TECH 581 W Computer Network Operations: Laboratory 2, Team 4

Abstract

Laboratory two will require the student team to identify and tabulate active reconnaissance tools   and tools that could give an individual anonymity on a network based on where they lie in OSI model and McCumber’s Cube. The student team will install these tools into the virtual environment. The team will align the TCP/IP model to the OSI model and determine if the model should contain four or five layers. The team will align layers from MODBUS, DNP3 and DeviceNet, as well as two other SCADA protocols to the OSI and TCP/IP models. The student team will also explain the functionality of each of the applicable layers within these SCADA standards.

When this lab exercise has been completed, the student team will have developed a table of active reconnaissance tools and tools that could give one anonymity on a network and installed these tools into the virtual environment .The student team  will have taken a stance on whether the TCP/IP model should contain a fifth layer. The team will have also researched the different layers of different SCADA protocols to understand their functionality and alignment to the OSI and TCP/IP models.

Literature Review

About Penetration Testing

This article describes what a penetration test is and compares what the testers are usually given in a test and what the actual attackers would have. The article gives two examples. The first example deals with a friend asking another friend, who is a police officer that deals with car thefts, if she could break into his brand-new car to report what security flaws are in the car. The other is an examination of an electronic voting application. In the scenario with the policewoman the question of what should the penetration tester be provided with. The article argues that the penetration tester would be better off given as much information as possible for the test so that she doesn’t have to fight with the small details and waist time and cause possible damage to get the proper results. The reasoning behind this is that we would not know exactly what tools and knowledge the attacker would have at his arsenal. An example was given in trying to break into the car. If the tester wasn’t given the keys then she would have had to pick the locks, were the attacker would probably not have even bothered and broke the window or pied the door open. Also a question of what information is safe to give the testers. Can the testers be trusted not to directly or indirectly cause damage with the knowledge given to them to perform the test? Also the article describes different reasons why different attackers would steal information and what resources each of the attackers would have available to them. Later in the article the example of the electronic voting application was used to give an example of how to determine what the goals of the penetration tests should be. Also in this example the writer explains that the goals overlap and the specific goal depends on what the study aims to show. With the example of the electronic voting the writer identifies the different type of attackers that would have access to the voting application. All most all of the supporting data that the writer used is other writings that he had done in the past, and because of this the article shows a lack of supporting research. This article gives us an idea of what should be provided to us for the penetration testing that we are to do on various computers. It also makes us look into the different type of attackers, whether it is someone trying to gain from the attack, someone looking for revenge, or someone just doing the attack as a prank or just for spite.

Security Plan for Red Team Testing

This article was a “to do” list of setting up a read teaming environment. This article did not have a research question because it was a how to article and not a research article. The article details out how a red teaming lab for the testing of an electronic voting application should be set up. The lab’s equipment was divided up into three categories. First category was the red tagged equipment. The red equipment was equipment that had no outside contact and held all the data, source code, and tools to perform the test. The red equipment was to be kept completely separated from the rest of the equipment at all times. The second was the green equipment this equipment was allowed external contact to gather further resources as the team needs them from the internet or other places. The last was the blue tagged equipment. The blue equipment was equipment that was used to transfer information from place to place. This included equipment like removable drives or memory disks. Because this was a “How to” article there was not much research involved in this article. This article develops a red team environment that would be good to incorporate into our lab. This article shows how keeping the actual testing environment isolated would keep the important data from leaking out and keep others from getting into the system during the tests. This method shows a good way to control the test environment.

Automated Red Teaming: A Proposed Framework for Military Application

This article describes the concept of an Automated Red Teaming (ART) simulator that was developed by the writers of this article. The question that the article is trying to answer is can an automated red teaming simulator help improve the Blue Ops of the military by showing vulnerabilities or weaknesses in the red teams methods? The ART simulator uses Evolutionary Algorithms (EA) and parallel computing to produce an automated red teaming simulator that is able to uncover system vulnerabilities and exploits in military operations. The article first explains the goal and objective of this project. The objective of this project is to use the red teaming results to strengthen the militaries Blue Ops. Then the article breaks down the framework of the simulators architecture and describes each part of the simulator. Then the article explains the type of EA they used and why. The EA they used was called Strength Pareto Evolutionary Algorithm Version 2 (SPEA2). The SPEA2 was chosen because of its simple to implement algorithm and also its performance in finding the Pareto front. Then writers tested the ART simulator using an urban ops simulation. In the end they tweaked the way the Blue Ops team and the civilians operated to increase the probability that the objective of the Blue Ops team’s objectives would be achieved with greater results using the vulnerabilities of the red team as a guide. This article could be used in our lab environment to show how an automated simulation could be set up that would use the red teaming concept to expose vulnerabilities and weaknesses in a network or computer and then use the results to determine what would be the best plan to reduce those vulnerabilities or weaknesses.

Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs

This paper was a proposal for a way to incorporate security into software at the design level so that any vulnerability will be handled before the product is released into the public. This means of capturing vulnerabilities early prevents time and money from being wasted later in creating patches. The writers also note that even if the patches are made the users or owners of the software will not incorporate the patches into the software to get rid of the vulnerability. The writers goes about creating a method to isolate the vulnerabilities by gathering a list of attack patterns from three papers written by (G. Houglund and G. McGraw, 2004), (C. Lander, et al. 1994), and (I. Krsul, 1998) and comparing them to system designs. They called this method of isolating vulnerabilities security analysis for existing threats (SAFE – T). The writers then came up with a means of identifying and relaying each attack pattern quick and easily using symbols. After that they selected 414 vulnerabilities from various vulnerability databases and chose 244 vulnerabilities and developed 53 attack patterns from these vulnerabilities. In this selection of vulnerabilities, I believe that the writers greatly reduced their scope on this study of vulnerabilities. After creating the attack patterns they compared them to the taxonomies of the three people mentioned earlier. This showed that some of the classifications among the different taxonomies refer to the same vulnerabilities. Last they did two case studies using several undergraduate students to determine how easy it is to match the attack patterns to the vulnerabilities. They found out that about 90% of the vulnerabilities were matched properly, about 4% were false negatives, and 6% were false positives. This paper could be very beneficial in showing how important it is to incorporate security in every step of the development process from conceptual work to post release of the product. In this lab we could use these attack patterns to help identify ways of pinpointing vulnerabilities in systems and gives us a better way of securing those vulnerabilities.

Fast model-based penetration testing

In the article Fast model-based penetration testing, an approach was proposed to obtain statistically valid estimates of security metrics by performing repeated penetration testing of detailed system models (Singh, Lyons & Nicol 2004, p.309). The model created, which was labeled Model-Based Penetration Testing (MBPT),  took detailed information of the host congregations, attacks, vulnerabilities, critical assets, and connectivity to build complex models of the system that allowed for automatic generation of repeated, independent attack paths (Singh et al, 2004, p.309). The authors also provided a precise mathematical formula to explain how to use importance sampling techniques to estimate security metrics, such as the total number of attack paths that lead to the compromise of a particular asset. (Singh et al, 2004, p.316). The implicit research question appeared to be how could One overcome the limitations on the detail that could be supported by current security analysis models. The methodology of the paper consisted of constructing formal state/transition models of the networked system. Importance sampling techniques were used to reduce the variance of our estimates by biasing transitions according to some heuristic and then taking the bias into account when building the estimate (Singh et al, 2004, p.311). The security metric to be estimated was the total number of attack paths in the model that end up negatively affecting a given asset (Singh et al, 2004, p.311).

Grammar-based white box fuzzing

In the paper, Grammar-based white box fuzzing, the authors pointed out that the current effectiveness of white box fuzzing is limited when testing applications with highly-structured inputs (Godefroid et al., 2008, p.206). White box fuzzing is a form of automatic dynamic test generation, based on symbolic execution and constraint solving, designed for the security testing of large applications (Godefroid et al., 2008, p.206).    The authors developed a dynamic test generation algorithm where symbolic execution directly generated grammar-based constraints whose satis?ability was checked using a custom grammar-based constraint solver (Godefroid et al., 2008, p.206). Due to its ability to restrict the search space to valid inputs, grammar-based white box fuzzing can implement deeper paths, and focus the search on the harder-to-test, deeper processing stages (Godefroid et al., 2008, p.207). How to enhance white box fuzzing of complex structured-input applications with a grammar based specification of their valid inputs? The methodology that was used in the paper was an experimental design, which involved the use of a JavaScript interpreter embedded in an Internet Explorer 7 Web-browser (Godefroid et al., 2008, p.211). The experiment required the use of 50 seed inputs with 15 to 20 tokens generated randomly from the grammar, which avoided bias when using test generation strategies that require seed inputs (Godefroid et al., 2008, p.211).Within the experiment, Grammar-based white box fuzzing was compared to black box, grammar-based black box, white box, and white box+tokens (Godefroid et al., 2008, p.211). All of the experiments were also conducted within the same test harness (Godefroid et al., 2008, p.211). This paper related to the lab in that it described a possible way to find vulnerabilities in applications, which would affect the application layer of the OSI model.

Attack net penetration testing

In the paper,  Attack net penetration testing , the author  described a new process model  for penetration  testing  that used  the Petri net as its paradigm, for   this approach provided increased  structure  to flaw generation  activities, without restricting  the free range of inquiry(McDermott,n.d.,p.15).  A large part of penetration testing is perceived to be more of an art rather than a science. The effectiveness of penetration testing depends on the skill and experience of the testers (McDermott, n.d., p.15).  Penetration testing also requires a special kind of insight that cannot be systematized (McDermott, n.d., p.15).  Penetration testing usually follows the flaw hypothesis or attack tree approach (McDermott, n.d., p.15).  The attack tree approach was intended  for penetration  testing where  there  was less background information  about  the system to be  tested(McDermott,n.d.,p.16). An attack net is a Petri net with a set of places representing states or modes of the security relevant entities of the system of interest (McDermott, n.d., p.16). The attack net also has a set of transitions that represent input events, commands, or data that cause one or more security relevant entities to change state McDermott, n.d., p.16).  Attack nets are not intended to model the actual behavior of a system or component during an attack, but are used as a notation for discovering and discussing scenarios under development (McDermott, n.d., p.19). Attack nets provide a graphical way of showing how a collection of flaws may be combined to achieve a significant system penetration (McDermott, n.d., p.21). The author applied an attack net to a case study about a Mitnick attack. A noticeable error in the paper was that the abstract was too short to give a sufficient overview of the paper. This paper related to the lab exercise in that it gives penetration testers a graphical solution to accomplish an attack.

Three different shades of ethical hacking: black, white and gray

In the paper, Three different shades of ethical hacking: black, white and gray  , gave a brief history if hacking, described the necessity for ethical hacking, explained the role of penetration testing within the realm of network security,  and went on to describe the philosophies and methods used by the different types of  attack models. In the black box model, the penetration test is only revealed to a very few members of the network security team in order to ascertain their response to the attack (Hafele, 2004, p.6). In the White box approach, the White Box ethical hacking team will have much more information revealed to them prior to the penetration test, so there will be fewer unknowns or variables (Hafele, 2004, p.12). The Gray Box approach is a hybrid attack model, which incorporates elements of both the Black Box and the White Box methods (Hafele, 2004, p.17). The statement “There is no individual, group or organization, which is insulated from possible attacks, and each may offer something of intrinsic value to a determined criminal hacker” seemed ridiculous because presuming that every individual, group, or organization is connected to the Internet, it is possible for a individual, group, or organization to have computers that are intentionally left isolated from the network to keep the data protected from the outside (Hafele, 2004, p.3). This paper related to the lab exercise in that active reconnaissance tools would be used in a black box method since they reveal information about the systems without the owner’s explanation of what is on the network.

Methodology

With this lab we are looking at different ways that information can be recovered in an active manner. We also will be taking a closer look at the different protocols that are associated with the OSI 7 layer model. We will take an even greater look into different types of SCADA protocols. We started the lab off by reading a group of articles and performing a literature review. In the literature review we discuss the theme and methodology of each of the articles. Then we describe how each of the articles related to the current lab. Next all the active reconnaissance tools will be extracted from the table in the first lab as well as extras found by further research. These tools will then be categorized into the OSI 7 layer model and also McCumber’s cube. In the last part of the lab different protocols will be analyzed and aligned in comparison to the OSI 7 layer model. The first to be analyzed and aligned will be the TCP/IP model and then the MODBUS, DNP3 and DeviceNet SCADA protocols as well as two to other SCADA protocols. For each of the protocols that we align to the OSI 7 layer model we will define each protocol and its layers.

Part 1

Part one of the lab is the gathering of several active reconnaissance tools and tools that provide anonymity. These tools were then categorized into an extended 9 layer OSI model as well as McCumber’s cube. The following table shows the results.

OSI 9 Layer Model Exploit Table

OSI Layer

Technology

Exploit Method

McCumber

Layer 8/People

N / A

Get them drunk or high

Confidentiality, Process, Human Factors

Layer 8/People

N / A

Plant an insider

Confidentiality, Process, Human Factors

Layer 8/People

N / A

Espionage

Confidentiality, Process, Human Factors

Layer 8/People

N / A

Torture

Confidentiality, Process, Human Factors

Layer 8/People

N / A

Scopolamine

Confidentiality, Process, Human Factors

Layer 8/People

N / A

Sodium pentothal

Confidentiality, Process, Human Factors

Layer 8/People

N / A

Interviewing  terminated employees

Confidentiality, Process, Human Factors

Layer 8/People

N / A

Masquerade as employee

Confidentiality, Process, Human Factors

Layer 8/People

N / A

Quid Pro Quo

Confidentiality, Process, Human Factors

Layer 8/People

N / A

Casual inquiry about passwords

Confidentiality, Process, Human Factors

Layer 7 /Application

Buffers and Strings

BED

Integrity, Process, Technology

Layer 7 /Application

SNMP

5NMP

Integrity, Processing, Technology

Layer 7 /Application

Log

Clearlogs

Availability, Storage, Technology

Layer 7 /Application

SNMP

onesixtyone

Confidentiality, Process, Technology

Layer 7 /Application

Browsers

bf2

Integrity, Process, Technology

Layer 7 /Application

Fuzzer for C programs

Bunny

Integrity, Process, Technology

Layer 7 /Application

Web Applications

JBroFuzz

Integrity, Process, Technology

Layer 7 /Application

Web Apps, SQL, .Net, etc.

Peach

Integrity, Process, Technology

Layer 7 /Application

HTTP SOAP

WSFuzzer

Integrity, Process, Technology

Layer 7 /Application

Applications

zzuf

Integrity, Process, Technology

Layer 7 /Application

SNMP

ADMsnmp

Integrity, Storage, Technology

Layer 7 /Application

SNMP

Braa

Integrity, Process, Technology

Layer 7 /Application

SNMP

Snmpcheck

Confidentiality, Process, Technology

Layer 7 /Application

SNMP

SNMPEnum

Confidentiality, Storage, Technology

Layer 7 /Application

SNMP

Snmpwalk

Confidentiality, Storage, Technology

Layer 7 /Application

File

Wipe

Availability, Storage, Technology

Layer 7 /Application

Log files

Evidence eliminator

Availability, Storage, Technology

Layer 7 /Application

Log

Clearlogs

Availability, Storage, Technology

Layer 6 /Presentation

Application Protocols

Amap

Confidentiality, Process, Technology

Layer 6 /Presentation

Web Server

httprint

Confidentiality, Process, Technology

Layer 6 /Presentation

Web Server

HTTSquash

Confidentiality, Process, Technology

Layer 6 /Presentation

IPsec VPN Servers

ike-scan

Confidentiality, Process, Technology

Layer 6 /Presentation

Kerberos Logins

KerbCrack

Confidentiality, Transmitted, Technology

Layer 6 /Presentation

File  System/volumes

Autopsy

Confidentiality, Storage, Technology

Layer 6 /Presentation

Recover syskey bootkey

Bkhive

Availability, Storage, Technology

Layer 6 /Presentation

Password

CUPP

Confidentiality, Storage, Technology

Layer 6 /Presentation

Password

John the ripper

Confidentiality, Storage, Technology

Layer 6 /Presentation

Hashes

RainbowCrack

Confidentiality, Storage, Technology

Layer 6 /Presentation

Windows password  hashes

Samdump2

Confidentiality, Storage, Technology

Layer 6 /Presentation

Password

Wyd

Confidentiality, Storage, Technology

Layer 6 /Presentation

sshd password

BruteSSH

Confidentiality, Storage, Technology

Layer 6 /Presentation

network logon

Hydra

Confidentiality, Storage, Technology

Layer 6 /Presentation

Passwords on Lotus Domino webserver system

Lodowep

Confidentiality, Storage, Technology

Layer 6 /Presentation

Login

Medusa

Confidentiality, Storage, Technology

Layer 6 /Presentation

Login into SSH server

SSHatter

Confidentiality, Storage, Technology

Layer 6 /Presentation

Windows passwords

chntpw

Confidentiality, Storage, Technology

Layer 6 /Presentation

CISCO Routers

Cisco Auditing Tool

Integrity, Process, Technology

Layer 6 /Presentation

CISCO Router Passwords

Cisco Passwd Scanner

Integrity, Process, Technology

Layer 6 /Presentation

Windows Server

enum

Confidentiality, Storage, Technology

Layer 6 /Presentation

Windows Server

winfo

Confidentiality, Storage, Technology

Layer 5/ Session

SSL

SSLScan

Confidentiality, Process, Technology

Layer 5/ Session

TCP/IP

Hping

Confidentiality, Transmission, Technology

Layer 5/ Session

NetBIOS

nbtscan

Confidentiality, Process, Technology

Layer 5/ Session

SIP

sipsak

Confidentiality, Transmission, Technology

Layer 5/ Session

TCP SYN

tctrace

Integrity, Processing, Technology

Layer 4/ Transport

TCP

tcptraceroute

Integrity, Processing, Technology

Layer 4/ Transport

Ports

procecia

Confidentiality, Process, Technology

Layer 4/ Transport

TCP

Unicornscan

Confidentiality, Process, Technology

Layer 4/ Transport

OS Fingering

Xprobe2

Confidentiality, Process, Technology

Layer 4/ Transport

Ports

Netcat

Availability, Transmission, Technology

Layer 4/ Transport

TCP/UDP

Fport

Confidentiality, Transmission, Technology

Layer 4/ Transport

TCP/UDP

Attacker

Confidentiality, Transmission, Technology

Layer 4 / Transport

TCP

0trace

Confidentiality, Transmission, Technology

Layer 3/Network

IP

DNSEenum

Confidentiality, Storage, Technology

Layer 3/Network

DNS

dnstracer

Confidentiality, Storage, Technology

Layer 3/Network

IP

Fierce

Integrity, Process, Technology

Layer 3/Network

ICMP

itrace

Integrity, Processing, Technology

Layer 3/Network

IP

Maltego

Confidentiality, Transmission, Technology

Layer 3/Network

ICMP

netenum

Confidentiality, Process, Technology

Layer 3/Network

ICMP

Netmask

Confidentiality, Process, Technology

Layer 3/Network

IP

protos

Confidentiality, Process, Technology

Layer 3/Network

Subnets

Autoscan

Confidentiality, Transmission, Technology

Layer 3/Network

Subnets

Autoscan

Confidentiality, Transmission, Technology

Layer 3/Network

ICMP

fping

Confidentiality, Process, Technology

Layer 3/Network

Packets

hping2

Confidentiality, Process, Technology

Layer 3/Network

ICMP

hping3

Confidentiality, Process, Technology

Layer 3/Network

IP

Netdiscover

Confidentiality, Process, Technology

Layer 3/Network

IP

Nmap

Confidentiality, Process, Technology

Layer 3/Network

Sub-domains

ReverseRaider

Confidentiality, Process, Technology

Layer 3/Network

IP

Zenmap

Confidentiality, Process, Technology

Layer 3/Network

CISCO Routers

Cisco OCS Mass Scanner

Integrity, Process, Technology

Layer 3/Network

Bluetooth devices

Btscanner

Confidentiality, Process, Technology

Layer 3/Network

Cisco Routers

Cisco Passwrd Scanner

Confidentiality, Process, Technology

Layer 3/Network

Asp servers

asp-audit

Confidentiality, Process, Technology

Layer 2/ Datalink

Cisco device information

CDP

Confidentiality, Transmission, Technology

Layer 2/ Datalink

Cisco Equipment

CIScan

Confidentiality, Storage, Technology

Layer 2/ Datalink

802.11

Baffle

Confidentiality, Process, Technology

Layer 1/ Physical

USB  devices

USBView

Confidentiality, Storage, Technology

Layer 1/ Physical

SIP devices

Smap

Confidentiality, Storage , Technology

Layer 1/ Physical

disks

Diskzapper

Availability, Storage , Technology

Layer 0 / Kinetic

Contractor information

Damaging computer equipment to discover who the contractor is

Confidentiality, Process, Policies and Procedures

Layer 0 / Kinetic

Cameras

Gaining control of cameras to get information

Confidentiality, Process, Technology

Layer 0 / Kinetic

Fire Alarms

Discovering fire routs or gaining access

Confidentiality, Process, Policies and Procedures

Part 2a

For this part of the lab, the team addressed the question: Why the Physical Layer Should Be Separate in the TCP/IP Model?

The purpose of the physical layer of the OSI model is to transfer the raw signals along some type of medium to the destination. This raw signal can be in the form of electrical pulses, light waves, or radio waves (Joesph & Thomas, 2003, p.1). The physical layer also describes related details such as connectors, channel codes and modulation, signal strengths, wavelength, low-level synchronization and timing and maximum distances (Joesph & Thomas, 2003, p.1).

The purpose of the data link layer is to convert the packet of data sent from the upper layers into raw bits to be passed onto the physical layer for transmission.

The team concluded that the physical layer and the data link layer should be separated in the TCP/IP model. In the data link layer there is still the manipulation of packets going on, be it encryption, adding on data link layer headers, or other information for the destination data link layer. The physical layer only is responsible for the transmission of the data from one computer to another and there is no new information added onto that packet. Taking all that into consideration a manipulation of the packet could still happen at the data link layer causing the packet to be altered or the information inside to be revealed.

After it was determined how many layers the TCP/IP model should have included, the TCP/IP model was aligned to the OSI model. Besides aligning the TCP/IP table to the OSI model, the MODBUS, DNP3 and DeviceNet, as well as the EtherNet/IP and Profibus SCADA protocols were also aligned. The table below depicts this alignment.

OSI

TCP/IP

MODBUS

DNP3

DeviceNet

EtherNet/IP

Profibus

Application

Application

Application

Application

Application

CIP  App Object Library

Application

CIP  App Object Library

FMS/DP-V0/DP-V1/DP-V2

Presentation

N/A

Presentation  CIP data management I/O messages

Presentation  CIP data management I/O messages

N/A

Session

N/A

Session

CIP message Routing  Managing Connections

Session

CIP message Routing  Managing Connections

N/A

Transport

Transport

Transport Transmission Control Protocol,

MODBUS TCP

Pseudo Transport

Transport Transmission Protocol

Transport DeviceNet  Transport Layer

TCP/UDP

N/A

Network

Internet

Network Internet Protocol

IP

N/A

Data link

Network Access

Data Link Ethernet 802.2/802.3

Data Link

DNPS

Data Link

CAN CSMA/CD with arbitration on Message Priority

EtherNet

CAN CSMA/CD

FDL

Physical

Physical

Physical Ethernet

Physical

EIA-232/EIA-485

Physical

DeviceNet Physical  Layer

IEEE 802.3 Ethernet

RS485/Fiber optic/MBP

Part 2b

The following section describes the different layers of the SCADA protocols that were depicted in the table:

MODBUS

Application Layer

MODBUS is an application layer messaging protocol, positioned at level 7, the application layer of the OSI model, which provides client/server communication between devices connected on different types of buses or networks (Modbus, 2006, p.2). MODBUS defines the rules for organizing and interpreting the data independent of the data transmission medium (Acromag, 2005, p.4).

Transport Layer

The MODBUS TCP protocol embeds a Modbus frame into a TCP frame (   INTELLICOM, p.1). The Modbus commands and user data are themselves encapsulated into the data container of a TCP/IP telegram without being modified in any way (Acromag, 2005, p.4).The Modbus error checking field (checksum) is not used, as the standard Ethernet TCP/IP link layer checksum methods are instead used to ensure data integrity. Further, the Modbus frame address field is replaced by the unit identifier in Modbus TCP/IP, and becomes part of the Modbus Application Protocol (MBAP) header (Acromag, 2005, p.4). A Modbus TCP/IP Application Data Unit is embedded into the data field of a standard TCP frame and sent via TCP to system port 502, which is specifically reserved for Modbus applications. ModbusTCP/IP clients and servers listen and receive Modbus data via port 502(Acromag, 2005, p.5).

Network Layer

All devices and infrastructure components with added diagnostic capabilities (managed switches and routers) on an industrial Ethernet-based system must be assigned an IP address (ODVA, 2006, p.4).

Data Link and Physical Layer

Ethernet 802.2/802.3

MODBUS devices use typical Ethernet standards to interface with the network.

DNP3

Application Layer

The application layer of the DNP3 protocol uses a human machine interface (HMI), remote terminal unit (RTU), or other system to pass services from the application layer to the program (Clarke, Reynders, n.d. p. 79). The application layer divides the data into packets that are 2 to 3 bytes in length. These packets consist of the data called the application protocol data units (ASDU) and a header. This packet with the header is an application protocol data unit (APDU). These packets are then sent down to a pseudo – transport layer.

Pseudo – Transport Layer

The next layer is a pseudo transport layer of the OSI model (Clarke, Reynders, n.d. p. 80). This layer takes the packet coming down from the application layer and splits it up into smaller packets called transport service data units (TSDU). These TSDUs have a one byte header followed by a data packet that is no larger than 249 bytes of data. The TSDU is then passed on to the data link layer.

Data Link Layer

The data link layer takes the TPDU from the transport layer and adds header information like redundancy code and error checking code (Clarke, Reynders, n.d. p. 80). The header is up to 292 bytes in length. The TPDU with the data link layer header is now known as a FT3 frame. This frame is then sent down to the physical layer to be sent across the network to the destination.

Physical Layer

The physical layer takes the FT3 frame from the data link layer and streams the bits onto a physical media. The physical media uses 8-bit data, one start bit, one stop bit, no parity, and the RS-232C voltage standards and controls.

DeviceNet

Application Layer

CIP App Object Library

CIP includes a widespread object library to support general-purpose network communications, network services such as file transfer, and typical automation functions such as analog and digital input/output devices, HMI, motion control, and position feedback (ODVA, 2009, p.1).

CIP data management I/O messages

I/O messages are considered to be implicit and typically contain time-critical control data (ODVA, 2006, p.2). The data field contains no protocol information, only real-time I/O data (ODVA, 2006, p.5).  Since the meaning of the data is pre-defined at the time the connection is established, processing time is minimized during runtime (ODVA, 2006, p.5).

CIP message Routing Managing Connections

Seamless bridging and routing between both homogeneous and heterogeneous CIP Networks is enabled by a set of objects that defines routing mechanisms for a device to use when forwarding the contents of a message produced on one network port to another(ODVA, 2006, p.7).This mechanism does not modify the contents of a message during the routing process(ODVA, 2006, p.7). When using this mechanism, the user’s only responsibility is to express the path that a given message must follow, because CIP ensures that the message is handled correctly, independent of the CIP Networks involved (ODVA, 2006, p.7).

Transport and Network Layers

The transport layer and the network layer of the OSI model are combined into one layer in the DeviceNet protocol(ODVA, 2004, p. 4-5). In this paper I will refer to the combination of the transport layer and the network layer as just the transport layer. The transport layer uses either an unconnected message manager (UCMM) or a group 2 unconnected port. Once one of these connections are established data can be sent over the connection or other I/O connections can be established which data will be sent over those connections. An 11-bit CAN identifier is used to define the connection ID. Connection IDs are kept unique. Two fields in the connection ID combine to define the connection ID. One field is a MAC address and the other is a message ID. DeviceNet uses client server architecture. Devices on the network can be either clients, servers, or both. Nodes in a DeviceNet system manage their own identifiers. Uniqueness of ID is managed through a duplicate MAC ID algorithm. A CAN identifier field detects nodes with duplicate addresses. Because of the CAN identifier nodes can be added and removed at any time without having to change a centralized map of the system.

Data Link Layer

As with the physical layer, the data link layer is also defined in the CAN specifications(ODVA, 2004, p. 3-4). DeviceNet uses a high pulse to represent a logical 0 and a low pulse for a logical 1. DeviceNet uses data frames that contain a one bit start frame, 11 bit arbitration field, 6 bit control field, 0-8 bytes of data, 15 bit CRC sequence field, 1 bit CRC delimiter, 1 bit ACK delimiter, and 7 bit end of frame field. CAN is a carrier sense network. Collisions are handled by a non-destructive, bit-wise arbitration mechanism with no loss of data or bandwidth. Timing on the network is handled by the start of frame bit. There is a bit called the remote transmission request (RTR) that is used in other protocols using the CAN specifications that is not used in the DeviceNet protocol. The arbitration field is used to detect if simultaneous transmissions are occurring on the bus. Another field that is not used by DeviceNet is a 29-bit identifier field. The length field has two fixed bits and 0-4 bits that represent the number of bytes in the data field. The CRC sequence and delimiter are fields that do cyclic redundancy checks on the data being went. The ACK delimiter is used to transmit that more than one receiver heard the transmission if it is high.

Physical Layer

The physical layer of the DeviceNet protocol is defined in the CAN specifications(ODVA, 2004, p. 1-3). The physical layer uses a trunk-line/drop-line topology that uses separate twisted pair busses for both signal and power distribution. Thick or thin cable can be used. It uses both isolated and non-isolated physical layer design of devices. DeviceNet has additional information concerning component requirements, protection from miss-wiring, and examples. DeviceNet uses either screw or clamp connectors that can be large or small. The nodes in the DeviceNet protocol can be removed or inserted from the network without powering-down. DeviceNet also allows the use of power taps making redundant power supplies possible. The trunk line current rating is 8 amps.

EtherNet/IP

Application Layer

CIP  App Object Library

CIP includes an widespread object library to support general-purpose network communications, network services such as file transfer, and typical automation functions such as analog and digital input/output devices, HMI, motion control, and position feedback (ODVA, 2009, p.1).

CIP data management I/O messages

I/O messages are considered to be implicit and typically contain time-critical control data (ODVA, 2006, p.2). The data field contains no protocol information, only real-time I/O data (ODVA, 2006, p.5).  Since the meaning of the data is pre-defined at the time the connection is established, processing time is minimized during runtime (ODVA, 2006, p.5).

CIP message Routing Managing Connections

Seamless bridging and routing between both homogeneous and heterogeneous CIP Networks is enabled by a set of objects that defines routing mechanisms for a device to use when forwarding the contents of a message produced on one network port to another (ODVA, 2006, p.7).This mechanism does not modify the contents of a message during the routing process(ODVA, 2006, p.7). When using this mechanism, the user’s only responsibility is to express the path that a given message must follow, because CIP ensures that the message is handled correctly, independent of the CIP Networks involved (ODVA, 2006, p.7).

Transport Layer

EtherNet/IP uses TCP/IP to encapsulate CIP explicit messages, which are generally used to transmit configuration, diagnostic and event data (ODVA, 2006, p.4).For real-time messaging, EtherNet/IP also employs UDP over IP, which allows messages to be multicast to a group of destination addresses(ODVA, 2006, p.4). This is how CIP I/O data transfers (implicit messaging) are sent on EtherNet/IP (ODVA, 2006, p.4).  The CIP Connection mechanism provides timeout mechanisms that can detect data delivery problems, a capacity that is essential for reliable control system performance (ODVA, 2006, p.5).

Network Layer

All devices and infrastructure components with added diagnostic capabilities (managed switches and routers) on an industrial Ethernet-based system must be assigned an IP address (ODVA, 2006, p.4).

Data Link Layer

CSMA/CD (Carrier Sense Multiple Access/Collision Detection) is a set of rules for determining how network devices respond when two devices attempt to use a data channel simultaneously and how devices share a bus(ODVA, 2006, pp.2-3).

Physical Layer

The Ethernet standard provides a specification for physical media, defines a simple frame format for moving packets of data between devices and supplies CSMA/CD (ODVA, 2006, p.2).

PROFIBUS DP

Application Layer

PROFIBUS has a version called the decentralized peripheral (DP) PROFIBUS. PROFIBUS DP protocol uses one of the following three protocols: DP-V0, DP-V1, or DP-V2(Fieldbus Center, 2003). Each protocol is an enhancement of the previous one. Thus the DP-V0 protocol is the first version and is a bases from which the others are derived from. The DP-V0 protocol is responsible for the basic functionality of DP which includes things like cyclic data exchange, station, module and channel-specific diagnostics and four different interrupt types for diagnostics and process interrupts. Using a cyclic exchange a master receives requests from slaves and cyclically writes output information back to the slaves. Each module attaches diagnostic messages to each exchange that is read by the master module. This allows for fast location of faults. This protocol allows for multiple master modules. There are three types of devices in this protocol: class 1 master, class 2 master, and slaves. Class 1 masters are controllers that read and respond to the slave’s requests. Class 2 masters are the engineering and configuration stations. The DP-V1 incorporated enhancements that enhanced process automation. The protocol used acyclic data communication along with cyclic data communication for control messages. The acyclic data communication is used in parallel with the cyclic data communication. Last DP-V2 enhances the demands of drive technology and safety. DP-V2 introduces slave to slave communication through the use of a broadcast and subscription method. The masters also produce the timing for all the slaves on the network.

Data Link Layer

The Field Bus Data Link Layer (FDL) work with a hybrid bus access protocol (Chipkin Automation, 2007, p.1).  It combines token passing with a master slave method. The token passing procedure guarantees that the bus access gets assigned to a specific master node for a defined time frame (Chipkin Automation, 2007, p.1). In the time frame the master node can access the bus and request data from any master or slave device (Chipkin Automation, 2007, p.1). After the time frame expires the current master node will pass the token to the next master node on the bus. (Chipkin Automation, 2007, p.1). This layer also includes the handling of data security and the transmission protocol of telegrams (Chipkin Automation, 2007, p.1).

Physical Layer

The physical layer can be in accordance to either the DP/FMS (RS 485) or DP/FMS (Fiber Optic Cable) (Weigmann, Kilian, n.d. p.16 – 21). Specifications for the RS 485 are as follows. The RS 485 model uses symmetrical data transmission under the EIA RS 485 standards. The bus is a shielded twisted pair, terminated at both ends. The transmission rate is 9.6 kbit/s to 12 Mbit/s. The RS 485 model uses semi-duplex, asynchronous, gap-free synchronization. An 11-bit frame is used to do data transmission using NRZ code. A logical 1 is a positive level on the line while a logical 0 is a negative on the line. There are two configurations to the fiber optic use in the DP/FMS specifications. The first is a bus configuration using optical link modules (OLM). This configuration has the master connected to one of the OLMs using a RS 485 connection and from there a fiber line connects each other OLM in a serial fashion. Each of the slave modules connect to the OLMs using a RS 485 connection with termination plugs in them. The second configuration has the master connected to one of the OLM using a RS 485 connection. Then from that OLM the slaves are connected to it in a ring fashion.

Issues

The team did not encounter any major issues when going through this lab.

Results

In the first part of the lab the team constructed a table that depicted a list of active reconnaissance tool and tools that provided anonymity. When the table was completed it was observed that there was a lack in tools for the session layer, data link layer, physical layer, and the kinetic layer of the OSI model. The team concluded that the reason for the lack in tools for the session layer was due to the nature of the session layer. The session layer is responsible for managing connections with other computers. Most of the tools that lie in the session layer of the OSI model tend to be either DoS attacks or sniffing tools. As far as the data link layer and the physical layers the team discovered that there are very few tools that did anything else than either passively listened on the line or caused some type of interruption. Last the team found that there aren’t very many active reconnaissance tools in the kinetic layer. The reason for a lack in kinetic layer tools is because there are very few things that can be done to cause a reaction that will produce information about that object.

The second part of the lab was divided up into two sections. In the first section the lab concentrates on the TCP/IP model. In the lab the team gathered from some research that a 5 layer TCP/IP model is more suited than a 4 layer TCP/IP model. The reasoning behind splitting the data link layer and the physical layer is that the data link layer still has the ability to manipulate the packet as it passes through the layer while the physical layer is only concerned with the transmission of the raw bits.

In the second section of the second part of the lab the team aligned SCADA protocols to the OSI 7 layer model and described each layer of each of the protocols. In doing this we discovered that a lot of the SCADA protocols use similar protocols just with different variations in some of the layers.

Conclusion

Now that this lab this lab exercise has been completed, the student team has developed a table of active reconnaissance tools and tools that could give one anonymity on a network. When it came to active reconnaissance tools, it seemed that the Application, Presentation and Network layers were most prone to this type of reconnaissance. The team also researched the different layers of different SCADA protocols to understand their functionality and alignment to the OSI and TCP/IP models.

References

Acromag(2005). Introduction to modbus tcp/ip. Retrieved June 17 ,2009 from,

http://www.acromag.com/pdf/intro_modbusTCP_765a.pdf

Bishop, M. (2007).About penetration testing.IEEE.

Bishop, M. (2007).Security Plan for Red Team Testing.

Chipkin Automation, (2007). PROFIBUS THE Field Bus Communication Standard. Retrieved

June 17 ,2009 from, http://www.chipkin.com/articles/profibus-the-field-bus-communication-standard

Choo,S.,Chua,C.& Tay, V.(2007). Automated Red Teaming: A Proposed Framework

for Military Application.ACM.

Davies, Joesph and Lee, Thomas. (2003). Microsoft® Windows® Server 2003 TCP/IP Protocols and Services Technical Reference. Micosoft Press, Redmond Washington, USA

Fieldbus Center(2003). Profibus. Retrieved June 17 ,2009 from,

http://www.knowthebus.org/fieldbus/profibus.asp

Gegick,M.&Williams, L.(2005). Matching attack patterns to security vulnerabilities in software-intensive system designs.ACM.

Godefroid, P., Kiezun, A.& Levin, M .(2008). Grammar-based whitebox fuzzing. ACM.

Hafele, D. (2004). Three different shades of ethical hacking: black, white and gray.  SANS

Institute.

Intellicom.(n.d.)Modbus TCP – An introduction. Retrieved June 17 ,2009 from,

http://www.intellicom.se/ModbusTCP_overview.shtml

IPCOMM(2008).DNP 3.0. Retrieved June 18 ,2009 from,

http://www.ipcomm.de/protocol/DNP3/en/sheet.html)

Gordon R. Clarke,G. ,Reynders, D. &  Wright, E. .(n.d.). Practical modern scada protocols. Retrieved June 19 ,2009 from,

(http://books.google.com/books?id=l99Gj7hcCkkC&pg=PA335&lpg=PA335&dq=dnp3+osi&source=bl&ots=A1RLimVhcB&sig=jbhmK7kFR37B7arXPNbEcLJeqe4&hl=en&ei=q6Q6SqKxF4nUNKvOyK4F&sa=X&oi=book_result&ct=result&resnum=9)

McDermott, J.(n.d.). Attack net penetration testing.

Modbus(2006). Modbus application protocol specificationv1.1b . Retrieved June 16 ,2009 from,

http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf

ODVA.(2006).DeviceNet Technical Overview. Retrieved June 16 ,2009 from, http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00026R1.pdf

ODVA.(2006). Ethernet/ipTM – cip on ethernet technology. Retrieved June 16 ,2009 from,

http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00138R2_CIP_Adv_Tech_Series_EtherNetIP.pdf

ODVA.(2009). CIP technology overview. Retrieved June 17 ,2009 from,

http://www.odva.org/Home/ODVATECHNOLOGIES/CIP/CIPTechnologyOverview/tabid/68/Default.aspx

Rockwell Automation.(2008). Fundamentals of EtherNet/IP. Retrieved June 18 ,2009 from,

http://domino.automation.rockwell.com/applications/gs/emea/GSDK.nsf/files/au_dk_09_material/$file/BT3PPT.pdf

Singh, S. Lyons, J. & Nicol, D. (2004). Fast model-based penetration testing.

Weigmann,J.& Kilian,G.(n.d.). Decentralization with profibus dp/dpv1. Retrieved June 18 ,2009 from, http://books.google.com/books?id=8xYtXmxVuikC&pg=PA13&lpg=PA13&dq=profibus OSI&source=bl&ots=OAVcEPUU7m&sig=aWxOUARPm8hoh-nLLfZiEK5zAuc&hl=en&ei=d-M7SoLsIJDWMMK8rcMO&sa=X&oi=book_result&ct=result&resnum=4)

10 comments for “TECH 581 W Computer Network Operations: Laboratory 2, Team 4

  1. nbakker
    June 23, 2009 at 7:07 pm

    Team four has posted a lab that is much the same as their first lab. The MSO issues seem to have disappeared, which is an improvement over lab one. However, due to my own inability to remove MSO issues I am hardly in a position to criticize that aspect. I did notice how long it took team four to update their lab after the initial issue which does seem to call into question the ability of team four to present a well formatted lab on time. Beyond that, team four presents an abstract that meets the requirements of the syllabus as per length, but that abstract reads like it was copied and pasted from the lab design document rather than an original idea, but does cover the steps of the lab as well be completed. Team four’s literature review is the same as their lab one, as well as most other literature reviews submitted for both labs from most teams. The Literature review is not cohesive, and is a list of reviewed readings with APA citations, and answers to the questions as listed in the syllabus. This is not a scholarly literature review, and does need to be improved for the future. The methods section is almost nonexistent and does not meet the requirements of being a scholarly explanation of the strategy and techniques used to complete the lab. After the methods section there is no listing of findings and answers and the lab just lists the sections of the lab design document. The active recon table is complete and easy to read and understand. The technology column does not fit with the other tables presented in other labs, and I question the usefulness. I also question the placement of Quid Pro Quo on the table at all, it does not make sense to me. I also question the placement of HTTP based tools at layer 6, HTTP is an application layer protocol. Finally, I question the placement of SIP tools at layer one. SIP is by no means a electrical or light based transmission medium, but rather a Voice over IP control protocol running at layer 7. Team five took a different stance on the fifth layer of the TCP/IP model, adding in that layer. I disagree, until the DoD changes the model, there are four layers. The SCADA table as presented by team four is better than the one presented by team one, and less confusing than the one presented by team three. However that does not make it correct. I still believe that each SCADA protocol should have been broken into individual tables, each comparing the selected protocol to the OSI model. Team four then breaks down each layer of each SCADA protocol each of these explanations seems to be a direct copy and paste from the specified sources rather than providing and synthesis on the topics. I do agree with their conclusion on how active recon does seem to favor layers seven and three. I do not agree with them on active recon favoring layer six, this seems to be on faulty placement of protocols on the exploit table.

  2. mvanbode
    June 23, 2009 at 10:39 pm

    The group kept saying “student team”. Try to avoid saying that, instead say “group”. The literature review reads very much like a list. This group needs to make more of a cohesive literature review. The group wrote the literature review like they are just answering the required parts and not really comparing the papers to each other as well as not taking a stance on whether they agree or not with what the authors have to say. Some of the group’s literature review did not cite anything from the papers yet they were put into the bibliography. Not all pages were cited, as stated before the group only answered some of the required questions. It was obvious that different people wrote different parts of the literature review. Time needs to be taken to make sure that that literature review is cohesive and flows together smoothly.
    The group keeps stating that the tools will be placed into the OSI 7 layer model, yet the tools were put into the OSI 9 layer model. To me, this table looks like the group just took their table from lab one and just deleted some rows. I do not agree with many of the tools the group placed in layer 8. I don’t think that getting someone drunk or high would be an active reconnaissance tools, nor many of the other tools that were placed in layer 8. I do not agree with fire alarms being an active reconnaissance tool. I would like to have seen the tables split apart for the different models being compared to each other. The chart was very long and hard to compare to the group’s descriptions. If the chart was separated the descriptions could have followed the separated tables. I find it very hard to believe that the group had no issues with this lab, considering the questions that the group asked in a discussion. This group had no issues or problems in their last lab report either so they must be doing something different from the other groups. Any problems or questions that the group had during the entire process should be put into this section and discussed thoroughly. The tables should be placed into the results section. The methodology are the steps of the process for performing the lab, this would include any research done or any items performed in the virtual environment. The tables made would be the results of the research putting them into the results section. The group’s results section sounded like a summary or abstract of the lab exercise. The results section should be the results, answers to any questions, and any discussion the group wants to include. The conclusion needs to be more in depth, not a summary of the lab.

  3. June 24, 2009 at 12:11 am

    The abstract simply restates the requirements and objectives for the lab. While this isn’t incorrect, it could use a little more cohesion and synthesis with the work that was actually performed in the lab.
    The literature review is simply a list of the assigned readings with a lengthy summary. While none of the articles are compared and contrasted against each other in the broader context of the topic at hand, the lab exercises are taken in to consideration. Some of the tie-ins to the lab exercises were good starting points for further discussion and research but ultimately fell short.
    The methodologies section discusses the different parts of the lab but lacks detail. One part of the lab exercises was to test the active reconnaissance tools after creating the table in our lab environment but no mention is made of this at all in the methodologies section. The latter parts of the methodologies section discusses the alignment of the OSI model and SCADA protocols but there is not mention of how this is going to be done. It would aid the reader to know how, specifically, this was being done.
    The discussion on why the physical fifth layer should be present is probably the most detailed of all of the group labs but missed the mention of two of the main proponents of the five layer model, Comer and Stallings. The conclusion that the data link layer and physical layer should be separated implies that they would be in the same layer were they not. That alone should have some discussion around it as to why the data link layer doesn’t server this function. RFC 1122 (http://tools.ietf.org/html/rfc1122) has some good information on the layers.
    The treatment of the SCADA protocols in the table was difficult to read. Instead of putting all of the protocols in the same table, it would have been easier to read with each protocol treated separately. Putting the SCADA protocols together does show the relationship between the components and possibly some avenues of attack or, at least, areas that could be focused on for attack. It’s likely that an organization would be standardized on a single protocol for their SCADA infrastructure so combining them wouldn’t have an immediate advantage for the would-be attacker. The descriptions of the various protocols are unnecessary as most are quotations from the vendors. For brevity’s sake it would’ve been easier to just include links for further information on the protocols.
    The results section mentions valid findings on the concentration of tools in the various layers of the OSI model but still lacks any mention of testing the tools in the test environment which was a major part of the lab exercises. This section is also the first to mention the anonymity principle that was supposed to be considered in the first section of the lab. The conclusions also lack detail and synthesis between the tasks performed. Simply restating what was done doesn’t suffice, the findings and results should be reviewed and discussed.

  4. mafaulkn
    June 24, 2009 at 9:24 am

    Team 4 did a better job this time using their abstract to describe what they were going to do in Lab 2. One thing I noticed that seemed odd is they referred to themselves as “the student team”, I think “group” would have been fine. The reviews of their articles were more comprehensive than their last review lit; however improvement in writing skills would make the writings easier to follow. I’m surprised they didn’t have any issues with this lab. Once again I found their tables to be confusing, not sure what the column for technology was supposed to explain. In my readings I have not heard the OSI 7 layer model referred to the OSI 9 layer model? The formatting of the tables in part 2a was very confusing. The methods section should be the steps of the process for performing the lab; this would include any research done or any items performed in the virtual environment. Their methods section read more like a summary of the abstract. Just like the methods section the results section read more like a summary of their process. The results section should be the results, answers to any questions, and any discussion items they may have. The conclusion was very light and should have contained more of their analysis of the overall process. Their conclusion seemed to be a summary of the lab.

  5. shumpfer
    June 24, 2009 at 2:16 pm

    Overall the formatting was done better this time around. So starting with the abstract I found that there are a couple of point that are repeated and almost sound repeated. It is almost as if the first paragraph was rephrased. In the future try and make sure the point is not redundant but it is clear. I was able to understand what the lab was about and ready to see what team 4 had for their literature review. Upon reading the literature review I still found it broken into different pieces. From having talked about what a literature review actually is my understanding that it is a cohesive collaboration of all the literature that was read and then taking the subject or subjects of all of them and then discussing them together to find a common area. Then to discus points of each piece of literature and included some different view points that may contrast with one piece but agree with the other. While looking more closely at the groups reviews I only noticed a comparison of the pieces of literature to the actual lab or class it self only in some of the reviews. Next the group goes on to discuss their methodologies and what is going to happen within the section. The part that I miss was between the TCP and OSI comparison. I did notice that they put in a table just like in the first lab with attacks but did not notice the comparison with TCP/IP model and the OSI model. This was the whole first section yes they did take the active resonances and pair it with the OSI model but left a big part of the TCP/IP. Next the team goes on to comparing the SCADA protocols and now they included the TCP/IP that was needed for the first part of the lab. One thing that can be questioned is the placement of where the team put the layers for each of the SCADA protocols and what their decision behind them was. Some of the teams have some at least three of the same protocols but place items differently. Just understanding why they put the layers where they did would be a help, and give the reader a better understanding from their perspective and why the tables should be formed in this way. The team then goes into detail and describes what each protocol is and what the purpose of it. After the methodologies the group goes into their findings. It seems that the group was learning a lot and then it kind of slowed down when it was down to the SCADA protocols. Lastly they concluded the lab very briefly. This seemed really short for a conclusion and some of the information could have been used in their findings. In the end the team did do what was needed but next time they will be able to tweak their lit reviews to be more cohesive and have a stronger ending that will not fizzle out.

  6. gdekkerj
    June 24, 2009 at 3:30 pm

    I thought this overall to be a well thought out lab write up. The literature review made specific mention of relevance to the lab exercise for each article. The tools table was cleanly laid out, with discernable consistency in the tool layer classifications. The SCADA stack tables were very nice, and easy to understand: a real strong point in this write up. Also, the discussion of SCADA protocols was ‘very’ detailed. Finally, it was nice to find a discussion of some of the logic used to classify the ‘active reconnaissance’ tools in the ‘results’ section. I believe this is also an area where this team stood out, as some other teams did not detail this process in any way.

    However, a number of obvious deficiencies existed within the scope of this write up. Conspicuously absent is a mention of any type of anonymization techniques. While I do believe the issue was examined, due to inclusion of such anti-forensic tools as ‘Clearlogs’ in the tool chart, I find no discussion of the concept in general. As noted in other lab teams write ups, some of these techniques are general concepts, and not necessarily addressed fully by a tool listing alone. This lab would benefit from a short discussion in the ‘results’ section of the what makes a tool an anonymization means, or at the very least some sort of descriptive label in the tools table would be in order. I also noticed the somewhat confusing ‘Technology’ column remained from last week’s tool table. I would reiterate that while the additional column for descriptive purposes is a nice idea, the label is a poor choice due to its collision with the McCumber cube ‘namespace.’

    As noted with other groups, I take exception to the inclusion of offline password cracking tools in a list for ‘active reconnaissance’ application. Password cracking is in nearly all cases done on previously collected data, mostly ‘sniffed’ off of the network with passive means. I cannot rectify this type of program to any ‘active’ role, even by stretch of the imagination. Of course, a logically constructed discussion of ‘why’ you chose to include these types of programs, which is not present, might provide reason for me to reconsider my conception of ‘active’.

    Finally, a few problems were noticeable within the SCADA discussion. While the write up in this area was extensive, it seemed to me to be more of a random ‘information dump’ exposition, rather than a concise description. For instance, in the discussion of DeviceNet, why was it mentioned that “a high pulse… represent[s] a logical 0 and a low pulse … a logical 1” (and does really belong under a discussion of the ‘link’ layer proper)? If the goal was to compare physical layer signals, Ethernet uses an interesting system of Manchester encoding which is ‘far’ more intriguing than a simple pulse system, yet this in not mentioned. Additionally, the inclusion of the bit fields of the DeviceNet protocol seemed spurious, for reasons similar to the prior point. Furthermore, I could not locate a discussion of SCADA vulnerabilities, which was one of the primary concerns of this lab exercise. I would recommend condensing the information in this section, and then addressing points which pertain in a more direct way to SCADA security issues.

  7. Borton
    June 24, 2009 at 4:27 pm

    Team four’s offering is much improved over last week. There are some important general issues that need to be addressed up front. A literature review is NOT a list of articles. Relate them to each other and to the task at hand in narrative form. Evaluate the work. Is it good, garbage, useful or a waste of time? Why? Even though you are directly discussion the work, citations are still necessary. Please have a third party proof read your work.

    There are some specific points in the literature that need to be addressed. When discussing the article About Penetration Testing the group states that because the author sites his own previous work there is a lack of research. However, this may not be the case. What research did the author do for those articles? Why duplicate the effort? In Automated Red Teaming: A Proposed Framework for Military Application the group says, “This article could be used in our lab environment to show how an automated simulation could be set up that would use the red teaming concept to expose vulnerabilities and weaknesses in a network or computer and then use the results to determine what would be the best plan to reduce those vulnerabilities or weaknesses.” But isn’t that the point of red teaming in general? While discussing Geigick and Williams’ article, the group states, “In this selection of vulnerabilities, I believe that the writers greatly reduced their scope on this study of vulnerabilities”. Can you clarify this for me? Does this paper lend credibility to what we’re doing? Would something like what we’ve done with the table be useful in Godefroid’s process? The group quotes McDermott as saying that attacks cannot be patterned. Is he right? You go on to say that his abstract is too short, but this is not really a critical fault.

    The group’s methods and results section was thin. In your results section, you call for a five layer TCP/IP model, but your findings section doesn’t strongly support it. Do you discuss the TCP/IP stack at all beyond this? You mention anonymity tools in the abstract but never discuss them again. You never really explain the reconciliation of the SCADA protocols to the OSI model, you just tell me about them. The question asked was not why the physical layer should be separate, it was does it exist? I do think the group’ Kinetic layer active reconnaissance tools are interesting. It shows some thought. I would have liked to see that developed more. In the deviceNet section, you talk about CAN. What is it? Is EtherNet/IP really any different from TCP/IP?

    In the issues section the group states that there were no issues at all. I don’t believe it. The conclusion doesn’t tell me what the value of the lab was. Did you get anything out of it?

  8. prennick
    June 24, 2009 at 4:38 pm

    I think that group 4’s write-up for lab 2 was good overall. The abstract for this lab was adequate in terms of length, but the content seem copied and pasted. Each sentence started or contained either “the team” or “the student team”. The abstract might as well have had bullet points. The literary review was good. Group 4 answered almost all of the required questions. The group did discuss how the reading related to the lab, but did not discuss whether or not they agreed with each reading. All of the citing for the literary review was done well and the page numbers for the references were also included. However, I’m still a firm believer in citing too much. I do not think you should cite a source eight times in one paragraph, even if it is a semi-large paragraph. The table containing the penetration testing tools was very good in many areas because they added upon the many tools and techniques that they had added in the first lab. However, I still think that many tools and techniques included are not appropriate or already covered by existing entries. I think the group could have gone into more depth about why they chose the 5-layer TCP/IP model. What about the DoD model? How is that not correct? Also, do these layers match up exactly with the OSI model? Or is it fuzzy where layers like the session and transport layers meet? When dealing with SCADA, what about the Kinetic layer? The issues and problems section could have had a lot more depth. The conclusion for this lab was weak at best.

  9. dkender
    June 24, 2009 at 4:48 pm

    I reviewed the lab report for Team 4 and found that I agree with most of it. I do think that needed to take the time to proofread the document before submitting it. They would have also done well to run spell check grammar check.
    Unfortunately, due to my work schedule the past few days I was unable to furnish a more thorough review.

  10. chaveza
    June 24, 2009 at 4:55 pm

    Team 4’s OSI layer Model Exploit Table; the first row “Get them drunk or high”, perhaps a better use of words would have better suited this row. The following two rows, “Plant an insider” and “Espionage” that is pretty much the same thing they even fall in the same McCumber cube coordinates. “Scopoamine”, and “Sodium Pentothal” would most likely all count as “Torture” and have the same McCumber cube coordinates. Interviewing terminated employees, that is a great idea. This one might be odd, but can you give an example of how damaging computer equipment to discover who the contractor information be that much useful? Even if you discover the contractor information are you then going to bribe a possible employee, how maybe or may not be the responder to that incident? The chart is structured very well, which makes it easier to read and understand unlike the chart from lab 1. Overall the reviews of the readings were good; they offered more detail then the first lab.

Leave a Reply