Cyber security

profileJohn@123
CSCI397F20_AnalyzingICSNetworkTrafficwithNetworkAnalysisTools_ANALYZINGETHERNET_IPTRAFFIC.pdf

9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING ETHERNET/IP TRAFFIC

https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=174 1/4

Dashboard / My courses / CSCI 397 F20 / Week 4 - Lab Exercise - Network Analysis Tools / Analyzing ICS Network Traffic with Network Analysis Tools

Fundamentals of Industrial Control System Cyber Security

Analyzing ICS Network Traffic with Network Analysis Tools ANALYZING ETHERNET/IP TRAFFIC

(EXPECTED TIME TO COMPLETE = 20 minutes | 2:00)

This section will use the “industrial-protocols-cip.pcap” network capture file downloaded in LAB EXERCISE 1 to study the Common Industrial Protocol (CIP) in its EtherNet/IP (EIP) form. This architecture consists of a Rockwell Automation Micro850 PLC (192.168.1.17), an engineering workstations (192.168.1.97) running the Connected Components Workbench (CCW) software used to configure and monitor the PLC.

Open the file in all tools and provide anything you can find regarding the vendor, model, version, etc. of the PLC in the capture. Remember to consider the OUI portion of the hardware MAC address. You can also look up MAC OUI’s on the Wireshark website ( https://www.wireshark.org/tools/oui- lookup.html). The master list of registered OUI information can also be found on the IEEE standards website (http://standards-oui.ieee.org/oui.txt). This latter site can also provide information pertaining the country of origin of the device.

QUESTION 1: What can you determine me about the PLC?

Using NetworkMiner, expand the PLC (192.168.1.17) and notice that NetworkMiner could not fully enumerate the device in terms of OS and device type like it was previously able to do with the Siemens S7 PLC.

Expand on the Incoming sessions and notice that the PLC is acting as a server using port 44818/tcp. Look at incoming sessions to reveal PLC as server using 44818/tcp. Expand this further and reveal information about the client.

QUESTION 2: What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?

QUESTION 3: How long did this session last?

QUESTION 4: How many host IP addresses does NetworkMiner show?

If you have not already noticed, the number of hosts is shown next to the “Hosts” tab in the top of the NetworkMiner window.

QUESTION 5: How many of these IP addresses are IP Version 6 (IPv6)?

One of the IPv4 addresses shown is for multicast traffic using address 224.0.0.106. This is not really a host or device, but rather an address that can be used to send traffic to multiple devices that subscribe to the session. You might also recall from the lecture that IPv6 uses a multicast address that begins with “ff0”, so ff02::1:2 is also a multicast address.

QUESTION 6: So, now how many HOST IPv4 addresses are on this network?

Notice device NetworkMiner presents at IP address 169.254.2.2. This is known as a “self assigned” IP address and is what a device gives itself if it does not receive one from a Dynamic Host Configuration Protocol (DHCP) server. This is also an address that can be manually entered in the device network configuration allowing it to link and connect to an existing network.

9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING ETHERNET/IP TRAFFIC

https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=174 2/4

From a cyber security perspective, these addresses are important because they can signify the presence of an authorized host on the network that is trying to remain hidden. This is one way a device can connect to a network and “listen” for traffic to enumerate hosts and their communications.

Go back to Wireshark and open this packet capture file if not already done. Observe the first 25 packets and notice the broadcast traffic and other layer 2 traffic like the Address Resolution Protocol (ARP), Link-Layer Discovery Protocol (LLDP), and Spanning Tree Protocol (STP).

Now let us look at the enumerated devices by selecting “Analyze” in the menu followed by “Endpoints” and look at the “IPv4” results.

QUESTION 7: How many IPv4 addresses are shown in Wireshark Endpoints?

Notice that 169.254.2.2 is not on this list, but if you select “Ethernet” you see 23 entries.

QUESTION 8: What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?

You can right-click the FF:FF:FF:FF:FF:FF address from the Endpoints – Ethernet listing and select “Apply as Filter” and “Selected” to view this traffic in Wireshark. You will notice Address Resolution Protocol (ARP) and NetBIOS Name Service (NBNS) traffic.

Close the Endpoints summary and return to the main display. Using the Find feature by type “Control+C” (that is the Control Key and the C character key at the same time), enter “169.254.2.2”. If you expand the “Address Resolution Protocol (request)” shown in the Packet Details panel, you will find the Sender IP address of 169.254.2.2.

QUESTION 9: What can you tell me about the manufacturer of this device? (Hint: first look at how Wireshark "resolves" the MAC address, and then use the Wireshark OUI Lookup Tool)

If you entered only the OUI that was found from Wireshark, you probably saw a long list of manufacturers. If you append additional MAC information to the address, and enter “00:50:c2:b3”, you will see an entry “00:50:C2:B3:20:00/36 Byres Security Inc”. This is a CIDR type expression for a MAC address. Using the same logic that was presented in the lecture, you can take a string of 36 1’s and logically “AND” it with the MAC address to extract the base address registered to Byres Security, with the remaining 12 bits allowed for device-specific addressing.

Each hexadecimal number represents 4-bits. This means that the base address is “00:50:C2:B3:2”, and 2 1̂2 or 4,096 devices can be assigned by the manufacturer to MAC addresses in the range of “00:50:C2:B3:20:00” to “00:50:C2:B3:2F:FF”.

Let us know focus on traffic with the PLC (192.168.1.17).

QUESTION 10: What would the Display Filter look like to filter out all traffic except that using the PLC?

Apply the filter now.

We are now going to walk through the communication that was shown during the lecture for Week 3 (slide 48) shown below as Figure 82.

Figure 82

9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING ETHERNET/IP TRAFFIC

https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=174 3/4

The first step is to create an EtherNet/IP Session. This is performed using the “RegisterSession” Request command.

QUESTION 11: What packet number did this occur?

QUESTION 12: What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?

The next step that occurs is the establishment of a CIP Connection using the CIP Connection Manager (CM) and issuing a “Forward Open” command.

QUESTION 13: What packet number did this occur?

Did you notice that Wireshark recognizes this and labels the packet with a protocol of “CIP CM”. Notice that the CIP Connection Manager is at the highest part of the Application Layer in the Packet Details panel on the bottom.

QUESTION 14: What packet is the CIP Connection closed

All of the communication between the opening and the closing of the CIP Connection is “explicit” “connected” CIP traffic using 44818/tcp. You might want to refer back to lecture in Week 3 (slide 42) and shown below as Figure 83 to see what type of traffic was exchanged here.

9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING ETHERNET/IP TRAFFIC

https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=174 4/4

You are logged in as Manish Khatri (Log out) CSCI 397 F20 Copyright (c) 2016-2020 ICSCSI LLC. All rights reserved.

Figure 83

QUESTION 15: Is this traffic likely to be Critical or Non-Critical?

The application may or may not unregister the EtherNet/IP Session. This is not done with this session.

PREV < Analyzing Modbus/TCP Traffic NEXT > Analyzing OPC-DA Traffic

You have completed 33% of the lesson 33%

◄ Downloading and Using Network Analysis Tools

Jump to... QUIZ 2 - ICS Fundamentals 2 ►