This SANS ICS concept overview covers conducting a Man-in-the-Middle attack to modify Modbus data between an HMI and a PLC. This attack is performed using a specially crafted Ettercap filter to identify Modbus writes and drop the packets so that they are not delivered to the endpoint. The Ettercap filter will not block or modify Modbus read traffic allowing. This situation results in a normal view of the process but implements a loss of control.
Script by Don C. Weber (@cutaway), Certified SANS Instructor and Cutaway Security, LLC
Don C. Weber is the Principal Consultant and Founder at Cutaway Security, LLC, an information security consulting company based in Texas. Don's previous experiences include large-scale incident response efforts for organizations with international assets and interests, the certification and accreditation of classified federal and military systems, assessment and penetration testing of worldwide commercial assets, and, as a Navy contractor, the management of a team of distributed security professionals responsible for the security of mission-critical Navy assets. Don has achieved his master's degree in network security, the Certified Information Systems Security Professional (CISSP) certification, and many GIAC certifications. Don was a founding member of the GIAC Ethics Council of which he was the GIAC EC Chair in 2009. Don regularly contributes to a wide variety of open source projects involving information security and incident response. Learn more about Don at www.sans.org/profiles/don-c-w...
CISA Alerts:
Alert (TA15-120A) Securing End-to-End Communications - us-cert.cisa.gov/ncas/alerts/...
Alert (TA17-075A) HTTPS Interception Weakens TLS Security - us-cert.cisa.gov/ncas/alerts/...
ICS MitM Research:
Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark - www.sans.org/reading-room/whi...
Man-in-the-SCADA - www.blackhat.com/docs/asia-17...
Overview of Cyber Vulnerabilities - us-cert.cisa.gov/ics/content/...
0x5 Modbus Security - Modbus and IOT MiTM - • 0x5 Modbus Security - ...
Packet Modification Attack on PLC with ARP Spoofing (MITM Attack) - / packet-modification-at...
An Analytics Framework for Heuristic Inference Attacks against Industrial Control Systems - arxiv.org/pdf/2101.11866.pdf
Towards Understanding Man-In-The-Middle Attacks on IEC 60870-5-104 SCADA Networks - www.iqpc.com/media/1001897/45...
References:
Modbus Ettercap Filter - github.com/cutaway-security/c...
Modbus - en.wikipedia.org/wiki/Modbus
rodbus-client - github.com/stepfunc/rodbus
Ettercap - www.ettercap-project.org/
etterfilter - linux.die.net/man/8/etterfilter
etterfilter Examples - github.com/Ettercap/ettercap/...
SANS ICS Training:
ICS410: ICS/SCADA Security Essentials - www.sans.org/cyber-security-c...
ICS456: Essentials for NERC Critical Infrastructure Protection - www.sans.org/cyber-security-c...
ICS515: ICS Active Defense and Incident Response - www.sans.org/cyber-security-c...
ICS612: ICS Cybersecurity In-Depth - www.sans.org/cyber-security-c...