Pentesting ICS (DNP3)

What is DNP3?

https://gamayan.com/knowledge-base/dnp3/

DNP3 Simulators

C++: https://github.com/automatak/dnp3 (docs: https://www.automatak.com/opendnp3/docs/guide/current/build/cmake/)

Use --recursive when cloning:

git clone --recursive https://github.com/automatak/dnp3.git

Qt4: https://sourceforge.net/projects/dnp/

DNP3 Identification:

  1. Shodanhq dork: port:20000
  2. Using nmap with the script dnp3-info.nse: https://github.com/sjhilt/Nmap-NSEs/blob/master/dnp3-info.nse

     # Add script to nmap directory
     $ sudo mv dnp3-info.nse /usr/share/nmap/scripts/

     # Update nmap db
     $ sudo nmap --script-updatedb

     # Start scanner
     $ nmap 10.0.13.37 --script=dnp3-info

  3. Once you have identified the host, use DNP3_RAW, my C client for interacting with DNP3-enabled devices 🙂
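Both the dnp3-info script and any raw client depend on the same thing: recognising a well-formed DNP3 link-layer frame (start bytes 0x05 0x64, a length byte, control, destination and source addresses, a CRC over the header and a CRC after every 16-byte block of user data). The C below is an added example written for this page; it is not code from the original post, from DNP3_RAW or from the nmap script. It assumes standard DNP3 framing and the CRC-16/DNP polynomial (0x3D65, reflected as 0xA6BC, zero initial value, final complement); the frame it builds is constructed sample data, and the function names and error codes are this example's own. A defender can run the same check over bytes captured on TCP/20000 to confirm that traffic really is DNP3 rather than something else squatting on the port.

```c
/* DNP3 link-layer frame builder and validator (added example, not from the post).
 * Assumes standard DNP3 framing: 05 64 LEN CTRL DST(2) SRC(2) CRC(2), then
 * user data in 16-byte blocks, each followed by a 2-byte little-endian CRC. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNP3_HDR_LEN 10      /* header bytes including its CRC */
#define DNP3_BLOCK   16      /* user data is CRC'd in 16-byte blocks */
#define DNP3_MAX_USER 250    /* LEN byte max 255, minus ctrl+dst+src */

/* CRC-16/DNP: reflected poly 0xA6BC (0x3D65), init 0, complemented result.
 * Catalogue check value: "123456789" -> 0xEA82. */
uint16_t dnp3_crc(const uint8_t *buf, size_t len) {
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA6BC) : (uint16_t)(crc >> 1);
    }
    return (uint16_t)~crc;
}

struct dnp3_link {
    uint8_t  control;
    uint16_t dest, src;
    size_t   user_len;       /* bytes of user data (transport header + ASDU) */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns 0 for a well-formed frame, or a negative code for the first defect:
 * -1 truncated header, -2 bad start bytes, -3 LEN too small, -4 header CRC,
 * -5 total size does not match LEN, -6 a user-data block CRC failed. */
int dnp3_parse_link(const uint8_t *f, size_t n, struct dnp3_link *out) {
    if (n < DNP3_HDR_LEN) return -1;
    if (f[0] != 0x05 || f[1] != 0x64) return -2;
    if (f[2] < 5) return -3;
    if (dnp3_crc(f, 8) != le16(f + 8)) return -4;
    size_t user = (size_t)f[2] - 5;
    size_t blocks = (user + DNP3_BLOCK - 1) / DNP3_BLOCK;
    if (n != DNP3_HDR_LEN + user + 2 * blocks) return -5;
    const uint8_t *p = f + DNP3_HDR_LEN;
    for (size_t left = user; left > 0; ) {
        size_t chunk = left < DNP3_BLOCK ? left : DNP3_BLOCK;
        if (dnp3_crc(p, chunk) != le16(p + chunk)) return -6;
        p += chunk + 2;
        left -= chunk;
    }
    if (out) {
        out->control = f[3]; out->dest = le16(f + 4); out->src = le16(f + 6);
        out->user_len = user;
    }
    return 0;
}

/* Builds a frame into buf (needs up to 292 bytes); returns the frame length,
 * or 0 if the user data would not fit in one frame. */
size_t dnp3_build(uint8_t *buf, uint8_t control, uint16_t dest, uint16_t src,
                  const uint8_t *data, size_t dlen) {
    if (dlen > DNP3_MAX_USER) return 0;
    buf[0] = 0x05; buf[1] = 0x64; buf[2] = (uint8_t)(5 + dlen); buf[3] = control;
    buf[4] = (uint8_t)dest; buf[5] = (uint8_t)(dest >> 8);
    buf[6] = (uint8_t)src;  buf[7] = (uint8_t)(src >> 8);
    uint16_t c = dnp3_crc(buf, 8);
    buf[8] = (uint8_t)c; buf[9] = (uint8_t)(c >> 8);
    size_t pos = DNP3_HDR_LEN;
    for (size_t i = 0; i < dlen; i += DNP3_BLOCK) {
        size_t chunk = (dlen - i) < DNP3_BLOCK ? (dlen - i) : DNP3_BLOCK;
        memcpy(buf + pos, data + i, chunk);
        c = dnp3_crc(buf + pos, chunk);
        pos += chunk;
        buf[pos++] = (uint8_t)c; buf[pos++] = (uint8_t)(c >> 8);
    }
    return pos;
}

int main(void) {
    uint8_t frame[292], payload[20];
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)i; /* constructed data */
    /* constructed sample: master address 1 -> outstation 1024, control 0xC4 */
    size_t n = dnp3_build(frame, 0xC4, 1024, 1, payload, sizeof payload);
    struct dnp3_link l;
    printf("built %zu bytes, parse=%d\n", n, dnp3_parse_link(frame, n, &l));
    frame[12] ^= 0xFF;   /* corrupt one user-data byte: block CRC must now fail */
    printf("after corruption parse=%d (expect -6)\n", dnp3_parse_link(frame, n, &l));
    return 0;
}
```

Note that the CRCs only detect corruption; plain DNP3 has no authentication of the sender or the payload unless the DNP3 Secure Authentication extension is deployed, so a frame passing this check says nothing about who sent it.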

Exploit and stuff:

MiTM, packet replay? To be continued…

Fuzzers:

Conclusions

Resources:
