TECH 581 W Computer Network Operations: Laboratory 2, Team 4

Abstract

Laboratory two will require the student team to identify and tabulate active reconnaissance tools   and tools that could give an individual anonymity on a network based on where they lie in OSI model and McCumber’s Cube. The student team will install these tools into the virtual environment. The team will align the TCP/IP model to the OSI model and determine if the model should contain four or five layers. The team will align layers from MODBUS, DNP3 and DeviceNet, as well as two other SCADA protocols to the OSI and TCP/IP models. The student team will also explain the functionality of each of the applicable layers within these SCADA standards.

When this lab exercise has been completed, the student team will have developed a table of active reconnaissance tools and tools that could give one anonymity on a network and installed these tools into the virtual environment .The student team  will have taken a stance on whether the TCP/IP model should contain a fifth layer. The team will have also researched the different layers of different SCADA protocols to understand their functionality and alignment to the OSI and TCP/IP models.

Literature Review

About Penetration Testing

This article describes what a penetration test is and compares what the testers are usually given in a test and what the actual attackers would have. The article gives two examples. The first example deals with a friend asking another friend, who is a police officer that deals with car thefts, if she could break into his brand-new car to report what security flaws are in the car. The other is an examination of an electronic voting application. In the scenario with the policewoman the question of what should the penetration tester be provided with. The article argues that the penetration tester would be better off given as much information as possible for the test so that she doesn’t have to fight with the small details and waist time and cause possible damage to get the proper results. The reasoning behind this is that we would not know exactly what tools and knowledge the attacker would have at his arsenal. An example was given in trying to break into the car. If the tester wasn’t given the keys then she would have had to pick the locks, were the attacker would probably not have even bothered and broke the window or pied the door open. Also a question of what information is safe to give the testers. Can the testers be trusted not to directly or indirectly cause damage with the knowledge given to them to perform the test? Also the article describes different reasons why different attackers would steal information and what resources each of the attackers would have available to them. Later in the article the example of the electronic voting application was used to give an example of how to determine what the goals of the penetration tests should be. Also in this example the writer explains that the goals overlap and the specific goal depends on what the study aims to show. With the example of the electronic voting the writer identifies the different type of attackers that would have access to the voting application. All most all of the supporting data that the writer used is other writings that he had done in the past, and because of this the article shows a lack of supporting research. This article gives us an idea of what should be provided to us for the penetration testing that we are to do on various computers. It also makes us look into the different type of attackers, whether it is someone trying to gain from the attack, someone looking for revenge, or someone just doing the attack as a prank or just for spite.

Security Plan for Red Team Testing

This article was a “to do” list of setting up a read teaming environment. This article did not have a research question because it was a how to article and not a research article. The article details out how a red teaming lab for the testing of an electronic voting application should be set up. The lab’s equipment was divided up into three categories. First category was the red tagged equipment. The red equipment was equipment that had no outside contact and held all the data, source code, and tools to perform the test. The red equipment was to be kept completely separated from the rest of the equipment at all times. The second was the green equipment this equipment was allowed external contact to gather further resources as the team needs them from the internet or other places. The last was the blue tagged equipment. The blue equipment was equipment that was used to transfer information from place to place. This included equipment like removable drives or memory disks. Because this was a “How to” article there was not much research involved in this article. This article develops a red team environment that would be good to incorporate into our lab. This article shows how keeping the actual testing environment isolated would keep the important data from leaking out and keep others from getting into the system during the tests. This method shows a good way to control the test environment.

Automated Red Teaming: A Proposed Framework for Military Application

This article describes the concept of an Automated Red Teaming (ART) simulator that was developed by the writers of this article. The question that the article is trying to answer is can an automated red teaming simulator help improve the Blue Ops of the military by showing vulnerabilities or weaknesses in the red teams methods? The ART simulator uses Evolutionary Algorithms (EA) and parallel computing to produce an automated red teaming simulator that is able to uncover system vulnerabilities and exploits in military operations. The article first explains the goal and objective of this project. The objective of this project is to use the red teaming results to strengthen the militaries Blue Ops. Then the article breaks down the framework of the simulators architecture and describes each part of the simulator. Then the article explains the type of EA they used and why. The EA they used was called Strength Pareto Evolutionary Algorithm Version 2 (SPEA2). The SPEA2 was chosen because of its simple to implement algorithm and also its performance in finding the Pareto front. Then writers tested the ART simulator using an urban ops simulation. In the end they tweaked the way the Blue Ops team and the civilians operated to increase the probability that the objective of the Blue Ops team’s objectives would be achieved with greater results using the vulnerabilities of the red team as a guide. This article could be used in our lab environment to show how an automated simulation could be set up that would use the red teaming concept to expose vulnerabilities and weaknesses in a network or computer and then use the results to determine what would be the best plan to reduce those vulnerabilities or weaknesses.

Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs

This paper was a proposal for a way to incorporate security into software at the design level so that any vulnerability will be handled before the product is released into the public. This means of capturing vulnerabilities early prevents time and money from being wasted later in creating patches. The writers also note that even if the patches are made the users or owners of the software will not incorporate the patches into the software to get rid of the vulnerability. The writers goes about creating a method to isolate the vulnerabilities by gathering a list of attack patterns from three papers written by (G. Houglund and G. McGraw, 2004), (C. Lander, et al. 1994), and (I. Krsul, 1998) and comparing them to system designs. They called this method of isolating vulnerabilities security analysis for existing threats (SAFE – T). The writers then came up with a means of identifying and relaying each attack pattern quick and easily using symbols. After that they selected 414 vulnerabilities from various vulnerability databases and chose 244 vulnerabilities and developed 53 attack patterns from these vulnerabilities. In this selection of vulnerabilities, I believe that the writers greatly reduced their scope on this study of vulnerabilities. After creating the attack patterns they compared them to the taxonomies of the three people mentioned earlier. This showed that some of the classifications among the different taxonomies refer to the same vulnerabilities. Last they did two case studies using several undergraduate students to determine how easy it is to match the attack patterns to the vulnerabilities. They found out that about 90% of the vulnerabilities were matched properly, about 4% were false negatives, and 6% were false positives. This paper could be very beneficial in showing how important it is to incorporate security in every step of the development process from conceptual work to post release of the product. In this lab we could use these attack patterns to help identify ways of pinpointing vulnerabilities in systems and gives us a better way of securing those vulnerabilities.

Fast model-based penetration testing

In the article Fast model-based penetration testing, an approach was proposed to obtain statistically valid estimates of security metrics by performing repeated penetration testing of detailed system models (Singh, Lyons & Nicol 2004, p.309). The model created, which was labeled Model-Based Penetration Testing (MBPT),  took detailed information of the host congregations, attacks, vulnerabilities, critical assets, and connectivity to build complex models of the system that allowed for automatic generation of repeated, independent attack paths (Singh et al, 2004, p.309). The authors also provided a precise mathematical formula to explain how to use importance sampling techniques to estimate security metrics, such as the total number of attack paths that lead to the compromise of a particular asset. (Singh et al, 2004, p.316). The implicit research question appeared to be how could One overcome the limitations on the detail that could be supported by current security analysis models. The methodology of the paper consisted of constructing formal state/transition models of the networked system. Importance sampling techniques were used to reduce the variance of our estimates by biasing transitions according to some heuristic and then taking the bias into account when building the estimate (Singh et al, 2004, p.311). The security metric to be estimated was the total number of attack paths in the model that end up negatively affecting a given asset (Singh et al, 2004, p.311).

Grammar-based white box fuzzing

In the paper, Grammar-based white box fuzzing, the authors pointed out that the current effectiveness of white box fuzzing is limited when testing applications with highly-structured inputs (Godefroid et al., 2008, p.206). White box fuzzing is a form of automatic dynamic test generation, based on symbolic execution and constraint solving, designed for the security testing of large applications (Godefroid et al., 2008, p.206).    The authors developed a dynamic test generation algorithm where symbolic execution directly generated grammar-based constraints whose satis?ability was checked using a custom grammar-based constraint solver (Godefroid et al., 2008, p.206). Due to its ability to restrict the search space to valid inputs, grammar-based white box fuzzing can implement deeper paths, and focus the search on the harder-to-test, deeper processing stages (Godefroid et al., 2008, p.207). How to enhance white box fuzzing of complex structured-input applications with a grammar based specification of their valid inputs? The methodology that was used in the paper was an experimental design, which involved the use of a JavaScript interpreter embedded in an Internet Explorer 7 Web-browser (Godefroid et al., 2008, p.211). The experiment required the use of 50 seed inputs with 15 to 20 tokens generated randomly from the grammar, which avoided bias when using test generation strategies that require seed inputs (Godefroid et al., 2008, p.211).Within the experiment, Grammar-based white box fuzzing was compared to black box, grammar-based black box, white box, and white box+tokens (Godefroid et al., 2008, p.211). All of the experiments were also conducted within the same test harness (Godefroid et al., 2008, p.211). This paper related to the lab in that it described a possible way to find vulnerabilities in applications, which would affect the application layer of the OSI model.

Attack net penetration testing

In the paper,  Attack net penetration testing , the author  described a new process model  for penetration  testing  that used  the Petri net as its paradigm, for   this approach provided increased  structure  to flaw generation  activities, without restricting  the free range of inquiry(McDermott,n.d.,p.15).  A large part of penetration testing is perceived to be more of an art rather than a science. The effectiveness of penetration testing depends on the skill and experience of the testers (McDermott, n.d., p.15).  Penetration testing also requires a special kind of insight that cannot be systematized (McDermott, n.d., p.15).  Penetration testing usually follows the flaw hypothesis or attack tree approach (McDermott, n.d., p.15).  The attack tree approach was intended  for penetration  testing where  there  was less background information  about  the system to be  tested(McDermott,n.d.,p.16). An attack net is a Petri net with a set of places representing states or modes of the security relevant entities of the system of interest (McDermott, n.d., p.16). The attack net also has a set of transitions that represent input events, commands, or data that cause one or more security relevant entities to change state McDermott, n.d., p.16).  Attack nets are not intended to model the actual behavior of a system or component during an attack, but are used as a notation for discovering and discussing scenarios under development (McDermott, n.d., p.19). Attack nets provide a graphical way of showing how a collection of flaws may be combined to achieve a significant system penetration (McDermott, n.d., p.21). The author applied an attack net to a case study about a Mitnick attack. A noticeable error in the paper was that the abstract was too short to give a sufficient overview of the paper. This paper related to the lab exercise in that it gives penetration testers a graphical solution to accomplish an attack.

Three different shades of ethical hacking: black, white and gray

In the paper, Three different shades of ethical hacking: black, white and gray  , gave a brief history if hacking, described the necessity for ethical hacking, explained the role of penetration testing within the realm of network security,  and went on to describe the philosophies and methods used by the different types of  attack models. In the black box model, the penetration test is only revealed to a very few members of the network security team in order to ascertain their response to the attack (Hafele, 2004, p.6). In the White box approach, the White Box ethical hacking team will have much more information revealed to them prior to the penetration test, so there will be fewer unknowns or variables (Hafele, 2004, p.12). The Gray Box approach is a hybrid attack model, which incorporates elements of both the Black Box and the White Box methods (Hafele, 2004, p.17). The statement “There is no individual, group or organization, which is insulated from possible attacks, and each may offer something of intrinsic value to a determined criminal hacker” seemed ridiculous because presuming that every individual, group, or organization is connected to the Internet, it is possible for a individual, group, or organization to have computers that are intentionally left isolated from the network to keep the data protected from the outside (Hafele, 2004, p.3). This paper related to the lab exercise in that active reconnaissance tools would be used in a black box method since they reveal information about the systems without the owner’s explanation of what is on the network.

Methodology

With this lab we are looking at different ways that information can be recovered in an active manner. We also will be taking a closer look at the different protocols that are associated with the OSI 7 layer model. We will take an even greater look into different types of SCADA protocols. We started the lab off by reading a group of articles and performing a literature review. In the literature review we discuss the theme and methodology of each of the articles. Then we describe how each of the articles related to the current lab. Next all the active reconnaissance tools will be extracted from the table in the first lab as well as extras found by further research. These tools will then be categorized into the OSI 7 layer model and also McCumber’s cube. In the last part of the lab different protocols will be analyzed and aligned in comparison to the OSI 7 layer model. The first to be analyzed and aligned will be the TCP/IP model and then the MODBUS, DNP3 and DeviceNet SCADA protocols as well as two to other SCADA protocols. For each of the protocols that we align to the OSI 7 layer model we will define each protocol and its layers.

Part 1

Part one of the lab is the gathering of several active reconnaissance tools and tools that provide anonymity. These tools were then categorized into an extended 9 layer OSI model as well as McCumber’s cube. The following table shows the results.

OSI 9 Layer Model Exploit Table

Part 2a

For this part of the lab, the team addressed the question: Why the Physical Layer Should Be Separate in the TCP/IP Model?

The purpose of the physical layer of the OSI model is to transfer the raw signals along some type of medium to the destination. This raw signal can be in the form of electrical pulses, light waves, or radio waves (Joesph & Thomas, 2003, p.1). The physical layer also describes related details such as connectors, channel codes and modulation, signal strengths, wavelength, low-level synchronization and timing and maximum distances (Joesph & Thomas, 2003, p.1).

The purpose of the data link layer is to convert the packet of data sent from the upper layers into raw bits to be passed onto the physical layer for transmission.

The team concluded that the physical layer and the data link layer should be separated in the TCP/IP model. In the data link layer there is still the manipulation of packets going on, be it encryption, adding on data link layer headers, or other information for the destination data link layer. The physical layer only is responsible for the transmission of the data from one computer to another and there is no new information added onto that packet. Taking all that into consideration a manipulation of the packet could still happen at the data link layer causing the packet to be altered or the information inside to be revealed.

After it was determined how many layers the TCP/IP model should have included, the TCP/IP model was aligned to the OSI model. Besides aligning the TCP/IP table to the OSI model, the MODBUS, DNP3 and DeviceNet, as well as the EtherNet/IP and Profibus SCADA protocols were also aligned. The table below depicts this alignment.

Part 2b

The following section describes the different layers of the SCADA protocols that were depicted in the table:

MODBUS

Application Layer

MODBUS is an application layer messaging protocol, positioned at level 7, the application layer of the OSI model, which provides client/server communication between devices connected on different types of buses or networks (Modbus, 2006, p.2). MODBUS defines the rules for organizing and interpreting the data independent of the data transmission medium (Acromag, 2005, p.4).

Transport Layer

The MODBUS TCP protocol embeds a Modbus frame into a TCP frame (   INTELLICOM, p.1). The Modbus commands and user data are themselves encapsulated into the data container of a TCP/IP telegram without being modified in any way (Acromag, 2005, p.4).The Modbus error checking field (checksum) is not used, as the standard Ethernet TCP/IP link layer checksum methods are instead used to ensure data integrity. Further, the Modbus frame address field is replaced by the unit identifier in Modbus TCP/IP, and becomes part of the Modbus Application Protocol (MBAP) header (Acromag, 2005, p.4). A Modbus TCP/IP Application Data Unit is embedded into the data field of a standard TCP frame and sent via TCP to system port 502, which is specifically reserved for Modbus applications. ModbusTCP/IP clients and servers listen and receive Modbus data via port 502(Acromag, 2005, p.5).

Network Layer

All devices and infrastructure components with added diagnostic capabilities (managed switches and routers) on an industrial Ethernet-based system must be assigned an IP address (ODVA, 2006, p.4).

Data Link and Physical Layer

Ethernet 802.2/802.3

MODBUS devices use typical Ethernet standards to interface with the network.

DNP3

Application Layer

The application layer of the DNP3 protocol uses a human machine interface (HMI), remote terminal unit (RTU), or other system to pass services from the application layer to the program (Clarke, Reynders, n.d. p. 79). The application layer divides the data into packets that are 2 to 3 bytes in length. These packets consist of the data called the application protocol data units (ASDU) and a header. This packet with the header is an application protocol data unit (APDU). These packets are then sent down to a pseudo – transport layer.

Pseudo – Transport Layer

The next layer is a pseudo transport layer of the OSI model (Clarke, Reynders, n.d. p. 80). This layer takes the packet coming down from the application layer and splits it up into smaller packets called transport service data units (TSDU). These TSDUs have a one byte header followed by a data packet that is no larger than 249 bytes of data. The TSDU is then passed on to the data link layer.

Data Link Layer

The data link layer takes the TPDU from the transport layer and adds header information like redundancy code and error checking code (Clarke, Reynders, n.d. p. 80). The header is up to 292 bytes in length. The TPDU with the data link layer header is now known as a FT3 frame. This frame is then sent down to the physical layer to be sent across the network to the destination.

Physical Layer

The physical layer takes the FT3 frame from the data link layer and streams the bits onto a physical media. The physical media uses 8-bit data, one start bit, one stop bit, no parity, and the RS-232C voltage standards and controls.

DeviceNet

Application Layer

CIP App Object Library

CIP includes a widespread object library to support general-purpose network communications, network services such as file transfer, and typical automation functions such as analog and digital input/output devices, HMI, motion control, and position feedback (ODVA, 2009, p.1).

CIP data management I/O messages

I/O messages are considered to be implicit and typically contain time-critical control data (ODVA, 2006, p.2). The data field contains no protocol information, only real-time I/O data (ODVA, 2006, p.5).  Since the meaning of the data is pre-defined at the time the connection is established, processing time is minimized during runtime (ODVA, 2006, p.5).

CIP message Routing Managing Connections

Seamless bridging and routing between both homogeneous and heterogeneous CIP Networks is enabled by a set of objects that defines routing mechanisms for a device to use when forwarding the contents of a message produced on one network port to another(ODVA, 2006, p.7).This mechanism does not modify the contents of a message during the routing process(ODVA, 2006, p.7). When using this mechanism, the user’s only responsibility is to express the path that a given message must follow, because CIP ensures that the message is handled correctly, independent of the CIP Networks involved (ODVA, 2006, p.7).

Transport and Network Layers

The transport layer and the network layer of the OSI model are combined into one layer in the DeviceNet protocol(ODVA, 2004, p. 4-5). In this paper I will refer to the combination of the transport layer and the network layer as just the transport layer. The transport layer uses either an unconnected message manager (UCMM) or a group 2 unconnected port. Once one of these connections are established data can be sent over the connection or other I/O connections can be established which data will be sent over those connections. An 11-bit CAN identifier is used to define the connection ID. Connection IDs are kept unique. Two fields in the connection ID combine to define the connection ID. One field is a MAC address and the other is a message ID. DeviceNet uses client server architecture. Devices on the network can be either clients, servers, or both. Nodes in a DeviceNet system manage their own identifiers. Uniqueness of ID is managed through a duplicate MAC ID algorithm. A CAN identifier field detects nodes with duplicate addresses. Because of the CAN identifier nodes can be added and removed at any time without having to change a centralized map of the system.

Data Link Layer

As with the physical layer, the data link layer is also defined in the CAN specifications(ODVA, 2004, p. 3-4). DeviceNet uses a high pulse to represent a logical 0 and a low pulse for a logical 1. DeviceNet uses data frames that contain a one bit start frame, 11 bit arbitration field, 6 bit control field, 0-8 bytes of data, 15 bit CRC sequence field, 1 bit CRC delimiter, 1 bit ACK delimiter, and 7 bit end of frame field. CAN is a carrier sense network. Collisions are handled by a non-destructive, bit-wise arbitration mechanism with no loss of data or bandwidth. Timing on the network is handled by the start of frame bit. There is a bit called the remote transmission request (RTR) that is used in other protocols using the CAN specifications that is not used in the DeviceNet protocol. The arbitration field is used to detect if simultaneous transmissions are occurring on the bus. Another field that is not used by DeviceNet is a 29-bit identifier field. The length field has two fixed bits and 0-4 bits that represent the number of bytes in the data field. The CRC sequence and delimiter are fields that do cyclic redundancy checks on the data being went. The ACK delimiter is used to transmit that more than one receiver heard the transmission if it is high.

Physical Layer

The physical layer of the DeviceNet protocol is defined in the CAN specifications(ODVA, 2004, p. 1-3). The physical layer uses a trunk-line/drop-line topology that uses separate twisted pair busses for both signal and power distribution. Thick or thin cable can be used. It uses both isolated and non-isolated physical layer design of devices. DeviceNet has additional information concerning component requirements, protection from miss-wiring, and examples. DeviceNet uses either screw or clamp connectors that can be large or small. The nodes in the DeviceNet protocol can be removed or inserted from the network without powering-down. DeviceNet also allows the use of power taps making redundant power supplies possible. The trunk line current rating is 8 amps.

EtherNet/IP

Application Layer

CIP  App Object Library

CIP includes an widespread object library to support general-purpose network communications, network services such as file transfer, and typical automation functions such as analog and digital input/output devices, HMI, motion control, and position feedback (ODVA, 2009, p.1).

CIP data management I/O messages

I/O messages are considered to be implicit and typically contain time-critical control data (ODVA, 2006, p.2). The data field contains no protocol information, only real-time I/O data (ODVA, 2006, p.5).  Since the meaning of the data is pre-defined at the time the connection is established, processing time is minimized during runtime (ODVA, 2006, p.5).

CIP message Routing Managing Connections

Seamless bridging and routing between both homogeneous and heterogeneous CIP Networks is enabled by a set of objects that defines routing mechanisms for a device to use when forwarding the contents of a message produced on one network port to another (ODVA, 2006, p.7).This mechanism does not modify the contents of a message during the routing process(ODVA, 2006, p.7). When using this mechanism, the user’s only responsibility is to express the path that a given message must follow, because CIP ensures that the message is handled correctly, independent of the CIP Networks involved (ODVA, 2006, p.7).

Transport Layer

EtherNet/IP uses TCP/IP to encapsulate CIP explicit messages, which are generally used to transmit configuration, diagnostic and event data (ODVA, 2006, p.4).For real-time messaging, EtherNet/IP also employs UDP over IP, which allows messages to be multicast to a group of destination addresses(ODVA, 2006, p.4). This is how CIP I/O data transfers (implicit messaging) are sent on EtherNet/IP (ODVA, 2006, p.4).  The CIP Connection mechanism provides timeout mechanisms that can detect data delivery problems, a capacity that is essential for reliable control system performance (ODVA, 2006, p.5).

Network Layer

All devices and infrastructure components with added diagnostic capabilities (managed switches and routers) on an industrial Ethernet-based system must be assigned an IP address (ODVA, 2006, p.4).

Data Link Layer

CSMA/CD (Carrier Sense Multiple Access/Collision Detection) is a set of rules for determining how network devices respond when two devices attempt to use a data channel simultaneously and how devices share a bus(ODVA, 2006, pp.2-3).

Physical Layer

The Ethernet standard provides a specification for physical media, defines a simple frame format for moving packets of data between devices and supplies CSMA/CD (ODVA, 2006, p.2).

PROFIBUS DP

Application Layer

PROFIBUS has a version called the decentralized peripheral (DP) PROFIBUS. PROFIBUS DP protocol uses one of the following three protocols: DP-V0, DP-V1, or DP-V2(Fieldbus Center, 2003). Each protocol is an enhancement of the previous one. Thus the DP-V0 protocol is the first version and is a bases from which the others are derived from. The DP-V0 protocol is responsible for the basic functionality of DP which includes things like cyclic data exchange, station, module and channel-specific diagnostics and four different interrupt types for diagnostics and process interrupts. Using a cyclic exchange a master receives requests from slaves and cyclically writes output information back to the slaves. Each module attaches diagnostic messages to each exchange that is read by the master module. This allows for fast location of faults. This protocol allows for multiple master modules. There are three types of devices in this protocol: class 1 master, class 2 master, and slaves. Class 1 masters are controllers that read and respond to the slave’s requests. Class 2 masters are the engineering and configuration stations. The DP-V1 incorporated enhancements that enhanced process automation. The protocol used acyclic data communication along with cyclic data communication for control messages. The acyclic data communication is used in parallel with the cyclic data communication. Last DP-V2 enhances the demands of drive technology and safety. DP-V2 introduces slave to slave communication through the use of a broadcast and subscription method. The masters also produce the timing for all the slaves on the network.

Data Link Layer

The Field Bus Data Link Layer (FDL) work with a hybrid bus access protocol (Chipkin Automation, 2007, p.1).  It combines token passing with a master slave method. The token passing procedure guarantees that the bus access gets assigned to a specific master node for a defined time frame (Chipkin Automation, 2007, p.1). In the time frame the master node can access the bus and request data from any master or slave device (Chipkin Automation, 2007, p.1). After the time frame expires the current master node will pass the token to the next master node on the bus. (Chipkin Automation, 2007, p.1). This layer also includes the handling of data security and the transmission protocol of telegrams (Chipkin Automation, 2007, p.1).

Physical Layer

The physical layer can be in accordance to either the DP/FMS (RS 485) or DP/FMS (Fiber Optic Cable) (Weigmann, Kilian, n.d. p.16 – 21). Specifications for the RS 485 are as follows. The RS 485 model uses symmetrical data transmission under the EIA RS 485 standards. The bus is a shielded twisted pair, terminated at both ends. The transmission rate is 9.6 kbit/s to 12 Mbit/s. The RS 485 model uses semi-duplex, asynchronous, gap-free synchronization. An 11-bit frame is used to do data transmission using NRZ code. A logical 1 is a positive level on the line while a logical 0 is a negative on the line. There are two configurations to the fiber optic use in the DP/FMS specifications. The first is a bus configuration using optical link modules (OLM). This configuration has the master connected to one of the OLMs using a RS 485 connection and from there a fiber line connects each other OLM in a serial fashion. Each of the slave modules connect to the OLMs using a RS 485 connection with termination plugs in them. The second configuration has the master connected to one of the OLM using a RS 485 connection. Then from that OLM the slaves are connected to it in a ring fashion.

Issues

The team did not encounter any major issues when going through this lab.

Results

In the first part of the lab the team constructed a table that depicted a list of active reconnaissance tool and tools that provided anonymity. When the table was completed it was observed that there was a lack in tools for the session layer, data link layer, physical layer, and the kinetic layer of the OSI model. The team concluded that the reason for the lack in tools for the session layer was due to the nature of the session layer. The session layer is responsible for managing connections with other computers. Most of the tools that lie in the session layer of the OSI model tend to be either DoS attacks or sniffing tools. As far as the data link layer and the physical layers the team discovered that there are very few tools that did anything else than either passively listened on the line or caused some type of interruption. Last the team found that there aren’t very many active reconnaissance tools in the kinetic layer. The reason for a lack in kinetic layer tools is because there are very few things that can be done to cause a reaction that will produce information about that object.

The second part of the lab was divided up into two sections. In the first section the lab concentrates on the TCP/IP model. In the lab the team gathered from some research that a 5 layer TCP/IP model is more suited than a 4 layer TCP/IP model. The reasoning behind splitting the data link layer and the physical layer is that the data link layer still has the ability to manipulate the packet as it passes through the layer while the physical layer is only concerned with the transmission of the raw bits.

In the second section of the second part of the lab the team aligned SCADA protocols to the OSI 7 layer model and described each layer of each of the protocols. In doing this we discovered that a lot of the SCADA protocols use similar protocols just with different variations in some of the layers.

Conclusion

Now that this lab this lab exercise has been completed, the student team has developed a table of active reconnaissance tools and tools that could give one anonymity on a network. When it came to active reconnaissance tools, it seemed that the Application, Presentation and Network layers were most prone to this type of reconnaissance. The team also researched the different layers of different SCADA protocols to understand their functionality and alignment to the OSI and TCP/IP models.

References

Acromag(2005). Introduction to modbus tcp/ip. Retrieved June 17 ,2009 from,

http://www.acromag.com/pdf/intro_modbusTCP_765a.pdf

Bishop, M. (2007).About penetration testing.IEEE.

Bishop, M. (2007).Security Plan for Red Team Testing.

Chipkin Automation, (2007). PROFIBUS THE Field Bus Communication Standard. Retrieved

June 17 ,2009 from, http://www.chipkin.com/articles/profibus-the-field-bus-communication-standard

Choo,S.,Chua,C.& Tay, V.(2007). Automated Red Teaming: A Proposed Framework

for Military Application.ACM.

Davies, Joesph and Lee, Thomas. (2003). Microsoft® Windows® Server 2003 TCP/IP Protocols and Services Technical Reference. Micosoft Press, Redmond Washington, USA

Fieldbus Center(2003). Profibus. Retrieved June 17 ,2009 from,

http://www.knowthebus.org/fieldbus/profibus.asp

Gegick,M.&Williams, L.(2005). Matching attack patterns to security vulnerabilities in software-intensive system designs.ACM.

Godefroid, P., Kiezun, A.& Levin, M .(2008). Grammar-based whitebox fuzzing. ACM.

Hafele, D. (2004). Three different shades of ethical hacking: black, white and gray.  SANS

Institute.

Intellicom.(n.d.)Modbus TCP – An introduction. Retrieved June 17 ,2009 from,

http://www.intellicom.se/ModbusTCP_overview.shtml

IPCOMM(2008).DNP 3.0. Retrieved June 18 ,2009 from,

http://www.ipcomm.de/protocol/DNP3/en/sheet.html)

Gordon R. Clarke,G. ,Reynders, D. &  Wright, E. .(n.d.). Practical modern scada protocols. Retrieved June 19 ,2009 from,

(http://books.google.com/books?id=l99Gj7hcCkkC&pg=PA335&lpg=PA335&dq=dnp3+osi&source=bl&ots=A1RLimVhcB&sig=jbhmK7kFR37B7arXPNbEcLJeqe4&hl=en&ei=q6Q6SqKxF4nUNKvOyK4F&sa=X&oi=book_result&ct=result&resnum=9)

McDermott, J.(n.d.). Attack net penetration testing.

Modbus(2006). Modbus application protocol specificationv1.1b . Retrieved June 16 ,2009 from,

http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf

ODVA.(2006).DeviceNet Technical Overview. Retrieved June 16 ,2009 from, http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00026R1.pdf

ODVA.(2006). Ethernet/ip^TM – cip on ethernet technology. Retrieved June 16 ,2009 from,

http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00138R2_CIP_Adv_Tech_Series_EtherNetIP.pdf

ODVA.(2009). CIP technology overview. Retrieved June 17 ,2009 from,

http://www.odva.org/Home/ODVATECHNOLOGIES/CIP/CIPTechnologyOverview/tabid/68/Default.aspx

Rockwell Automation.(2008). Fundamentals of EtherNet/IP. Retrieved June 18 ,2009 from,

http://domino.automation.rockwell.com/applications/gs/emea/GSDK.nsf/files/au_dk_09_material/$file/BT3PPT.pdf

Singh, S. Lyons, J. & Nicol, D. (2004). Fast model-based penetration testing.

Weigmann,J.& Kilian,G.(n.d.). Decentralization with profibus dp/dpv1. Retrieved June 18 ,2009 from, http://books.google.com/books?id=8xYtXmxVuikC&pg=PA13&lpg=PA13&dq=profibus OSI&source=bl&ots=OAVcEPUU7m&sig=aWxOUARPm8hoh-nLLfZiEK5zAuc&hl=en&ei=d-M7SoLsIJDWMMK8rcMO&sa=X&oi=book_result&ct=result&resnum=4)