SIXNETtools - Tool for exploiting Sixnet RTUs.


Legal Disclaimer:
This tool is for research and learning purposes only!

The goal of SIXNETtools was to demonstrate the critical lack of security inherent in certain applications on a SCADA network. This goal was soundly reached and the result is an easy-to-use tool that can gain root-level permissions on a SIXNET PLC or RTU. With the exception of the Blinkenlights option, this tool set was designed to be very general and accommodate just about every device running the Sixnet software suite.

Abstract
Supervisory Control and Data Acquisition (SCADA) networks and devices are the computational brains behind the nation’s infrastructure. They monitor and control industrial machinery in power plants, oil and gas lines, assembly lines, and so on. The programmable logic controllers and remote terminal units sitting on these SCADA networks are critically lacking in some of the most basic security processes and controls. This paper and the corresponding project are meant to highlight such a weakness at the application level of Sixnet SCADA devices. The tool detailed in this project is written in Python and allows an attacker to gain root-level access to these Sixnet devices with very little effort.

The Project
There are three aspects to a basic SCADA network. The network itself is the medium through which the endpoints communicate with each other. These networks are very similar to corporate local area or wide area networks and may consist of various routing and switching components. Ideally a SCADA network is a completely isolated subnet of a greater corporate network and out of reach of the internet. Another aspect of a SCADA network is the human-machine interface (HMI). This is the vendor-specific monitoring and control software that presents easily readable data from the endpoints of the network to the engineer in charge. For this particular project the HMI used is Sixnet’s I/O toolkit, available free from their website. The final aspect is the endpoints of the network. These are the Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) that interface directly with the industrial machinery.


This final aspect is the focus of this paper. There is a very serious lack of system and application security in Sixnet’s PLC and RTU families, and this project sets out to show why. The device used for this project was Sixnet’s VersaTRAK Mini iPm Open RTU/Controller 2 Series. It was running the latest firmware version, 4.3.144, and Linux 2.4 as the base operating system. It had 12 discrete inputs, 4 discrete outputs, 8 analog inputs, 2 analog outputs, an RS232 port, an RS485 port, and two Ethernet ports. For the experiments the device was connected to a small lab network consisting of a switch, a lab computer acting as an Engineer’s computer, a router for DHCP, and a laptop acting as an attacker. All three endpoints were connected to the switch and resided on the same subnet.

Sixnet Tools was created by reverse engineering the Sixnet Universal Protocol. This protocol is a proprietary communication standard supported by most, if not all, of Sixnet’s PLCs and RTUs, including VersaTRAK RTUs, SIXTRAK, RemoteTRAK and EtherTRAK, IOMUX, VERSAMUX RTUs [1]. Depending on the device it can be used over Ethernet, serial, or Modbus communication. The protocol has built-in commands for data acquisition related tasks such as reading and setting I/O and was created as a way to make managing a distributed Sixnet SCADA network easier.

Reversing
The reversing process entailed generating traffic from the HMI to simulate a live environment and snooping the traffic going across the network using Wireshark. Common tasks like verifying the I/O and configuring network protocols were kicked off using the HMI while monitoring the traffic. Certain patterns arose from this. For instance, all of the traffic between the two points was sent over UDP. Also, even though the port was not detected as open by an Nmap scan, all traffic was sent on port 1594. After dissecting and analyzing innumerable packets, a specialized driver for the Sixnet Universal Protocol was created. The fields of the protocol are described below as seen for a basic Set Discrete command. A couple of notes on the fields: all alphanumeric characters are encoded in ASCII hex values, and the destination, source, session, sequence, and CRC fields are left as seen below for every packet sent by Sixnet Tools regardless of command.
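The two traffic patterns noted above (UDP only, port 1594) give a defender a narrow signal to monitor: any host other than the engineering workstation sending to that port on a field device. The following is an added example, not part of SIXNETtools or the original write-up; the flow-record format, IP addresses, allowlist, and function name are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

SIXNET_UDP_PORT = 1594  # port the write-up observed for Universal Protocol traffic

# Assumption: hosts permitted to run the HMI (engineering workstations).
ALLOWED_HMI = {ip_address("192.0.2.10")}
# Assumption: address range that holds the RTUs/PLCs.
RTU_NET = ip_network("192.0.2.128/25")

# Constructed flow records: time,proto,src,sport,dst,dport,bytes
SAMPLE_FLOWS = """\
2024-01-01T10:00:00,udp,192.0.2.10,50112,192.0.2.130,1594,64
2024-01-01T10:00:05,udp,192.0.2.130,1594,192.0.2.10,50112,48
2024-01-01T10:02:11,udp,192.0.2.77,40001,192.0.2.130,1594,64
2024-01-01T10:02:12,udp,192.0.2.77,40002,192.0.2.131,1594,64
2024-01-01T10:03:00,tcp,192.0.2.77,40003,192.0.2.130,1594,60
2024-01-01T10:04:00,udp,192.0.2.10,50113,192.0.2.131,161,80
garbage line
"""

def find_unauthorized(flow_text):
    """Return {src_ip: sorted RTU addresses} for non-allowlisted UDP/1594 senders."""
    hits = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 7:
            continue  # skip malformed records
        _, proto, src, _, dst, dport, _ = row
        try:
            src_ip, dst_ip, port = ip_address(src), ip_address(dst), int(dport)
        except ValueError:
            continue  # unparsable address or port
        if proto.lower() != "udp" or port != SIXNET_UDP_PORT:
            continue  # not Universal Protocol traffic toward a listener
        if dst_ip not in RTU_NET:
            continue  # only traffic aimed at field devices is of interest
        if src_ip not in ALLOWED_HMI:
            hits[str(src_ip)].add(str(dst_ip))
    return {src: sorted(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, rtus in find_unauthorized(SAMPLE_FLOWS).items():
        print(f"ALERT {src} sent UDP/{SIXNET_UDP_PORT} traffic to {len(rtus)} device(s): {rtus}")
```

Because the write-up notes that an Nmap scan did not report the port as open, passive flow monitoring of this kind is a more reliable way to inventory and watch the service than periodic port scans.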

Dependencies:
+ Visual Studio
+ Python2 Environment Visual Studio

Use and Download:

Source: https://github.com/mssabr01