TECH 581 W Computer Network Operations: Laboratory 2, Team 2

Abstract

The exploration of network penetration does not stop with just an overview of penetration testing.  Digging deeper, just below the umbrella topic of penetration testing is network reconnaissance.  Network reconnaissance, the act of observing network activity, can be classified into active network reconnaissance and passive network reconnaissance.  This is based on whether the network being targeted could be aware of the efforts (active), or could not be aware of the efforts (passive).

In the second lab for course we deal with network reconnaissance.  Specifically we deal with active network reconnaissance, and the tools and techniques that go with it.  As before the first part of the lab is a current literature review on the topic, followed by the methods used to answer the questions presented, the answers themselves and finally our conclusions.  The focus these activates being the TCP/IP model and how they relate to SCADA systems.

Literature Review

About Penetration Testing, by Matt Bishop

The article, About Penetration Testing by Matt Bishop of the University of California, Davis, talks about red teaming and what red teaming is. Bishop answers different questions in his article, such as what is a penetration test, what do the attackers know, and what resources do the attackers have?  He gives an example of a police officer examining a car that they are unfamiliar with to see how a car thief would steal the car. The examining is an example of penetration testing, “it’s an analysis of some aspect of a system  (Bishop, About Penetration Testing, 2007).” Bishop describes that penetration testing needs to have a goal such as informing the sponsors “how easy (or hard) breaking into the system is  (Bishop, About Penetration Testing, 2007)?” Bishop continues on to talk about how a skilled attacker may have more of a willingness to break into the system if the desire is great enough over a penetration tester. He also says that attackers have more time then a tester to bypass and acquire the desired information. Bishop states that if the goal of the test is to handle all classes, then the testers should have access to all tools unless there is a way to deny them of that resource.

Bishop makes some good point that attacks do have more time to spend running recon against a system they want to infiltrate. An attacker(s) with the desire and enough motivation can find ways into a system that a penetration tester may not find. New tools and modified tools may arise that unlock a path that was previously blocking an attacker and penetration testers. A motivated attacker can quickly take advantage of this opening of the systems thus while a penetration tester is learning and finding ways to protect the system from this tool.
Security Plan for Red Team Testing, by Matt Bishop

According to Matt Bishop “The goal of security plan is to ensure that proprietary and confidential information remains proprietary and confidential (Bishop, Security Plan for Red Team Testing, 2007)”. He goes on to describe proprietary as “the vendor and the Secretary of State agree that the information or device is proprietary… (Bishop, Security Plan for Red Team Testing, 2007)” They plan on having two types of secure facilities at a remote institution and at the Secretary of State’s office. The remote institution is to be used for planning and preparation while at the Secretary of State’s office will house the testing. At these facilities they will be testing the e-voting systems and there source code. While at the remote facility no actual e-voting machines will be there, only the access to the source code. Bishop does not have a research question but is simply running tests against source code.

Bishop takes good tests to ensure data is protect by keeping an internal network, physically secure and unconnected to the outside world. He goes on to mark the internal network with red to clearly identity which systems are for sensitive information. He also has another set of systems that is connected to the outside world by way of DSL line. This network is identified by green tape or tags. This is a great why to retrieve information from the internet while not contaminating the internal private network.

Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs by Michael Gegick and Laurie Williams
This article is about software patches that fix vulnerabilities and how these patches can cost several times more than the release. They go on to talk about how vulnerabilities shows patterns in which can lead to where the vulnerable areas exist in a system. Applied within the software community was Christopher Alexander’s, “where a problem recurs and provides a solution that can be applied regardless of the environment in which the problem occurs  (Gegick & Williams, 2005)” They try to use the SAFE-T as a means of security to identify the potential vulnerabilities that can exits. They have researched four different web-based security vulnerability databases which lead to 244 previously reported vulnerabilities. These four web-based security vulnerability companies that house the vulnerability databases are SecurityFocus, Help Net Security, Secunia, and SecurityTracker. Gegick and Williams’ study targeted undergraduate students mainly because of there inexperience and how they are not security experts. They used the students as a test bed for how easily software systems can be inclined to attacks.

An important way to help discover attacks is by creating an attack tree. This diagram will help “show the goals of an attacker (Gegick & Williams, 2005)”. Another form of diagram is an attack net which is a graphical representation of a where a system penetration test should happen. There are three taxonomies that were examined, forty-nine attack patterns, answers there questions: “How did it enter the system? When did it enter the system? Where in the system is the vulnerability manifest?  (Gegick & Williams, 2005)”, and four hierarchical classes: “Design Flaws, Environmental Flaws, Coding Flaws, and Configuration Flaws  (Gegick & Williams, 2005)”.

They have substantial amount of research and data about vulnerabilities with systems. They also supply ways of discovering vulnerabilities before software is released to the public and save on releasing patches that the user may not install. The use of the three taxonomies is also a great way for software developers to answer while software is still being developed.

Grammar Based Whitebox Fuzzing by Patrice Godefroid, Adam Kiezum, and Michael Y. Levin

This article is about how they “enhance whitebox fuzzing of complex structured-input applications with a grammar based specification  (Godefroid, Kiezun, & Levin, 2008)” and they test there algorithm on a JavaScript interpreter in Internet Explorer 7. This algorithm increased the grammar-based coverage from 53% to 81%. They give examples of code for interpreter and algorithm. There new algorithm two key components, high-level symbolic constraints and custom constraint solver. With grammer-based whitebox fuzzing, more paths and deeper processing maybe done instead of possible going into a infinite loop because of where a path lead.
Fast Model-Based Penetration Testing by Sankalp Singh, James Lyons, and David M. Nicol

In this article they propose a different approach to penetration testing called Model-Based Penetration Testing. This new approach gathers detailed information about the host such as the “configurations, attacks, vulnerabilities, critical assets, and connectivity  (Singh, Lyons, & Nicol, 2004)” then it will create independent attack paths. Model-checking tools attempts to determine the capabilities the attacker may have during the current state then generates the next states. There is a major difficulty when using model-checking, it can quickly explode the number of hosts and exploits available to the attacker thus increasing the number of vulnerabilities to the host. They present a mechanism which will build repeated random paths and can estimate “the total number of paths or the total number of paths of a particular length or less  (Singh, Lyons, & Nicol, 2004)”. Through out the paper they use three levels of privilege, none, user, or root.

They provide several formulas for ternary relation, binary relation, estimating the probability and more.

Attack Net Penetration Testing by J.P. McDermott

McDermott talks about how penetration testing is more of an art then science, and how testers need to have knowledge of products and systems. This article is about usefulness of penetration testing as a Petri net. This technique has the depicting refinement of specific attacks and attack alternatives which is similar to attack trees. He then draws out an attack tree for opening a safe. Open Safe is at the top, then four ways of opening the safe are listed below from there the tree counties to grow blackmail, eavesdrop and so forth in order to open the safe. Looking at every possible way to access what is desired is important for an attack tree. He also talks about six flaw hypothesis approach, ”

1. Define penetration testing goals.

2. Perform background study.

3. Generate hypothetical flaws.

4. Confirm hypothesis.

5 Generalize discovered flaws

6. Eliminate discovered flaws.  (McDermott, 2001)”

McDermott then goes on to give an example using Mitnick attack, which using SYN flooding, TCP session hijacking, and UNIX .rhosts trust relationship spoofing, to represent the exploit.

McDermott attack net approach to penetration testing is a good approach to follow. He may not provide any supporting data but does have several diagrams that show an adherent to the brainstorming activity while at the same time not restricting the free range of ideas.

Three Different Shades of Ethical Hacking: Black, White and Gray by David M. Hafeele

Hafeele starts off talking about how corporations have to defend there networks against several different kinds of attacks. They have several different type of tools, such as firewalls, intrusion detection devices, which help organizations fight off attacks. Hafeele claims that his paper “seeks to investigate the rationale for using there penetration experts in order to determine the level of security (Hafele, 2004)” he also examines the philosophy behind black, white and gray box testing. Hafeele says “I think my network is secure, therefore, it is secure, no matter what the security experts may say (Hafele, 2004).” He explains that his is a common assumption among management because there may be a firewall in place, not knowing how it works completely. The ethical hacker needs not to be kept out of the loop “when it comes to assessing the business and political climate of the customer (Hafele, 2004)”. The ethical hacker has three different models, black box, white box, and gray box model. The black box model is when the ethical hacker is left with little information and needs to gather information to discover the rest. White box model is when they are given an unreserved amount of knowledge. Gray box model is when the ethical hacker is given certain information about the system. He explains that retrieving information by way of black box testing can be possible by means of different databases such as WHOIS. This paper is about how ethical hacking is needed, is a tool, and which can provided useful understand of weaknesses that can be exploited on a network.

Ethical hacking is something that is needed. Ethical hackers provide more of an insight to protecting systems that are constantly attacked. Each model has there advantages and different viewpoint.

Automated Red Teaming: A Proposed Framework for Military Application by Chwee Seng Choo, Ching Lian Chua, and Su-Han Victor Tay

This paper is about automated red teaming using evolutionary algorithm, parallel computing and simulation. They have an overall goal “to reduce surprises, improve and ensure the robustness of the Blue ops concepts (Choo, Chua, & Tay, 2007)”. According to Choo, Chua, and Tay the military commonly uses red teaming as a technique to gather system vulnerabilities or to discover gaps which can be exploitable. They describe the concept of automated red teaming using evolutionary algorithm in the military context using an architecture design of the automated red teaming framework. They processed the MANA model with an automated red teaming 26 nodes processor cluster which tool around 8 hours for a total of 40 iterations. There results indicated “effective Red force would be highly stealthy (Red Inf Stealthiness = 89.19), slightly aggressive individually (Red Inf Individual Aggression = 6.879) and as a group Red Inf Squad Aggressiveness = 16.30) with a propensity to move towards fellow injured Red (Red Inf Response To Injured Red = 11.04) (Choo, Chua, & Tay, 2007)”. This shows that the “Red Force survivability can be improved by 27% just by modifying behavioral parameters alone (Choo, Chua, & Tay, 2007)” There results show an increase for red force survivability, which is always good. A 27% increase for the military is good however further work should be done to develop further the automated red teaming framework; this could scientifically increase the percentage.

Methods

The methods for completing this lab are based around an existing literature driven empirical study of topics in penetration testing and active network recon. The completion of the second lab in the course involved five steps.  The first step as before was the literature review of a selection of current literature on active network reconnaissance which is detailed above.

The second step was the installation of tools such as NAMP and NESSUS to perform active network reconnaissance.  These tools came from the grid in lab one, as well as a reading on obscuring actual location on the part of the penetration tester. The installation of the active recon tools was rather simple since the all of the tools that were defined by team two in lab one were the tools of the backtrack tool suite.  These tools are available as a pre-built Linux virtual machine for VMware which was downloaded from the backtrack website and copied into our lab virtual machine repository.  That pre-built VM was added to team two’s VM team configuration inside VMware workstation.  Once the VM was booted all the tools of the suite were available to us for testing.

The third step was to complete an active network recon exploit taxonomy based on the nine layers of the OSI reference model as presented in Lab one. This was completed by locating the documentation on the tools of Backtrack through the backtrack website and using their tool categorization as well as the penetration testing taxonomy from lab one to create a new active recon taxonomy.

The fourth step was to align the layers of the TCP/IP model to the layers of the OSI model as well as answer the question does the TCP/IP model have four or five layers? The alignment performed and questions answered through studying existing research in the TCP/IP model.

The fifth and final step of the lab was to align the given SCADA protocols to the TCP/IP and OSI model layers in a second grid and add a couple of our own SCADA protocols while explaining the chosen alignment. Again this was accomplished through studying existing research on SCADA and the TCP/IP model.

Findings & Answers

The installation of the active recon tools was rather simple since the all of the tools that were defined by team two in lab one were the tools of the backtrack tool suite.  These tools are available as a pre-built Linux virtual machine for VMware which was downloaded from the backtrack website and copied into our lab virtual machine repository.  That pre-built VM was added to team two’s VM team configuration inside VMware workstation.  Once the VM was booted all the tools of the suite were available to us for testing.

Active Network Recon Taxonomy

OSI Layer

Active Recon Exploit

8

Facebook

8

Myspace

8

LinkedIn

7

Amap

7

Autoscan

7

DNSEnum

7

dnsmap

7

dnsmap-bulk

7

dnstracer

7

dnswalk

7

Gooscan

7

httprint

7

httprint GUI

7

HttSquash

7

lbd

7

Maltego

7

MetaGooFil

7

Netifera

7

onesixtyone

7

p0f

7

propecia

7

ReverseRaider

7

SEAT

7

Xprobe2

7

nessus

6

SSLScan

5

nbtscan

5

Smb4K

5

5NMP

4

0trace

4

hping2

4

LetDown

4

Nmap

4

tcptraceroute

4

tctrace

4

Unicornscan

4

Zenmap

3

Fierce

3

fping

3

hping3

3

ike-scan

3

itrace

3

lanmap

3

Netdiscover

3

netenum

3

netmask

3

protos

3

psk-crack

2

Solarwinds Switchport Mapper

2

Solarwinds MAC Address Discovery

2

Kismet

2

KisMAC

1

Wiretap

1

Fibertap

0

Binoculars

0

Telescope

The use of this active recon taxonomy is not in and of itself without issue.  As pointed out in the lab obscuring the true source of the recon tool (aka system hosting the tool being used) can also be quite valuable.  The article presented by Professor Liles suggests that using an encrypted write blocking USB storage device containing a Virtual Machine image to boot on a system is part of the answer. Besides the use of the USB storage device creating a routine that prevents writing to the systems hard drive is also required.  Where the exploit taxonomy comes in is with the routing of information across the network. The network packets would make singling out the “invaded” system quite easy.  Making use of a VPN connection over the Onion router or TOR network is Professor Liles approach.  Taking this stance would create an active recon system that would be untraceable to a forensic expert (Liles, Anti-forensics: Obfuscating the path to forensic examination, 2009)

OSI to TCP/IP Model Comparison

OSI Layer

TCP/IP Layer

Application

Application

Presentation

Session

Transport

Transport or H2H

Network

Internet

Data Link

Network Access

Physical

Hardware

According to Comer in Internetworking with TCP/IP Principals Protocols and Architectures Fourth Edition the TCP/IP model is a four layer plus one model.  There are four major software layer which build on a fifth hardware layer.  That fifth layer consists of network specific frames of information (Comer, 2000).  This is because TCP/IP was designed to be physical connection agnostic. There needs to be a consideration of how information is sent to the hosts requesting information possibly not using TCP/IP connected by the numerous methods of physical interconnect available today.

In aligning the OSI & TCP/IP models with SCADA protocols the first consideration was determining if various SCADA protocols can be molded to fit the OSI seven layer model.  The answer is an unequivocal yes.  Professor Sam Liles has stated in his review of Securing SCADA Systems by Ronald Krutz that SCADA systems use the OSI seven layer model and are often simply layered on top of the OSI model (Liles, Review: Securing SCADA systems by Ronald Krutz, 2009).  With that consideration in mind five SCADA protocols are considered for review.

SCADA MODBUS

OSI Layer

TCP/IP Layer

SCADA MODBUS

Application

Application

Application

Presentation

MODBUS TCP

Session

Transport

Transport or H2H

Transport

Network

Internet

Network

Data Link

Network Access

Data Link

Physical

Hardware

Physical Ethernet

MODBUS is a SCADA protocol that according to the MODBUS organization is an application-layer messaging protocol, positioned at level seven of the OSI model. It provides client/server communication between devices connected on different types of buses or networks.  MODBUS is available to be used through serial interconnect or TCP/IP.  MODBUS has a common port reserved for it in the TCP stack that port is 502 (Modbus Organization).  Based on this information MODBUS fits very nicely into the OSI / TCP/IP model because it is DIRECTLY accessible via TCP port 502.  This is why there is a MODBUS TCP layer in its implementation stack.  In order for network traffic to be translated to MODBUS traffic that layer must be present, hence its existence above the transport layer, and positioned at the OSI session and Presentation layers.

SCADA DNP3

OSI Layer

TCP/IP Layer

SCADA DNP3

Application

Application

Application

Presentation

Session

Transport

Transport or H2H

Pseudo Transport

Network

Internet

Data Link

Network Access

Data Link

Physical

Hardware

Physical

According to the DNP users group The development of DNP3 was a comprehensive effort to achieve open, standards-based Interoperability between substation computers, RTUs, IEDs (Intelligent Electronic Devices) and master stations (except inter-master station communications) for the electric utility industry (DNP Users Group).  DNP3 was designed to work in a round robin fashion (like Token ring), polling each station that is connected to a DNP3 network.  DNP3 was also designed to be carried over TCP/IP.  DNP3 does not have a dedicated port like MODBUS. DNP3 is also not a Layer 7 protocol but rather, primarily a layer 2 protocol.  Not in conflict with Ethernet, but rather encapsulating it’s communications in Ethernet layer 2 frames (Curtis, 2005).  Hence the addition of the pseudo transport layer above the Data Link layer.  Like MODBUS, this layering approach makes DNP3 fit very nicely if in even more simply into the OSI model.  Interaction can occur without the need for any specialized tools.

SCADA DeviceNet

OSI Layer

TCP/IP Layer

SCADA DeviceNet

Application

Application

Application

Presentation

Presentation

Session

Session

Transport

Transport or H2H

Transport

Network

Internet

Data Link

Network Access

Data Link

Physical

Hardware

Physical

The ODVA states that DeviceNet is a digital, multi-drop network that connects and serves as a communication network between industrial controllers and I/O devices.  DeviceNet Follows the OSI reference model.  DeviceNet was DESIGNED from the beginning with the OSI model in mind (ODVA).  Making DeviceNet fit the model even better than MODBUS, or DNP3.  There is no need to consider any additional or “vender-controlled” layers in the DeviceNet system.  Not only does this make for a SCADA protocol that is easy to implement and troubleshoot for facilities that already have Ethernet networks, it is also an attackers dream.  The only way to insure that a DeviceNet system would not be broken into would be the air-gap firewall method.  By not connecting the SCADA network to any publicly addressable network and by not making use of wireless LAN technologies could a production company be reasonably sure their DeviceNet systems were secure (except for physical connection issues such as cable breaks and interference).

SCADA PROFIBUS

OSI Layer

TCP/IP Layer

SCADA Profibus

Application

Application

Application

Presentation

Session

Transport

Transport or H2H

Field Bus Data Link

Network

Internet

Data Link

Network Access

Physical

Hardware

Bit-Transmission

Profibus is a more propriety SCADA protocol.  While Profibus International claims that Profibus is the world’s most successful field bus technology through it being a very open and vendor independent protocol they do not follow the OSI model very well at all (Profibus International).  Profibus has created its own protocol stack that bypasses many of the standard layers of the OSI model to create what would seem to be an independent and secure system.  This is however not the case.  Even though Profibus was not designed with the OSI model in mind, the Physical or Bit-Transmission layer makes use of RS485 (PROFIBUS, 2002).  Therefore, anything that connects RS485 to a network, like an RS485 “modem” if you will can make a Profibus network attackable.  This presents a major issue because based on the Profibus layer design security was probably not a major issue for the makers of Profibus.  Finally, Profibus is based on a single cable bus technology; any break in the cable would render the system useless (Profibus International).

SCADA RP570

OSI Layer

TCP/IP Layer

SCADA RP570

Application

Application

Application

Presentation

Session

Transport

Transport or H2H

Link

Network

Internet

Data Link

Network Access

Physical

Hardware

Physical

RP570 was designed in the 1990’s by the ABB group to work at a low-level based on IEC 57 Part 5-1.  According to ABB the RP 570 protocol is a high-level communication protocol used between the front-end computer (FE) and the substation to be controlled (ABB, 1997).  Like Profibus RP570 bypasses OSI layers that it does not have any need for.  This make RP570 fit less well into the OSI model.  That does not mean fitting RP570 in would be impossible.  As shown above, while RP570 has just three layers, they do align at a high level with the OSI model.  RP570 is a serial based communications system.  RP570 would in its initial design not be connected to a network, but instead just a computer.  However, because RP570 is based in serial communications, and IEC 57, anything that would convert a Front End Computer to a network device would make RP570 a very possible attack vector.

Issues

There were no issues or problems with the lab.

Conclusions

This lab was a discovery of active network recon as it pertains to penetration testing.  The taxonomy that was built will help us in future labs by allowing us to better understand what tools we should use and when.  It also required that we take a deeper dive than usual into the workings of the “standard” TCP/IP model.  With a better understanding of the TCP/IP model it also got us thinking about how device automation systems, commonly used in major physical infrastructure such as electric utilities, could fall victim to network eavesdropping, and even service disruption through cyber activity.  This lab also made it very clear that SCADA systems are not considered to be part of the IT realm where standard practices of information security at least should be considered. Meaning that with a little “outside the box” thinking the lack of security minded design, install, and maintenance of SCADA system by electrical engineers could be used to potentially destroy plants, factories, or even the distribution of water and electricity.

Works Cited
ABB. (1997). REC 501 RP 570 Protocol Description Technical Description Manual. VAASA: ABB Oy.

Bishop, M. (2007). About Penetration Testing. IEEE Security & Privacy , 84-87.

Bishop, M. (2007). Security Plan for Red Team Testing. Davis: University of Califorina.

Choo, C. S., Chua, C. L., & Tay, S.-H. V. (2007). Automated Red Teaming: A Proposed Framework for Military Application. ACM , 1936-1942.

Comer, D. E. (2000). Internetworking with TCP/IP Principles, Protocols, and Archtiectures. Upper Saddle River: Prentice Hall.

Curtis, K. (2005). A DNP3 Protocol Primer. Calgary: DNP Users Group.

DNP Users Group. (n.d.). Overview of the DNP3 Protocol. Retrieved June 20, 2009, from DNP: http://www.dnp.org/About/Default.aspx

Gegick, M., & Williams, L. (2005). Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs. ACM , 1-7.

Godefroid, P., Kiezun, A., & Levin, M. Y. (2008). Grammar-based Whitebox Fuzzing. ACM , 206-215.

Hafele, D. M. (2004). Three Different Shades of Ethical Hacking: Black, White and Gray. SANS Institute.

Liles, S. (2009, January 4). Anti-forensics: Obfuscating the path to forensic examination. Retrieved June 20, 2009, from Selil Blog: http://selil.com/?p=518

Liles, S. (2009, June 3). Review: Securing SCADA systems by Ronald Krutz. Retrieved June 20, 2009, from Selil Blog: http://selil.com/?p=766

McDermott, J. (2001). Attack Net Penetration Testing. ACM , 15-21.

Modbus Organization. (n.d.). Modbus Specifications and Implamentation Guides. Retrieved June 20, 2009, from Modbus Organization: http://www.modbus.org/specs.php

ODVA. (n.d.). DeviceNet Technology Overview. Retrieved June 20, 2009, from ODVA: http://www.odva.org/Home/ODVATECHNOLOGIES/DeviceNet/DeviceNetTechnologyOverview/tabid/72/Default.aspx

Profibus International. (n.d.). THE WORLD’S MOST POPULAR FIELDBUS. Retrieved June 20, 2009, from PI – Profibus & Profinet International: http://www.profibus.com/index.php?id=63

PROFIBUS. (2002). Profibus Technology and Application System Description. Scottsdale: PROFIBUS Trade Organization PTO.

Singh, S., Lyons, J., & Nicol, D. M. (2004). FAST MODEL-BASED PENETRATION TESTING. Winter Simulation Conference (pp. 309-317). Urbana: University of Illinois at Urbana-Champaign.

10 comments for “TECH 581 W Computer Network Operations: Laboratory 2, Team 2

  1. mvanbode
    June 23, 2009 at 10:37 pm

    Unlike the group’s last lab report, this lab report’s literature review read more like a list. The group did not cite the references in the proper APA 5 format. The group did clearly state the points that they agree with in the articles but failed to answer all of the questions required for the literature review. I felt that some of the articles did not get enough attention or they were not scrutinized as the rest of them. The Active Reconnaissance tool table was not complete. It was missing the entire column where the tools are placed into their proper dimension of the McCumber cube. Only one tool was found to be in layer 6, I would like to have seen some more tools in this layer.
    I liked this group’s tools for layer 0. I thought that they were unique and actually fit quite well with the active reconnaissance tools. The group stated that there were no problems or issues with this lab, but right after the active reconnaissance tools table the group states “The use of this active recon taxonomy is not in and of itself without issue. As pointed out in the lab obscuring the true source of the recon tool (aka system hosting the tool being used) can also be quite valuable.” This should have been places into the proper section and elaborated on and go into more depth about the issue. The group did state that the TCP/IP model can have 4 or 5 layers in it, but failed to state which side of the argument that they agree with and why. I liked that the group separated the different SCADA models and compared them with the OSI and the TCP/IP models. I also like that the group described the models after displaying the graphs. It was nice to see that the group cited the places that they found the different models from. It looks like the group copied and pasted a paragraph from their methods section and put it in the findings section two paragraphs later. I agree with the group’s placement of the SCADA models in correspondence with the OSI model as well as the TCP/IP model. This group’s lab report was better structured than their first lab report was. The group just needs to makes sure that they include all parts of the lab exercise. I am looking forward to this group’s next lab report to see how they work together to get a cohesive lab report.

  2. June 24, 2009 at 12:10 am

    The literature review lacks any cohesion and is simply a list of the articles that were provided with the lab exercises. This literature review, specifically for this group, is a step in the wrong direction from last week where the articles were treated by the topics that they addressed. At the end of each article’s summary is a paragraph summarizing the author’s ideas and agreeing with them. The literature review doesn’t mention the lab assignments or tie any of the articles to any of the exercises in the lab. Some of the literature summaries are poorly written, one example would be Matt Bishop’s paper on Security Plan for Red Team Testing where the review states: He goes on to describe proprietary as “the vendor and the Secretary of State agree that the information or device is proprietary…”. Is this defining proprietary?
    The methods section lacks a lot of detail as to what specifically was going to be done in the lab exercises but did give a general overview of what was going to be done and how it was going to be accomplished. The methodology about the active reconnaissance taxonomy only mentions that the Backtrack tools were used, while this is a large repository of tools to use, it would’ve been better to include some tools from some other sources.
    The findings paragraph about the active recon tools is almost verbatim what the methodology section’s paragraph was. The table with the active recon tools is a little difficult to read with each tool occupying one row, the McCumber cube coordinates were missing from the table, and links to each of the technical tools would have been helpful. The anti-forensics methods were interesting but only looked at what Professor Liles had posted in his anti-forensics post, some additional sources would’ve been good to see.
    The TCP/IP and OSI comparison detailed the five layer TCP/IP model but only described Comer’s view of the five layers without any mention of the four layer model and why there was discussion between the two competing views. The SCADA comparisons were well laid out in the tables with the detailed descriptions about each of the protocols.
    The conclusion made an excellent point about the relationship between SCADA systems and standard penetration testing. SCADA systems could allow an attacker to use tools that target TCP/IP systems and cause a kinetic, and possibly dangerous, effect.

  3. mafaulkn
    June 24, 2009 at 9:54 am

    Team 2’s abstract did a good job of explain what they were going to do in their lab Their literature review was well organized which made it easy to read and helped to convey what the authors were trying to say. The methods section discusses the process of how the lab was completed. In regards to their Recon tool table they were missing the column that that showed the McCumber cube hierarchy. I think there are a lot more recon tools they could have researched and found to complete their table. Layer 0 was very light. I thought the way the group organized the different SCADA models and compared them with the OSI and the TCP/IP models was excellent. They did have a findings and answers section and seemed to answer the required questions. I agree with the group’s placement of the SCADA models in correspondence with the OSI model as well as the TCP/IP model. As with some of the other groups I’m surprised they didn’t have any issues, particularly in finding additional recon tools. I agree with their conclusions. Overall their paper was good.

  4. jeikenbe
    June 24, 2009 at 11:54 am

    The group starts off with an abstract that does a nice job of quickly explaining what reconnaissance is and the two types of reconnaissance there are. The abstract also briefly explains what will be involved in this lab. The next part of this groups paper is the literature review. The group takes each article and does a review on them individually. The group does a nice job in explaining the ideas behind the articles. The problem with these reviews is that they don’t explain how these articles ties into this lab and the other articles. The group does mention the theme or topic of each article and also the research methodology of each article. They also do mention a research question if the article has one. Next the group goes into the methodology of the way they approached the lab. The group explained each step of the lab in a short but complete description of that step. The one thing that I did not see in the methodology that should have been there was the explanation of aligning the tools to McCumber’s cube along with aligning the tools to the extended OSI model. In the next part of this group’s paper they talk about the findings they got from this lab and the answers to the questions in the lab. The first part of this section talks about how they setup their lab using the Backtrack tool suite built into a virtual Linux environment. They did not detail how they did this though. After that section they show the table that they constructed for the active recon exploits. This table was not that extensive. I believe that they could have found more to put into this table. Another major thing missing from this table is the alignment to McCumber’s cube for each of the tools. The table also did not contain any anti-forensic tools that should have been included in with the active recon tools. The group did explain how the lab is set up to accompany anti-forensics at the end of the table. Next the group tackled the question of whether there should be four or five layers in the TCP/IP model. According to this group there should be five layers to the TCP/IP model. They argue that there are four layers that are major software layers that build on a fifth hardware layer. They say that there has to be a fifth layer to get the information to the requester, but this connection might not be TCP/IP though. The group also provides a table depicting the alignment of the TCP/IP model to the OSI model. Next the group discusses the alignment of different SCADA protocols to the TCP/IP model and the OSI model. They start off with a brief explanation of why the SCADA models do align to the OSI model. Then they go into the different protocols. In each explanation they briefly explain how each layer fits into the OSI model, but they do not explain any details of each layer. They go over some of the most important aspects of each of the protocols, but again they do not go into details. They talk about the SCADA protocols given in the lab and they also cover the PROFIBUS protocol and the RP570 protocol. Next they mentioned that they did not encounter any problems in this lab. Last they concluded the lab. In the conclusion they talk about how the table that they created with the active recon tools would help aid in future labs. Then they talk about how they gained better incite on the TCP/IP model and how device automation systems could become vulnerable. Last they explained that with a little “outside the box” thinking could penetrate a SCADA system and be used to do great damage to a plant, factory, or even a distribution of water and electricity.

  5. gdekkerj
    June 24, 2009 at 3:28 pm

    This lab write up was nicely structured. The literature review was in depth, and covered each article quite nicely. I also thought that the section which addressed anonymization techniques was interesting. The tables for active tool listing and the TCP/IP and SCADA stacks were clear, and easy to read. The dialogue which discussed the TCP/IP controversy and the SCADA protocols with their exploitability was significant: it presented well chosen and useful information. Overall, this was a very solid report with a lot of subject coverage.

    That is not to say that I did not find a number of areas which could benefit from more attention. With regard to the literature review: I found no direct relation to the lab exercises mentioned for any of the articles. A short description of how the team felt the articles reviewed addressed areas of the lab exercise (if at all) would address this deficiency. Additionally, similar to the first team’s approach to the lab, I found no mention of how this team determined what ‘active reconnaissance’ actually was, and what properties defined a tool grouped into this category. This becomes an issue, as several tools in the tool chart are of a questionable nature with regard to classification in this category.

    The inclusion of such tools as ‘Gooscan’ and ‘lanmap’ are unsatisfactory without a rationale for their inclusion. As mentioned in a prior review, ‘Gooscan’ is almost certainly passive in nature-just because ‘scan’ appears in the tool name does not mean it is an active scanning tool. Additionally, having experimented with ‘lanmap’, I found no way to cause it to act in an ‘active’ way. It is a tool which builds a graphical depiction of the network ‘as information is overheard’: it does not broadcast to or ‘ping’ any network hosts to accomplish this. I would therefore call it a ‘passive’ tool, and find it erroneous to include it in a table of ‘active’ tools-unless, of course, a specific reason exists for its inclusion, but this is nowhere to be found. I also wonder in these regards to the inclusion of tools such as ‘psk-crack’, which is an offline cracker with no network connectivity functions.

    The discussion on anonymization tools is interesting, and draws heavily on Professor Liles’ article. I would comment that the Tor network, or onion routing systems (as currently implemented) are not ‘impossible’ to compromise, they simply make it ‘very’ difficult to correlate specific connections to a single origin. As mentioned in the Tor network documentation, organizations with sufficient resources, in theory, could monitor specific input and output nodes, and make accurate assumptions about usage patterns-I would not consider this perfect anonymization with respect to network connections, but rather merely ‘of low risk’ for an attacker to use. Furthermore, I would suggest that the encrypted ‘VM on USB key’ is of limited worth with respect to an active attack. If such a device is used on a host located within the target’s premises, nothing is gained, as the attacker must be physically present: and so therefore exposes himself to a high risk of direct capture. If the encrypted ‘VM on USB key’ system is used from a remote location, no real risk is mitigated in this case, either. As a remote attacker primarily seeks to hide his whereabouts, and this encrypted ‘VM on USB key’ is actually designed to defeat forensic investigation; I would submit that it is ‘far’ too late for the attacker if forensic investigation is being done on the machine used for a remote attack: his connection anonymization means has failed, and he is already caught, or very close to it. I would add that this encrypted ‘VM on USB key’ has very specific application in the referenced article: to a traitor passing information to some other party; in the role of attack it accomplishes little.

  6. shumpfer
    June 24, 2009 at 3:30 pm

    The lab starts off with the abstract defining what is going to be done within the lab and they unlike the other groups add passive attacks along with the idea of active attacks. This gives me the question is it possible to be active while being passive? I would think yes because even though the attacker is waiting there is still that time where they are actively collecting information. Just that question made me want to know more about the group’s thoughts with this idea. Next they go into the literature review and do a good job at describing the Literature/papers, and how it relates and their thoughts on the different information presented to them. Again this group also did split the reviews up instead of creating a more cohesive literature review that would spark differences between the papers and create more questions that would make the group think about when dealing with the topics presented. The group then goes onto describing their methodologies and how they went about the lab outside of the literature. The group describes what tools they where using for the active reconnaissance and why they where being used. This was a well added point to their lab because some of the other ones left me with the question on why they did not put that aspect in. The team was able to describe the methods that they used well which they carried over to the findings and results sections. Here they used various tools and plotted them within a table. They where able to plot the various tools they used into the first table comparing the tools and what level of operation. They also compared the OSI, TCP/IP, and SCADA protocols in different tables. Breaking the tables down allowed the readers to take out the clutter and get a better understanding of each protocol and its relations to the OSI seven layer model. After each table they where also able to explain why they put the layers in the locations presented. This gave me a better understanding on what their thought process was behind the placement. It also gives the question is there a possibility that some of these protocols may be placed differently? Is there something that can be argued when dividing the line of the protocols and essential breaking down the protocols to the OSI model into fewer layers? The team then goes onto state that they had not issues with the lab and go into the conclusion. They conclusion gave me an ending thought when they stated that SCADA protocols should not be used within the IT fields standard realm of practices. Will the comparison of SCADA protocols and the OSI model eventually lead into another area when thinking about the equipment that is used? They are communication protocols and Information Technology is about the sharing of information. So will the field start to relate more with the combination of SCADA and OSI? This sparks a good conversation and may eventual happen.

  7. Borton
    June 24, 2009 at 4:24 pm

    The literature review is NOT a list of articles. Your team presents a thorough synopsis of each of the articles in the literature review, but you don’t relate the content to the lab. You fail to evaluate the information presented. The methods section does a good job of telling the reader what you did in a repeatable manner. In this section the group states that NESSUS is an example of an active scanning tool. Is it? Your results section is on the thin side. Do your Tools map to the McCumber cube? How? Could the same tool work on more than one layer? When discussing the TCP/IP stack, you tell me what Comer thinks about the TCP/IP model, but what do you think? What is your reasoning? How does it compare to what other people think? The discussion of MODBUS only includes one version of the protocol. Are there others? How do they interact? Does DeviceNet always align as clearly to the OSI as presented in your work? PROFIBUS and RP 570 are very similar. Why? It would be nice to see the SCADA protocols compared to each other as well as OSI and TCP/IP. You had no issues with the lab? The group’s conclusion does a good job of summarizing the process and telling the reader what was gained. I would have liked to see a more detailed discussion of the SCADA protocols, but overall the lab flowed well.

  8. dkender
    June 24, 2009 at 4:35 pm

    I reviewed the lab report for Team 2 and found several misspellings, such as using there instead of their, or namp instead of nmap. I was also a bit confused about using the word agnostic when describing the TCP/IP physical connection. There were also a few sentences that didn’t make sense, such as ” The installation of the active recon tools was rather simple since the all of the tools that were defined by team two in lab one were the tools of the backtrack tool suite”. This sentence could have used some revision to make more sense. I would have also liked to have seen an attempt to describe how the article on automated red teaming may apply to our lab assignment. Unfortunately, I was unable to furnish a more thorough review due to my work schedule that past few days.

  9. prennick
    June 24, 2009 at 4:39 pm

    I think that group 2’s write-up for lab 2 was good overall. The abstract for this lab was good. The literary review was adequate. Group 2 answered almost all of the required questions. The group did not discuss how the reading related to the lab, and did not discuss whether or not they agreed with each reading. All of the citing for the literary review was done well. The table containing the penetration testing tools was adequate. More depth could have been put into how these tools are actually installed. What if you needed to make your own Live CD or install these on a computer that BackTrack is not compatible with? I think the group could have gone into more depth about why they chose the 4-layer plus 1 TCP/IP model. What about the DoD model or the 5-layer model? How are these not correct? Also, do these layers match up exactly with the OSI model? Or is it fuzzy where layers like the session and transport layers meet? When dealing with SCADA, what about the Kinetic layer? When dealing with the DeviceNet protocol, what about the Pseudo Transport Layer? Is it really its own layer or does it exist in another layer?

  10. tnovosel
    June 24, 2009 at 4:47 pm

    In the abstract , team 2 was able to differentiate active tools from passive by stating” This is based on whether the network being targeted could be aware of the efforts (active), or could not be aware of the efforts (passive).” The group then gave an overview of the laboratory assignment. I did not understand what was meant by the statement” The focus these activates being the TCP/IP model and how they relate to SCADA systems.”

    In the literature review, the group needed to address the theme of the articles and relate the articles to the lab. The group also needed to relate the articles to each other. In the first article, About Penetration Testing group seemed to accidently confuse author’s names when the group stated “ The article, About Penetration Testing by Matt Bishop of the University of California, Davis, talks about red teaming and what red teaming is.” In the article Three Different Shades of Ethical Hacking: Black, White and Gray when he said “I think my network is secure, therefore, it is secure, no matter what the security experts may say “ he was stating a common view held by management, not himself(Hafele, 2004).

    Team two gave an overview of what was to be done in the lab within the methodology section. Team 2 differed from other teams in that they went into a brief explanation on some of the active reconnaissance tools that they installed onto their virtual machines. I had to disagree with the group in their claim that NESSUS was available on the backtrack ISO, for my team was not able to locate it within the ISO and had to install it on a different virtual machine. When the setup of the active reconnaissance tools table was described, the McCumber cube requirement was not mentioned. This lab required to categorize the tools in relation to both the extended 7 layer OSI model and the McCumber cube.

    Team 2’s active reconnaissance table seemed to be missing the McCumber cube column to describe how the attack tool or method fits within McCumber’s Cube. I was not sure how Telescopes and Binoculars could fit into the Kinetic layer. The team appeared to struggle with finding active reconnaissance for the extended OSI model table. However, there were a few layers that all of the groups seemed to have found a limited selection of tools. Team 2 gave a brief explanation of anonymity by using the example of an encrypted write blocking USB storage device containing a Virtual Machine image to boot on a system.

    In the OSI and TCP/IP alignment section Team 2 sided with those who thought the TCP/IP model should have five layers instead of four due to the importance of physical connections, thus aligning the five layer version to the OSI model.

    Within the SCADA protocol section, which aligned the SCADA protocols individually to the OSI model MODBUS, DNP3, and DeviceNet were aligned and their layers were explained .Team two also included the Profibus and RP570 SCADA protocols.

    The team did not encounter any problems in the lab, as stated in their issues section and then gave an overview of the lab again in the conclusion.

Leave a Reply