Cyber security
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING OPC-DATA ACCESS TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=83 1/3
Dashboard / My courses / CSCI 397 F20 / Week 4 - Lab Exercise - Network Analysis Tools / Analyzing ICS Network Traffic with Network Analysis Tools
Fundamentals of Industrial Control System Cyber Security
Analyzing ICS Network Traffic with Network Analysis Tools ANALYZING OPC-DATA ACCESS TRAFFIC
(EXPECTED TIME TO COMPLETE = 10 minutes | 2:20)
This section will use the “industrial-protocols-opc.pcap” network capture file downloaded in LAB EXERCISE 1 to study OPC Data Access (OPC- DA) communications. Unlike the previous cases with SMB, Modbus, and EtherNet/IP where you were given the architecture, in this exercise you will determine the hosts and their relationships without guidance.
QUESTION 1: Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform operating system they are likely running, and what services and ports are being used.
From the section heading, it is obvious that the OPC Data Access protocol will be analyzed. During lecture it was mentioned that “classic” OPC-DA presented many new challenges to the manufacturing world. The dependence on the Microsoft COM/DCOM infrastructure limited the usability of the technology to strictly Windows-based computing platforms.
QUESTION 2: What does DCOM stand for?
OPC-DA was originally released in 1996, and in 2003 when the Blaster work exploited vulnerabilities in the Windows Remote Procedure Call (RPC) service, Microsoft responded with the introduction of the Windows Firewall in Windows XP Service Pack 2. The design of OPC and how it performed a “hand-off” from one communication port (135/tcp) to another service port caused by the dynamic port allocation within RPC made it inoperable immediately after users installed XP-SP2.
The answer for many was to disable the Windows Firewall to keep their OPC-DA connections alive. This introduced even more problems as industry worked to address security and usability at the same time.
In the lecture, the basic process of an OPC session was reviewed. In this part of the lab exercise, you will follow the session and observe how this technology operates.
Most of this exercise will be at the packet level, so Wireshark will be the easiest tool to use.
The first step in establishing an OPC connect from the client to the server is using a Distributed Computing Environment (DCE) / Remote Procedure Call (RPC) “Bind” command.
QUESTION 3: What packet number represents this action?
Select the packet referenced with the “Bind” command, and expand the “Distributed Computing Environment / Remote Procedure Call” Application Layer in the data panel on the bottom. Notice the “Data Representation” entry.
QUESTION 4: What endian is the data for this session using?
The Bind is then acknowledged by the server and the client then attempts authentication against the server.
QUESTION 5: What username is used to authenticate against the client against the server?
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING OPC-DATA ACCESS TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=83 2/3
You are logged in as Manish Khatri (Log out) CSCI 397 F20
The client then establishes a “connection” by sending a “RemoteCreateInstance request” to the server.
QUESTION 6: Looking at the “RemoteCreateInstance request” packet, what frame number contains the response? (Hint: look in the Application Layer details)
Now using this response frame and the IP addresses for the client and the server, use the bottom "Packet Bytes" panel of Wireshark that shows raw data to look for ASCII character-based patterns. You should be able to recognize a large portion of the data that is visible here.
QUESTION 7: What types of information can you decipher from this ASCII data?
If you are having trouble, move to the first DCERPC “Request” frame in the capture list and notice the TCP Destination Port.
QUESTION 8: What is this port number?
Now go back to the “RemoteCreateInstance response” frame at look again … look for a pattern of ASCII characters that represent an IPv4 address. If you click the text panel over the ASCII numbers that look like an IPv4 address, Wireshark will find this dissected information in the other "Packet Details" panel.
QUESTION 9: What number is shown for “StringBinding[2]” “NetworkAddr”?
QUESTION 10: What is the new TCP port number that will be used for the remaining data exchange session?
Go forward to the first DCERPC “Request” frame and look at the TCP Destination Port.
QUESTION 11: Is this the same port?
This cleartext “handoff” resulting from the dynamic port allocation of RPC makes it easy for security appliances to follow this conversation and create a dynamic rule that will open the newly assigned ports. Without this feature, a firewall would need to open a range of ports defined within the DCOMCNFG service resulting in an unnecessary attack surface through the perimeter protected by the firewall.
It is possible to create a Wireshark Display Filter to look for this “handoff”. If you expand the “ISystemActivator” portion of the ADU in packet 9, you can right-click on “Operation: RemoteCreateInstance (4)” and select “Apply as Filter” and “Selected”. The Display Filter is automatically generated and placed in the Display Filter entry line at the top of Wireshark.
QUESTION 12: What is the new Display Filter that was automatically created?
We will look at this in the last two lecture sections of the course.
PREV < Analyzing EtherNet/IP Traffic End of Lesson
You have completed 33% of the lesson 33%
◄ Downloading and Using Network Analysis Tools
Jump to... QUIZ 2 - ICS Fundamentals 2 ►
9/19/2020 CSCI 397 F20: Analyzing ICS Network Traffic with Network Analysis Tools: ANALYZING OPC-DATA ACCESS TRAFFIC
https://training.icscsi.org/mod/lesson/view.php?id=1813&pageid=83 3/3
Copyright (c) 2016-2020 ICSCSI LLC. All rights reserved.