SolarDisruption Lab
Last updated
Q1) In the provided packet capture, several protocols are present, but one stands out for its popularity in Industrial Control Systems and Programmable Logic Controllers (PLCs). It is used to transmit data between devices like PLCs and sensors, allowing real-time monitoring and process control. What is the name of this protocol?
The protocol commonly used in Industrial Control Systems (ICS) and Programmable Logic Controllers (PLCs) for real-time monitoring and process control is Modbus. Specifically, the Modbus/TCP variant is popular in networked environments.
Answer: modbus
Q2) Some analysis tools offer a histogram view of the packet capture, which visualizes network activity over time and helps analysts identify patterns, trends, or anomalies such as traffic spikes. What is the duration of the traffic spike in the packet capture, rounded to the nearest second, and provide your answer in seconds?
Go to the Statistics menu and select I/O Graph.
Here is the highest spike.
Let’s determine the start and end times, then subtract them to calculate the duration.
Answer: 9
Q3) Traffic spikes are often linked to scanning activities by adversaries, which become evident when a single host IP generates a large number of requests within a short period. What is the IP address responsible for the traffic spike?
Select any point within the spike.
Answer: 192.168.228.203
Q4) After identifying the attacker's IP address, the next step is to determine which network hosts the attacker interacted with, a process known as host discovery. This involves analyzing the traffic to see how many devices or systems the attacker communicated with on the network. Based on the packet capture analysis, how many hosts did the attacker discover?
Let's begin by filtering using the attacker's IP address.
Next, select the "Statistics" tab, followed by "Conversations."
6 unique internal devices in the 192.168.228.x range + 1 broadcast/multicast device (192.168.228.254) + the attacker's own IP address (192.168.228.203, if it was involved) = 8 hosts discovered.
I also solved this using Zui.
Answer: 8
Q5) After completing host discovery, adversaries typically conduct a port scan to identify potential vulnerabilities and determine their attack surface. How many ports did the attacker scan on each of the discovered hosts?
I used Zui to get the solution, focusing only on the 8 hosts that the attacker interacted with and excluding the others.
Answer: 1000
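The three measurements behind Q2 through Q5 (spike duration from per-second bins, top talker inside the spike, hosts contacted and ports probed per host) can also be taken from a flat packet list instead of the Wireshark GUI. This is an added example, not code from the lab or the write-up; the packet records are constructed, and the attacker address is assumed to match the Q3 answer.

```python
"""Scan-burst triage over (timestamp, src_ip, dst_ip, dst_port) records."""
from collections import Counter, defaultdict

# Constructed sample, not from the lab's pcap: one host bursts for 9 s against two
# internal devices, with a little background Modbus/TCP (port 502) traffic around it.
ATTACKER = "192.168.228.203"   # assumption: the address identified in Q3
PACKETS = [(0.5, "192.168.228.10", "192.168.228.138", 502),
           (1.2, "192.168.228.11", "192.168.228.138", 502)]
for sec in range(10, 19):                      # nine consecutive one-second bins
    for port in range(1, 11):                  # 10 probed ports, stand-in for a 1000-port scan
        PACKETS.append((sec + port / 100, ATTACKER, "192.168.228.138", port))
        PACKETS.append((sec + port / 100 + 0.005, ATTACKER, "192.168.228.140", port))
PACKETS.append((25.0, "192.168.228.10", "192.168.228.138", 502))


def packets_per_second(packets):
    """Same view as the I/O Graph with a 1 s interval: packet count per second bin."""
    return Counter(int(t) for t, *_ in packets)


def spike_duration(packets, threshold=5):
    """Length in seconds of the longest run of consecutive bins above threshold (Q2)."""
    hot = sorted(sec for sec, n in packets_per_second(packets).items() if n > threshold)
    best = run = 0
    for i, sec in enumerate(hot):
        run = run + 1 if i and sec == hot[i - 1] + 1 else 1
        best = max(best, run)
    return best


def top_talker_in(packets, start, end):
    """Source IP sending the most packets inside [start, end]: the scan origin (Q3)."""
    return Counter(s for t, s, *_ in packets if start <= t <= end).most_common(1)[0][0]


def hosts_discovered(packets, attacker):
    """Distinct destinations the attacker contacted, as the Conversations view lists (Q4)."""
    return {d for _, s, d, _ in packets if s == attacker}


def ports_per_host(packets, attacker):
    """Distinct destination ports the attacker probed on each host (Q5)."""
    seen = defaultdict(set)
    for _, s, d, p in packets:
        if s == attacker:
            seen[d].add(p)
    return {host: len(ports) for host, ports in seen.items()}
```

Feeding real records in is a matter of exporting the four columns from tshark or Zui; the bin threshold should be set from the capture's own baseline rather than the fixed value used here.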
Q6) Now that we have confirmed the attacker's IP and intentions, let's begin analyzing their actions. Which HTTP host did the attacker first interact with after completing their enumeration?
Answer: 192.168.228.138:8080
Q7) The first host the attacker interacted with is a PLC (Programmable Logic Controller) device. To understand the attack better, it's important to identify the specific PLC runtime being used on this host, as this could give insights into the attack methods and vulnerabilities. What is the name of the PLC runtime used by this host?
I filtered the traffic using the attacker's IP as the source and the victim's IP as the destination. During the analysis, I identified an endpoint named runtime_logs. Next, I will follow the TCP stream for further investigation.
Answer: OpenPLC
Q8) The attacker appears to have successfully logged into the PLC's configuration webserver. What credentials did they use to gain access?
Or using NetworkMiner.
Answer: openplc:openplc
Q9) According to the incident report, the credentials for the OpenPLC configuration webserver were changed by the attacker. Can you identify the new password that the attacker set?
Then I followed the HTTP stream.
Or using NetworkMiner.
Answer: d1srupt10n
Q10) The PLC's configuration webserver enables engineers to configure and monitor various parameters of the PLC device. This access can also allow an attacker to identify the I/O points or the registers/coils numbers and their mappings. How many I/O points were in use on the PLC?