What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
9. What can you tell me about the manufacturer of this device?
(Hint: use the Wireshark OUI Lookup Tool)
10. What would the Display Filter look like to filter out all traffic except that using the PLC?
11. In what packet number did this occur?
12. What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
13. In what packet number did this occur?
14. In what packet is the CIP Connection closed?
15. Is this traffic likely to be Time Critical or Non-Time Critical?
Analyzing OPC Data Access (OPC-DA) Traffic
How long did it take you to complete the section on OPC-DA?
1. Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform operating system they are likely running, and what services and ports are being used.
2. What does DCOM stand for?
3. What packet number represents this action?
4. What endian is the data for this session using?
5. What username is used to authenticate against the client against the server?
6. Looking at the “RemoteCreateInstance request” packet, what frame number contains the response? (Hint: look in the Application Layer details)
7. What types of information can you decipher from this ASCII data?
8. What is this port number?
9. What number is shown for “StringBinding[2]” “NetworkAddr”?
10. What is the new TCP port number that will be used for the remaining data exchange session?
11. Is this the same port?
12. What is the new Display Filter that was automatically created?
PART 3: LAB EVALUATION
Did you find this lab useful?
What would you like to see changed?
Do not forget to submit your PCAP file used in the beginning of the lab under “Using Wireshark”. There is an 8MB site limit on file size of uploads. If your PCAP file is larger than 8MB, please notify the instructor for alternate instructions.
CSCI 397.01W | CSCI 397.61W © 2012-2020 ICSCSI LLC
Fundamentals of Industrial Control System Cyber Security
Fall 2020 CSCI 397 F20 – Lab Exercise 1
OBJECTIVES
Unlike the first part of this lab exercise that used a lot of illustrations to introduce new tools and capabilities, this part will focus on using these tools to
perform analysis of different types of industrial and business communications that occur on the network. Each section will ask you to perform a variety
of tasks using a set of network captures that should be downloaded from LAB EXERCISE 1. The lab exercise submittal document also contains
sections that must be completed based on the tasks given within the lab exercise.
This exercise has the following objectives:
1. Download and open a network packet capture (pcap) file in each of the three network analysis tools. This pcap file contains a diversified
collection of network protocols where you will investigate the Server Message Block (SMB) used to exchange files between Windows host
computers.
2. Using the same pcap file as Step 1 above, isolate and analyze the Modbus/TCP traffic that occurs between a Windows computer and a PLC.
3. Download and open a pcap file containing Common Industrial Protocol (CIP) traffic that occurs between a Windows computer and a PLC.
4. Download and open a pcap file containing Open Platform Communication (OPC) Data Access traffic that occurs between an OPC Server
and a Windows computer.
LAB EXERCISE 1 contains the file downloads needed for this exercise, along with the submittal document containing questions that will be discussed
throughout the exercise. Do not forget to submit your files when you have completed this activity.
(Note: problems may occur if using Google Chrome as a browser where it tries to open links in Google Docs. The “Docs PDF/PowerPoint Viewer (by
Google)” extension must be disabled or removed.)
ANALYZING OPC-DATA ACCESS TRAFFIC
(EXPECTED TIME TO COMPLETE = 10 minutes | 2:20)
This section will use the “industrial-protocols-opc.pcap” network capture file downloaded in LAB EXERCISE 1 to study OPC Data Access (OPC-
DA) communications. Unlike the previous cases with SMB, Modbus, and EtherNet/IP where you were given the architecture, in this exercise you will
determine the hosts and their relationships without guidance.
QUESTION 1:
Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform
operating system they are likely running, and what services and ports are being used.
From the section heading, it is obvious that the OPC Data Access protocol will be analyzed. During lecture it was mentioned that “classic” OPC-DA
presented many new challenges to the manufacturing world. The dependence on the Microsoft COM/DCOM infrastructure limited the usability of the
technology to strictly Windows-based computing platforms.
QUESTION 2:
What does DCOM stand for?
OPC-DA was originally released in 1996, and in 2003, when the Blaster worm exploited vulnerabilities in the Windows Remote Procedure Call (RPC)
service, Microsoft responded with the introduction of the Windows Firewall in Windows XP Service Pack 2. The design of OPC and how it performed a
“hand-off” from one communication port (135/tcp) to another service port, caused by the dynamic port allocation within RPC, made it inoperable
immediately after users installed XP-SP2.
The answer for many was to disable the Windows Firewall to keep their OPC-DA connections alive. This introduced even more problems as industry
worked to address security and usability at the same time.
In the lecture, the basic process of an OPC session was reviewed. In this part of the lab exercise, you will follow the session and observe how this
technology operates.
Most of this exercise will be at the packet level, so Wireshark will be the easiest tool to use.
The first step in establishing an OPC connection from the client to the server is a Distributed Computing Environment (DCE) / Remote Procedure
Call (RPC) “Bind” command.
QUESTION 3:
What packet number represents this action?
Select the packet referenced with the “Bind” command, and expand the “Distributed Computing Environment / Remote Procedure Call” Application
Layer in the data panel on the bottom. Notice the “Data Representation” entry.
QUESTION 4:
What endian is the data for this session using?
The Bind is then acknowledged by the server and the client then attempts authentication against the server.
QUESTION 5:
What username is used to authenticate the client against the server?
The client then establishes a “connection” by sending a “RemoteCreateInstance request” to the server.
QUESTION 6:
Looking at the “RemoteCreateInstance request” packet, what frame number contains the response?
(Hint: look in the Application Layer details)
Now using this response frame and the IP addresses for the client and the server, use the bottom “Packet Bytes” panel of Wireshark that shows raw
data to look for ASCII character-based patterns. You should be able to recognize a large portion of the data that is visible here.
QUESTION 7:
What types of information can you decipher from this ASCII data?
If you are having trouble, move to the first DCERPC “Request” frame in the capture list and notice the TCP Destination Port.
QUESTION 8:
What is this port number?
Now go back to the “RemoteCreateInstance response” frame and look again: look for a pattern of ASCII characters that represent an IPv4 address. If
you click the text panel over the ASCII numbers that look like an IPv4 address, Wireshark will find this dissected information in the other “Packet
Details” panel.
QUESTION 9:
What number is shown for “StringBinding[2]” “NetworkAddr”?
QUESTION 10:
What is the new TCP port number that will be used for the remaining data exchange session?
Go forward to the first DCERPC “Request” frame and look at the TCP Destination Port.
QUESTION 11:
Is this the same port?
This cleartext “handoff” resulting from the dynamic port allocation of RPC makes it easy for security appliances to follow this conversation and create a
dynamic rule that will open the newly assigned ports. Without this feature, a firewall would need to open a range of ports defined within the
DCOMCNFG service, resulting in an unnecessary attack surface through the perimeter protected by the firewall.
It is possible to create a Wireshark Display Filter to look for this “handoff”. If you expand the “ISystemActivator” portion of the ADU in packet 9, you can
right-click on “Operation: RemoteCreateInstance (4)” and select “Apply as Filter” and “Selected”. The Display Filter is automatically generated and
placed in the Display Filter entry line at the top of Wireshark.
QUESTION 12:
What is the new Display Filter that was automatically created?
We will look at this in the last two lecture sections of the course.
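An added example (not from the course page) of the handoff logic described above: given the TCP string bindings a server returns in its RemoteCreateInstance response on 135/tcp, derive the single client-to-server pinhole a protocol-aware firewall would open, and compare it with the size of a static DCOMCNFG port range. The host[port] form of NetworkAddr follows what Wireshark displays; the IP addresses, port numbers and bindings are constructed, not taken from the lab's pcap.

```python
import ipaddress
import re
from typing import Optional

NCACN_IP_TCP = 0x07   # STRINGBINDING TowerId for TCP/IP (MS-DCOM)
EPMAP_PORT = 135      # the port the RemoteCreateInstance request arrived on

# Wireshark renders a TCP NetworkAddr as "host" or "host[port]"; hostnames also occur.
_NETWORK_ADDR = re.compile(r"^(?P<host>[^\[\]\s]+)(?:\[(?P<port>\d{1,5})\])?$")


def parse_network_addr(network_addr: str) -> tuple[str, Optional[int]]:
    """Split a NetworkAddr string into (host, port or None)."""
    m = _NETWORK_ADDR.match(network_addr)
    if not m:
        raise ValueError(f"malformed NetworkAddr {network_addr!r}")
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"port out of range in {network_addr!r}")
    return m["host"], port


def handoff_rules(client_ip: str, server_ip: str, string_bindings) -> list[tuple]:
    """From the bindings a server returned on 135/tcp, derive the pinhole(s) a
    protocol-aware firewall opens for the rest of the session: client -> server:port.

    Bindings that are not TCP, carry no port, or point back at 135 are ignored.
    A binding that names a different IP than the server the client contacted is
    refused: following a redirect to some other host is exactly what a pinhole
    derived from the handoff must not do.
    """
    server = ipaddress.ip_address(server_ip)
    rules = []
    for tower_id, network_addr in string_bindings:
        if tower_id != NCACN_IP_TCP:
            continue
        host, port = parse_network_addr(network_addr)
        if port is None or port == EPMAP_PORT:
            continue
        try:
            target = ipaddress.ip_address(host)
        except ValueError:
            continue   # a bare hostname cannot be matched without resolving it
        if target != server:
            raise ValueError(f"binding {network_addr!r} does not point at {server_ip}")
        rules.append((client_ip, server_ip, "tcp", port))
    return rules


def static_exposure(low: int, high: int) -> int:
    """Server ports a firewall must leave open without the handoff logic: the whole
    range configured in DCOMCNFG, whether or not a session ever uses them."""
    if not 0 < low <= high < 65536:
        raise ValueError("bad port range")
    return high - low + 1
```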
ANALYZING SMB TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:20)
The remainder of the lab exercise will focus on applying some basic skills using the three network analysis tools. This first portion applies to common
IT protocols and services. You are encouraged to spend some free time experimenting on your personal network. This section will show you how to
extract file data from a network capture. You can re-create this on your home network by sharing a file between two devices while you run Wireshark
on one of them. Feel free to share your thoughts in the LAB EXERCISE 1 submittal. Questions will be asked throughout this section – your answers
should be provided on the LAB EXERCISE 1 submittal document.
This section will use the “multi-network-architecture.pcap” network capture file downloaded in LAB EXERCISE 1. Begin by opening this file in all
three network analysis tools – GrassMarlin, NetworkMiner, and Wireshark.
The Server Message Block or SMB is an Application Layer protocol used by multiple operating systems to allow sharing of files across the network. It is
also known by the name Common Internet File System (CIFS). In a Windows environment, it can also be used for legacy NetBIOS traffic, and facilitates an
access mechanism for inter-process communications (IPC) via the IPC$ administrative file share using named pipes.
In the network capture provided, there are primarily two major types of communications using 445/tcp: [1] authentication between Windows Domain
Members (10.1.1.60, 10.1.1.251) and Windows Domain Servers (10.1.1.1), and [2] file sharing services between clients (172.16.100.240) and the
Windows Server (10.1.1.1).
Using Wireshark, create a Display Filter that will narrow the traffic down to just these three assets.
QUESTION 1:
What would the Wireshark Display Filter look like?
Apply the filter now.
You will notice that there is more than just SMB traffic using 445/tcp. You should scroll down the filtered packet list and find the start of the 3-way
handshake for the first occurrence of traffic using 445/tcp.
QUESTION 2:
What packet number does this occur in?
One of the protocols that SMB uses is the NetBIOS Session Service. This should be the first set of packets following the successful completion of the
3-way handshake. Using the data panel within Wireshark, along with what you learned during Week 3, you can identify the position in the OSI 7-Layer
Model for the protocol.
QUESTION 3:
What layer would you expect the “NetBIOS Session Service” to reside?
Now let us append to the existing Display Filter to limit the information displayed to only contain traffic using the SMB protocol.
QUESTION 4:
What would your new Display Filter look like?
(Hint: you will need to use a logical “AND”)
Apply the filter now.
You should notice that the 3-way handshake is no longer displayed because the filter is looking for traffic using the SMB protocol. The 3-way handshake
is establishing a connection on 445/tcp which may not be for SMB in all cases.
Find the first SMB packet after the handshake completes between 10.1.1.60 (client) and 10.1.1.1 (server). This should be “Negotiate Protocol
Request”.
QUESTION 5:
What packet number contains this file?
Scroll down and observe the sessions that follow. Most of the traffic at this point is associated with a domain login occurring between 10.1.1.60 and
10.1.1.1 and the exchange of policy information that follows.
What we are really trying to find is the transferring of files across the network using SMB on 445/tcp. We can do this by appending a Display Filter that
displays SMB Transaction2 Extensions that will show the browsing of remote directories and identification of files that will be transferred. This is done
using “smb.trans2.cmd” and “ANDing” it with the previous Display Filter limiting traffic to SMB.
QUESTION 6:
What would your new Display Filter look like?
(Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
Your Display Filter should start to look like “… && smb && smb.trans2.cmd”.
Apply the filter now.
QUESTION 7:
List some of the files that you see transferred across this connection
It is important to understand that just because username/password authentication is encrypted does not mean that all the traffic that is transferred after
authentication is also encrypted. We are going to see what files have been transferred in cleartext across the network!
Wireshark provides the ability to export certain Objects that are contained in network traffic. You can access this by selecting “File” from the menu, and
“Export Objects” at the bottom. For this exercise, select “SMB”.
The packet numbers on the Export report correspond to the packet that “completed” the transfer. Search for the file “shared_file_on_server.txt”.
QUESTION 8:
What packet number contains this file?
QUESTION 9:
What other text file ending in “.txt” was transferred in this capture file?
Save the contents of both .txt files to your local hard disk, and open each of them (using Notepad, Wordpad, Write, etc.).
QUESTION 10:
Provide the name and contents of the file(s)
Now, switch to NetworkMiner and if you have not already done so, select “File” -> “Open” to import the capture file. Notice how NetworkMiner provides
a basic inventory of devices on the network.
Select the “Files” tab at the top. You should see a similar list of files that were extracted from the capture file. You will notice on the “Files” tab that
information about the Source and Destination TCP port number is provided. You can also see that NetworkMiner has automatically downloaded the
files and placed them in a temporary directory on your local hard disk. This is listed in the “Reconstructed file path” column.
QUESTION 11:
What ports is the Domain Server servicing (e.g. the Destination port) in this example containing the two text files?
Go to the “Hosts” tab in NetworkMiner and expand the information for the Domain Server (10.1.1.1). It summarizes the Incoming and Outgoing
sessions. Expand the Incoming sessions by clicking the “+”. You will notice more than just our SMB traffic has been accessing the server. Four
additional TCP sessions have been enumerated.
QUESTION 12:
What service is used on each of these ports?
(Hint: use Wireshark and a web search)
NetworkMiner also enumerates Outgoing sessions for the Domain Server. Expand the Outgoing sessions and review the information presented.
QUESTION 13:
What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
QUESTION 14:
What service do you think that server is running?
Go back to the “Files” tab and look for the sessions between the Domain Server (10.1.1.1) and this other “server” (10.1.1.254). Notice that you see
additional files that were not available from Wireshark. These files are the TLS certificates used to connect to the other “server” using HTTPS on
443/tcp.
Find the file “shared_file_on_server…”, and open it by right-clicking and selecting “Open file” to view its contents.
QUESTION 15:
What are the contents of this file?
QUESTION 16:
What packet number was this file first referenced in?
Go back to Wireshark and look for this packet number. You will have to clear the Display Filter if you have not already done so. Right-click on the
packet and select “Follow” and “TCP Stream”. This will display all the packets in the session as a contiguous data stream.
Enter “abcd1234” in the Find field at the bottom and select “Find Next”.
QUESTION 17:
What did you find?
Now, go to GrassMarlin and look at the visualization of the packet capture data. If you have not already done so, import the capture file into
GrassMarlin. GrassMarlin defaults to defining networks by a /24 CIDR. The networks are listed in a tabular fashion on the left, and visually in the center.
QUESTION 18:
How many “groups” or “networks” are shown?
(Consider a network as more than one device)
You should notice a couple of networks that contain only two assets, one having an IP address that ends with .255. Remember that this is the Broadcast
Address for that particular network, and does not usually reflect a physical device. This can easily be confirmed by looking at the hardware MAC
address, which can be done by right-clicking the shaded area containing the address. If the MAC address is “FF:FF:FF:FF:FF:FF”, then it is the
Broadcast Address.
QUESTION 19:
Which network(s) appear to have connections to external devices on the public Internet?
QUESTION 20:
What countries do these addresses most likely reside in?
(Hint: View Details for the address by right-clicking)
QUESTION 21:
What transport, port number, and service(s) are used in the external connections?
(Hint: View Frames for the details of the packets)
QUESTION 22:
Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
QUESTION 23:
Do you know what the destination IP addresses represent?
ANALYZING MODBUS/TCP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:40)
Using the same “multi-network-architecture.pcap” file from the Analyzing SMB Traffic section, let us now focus on ICS protocols and traffic. This portion analyzes traffic using the Modbus/TCP protocol over 502/tcp. The architecture consists of a PLC (192.168.1.5), an HMI (192.168.1.129), and a SCADA Server (192.168.1.60).
You can use CIDR notation to create a Display Filter in Wireshark that will narrow the traffic down to just this 192.168.1.0/24 network.
QUESTION 1:
What would the Display Filter look like?
Apply the filter now.
Using Wireshark “Conversations” under the “Statistics” menu, select the “TCP” tab. The report shows all the traffic in the capture file, so look at the bottom and select “Limit to display filter” to simplify the report.
QUESTION 2:
What ports are being used by the PLC (192.168.1.5) for incoming sessions?
QUESTION 3:
What is the most common service used by each of the TCP port numbers?
QUESTION 4:
What is the manufacturer of the PLC?
QUESTION 5:
Where did you find this information?
Let us focus on the same host address using NetworkMiner. Find the PLC (192.168.1.5). Notice that “Siemens” is presented with the IP Address. Expand the device by clicking the “+” sign.
QUESTION 6:
Is there more information about the manufacturer?
Expand the “OS: Siemens” entry.
QUESTION 7:
What information is provided here that was not provided with Wireshark?
QUESTION 8:
What ports are listed under the “Incoming” sessions where the PLC would act as a server?
NetworkMiner uses device signatures to help enumerate the actual device that is present, a feature not available in Wireshark. The Satori TCP database was used to fingerprint the Siemens PLC. One of the instructors of this course has been actively working with the developer of NetworkMiner to expand this library.
The one piece of information that NetworkMiner is not able to provide is that relating to the Application Layer and the associated ADUs. Recall from the
lecture that Wireshark has protocol “dissectors” that allow the packet to be broken down extracting headers from data units. These data units can be
further broken down into function codes and data elements.
So, let us return to Wireshark and analyze the Modbus/TCP Application Layer protocol.
QUESTION 9:
What TCP port is used by Modbus/TCP?
QUESTION 10:
What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way
handshakes if possible?
If you go to the very top of the display, you can see the actual handshake that took place. That is the benefit of generating traffic in a lab versus in the
real world. This handshake occurred only a single time throughout the five minutes of traffic collected.
Search for the first Modbus/TCP “Query” packet.
QUESTION 11:
What packet number did this occur?
Select the packet and observe the display panel below that displays the various layers of the OSI Model. Two Application Layer entries are provided:
Modbus/TCP and Modbus.
QUESTION 12:
Why does it show two in this case?
Referring to the lecture material (slide 35) and shown below as Figure 81, what is contained in the “Modbus/TCP” portion of the frame?
QUESTION 13:
What is contained in the “Modbus” portion of the frame?
Figure 81
QUESTION 14:
What Function Code is used here?
QUESTION 15:
What is the meaning of this Function Code?
QUESTION 16:
What is the meaning of the “Reference Number”?
QUESTION 17:
What is the meaning of the “Word Count”?
(Hint: several good documents were referenced in the lecture that dissect the complete Modbus/TCP frame)
Look at the associated Modbus/TCP “Response” packet. This might help you answer the question above!
QUESTION 18:
What packet number did this occur?
QUESTION 19:
What is the value stored in Register Number 12300?
QUESTION 20:
What does “UINT16” stand for?
QUESTION 21:
Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
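As an added worked example (not code from the lesson or from Wireshark), the following Python splits a Modbus/TCP frame the same way the Packet Details panel does: the 7-byte MBAP header is the “Modbus/TCP” entry, and the function code plus data is the “Modbus” entry. It decodes a Read Holding Registers (function code 3) request and its response and checks that the response Byte Count is twice the request Word Count, because each register is a big-endian UINT16. The request and response bytes are constructed for this example and do not come from the lab capture; the mapping from Wireshark’s zero-based Reference Number to a vendor’s register numbering is left to the reader.

```python
import struct

MODBUS_TCP_PORT = 502
MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


def parse_mbap(frame: bytes) -> dict:
    """The MBAP header is what Wireshark lists as the 'Modbus/TCP' layer."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for an MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError(f"protocol identifier {protocol_id} is not Modbus (0)")
    # 'length' counts the unit id plus the PDU, so a well-formed frame is 6 + length bytes
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return {"transaction_id": transaction_id, "protocol_id": protocol_id,
            "length": length, "unit_id": unit_id, "pdu": frame[MBAP_LEN:]}


def parse_pdu(pdu: bytes, is_response: bool) -> dict:
    """The PDU (function code + data) is what Wireshark lists as the 'Modbus' layer."""
    function_code = pdu[0]
    if function_code & 0x80:  # exception responses set the high bit of the function code
        return {"function_code": function_code & 0x7F, "exception_code": pdu[1]}
    out = {"function_code": function_code, "function": FUNCTION_NAMES.get(function_code, "unknown")}
    if function_code in (3, 4):
        if not is_response:
            # request data: zero-based starting address (Wireshark: Reference Number) and Word Count
            reference, word_count = struct.unpack(">HH", pdu[1:5])
            out.update(reference_number=reference, word_count=word_count)
        else:
            # response data: Byte Count followed by that many bytes of big-endian UINT16 registers
            byte_count = pdu[1]
            if byte_count != len(pdu) - 2 or byte_count % 2:
                raise ValueError("byte count does not match the register data present")
            registers = list(struct.unpack(f">{byte_count // 2}H", pdu[2:]))
            out.update(byte_count=byte_count, registers=registers)
    return out


def parse_frame(frame: bytes, is_response: bool) -> dict:
    mbap = parse_mbap(frame)
    pdu = parse_pdu(mbap.pop("pdu"), is_response)
    return {"mbap": mbap, "pdu": pdu}


def register_values(request: bytes, response: bytes) -> dict:
    """Pair a register read request with its response and return {reference: value}."""
    req = parse_frame(request, is_response=False)
    rsp = parse_frame(response, is_response=True)
    if req["mbap"]["transaction_id"] != rsp["mbap"]["transaction_id"]:
        raise ValueError("transaction identifiers do not match")
    if req["pdu"]["function_code"] not in (3, 4) or "registers" not in rsp["pdu"]:
        raise ValueError("not a register read request/response pair")
    # each 16-bit word occupies two bytes, so Byte Count must equal 2 * Word Count
    if rsp["pdu"]["byte_count"] != 2 * req["pdu"]["word_count"]:
        raise ValueError("response byte count is not twice the request word count")
    start = req["pdu"]["reference_number"]
    return {start + i: value for i, value in enumerate(rsp["pdu"]["registers"])}


# Constructed sample, not from the lab capture: transaction 1, unit 1, FC 3, reference 100, 2 words
SAMPLE_REQUEST = bytes.fromhex("0001 0000 0006 01 03 0064 0002")
# Matching response: byte count 4 carrying registers 0x04D2 (1234) and 0x0010 (16)
SAMPLE_RESPONSE = bytes.fromhex("0001 0000 0007 01 03 04 04D2 0010")

if __name__ == "__main__":
    print(parse_frame(SAMPLE_REQUEST, is_response=False))
    print(parse_frame(SAMPLE_RESPONSE, is_response=True))
    print(register_values(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

Run it against a frame copied from Wireshark (Packet Bytes panel, TCP payload only) to reproduce by hand what the dissector shows; the length and byte-count checks are the same sanity checks a Modbus-aware firewall or IDS applies before trusting the function code.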
Before leaving this portion of the lab exercise, you are encouraged to modify your Wireshark Display Filter and look at the ICS communication taking
place on 102/tcp using the Siemens S7COMM protocol. This PLC supports both Modbus/TCP and Siemens S7COMM, and can serve the same data
using either protocol. If you look at packets 11579 and 11580, you can see the data request and response. Notice the different syntax used to access
the PLC internal registers with S7COMM by expanding the details in the “S7 Communication” ADU in the request packet 11579.
ANALYZING ETHERNET/IP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 2:00)
This section will use the “industrial-protocols-cip.pcap” network capture file downloaded in LAB EXERCISE 1 to study the Common Industrial Protocol (CIP) in its EtherNet/IP (EIP) form. This architecture consists of a Rockwell Automation Micro850 PLC (192.168.1.17) and an engineering workstation (192.168.1.97) running the Connected Components Workbench (CCW) software used to configure and monitor the PLC.
Open the file in all tools and provide anything you can find regarding the vendor, model, version, etc. of the PLC in the capture. Remember to consider the OUI portion of the hardware MAC address. You can also look up MAC OUIs on the Wireshark website (https://www.wireshark.org/tools/oui-lookup.html). The master list of registered OUI information can also be found on the IEEE standards website (http://standards-oui.ieee.org/oui.txt). This latter site also lists the address of the registered assignee, which indicates the country the manufacturer operates from.
QUESTION 1:
What can you determine about the PLC?
Using NetworkMiner, expand the PLC (192.168.1.17) and notice that NetworkMiner could not fully enumerate the device in terms of OS and device type as it was previously able to do with the Siemens S7 PLC.
Expand the Incoming sessions and notice that the PLC is acting as a server using port 44818/tcp. Expand this further to reveal information about the client.
QUESTION 2:
What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
QUESTION 3:
How long did this session last?
QUESTION 4:
How many host IP addresses does NetworkMiner show?
If you have not already noticed, the number of hosts is shown next to the “Hosts” tab in the top of the NetworkMiner window.
QUESTION 5:
How many of these IP addresses are IP Version 6 (IPv6)?
One of the IPv4 addresses shown is for multicast traffic using address 224.0.0.106. This is not really a host or device, but rather an address that can
be used to send traffic to multiple devices that subscribe to the session. You might also recall from the lecture that IPv6 uses a multicast address that
begins with “ff0”, so ff02::1:2 is also a multicast address.
QUESTION 6:
So, now how many HOST IPv4 addresses are on this network?
Notice the device NetworkMiner presents at IP address 169.254.2.2. This is known as a “self-assigned” (link-local, 169.254.0.0/16) IP address and is what a device gives itself if it does not receive one from a Dynamic Host Configuration Protocol (DHCP) server. An address in this range can also be manually entered in the device network configuration, allowing it to link and connect to an existing network.
From a cyber security perspective, these addresses are important because they can signify the presence of an unauthorized host on the network that is trying to remain hidden: a device with a self-assigned address never requested a DHCP lease, so there is no lease record to audit. This is one way a device can connect to a network and “listen” for traffic to enumerate hosts and their communications.
Go back to Wireshark and open this packet capture file if not already done. Observe the first 25 packets and notice the broadcast traffic and other
layer 2 traffic like the Address Resolution Protocol (ARP), Link-Layer Discovery Protocol (LLDP), and Spanning Tree Protocol (STP).
Now let us look at the enumerated devices by selecting “Statistics” in the menu followed by “Endpoints” and look at the “IPv4” results.
QUESTION 7:
How many IPv4 addresses are shown in Wireshark Endpoints?
Notice that 169.254.2.2 is not on this list, but if you select “Ethernet” you see 23 entries.
QUESTION 8:
What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
You can right-click the FF:FF:FF:FF:FF:FF address from the Endpoints – Ethernet listing and select “Apply as Filter” and “Selected” to view this traffic
in Wireshark. You will notice Address Resolution Protocol (ARP) and NetBIOS Name Service (NBNS) traffic.
Close the Endpoints summary and return to the main display. Open the Find feature by typing “Control+F” (that is, the Control key and the F character key at the same time), choose the “String” search type, and enter “169.254.2.2”. If you expand the “Address Resolution Protocol (request)” shown in the Packet Details panel, you will find the Sender IP address of 169.254.2.2.
QUESTION 9:
What can you tell me about the manufacturer of this device?
(Hint: first look at how Wireshark “resolves” the MAC address, and then use the Wireshark OUI Lookup Tool)
If you entered only the OUI that was found from Wireshark, you probably saw a long list of manufacturers. If you append additional MAC information to the address and enter “00:50:c2:b3”, you will see an entry “00:50:C2:B3:20:00/36 Byres Security Inc”. This is a CIDR-style expression for a MAC address. Using the same logic that was presented in the lecture, you can take a string of 36 1’s and logically “AND” it with the MAC address to extract the base address registered to Byres Security, with the remaining 12 bits allowed for device-specific addressing.
Each hexadecimal digit represents 4 bits. This means that the base address is “00:50:C2:B3:2”, and 2^12 or 4,096 devices can be assigned by the manufacturer to MAC addresses in the range of “00:50:C2:B3:20:00” to “00:50:C2:B3:2F:FF”.
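The two observations above, that multicast and self-assigned addresses are not hosts and that an OUI entry written as “00:50:C2:B3:20:00/36” is a 36-bit prefix to be ANDed against a MAC address, can be turned into a small triage script over an endpoint list. The following Python is an added example, not part of the lesson or of NetworkMiner; the host list and MAC addresses in it are constructed, and the OUI entry is the one quoted above.

```python
import ipaddress

MAC_BITS = 48


def classify_ip(addr: str) -> str:
    """Label an address the way the lesson counts hosts: multicast and link-local are not hosts."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:           # 224.0.0.0/4 and ff00::/8
        return "multicast"
    if ip.is_link_local:          # 169.254.0.0/16 (self-assigned/APIPA) and fe80::/10
        return "link-local"
    if ip.is_loopback or ip.is_unspecified:
        return "non-host"
    return "host"


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def int_to_mac(value: int) -> str:
    return ":".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def prefix_mask(bits: int) -> int:
    """A run of 'bits' ones aligned to the top of a 48-bit MAC, e.g. 36 ones for a /36 entry."""
    return ((1 << bits) - 1) << (MAC_BITS - bits)


def mac_in_prefix(mac: str, entry: str) -> bool:
    """True if 'mac' ANDed with the prefix mask equals the registered base address."""
    base, bits = entry.split("/")
    mask = prefix_mask(int(bits))
    return (mac_to_int(mac) & mask) == (mac_to_int(base) & mask)


def prefix_range(entry: str):
    """(first address, last address, number of addresses) covered by an OUI entry."""
    base, bits = entry.split("/")
    bits = int(bits)
    low = mac_to_int(base) & prefix_mask(bits)
    high = low | ((1 << (MAC_BITS - bits)) - 1)   # fill the device-specific bits with ones
    return int_to_mac(low), int_to_mac(high), 1 << (MAC_BITS - bits)


def triage(endpoints, oui_entries):
    """Split an (ip, mac) list into hosts vs. non-hosts and flag entries worth a closer look."""
    report = {"host": [], "multicast": [], "link-local": [], "non-host": [], "flagged": []}
    for ip, mac in endpoints:
        kind = classify_ip(ip)
        report[kind].append(ip)
        if kind == "link-local":
            report["flagged"].append((ip, mac, "self-assigned address, no DHCP lease to audit"))
        for entry, vendor in oui_entries.items():
            if mac_in_prefix(mac, entry):
                report["flagged"].append((ip, mac, f"OUI {entry} -> {vendor}"))
    return report


# Constructed endpoint list modelled on the kinds of entries NetworkMiner shows; the MACs are made up.
SAMPLE_ENDPOINTS = [
    ("192.168.1.17", "02:11:22:33:44:01"),
    ("192.168.1.97", "02:11:22:33:44:02"),
    ("224.0.0.106", "01:00:5E:00:00:6A"),   # IPv4 multicast MAC derived from 224.0.0.106
    ("ff02::1:2", "33:33:00:01:00:02"),     # IPv6 multicast MAC derived from ff02::1:2
    ("169.254.2.2", "00:50:C2:B3:2A:01"),   # inside the /36 entry quoted above
]
OUI_ENTRIES = {"00:50:C2:B3:20:00/36": "Byres Security Inc"}

if __name__ == "__main__":
    print(prefix_range("00:50:C2:B3:20:00/36"))
    for key, value in triage(SAMPLE_ENDPOINTS, OUI_ENTRIES).items():
        print(key, value)
```

The IEEE registry uses /28 (MA-S), /36 (MA-M) and /24 (MA-L) prefixes, so `prefix_mask` is written for any length rather than hard-coding 36.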
Let us now focus on traffic with the PLC (192.168.1.17).
QUESTION 10:
What would the Display Filter look like to filter out all traffic except that using the PLC?
Apply the filter now.
We are now going to walk through the communication that was shown during the lecture for Week 3 (slide 48), shown below as Figure 82.
Figure 82
The first step is to create an EtherNet/IP Session. This is performed using the “RegisterSession” Request command.
QUESTION 11:
What packet number did this occur?
QUESTION 12:
What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
The next step that occurs is the establishment of a CIP Connection using the CIP Connection Manager (CM) and issuing a “Forward Open” command.
QUESTION 13:
What packet number did this occur?
Did you notice that Wireshark recognizes this and labels the packet with a protocol of “CIP CM”? Notice that the CIP Connection Manager is at the highest part of the Application Layer in the Packet Details panel on the bottom.
QUESTION 14:
In what packet is the CIP Connection closed?
All of the communication between the opening and the closing of the CIP Connection is “explicit” “connected” CIP traffic using 44818/tcp. You might
want to refer back to lecture in Week 3 (slide 42) and shown below as Figure 83 to see what type of traffic was exchanged here.
Figure 83
QUESTION 15:
Is this traffic likely to be Critical or Non-Critical?
The application may or may not unregister the EtherNet/IP Session. This is not done with this session.
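The session walk-through above (RegisterSession, a Forward Open carried in SendRRData, connected SendUnitData traffic, and no UnRegisterSession at the end) can be followed with a parser for the 24-byte EtherNet/IP encapsulation header. The following Python is an added example, not code from the lesson or from any Rockwell product; the frames are constructed, the session handle is made up, and the SendRRData/SendUnitData payloads are placeholder bytes that the tracker does not decode.

```python
import struct

EIP_PORT = 44818
# command, length, session handle, status, sender context, options (all little-endian)
ENCAP_HEADER = struct.Struct("<HHIIQI")
ENCAP_HEADER_LEN = ENCAP_HEADER.size  # 24 bytes

COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",    # unconnected explicit messaging, e.g. CIP CM Forward Open
    0x0070: "SendUnitData",  # connected explicit messaging
}


def parse_encap(frame: bytes) -> dict:
    if len(frame) < ENCAP_HEADER_LEN:
        raise ValueError("truncated encapsulation header")
    command, length, session, status, context, options = ENCAP_HEADER.unpack(frame[:ENCAP_HEADER_LEN])
    data = frame[ENCAP_HEADER_LEN:]
    if len(data) != length:
        raise ValueError(f"length field {length} != {len(data)} data bytes")
    return {"command": COMMANDS.get(command, f"0x{command:04X}"), "length": length,
            "session_handle": session, "status": status, "sender_context": context,
            "options": options, "data": data}


def build_encap(command: int, session: int, data: bytes, status: int = 0, context: int = 0) -> bytes:
    return ENCAP_HEADER.pack(command, len(data), session, status, context, 0) + data


def register_session_request() -> bytes:
    # RegisterSession data: protocol version 1, option flags 0; the handle is 0 until assigned
    return build_encap(0x0065, 0, struct.pack("<HH", 1, 0))


def register_session_response(request: bytes, handle: int) -> bytes:
    """The target echoes the request data and sender context and fills in the session handle."""
    req = parse_encap(request)
    if req["command"] != "RegisterSession":
        raise ValueError("not a RegisterSession request")
    return build_encap(0x0065, handle, req["data"], context=req["sender_context"])


def track_sessions(frames):
    """Walk frames in order; return per-handle command lists and whether the session was closed."""
    sessions = {}
    pending = False
    for raw in frames:
        hdr = parse_encap(raw)
        cmd, handle = hdr["command"], hdr["session_handle"]
        if cmd == "RegisterSession":
            if handle == 0:
                pending = True       # request: handle not yet assigned
                continue
            if not pending:
                raise ValueError("RegisterSession response without a request")
            pending = False
            sessions[handle] = {"commands": [], "unregistered": False}
            continue
        if handle not in sessions:
            raise ValueError(f"{cmd} uses unregistered session handle 0x{handle:08X}")
        sessions[handle]["commands"].append(cmd)
        if cmd == "UnRegisterSession":
            sessions[handle]["unregistered"] = True
    return sessions


# Constructed exchange: register, receive a made-up handle, Forward Open via SendRRData,
# connected data via SendUnitData, and no UnRegisterSession. Payloads are placeholders.
HANDLE = 0x0A0B0C0D
REQ = register_session_request()
RSP = register_session_response(REQ, HANDLE)
FORWARD_OPEN = build_encap(0x006F, HANDLE, struct.pack("<IH", 0, 0) + b"\x00" * 16)
UNIT_DATA = build_encap(0x0070, HANDLE, struct.pack("<IH", 0, 0) + b"\x00" * 8)
SAMPLE_FRAMES = [REQ, RSP, FORWARD_OPEN, UNIT_DATA, UNIT_DATA]

if __name__ == "__main__":
    for handle, info in track_sessions(SAMPLE_FRAMES).items():
        print(f"session 0x{handle:08X}: {info}")
```

A tracker like this is the basis of the check an ICS monitoring tool makes when it sees SendUnitData with a handle it never saw registered, which is what a replayed or injected frame looks like on the wire.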
LAB EXERCISE 1 (W4):
NETWORK ANALYSIS TOOLS
PART 2: ANALYZING ICS NETWORK TRAFFIC WITH NETWORK ANALYSIS TOOLS
Analyzing SMB Traffic
How long did it take you to complete the section on SMB?
1. What would the Wireshark Display Filter look like?
2. What packet number does this occur in?
3. What layer would you expect the “NetBIOS Session Service” to reside?
4. What would your new Display Filter look like? (Hint: you will need to use a logical “AND”)
5. What packet number contains this file?
6. What would your new Display Filter look like? (Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
7. List some of the files that you see transferred across this connection.
8. What packet number contains this file?
9. What other text file ending in .txt was transferred in this capture file?
10. Provide the name and contents of this file(s)
11. What ports is the Domain Server servicing (i.e., the Destination port) in this example containing the two text files?
12. What service is used on each of these ports? (Hint: use Wireshark and a web search)
13. What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
14. What service do you think that server is running?
15. What are the contents of this file?
16. What packet number was this file first referenced in?
17. What did you find?
18. How many “groups” or “networks” are shown?
(Consider a network as more than one device)
19. Which network(s) appear to have connections to external devices on the public Internet?
20. What countries do these addresses most likely reside in? (Hint: View Details for the address by right-clicking)
21. What transport, port number, and service(s) are used in the external connections? (Hint: View Frames for the details of the packets by right-clicking)
22. Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
23. Do you know what the destination IP addresses represent?
Analyzing Modbus/TCP (MBT) Traffic
How long did it take you to complete the section on Modbus/TCP?
1. What would the Display Filter look like?
2. What ports are being used by the PLC (192.168.1.5) for incoming sessions?
3. What is the most common service used by each of the TCP port numbers?
4. What is the manufacturer of the PLC?
5. Where did you find this information?
6. Is there more information about the manufacturer?
7. What information is provided here that was not provided with Wireshark?
8. What ports are listed under the “Incoming” sessions where the PLC would act as a server?
9. What TCP port is used by Modbus/TCP?
10. What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way handshakes if possible?
11. What packet number did this occur?
12. Why does it show two in this case?
13. What is contained in the “Modbus” portion of the frame?
14. What Function Code is used here?
15. What is the meaning of this Function Code?
16. What is the meaning of the “Reference Number”?
17. What is the meaning of the “Word Count”?
18. What packet number did this occur?
19. What is the value stored in Register Number 12300?
20. What does “UINT16” stand for?
21. Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
Analyzing EtherNet/IP (EIP) Traffic
How long did it take you to complete the section on EtherNet/IP?
1. What can you determine about this PLC?
2. What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
3. How long did this session last?
4. How many host IP addresses does NetworkMiner show?
5. How many of these IP addresses are IP Version 6 (IPv6)?
6. So, now how many HOST IPv4 addresses are on this network?
7. How many IPv4 addresses are shown in Wireshark Endpoints?
8. What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
9. What can you tell me about the manufacturer of this device?
(Hint: use the Wireshark OUI Lookup Tool)
10. What would the Display Filter look like to filter out all traffic except that using the PLC?
11. What packet number did this occur?
12. What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
13. What packet number did this occur?
14. What packet is the CIP Connection closed?
15. Is this traffic likely to be Time Critical or Non-Time Critical?
Analyzing OPC Data Access (OPC-DA) Traffic
How long did it take you to complete the section on OPC-DA?
1. Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform operating system they are likely running, and what services and ports are being used.
2. What does DCOM stand for?
3. What packet number represents this action?
4. What endian is the data for this session using?
5. What username does the client use to authenticate against the server?
6. Looking at the “RemoteCreateInstance request” packet, what frame number contains the response? (Hint: look in the Application Layer details)
7. What types of information can you decipher from this ASCII data?
8. What is this port number?
9. What number is shown for “StringBinding[2]” “NetworkAddr”?
10. What is the new TCP port number that will be used for the remaining data exchange session?
11. Is this the same port?
12. What is the new Display Filter that was automatically created?
PART 3: LAB EVALUATION
Did you find this lab useful?
What would you like to see changed?
Do not forget to submit your PCAP file used in the beginning of the lab under “Using Wireshark”. There is an 8MB limit on the file size of uploads. If your PCAP file is larger than 8MB, please notify the instructor for alternate instructions.
CSCI 397.01W | CSCI 397.61W © 2012-2020 ICSCSI LLC | Fundamentals of Industrial Control System Cyber Security | Fall 2020 CSCI 397 F20 – Lab Exercise 1
OBJECTIVES
Unlike the first part of this lab exercise, which used a lot of illustrations to introduce new tools and capabilities, this part will focus on using these tools to perform analysis of different types of industrial and business communications that occur on the network. Each section will ask you to perform a variety of tasks using a set of network captures that should be downloaded from LAB EXERCISE 1. The lab exercise submittal document also contains sections that must be completed based on the tasks given within the lab exercise.
This exercise has the following objectives:
1. Download and open a network packet capture (pcap) file in each of the three network analysis tools. This pcap file contains a diversified
collection of network protocols where you will investigate the Server Message Block (SMB) used to exchange files between Windows host
computers.
2. Using the same pcap file as Step 1 above, isolate and analyze the Modbus/TCP traffic that occurs between a Windows computer and a PLC.
3. Download and open a pcap file containing Common Industrial Protocol (CIP) traffic that occurs between a Windows computer and a PLC.
4. Download and open a pcap file containing Open Platform Communication (OPC) Data Access traffic that occurs between an OPC Server
and a Windows computer.
LAB EXERCISE 1 contains the file downloads needed for this exercise, along with the submittal document containing questions that will be discussed throughout the exercise. Do not forget to submit your files when you have completed this activity.
(Note: problems may occur if using Google Chrome as a browser where it tries to open links in Google Docs. The “Docs PDF/PowerPoint Viewer (by
Google)” extension must be disabled or removed.)
ANALYZING OPC-DATA ACCESS TRAFFIC
(EXPECTED TIME TO COMPLETE = 10 minutes | 2:20)
This section will use the “industrial-protocols-opc.pcap” network capture file downloaded in LAB EXERCISE 1 to study OPC Data Access (OPC-
DA) communications. Unlike the previous cases with SMB, Modbus, and EtherNet/IP where you were given the architecture, in this exercise you will
determine the hosts and their relationships without guidance.
QUESTION 1:
Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform
operating system they are likely running, and what services and ports are being used.
From the section heading, it is obvious that the OPC Data Access protocol will be analyzed. During lecture it was mentioned that “classic” OPC-DA
presented many new challenges to the manufacturing world. The dependence on the Microsoft COM/DCOM infrastructure limited the usability of the
technology to strictly Windows-based computing platforms.
QUESTION 2:
What does DCOM stand for?
OPC-DA was originally released in 1996. In 2003, when the Blaster worm exploited vulnerabilities in the Windows Remote Procedure Call (RPC) service, Microsoft responded with the introduction of the Windows Firewall in Windows XP Service Pack 2. The design of OPC, which performs a “hand-off” from one communication port (135/tcp) to another service port chosen by the dynamic port allocation within RPC, made it inoperable immediately after users installed XP SP2, because the firewall blocked inbound connections to the dynamically assigned port.
The answer for many was to disable the Windows Firewall to keep their OPC-DA connections alive. This introduced even more problems as industry
worked to address security and usability at the same time.
In the lecture, the basic process of an OPC session was reviewed. In this part of the lab exercise, you will follow the session and observe how this
technology operates.
Most of this exercise will be at the packet level, so Wireshark will be the easiest tool to use.
The first step in establishing an OPC connection from the client to the server is a Distributed Computing Environment / Remote Procedure Call (DCE/RPC) “Bind” command.
QUESTION 3:
What packet number represents this action?
Select the packet referenced with the “Bind” command, and expand the “Distributed Computing Environment / Remote Procedure Call” Application
Layer in the data panel on the bottom. Notice the “Data Representation” entry.
QUESTION 4:
What endian is the data for this session using?
The Bind is then acknowledged by the server and the client then attempts authentication against the server.
QUESTION 5:
What username does the client use to authenticate against the server?
The client then establishes a “connection” by sending a “RemoteCreateInstance request” to the server.
QUESTION 6:
Looking at the “RemoteCreateInstance request” packet, what frame number contains the response?
(Hint: look in the Application Layer details)
Now using this response frame and the IP addresses for the client and the server, use the bottom “Packet Bytes” panel of Wireshark that shows raw
data to look for ASCII character-based patterns. You should be able to recognize a large portion of the data that is visible here.
QUESTION 7:
What types of information can you decipher from this ASCII data?
If you are having trouble, move to the first DCERPC “Request” frame in the capture list and notice the TCP Destination Port.
QUESTION 8:
What is this port number?
Now go back to the “RemoteCreateInstance response” frame and look again for a pattern of ASCII characters that represents an IPv4 address. If you click the text panel over the ASCII characters that look like an IPv4 address, Wireshark will highlight the corresponding dissected field in the “Packet Details” panel.
QUESTION 9:
What number is shown for “StringBinding[2]” “NetworkAddr”?
QUESTION 10:
What is the new TCP port number that will be used for the remaining data exchange session?
Go forward to the first DCERPC “Request” frame and look at the TCP Destination Port.
QUESTION 11:
Is this the same port?
This cleartext “handoff” resulting from the dynamic port allocation of RPC makes it easy for security appliances to follow this conversation and create a
dynamic rule that will open the newly assigned ports. Without this feature, a firewall would need to open a range of ports defined within the
DCOMCNFG service resulting in an unnecessary attack surface through the perimeter protected by the firewall.
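The Bind, Data Representation and port “handoff” steps above can be reproduced with a small parser for the 16-byte DCE/RPC connection-oriented header and for the DCOM string bindings that carry the new endpoint. The following Python is an added example, not from the lesson or from Wireshark; the PDUs and bindings are constructed, the header layout and constants follow the DCE 1.1 RPC specification as used by MS-RPCE, and the “host[port]” form of the NetworkAddr string is assumed from the DCOM OXID binding format.

```python
import struct

EPMAP_PORT = 135  # RPC endpoint mapper / DCOM activation port the client connects to first

PDU_TYPES = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack",
             13: "bind_nak", 14: "alter_context", 15: "alter_context_resp"}
BYTE_ORDER = {0: "big-endian", 1: "little-endian"}
CHAR_REP = {0: "ASCII", 1: "EBCDIC"}
FLOAT_REP = {0: "IEEE", 1: "VAX", 2: "Cray", 3: "IBM"}
TOWER_IDS = {0x07: "ncacn_ip_tcp", 0x08: "ncadg_ip_udp", 0x0F: "ncacn_np"}


def parse_drep(drep: bytes) -> dict:
    """packed_drep: high nibble of byte 0 = integer order, low nibble = character set, byte 1 = float."""
    return {"byte_order": BYTE_ORDER.get(drep[0] >> 4, "unknown"),
            "character": CHAR_REP.get(drep[0] & 0x0F, "unknown"),
            "float": FLOAT_REP.get(drep[1], "unknown")}


def parse_header(pdu: bytes) -> dict:
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = pdu[0], pdu[1], pdu[2], pdu[3]
    if rpc_vers != 5:
        raise ValueError(f"not a connection-oriented DCE/RPC v5 PDU (version {rpc_vers})")
    drep = parse_drep(pdu[4:8])
    # frag_length, auth_length and call_id are encoded in the byte order the drep declares
    order = "<" if drep["byte_order"] == "little-endian" else ">"
    frag_length, auth_length, call_id = struct.unpack(order + "HHI", pdu[8:16])
    if frag_length != len(pdu):
        raise ValueError(f"frag_length {frag_length} != PDU size {len(pdu)}")
    return {"version": f"{rpc_vers}.{rpc_vers_minor}", "pdu_type": PDU_TYPES.get(ptype, ptype),
            "flags": pfc_flags, "drep": drep, "frag_length": frag_length,
            "auth_length": auth_length, "call_id": call_id, "body": pdu[16:]}


def build_pdu(ptype: int, call_id: int, body: bytes, little_endian: bool = True) -> bytes:
    """Construct a PDU with first/last fragment flags set (0x03) for use as sample input."""
    drep = bytes([0x10 if little_endian else 0x00, 0, 0, 0])
    order = "<" if little_endian else ">"
    return bytes([5, 0, ptype, 0x03]) + drep + struct.pack(order + "HHI", 16 + len(body), 0, call_id) + body


def parse_network_addr(addr: str):
    """'192.0.2.10[49153]' -> ('192.0.2.10', 49153); without brackets the port is None."""
    if addr.endswith("]") and "[" in addr:
        host, port = addr[:-1].rsplit("[", 1)
        return host, int(port)
    return addr, None


def handoff_ports(string_bindings):
    """TCP endpoints a DCOM-aware firewall must open after following the activation reply."""
    ports = set()
    for tower_id, addr in string_bindings:
        if TOWER_IDS.get(tower_id) != "ncacn_ip_tcp":
            continue  # named pipes and UDP towers do not take part in the TCP handoff
        host, port = parse_network_addr(addr)
        if port is not None and port != EPMAP_PORT:
            ports.add((host, port))
    return sorted(ports)


# Constructed samples, not from the lab capture
BIND_PDU = build_pdu(11, 1, b"\x00" * 8)                         # little-endian bind, call_id 1
REQUEST_PDU = build_pdu(0, 2, b"\x11" * 4, little_endian=False)   # big-endian request, call_id 2
OXID_BINDINGS = [(0x07, "192.0.2.10[49153]"), (0x0F, "\\\\OPCSERVER"), (0x07, "192.0.2.10[135]")]

if __name__ == "__main__":
    print(parse_header(BIND_PDU))
    print(parse_header(REQUEST_PDU)["drep"])
    print(handoff_ports(OXID_BINDINGS))
```

The `handoff_ports` result is exactly what an OPC-aware firewall derives from the cleartext activation reply to open a pinhole for the follow-on session; a plain stateful firewall that cannot read the binding has to leave the whole DCOMCNFG port range open instead.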
It is possible to create a Wireshark Display Filter to look for this “handoff”. If you expand the “ISystemActivator” portion of the ADU in packet 9, you can
right-click on “Operation: RemoteCreateInstance (4)” and select “Apply as Filter” and “Selected”. The Display Filter is automatically generated and
placed in the Display Filter entry line at the top of Wireshark.
QUESTION 12:
What is the new Display Filter that was automatically created?
We will look at this in the last two lecture sections of the course.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING OPC-DATA ACCESS TRAFFIC
Copyright (c) 2016-2020 ICSCSI LLC. All rights reserved.
Fundamentals of Industrial Control System Cyber Security
Analyzing ICS Network Traffic with Network Analysis Tools
ANALYZING SMB TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:20)
The remainder of the lab exercise focuses on applying some basic skills using the three network analysis tools. This first portion applies to common IT protocols and services. You are encouraged to spend some free time experimenting on your personal network. This section shows you how to extract file data from a network capture. You can re-create this on your home network by sharing a file between two devices while you run Wireshark on one of them. Feel free to share your thoughts in the LAB EXERCISE 1 submittal. Questions are asked throughout this section; your answers should be provided on the LAB EXERCISE 1 submittal document.
This section will use the “multi-network-architecture.pcap” network capture file downloaded in LAB EXERCISE 1. Begin by opening this file in all
three network analysis tools – GrassMarlin, NetworkMiner, and Wireshark.
Server Message Block (SMB) is an Application Layer protocol used by multiple operating systems to share files across a network. It is also known as the Common Internet File System (CIFS). In a Windows environment it also carries legacy NetBIOS traffic, and it provides an access mechanism for inter-process communication (IPC) via named pipes on the IPC$ administrative share.
In the network capture provided, there are primarily two major types of communications using 445/tcp: [1] authentication between Windows Domain
Members (10.1.1.60, 10.1.1.251) and Windows Domain Servers (10.1.1.1), and [2] file sharing services between clients (172.16.100.240) and the
Windows Server (10.1.1.1).
Using Wireshark, create a Display Filter that will narrow the traffic down to just these three assets.
QUESTION 1:
What would the Wireshark Display Filter look like?
Apply the filter now.
You will notice that there is more than just SMB traffic using 445/tcp. You should scroll down the filtered packet list and find the start of the 3-way
handshake for the first occurrence of traffic using 445/tcp.
QUESTION 2:
What packet number does this occur?
One of the protocols that SMB uses is the NetBIOS Session Service. This should be the first set of packets following the successful completion of the
3-way handshake. Using the data panel within Wireshark, along with what you learned during Week 3, you can identify the position in the OSI 7-Layer
Model for the protocol.
QUESTION 3:
What layer would you expect the “NetBIOS Session Service” to reside?
Now let us append to the existing Display Filter to limit the information displayed to only contain traffic using the SMB protocol.
QUESTION 4:
What would your new Display Filter look like?
(Hint: you will need to use a logical “AND”)
Apply the filter now.
You should notice that the 3-way handshake is no longer displayed because the filter is looking for traffic using the SMB protocol. The 3-way handshake
is establishing a connection on 445/tcp which may not be for SMB in all cases.
Find the first SMB packet after the handshake completes between 10.1.1.60 (client) and 10.1.1.1 (server). This should be a “Negotiate Protocol Request”.
QUESTION 5:
What packet number contains this request?
Scroll down and observe the sessions that follow. Most of the traffic at this point is associated with a domain login occurring between 10.1.1.60 and 10.1.1.1 and the exchange of policy information that follows.
What we are really trying to find is the transfer of files across the network using SMB on 445/tcp. We can do this by appending to the Display Filter so that it shows only SMB Transaction2 commands, which reveal the browsing of remote directories and the identification of files that will be transferred. This is done using “smb.trans2.cmd” and “ANDing” it with the previous Display Filter that limited traffic to SMB.
QUESTION 6:
What would your new Display Filter look like?
(Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices your have)
Your Display Filter should start to look like “… && smb && smb.trans2.cmd”.
Apply the filter now.
QUESTION 7:
List some of the files that you see transferred across this connection
It is important to understand that just because the authentication exchange does not send the password in cleartext, it does not follow that the traffic transferred after authentication is encrypted. We are going to see what files have been transferred in cleartext across the network!
Wireshark provides the ability to export certain Objects that are contained in network traffic. You can access this by selecting “File” from the menu, and
“Export Objects” at the bottom. For this exercise, select “SMB”.
The packet numbers on the Export report correspond to the packet that “completed” the transfer. Search for the file “shared_file_on_server.txt”.
QUESTION 8:
What packet number contains this file?
QUESTION 9:
What other text file ending in “.txt” was transferred in this capture file?
Save the contents of both .txt files to your local hard disk, and open each of them (using Notepad, Wordpad, Write, etc.).
QUESTION 10:
Provide the name and contents of the file(s)
Now, switch to NetworkMiner and if you have not already done so, select “File” -> “Open” to import the capture file. Notice how NetworkMiner provides
a basic inventory of devices on the network.
Select the “Files” tab at the top. You should see a similar list of files that were extracted from the capture file. You will notice on the “Files” tab that
information about the Source and Destination TCP port number is provided. You can also see that NetworkMiner has automatically downloaded the
files and placed them in a temporary directory on your local hard disk. This is listed in the “Reconstructed file path” column.
QUESTION 11:
What ports is the Domain Server servicing (i.e. the Destination port) in this example containing the two text files?
Go to the “Hosts” tab in NetworkMiner and expand the information for the Domain Server (10.1.1.1). It summarizes the Incoming and Outgoing
sessions. Expand the Incoming sessions by clicking the “+”. You will notice more than just our SMB traffic has been accessing the server. Four
additional TCP sessions have been enumerated.
QUESTION 12:
What service is used on each of these ports?
(Hint: use Wireshark and a web search)
NetworkMiner also enumerates Outgoing sessions for the Domain Server. Expand the Outgoing sessions and review the information presented.
QUESTION 13:
What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
QUESTION 14:
What service do you think that server is running?
Go back to the “Files” tab and look for the sessions between the Domain Server (10.1.1.1) and this other “server” (10.1.1.254). Notice that you see additional files that were not available from Wireshark's SMB export. These files are the X.509 certificates presented during the TLS handshake used to connect to the other “server” using HTTPS on 443/tcp.
Find the file “shared_file_on_server…”, and open it by right-clicking and selecting “Open file” to view its contents.
QUESTION 15:
What are the contents of this file?
QUESTION 16:
What packet number was this file first referenced in?
Go back to Wireshark and look for this packet number. You will have to clear the Display Filter if you have not already done so. Right-click on the
packet and select “Follow” and “TCP Stream”. This will display all the packets in the session as a contiguous data stream.
Enter “abcd1234” in the Find field at the bottom and select “Find Next”.
QUESTION 17:
What did you find?
Now, go to GrassMarlin and look at the visualization of the packet capture data. If you have not already done so, import the capture file into GrassMarlin. By default GrassMarlin groups hosts into networks using a CIDR /24 mask. The networks are listed in tabular form on the left and shown visually in the center.
QUESTION 18:
How many “groups” or “networks” are shown?
(Consider a network as more than one device)
You should notice a couple of networks that contain only two assets, one of which has an IP address ending in .255. Remember that this is the Broadcast Address for that particular network and does not usually reflect a physical device. This can easily be confirmed by looking at the hardware MAC address, which can be done by right-clicking the shaded area containing the address. If the MAC address is “FF:FF:FF:FF:FF:FF”, it is the Broadcast Address.
QUESTION 19:
Which network(s) appear to have connections to external devices on the public Internet?
QUESTION 20:
What countries do these addresses most likely reside in?
(Hint: View Details for the address by right-clicking)
QUESTION 21:
What transport, port number, and service(s) are used in the external connections?
(Hint: View Frames for the details of the packets)
QUESTION 22:
Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
QUESTION 23:
Do you know what the destination IP addresses represent?
ANALYZING MODBUS/TCP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:40)
Using the same “multi-network-architecture.pcap” file from the Analyzing SMB Traffic section, let us now focus on ICS protocols and traffic. This portion analyzes traffic using the Modbus/TCP protocol over 502/tcp. The architecture consists of a PLC (192.168.1.5), an HMI (192.168.1.129), and a SCADA Server (192.168.1.60).
You can use CIDR notation to create a Display Filter in Wireshark that will narrow the traffic down to just this 192.168.1.0/24 network.
QUESTION 1:
What would the Display Filter look like?
Apply the filter now.
Using Wireshark “Conversations” under the “Statistics” menu, select the “TCP” tab. The report shows all the traffic in the capture file, so look at the bottom and select “Limit to display filter” to simplify the report.
QUESTION 2:
What ports are being used by the PLC (192.168.1.5) for incoming sessions?
QUESTION 3:
What is the most common service used by each of the TCP port numbers?
QUESTION 4:
What is the manufacturer of the PLC?
QUESTION 5:
Where did you find this information?
Let us focus on the same host address using NetworkMiner. Find the PLC (192.168.1.5). Notice that “Siemens” is presented with the IP Address. Expand the device by clicking the “+” sign.
QUESTION 6:
Is there more information about the manufacturer?
Expand the “OS: Siemens” entry.
QUESTION 7:
What information is provided here that was not provided with Wireshark?
QUESTION 8:
What ports are listed under the “Incoming” sessions where the PLC would act as a server?
NetworkMiner uses device signatures to help enumerate the actual device that is present, a feature not available in Wireshark. The Satori TCP fingerprint database was used to identify the Siemens PLC. One of the instructors of this course has been actively working with the developer of NetworkMiner to expand this library.
The one piece of information that NetworkMiner is not able to provide is that relating to the Application Layer and the associated ADUs. Recall from the
lecture that Wireshark has protocol “dissectors” that allow the packet to be broken down extracting headers from data units. These data units can be
further broken down into function codes and data elements.
So, let us return to Wireshark and analyze the Modbus/TCP Application Layer protocol.
QUESTION 9:
What TCP port is used by Modbus/TCP?
QUESTION 10:
What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way
handshakes if possible?
If you go to the very top of the display, you can see the actual handshake that took place. That is the benefit of generating traffic in a lab versus in the
real world. This handshake occurred only a single time throughout the five minutes of traffic collected.
Search for the first Modbus/TCP “Query” packet.
QUESTION 11:
What packet number did this occur?
Select the packet and observe the display panel below that displays the various layers of the OSI Model. Two Application Layer entries are provided:
Modbus/TCP and Modbus.
QUESTION 12:
Why does it show two in this case?
Referring to the lecture material (slide 35), shown below as Figure 81, what is contained in the “Modbus/TCP” portion of the frame?
QUESTION 13:
What is contained in the “Modbus” portion of the frame?
Figure 81
QUESTION 14:
What Function Code is used here?
QUESTION 15:
What is the meaning of this Function Code?
QUESTION 16:
What is the meaning of the “Reference Number”?
QUESTION 17:
What is the meaning of the “Word Count”?
(Hint: several good documents were referenced in the lecture that dissect the complete Modbus/TCP frame)
Look at the associated Modbus/TCP “Response” packet. This might help you answer the question above!
QUESTION 18:
What packet number did this occur?
QUESTION 19:
What is the value stored in Register Number 12300?
QUESTION 20:
What does “UINT16” stand for?
QUESTION 21:
Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
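As an added example (not part of the course material and not taken from the lab capture), the following Python parses the two layers Wireshark shows for a Modbus/TCP query and response: the 7-byte MBAP header that Wireshark labels “Modbus/TCP”, and the PDU it labels “Modbus”, which for Function Code 3 carries the Reference Number (starting address) and Word Count in the request and the Byte Count plus big-endian UINT16 register values in the response. The sample frames and the register values in them are constructed here, and registers are labelled by raw protocol address, which is assumed to match Wireshark's labelling.

```python
import struct

# Modbus/TCP ADU = 7-byte MBAP header + Modbus PDU. Every multi-byte field is
# big-endian (network byte order).
MBAP = struct.Struct(">HHHB")          # transaction id, protocol id, length, unit id
FC_READ_HOLDING_REGISTERS = 0x03
MAX_READ_REGISTERS = 125               # upper limit from the Modbus application protocol spec


def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into its MBAP header fields and the PDU."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(frame, 0)
    pdu = frame[MBAP.size:]
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    # The MBAP length counts the unit id byte plus the PDU that follows it.
    if length != 1 + len(pdu):
        raise ValueError(f"MBAP length {length} != {1 + len(pdu)} bytes on the wire")
    return {"transaction_id": tid, "unit_id": unit, "pdu": pdu}


def parse_read_holding_request(frame: bytes) -> dict:
    """Parse an FC 3 (Read Holding Registers) query: start address + word count."""
    hdr = parse_mbap(frame)
    pdu = hdr["pdu"]
    if len(pdu) != 5:
        raise ValueError("FC 3 request PDU must be exactly 5 bytes")
    fc, start, count = struct.unpack(">BHH", pdu)
    if fc != FC_READ_HOLDING_REGISTERS:
        raise ValueError(f"function code {fc} is not Read Holding Registers")
    if not 1 <= count <= MAX_READ_REGISTERS:
        raise ValueError(f"word count {count} outside 1..{MAX_READ_REGISTERS}")
    return {"transaction_id": hdr["transaction_id"], "unit_id": hdr["unit_id"],
            "function_code": fc, "reference_number": start, "word_count": count}


def parse_read_holding_response(frame: bytes, request: dict) -> dict:
    """Parse the FC 3 response that answers `request` and label each register."""
    hdr = parse_mbap(frame)
    pdu = hdr["pdu"]
    if hdr["transaction_id"] != request["transaction_id"]:
        raise ValueError("response transaction id does not match the request")
    fc = pdu[0]
    if fc & 0x80:  # exception response: function code with the high bit set, then exception code
        if len(pdu) < 2:
            raise ValueError("exception response is missing the exception code")
        return {"function_code": fc, "exception_code": pdu[1]}
    if fc != request["function_code"]:
        raise ValueError("response function code does not match the request")
    if len(pdu) < 2:
        raise ValueError("response PDU is missing the byte count")
    byte_count = pdu[1]
    expected = 2 * request["word_count"]   # each 16-bit register occupies 2 bytes
    if byte_count != expected or len(pdu) != 2 + byte_count:
        raise ValueError(f"byte count {byte_count}, expected {expected}")
    values = struct.unpack(f">{request['word_count']}H", pdu[2:])
    # Label registers by raw protocol address, counting up from the reference number.
    registers = {request["reference_number"] + i: v for i, v in enumerate(values)}
    return {"function_code": fc, "byte_count": byte_count, "registers": registers}


# Constructed sample exchange (not from the lab capture): read 2 holding registers
# starting at address 12300 (0x300C) from unit 1; the register values are made up.
SAMPLE_QUERY = bytes.fromhex("0001 0000 0006 01 03 300c 0002")
SAMPLE_RESPONSE = bytes.fromhex("0001 0000 0007 01 03 04 04d2 002a")
# Constructed exception reply (code 2, illegal data address) to the same transaction id.
SAMPLE_EXCEPTION = bytes.fromhex("0001 0000 0003 01 83 02")

if __name__ == "__main__":
    query = parse_read_holding_request(SAMPLE_QUERY)
    print(query)
    print(parse_read_holding_response(SAMPLE_RESPONSE, query))
    print(parse_read_holding_response(SAMPLE_EXCEPTION, query))
```

The request asks for a Word Count of 2 registers, so the matching response carries a Byte Count of 4: each UINT16 (unsigned 16-bit integer) register is two bytes on the wire. The parser also checks the transaction id, the MBAP length field and the byte count against the frame actually received, which is exactly the kind of consistency check a Modbus-aware firewall or IDS applies before trusting a frame.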
Before leaving this portion of the lab exercise, you are encouraged to modify your Wireshark Display Filter and look at the ICS communication taking
place on 102/tcp using the Siemens S7COMM protocol. This PLC supports both Modbus/TCP and Siemens S7COMM, and can serve the same data
using either protocol. If you look at packets 11579 and 11580, you can see the data request and response. Notice the different syntax used to access
the PLC internal registers with S7COMM by expanding the details in the “S7 Communication” ADU in the request packet 11579.
ANALYZING ETHERNET/IP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 2:00)
This section uses the “industrial-protocols-cip.pcap” network capture file downloaded in LAB EXERCISE 1 to study the Common Industrial Protocol (CIP) in its EtherNet/IP (EIP) form. This architecture consists of a Rockwell Automation Micro850 PLC (192.168.1.17) and an engineering workstation (192.168.1.97) running the Connected Components Workbench (CCW) software used to configure and monitor the PLC.
Open the file in all tools and provide anything you can find regarding the vendor, model, version, etc. of the PLC in the capture. Remember to consider the OUI portion of the hardware MAC address. You can also look up MAC OUIs on the Wireshark website (https://www.wireshark.org/tools/oui-lookup.html). The master list of registered OUI information can also be found on the IEEE standards website (http://standards-oui.ieee.org/oui.txt). This latter site can also provide information pertaining to the country of origin of the device.
QUESTION 1:
What can you determine about the PLC?
Using NetworkMiner, expand the PLC (192.168.1.17) and notice that NetworkMiner could not fully enumerate the device in terms of OS and device type as it was previously able to do with the Siemens S7 PLC.
Expand the Incoming sessions and notice that the PLC is acting as a server using port 44818/tcp. Expand this further to reveal information about the client.
QUESTION 2:
What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
QUESTION 3:
How long did this session last?
QUESTION 4:
How many host IP addresses does NetworkMiner show?
If you have not already noticed, the number of hosts is shown next to the “Hosts” tab in the top of the NetworkMiner window.
QUESTION 5:
How many of these IP addresses are IP Version 6 (IPv6)?
One of the IPv4 addresses shown is for multicast traffic using address 224.0.0.106. This is not really a host or device, but rather an address that can
be used to send traffic to multiple devices that subscribe to the session. You might also recall from the lecture that IPv6 uses a multicast address that
begins with “ff0”, so ff02::1:2 is also a multicast address.
QUESTION 6:
So, now how many HOST IPv4 addresses are on this network?
Notice the device NetworkMiner presents at IP address 169.254.2.2. This is a link-local (“self-assigned”, also called APIPA) address from 169.254.0.0/16, which a device gives itself if it does not receive one from a Dynamic Host Configuration Protocol (DHCP) server. Such an address can also be entered manually in the device's network configuration, allowing it to link and connect to an existing network.
From a cyber security perspective, these addresses are important because they can signify the presence of an unauthorized host on the network that is trying to remain inconspicuous. This is one way a device can connect to a network and “listen” for traffic to enumerate hosts and their communications.
Go back to Wireshark and open this packet capture file if not already done. Observe the first 25 packets and notice the broadcast traffic and other
layer 2 traffic like the Address Resolution Protocol (ARP), Link-Layer Discovery Protocol (LLDP), and Spanning Tree Protocol (STP).
Now let us look at the enumerated devices by selecting “Statistics” in the menu followed by “Endpoints”, and look at the “IPv4” results.
QUESTION 7:
How many IPv4 addresses are shown in Wireshark Endpoints?
Notice that 169.254.2.2 is not on this list, but if you select “Ethernet” you see 23 entries.
QUESTION 8:
What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
You can right-click the FF:FF:FF:FF:FF:FF address from the Endpoints – Ethernet listing and select “Apply as Filter” and “Selected” to view this traffic
in Wireshark. You will notice Address Resolution Protocol (ARP) and NetBIOS Name Service (NBNS) traffic.
Close the Endpoints summary and return to the main display. Open the Find feature by typing “Control+F” (that is, the Control key and the F key at the same time), set the search type to “String”, and enter “169.254.2.2”. If you expand the “Address Resolution Protocol (request)” shown in the Packet Details panel, you will find the Sender IP address of 169.254.2.2.
QUESTION 9:
What can you tell me about the manufacturer of this device?
(Hint: first look at how Wireshark “resolves” the MAC address, and then use the Wireshark OUI Lookup Tool)
If you entered only the OUI that was found from Wireshark, you probably saw a long list of manufacturers. If you append additional MAC information to the address and enter “00:50:c2:b3”, you will see an entry “00:50:C2:B3:20:00/36 Byres Security Inc”. This is a CIDR-type expression for a MAC address. Using the same logic that was presented in the lecture, you can take a string of 36 1's and logically “AND” it with the MAC address to extract the base address registered to Byres Security, with the remaining 12 bits available for device-specific addressing.
Each hexadecimal digit represents 4 bits. This means that the base address is “00:50:C2:B3:2”, and 2^12 or 4,096 devices can be assigned by the manufacturer to MAC addresses in the range “00:50:C2:B3:20:00” to “00:50:C2:B3:2F:FF”.
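The masking described above, generalized to any prefix length, as an added example that is not part of the course material. The functions below turn a CIDR-style MAC block such as “00:50:C2:B3:20:00/36” into its mask, first and last address and block size, test whether a MAC falls inside the block, and pick the longest matching registration from a registry excerpt. The registry dictionary is constructed for illustration; the IEEE file linked above is the source of truth.

```python
# CIDR-style MAC address blocks, as used in the IEEE registry for 36-bit
# assignments such as "00:50:C2:B3:20:00/36": the first 36 bits are the
# registered prefix and the remaining 12 bits belong to the manufacturer.
MAC_BITS = 48
MAC_MAX = (1 << MAC_BITS) - 1


def mac_to_int(mac: str) -> int:
    """Parse "00:50:c2:b3:2a:10" (colon- or dash-separated) into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Format a 48-bit integer as upper-case colon-separated hex octets."""
    return ":".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def mac_block(prefix: str) -> dict:
    """Describe a block like "00:50:C2:B3:20:00/36": mask, base, first/last address, size."""
    base_str, bits_str = prefix.split("/")
    bits = int(bits_str)
    if not 0 <= bits <= MAC_BITS:
        raise ValueError("prefix length must be between 0 and 48")
    mask = ((1 << bits) - 1) << (MAC_BITS - bits)   # `bits` ones followed by zeros
    base = mac_to_int(base_str) & mask               # AND away the device-specific bits
    return {
        "mask": mask,
        "base": base,
        "first": int_to_mac(base),
        "last": int_to_mac(base | (MAC_MAX ^ mask)),  # all device-specific bits set
        "size": 1 << (MAC_BITS - bits),
    }


def mac_in_block(mac: str, prefix: str) -> bool:
    """True if `mac` falls inside the registered block `prefix`."""
    blk = mac_block(prefix)
    return (mac_to_int(mac) & blk["mask"]) == blk["base"]


def lookup(mac: str, registry: dict) -> str:
    """Return the registrant of the longest matching block, or "unknown"."""
    best = None
    for prefix, owner in registry.items():
        if mac_in_block(mac, prefix):
            bits = int(prefix.split("/")[1])
            if best is None or bits > best[0]:
                best = (bits, owner)
    return best[1] if best else "unknown"


# Constructed registry excerpt for illustration only; the /24 owner is an assumption.
SAMPLE_REGISTRY = {
    "00:50:C2:00:00:00/24": "IEEE Registration Authority",
    "00:50:C2:B3:20:00/36": "Byres Security Inc",
}

if __name__ == "__main__":
    print(mac_block("00:50:C2:B3:20:00/36"))
    print(lookup("00:50:c2:b3:2a:10", SAMPLE_REGISTRY))
```

The longest-prefix rule in `lookup` is why the plain 24-bit OUI search returned a long list: the /24 is held by the registration authority and sub-allocated in /36 blocks, so only the longer prefix names the actual manufacturer.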
Let us now focus on traffic with the PLC (192.168.1.17).
QUESTION 10:
What would the Display Filter look like to filter out all traffic except that using the PLC?
Apply the filter now.
We are now going to walk through the communication that was shown during the lecture for Week 3 (slide 48), shown below as Figure 82.
Figure 82
The first step is to create an EtherNet/IP Session. This is performed using the “RegisterSession” Request command.
QUESTION 11:
What packet number did this occur?
QUESTION 12:
What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
The next step that occurs is the establishment of a CIP Connection using the CIP Connection Manager (CM) and issuing a “Forward Open” command.
QUESTION 13:
What packet number did this occur?
Did you notice that Wireshark recognizes this and labels the packet with a protocol of “CIP CM”? Notice that the CIP Connection Manager is at the highest part of the Application Layer in the Packet Details panel on the bottom.
QUESTION 14:
In what packet is the CIP Connection closed?
All of the communication between the opening and the closing of the CIP Connection is “explicit” “connected” CIP traffic using 44818/tcp. You might
want to refer back to lecture in Week 3 (slide 42) and shown below as Figure 83 to see what type of traffic was exchanged here.
Figure 83
QUESTION 15:
Is this traffic likely to be Critical or Non-Critical?
The application may or may not unregister the EtherNet/IP Session. This is not done with this session.
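The EtherNet/IP session establishment walked through above, as an added example that is not part of the course material or the capture. The Python below parses the 24-byte EtherNet/IP encapsulation header (all fields little-endian, the opposite of Modbus/TCP), builds the RegisterSession request an originator sends with a zero handle, validates the RegisterSession reply and extracts the Session Handle the target assigned, and then shows that later frames such as SendRRData (which carries the Forward Open) are tied to the session by that handle. The frames, the sender context and the handle value 0x1A2B are constructed for this example; a real target picks its own handle.

```python
import struct

# EtherNet/IP encapsulation header (24 bytes). Every multi-byte field is
# little-endian. Fields: command, length of the data that follows, session
# handle, status, sender context (8 opaque bytes the target echoes back), options.
ENCAP = struct.Struct("<HHII8sI")
COMMANDS = {
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",    # unconnected explicit messaging, e.g. Forward Open
    0x0070: "SendUnitData",  # connected explicit messaging
}
REGISTER_SESSION = 0x0065
SEND_RR_DATA = 0x006F
ENIP_PROTOCOL_VERSION = 1


def parse_encap(frame: bytes) -> dict:
    """Split an EtherNet/IP frame into its encapsulation header fields and data."""
    if len(frame) < ENCAP.size:
        raise ValueError("frame shorter than the 24-byte encapsulation header")
    cmd, length, handle, status, ctx, options = ENCAP.unpack_from(frame, 0)
    data = frame[ENCAP.size:]
    if length != len(data):
        raise ValueError(f"encapsulation length {length} != {len(data)} data bytes")
    return {
        "command": cmd,
        "command_name": COMMANDS.get(cmd, f"0x{cmd:04x}"),
        "session_handle": handle,
        "status": status,
        "sender_context": ctx,
        "options": options,
        "data": data,
    }


def build_register_session(sender_context: bytes = b"\x00" * 8) -> bytes:
    """Build the RegisterSession request an originator sends first (handle = 0)."""
    if len(sender_context) != 8:
        raise ValueError("sender context must be exactly 8 bytes")
    data = struct.pack("<HH", ENIP_PROTOCOL_VERSION, 0)  # protocol version, options flags
    return ENCAP.pack(REGISTER_SESSION, len(data), 0, 0, sender_context, 0) + data


def session_handle_from_reply(request: bytes, reply: bytes) -> int:
    """Validate a RegisterSession exchange and return the handle the target assigned."""
    req, rep = parse_encap(request), parse_encap(reply)
    if req["command"] != REGISTER_SESSION or rep["command"] != REGISTER_SESSION:
        raise ValueError("not a RegisterSession request/reply pair")
    if rep["status"] != 0:
        raise ValueError(f"target rejected the session, status 0x{rep['status']:08x}")
    if rep["sender_context"] != req["sender_context"]:
        raise ValueError("reply does not echo the request's sender context")
    if len(rep["data"]) < 4:
        raise ValueError("RegisterSession reply is missing version/options")
    version, _flags = struct.unpack("<HH", rep["data"][:4])
    if version != ENIP_PROTOCOL_VERSION:
        raise ValueError(f"unsupported encapsulation protocol version {version}")
    if rep["session_handle"] == 0:
        raise ValueError("target returned a null session handle")
    return rep["session_handle"]


def commands_using_session(frames, handle: int) -> list:
    """Names of the encapsulation commands in `frames` that carry `handle`."""
    parsed = [parse_encap(f) for f in frames]
    return [p["command_name"] for p in parsed if p["session_handle"] == handle]


# Constructed sample exchange (not from the lab capture); the handle is made up.
SAMPLE_CONTEXT = b"lab-0001"
SAMPLE_REQUEST = build_register_session(SAMPLE_CONTEXT)
SAMPLE_HANDLE = 0x00001A2B
SAMPLE_REPLY = (ENCAP.pack(REGISTER_SESSION, 4, SAMPLE_HANDLE, 0, SAMPLE_CONTEXT, 0)
                + struct.pack("<HH", ENIP_PROTOCOL_VERSION, 0))
# Minimal constructed SendRRData carrying the new handle: interface handle,
# timeout, and an empty Common Packet Format item list (item count 0).
SAMPLE_RRDATA = (ENCAP.pack(SEND_RR_DATA, 8, SAMPLE_HANDLE, 0, SAMPLE_CONTEXT, 0)
                 + struct.pack("<IHH", 0, 0, 0))

if __name__ == "__main__":
    handle = session_handle_from_reply(SAMPLE_REQUEST, SAMPLE_REPLY)
    print(f"session handle: 0x{handle:08x}")
    print(commands_using_session([SAMPLE_REQUEST, SAMPLE_REPLY, SAMPLE_RRDATA], handle))
```

Note that the handle is the only thing binding later commands to the session and it travels in cleartext, which is why a Wireshark filter on the session handle value reproduces the whole RegisterSession to Forward Close sequence for one client, and why it offers no protection against a host on the same network that has seen it.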
LAB EXERCISE 1 (W4):
NETWORK ANALYSIS TOOLS
PART 2: ANALYZING ICS NETWORK TRAFFIC WITH NETWORK ANALYSIS TOOLS
Analyzing SMB Traffic
How long did it take you to complete the section on SMB?
1. What would the Wireshark Display Filter look like?
2. What packet number does this occur in?
3. What layer would you expect the “NetBIOS Session Service” to reside?
4. What would your new Display Filter look like? (Hint: you will need to use a logical “AND”)
5. What packet number contains this request?
6. What would your new Display Filter look like? (Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
7. List some of the files that you see transferred across this connection.
8. What packet number contains this file?
9. What other text file ending in .txt was transferred in this capture file?
10. Provide the name and contents of the file(s)
11. What ports is the Domain Server servicing (i.e. the Destination port) in this example containing the two text files?
12. What service is used on each of these ports? (Hint: use Wireshark and a web search)
13. What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
14. What service do you think that server is running?
15. What are the contents of this file?
16. What packet number was this file first referenced in?
17. What did you find?
18. How many “groups” or “networks” are shown?
(Consider a network as more than one device)
19. Which network(s) appear to have connections to external devices on the public Internet?
20. What countries do these addresses most likely reside in? (Hint: View Details for the address by right-clicking)
21. What transport, port number, and service(s) are used in the external connections? (Hint: View Frames for the details of the packets by right-clicking)
22. Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
23. Do you know what the destination IP addresses represent?
Analyzing Modbus/TCP (MBT) Traffic
How long did it take you to complete the section on Modbus/TCP?
1. What would the Display Filter look like?
2. What ports are being used by the PLC (192.168.1.5) for incoming sessions?
3. What is the most common service used by each of the TCP port numbers?
4. What is the manufacturer of the PLC?
5. Where did you find this information?
6. Is there more information about the manufacturer?
7. What information is provided here that was not provided with Wireshark?
8. What ports are listed under the “Incoming” sessions where the PLC would act as a server?
9. What TCP port is used by Modbus/TCP?
10. What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way handshakes if possible?
11. What packet number did this occur?
12. Why does it show two in this case?
13. What is contained in the “Modbus” portion of the frame?
14. What Function Code is used here?
15. What is the meaning of this Function Code?
16. What is the meaning of the “Reference Number”?
17. What is the meaning of the “Word Count”?
18. What packet number did this occur?
19. What is the value stored in Register Number 12300?
20. What does “UINT16” stand for?
21. Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
Analyzing EtherNet/IP (EIP) Traffic
How long did it take you to complete the section on EtherNet/IP?
1. What can you determine about this PLC?
2. What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
3. How long did this session last?
4. How many host IP addresses does NetworkMiner show?
5. How many of these IP addresses are IP Version 6 (IPv6)?
6. So, now how many HOST IPv4 addresses are on this network?
7. How many IPv4 addresses are shown in Wireshark Endpoints?
8. What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
9. What can you tell me about the manufacturer of this device?
(Hint: use the Wireshark OUI Lookup Tool)
10. What would the Display Filter look like to filter out all traffic except that using the PLC?
11. What packet number did this occur?
12. What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
13. What packet number did this occur?
14. What packet is the CIP Connection closed?
15. Is this traffic likely to be Time Critical or Non-Time Critical?
Analyzing OPC Data Access (OPC-DA) Traffic
How long did it take you to complete the section on OPC-DA?
1. Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform operating system they are likely running, and what services and ports are being used.
2. What does DCOM stand for?
3. What packet number represents this action?
4. What endian is the data for this session using?
5. What username is used to authenticate the client against the server?
6. Looking at the “RemoteCreateInstance request” packet, what frame number contains the response? (Hint: look in the Application Layer details)
7. What types of information can you decipher from this ASCII data?
8. What is this port number?
9. What number is shown for “StringBinding[2]” “NetworkAddr”?
10. What is the new TCP port number that will be used for the remaining data exchange session?
11. Is this the same port?
12. What is the new Display Filter that was automatically created?
PART 3: LAB EVALUATION
Did you find this lab useful?
What would you like to see changed?
Do not forget to submit the PCAP file you used at the beginning of the lab under “Using Wireshark”. There is an 8MB site limit on the file size of uploads. If your PCAP file is larger than 8MB, please notify the instructor for alternate instructions.
CSCI 397.01W | CSCI 397.61W © 2012-2020 ICSCSI LLC
Fundamentals of Industrial Control System Cyber Security
Fall 2020 CSCI 397 F20 – Lab Exercise 1
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: OBJECTIVES
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=175
Copyright (c) 2016-2020 ICSCSI LLC. All rights reserved.
Fundamentals of Industrial Control System Cyber Security
Analyzing ICS Network Traffic with Network Analysis Tools
OBJECTIVES
Unlike the first part of this lab exercise that used a lot of illustrations to introduce new tools and capabilities, this part will focus on using these tools to perform analysis of different types of industrial and business communications that occur on the network. Each section will ask you to perform a variety of tasks using a set of network captures that should be downloaded from LAB EXERCISE 1. The lab exercise submittal document also contains sections that must be completed based on the tasks given within the lab exercise.
This exercise has the following objectives:
1. Download and open a network packet capture (pcap) file in each of the three network analysis tools. This pcap file contains a diversified collection of network protocols where you will investigate the Server Message Block (SMB) used to exchange files between Windows host computers.
2. Using the same pcap file as Step 1 above, isolate and analyze the Modbus/TCP traffic that occurs between a Windows computer and a PLC.
3. Download and open a pcap file containing Common Industrial Protocol (CIP) traffic that occurs between a Windows computer and a PLC.
4. Download and open a pcap file containing Open Platform Communication (OPC) Data Access traffic that occurs between an OPC Server and a Windows computer.
LAB EXERCISE 1 contains the file downloads needed for this exercise, along with the submittal document containing questions that will be discussed throughout the exercise. Do not forget to submit your files when you have completed this activity.
(Note: problems may occur if using Google Chrome as a browser where it tries to open links in Google Docs. The “Docs PDF/PowerPoint Viewer (by Google)” extension must be disabled or removed.)
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING OPC-DATA ACCESS TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=83
ANALYZING OPC-DATA ACCESS TRAFFIC
(EXPECTED TIME TO COMPLETE = 10 minutes | 2:20)
This section will use the “industrial-protocols-opc.pcap” network capture file downloaded in LAB EXERCISE 1 to study OPC Data Access (OPC-DA) communications. Unlike the previous cases with SMB, Modbus, and EtherNet/IP where you were given the architecture, in this exercise you will determine the hosts and their relationships without guidance.
QUESTION 1:
Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform operating system they are likely running, and what services and ports are being used.
From the section heading, it is obvious that the OPC Data Access protocol will be analyzed. During lecture it was mentioned that “classic” OPC-DA presented many new challenges to the manufacturing world. The dependence on the Microsoft COM/DCOM infrastructure limited the usability of the technology to strictly Windows-based computing platforms.
QUESTION 2:
What does DCOM stand for?
OPC-DA was originally released in 1996, and in 2003 when the Blaster worm exploited vulnerabilities in the Windows Remote Procedure Call (RPC) service, Microsoft responded with the introduction of the Windows Firewall in Windows XP Service Pack 2. The design of OPC and how it performed a “hand-off” from one communication port (135/tcp) to another service port, caused by the dynamic port allocation within RPC, made it inoperable immediately after users installed XP-SP2.
The answer for many was to disable the Windows Firewall to keep their OPC-DA connections alive. This introduced even more problems as industry worked to address security and usability at the same time.
In the lecture, the basic process of an OPC session was reviewed. In this part of the lab exercise, you will follow the session and observe how this technology operates.
Most of this exercise will be at the packet level, so Wireshark will be the easiest tool to use.
The first step in establishing an OPC connection from the client to the server is a Distributed Computing Environment (DCE) / Remote Procedure Call (RPC) “Bind” command.
QUESTION 3:
What packet number represents this action?
Select the packet referenced with the “Bind” command, and expand the “Distributed Computing Environment / Remote Procedure Call” Application Layer in the data panel on the bottom. Notice the “Data Representation” entry.
QUESTION 4:
What endian is the data for this session using?
The Bind is then acknowledged by the server and the client then attempts authentication against the server.
QUESTION 5:
What username is used to authenticate the client against the server?
The client then establishes a “connection” by sending a “RemoteCreateInstance request” to the server.
QUESTION 6:
Looking at the “RemoteCreateInstance request” packet, what frame number contains the response?
(Hint: look in the Application Layer details)
Now using this response frame and the IP addresses for the client and the server, use the bottom “Packet Bytes” panel of Wireshark that shows raw data to look for ASCII character-based patterns. You should be able to recognize a large portion of the data that is visible here.
QUESTION 7:
What types of information can you decipher from this ASCII data?
If you are having trouble, move to the first DCERPC “Request” frame in the capture list and notice the TCP Destination Port.
QUESTION 8:
What is this port number?
Now go back to the “RemoteCreateInstance response” frame and look again … look for a pattern of ASCII characters that represent an IPv4 address. If you click the text panel over the ASCII numbers that look like an IPv4 address, Wireshark will find this dissected information in the other “Packet Details” panel.
QUESTION 9:
What number is shown for “StringBinding[2]” “NetworkAddr”?
QUESTION 10:
What is the new TCP port number that will be used for the remaining data exchange session?
Go forward to the first DCERPC “Request” frame and look at the TCP Destination Port.
QUESTION 11:
Is this the same port?
This cleartext “handoff” resulting from the dynamic port allocation of RPC makes it easy for security appliances to follow this conversation and create a dynamic rule that will open the newly assigned ports. Without this feature, a firewall would need to open a range of ports defined within the DCOMCNFG service resulting in an unnecessary attack surface through the perimeter protected by the firewall.
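The following Python is an added example (not part of the lab or the course material) of how a stateful security appliance can follow this hand-off. It assumes the server's string binding has already been pulled out of the “RemoteCreateInstance response” in the standard DCE/RPC form protseq:address[port], the same address and port Wireshark shows under the StringBinding NetworkAddr; the host addresses, port numbers, event layout and class names are placeholders constructed for the example. The tracker allows the client to reach the OPC server on 135/tcp, opens exactly the one dynamic port the server announces for that client, and denies everything else, which is the alternative to opening the whole DCOMCNFG port range.

```python
import re
from typing import List, Set, Tuple

# DCE/RPC string binding, e.g. "ncacn_ip_tcp:10.1.1.20[49153]":
# protocol sequence, network address and endpoint (the TCP port for ncacn_ip_tcp).
_BINDING_RE = re.compile(r"^(?P<protseq>[a-z_]+):(?P<addr>[^\[\]]+)\[(?P<endpoint>\d+)\]$")

RPC_ENDPOINT_MAPPER_PORT = 135   # the well-known port the OPC session starts on


def parse_string_binding(binding: str) -> Tuple[str, str, int]:
    """Split a string binding into (protocol sequence, address, port)."""
    m = _BINDING_RE.match(binding)
    if not m:
        raise ValueError(f"not a string binding: {binding!r}")
    return m["protseq"], m["addr"], int(m["endpoint"])


class DcomHandoffTracker:
    """Stateful allow-list that follows the RPC hand-off from 135/tcp to a dynamic port.

    Static rule:  a known (client, server) pair may talk on 135/tcp only.
    Dynamic rule: when the server answers that client with a string binding
    announcing a new TCP endpoint, that one (client, server, port) triple is
    allowed until it is forgotten; every other connection is denied.
    """

    def __init__(self, static_pairs: Set[Tuple[str, str]]) -> None:
        self.static_pairs = static_pairs                   # (client, server) allowed to 135/tcp
        self.dynamic: Set[Tuple[str, str, int]] = set()    # learned (client, server, port)

    def observe_binding(self, server: str, client: str, binding: str) -> None:
        """Learn the follow-on port from a string binding the server sent to this client."""
        protseq, addr, port = parse_string_binding(binding)
        if protseq != "ncacn_ip_tcp":
            return                   # not a TCP/IP endpoint, nothing to open
        if addr != server:
            return                   # announce for some other host: do not trust it
        self.dynamic.add((client, server, port))

    def decide(self, client: str, server: str, dport: int) -> str:
        if dport == RPC_ENDPOINT_MAPPER_PORT and (client, server) in self.static_pairs:
            return "allow-static"
        if (client, server, dport) in self.dynamic:
            return "allow-dynamic"
        return "deny"


def replay(events: List[tuple], static_pairs: Set[Tuple[str, str]]) -> List[str]:
    """Feed constructed events through the tracker; return one decision per "connect" event."""
    tracker = DcomHandoffTracker(static_pairs)
    decisions: List[str] = []
    for ev in events:
        if ev[0] == "connect":
            _, client, server, dport = ev
            decisions.append(tracker.decide(client, server, dport))
        elif ev[0] == "binding":
            _, server, client, binding = ev
            tracker.observe_binding(server, client, binding)
    return decisions


# Constructed session (hosts and ports are placeholders, not values from the lab capture)
OPC_CLIENT, OPC_SERVER, OTHER_HOST = "10.1.1.60", "10.1.1.20", "10.1.1.77"
SAMPLE_EVENTS = [
    ("connect", OPC_CLIENT, OPC_SERVER, 135),                               # Bind / RemoteCreateInstance
    ("binding", OPC_SERVER, OPC_CLIENT, "ncacn_ip_tcp:10.1.1.20[49153]"),   # StringBinding in the response
    ("connect", OPC_CLIENT, OPC_SERVER, 49153),                             # follow-on data session
    ("connect", OPC_CLIENT, OPC_SERVER, 49200),                             # port never announced
    ("connect", OTHER_HOST, OPC_SERVER, 49153),                             # right port, wrong client
]

if __name__ == "__main__":
    connects = [e for e in SAMPLE_EVENTS if e[0] == "connect"]
    for ev, decision in zip(connects, replay(SAMPLE_EVENTS, {(OPC_CLIENT, OPC_SERVER)})):
        print(ev[1:], decision)
```

The dynamic entry is keyed on the client as well as the port, so a third host that learns the port by sniffing the cleartext hand-off is still denied; a real appliance would also age the entry out when the TCP session closes.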
It is possible to create a Wireshark Display Filter to look for this “handoff”. If you expand the “ISystemActivator” portion of the ADU in packet 9, you can right-click on “Operation: RemoteCreateInstance (4)” and select “Apply as Filter” and “Selected”. The Display Filter is automatically generated and placed in the Display Filter entry line at the top of Wireshark.
QUESTION 12:
What is the new Display Filter that was automatically created?
We will look at this in the last two lecture sections of the course.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING SMB TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=81
ANALYZING SMB TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:20)
The remainder of the lab exercise will focus on applying some basic skills using the three network analysis tools. This first portion applies to common IT protocols and services. You are encouraged to spend some free time experimenting on your personal network. This section will show you how to extract file data from a network capture. You can re-create this on your home network by sharing a file between two devices while you run Wireshark on one of them. Feel free to share your thoughts in the LAB EXERCISE 1 submittal. Questions will be asked throughout this section – your answers should be provided on the LAB EXERCISE 1 submittal document.
This section will use the “multi-network-architecture.pcap” network capture file downloaded in LAB EXERCISE 1. Begin by opening this file in all three network analysis tools – GrassMarlin, NetworkMiner, and Wireshark.
The Server Message Block or SMB is an Application Layer protocol used by multiple operating systems to allow sharing of files across the network. It is also known by the name Common Internet File System (CIFS). In a Windows environment, it can also be used for legacy NetBIOS traffic, and facilitates an access mechanism for inter-process communications (IPC) via the IPC$ administrative file share using named pipes.
In the network capture provided, there are primarily two major types of communications using 445/tcp: [1] authentication between Windows Domain Members (10.1.1.60, 10.1.1.251) and Windows Domain Servers (10.1.1.1), and [2] file sharing services between clients (172.16.100.240) and the Windows Server (10.1.1.1).
Using Wireshark, create a Display Filter that will narrow the traffic down to just these three assets.
QUESTION 1:
What would the Wireshark Display Filter look like?
Apply the filter now.
You will notice that there is more than just SMB traffic using 445/tcp. You should scroll down the filtered packet list and find the start of the 3-way handshake for the first occurrence of traffic using 445/tcp.
QUESTION 2:
What packet number does this occur?
One of the protocols that SMB uses is the NetBIOS Session Service. This should be the first set of packets following the successful completion of the 3-way handshake. Using the data panel within Wireshark, along with what you learned during Week 3, you can identify the position in the OSI 7-Layer Model for the protocol.
QUESTION 3:
What layer would you expect the “NetBIOS Session Service” to reside in?
Now let us append to the existing Display Filter to limit the information displayed to only contain traffic using the SMB protocol.
QUESTION 4:
What would your new Display Filter look like?
(Hint: you will need to use a logical “AND”)
Apply the filter now.
You should notice that the 3-way handshake is no longer displayed because the filter is looking for traffic using the SMB protocol. The 3-way handshake is establishing a connection on 445/tcp which may not be for SMB in all cases.
Find the first SMB packet after the handshake completes between 10.1.1.60 (client) and 10.1.1.1 (server). This should be “Negotiate Protocol Request”.
QUESTION 5:
What packet number contains this request?
Scroll down and observe the sessions that follow. Most of the traffic at this point is associated with a domain login occurring between 10.1.1.60 and 10.1.1.1 and the exchange of policy information that follows.
What we are really trying to find is the transferring of files across the network using SMB on 445/tcp. We can do this by appending a Display Filter that displays SMB Transaction2 Extensions that will show the browsing of remote directories and identification of files that will be transferred. This is done using “smb.trans2.cmd” and “ANDing” it with the previous Display Filter limiting traffic to SMB.
QUESTION 6:
What would your new Display Filter look like?
(Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
Your Display Filter should start to look like “… && smb && smb.trans2.cmd”.
Apply the filter now.
QUESTION 7:
List some of the files that you see transferred across this connection
It is important to understand that just because username/password authentication is encrypted does not mean that all the traffic that is transferred after authentication is also encrypted. We are going to see what files have been transferred in cleartext across the network!
Wireshark provides the ability to export certain Objects that are contained in network traffic. You can access this by selecting “File” from the menu, and “Export Objects” at the bottom. For this exercise, select “SMB”.
The packet numbers on the Export report correspond to the packet that “completed” the transfer. Search for the file “shared_file_on_server.txt”.
QUESTION 8:
What packet number contains this file?
QUESTION 9:
What other text file ending in “.txt” was transferred in this capture file?
Save the contents of both .txt files to your local hard disk, and open each of them (using Notepad, Wordpad, Write, etc.).
QUESTION 10:
Provide the name and contents of the file(s)
Now, switch to NetworkMiner and if you have not already done so, select “File” -> “Open” to import the capture file. Notice how NetworkMiner provides a basic inventory of devices on the network.
Select the “Files” tab at the top. You should see a similar list of files that were extracted from the capture file. You will notice on the “Files” tab that information about the Source and Destination TCP port number is provided. You can also see that NetworkMiner has automatically downloaded the files and placed them in a temporary directory on your local hard disk. This is listed in the “Reconstructed file path” column.
QUESTION 11:
What ports is the Domain Server servicing (e.g. the Destination port) in this example containing the two text files?
Go to the “Hosts” tab in NetworkMiner and expand the information for the Domain Server (10.1.1.1). It summarizes the Incoming and Outgoing sessions. Expand the Incoming sessions by clicking the “+”. You will notice more than just our SMB traffic has been accessing the server. Four additional TCP sessions have been enumerated.
QUESTION 12:
What service is used on each of these ports?
(Hint: use Wireshark and a web search)
NetworkMiner also enumerates Outgoing sessions for the Domain Server. Expand the Outgoing sessions and review the information presented.
QUESTION 13:
What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
QUESTION 14:
What service do you think that server is running?
Go back to the “Files” tab and look for the sessions between the Domain Server (10.1.1.1) and this other “server” (10.1.1.254). Notice that you see additional files that were not available from Wireshark. These files are the TLS certificates used to connect to the other “server” using HTTPS on 443/tcp.
Find the file “shared_file_on_server…”, and open it by right-clicking and selecting “Open file” to view its contents.
QUESTION 15:
What are the contents of this file?
QUESTION 16:
What packet number was this file first referenced in?
Go back to Wireshark and look for this packet number. You will have to clear the Display Filter if you have not already done so. Right-click on the packet and select “Follow” and “TCP Stream”. This will display all the packets in the session as a contiguous data stream.
Enter “abcd1234” in the Find field at the bottom and select “Find Next”.
QUESTION 17:
What did you find?
Now, go to GrassMarlin and look at the visualization of the packet capture data. If you have not already done so, import the capture file into GrassMarlin. GrassMarlin defaults to defining networks using a CIDR /24. The networks are listed in a tabular fashion on the left, and visually in the center.
QUESTION 18:
How many “groups” or “networks” are shown?
(Consider a network as more than one device)
You should notice a couple of networks that contain only two assets, one having an IP address that ends with .255. Remember that this is the Broadcast Address for that particular network, and does not usually reflect a physical device. This can easily be confirmed by looking at the hardware MAC address, and can be done by right-clicking the shaded area containing the address. If the MAC address is “FF:FF:FF:FF:FF:FF”, then it is the Broadcast Address.
QUESTION 19:
Which network(s) appear to have connections to external devices on the public Internet?
QUESTION 20:
What countries do these addresses most likely reside in?
(Hint: View Details for the address by right-clicking)
QUESTION 21:
What transport, port number, and service(s) are used in the external connections?
(Hint: View Frames for the details of the packets)
QUESTION 22:
Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
QUESTION 23:
Do you know what the destination IP addresses represent?
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING MODBUS/TCP TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=168
ANALYZING MODBUS/TCP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:40)
Using the same “multi-network-architecture.pcap” file from the Analysis of SMB Traffic section, let us now focus on ICS protocols and traffic. This portion will analyze traffic using the Modbus/TCP protocol over 502/tcp. The architecture consists of a PLC (192.168.1.5), an HMI (192.168.1.129), and a SCADA Server (192.168.1.60).
You can use CIDR notation to create a Display Filter in Wireshark that will narrow the traffic down to just this 192.168.1.0/24 network.
QUESTION 1:
What would the Display Filter look like?
Apply the filter now.
Using Wireshark “Conversations” under the “Statistics” menu, select the “TCP” tab. The report shows all the traffic in the capture file, so look at the bottom and select “Limit to display filter” to simplify the report.
QUESTION 2:
What ports are being used by the PLC (192.168.1.5) for incoming sessions?
QUESTION 3:
What is the most common service used by each of the TCP port numbers?
QUESTION 4:
What is the manufacturer of the PLC?
QUESTION 5:
Where did you find this information?
Let us focus on the same host address using NetworkMiner. Find the PLC (192.168.1.5). Notice that “Siemens” is presented with the IP address. Expand the device by clicking the “+” sign.
QUESTION 6:
Is there more information about the manufacturer?
Expand the “OS: Siemens” entry.
QUESTION 7:
What information is provided here that was not provided with Wireshark?
QUESTION 8:
What ports are listed under the “Incoming” sessions where the PLC would act as a server?
NetworkMiner uses device signatures to help enumerate the actual device that is present, a feature not possible with Wireshark. The Satori TCP database was used to fingerprint the Siemens PLC. One of the instructors of this course has been actively working with the developer of NetworkMiner to expand this library.
The one piece of information that NetworkMiner is not able to provide is that relating to the Application Layer and the associated ADUs. Recall from the lecture that Wireshark has protocol “dissectors” that allow the packet to be broken down extracting headers from data units. These data units can be further broken down into function codes and data elements.
So, let us return to Wireshark and analyze the Modbus/TCP Application Layer protocol.
QUESTION 9:
What TCP port is used by Modbus/TCP?
QUESTION 10:
What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way handshakes if possible?
If you go to the very top of the display, you can see the actual handshake that took place. That is the benefit of generating traffic in a lab versus in the real world. This handshake occurred only a single time throughout the five minutes of traffic collected.
Search for the first Modbus/TCP “Query” packet.
QUESTION 11:
What packet number did this occur?
Select the packet and observe the display panel below that displays the various layers of the OSI Model. Two Application Layer entries are provided: Modbus/TCP and Modbus.
QUESTION 12:
Why does it show two in this case?
Referring to the lecture material (slide 35) and shown below as Figure 81, what is contained in the “Modbus/TCP” portion of the frame?
QUESTION 13:
What is contained in the “Modbus” portion of the frame?
Figure 81
QUESTION 14:
What Function Code is used here?
QUESTION 15:
What is the meaning of this Function Code?
QUESTION 16:
What is the meaning of the “Reference Number”?
QUESTION 17:
What is the meaning of the “Word Count”?
(Hint: several good documents were referenced in the lecture that dissect the complete Modbus/TCP frame)
Look at the associated Modbus/TCP “Response” packet. This might help you answer the question above!
QUESTION 18:
What packet number did this occur?
QUESTION 19:
What is the value stored in Register Number 12300?
QUESTION 20:
What does “UINT16” stand for?
QUESTION 21:
21. Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
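As an added example that is not part of the lab or the course material, the following Python parses a constructed Modbus/TCP Read Holding Registers (Function Code 3) request and response, so the fields asked about above (Function Code, Reference Number, Word Count, the UINT16 registers and the Byte Count) can be seen being decoded and checked in code. The sample frames, transaction id, unit id and register values are constructed for the example, not taken from the lab capture; the assumption that registers are numbered upward from the Reference Number follows the way Wireshark labels them in the dissected response.

```python
import struct
from typing import Dict

# Function Code 3 = Read Holding Registers (Modbus Application Protocol)
READ_HOLDING_REGISTERS = 0x03


def parse_mbap(frame: bytes) -> Dict[str, object]:
    """Split a Modbus/TCP frame into its MBAP header and the Modbus PDU.

    MBAP = Transaction Id (2) + Protocol Id (2) + Length (2) + Unit Id (1), big-endian.
    Length counts every byte after the Length field (Unit Id + PDU), so a
    value that disagrees with the bytes actually present marks a malformed frame.
    """
    if len(frame) < 7:
        raise ValueError("frame shorter than the 7-byte MBAP header")
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (0)")
    pdu = frame[7:]
    if length != len(pdu) + 1:
        raise ValueError(f"MBAP length {length} != {len(pdu) + 1} bytes present")
    return {"transaction_id": trans_id, "unit_id": unit_id, "pdu": pdu}


def parse_read_holding_request(pdu: bytes) -> Dict[str, int]:
    """Request PDU: Function Code (1) + Reference Number (2) + Word Count (2)."""
    if len(pdu) < 5:
        raise ValueError("request PDU truncated")
    func, reference, word_count = struct.unpack(">BHH", pdu[:5])
    if func != READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code {func}")
    if not 1 <= word_count <= 125:      # limit set by the Modbus specification
        raise ValueError(f"word count {word_count} outside 1..125")
    return {"function_code": func, "reference_number": reference, "word_count": word_count}


def parse_read_holding_response(pdu: bytes, request: Dict[str, int]) -> Dict[str, object]:
    """Response PDU: Function Code (1) + Byte Count (1) + Byte Count bytes of register data.

    Every holding register is a 16-bit unsigned integer (UINT16), which is why the
    Byte Count must equal twice the Word Count of the matching request.
    """
    if len(pdu) < 2:
        raise ValueError("response PDU truncated")
    func, byte_count = struct.unpack(">BB", pdu[:2])
    if func & 0x80:                      # high bit set = exception response
        raise ValueError(f"exception response, exception code {pdu[1]}")
    if func != request["function_code"]:
        raise ValueError("response function code does not match the request")
    if byte_count != 2 * request["word_count"]:
        raise ValueError(f"byte count {byte_count} != 2 * word count {request['word_count']}")
    data = pdu[2:2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("response data shorter than byte count")
    values = struct.unpack(f">{byte_count // 2}H", data)
    base = request["reference_number"]   # assumption: registers numbered from the Reference Number
    return {"byte_count": byte_count, "registers": {base + i: v for i, v in enumerate(values)}}


def decode_exchange(request_frame: bytes, response_frame: bytes) -> Dict[str, object]:
    """Pair a request with its response (same Transaction Id) and decode both."""
    req = parse_mbap(request_frame)
    rsp = parse_mbap(response_frame)
    if req["transaction_id"] != rsp["transaction_id"]:
        raise ValueError("transaction ids differ: response does not belong to this request")
    request = parse_read_holding_request(req["pdu"])
    response = parse_read_holding_response(rsp["pdu"], request)
    return {"request": request, "response": response}


# Constructed sample frames (not taken from the lab capture):
# request: trans 1, proto 0, length 6, unit 1 | FC 3, reference 12300 (0x300c), word count 2
SAMPLE_REQUEST = bytes.fromhex("0001 0000 0006 01 03 300c 0002")
# response: trans 1, proto 0, length 7, unit 1 | FC 3, byte count 4, registers 0x01f4, 0x0000
SAMPLE_RESPONSE = bytes.fromhex("0001 0000 0007 01 03 04 01f4 0000")

if __name__ == "__main__":
    print(decode_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

The length and byte-count checks are the same consistency checks a protocol-aware IDS applies before it trusts a dissected value; a frame whose MBAP Length or Byte Count disagrees with what is on the wire is rejected instead of being decoded on a best-effort basis.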
Before leaving this portion of the lab exercise, you are encouraged to modify your Wireshark Display Filter and look at the ICS communication taking place on 102/tcp using the Siemens S7COMM protocol. This PLC supports both Modbus/TCP and Siemens S7COMM, and can serve the same data using either protocol. If you look at packets 11579 and 11580, you can see the data request and response. Notice the different syntax used to access the PLC internal registers with S7COMM by expanding the details in the “S7 Communication” ADU in the request packet 11579.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING ETHERNET/IP TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=174
ANALYZING ETHERNET/IP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 2:00)
This section will use the “industrial-protocols-cip.pcap” network capture file downloaded in LAB EXERCISE 1 to study the Common Industrial Protocol (CIP) in its EtherNet/IP (EIP) form. This architecture consists of a Rockwell Automation Micro850 PLC (192.168.1.17) and an engineering workstation (192.168.1.97) running the Connected Components Workbench (CCW) software used to configure and monitor the PLC.
Open the file in all tools and provide anything you can find regarding the vendor, model, version, etc. of the PLC in the capture. Remember to consider the OUI portion of the hardware MAC address. You can also look up MAC OUI’s on the Wireshark website (https://www.wireshark.org/tools/oui-lookup.html). The master list of registered OUI information can also be found on the IEEE standards website (http://standards-oui.ieee.org/oui.txt). This latter site can also provide information pertaining to the country of origin of the device.
QUESTION 1:
What can you determine about the PLC?
Using NetworkMiner, expand the PLC (192.168.1.17) and notice that NetworkMiner could not fully enumerate the device in terms of OS and device type like it was previously able to do with the Siemens S7 PLC.
Expand the Incoming sessions and notice that the PLC is acting as a server using port 44818/tcp. Expand this further to reveal information about the client.
QUESTION 2:
What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
QUESTION 3:
How long did this session last?
QUESTION 4:
How many host IP addresses does NetworkMiner show?
If you have not already noticed, the number of hosts is shown next to the “Hosts” tab in the top of the NetworkMiner window.
QUESTION 5:
How many of these IP addresses are IP Version 6 (IPv6)?
One of the IPv4 addresses shown is for multicast traffic using address 224.0.0.106. This is not really a host or device, but rather an address that can be used to send traffic to multiple devices that subscribe to the session. You might also recall from the lecture that IPv6 uses a multicast address that begins with “ff0”, so ff02::1:2 is also a multicast address.
QUESTION 6:
So, now how many HOST IPv4 addresses are on this network?
Notice the device NetworkMiner presents at IP address 169.254.2.2. This is known as a “self-assigned” IP address and is what a device gives itself if it does not receive one from a Dynamic Host Configuration Protocol (DHCP) server. This is also an address that can be manually entered in the device network configuration, allowing it to link and connect to an existing network.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING ETHERNET/IP TRAFFIC
From a cyber security perspective, these addresses are important because they can signify the presence of an unauthorized host on the network that is trying to remain hidden. This is one way a device can connect to a network and “listen” for traffic to enumerate hosts and their communications.
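The host-counting questions above (multicast, self-assigned and broadcast addresses versus real hosts) can be worked through in code. The following Python script is an added example and is not part of the lesson or of the NetworkMiner tool; its host list is constructed for the example (only 192.168.1.17, 192.168.1.97, 224.0.0.106, 169.254.2.2 and ff02::1:2 come from the lesson text), and the 192.168.1.0/24 segment is an assumption.

```python
import ipaddress

# Constructed sample inventory (not taken from the lab capture): the kinds of
# entries NetworkMiner lists under "Hosts" for a small ICS segment.
SAMPLE_HOSTS = [
    "192.168.1.17",   # PLC (from the lesson text)
    "192.168.1.97",   # engineering workstation (from the lesson text)
    "192.168.1.1",    # constructed: a router
    "192.168.1.255",  # constructed: directed broadcast for 192.168.1.0/24
    "224.0.0.106",    # IPv4 multicast (from the lesson text)
    "169.254.2.2",    # self-assigned, i.e. link-local, IPv4 (from the lesson text)
    "ff02::1:2",      # IPv6 multicast (from the lesson text)
    "fe80::1",        # constructed: IPv6 link-local
]

# Assumption: the segment under review.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


def classify(addr, local_net=LOCAL_NET):
    """Return one of 'broadcast', 'multicast', 'self-assigned' or 'host'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip == local_net.broadcast_address:
        return "broadcast"
    if ip.is_multicast:          # 224.0.0.0/4 for IPv4, ff00::/8 for IPv6
        return "multicast"
    if ip.is_link_local:         # 169.254.0.0/16 for IPv4, fe80::/10 for IPv6
        return "self-assigned"
    return "host"


def summarize(addrs, local_net=LOCAL_NET):
    """Counts answering 'how many entries', 'how many IPv6' and 'how many IPv4 hosts'."""
    counts = {"total": 0, "ipv6": 0, "ipv4_hosts": 0,
              "broadcast": 0, "multicast": 0, "self-assigned": 0}
    for a in addrs:
        ip = ipaddress.ip_address(a)
        kind = classify(a, local_net)
        counts["total"] += 1
        if ip.version == 6:
            counts["ipv6"] += 1
        if kind == "host":
            if ip.version == 4:
                counts["ipv4_hosts"] += 1
        else:
            counts[kind] += 1
    return counts


def review_candidates(addrs):
    """Self-assigned IPv4 entries deserve a second look: either a device that never
    received a DHCP lease, or one deliberately kept off the site's address plan."""
    return [a for a in addrs
            if classify(a) == "self-assigned" and ipaddress.ip_address(a).version == 4]


if __name__ == "__main__":
    print(summarize(SAMPLE_HOSTS))
    print("review:", review_candidates(SAMPLE_HOSTS))
```

The same classification can be applied to any host list exported from NetworkMiner or from the Wireshark Endpoints view; the "self-assigned" bucket is the one worth correlating against the asset inventory.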
Go back to Wireshark and open this packet capture file if not already done. Observe the first 25 packets and notice the broadcast traffic and other
layer 2 traffic like the Address Resolution Protocol (ARP), Link-Layer Discovery Protocol (LLDP), and Spanning Tree Protocol (STP).
Now let us look at the enumerated devices by selecting “Analyze” in the menu followed by “Endpoints” and look at the “IPv4” results.
QUESTION 7:
How many IPv4 addresses are shown in Wireshark Endpoints?
Notice that 169.254.2.2 is not on this list, but if you select “Ethernet” you see 23 entries.
QUESTION 8:
What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
You can right-click the FF:FF:FF:FF:FF:FF address from the Endpoints – Ethernet listing and select “Apply as Filter” and “Selected” to view this traffic
in Wireshark. You will notice Address Resolution Protocol (ARP) and NetBIOS Name Service (NBNS) traffic.
Close the Endpoints summary and return to the main display. Open the Find feature by typing “Control+C” (that is, the Control key and the C character key at the same time) and enter “169.254.2.2”. If you expand the “Address Resolution Protocol (request)” shown in the Packet Details panel, you will find the Sender IP address of 169.254.2.2.
QUESTION 9:
What can you tell me about the manufacturer of this device?
(Hint: first look at how Wireshark “resolves” the MAC address, and then use the Wireshark OUI Lookup Tool)
If you entered only the OUI that was found from Wireshark, you probably saw a long list of manufacturers. If you append additional MAC information to the address and enter “00:50:c2:b3”, you will see an entry “00:50:C2:B3:20:00/36 Byres Security Inc”. This is a CIDR-type expression for a MAC address. Using the same logic that was presented in the lecture, you can take a string of 36 1’s and logically “AND” it with the MAC address to extract the base address registered to Byres Security, with the remaining 12 bits allowed for device-specific addressing.
Each hexadecimal digit represents 4 bits. This means that the base address is “00:50:C2:B3:2”, and 2^12 or 4,096 devices can be assigned by the manufacturer to MAC addresses in the range of “00:50:C2:B3:20:00” to “00:50:C2:B3:2F:FF”.
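The masking just described can be checked with a short script. The following Python is an added example (not from the lesson or from the Wireshark OUI lookup tool); the 00:50:C2:B3:20:00/36 entry is the one quoted above, while the other addresses are constructed for the example.

```python
# Applying a CIDR-style mask to a 48-bit MAC address to find the registered
# block (a classic /24 OUI or one of the smaller /28 and /36 blocks).

def mac_to_int(mac):
    """'00:50:C2:B3:27:1A' (colon or dash separated) -> 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return int(digits, 16)


def int_to_mac(n):
    return ":".join(f"{(n >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def split_prefix(prefix):
    """'00:50:C2:B3:20:00/36' -> (base, bits, mask).
    The mask is `bits` ones followed by zeros, i.e. the value ANDed with a MAC."""
    base, bits = prefix.split("/")
    bits = int(bits)
    if not 0 < bits <= 48:
        raise ValueError("prefix length must be between 1 and 48")
    mask = ((1 << bits) - 1) << (48 - bits)
    return mac_to_int(base) & mask, bits, mask


def prefix_matches(mac, prefix):
    """True when the MAC falls inside the registered block."""
    base, _, mask = split_prefix(prefix)
    return mac_to_int(mac) & mask == base


def block_info(prefix):
    """Registered base written as hex digits, first and last assignable address, block size."""
    base, bits, mask = split_prefix(prefix)
    # 36 bits -> 9 hex digits, 24 bits -> 6 hex digits
    nibbles = f"{base >> (48 - bits):0{(bits + 3) // 4}X}"
    base_str = ":".join(nibbles[i:i + 2] for i in range(0, len(nibbles), 2))
    return {
        "base": base_str,
        "first": int_to_mac(base),
        "last": int_to_mac(base | (~mask & 0xFFFFFFFFFFFF)),
        "size": 1 << (48 - bits),
    }


if __name__ == "__main__":
    print(block_info("00:50:C2:B3:20:00/36"))
    # Constructed device address inside the Byres Security block
    print(prefix_matches("00:50:c2:b3:27:1a", "00:50:C2:B3:20:00/36"))
    # Constructed address under the same 00:50:C2 OUI but a different /36 block
    print(prefix_matches("00:50:C2:B3:31:00", "00:50:C2:B3:20:00/36"))
```

The second constructed address shares the first 24 bits with Byres Security, which is exactly why the plain OUI lookup returned a long list: 00:50:C2 is a shared registry block that the IEEE subdivides into /36 assignments.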
Let us now focus on traffic with the PLC (192.168.1.17).
QUESTION 10:
What would the Display Filter look like to filter out all traffic except that using the PLC?
Apply the filter now.
We are now going to walk through the communication that was shown during the lecture for Week 3 (slide 48), shown below as Figure 82.
Figure 82
The first step is to create an EtherNet/IP Session. This is performed using the “RegisterSession” Request command.
QUESTION 11:
In what packet number did this occur?
QUESTION 12:
What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
The next step that occurs is the establishment of a CIP Connection using the CIP Connection Manager (CM) and issuing a “Forward Open” command.
QUESTION 13:
In what packet number did this occur?
Did you notice that Wireshark recognizes this and labels the packet with a protocol of “CIP CM”? Notice that the CIP Connection Manager is at the highest part of the Application Layer in the Packet Details panel on the bottom.
QUESTION 14:
In what packet is the CIP Connection closed?
All of the communication between the opening and the closing of the CIP Connection is “explicit” “connected” CIP traffic using 44818/tcp. You might want to refer back to the lecture in Week 3 (slide 42), shown below as Figure 83, to see what type of traffic was exchanged here.
Copyright (c) 2016-2020 ICSCSI LLC. All rights reserved.
Figure 83
QUESTION 15:
Is this traffic likely to be Critical or Non-Critical?
The application may or may not unregister the EtherNet/IP Session. This is not done with this session.
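The encapsulation layer that carries the RegisterSession exchange, the CIP data and the (here absent) UnRegisterSession can be parsed and tracked per session. The following Python is an added example, not lesson or vendor code: the 24-byte encapsulation header layout and the command codes follow the public EtherNet/IP specification, while the frame numbers, the session handle 0x1A2B3C4D and the payload bytes are constructed and are not the answers to the questions above. The PLC and workstation addresses are the ones given for this capture.

```python
import struct

# EtherNet/IP encapsulation header: command, length, session handle, status,
# sender context (8 bytes), options. Little-endian, 24 bytes in total.
ENCAP = struct.Struct("<HHII8sI")

COMMANDS = {
    0x0000: "NOP", 0x0004: "ListServices", 0x0063: "ListIdentity",
    0x0064: "ListInterfaces", 0x0065: "RegisterSession",
    0x0066: "UnRegisterSession", 0x006F: "SendRRData", 0x0070: "SendUnitData",
}

PLC, WORKSTATION = "192.168.1.17", "192.168.1.97"   # from the lesson text


def build(command, session=0, data=b"", status=0):
    """Construct an encapsulation packet; used only to fabricate the sample frames."""
    return ENCAP.pack(command, len(data), session, status, b"\x00" * 8, 0) + data


def parse_encap(payload):
    """Dissect the header and check the advertised length against the payload."""
    if len(payload) < ENCAP.size:
        raise ValueError("truncated encapsulation header")
    cmd, length, session, status, _ctx, _opts = ENCAP.unpack_from(payload)
    if len(payload) - ENCAP.size != length:
        raise ValueError(f"length field {length} does not match payload")
    return {"command": COMMANDS.get(cmd, f"0x{cmd:04X}"), "session": session,
            "status": status, "data": payload[ENCAP.size:]}


def track_sessions(frames):
    """frames: iterable of (frame_no, src_ip, dst_ip, tcp_payload).
    Returns (sessions keyed by handle, list of (frame_no, reason) anomalies)."""
    sessions, anomalies = {}, []
    for no, src, dst, payload in frames:
        p = parse_encap(payload)
        if p["command"] == "RegisterSession":
            # The request carries handle 0; the server's response assigns the real handle.
            if p["session"] != 0 and p["status"] == 0:
                sessions[p["session"]] = {"server": src, "client": dst, "registered": no,
                                          "data_frames": [], "unregistered": None}
        elif p["command"] in ("SendRRData", "SendUnitData"):
            s = sessions.get(p["session"])
            if s is None:
                anomalies.append((no, f"{p['command']} with unknown handle 0x{p['session']:08X}"))
            else:
                s["data_frames"].append(no)
        elif p["command"] == "UnRegisterSession":
            s = sessions.get(p["session"])
            if s is None:
                anomalies.append((no, f"UnRegisterSession for unknown handle 0x{p['session']:08X}"))
            else:
                s["unregistered"] = no
    return sessions, anomalies


def still_open(sessions):
    """Handles registered but never unregistered, the case this lesson ends on."""
    return [h for h, s in sessions.items() if s["unregistered"] is None]


# Constructed frames: frame numbers, the handle and the data bytes are made up.
REGISTER_DATA = struct.pack("<HH", 1, 0)   # protocol version 1, option flags 0
SAMPLE_FRAMES = [
    (12, WORKSTATION, PLC, build(0x0065, 0, REGISTER_DATA)),            # RegisterSession request
    (13, PLC, WORKSTATION, build(0x0065, 0x1A2B3C4D, REGISTER_DATA)),   # RegisterSession response
    (14, WORKSTATION, PLC, build(0x006F, 0x1A2B3C4D, b"\x00" * 16)),    # SendRRData, placeholder CPF data
    (15, PLC, WORKSTATION, build(0x006F, 0x1A2B3C4D, b"\x00" * 16)),    # SendRRData reply, placeholder
    (40, "192.168.1.200", PLC, build(0x0070, 0xDEADBEEF, b"\x00" * 8)), # data for a handle never issued
]

if __name__ == "__main__":
    sessions, anomalies = track_sessions(SAMPLE_FRAMES)
    for handle, s in sessions.items():
        print(f"session 0x{handle:08X}: registered in frame {s['registered']}, "
              f"data frames {s['data_frames']}, unregistered: {s['unregistered']}")
    print("still open:", [f"0x{h:08X}" for h in still_open(sessions)])
    print("anomalies:", anomalies)
```

Tracking handles this way gives a defender two checks: data commands that reference a handle the PLC never issued, and sessions that stay registered after the application goes quiet.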
LAB EXERCISE 1 (W4):
NETWORK ANALYSIS TOOLS
PART 2: ANALYZING ICS NETWORK TRAFFIC WITH NETWORK ANALYSIS TOOLS
Analyzing SMB Traffic
How long did it take you to complete the section on SMB?
1. What would the Wireshark Display Filter look like?
2. What packet number does this occur in?
3. What layer would you expect the “NetBIOS Session Service” to reside?
4. What would your new Display Filter look like? (Hint: you will need to use a logical “AND”)
5. What packet number contains this file?
6. What would your new Display Filter look like? (Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
7. List some of the files that you see transferred across this connection.
8. What packet number contains this file?
9. What other text file ending in .txt was transferred in this capture file?
10. Provide the name and contents of this file(s)
11. What ports is the Domain Server servicing (e.g. the Destination port) in this example containing the two text files?
12. What service is used on each of these ports? (Hint: use Wireshark and a web search)
13. What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
14. What service do you think that server is running?
15. What are the contents of this file?
16. What packet number was this file first referenced in?
17. What did you find?
18. How many “groups” or “networks” are shown?
(Consider a network as more than one device)
19. Which network(s) appear to have connections to external devices on the public Internet?
20. What countries do these addresses most likely reside in? (Hint: View Details for the address by right-clicking)
21. What transport, port number, and service(s) are used in the external connections? (Hint: View Frames for the details of the packets by right-clicking)
22. Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
23. Do you know what the destination IP addresses represent?
Analyzing Modbus/TCP (MBT) Traffic
How long did it take you to complete the section on Modbus/TCP?
1. What would the Display Filter look like?
2. What ports are being used by the PLC (192.168.1.5) for incoming sessions?
3. What is the most common service used by each of the TCP port numbers?
4. What is the manufacturer of the PLC?
5. Where did you find this information?
6. Is there more information about the manufacturer?
7. What information is provided here that was not provided with Wireshark?
8. What ports are listed under the “Incoming” sessions where the PLC would act as a server?
9. What TCP port is used by Modbus/TCP?
10. What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way handshakes if possible?
11. In what packet number did this occur?
12. Why does it show two in this case?
13. What is contained in the “Modbus” portion of the frame?
14. What Function Code is used here?
15. What is the meaning of this Function Code?
16. What is the meaning of the “Reference Number”?
17. What is the meaning of the “Word Count”?
18. In what packet number did this occur?
19. What is the value stored in Register Number 12300?
20. What does “UINT16” stand for?
21. Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
Analyzing EtherNet/IP (EIP) Traffic
How long did it take you to complete the section on EtherNet/IP?
1. What can you determine about this PLC?
2. What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
3. How long did this session last?
4. How many host IP addresses does NetworkMiner show?
5. How many of these IP addresses are IP Version 6 (IPv6)?
6. So, now how many HOST IPv4 addresses are on this network?
7. How many IPv4 addresses are shown in Wireshark Endpoints?
8. What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
9. What can you tell me about the manufacturer of this device?
(Hint: use the Wireshark OUI Lookup Tool)
10. What would the Display Filter look like to filter out all traffic except that using the PLC?
11. In what packet number did this occur?
12. What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
13. In what packet number did this occur?
14. In what packet is the CIP Connection closed?
15. Is this traffic likely to be Time Critical or Non-Time Critical?
Analyzing OPC Data Access (OPC-DA) Traffic
How long did it take you to complete the section on OPC-DA?
1. Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform operating system they are likely running, and what services and ports are being used.
2. What does DCOM stand for?
3. What packet number represents this action?
4. What endian is the data for this session using?
5. What username is used to authenticate the client against the server?
6. Looking at the “RemoteCreateInstance request” packet, what frame number contains the response? (Hint: look in the Application Layer details)
7. What types of information can you decipher from this ASCII data?
8. What is this port number?
9. What number is shown for “StringBinding[2]” “NetworkAddr”?
10. What is the new TCP port number that will be used for the remaining data exchange session?
11. Is this the same port?
12. What is the new Display Filter that was automatically created?
PART 3: LAB EVALUATION
Did you find this lab useful?
What would you like to see changed?
Do not forget to submit your PCAP file used in the beginning of the lab under “Using Wireshark”. There is an 8MB site limit on file size of uploads. If your PCAP file is larger than 8MB, please notify the instructor for alternate instructions.
CSCI 397.01W | CSCI 397.61W © 2012-2020 ICSCSI LLC
Fundamentals of Industrial Control System Cyber Security Page L1-1 of 14
Fall 2020 CSCI 397 F20 – Lab Exercise 1
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: OBJECTIVES
Fundamentals of Industrial Control System Cyber Security
Analyzing ICS Network Traffic with Network Analysis Tools
OBJECTIVES
Unlike the first part of this lab exercise that used a lot of illustrations to introduce new tools and capabilities, this part will focus on using these tools to perform analysis of different types of industrial and business communications that occur on the network. Each section will ask you to perform a variety of tasks using a set of network captures that should be downloaded from LAB EXERCISE 1. The lab exercise submittal document also contains sections that must be completed based on the tasks given within the lab exercise.
This exercise has the following objectives:
1. Download and open a network packet capture (pcap) file in each of the three network analysis tools. This pcap file contains a diversified
collection of network protocols where you will investigate the Server Message Block (SMB) used to exchange files between Windows host
computers.
2. Using the same pcap file as Step 1 above, isolate and analyze the Modbus/TCP traffic that occurs between a Windows computer and a PLC.
3. Download and open a pcap file containing Common Industrial Protocol (CIP) traffic that occurs between a Windows computer and a PLC.
4. Download and open a pcap file containing Open Platform Communication (OPC) Data Access traffic that occurs between an OPC Server
and a Windows computer.
LAB EXERCISE 1 contains the file downloads needed for this exercise, along with the submittal document containing questions that will be discussed throughout the exercise. Do not forget to submit your files when you have completed this activity.
(Note: problems may occur if using Google Chrome as a browser where it tries to open links in Google Docs. The “Docs PDF/PowerPoint Viewer (by
Google)” extension must be disabled or removed.)
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING OPC-DATA ACCESS TRAFFIC
ANALYZING OPC-DATA ACCESS TRAFFIC
(EXPECTED TIME TO COMPLETE = 10 minutes | 2:20)
This section will use the “industrial-protocols-opc.pcap” network capture file downloaded in LAB EXERCISE 1 to study OPC Data Access (OPC-DA) communications. Unlike the previous cases with SMB, Modbus, and EtherNet/IP where you were given the architecture, in this exercise you will determine the hosts and their relationships without guidance.
QUESTION 1:
Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform
operating system they are likely running, and what services and ports are being used.
From the section heading, it is obvious that the OPC Data Access protocol will be analyzed. During lecture it was mentioned that “classic” OPC-DA
presented many new challenges to the manufacturing world. The dependence on the Microsoft COM/DCOM infrastructure limited the usability of the
technology to strictly Windows-based computing platforms.
QUESTION 2:
What does DCOM stand for?
OPC-DA was originally released in 1996, and in 2003, when the Blaster worm exploited vulnerabilities in the Windows Remote Procedure Call (RPC) service, Microsoft responded with the introduction of the Windows Firewall in Windows XP Service Pack 2. The design of OPC, and how it performed a “hand-off” from one communication port (135/tcp) to another service port chosen by the dynamic port allocation within RPC, made it inoperable immediately after users installed XP-SP2.
The answer for many was to disable the Windows Firewall to keep their OPC-DA connections alive. This introduced even more problems as industry
worked to address security and usability at the same time.
In the lecture, the basic process of an OPC session was reviewed. In this part of the lab exercise, you will follow the session and observe how this
technology operates.
Most of this exercise will be at the packet level, so Wireshark will be the easiest tool to use.
The first step in establishing an OPC connection from the client to the server is a Distributed Computing Environment (DCE) / Remote Procedure Call (RPC) “Bind” command.
QUESTION 3:
What packet number represents this action?
Select the packet referenced with the “Bind” command, and expand the “Distributed Computing Environment / Remote Procedure Call” Application
Layer in the data panel on the bottom. Notice the “Data Representation” entry.
QUESTION 4:
What endian is the data for this session using?
The Bind is then acknowledged by the server and the client then attempts authentication against the server.
QUESTION 5:
What username is used to authenticate the client against the server?
The client then establishes a “connection” by sending a “RemoteCreateInstance request” to the server.
QUESTION 6:
Looking at the “RemoteCreateInstance request” packet, what frame number contains the response?
(Hint: look in the Application Layer details)
Now using this response frame and the IP addresses for the client and the server, use the bottom “Packet Bytes” panel of Wireshark that shows raw
data to look for ASCII character-based patterns. You should be able to recognize a large portion of the data that is visible here.
QUESTION 7:
What types of information can you decipher from this ASCII data?
If you are having trouble, move to the first DCERPC “Request” frame in the capture list and notice the TCP Destination Port.
QUESTION 8:
What is this port number?
Now go back to the “RemoteCreateInstance response” frame and look again … look for a pattern of ASCII characters that represent an IPv4 address. If you click the text panel over the ASCII numbers that look like an IPv4 address, Wireshark will find this dissected information in the other “Packet Details” panel.
QUESTION 9:
What number is shown for “StringBinding[2]” “NetworkAddr”?
QUESTION 10:
What is the new TCP port number that will be used for the remaining data exchange session?
Go forward to the first DCERPC “Request” frame and look at the TCP Destination Port.
QUESTION 11:
Is this the same port?
This cleartext “handoff” resulting from the dynamic port allocation of RPC makes it easy for security appliances to follow this conversation and create a
dynamic rule that will open the newly assigned ports. Without this feature, a firewall would need to open a range of ports defined within the
DCOMCNFG service resulting in an unnecessary attack surface through the perimeter protected by the firewall.
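The dynamic rule described in the paragraph above can be modelled from the connection events alone: a stateful device records the port announced in the RemoteCreateInstance response and opens a pinhole for that client, that server and that port only. The following Python is an added example, not lesson code or any firewall's implementation; the addresses, frame numbers, the announced port 49153 and the static range 49152 to 65535 (standing in for whatever range DCOMCNFG would be set to) are all constructed.

```python
from dataclasses import dataclass

RPC_EPMAP_PORT = 135
# Assumption: the dynamic range a static DCOMCNFG policy would have to open.
STATIC_RANGE = range(49152, 65536)


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt (the SYN), as a firewall or IDS would log it."""
    frame: int
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Handoff:
    """Port announced in a RemoteCreateInstance response (StringBinding NetworkAddr)."""
    frame: int
    client: str
    server: str
    new_port: int


def follow_handoffs(flows, handoffs, static_range=STATIC_RANGE):
    """Return the pinholes a stateful device would open, and the flows matching none."""
    # A pinhole is scoped to client, server and announced port, and only covers
    # connections seen after the frame that announced it.
    pinholes = [{"client": h.client, "server": h.server, "port": h.new_port,
                 "opened_at": h.frame, "used_by": None} for h in handoffs]
    unexpected = []
    for f in sorted(flows, key=lambda x: x.frame):
        if f.dport == RPC_EPMAP_PORT:
            continue  # the endpoint mapper itself is allowed by the base policy
        match = next((p for p in pinholes
                      if p["client"] == f.src and p["server"] == f.dst
                      and p["port"] == f.dport and f.frame > p["opened_at"]), None)
        if match is not None:
            match["used_by"] = f.frame
        else:
            # The last field shows whether a static range would have let it through.
            unexpected.append((f.frame, f.src, f.dst, f.dport, f.dport in static_range))
    return {"pinholes": pinholes, "unexpected": unexpected,
            "static_exposed_ports": len(static_range)}


# Constructed events, not taken from the lab capture.
SAMPLE_FLOWS = [
    Flow(3, "10.0.0.20", 50100, "10.0.0.10", 135),     # client -> endpoint mapper
    Flow(14, "10.0.0.20", 50101, "10.0.0.10", 49153),  # client -> announced port
    Flow(80, "10.0.0.66", 40000, "10.0.0.10", 49200),  # no handoff seen for this one
    Flow(90, "10.0.0.66", 40001, "10.0.0.10", 3389),   # outside the range entirely
]
SAMPLE_HANDOFFS = [Handoff(11, "10.0.0.20", "10.0.0.10", 49153)]

if __name__ == "__main__":
    result = follow_handoffs(SAMPLE_FLOWS, SAMPLE_HANDOFFS)
    for p in result["pinholes"]:
        print(f"pinhole {p['client']} -> {p['server']}:{p['port']} used by frame {p['used_by']}")
    for frame, src, dst, dport, passes in result["unexpected"]:
        print(f"frame {frame}: {src} -> {dst}:{dport} not announced; static range allows: {passes}")
    print("ports a static range would expose:", result["static_exposed_ports"])
```

The contrast the lesson draws is visible in the output: the handoff-aware policy admits exactly one follow-on connection, whereas the static range would also have admitted the unannounced connection to port 49200.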
It is possible to create a Wireshark Display Filter to look for this “handoff”. If you expand the “ISystemActivator” portion of the ADU in packet 9, you can
right-click on “Operation: RemoteCreateInstance (4)” and select “Apply as Filter” and “Selected”. The Display Filter is automatically generated and
placed in the Display Filter entry line at the top of Wireshark.
QUESTION 12:
What is the new Display Filter that was automatically created?
We will look at this in the last two lecture sections of the course.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING SMB TRAFFIC
ANALYZING SMB TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:20)
The remainder of the lab exercise will focus on applying some basic skills using the three network analysis tools. This first portion applies to common IT protocols and services. You are encouraged to spend some free time experimenting on your personal network. This section will show you how to extract file data from a network capture. You can re-create this on your home network by sharing a file between two devices while you run Wireshark on one of them. Feel free to share your thoughts in the LAB EXERCISE 1 submittal. Questions will be asked throughout this section – your answers should be provided on the LAB EXERCISE 1 submittal document.
This section will use the “multi-network-architecture.pcap” network capture file downloaded in LAB EXERCISE 1. Begin by opening this file in all
three network analysis tools – GrassMarlin, NetworkMiner, and Wireshark.
The Server Message Block or SMB is an Application Layer protocol used by multiple operating systems to allow sharing of files across the network. It is also known by the name Common Internet File System (CIFS). In a Windows environment, it can also be used for legacy NetBIOS traffic, and facilitates an access mechanism for inter-process communications (IPC) via the IPC$ administrative file share using named pipes.
In the network capture provided, there are primarily two major types of communications using 445/tcp: [1] authentication between Windows Domain
Members (10.1.1.60, 10.1.1.251) and Windows Domain Servers (10.1.1.1), and [2] file sharing services between clients (172.16.100.240) and the
Windows Server (10.1.1.1).
Using Wireshark, create a Display Filter that will narrow the traffic down to just these three assets.
QUESTION 1:
What would the Wireshark Display Filter look like?
Apply the filter now.
You will notice that there is more than just SMB traffic using 445/tcp. You should scroll down the filtered packet list and find the start of the 3-way
handshake for the first occurrence of traffic using 445/tcp.
QUESTION 2:
In what packet number does this occur?
One of the protocols that SMB uses is the NetBIOS Session Service. This should be the first set of packets following the successful completion of the
3-way handshake. Using the data panel within Wireshark, along with what you learned during Week 3, you can identify the position in the OSI 7-Layer
Model for the protocol.
QUESTION 3:
What layer would you expect the “NetBIOS Session Service” to reside?
Now let us append to the existing Display Filter to limit the information displayed to only contain traffic using the SMB protocol.
QUESTION 4:
What would your new Display Filter look like?
(Hint: you will need to use a logical “AND”)
Apply the filter now.
You should notice that the 3-way handshake is no longer displayed because the filter is looking for traffic using the SMB protocol. The 3-way handshake
is establishing a connection on 445/tcp which may not be for SMB in all cases.
Find the first SMB packet after the handshake completes between 10.1.1.60 (client) and 10.1.1.1 (server). This should be “Negotiate Protocol
Request”.
QUESTION 5:
What packet number contains this file?
Scroll down and observe the sessions that follow. Most of the traffic at this point is associated with a domain login occurring between 10.1.1.60 and 10.1.1.1 and the exchange of policy information that follows.
What we are really trying to find is the transferring of files across the network using SMB on 445/tcp. We can do this by appending a Display Filter that
displays SMB Transaction2 Extensions that will show the browsing of remote directories and identification of files that will be transferred. This is done
using “smb.trans2.cmd” and “ANDing” it with the previous Display Filter limiting traffic to SMB.
QUESTION 6:
What would your new Display Filter look like?
(Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
Your Display Filter should start to look like “… && smb && smb.trans2.cmd”.
Apply the filter now.
QUESTION 7:
List some of the files that you see transferred across this connection
It is important to understand that just because username/password authentication is encrypted does not mean that all the traffic that is transferred after
authentication is also encrypted. We are going to see what files have been transferred in cleartext across the network!
Wireshark provides the ability to export certain Objects that are contained in network traffic. You can access this by selecting “File” from the menu, and
“Export Objects” at the bottom. For this exercise, select “SMB”.
The packet numbers on the Export report correspond to the packet that “completed” the transfer. Search for the file “shared_file_on_server.txt”.
QUESTION 8:
What packet number contains this file?
QUESTION 9:
What other text file ending in “.txt” was transferred in this capture file?
Save the contents of both .txt files to your local hard disk, and open each of them (using Notepad, Wordpad, Write, etc.).
QUESTION 10:
Provide the name and contents of the file(s)
Now, switch to NetworkMiner and if you have not already done so, select “File” -> “Open” to import the capture file. Notice how NetworkMiner provides
a basic inventory of devices on the network.
Select the “Files” tab at the top. You should see a similar list of files that were extracted from the capture file. You will notice on the “Files” tab that
information about the Source and Destination TCP port number is provided. You can also see that NetworkMiner has automatically downloaded the
files and placed them in a temporary directory on your local hard disk. This is listed in the “Reconstructed file path” column.
QUESTION 11:
What ports is the Domain Server servicing (e.g. the Destination port) in this example containing the two text files?
Go to the “Hosts” tab in NetworkMiner and expand the information for the Domain Server (10.1.1.1). It summarizes the Incoming and Outgoing
sessions. Expand the Incoming sessions by clicking the “+”. You will notice more than just our SMB traffic has been accessing the server. Four
additional TCP sessions have been enumerated.
QUESTION 12:
What service is used on each of these ports?
(Hint: use Wireshark and a web search)
NetworkMiner also enumerates Outgoing sessions for the Domain Server. Expand the Outgoing sessions and review the information presented.
QUESTION 13:
What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
QUESTION 14:
What service do you think that server is running?
Go back to the “Files” tab and look for the sessions between the Domain Server (10.1.1.1) and this other “server” (10.1.1.254). Notice that you see
additional files that were not available from Wireshark. These files are the TLS certificates used to connect to the other “server” using HTTPS on
443/tcp.
Find the file “shared_file_on_server…”, and open it by right-clicking and selecting “Open file” to view its contents.
QUESTION 15:
What are the contents of this file?
QUESTION 16:
What packet number was this file first referenced in?
Go back to Wireshark and look for this packet number. You will have to clear the Display Filter if you have not already done so. Right-click on the
packet and select “Follow” and “TCP Stream”. This will display all the packets in the session as a contiguous data stream.
Enter “abcd1234” in the Find field at the bottom and select “Find Next”.
QUESTION 17:
What did you find?
Now, go to GrassMarlin and look at the visualization of the packet capture data. If you have not already done so, import the capture file into
GrassMarlin. GrassMarlin defaults to defining networks using a CIDR /24. The networks are listed in a tabular fashion on the left, and visually in the center.
QUESTION 18:
How many “groups” or “networks” are shown?
(Consider a network as more than one device)
You should notice a couple of networks that contain only two assets, one of which has an IP address ending in .255. Remember that this is the Broadcast
Address for that particular network and does not usually correspond to a physical device. This can easily be confirmed by looking at the hardware MAC
address: right-click the shaded area containing the address. If the MAC address is “FF:FF:FF:FF:FF:FF”, then it is the
Broadcast Address.
QUESTION 19:
Which network(s) appear to have connections to external devices on the public Internet?
QUESTION 20:
What countries do these addresses most likely reside in?
(Hint: View Details for the address by right-clicking)
QUESTION 21:
What transport, port number, and service(s) are used in the external connections?
(Hint: View Frames for the details of the packets)
QUESTION 22:
Is this traffic legitimate? Why or why not?
(Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
QUESTION 23:
Do you know what the destination IP addresses represent?
Copyright (c) 2016-2020 ICSCSI LLC. All rights reserved.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING MODBUS/TCP TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=168 1/4
Fundamentals of Industrial Control System Cyber Security
Analyzing ICS Network Traffic with Network Analysis Tools
ANALYZING MODBUS/TCP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 1:40)
Using the same “multi-network-architecture.pcap” file from the Analysis of SMB Traffic section, let us now focus on ICS protocols and traffic. This
portion analyzes traffic using the Modbus/TCP protocol over 502/tcp. The architecture consists of a PLC (192.168.1.5), an HMI (192.168.1.129),
and a SCADA Server (192.168.1.60).
You can use CIDR notation to create a Display Filter in Wireshark that will narrow the traffic down to just this 192.168.1.0/24 network.
QUESTION 1:
What would the Display Filter look like?
Apply the filter now.
Using Wireshark “Conversations” under the “Statistics” menu, select the “TCP” tab. The report shows all the traffic in the capture file, so look at the
bottom and select “Limit to display filter” to simplify the report.
QUESTION 2:
What ports are being used by the PLC (192.168.1.5) for incoming sessions?
QUESTION 3:
What is the most common service used by each of the TCP port numbers?
QUESTION 4:
What is the manufacturer of the PLC?
QUESTION 5:
Where did you find this information?
Let us focus on the same host address using NetworkMiner. Find the PLC (192.168.1.5). Notice that “Siemens” is presented with the IP Address.
Expand the device by clicking the “+” sign.
QUESTION 6:
Is there more information about the manufacturer?
Expand the “OS: Siemens” entry.
QUESTION 7:
What information is provided here that was not provided with Wireshark?
QUESTION 8:
What ports are listed under the “Incoming” sessions where the PLC would act as a server?
NetworkMiner uses device signatures to help enumerate the actual device that is present, a feature not available in Wireshark. The Satori TCP
database was used to fingerprint the Siemens PLC. One of the instructors of this course has been actively working with the developer of NetworkMiner
to expand this library.
The one piece of information that NetworkMiner is not able to provide is that relating to the Application Layer and the associated ADUs. Recall from the
lecture that Wireshark has protocol “dissectors” that allow the packet to be broken down extracting headers from data units. These data units can be
further broken down into function codes and data elements.
So, let us return to Wireshark and analyze the Modbus/TCP Application Layer protocol.
QUESTION 9:
What TCP port is used by Modbus/TCP?
QUESTION 10:
What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way
handshakes if possible?
If you go to the very top of the display, you can see the actual handshake that took place. That is the benefit of generating traffic in a lab versus in the
real world. This handshake occurred only a single time throughout the five minutes of traffic collected.
Search for the first Modbus/TCP “Query” packet.
QUESTION 11:
In what packet number did this occur?
Select the packet and observe the display panel below that displays the various layers of the OSI Model. Two Application Layer entries are provided:
Modbus/TCP and Modbus.
QUESTION 12:
Why does it show two in this case?
Referring to the lecture material (slide 35) and shown below as Figure 81, what is contained in the “Modbus/TCP” portion of the frame?
QUESTION 13:
What is contained in the “Modbus” portion of the frame?
Figure 81
QUESTION 14:
What Function Code is used here?
QUESTION 15:
What is the meaning of this Function Code?
QUESTION 16:
What is the meaning of the “Reference Number”?
QUESTION 17:
What is the meaning of the “Word Count”?
(Hint: several good documents were referenced in the lecture that dissect the complete Modbus/TCP frame)
Look at the associated Modbus/TCP “Response” packet. This might help you answer the question above!
QUESTION 18:
In what packet number did this occur?
QUESTION 19:
What is the value stored in Register Number 12300?
QUESTION 20:
What does “UINT16” stand for?
QUESTION 21:
Why is the “Byte Count” in the Response different from the “Word Count” in the Request?
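As an added example (not code from the course or its lab files), the following Python decoder splits a Modbus/TCP frame into the 7-byte MBAP header that Wireshark labels “Modbus/TCP” and the PDU it labels “Modbus”, then walks a Read Holding Registers request and its response to show how the Function Code, Reference Number, Word Count and Byte Count relate. The two sample frames, the register value 8000 and the exception frame are constructed for illustration, not taken from the lab capture.

```python
import struct

# Constructed sample frames (not from the lab capture): a Read Holding
# Registers (FC 3) request for one register at reference number 12300, and
# the matching response carrying a single UINT16 value of 8000 (0x1F40).
REQUEST_FRAME = bytes.fromhex("0001 0000 0006 01 03 300c 0001")
RESPONSE_FRAME = bytes.fromhex("0001 0000 0005 01 03 02 1f40")

FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers",
                  5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def split_mbap(frame):
    """Return (MBAP header fields, PDU). The 7-byte MBAP header is what
    Wireshark shows as 'Modbus/TCP'; the PDU is its 'Modbus' entry."""
    if len(frame) < 8:
        raise ValueError("frame too short for an MBAP header and function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (must be 0)")
    if length != len(frame) - 6:          # length covers unit id + PDU
        raise ValueError(f"length field {length} != {len(frame) - 6}")
    return {"transaction_id": tid, "unit_id": unit, "length": length}, frame[7:]

def parse_read_request(frame):
    """Decode an FC 3/4 request: reference number = zero-based starting
    address on the wire, word count = number of 16-bit registers wanted."""
    header, pdu = split_mbap(frame)
    fc, ref, words = struct.unpack(">BHH", pdu[:5])
    if fc not in (3, 4):
        raise ValueError(f"function code {fc} ({FUNCTION_NAMES.get(fc, '?')}) is not a register read")
    if not 1 <= words <= 125:             # limit from the Modbus specification
        raise ValueError(f"word count {words} outside 1..125")
    return {**header, "function_code": fc, "function": FUNCTION_NAMES[fc],
            "reference_number": ref, "word_count": words}

def parse_read_response(frame, request):
    """Decode the reply: byte count is 2 x word count because each register
    is a UINT16 (unsigned 16-bit integer, big-endian on the wire)."""
    header, pdu = split_mbap(frame)
    if header["transaction_id"] != request["transaction_id"]:
        raise ValueError("response does not match the request transaction id")
    fc = pdu[0]
    if fc & 0x80:                          # exception: fc + 0x80, then exception code
        return {**header, "function_code": fc, "exception_code": pdu[1]}
    byte_count = pdu[1]
    if byte_count != 2 * request["word_count"] or len(pdu) != 2 + byte_count:
        raise ValueError(f"byte count {byte_count} inconsistent with word count")
    values = struct.unpack(f">{byte_count // 2}H", pdu[2:2 + byte_count])
    registers = {request["reference_number"] + i: v for i, v in enumerate(values)}
    return {**header, "function_code": fc, "byte_count": byte_count, "registers": registers}

if __name__ == "__main__":
    req = parse_read_request(REQUEST_FRAME)
    print(req)
    print(parse_read_response(RESPONSE_FRAME, req))
```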
Before leaving this portion of the lab exercise, you are encouraged to modify your Wireshark Display Filter and look at the ICS communication taking
place on 102/tcp using the Siemens S7COMM protocol. This PLC supports both Modbus/TCP and Siemens S7COMM, and can serve the same data
using either protocol. If you look at packets 11579 and 11580, you can see the data request and response. Notice the different syntax used to access
the PLC internal registers with S7COMM by expanding the details in the “S7 Communication” ADU in the request packet 11579.
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING ETHERNET/IP TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=174 1/4
Fundamentals of Industrial Control System Cyber Security
Analyzing ICS Network Traffic with Network Analysis Tools
ANALYZING ETHERNET/IP TRAFFIC
(EXPECTED TIME TO COMPLETE = 20 minutes | 2:00)
This section will use the “industrial-protocols-cip.pcap” network capture file downloaded in LAB EXERCISE 1 to study the Common Industrial
Protocol (CIP) in its EtherNet/IP (EIP) form. This architecture consists of a Rockwell Automation Micro850 PLC (192.168.1.17) and an engineering
workstation (192.168.1.97) running the Connected Components Workbench (CCW) software used to configure and monitor the PLC.
Open the file in all tools and provide anything you can find regarding the vendor, model, version, etc. of the PLC in the capture. Remember to consider
the OUI portion of the hardware MAC address. You can also look up MAC OUI’s on the Wireshark website (https://www.wireshark.org/tools/oui-lookup.html).
The master list of registered OUI information can also be found on the IEEE standards website (http://standards-oui.ieee.org/oui.txt). This
latter site can also provide information pertaining to the country of origin of the device.
QUESTION 1:
What can you determine about the PLC?
Using NetworkMiner, expand the PLC (192.168.1.17) and notice that NetworkMiner could not fully enumerate the device in terms of OS and device
type as it was previously able to do with the Siemens S7 PLC.
Expand the Incoming sessions and notice that the PLC is acting as a server using port 44818/tcp. Expand this entry further to reveal information
about the client.
QUESTION 2:
What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
QUESTION 3:
How long did this session last?
QUESTION 4:
How many host IP addresses does NetworkMiner show?
If you have not already noticed, the number of hosts is shown next to the “Hosts” tab in the top of the NetworkMiner window.
QUESTION 5:
How many of these IP addresses are IP Version 6 (IPv6)?
One of the IPv4 addresses shown is for multicast traffic using address 224.0.0.106. This is not really a host or device, but rather an address that can
be used to send traffic to multiple devices that subscribe to the session. You might also recall from the lecture that IPv6 uses a multicast address that
begins with “ff0”, so ff02::1:2 is also a multicast address.
QUESTION 6:
So, now how many HOST IPv4 addresses are on this network?
Notice the device NetworkMiner presents at IP address 169.254.2.2. This is known as a “self-assigned” IP address and is what a device gives itself if it
does not receive one from a Dynamic Host Configuration Protocol (DHCP) server. This is also an address that can be manually entered in the device
network configuration, allowing it to link and connect to an existing network.
From a cyber security perspective, these addresses are important because they can signify the presence of an unauthorized host on the network that is
trying to remain hidden. This is one way a device can connect to a network and “listen” for traffic to enumerate hosts and their communications.
Go back to Wireshark and open this packet capture file if not already done. Observe the first 25 packets and notice the broadcast traffic and other
layer 2 traffic like the Address Resolution Protocol (ARP), Link-Layer Discovery Protocol (LLDP), and Spanning Tree Protocol (STP).
Now let us look at the enumerated devices by selecting “Analyze” in the menu followed by “Endpoints” and look at the “IPv4” results.
QUESTION 7:
How many IPv4 addresses are shown in Wireshark Endpoints?
Notice that 169.254.2.2 is not on this list, but if you select “Ethernet” you see 23 entries.
QUESTION 8:
What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
You can right-click the FF:FF:FF:FF:FF:FF address from the Endpoints – Ethernet listing and select “Apply as Filter” and “Selected” to view this traffic
in Wireshark. You will notice Address Resolution Protocol (ARP) and NetBIOS Name Service (NBNS) traffic.
Close the Endpoints summary and return to the main display. Using the Find feature, by typing “Control+C” (that is, the Control key and the C character
key at the same time), enter “169.254.2.2”. If you expand the “Address Resolution Protocol (request)” shown in the Packet Details panel, you will find
the Sender IP address of 169.254.2.2.
QUESTION 9:
What can you tell me about the manufacturer of this device?
(Hint: first look at how Wireshark “resolves” the MAC address, and then use the Wireshark OUI Lookup Tool)
If you entered only the OUI that was found from Wireshark, you probably saw a long list of manufacturers. If you append additional MAC information to
the address and enter “00:50:c2:b3”, you will see an entry “00:50:C2:B3:20:00/36 Byres Security Inc”. This is a CIDR-type expression for a MAC
address. Using the same logic that was presented in the lecture, you can take a string of 36 1’s and logically “AND” it with the MAC address to extract
the base address registered to Byres Security, with the remaining 12 bits allowed for device-specific addressing.
Each hexadecimal digit represents 4 bits. This means that the base address is “00:50:C2:B3:2”, and 2^12 or 4,096 devices can be assigned by the
manufacturer to MAC addresses in the range of “00:50:C2:B3:20:00” to “00:50:C2:B3:2F:FF”.
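The /36 masking just described, as an added Python example that is not part of the course material: it ANDs a MAC address with a prefix mask, derives the device range, and shows why a longest-prefix lookup picks the /36 registration over the enclosing /24. The two-entry registry is a constructed stand-in for the IEEE list (the /24 entry is labelled hypothetical) and the function names are mine.

```python
# Added example (not from the course): CIDR-style prefix handling for 48-bit
# hardware MAC addresses, mirroring entries such as 00:50:C2:B3:20:00/36.

def mac_to_int(mac):
    """'00:50:C2:B3:20:00' -> 48-bit integer; ':' or '-' separators accepted."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    return int(digits, 16)

def int_to_mac(value):
    """48-bit integer -> 'AA:BB:CC:DD:EE:FF'."""
    return ":".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))

def prefix_mask(length):
    """`length` one-bits followed by zeros, e.g. /36 -> FF:FF:FF:FF:F0:00."""
    if not 0 <= length <= 48:
        raise ValueError("prefix length must be between 0 and 48")
    return ((1 << length) - 1) << (48 - length)

def mac_block(prefix, length):
    """AND the prefix with the mask to get the registered base address; the
    remaining 48-length bits are device-specific. Returns (first, last, count)."""
    base = mac_to_int(prefix) & prefix_mask(length)
    device_bits = 48 - length
    return int_to_mac(base), int_to_mac(base | ((1 << device_bits) - 1)), 1 << device_bits

def mac_in_block(mac, prefix, length):
    """True when `mac` shares the masked bits of the registered prefix."""
    mask = prefix_mask(length)
    return mac_to_int(mac) & mask == mac_to_int(prefix) & mask

def is_broadcast(mac):
    """FF:FF:FF:FF:FF:FF is the Ethernet broadcast address, not a device."""
    return mac_to_int(mac) == 0xFFFFFFFFFFFF

# Constructed two-entry registry standing in for the IEEE OUI list; the /24
# entry is a hypothetical placeholder for the block the /36 is carved from.
REGISTRY = {
    "00:50:C2:00:00:00/24": "IEEE Registration Authority (hypothetical entry)",
    "00:50:C2:B3:20:00/36": "Byres Security Inc",
}

def lookup_vendor(mac, registry=REGISTRY):
    """Longest-prefix match: a /36 entry beats the enclosing /24, which is why
    searching on the bare OUI alone returned a long list of manufacturers."""
    best_len, best_vendor = -1, None
    for entry, vendor in registry.items():
        prefix, length = entry.split("/")
        length = int(length)
        if length > best_len and mac_in_block(mac, prefix, length):
            best_len, best_vendor = length, vendor
    return best_vendor

if __name__ == "__main__":
    print(mac_block("00:50:C2:B3:20:00", 36))
    print(lookup_vendor("00:50:c2:b3:2a:01"))
```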
Let us now focus on traffic with the PLC (192.168.1.17).
QUESTION 10:
What would the Display Filter look like to filter out all traffic except that using the PLC?
Apply the filter now.
We are now going to walk through the communication that was shown during the lecture for Week 3 (slide 48), shown below as Figure 82.
Figure 82
The first step is to create an EtherNet/IP Session. This is performed using the “RegisterSession” Request command.
QUESTION 11:
In what packet number did this occur?
QUESTION 12:
What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
The next step that occurs is the establishment of a CIP Connection using the CIP Connection Manager (CM) and issuing a “Forward Open” command.
QUESTION 13:
In what packet number did this occur?
Notice that Wireshark recognizes this and labels the packet with the protocol “CIP CM”. Notice also that the CIP Connection Manager is at the
highest part of the Application Layer in the Packet Details panel at the bottom.
QUESTION 14:
In what packet is the CIP Connection closed?
All of the communication between the opening and the closing of the CIP Connection is “explicit” “connected” CIP traffic using 44818/tcp. You might
want to refer back to lecture in Week 3 (slide 42) and shown below as Figure 83 to see what type of traffic was exchanged here.
Figure 83
QUESTION 15:
Is this traffic likely to be Critical or Non-Critical?
The application may or may not unregister the EtherNet/IP Session. This is not done with this session.
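The session life-cycle walked through above (RegisterSession, explicit messaging on the assigned handle, and an UnRegisterSession that the application may never send), as an added Python example that is not from the course: it decodes the 24-byte EtherNet/IP encapsulation header used on 44818/tcp and audits an exchange for messages sent outside a registered session and for sessions left open. The header layout and command codes follow the EtherNet/IP specification; the sample exchange, its session handle and the placeholder CPF bodies are constructed.

```python
import struct

# Added example (not from the course). Encapsulation header, little-endian:
# command, length, session handle, status, sender context (8 bytes), options.
ENCAP = struct.Struct("<HHII8sI")
COMMANDS = {0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
            0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
            0x006F: "SendRRData", 0x0070: "SendUnitData"}

def build(command, session, data, status=0):
    """Assemble one encapsulation message; used only to construct the samples."""
    return ENCAP.pack(command, len(data), session, status, b"\0" * 8, 0) + data

def parse(raw):
    """Split a message into header fields and command-specific data."""
    if len(raw) < ENCAP.size:
        raise ValueError("message shorter than the encapsulation header")
    cmd, length, session, status, _ctx, _opts = ENCAP.unpack_from(raw)
    data = raw[ENCAP.size:]
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} data bytes")
    return {"command": COMMANDS.get(cmd, f"unknown 0x{cmd:04X}"),
            "session": session, "status": status, "data": data}

def audit_session(exchange):
    """exchange: list of (sender, raw_message) in capture order. Returns the
    handle the PLC assigned, whether later commands used it, and whether the
    client ever unregistered the session."""
    handle, closed, issues = None, False, []
    for sender, raw in exchange:
        msg = parse(raw)
        if msg["command"] == "RegisterSession":
            if len(msg["data"]) < 4:
                issues.append("RegisterSession without protocol version/flags")
                continue
            version, _flags = struct.unpack_from("<HH", msg["data"])
            if version != 1:
                issues.append(f"unexpected protocol version {version}")
            if sender == "plc" and msg["status"] == 0:
                handle = msg["session"]      # the handle is assigned in the reply
        elif msg["command"] == "UnRegisterSession":
            closed = True
        elif msg["command"] in ("SendRRData", "SendUnitData"):
            if handle is None or msg["session"] != handle:
                issues.append(f"{msg['command']} with handle 0x{msg['session']:08X} outside a registered session")
    return {"handle": handle, "unregistered": closed, "issues": issues}

# Constructed sample exchange (handle value invented; the CPF bodies carrying the
# CIP Forward Open request and reply are placeholders and are not decoded here):
# register, two explicit messages, and no UnRegisterSession.
SAMPLE_EXCHANGE = [
    ("client", build(0x0065, 0, struct.pack("<HH", 1, 0))),
    ("plc",    build(0x0065, 0x1A2B3C4D, struct.pack("<HH", 1, 0))),
    ("client", build(0x006F, 0x1A2B3C4D, bytes(16))),   # e.g. Forward Open request
    ("plc",    build(0x006F, 0x1A2B3C4D, bytes(16))),   # e.g. Forward Open reply
]

if __name__ == "__main__":
    print(audit_session(SAMPLE_EXCHANGE))
```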