Dear PenTest Readers,
In this issue of PenTest Magazine we’d like to get back to a topic we presented a couple of years ago in one of our previous editions: the cybersecurity of Industrial Control Systems. While general awareness of the information security of critical infrastructure, OT/ICS and SCADA systems has substantially increased over recent years, there is still a lot to improve. That’s why our contributors prepared a few articles and tutorials on the current and upcoming challenges related to the topic, as well as some methodologies and techniques to apply in ICS environments.
Danielle Jablanski from Nozomi Networks opens the issue with her article that discusses building intuition into monitoring for OT/ICS security, based on behavioral analytics that capture and analyze communications traffic and process variables simultaneously.
Leonard Jacobs, the instructor of our bestselling “Cybersecurity Testing for Industrial Control Systems” online course, brings in a really interesting practical tutorial on Threat Hunting in ICS environments.
Michael Mossad presents future scenarios for ICS information security, covering the biggest current challenges and the most interesting perspectives for the future of the industry, such as ICSaaS or the reshaping of the role of OEMs.
Jose J Perez shares his rich experience and knowledge on the topic, presenting a detailed review of the Purdue model, which is a standard reference architecture for Industrial Control Systems.
The other half of this edition is dedicated to practical WiFi hacking tools and techniques, and the contributors for this topic did a wonderful job too! Anderson Bechelli and Cleber Soares provide a great tutorial on the WiFi deauthentication attack with the ESP8266. Ricardo Jose Ruiz Fernandez presents a very valuable case study on the uses of WiFi technologies in Red Team operations. Jamel Metmati contributes a very important perspective on the 5G pentesting toolkit. Juan Morales prepared a really good tutorial on using the Aircrack Suite, and last but not least, Andrea Cavallini presents the Cain & Abel tool.
As you can see, with this edition you can get into both ICS cybersecurity and WiFi pentesting on a practical level with a wide scope of presented tools, techniques, and methodologies.
Without further ado,
Enjoy the content!
PenTest Magazine’s Editorial Team.
Table of Contents
Building Intuition into Monitoring for OT/ICS Security
by Danielle Jablanski
The current state of Operational Technology and Industrial Control Systems cybersecurity is turning a corner, moving from decades of admiring hypothetical scenarios to realizing the significance of the very real threats and vulnerabilities that exist across critical infrastructure all over the globe. Recent revelations from Industroyer2 and INCONTROLLER teach us that, when it comes to Threat Intelligence capabilities, you can only alert on and potentially catch what you know how to look for in these environments.
Industrial Control System Cybersecurity Threat Hunting
by Leonard Jacobs
ICS are generally very static in both design and configuration. This characteristic can make it easier to protect ICS. Additionally, it makes it easier for cyber threat hunters to distinguish when changes occur in ICS. Any change could be the result of a cyber-attack, and determining whether it is falls to the cyber threat hunter. However, cybersecurity is not always perfect. Cybersecurity protections are often circumvented by cyber attackers, allowing them to take advantage of cybersecurity weaknesses in ICS. This is when cyber threat hunting techniques come to the rescue and allow cybersecurity defenders to search for cyber attackers that may have invaded the ICS.
ICS Security: What’s Next
by Michael Mossad
The focus of the Original Equipment Manufacturers (OEMs) has always revolved around the availability and safety of ICSs rather than security; more specifically, when it comes to the CIA triad, availability must take precedence over confidentiality and integrity. Additionally, ICSs are installed with a lengthy service life expectancy, anywhere between 20 and 30 years. As a result, ICSs are extremely vulnerable due to running outdated operating systems, limitations around patch deployment (organizations cannot afford any sort of downtime), and challenges in implementing standard security controls, either because OEMs cannot guarantee the systems’ reliability with these controls (e.g., anti-malware solutions) or because of a lack of compatibility, as some ICSs do not support basic security controls such as strong passwords.
ICS Cyber Security Resilience, Enduring "The Perfect Storm"
by Jose Perez
There are many industrial control processes within Operational Technology: discrete, batch, continuous, and hybrid. Each of these processes has its own characteristics and may be used in many different industries, but they all share the same basic architectural structure. Much as networking has the OSI model, we refer to this structure as the Purdue Model. The Purdue model, formally the Purdue Enterprise Reference Architecture (PERA), is a structural model for Industrial Control System (ICS) security concerning physical processes, sensors, supervisory controls, operations, and logistics.
WiFi Deauthenticator Attack with ESP8266
by Anderson Bechelli and Cleber Soares
In our study, we used ESP8266 hardware as our WiFi antenna and the provider of the deauthentication attack. The ESP8266 is a microcontroller that allows devices to connect over WiFi using the TCP/IP protocol. It became very popular for its low initial cost, coming in at less than 10 dollars. Originally, the ESP8266 did not have an SDK, which made it usable only together with a separate microcontroller, but in 2014 an SDK was developed for the device that allows its chip to be programmed directly, eliminating the need for an external microcontroller. Thanks to the ESP8266, different types of automation and communication studies are possible via WiFi, from web servers and APs to different ESPs acting, for example, as mesh network nodes.
Uses of WiFi Technology in Red Team Operations [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
by Ricardo Jose Ruiz Fernandez
As explained, WiFi networks may grant access to the internal network of a company, making them an interesting attack vector to investigate in Red Team operations. Depending on the type of network, the attack carried out will differ, but the case study explains two very typical attacks against these networks and how to execute them in a stealthy manner.
THE 5G Wireless Pentesting Toolkit
by Jamel Metmati
5G networks increase the potential of wireless in terms of range and availability for the users, resources and assets in a cyber architecture. The features of 5G networks show the points that need to be checked to carry out a pentest inside or outside the 5G architecture. The mix of 5G with 3G/4G networks must be taken into account when assembling a toolkit for penetration testing, since the bandwidth of such a network always falls back to the least powerful technology.
Cain & Abel, THE Oxid Child
by Andrea Cavallini
Historically, password and key recovery (by brute forcing or other attacks) has been one of the most important activities of an attacker. Impersonating someone who can access a network or read confidential, unauthorized information is the goal of everyone who does this, whether to test for ethical reasons or to obtain it for money. A lot of tools were created to reach that goal, on both Linux and Windows. The largest part of these was developed for Linux, for all the well-known reasons that come up when comparing the two operating systems. One tool can be identified as important for forcing a key: Cain & Abel.
Testing Different WiFi Standards with Aircrack Suite
by Juan Morales
The purpose of this article is to demonstrate different forms of Wi-Fi network attacks (with permission, of course!) using none other than the Aircrack Suite. We will cover a slew of different attacks and capabilities of the Aircrack Suite. For the purposes of demonstration, I will be using an Alfa AWUS036ACH Wi-Fi USB adaptor, though you can use any compatible wireless network adaptor that supports monitor and AP modes as well as packet injection. Without further ado, let’s go ahead and demonstrate how we can test different Wi-Fi standards.
The Basics of the Kerberos Authentication
by Vinod Gupta
Kerberos is a network security protocol that authenticates service requests between multiple hosts across untrusted networks. It is an authentication mechanism that uses symmetric-key encryption while transferring information between Kerberos components.