Degree Project in Electrical Engineering, Second Cycle, 30 credits
Stockholm, Sweden 2020
Ethical Hacking Of An Industrial Control System
DANIEL CONDE ORTIZ
KTH Royal Institute of Technology
School of Electrical Engineering and Computer Science
Abstract
Almost no software is free of vulnerabilities. Penetration testing, or ethical hacking, can be used to identify them. This thesis conducts a series of tests following the penetration testing method on a large-scale industrial control system. The goal is to discover which kinds of vulnerabilities exist in these systems, focusing on attacks from inside their network. Several approaches were taken as to how to attack the servers and services that form the network, both from outside and from inside the machines. Critical vulnerabilities were found in relation to using services unauthenticated and to disrupting communication between servers; these should be mitigated correctly in order to prevent further potential attacks.
Summary (Swedish abstract)
Most software has vulnerabilities. Penetration testing or ethical hacking can be used to identify them. This thesis performs tests according to the penetration testing method on a large-scale industrial control system. The goal is to discover which vulnerabilities exist in these systems, focusing on attacks from within their network. Several approaches were used to attack servers and services on the network, both from inside and outside the machines. Critical vulnerabilities were found in connection with authentication and with disrupting communication between servers, which should be addressed in order to prevent further potential attacks.
Acknowledgements
Firstly, I would like to thank my thesis supervisor, Professor Pontus Johnson. I found this thesis thanks to him and he has provided me with quick and really useful feedback and support whenever I needed it, which has been essential for the development of this project.
I would also like to extend my sincere thanks to all the people who have helped me carry out this project in the company, answering all of my numerous questions, providing assistance and recommendations on where to continue testing and guiding me so as not to get lost in their systems.
I can’t express enough my gratitude to my partner Virginia because, even though we are in different countries, she has always been by my side and has made this two-year crazy adventure much, much better. I can’t wait for our next one.
Then, I want to thank my parents for all of their support throughout my life, for introducing me to the telecommunications world and for always encouraging me to never stop and to look for the best. All of this would not have been possible without them.
Finally, I would like to thank my sister Yaiza for her courage and for showing me to never give up, always wearing a smile. I wish you could have seen all of this. I hope you are proud of me.
Thanks to everyone! Thank you!
Daniel Conde Ortiz
June 2020
Author: Daniel Conde Ortiz <[email protected]>, Information and Communication Technology, KTH Royal Institute of Technology
Place for Project: Stockholm, Sweden
Examiner: Mathias Ekstedt, Stockholm, KTH Royal Institute of Technology
Supervisor: Pontus Johnson, Stockholm, KTH Royal Institute of Technology
Contents
1 Introduction
1.1 Problem statement
1.1.1 Research question
1.1.2 Hypothesis
1.2 Motivation and goal of the thesis
1.3 Scope and delimitations
1.4 Outline
2 Background
2.1 Cybersecurity
2.1.1 CIA
2.2 Penetration Testing
2.2.1 Terms
2.3 Network Communication
2.3.1 Transmission Control Protocol
2.3.2 Address Resolution Protocol
2.3.3 Remote Procedure Call
2.4 Windows Authentication
2.4.1 Active Directory
2.4.2 Kerberos
2.4.3 SMB
3 Penetration Testing Methods
3.1 Target System
3.1.1 Attacking Machine
3.2 Threat modelling
3.3 Exploitation
3.3.1 Tools
3.4 Post Exploitation
3.5 Reporting
4 Exploitation
4.1 Threat model
4.2 Network attacks
4.3 Active Directory attacks
4.4 Attacks from inside of Windows machines
5 Results
5.1 Threat Model
5.2 Network Vulnerabilities
5.3 Active Directory Vulnerabilities
5.4 Vulnerabilities inside of Windows machine
5.5 Traceability Matrix
6 Discussion
6.1 Results
6.2 Attacks Mitigation
6.3 Methodology
6.4 Sustainability and Ethical Considerations
6.5 Future Work
7 Conclusions
References
List of Figures
2.3.1 The layers of the OSI model
2.3.2 TCP three-way handshake
2.3.3 MITM attack
2.4.1 Kerberos authentication process
3.1.1 Simplified view of the computer network
5.1.1 Threat model of the system
List of Tables
5.1.1 Vulnerability enumeration of the system using STRIDE
5.5.1 Traceability matrix for the attacks performed
ACRONYMS
AD Active Directory
ARP Address Resolution Protocol
BIOS Basic Input/Output System
CIA Confidentiality Integrity Availability
CORBA Common Object Request Broker Architecture
CVE Common Vulnerabilities and Exposures
DOS Denial Of Service
HTTP Hypertext Transfer Protocol
IBM International Business Machines
IP Internet Protocol
IPC Inter-Process Communication
IT Information Technology
KDC Key Distribution Center
KTH Kungliga Tekniska Högskolan
LAN Local Area Network
LAND Local Area Network Denial
LLMNR Link-Local Multicast Name Resolution
MITM Man In The Middle
MIT Massachusetts Institute of Technology
NBT NetBIOS over TCP/IP
NDR Network Data Representation
NTLM New Technology LAN Manager
OSI Open Systems Interconnection
RDP Remote Desktop Protocol
RPC Remote Procedure Call
RTCP RTP Control Protocol
RTP Real-time Transport Protocol
SID Security ID
SMB Server Message Block
SSO Single Sign-On
SSSD System Security Services Daemon
STRIDE Spoofing, Tampering, Repudiation, Information disclosure,
Denial of service, Elevation of privilege
TCP Transmission Control Protocol
TGT Ticket Granting Ticket
TGS Ticket Granting Service
UDP User Datagram Protocol
XDR External Data Representation
ZIP Zone Information Protocol
Chapter 1
Introduction
“There are only two types of companies—those that know they’ve been
compromised, and those that don’t know.” - Dmitri Alperovitch
It is not uncommon to hear something related to cybersecurity in the news every day. For example, there have recently been concerns about hackers, malware and foreign surveillance on the Zoom platform [1]. Other news reported attacks on hospitals and facilities researching vaccines against COVID-19 [2].
The Common Vulnerabilities and Exposures (CVE) list is a database of publicly disclosed security flaws in software and machines [3]. Currently, it has over 137000 vulnerabilities registered, and the number increases every day.
Understanding that no system is free of vulnerabilities is key to designing and building software that is secure. The consequences of overlooking this can be devastating for companies or even life-threatening for people, depending on the importance of the software.
Usually, companies make a trade-off between security, usability and costs,
but, even though all possible attacks have to be prevented, it only takes one
flaw to make everything useless. Because of that, security should be the basis
of their project instead of being an inconvenience or an add-on.
Penetration testing, or ethical hacking, is the method used to test the security of IT systems and find potential vulnerabilities in them. Usually, it involves access to the systems and their structure, threat modelling and authorised attacks on the tested systems.
1.1 Problem statement
Software and systems inevitably have flaws. When these systems are connected to the Internet, a network that everybody can access, they are exposed to people who will exploit these flaws for many reasons (own gain, fun, hate, etc.). This can cause harm to a company and the loss of trust and customers.
Industrial control systems are usually big, complex and important for the core activities of companies. Their failure or mismanagement leads to economic damage in most cases. For these reasons, their security is carefully reviewed and constantly improved.
An organisation with an industrial control system wants an assessment of the security of its systems; thus, a penetration test will be conducted to see what vulnerabilities can be exploited.
1.1.1 Research question
This thesis is done in collaboration with KTH and a company that will remain
anonymous. The research question on which this thesis will be focused
is:
What kind of vulnerabilities can be found in industrial control systems and
what can be done to prevent attacks?
1.1.2 Hypothesis
One or more vulnerabilities exist in the system and could be vectors for
possible intrusions.
1.2 Motivation and goal of the thesis
The motivation behind this thesis is to gain and provide a better understanding of security threats to modern industrial control systems and of how the attacks can be mitigated. The goal of the thesis is to contribute to and improve the security of the system that will be analysed.
1.3 Scope and delimitations
The focus of the thesis will be on discovering vulnerabilities in systems and building exploits for them, to finally, hypothetically, be able to disrupt services or cause damage. The perimeter of the system will not be tested, as we already assume that the attacker is inside the network, and social engineering attacks will not be performed. No deliverables such as security patches will be built, and when a vulnerability is found it will be properly disclosed to the company.
1.4 Outline
This chapter has introduced the problem and the goals of the thesis. The rest of the thesis follows the phases of penetration testing. Chapter 2 gives a theoretical explanation of concepts related to ethical hacking and security, chapter 3 describes the methodology and methods, chapter 4 the exploit development and chapter 5 the results. Finally, the thesis concludes with a discussion of the results in chapter 6 and conclusions from the whole thesis in chapter 7.
Chapter 2
Background
This chapter presents the theoretical concepts about security and penetration testing that are needed to fully understand the thesis.
2.1 Cybersecurity
Information security, computer security or cybersecurity can be defined as the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access, as well as from the disruption or misdirection of the services they provide [4, 5].
2.1.1 CIA
A very important term related to cybersecurity is the CIA triad (Confidentiality, Integrity, Availability). According to Walkowski [6] they can be defined in the following way:
• Confidentiality: It is roughly equivalent to privacy. It involves ensuring that only those who are authorized have access to specific assets and that those who are unauthorized are actively prevented from obtaining access.
• Integrity: Consists in ensuring that data has not been tampered with and, therefore, can be trusted. It is correct, authentic and reliable. This means that data changes and system functions should only be done in authorised manners.
• Availability: Means that authorized users have timely, reliable access to resources when they are needed. Authentication mechanisms, access channels and systems all have to work properly for the information they protect and ensure it is available when it is needed.
There can be augmentations to this triad, such as [7]:
• Authenticity: The property of being genuine and being able to be
verified and trusted.
• Accountability: The requirement for every action or data to be able to
be traced back to its origin entity.
• Non-repudiation: Assurance that someone cannot deny the validity of
something. It involves providing proof of the origin of data and the
integrity of the data.
2.2 Penetration Testing
A penetration test (also called ethical hacking) is an authorized cyberattack on a computer system, performed in order to assess its security [8]. It is usually done by establishing a certain goal and reviewing available information and ways to reach that goal. The tested system can be a white box (all information is available to us) or a black box (little or no information is available).
The Penetration Testing Execution Standard [9] divides this process into 7 phases:
1. Pre-engagement. Preparation phase, tool gathering and agreeing on the scope and goals of the test.
2. Intelligence Gathering. Obtaining all available information about the system and ways to attack.
3. Threat Modelling. Procedure to identify objectives and impact of attacks.
4. Vulnerability analysis. Discovering vulnerabilities in the system.
5. Exploitation. Using those vulnerabilities to gain access to systems and bypass security measures.
6. Post Exploitation. Maintaining control of the system and collecting data.
7. Reporting. Documenting the entire process and handing the results to the client.
2.2.1 Terms
Several terms have been and will be used throughout the whole thesis in
relation to ethical hacking.
• Threat: The possibility of harm, trouble or danger. The risk of security violations.
• Vulnerability: Flaw in a system or software that can be used to
overcome security policies in place.
• Exploit: Software specifically designed to attack a vulnerability or the
act of attacking it.
• Disclosure: Act of communicating found vulnerabilities, either publicly
or privately.
2.3 Network Communication
All communication between two or more machines is standardized, so that even if the communicating systems are different they can still understand each other. This standardization is based on the OSI Model [10].
This model represents the communication in 7 layers, shown in Figure 2.3.1. Each layer has a specific set of tasks and only transfers information to the layer above or below. Packets (information containers) move vertically in this structure and each layer only communicates with the layer at the same level on other devices. Many protocols exist for each layer, but the same one must be used on both ends of the communication for it to succeed.
Figure 2.3.1: The layers of the OSI model
A brief explanation of each layer:
Application layer
The user interacts with this layer, it is the beginning and end of almost all
network communication. It is probably the layer with the most protocols,
some of them are: HTTP, RDP and SMB.
Presentation layer
It’s responsible for data formatting and delivery between different end-user
systems, for example, different text encodings. Some of the protocols in this
layer are: NDR and XDR.
Session layer
Provides mechanisms for opening, managing and closing sessions (semi-permanent dialogues). It also provides authentication and authorization services. Some of its protocols are: NetBIOS, ZIP and RTCP.
Transport layer
This layer is responsible for delivering packets to the corresponding application process once they reach the destination machine. It provides services such as connection-oriented communication, reliability, flow control and multiplexing. The most used protocols in this layer are TCP (reliable) and UDP (fast and simple).
Network layer
It is the layer in charge of transmitting packets between different networks, that is, between two machines that are not directly connected. The best known protocol from this layer is IP.
Link layer
This layer transmits information between two machines that are directly connected. It also provides error correction. Some of its protocols are Ethernet and Wi-Fi.
Physical layer
It is physically connected to another system (cable, fiber, air, etc.) and transmits and detects the information in the form of electromagnetic waves. It makes the transformation from these electromagnetic waves to bits and back.
2.3.1 Transmission Control Protocol
The Transmission Control Protocol or TCP [11] is one of the fundamental protocols of the Internet. It is a transport layer protocol and provides reliable, error-free and ordered stream delivery between applications. TCP also provides flow control, allowing both sides to limit how much information is sent in a given period if they are overwhelmed or the link in between is congested.
The most important aspect of TCP is that it is connection-oriented, meaning that a connection must be established before transmitting data. The receiving end must be listening for connection requests and, when a new one is received, the three-way handshake process is initiated, shown in Figure 2.3.2 and known as SYN, SYN-ACK and ACK.
Figure 2.3.2: TCP three-way handshake
Once this process is done, information can be transmitted. If any packet is lost, the receiving end can request it, or the sending side knows about it, because all received packets are acknowledged. This handshake can also be used to scan open ports or exploited to perform some Denial of Service attacks.
TCP encapsulates the information by adding a header for processing at the receiving end. This header has several parameters such as the origin and destination ports. The order of the data is controlled by sequence numbers and flow control by a parameter called window size.
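The two abuses of the handshake mentioned above, port scanning and SYN-based denial of service, both leave a recognisable trace in the handshake state of each connection. The tracker below is an added example (not the thesis's own script) that replays the three-way handshake over a constructed packet summary and reports sources that fan SYNs out over many refused ports and servers left holding half-open connections; the packet tuples, thresholds and addresses are all constructed for the example.

```python
"""Handshake tracker over a packet summary, flagging port scans (SYNs fanned
out over many ports and mostly refused) and SYN floods (SYN-ACKs never ACKed,
so the server keeps half-open connections).  Added example, not from the
thesis.  Packets are constructed (time, client, server, port, flags) tuples;
SYN and ACK are sent by the client, SYN-ACK and RST by the server.
"""
from collections import defaultdict

SCAN_PORTS = 5           # distinct ports one source must probe to be reported as a scan
HALF_OPEN_LIMIT = 4      # half-open connections per server before reporting a flood
HALF_OPEN_TIMEOUT = 3.0  # seconds an unanswered SYN-ACK may wait before it counts


def track(packets):
    """Replay the handshake state machine; returns {(client, server, port): (state, last_t)}."""
    state = {}
    for t, client, server, port, flags in packets:
        key = (client, server, port)
        cur = state.get(key, ("CLOSED", t))[0]
        if flags == "SYN":
            state[key] = ("SYN_SENT", t)
        elif flags == "SYN-ACK" and cur == "SYN_SENT":
            state[key] = ("SYN_RECEIVED", t)     # server has now reserved a connection slot
        elif flags == "ACK" and cur == "SYN_RECEIVED":
            state[key] = ("ESTABLISHED", t)
        elif flags == "RST":
            state[key] = ("REFUSED", t)          # closed port, or connection torn down
    return state


def detect_scans(state):
    """Sources that probed many distinct ports with at least half of them refused."""
    per_src = defaultdict(lambda: {"ports": set(), "refused": 0})
    for (client, server, port), (st, _) in state.items():
        per_src[client]["ports"].add((server, port))
        if st == "REFUSED":
            per_src[client]["refused"] += 1
    return {src: d for src, d in per_src.items()
            if len(d["ports"]) >= SCAN_PORTS and 2 * d["refused"] >= len(d["ports"])}


def detect_half_open(state, now):
    """Servers holding at least HALF_OPEN_LIMIT connections stuck in SYN_RECEIVED."""
    per_server = defaultdict(int)
    for (_, server, _), (st, t) in state.items():
        if st == "SYN_RECEIVED" and now - t > HALF_OPEN_TIMEOUT:
            per_server[server] += 1
    return {s: n for s, n in per_server.items() if n >= HALF_OPEN_LIMIT}


def _probe(t, src, port, refused):
    """One probe: SYN, then RST (closed port) or SYN-ACK (open port, never ACKed)."""
    return [(t, src, "10.0.0.10", port, "SYN"),
            (t + 0.01, src, "10.0.0.10", port, "RST" if refused else "SYN-ACK")]


# Constructed capture: a normal client completes a handshake to the SMB port,
# one host probes five ports (four closed), then four sources flood port 80.
PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.10", 445, "SYN"),
    (0.01, "10.0.0.5", "10.0.0.10", 445, "SYN-ACK"),
    (0.02, "10.0.0.5", "10.0.0.10", 445, "ACK"),
]
for i, (port, refused) in enumerate([(21, True), (22, False), (23, True), (25, True), (110, True)]):
    PACKETS += _probe(1.0 + 0.1 * i, "10.0.0.66", port, refused)
for i in range(4):
    PACKETS += _probe(10.0 + 0.01 * i, f"10.0.0.{200 + i}", 80, refused=False)


def analyse(packets=PACKETS, now=20.0):
    """Run both detectors; 'now' is the capture time at which half-open age is judged."""
    st = track(packets)
    return detect_scans(st), detect_half_open(st, now)


if __name__ == "__main__":
    scans, floods = analyse()
    print("scanners:", sorted(scans))
    print("servers under SYN flood (half-open count):", floods)
```

On a real capture the same state machine is fed from a sniffer (the thesis uses Wireshark), and the thresholds are tuned to the network's normal connection rate.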
2.3.2 Address Resolution Protocol
The Address Resolution Protocol or ARP [12] is a protocol used for discovering link layer addresses, most of the time MAC addresses, from a given IP address inside the same network.
The way it works is that each host keeps a mapping table of MAC addresses and their corresponding IPs. If a host wants to know another host’s MAC, it sends a broadcast ARP query message asking who has the corresponding IP. If that host exists in the same subnetwork, it replies with its own MAC address.
Sometimes hosts can also actively announce their MAC/IP relation to the network, and other hosts will register it in their tables. This can be exploited to spoof other machines and receive packets and information that were destined to them. This is called ARP spoofing and can be used to perform a man-in-the-middle attack.
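Because ARP spoofing works by rewriting the IP-to-MAC table described above, it can be detected by keeping a copy of that table and watching for the two patterns it produces: a known IP suddenly answering from a different MAC, and one MAC claiming to own several IPs. The monitor below is an added example (not the thesis's script); the ARP reply records and addresses are constructed and stand in for what a sniffer would deliver.

```python
"""ARP table monitor that flags IP-to-MAC changes characteristic of ARP
spoofing.  Added example, not part of the thesis.  It consumes constructed
ARP reply records (the fields a sniffer would extract) and keeps the same
IP -> MAC mapping a host's ARP cache keeps.
"""
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    """One ARP reply as seen on the wire: 'sender_ip is at sender_mac'."""
    t: float                    # capture time in seconds (constructed)
    sender_ip: str
    sender_mac: str
    gratuitous: bool = False    # unsolicited announcement (sender IP == target IP)


@dataclass
class ArpMonitor:
    table: dict = field(default_factory=dict)   # ip -> mac, like the host's ARP cache
    owners: dict = field(default_factory=dict)  # mac -> set of ips it has claimed
    alerts: list = field(default_factory=list)

    def observe(self, r: ArpReply) -> list:
        """Update the table with one reply and return the alerts it triggered."""
        new = []
        known = self.table.get(r.sender_ip)
        if known is not None and known != r.sender_mac:
            # A known address moved to another NIC: the core symptom of spoofing.
            new.append(f"{r.t:.1f}s REBIND {r.sender_ip}: {known} -> {r.sender_mac}"
                       + (" (gratuitous)" if r.gratuitous else ""))
        self.table[r.sender_ip] = r.sender_mac
        claimed = self.owners.setdefault(r.sender_mac, set())
        claimed.add(r.sender_ip)
        if len(claimed) > 1:
            # One MAC answering for two IPs is how a man-in-the-middle sits between them.
            new.append(f"{r.t:.1f}s MULTI-IP {r.sender_mac} claims {sorted(claimed)}")
        self.alerts.extend(new)
        return new


# Constructed capture: the gateway (.1) and a server (.10) answer normally, then
# a third MAC sends gratuitous replies claiming both addresses, and finally the
# real server answers again, so the mapping flaps back.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(0.2, "10.0.0.10", "aa:aa:aa:aa:aa:10"),
    ArpReply(5.0, "10.0.0.1", "bb:bb:bb:bb:bb:bb", gratuitous=True),
    ArpReply(5.1, "10.0.0.10", "bb:bb:bb:bb:bb:bb", gratuitous=True),
    ArpReply(6.0, "10.0.0.10", "aa:aa:aa:aa:aa:10"),
]


def run_monitor(replies) -> ArpMonitor:
    """Feed a sequence of replies through a fresh monitor and return it."""
    m = ArpMonitor()
    for r in replies:
        m.observe(r)
    return m


if __name__ == "__main__":
    for a in run_monitor(SAMPLE_REPLIES).alerts:
        print(a)
```

A rebind can also be legitimate (a replaced network card, a failover address moving between cluster nodes), so in practice the alert is checked against an inventory of expected MAC addresses before it is acted on.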
Man-In-The-Middle (MITM)
A man-in-the-middle attack [13] happens when the attacker is, secretly, in
the middle of the communication between two victims. The attacking agent
receives traffic from one or both sides and relays it to the other part. Because
of this, it can read the traffic, modify it, drop some packets or replay them
later.
Most cryptographic protocols include endpoint authentication to prevent the
attacker from reading the traffic if this kind of attack happens.
Figure 2.3.3: MITM attack
2.3.3 Remote Procedure Call
A Remote Procedure Call or RPC [14] happens when a program causes a subroutine to execute on another machine (usually in the same network), but this is coded in the software as a normal procedure call, where the program does not specify the explicit details of the interaction; the code is essentially the same as if the call were local.
RPCs are a form of inter-process communication (IPC) and are based on client-server interaction, where the client always starts the procedure. During the time that the server is processing the request, the client remains blocked, unless it is an asynchronous request. Also, the communication can fail, and clients should account for these failures.
RPC can be an important security factor since it is an entry point for requests to execute programs inside the machine. Because of this, it must be adequately secured. A secure RPC requires an encrypted communication path, the authentication of the identity of the requesting client, and authorization on the serving side that the client making the request is allowed to do so. Usually, this is achieved by using Kerberos (or a similar system), which will be explained later.
2.4 Windows Authentication
Authentication is a process for verifying the identity of an object, service or
person and proving that they are genuine or authentic [15]. Usually, this is
done signing data with a cryptographic operation using a key that only the
user knows or a shared key.
The server in charge of authentication compares the signed data from the user
with known cryptographic keys. Storing the keys in a secure central location
makes the authentication process scalable and maintainable. Microsoft
provides a solution for this, called Active Directory.
In a business environment, services or users might want to access multiple
applications or resources on many types of servers from one or several
locations. For these reasons, authentication servers must support a wide
range of environments and operating systems.
2.4.1 Active Directory
Active Directory is a directory service included in most Windows Server
operating systems and stores information about objects (user accounts) on
the network and makes this information easy for administrators and users to
find and use.
This service also includes a set of rules that defines the constraints and limits of these objects; a query and index mechanism so objects and their properties can be queried; a replication service that distributes directory data across a network and a global catalog that contains information about every object in the directory [16].
A server running Active Directory is called a domain controller and is in
charge of authenticating and authorizing all users and computers in the
network, assigning and enforcing security policies. In order to include Linux
servers into this authentication network, System Security Services Daemon
or SSSD [17] is used.
2.4.2 Kerberos
Kerberos is a network authentication protocol developed by MIT and designed to provide strong authentication for client/server applications, replacing password-based authentication methods [18]. It reduces the risk of MITM attacks since all communication is encrypted, and it is widely used as a Single Sign-On (SSO) service, meaning that a user only has to authenticate once to use as many services as they want.
Kerberos is the default authentication method in Windows, but usually NTLM is used as a fallback when a service does not implement Kerberos. Apart from that, every service needs to be registered in the AD for Kerberos to work.
Kerberos uses tickets instead of passwords, and its basic architecture consists of a client, the service that the client wants to authenticate to and an authentication server, which in this case is called Key Distribution Center or KDC.
An overview of the steps in the authentication process can be seen in Figure 2.4.1; they are:
1. The client presents itself to the KDC and asks for a ticket for the Ticket Granting Service (inside the KDC).
2. The Authentication Service (also inside the KDC) sends back the requested ticket encrypted with the client’s password as well as a session key that can’t be decrypted.
3. The client uses this ticket and session key to request a service ticket from the TGS.
4. The TGS answers with the corresponding ticket and a service session key.
5. Using this, the client authenticates to the service.
6. If everything is correct, the service will answer with some authentication information back, and now the client can use the service.
Figure 2.4.1: Kerberos authentication process
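The six steps above, carried out end to end by a client, a KDC (Authentication Service plus TGS) and a service, as an added example; it is not the thesis's code nor the MIT or Microsoft implementation. A toy HMAC-based cipher stands in for Kerberos' real encryption types, and the realm (user alice, the TGS principal krbtgt, one file service) is constructed. As in the real protocol, the TGT is sealed under the TGS's own key, so the client can carry it but not read it, while the session keys are sealed under the client's password-derived key, which is why a wrong password fails at step 2 without the KDC ever seeing the password.

```python
"""Kerberos ticket exchange simulated with symmetric keys.  Added example, not
from the thesis.  seal/unseal is a toy encrypt-then-MAC construction, NOT a
real cipher; every other step mirrors the protocol's structure.
"""
import hashlib, hmac, json, os, time

LIFETIME = 8 * 3600   # ticket lifetime in seconds (constructed value)


def kdf(password: str) -> bytes:
    """Password -> long-term key (real Kerberos uses string-to-key with a salt)."""
    return hashlib.sha256(password.encode()).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption standing in for AES-CTS-HMAC; not for real use."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service and Ticket Granting Service in one process."""
    def __init__(self, principals: dict):
        self.keys = {p: kdf(pw) for p, pw in principals.items()}   # the AD-style key store

    def as_exchange(self, client: str):
        """Steps 1-2: TGT sealed under the TGS key, session key sealed under the client key."""
        sk = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk, "exp": time.time() + LIFETIME})
        return seal(self.keys[client], {"sk": sk}), tgt

    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str):
        """Steps 3-4: validate TGT and authenticator, issue service ticket and session key."""
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["sk"]), auth)   # only the TGT holder knows sk
        if a["client"] != t["client"] or time.time() > t["exp"]:
            raise ValueError("TGT/authenticator mismatch or expired")
        ssk = os.urandom(16).hex()
        ticket = seal(self.keys[service],
                      {"client": t["client"], "ssk": ssk, "exp": time.time() + LIFETIME})
        return seal(bytes.fromhex(t["sk"]), {"ssk": ssk}), ticket


class Service:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, kdf(password)

    def ap_exchange(self, ticket: bytes, auth: bytes) -> bytes:
        """Steps 5-6: open ticket with own key, check authenticator, reply for mutual auth."""
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["ssk"]), auth)
        if a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300 or time.time() > t["exp"]:
            raise ValueError("authenticator rejected")
        return seal(bytes.fromhex(t["ssk"]), {"ts": a["ts"]})


def login_and_use(kdc: KDC, svc: Service, user: str, password: str) -> bool:
    """Client side of the whole flow; True only if the service proved it knew the session key."""
    enc, tgt = kdc.as_exchange(user)                        # steps 1-2
    sk = bytes.fromhex(unseal(kdf(password), enc)["sk"])    # wrong password fails here
    enc2, ticket = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "ts": time.time()}), svc.name)
    ssk = bytes.fromhex(unseal(sk, enc2)["ssk"])            # steps 3-4
    ts = time.time()
    rep = svc.ap_exchange(ticket, seal(ssk, {"client": user, "ts": ts}))   # step 5
    return unseal(ssk, rep)["ts"] == ts                     # step 6


# Constructed realm: one user, the TGS principal and one SMB-style service.
KDC_DEMO = KDC({"alice": "correct horse", "krbtgt": "tgs-secret", "cifs/fileserver": "svc-secret"})
FILESERVER = Service("cifs/fileserver", "svc-secret")

if __name__ == "__main__":
    print("login ok:", login_and_use(KDC_DEMO, FILESERVER, "alice", "correct horse"))
```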
2.4.3 SMB
SMB or Server Message Block [19] is a protocol used for providing shared
access to files, serial ports and printers and authenticated inter-process
communication (IPC), all within a network. It was originally designed by
IBM but Microsoft made substantial modifications to it, creating the most
commonly used version and including it in most Windows versions.
SMB servers allow clients on the network to access their file systems and
other resources, provided that they authenticate first, for example, by being a
domain user.
Samba [20] is a free-software implementation of the SMB protocol for
Unix-like systems. It allows systems that are not Windows to access and
communicate with SMB servers. On a more general scope, it integrates Unix
systems into Active Directory environments.
Chapter 3
Penetration Testing Methods
The main focus of this degree project is to perform a security assessment on a system, i.e. penetration testing. This chapter explains how this investigation was conducted; the results will be presented in the next chapter. The methodology used is based on the phases explained in section 2.2.
3.1 Target System
This thesis was performed on a provided simulated system. This system was a virtualized, identical representation of the real-world systems used in this company. An effort was made to set up the systems in the same way a client would, with the same security measures, firewalls included. The system is shown in Figure 5.1.1.
The system is composed of several Windows and Linux servers, connected to the same network and in the same domain. We could say that the control system (back-end) is in the middle of everything, with clients on one side and the actuating components on the other. This system also includes databases and load balancers (middle tier servers) and can be configured to have redundancy in various degrees.
Figure 3.1.1: Simplified view of the computer network. The systems in the blue zone will be the target for the security assessment in this thesis.
A Microsoft Active Directory system for authentication and authorization is
also part of the complete system. The operating systems used are: Windows
Server 2012, Windows 10, and Red Hat Linux v7.
For this thesis, we suppose that an attacker has reached inside the network,
is connected somehow and could attack from there. Of course, this part of
the network is segmented from other parts, depending on their importance
for the whole system. Before accessing it, the attacker has had to go through
several layers of firewalls, finding flaws or exploits in them, but that is not in
the scope of this thesis.
The security of this network and these systems is a crucial element, and it is continuously reviewed and improved. It already has strong and advanced security measures, so we cannot expect to find common vulnerabilities or security issues at first glance. Also, the operating systems and services used are part of a testing environment and could not be updated to the latest versions, so specific vulnerability attacks might not be feasible in real life.
Previous research focused on the security between the control system and the actuators. It was decided that the focus of this thesis would be on the part concerning the clients and the control system.
3.1.1 Attacking Machine
In order to perform a better analysis and have a wider selection of tools available, a (virtualized) Kali Linux 2020 machine was directly connected to the network. This provides a huge toolset for pentesting and an environment in which experiments can be made without security constraints from the operating system.
3.2 Threat modelling
Previous security assessments on this system developed extensive threat
models following the STRIDE modelling technique [21]. These models have
been the basis on which this project started and was developed from. Because
of this, no threat modelling was done. An extract of the threat modelling
report can be read in section 4.1.
3.3 Exploitation
The exploitation phase was conducted from the Kali Linux machine, as
previously mentioned. The main focus of this phase was on network traffic,
SMB and RPC ports.
3.3.1 Tools
Some of the main tools used for finding and exploiting vulnerabilities are the following. They were chosen by a combination of their capabilities, how widely they are used in the ethical hacking world and their availability (for example, they are already installed in the OS used or can be easily downloaded).
Metasploit
Metasploit [22] is an open-source vulnerability validation and exploitation
tool. It is mainly developed by Rapid7 but any user can create and add
their own modules, written in Ruby. It provides many tools but its main
use is remote code execution and getting a connection to the exploited
machine.
Nmap
Nmap [23] is an open-source network scanner and security auditor. With this tool we can survey a network, discover live hosts and open ports and find out what software they are running. It works by sending different kinds of packets and analyzing the responses.
PowerShell Empire
PowerShell Empire [24] is a post-exploitation tool that implements the ability to run PowerShell agents without needing to execute powershell.exe. It also allows running tools such as Mimikatz and keyloggers.
Wireshark
Wireshark [25] is a packet sniffing tool and protocol analyzer. It is usually
used for network and communications analysis. It allows the user to see every
packet that the computer receives, with all the possible information that it can
extract from it.
SMB discovery
Several tools were used for discovering SMB shares, users within the
system and more information. Some of these tools were: smbclient
[26], enum4linux [27], CrackMapExec [28], and rpcclient [29], along with
Metasploit, previously mentioned. Most of these tools work similarly, by
sending specific SMB requests (authenticated or not) to the servers and
figuring out how much information they can get from the answer.
Own Programs
Some other programs were developed to complement the already available
tools. Some of these programs are:
1. MITM packet sniffer, replayer and modifier. Wireshark is a great
tool for sniffing traffic, but some specific conditions had to be tested, such
as becoming a Man-in-the-Middle machine (as explained in 2.3.2) and
replaying past traffic or modifying the traffic currently passing through. For
this, a specific script in Python was created.
2. Basic clients for the servers, to test specific commands and situations.
These were written by looking at the original source code and having
meetings with the corresponding engineers to get a better understanding of the
way the system works.
3. Blaster. Developed by past penetration testing researchers. A
complementary tool to Nmap which takes as input a list of TCP ports
and tries to read and write random data to each of them for 5 seconds. This is used to
discover processes which allow unauthorised data reading or writing.
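The following Python program is an added example, not the thesis's Blaster tool (whose source is not included here): it reproduces the behaviour described in item 3. For every TCP port in a list it connects, alternately writes random bytes and reads whatever comes back for a fixed time budget (5 seconds by default, as above), and classifies the port by what the service tolerated. The target host, the port list and the three throw-away loopback services in demo() are assumptions made for the example so that it runs offline.

```python
"""Blaster-style raw read/write prober (added example, not the original tool)."""
import os
import socket
import threading
import time


def probe_port(host, port, seconds=5.0, chunk=64):
    """Connect to host:port and, for `seconds`, alternate writing random bytes
    and reading replies. Returns a dict describing what the service tolerated."""
    result = {"port": port, "connected": False, "bytes_written": 0,
              "bytes_read": 0, "error": None}
    try:
        sock = socket.create_connection((host, port), timeout=1.0)
    except OSError as exc:
        result["error"] = type(exc).__name__  # ConnectionRefusedError, timeout, ...
        return result
    result["connected"] = True
    deadline = time.monotonic() + seconds
    with sock:
        sock.settimeout(0.2)
        while time.monotonic() < deadline:
            try:
                sock.sendall(os.urandom(chunk))
                result["bytes_written"] += chunk
            except OSError as exc:
                result["error"] = type(exc).__name__  # e.g. ConnectionResetError
                break
            try:
                data = sock.recv(4096)
            except socket.timeout:
                continue  # silent service: keep writing until the budget is spent
            except OSError as exc:
                result["error"] = type(exc).__name__
                break
            if not data:
                result["error"] = "closed_by_peer"
                break
            result["bytes_read"] += len(data)
    return result


def classify(result):
    """Summarise a probe: 'read+write' is the finding worth following up."""
    if not result["connected"]:
        return "closed"
    if result["bytes_read"] > 0:
        return "read+write"   # service answers unauthenticated garbage
    if result["bytes_written"] > 0 and result["error"] is None:
        return "write-only"   # swallows input silently; watch CPU/RAM on the target
    return "reset"


def blast(host, ports, seconds=5.0):
    """Run probe_port over an Nmap-derived port list; returns {port: classification}."""
    return {port: classify(probe_port(host, port, seconds)) for port in ports}


# --- constructed loopback services used only by demo() -------------------------
def _serve(handler):
    """Start a single-connection TCP listener on 127.0.0.1 and return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        try:
            with conn:
                handler(conn)
        except OSError:
            pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def _echo(conn):          # answers anything: will classify as read+write
    while True:
        data = conn.recv(4096)
        if not data:
            break
        conn.sendall(data)


def _sink(conn):          # reads and never replies: will classify as write-only
    while conn.recv(4096):
        pass


def demo(seconds=0.3):
    """Probe an echo service, a silent sink and a closed port on loopback."""
    echo_port, sink_port = _serve(_echo), _serve(_sink)
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                          # nothing listens here any more
    results = blast("127.0.0.1", [echo_port, sink_port, closed_port], seconds)
    return {"echo": results[echo_port], "sink": results[sink_port],
            "closed": results[closed_port]}


if __name__ == "__main__":
    print(demo())
```

Feed blast() the open-port list produced by an Nmap scan of the real target; a "read+write" verdict on a port that should require authentication is the result the thesis records as raw reading and writing.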
3.4 Post Exploitation
In general, the goal of penetration testing is to acquire root or administrator
privileges on the exploited system. This can be done, for example, by abusing
unprotected programs that run as higher privileged users. Another method
is to obtain and use credentials of other users on the same machine in order to move
laterally in the network, for example Kerberos tickets, if one can find a
way to get them.
In the case of this thesis, the goal is to affect the network or, failing that, to exfiltrate
information about it. Since most machines in the system are connected
in sequence, once inside one of them little lateral movement is
needed.
Even though two users on the same machine can have different privileges, they
share many things, for example the IP address. Also, a process can be started
by a user or by the machine itself, and another user without privileges can access its
information, if unprotected, and use it to spoof that process.
All of this was used to create scripts so that, from one of the server
machines, commands could be sent to other servers from an unprivileged
account.
3.5 Reporting
While this project was conducted, all vulnerabilities found were reported
to the company following responsible disclosure [30]. This means that a
vulnerability is first disclosed to the company to give it a grace period to
fix it before anything is published about it, as is the case with this report.
To protect the company and its systems, the results are anonymized in this
report. At the end of the project, a presentation was given to coworkers and
project managers about the vulnerabilities found in their systems.
Chapter 4
Exploitation
In this chapter, it is explained how the exploitation process was conducted
and how each attack led to the next ones.
4.1 Threat model
As mentioned in the previous chapter, threat modelling of the system was
already done by past security assessments using the STRIDE modelling
technique. The results can be seen in the next chapter with a picture of the
threat model and how servers communicate on Figure 5.1.1 and an extract of
the STRIDE enumeration of vulnerabilities on Table 5.1.1.
Most of the exploitation phase and attacks are based on or inspired by this
information, which helps to better understand the system and how it can be
attacked.
Many of the threats come from spoofing any of the servers, a MITM
attack or some sort of server crash or denial of service, so that is where most
effort was put in this security assessment.
4.2 Network attacks
Both superficial and deep port scans were conducted with Nmap to detect
possibly vulnerable ports. The control system is protected by reliable
and stateful firewalls, with rules generated automatically depending on the
system and its configuration. The ruleset was examined but no flaw was
found. Apart from this, some information could be extracted from the other
systems.
Using the Blaster tool mentioned in 3.3.1, some ports were found to accept
raw reading and writing and could be attack vectors, but other
information gathering methods should be carried out before preparing specific
attacks.
To get a better grasp of how the processes and services communicate, the
traffic from their normal behaviour as well as their startup and stopping was
analyzed with Wireshark.
All the traffic is encrypted (as a result of using Kerberos), so no specific
messages could be read, but the order in which processes started and the
number of messages sent could be observed. This helped to decide which
processes to attack or try to spoof. For example, the more messages a process
exchanges, the more important it probably is.
After this and talking with the engineers who developed the system, it was
decided that the following attacks and the thesis in general should focus on
the process in charge of sending commands, since it was the most capable of
causing damage.
A MITM script was created (as mentioned in 3.3.1) to intercept and replay
or modify the traffic between servers. This was possible because the attacking
machine is connected to the same network as the servers.
For this program to work, the arpspoof command first needed to be executed,
in order to convince each of the two target servers that the attacking machine is the
other one. Then the script used the pyshark library to capture packets, filtering
them by IP and MAC address. These packets were cached so they could be replayed
later, depending on the attack. The replaying was done with the scapy
library. The anonymized script has been uploaded to GitHub and can be
found in [31].
With this program, several kind of attacks were performed, both to try to
affect the network and to see how it reacted in different situations:
• Packet storage and replay:
– Forwarding only packets which had payload (i.e. no Keep-Alive
packets).
– Including the payload of one packet into another one.
– Adding payloads to Keep-Alive packets, including very big ones.
– Modifying TCP window size.
– Modifying random bits in packets.
– Actively delaying packets in a range of times (e.g. from 0.1s to 1s).
• DoS attacks:
– SYN Flood: Not sending the last ACK in TCP handshake, causing
the target server to wait for it and consume resources.
– Banana attack: Redirecting outgoingmessages froma client to that
same client, flooding it.
– LANDAttack: Sending a spoofed TCP SYN packet with the target’s
IP address as both source and destination to an open port in the
same target, causing it to reply to itself continuously.
– Smurf attack: Spoofing an ICMP Echo request broadcasted to all
members in the network.
– Ping of death: Sending several malformed ICMP packets with a
resulting payload bigger than 65535 bytes (the commonmaximum
limit).
– And many more similar.
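As an added example, separate from the anonymized script in [31], the following Python code implements the two primitives that such a tool rests on, using the standard library only: the forged ARP reply that arpspoof sends to poison a victim's cache, and the rewriting of the TCP window field in a captured IPv4/TCP packet (the "Modifying TCP window size" item above), including the checksum recomputation without which the receiver would silently drop the modified segment. The addresses, MACs and the sample packet are constructed values, not captures from the tested system.

```python
"""ARP-poison frame builder and TCP window rewriter (added example, not the thesis script)."""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2
IPPROTO_TCP = 6


def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def build_arp_reply(spoofed_ip, attacker_mac, victim_ip, victim_mac):
    """Ethernet frame carrying 'spoofed_ip is-at attacker_mac', unicast to the victim."""
    ethernet = mac_bytes(victim_mac) + mac_bytes(attacker_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)    # htype, ptype, hlen, plen, op
    arp += mac_bytes(attacker_mac) + socket.inet_aton(spoofed_ip)   # sender pair: the lie
    arp += mac_bytes(victim_mac) + socket.inet_aton(victim_ip)      # target pair: the victim
    return ethernet + arp


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(ip_header, tcp_len):
    # src addr, dst addr, zero, protocol, TCP length (RFC 793)
    return ip_header[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)


def tcp_checksum(ip_header, tcp_segment):
    """Checksum over pseudo-header plus segment, with the checksum field zeroed."""
    zeroed = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:]
    return (~_ones_complement_sum(_pseudo_header(ip_header, len(tcp_segment)) + zeroed)) & 0xFFFF


def _split(packet):
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    return packet[:ihl], packet[ihl:]


def tcp_window(packet):
    _, tcp = _split(packet)
    return struct.unpack("!H", tcp[14:16])[0]


def checksum_ok(packet):
    """True when the TCP checksum verifies (sum over pseudo-header + segment is 0xFFFF)."""
    ip_header, tcp = _split(packet)
    return _ones_complement_sum(_pseudo_header(ip_header, len(tcp)) + tcp) == 0xFFFF


def set_tcp_window(packet, window):
    """Copy of an IPv4/TCP packet with a new advertised window and a valid checksum."""
    ip_header, tcp = _split(packet)
    tcp = tcp[:14] + struct.pack("!H", window) + tcp[16:]
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(ip_header, tcp)) + tcp[18:]
    return ip_header + tcp


def sample_packet():
    """Constructed 10.0.0.1:40000 -> 10.0.0.2:445 segment (PSH/ACK, window 65535, 5-byte payload)."""
    src, dst = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
    payload = b"hello"
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                            64, IPPROTO_TCP, 0, src, dst)
    ip_header = (ip_header[:10]
                 + struct.pack("!H", (~_ones_complement_sum(ip_header)) & 0xFFFF)
                 + ip_header[12:])
    tcp = struct.pack("!HHIIBBHHH", 40000, 445, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(ip_header, tcp)) + tcp[18:]
    return ip_header + tcp


if __name__ == "__main__":
    original = sample_packet()
    throttled = set_tcp_window(original, 10)   # the window that produced the 40 s delays
    print(tcp_window(original), "->", tcp_window(throttled), "checksum ok:", checksum_ok(throttled))
    print(build_arp_reply("10.0.0.2", "02:00:00:00:00:cc", "10.0.0.1", "02:00:00:00:00:aa").hex())
```

In a live tool the frame from build_arp_reply() is sent on a raw socket to each of the two servers (one reply per victim, repeated every second or so, as arpspoof does), and set_tcp_window() is applied to each forwarded segment before it is written back to the wire; the IP header is untouched, so its checksum needs no update.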
The complete results are explained in Chapter 5, but the main takeaway was
that, since Kerberos provides both encryption and protection against packet
replay, this was a dead end. Because of this, the next step was to get
inside a machine and attack from there.
4.3 Active Directory attacks
In this part the focus is not to attack directly any of the control services but to
get access to any of the machines connected to the network and then perform
the attack from the inside. All of the access and authentication in the network
is controlled by a Windows Active Directory server and the authentication to
services works by using Kerberos.
Most of the Kerberos attacks, such as Pass the Ticket, Golden Ticket or Silver
Ticket, allow an attacker to act as another user and use services. The problem is that
they first require administrator access on the systems. Since the attacks are
performed from the outside and no access has been obtained yet, they won't work.
Brute forcing passwords on machines that use Kerberos is not really an option
because the KDC is usually configured to lock the account after a number of
failed attempts, after which it has to be manually unlocked.
Another attack could be looking for users that do not require Kerberos
pre-authentication and sending a request to the KDC on their behalf (AS-REP roasting).
This was unsuccessful because the network's security rules ensure that such
users don't exist. Similar attacks against SSSD on the Linux servers were
considered, but the limitations were the same.
A different way to access a computer is through the SMB protocol, which is
usually open on most Windows servers. The tools mentioned in 3.3.1 could
be used with or without authentication. Obviously, more information can be
obtained with authentication than without, and the more privileges
the user has, the more information can be retrieved. All of the results can
be seen in the next chapter.
More tools than those specified were used, such as NBTScan [32], SMBMap
[33] and Impacket [34], but the results were mostly the same or nothing useful
was found. Similarly, other attacks related to AD and SMB, such as
Kerberoasting, psexec and wmiexec, were carried out but no useful results
were obtained.
In relation to this, there are plenty of tools which allow similar attacks but
using a Windows machine instead of a Kali one as the attacker. These tools
were considered at first but disregarded because of their similarity with the
Linux ones and the unavailability of an outsider Windows machine. Finally,
other attacks try to exploit SMB to escalate privileges starting from inside one of
the domain machines. Such attacks were also disregarded because of the
need to get inside a machine first.
Apart from these kind of attacks, it is known that computers and servers in
industrial control networks need to be used and managed by different people
in different locations. The most common way to solve this is by using Remote
Desktop Protocol, which is an easy way to access a machine given its IP and
some user in the same domain. It can be accessed using Remote Desktop
Connection in Windows and FreeRDP [35] in Linux.
Other attacks related to this topic, such as LLMNR Poisoning or SMB Relay,
were not performed because they were already tested on previous security
assessments.
4.4 Attacks from inside of Windows
machines
Once access (by any means) to a machine is available, there are multiple ways
to attack the processes and other machines. The accounts in this network are
divided into a number of levels, depending on the privileges they have. The higher
the level, the more difficult it is to get access to that account.
The goal of this project is to affect the control system, but the only processes
that can do this are run by high level accounts. Because of this, there are three
options:
a) Get access to an Administrator account and use tools such as Mimikatz to
get the passwords of other users or forge Kerberos tickets to use services.
This is very unlikely to happen, as these accounts are extremely well
protected by various methods, such as constantly changing passwords, or
can't even be accessed manually because the administration of the system
is done externally.
b) Get access to an account that can run the processes. Also very unlikely
and, if this were the case, there is not much left to do as the attacker can
manipulate the system freely.
c) Get access to an account with no privileges. This is the only scenario in
which some investigation can be done, as this kind of account should
not be able to interact with the system.
Because of this, the focus was on scenario c). As the user doesn't have
permission to run the programs, the goal is to fool the other end into treating
the requests as coming from an authorized user. Test client programs were created with basic functions
to spoof the selected services. This was done through code reviews and
meetings with the engineers who wrote the programs, but without exceeding
the limit beyond which this would become code testing instead of actual penetration
testing.
These clients used the system services' APIs, which are not public and should
normally only be used by the system itself. The two most important services
(or the two that could cause the most damage if manipulated) were selected
to be tested. In theory, if an unauthorized user sends a request, the
destination server must discard it right away.
Through manual testing it was discovered which methods and parameters
could be exploited. Testing these methods could vary from just using them to
including malicious parameters, such as extensive strings or illegal settings.
Also, if the language used for the APIs is object-oriented, which in this case it
is, the objects' properties can also provide useful information.
These clients were programmed in C#, which needs to be compiled before
execution. Servers don't usually have the tools needed for compiling code,
so the compilation is done on the attacker machine. Because of this, the
compiled code along with the libraries it uses would have to be copied to the
attacked machine, which is usually a considerable amount of data: not so big
as to affect most machines' storage, but the file transfer could take some time
depending on the network.
The libraries used are already on the machine, as they belong to the whole
system and the servers use them. In addition, PowerShell can compile and load
C# source at run time without a separate build step, using the following command and,
afterwards, creating an object of the resulting type:
Add-Type -ReferencedAssemblies $assemblies -TypeDefinition $code -Language CSharp
where $assemblies is the list of paths of the libraries that the code uses and
$code is the source as a plain string, read in beforehand. The source can even be
base64-encoded to evade some naive detection.
Furthermore, the company provides an easy process by which its customers
can program their own tools and integrate them into the servers, for example
for specific repetitive tasks. This could be a threat, since injecting malicious
code into these programs, or even getting one's own programs to execute on the
server with this method, can lead to the same catastrophic failures as the previous
attacks.
This process was investigated with the idea of, for example, creating some
program which could be placed in some folder on the server
machine and would be executed by the main server regularly and without
user interaction. Another idea is that it could be included in the operator's
interface and they would execute it without knowing that it is malicious
software.
It was also checked if there were any traces of passwords or other information
in the files installed and used by the software and if they could be accessed
without proper authorization.
Finally, the tool PowerShell Empire was tried, as it provides an extensive array
of tools to execute within PowerShell and could allow moving vertically or
laterally within the network. This tool couldn't have been used previously
as it needs to be executed on a Windows machine and the only (theoretically)
accessible computer was the Kali machine.
While developing and executing all the exploitation tests mentioned in this
chapter, several vulnerabilities were found and the results will be reported in
the next chapter.
Chapter 5
Results
In this chapter, the results from the threat modelling and exploitation phases
are presented. As in the previous chapter, the exploitation results are divided
into Network Vulnerabilities, Active Directory Vulnerabilities and Windows
Vulnerabilities.
All of the results in this chapter and more information about them were
reported to the software engineers so they could be fixed as soon as
possible.
5.1 Threat Model
As explained before, the threat model for this system was already available
to continue with the other phases of penetration testing. A picture of the
threat model and how servers communicate can be seen in Figure 5.1.1 and an
extract of the STRIDE enumeration of vulnerabilities is in Table 5.1.1.
Category                 Threats
-----------------------  ----------------------------------------------------------
Spoofing                 Spoofing servers. Spoofing clients.
Tampering                Modifying packet traffic between servers.
Repudiation              Removing logs from servers.
Information Disclosure   Leakage of communication contents through a MITM attack.
                         Leakage of credentials or encryption keys.
Denial of Service        Crashing servers or services.
                         Inability to authenticate because AD is unavailable.
Elevation of Privilege   Sniffing and cracking hashes. Overprivileged users.

Table 5.1.1: Vulnerability enumeration of the system using STRIDE
Figure 5.1.1: Threat model of the system
5.2 Network Vulnerabilities
During the first rounds of research, one vulnerability discovered was that the
control server (or servers) could be forced into a blocking state by disrupting
the communication.
Due to how control systems work in general, there is one control server which
is in charge, and the others that may be in the network act as backup servers,
keeping in touch with the main one periodically. If the communication is lost,
one of the backup servers assumes control of the network.
If there is only one network interface in each machine, the communication can
be disrupted and several servers would each assume control of the network. When the
communication is restored, they would observe that there are other servers
controlling the systems and enter a blocking state, in order not to send
contradictory orders.
Another vulnerability discovered, and more critical than the previous one, is
that ARP spoofing can be performed between two machines for a MITM attack,
and the connection can be disrupted very easily, or packets can even be captured,
modified and resent.
With the MITM script created, the traffic could be slowed down by shrinking the
TCP window size to the point just before the connection was torn down, delaying common
tasks by more than 40 seconds; this was achieved with a window size of 10
bytes. Decreasing the TCP window below this size made the connection reset,
probably because of some TCP or software timer. If the traffic was delayed
manually (capturing the packets and waiting some time before forwarding them),
the largest delay achieved was about 1.5 seconds.
DoS attacks were attempted but no disruption or crash was achieved, and
repeating packets or modifying their content caused the connection to reset.
There is also some intrinsic protection in the protocols used against this kind
of attack: for example, TCP and Kerberos provide sequence numbers against
replaying, and the latter provides encryption against reading and modifying
packets.
Some machines' ports were unprotected and open, and it was possible to scan
them for protocol information and more. This could lead to further specific
attacks, depending on the data available. Also, it was possible to write
and read raw data on some ports, which could lead to, for example, excessive CPU and
RAM consumption or data corruption.
5.3 Active Directory Vulnerabilities
The most critical vulnerability at this stage of the research was that critical servers
could be accessed with low level (no special permissions) domain users.
The worst outcome of this is that attackers could access servers
through Remote Desktop with some valid credentials, without needing to
be in the same domain. The next section focuses on attacks after accessing
machines using this method.
Apart from using Remote Desktop, SMB could also be used to get information
from servers in one way or another. Using the software enum4linux
[27] and authenticating as a low privileged user, a substantial amount of
information could be acquired, such as domain names, OS information, share
enumeration and attempts to map them, users and their SIDs (the number which
identifies each user) and group names.
The most common attack is to find an open share and upload through it some file
that allows the infiltration to continue, for example by initiating a
remote connection. In this case, all the shares were closed to low level domain
users.
With certain Metasploit modules, information such as IPC pipe names, a
complete list of users and all of the information above could also be found.
Using rpcclient the IPC pipes of the system could be accessed, but with a
low level user authentication no substantially useful information could be
extracted. Continuing the investigation with this tool (there are lots of available
commands for each of the pipes) was out of the scope of the
thesis.
Finally, it was found that user accounts could be locked after several failed login
attempts due to restrictive Kerberos policies, needing manual unlocking. This
does not provide access to the machines but is a great disturbance if done
to critical users whose settings are misconfigured.
5.4 Vulnerabilities inside of Windows
machine
After creating the client for the servers, it was found that an unauthorized
user was able to access services through their interfaces. Some of the commands
sent were accepted and some were rejected. In theory, all the commands
should have been rejected, and it is unclear at which stage they were rejected,
whether right on arrival or after a processing chain. If it were the latter,
this processing chain could also be exploited.
With these commands, information such as servers' statuses, names and
information about the control system could be requested. Also, some of the
objects from the interfaces held important or useful information in a similar
way.
The most critical result found in this section is that a server could be crashed
(paralyzing the whole network) by sending a request with a 1000 character
string as a parameter. Also, fake messages could be inserted into the users'
interface by similar methods. These messages would appear as critical alarms
in the software used by the users that control the systems; their content could
be any text message and they could be sent as many times as wanted. This could disturb
or annoy their tasks. Other specific information about this vulnerability is
withheld to avoid confidentiality concerns.
The same attacks to the servers’ interfaces explained before can be performed
by running the client code in Powershell and using the libraries already
installed in the system, instead of compiling the C# code in another machine
and transferring the files. The exact same vulnerabilities and results are
obtained.
Looking at the process described in section 4.4 in which companies could
write their own modules for the servers, it was concluded that there are
security measures strong enough (such as authentication measures, the code
being interpreted on the fly and not being stored in the server machine). The
only way of attacking this would be to create similar clients as before that
used this process’s API. Because of the scope range and similarity to previous
attacks, this was discontinued and left for future investigations. Some other
information is not mentioned to maintain confidentiality.
The servers had an implementation of CORBA so that other servers or clients
could request ports for specific services, and it was discovered that it could
be accessed by any user if the address and port of this CORBA service
were known. It was also noticed that this information could be found in
unprotected files on some systems. This could be used, for example, to
intercept the communication of only one service, knowing its ports, or to attack
one specific port.
While scanning the machines' files, no passwords were found in, for example,
configuration scripts. Additionally, all of the files had the correct permissions
and could not be accessed with the low-level account used.
The use of PowerShell Empire was ineffective because of two issues. On one
hand, this tool is more of a post-exploitation tool which creates files (stagers) that have
to reach the inside of the desired machine somehow and then be executed, creating a
reverse connection to the attacker machine. It doesn't provide tools
to help this file transfer happen, as far as has been researched.
The second issue, and the most important, is that, even if these stagers could
reach the inside of the servers, the machines had a strong antivirus installed
which thwarted every attempt to create a connection or execute any malicious
file.
5.5 Traceability Matrix
A traceability matrix has been created as a significant amount of attacks have
been performed and it is useful to summarize the results.
Group                       Test                                        Result
--------------------------  ------------------------------------------  -------------------------------------------------------
Network attacks             Nmap port scanning                          Success: open ports for getting information
                            Blaster port scanning                       Success: open ports for raw reading and writing
                            Firewall inspection                         Failed: no flaws
                            Wireshark traffic inspection                Success: can see which ports are used more.
                                                                        Failed: cannot read information from packets
                            ARP spoofing                                Success
                            Communication disruption                    Success
                            DoS attacks                                 Failed to crash; success in resetting connections
                            Packet replaying and forging                Failed
                            Traffic delaying (TCP window)               Success: up to 40 s per task
                            Forcing server blocking state               Success: if only one interface
Active Directory attacks    Remote Desktop access                       Success: if in possession of some credentials
                            SMB scan with enum4linux, smbclient,        Success: if in possession of some credentials;
                            rpcclient, etc.                             can even get user names and OS information
                            Kerberos attacks: Pass the Ticket,          Failed: need previous administrator access
                            Golden Ticket, etc.
                            Brute forcing passwords                     Success: if the goal is to lock the account
                            Accounts without Kerberos                   Failed
                            pre-authentication
                            Kerberoasting                               Failed
                            psexec, wmiexec, etc.                       Failed
Attacks from inside of      API clients: getting information            Success
Windows machines (no        API clients: sending commands               Failed, but some get interpreted
authorization for using     API clients: sending messages to users'     Success
the systems)                interfaces
                            API clients: crashing control server        Success
                            Executing C# code in PowerShell             Success
                            Tool for writing own programs               Not continued because of similarity
                            Password lookup                             Failed
                            Unauthorized file access                    Failed
                            PowerShell Empire                           Failed
                            Use of CORBA interface                      Success: also its information was stored in plain text

Table 5.5.1: Traceability matrix for the attacks performed
Chapter 6
Discussion
This chapter presents a discussion of the results, their mitigation, ethical
considerations about the penetration testing process, a review of the
methodology and ideas on future work.
6.1 Results
Several flaws were found in the system, some of them critical, so
the hypothesis was proven true. Proofs of concepts were created for
most vulnerabilities so they could be tested and fixed. These results
will help increase the security of the system by fixing them and also
taking into consideration, in the future, practices that weren’t thought of
previously.
With the network attacks, it has been proven that communication between
servers can be easily intercepted and disrupted. Numerous tools exist for this
purpose and one can even create them easily. This is one of the first lines of
defense, which means that it will receive most of the attacks andmust endure
them.
Regarding SMB and Active Directory attacks, not many have been successful
in this project, but some of them have reported a significant amount
of information which can lead to more specific attacks or give clues about
confidential information, such as user names.
Also, it has been seen that the strength of a system resides in its weakest point, in
this case the remote desktop access. If some credentials are obtained
through any method, for example social engineering, almost no other security
measure could stop the access to the servers.
Finally, reaching the inside of a machine is not the end of the penetration test,
since there are many different ways to get access and each gives more or less
power over other elements. Starting with the least power possible inside
the system, it is possible to affect other systems in critical ways and use
processes without being authorized. One example of this is APIs
which have not been properly secured.
It has also been shown that uncompiled code can be executed inside the
machine using the system's own libraries and PowerShell, which could be
limited by applying stricter security measures such as disabling PowerShell
entirely or restricting it (PowerShell's Constrained Language Mode blocks
Add-Type, for example).
It should be noted that some of the results of this project are consciously
implemented in the system but are considered vulnerabilities regardless,
because they can be exploited to affect the control system.
All of the testing has been done in a virtual scenario and, if it had been done
on real-life systems, attackers would have had to go through several security layers,
such as firewalls. Because of this, even though the results can be seen as
critical, they are always relative to the situation from which the testing was
started.
Apart from that, it has been verified that the system is not vulnerable to
most of the popular penetration testing tools and is well protected from common
attacks.
As a final note, due to the size and complexity of the system, a considerable
amount of time was spent throughout the thesis trying to understand it and
figuring out how to attack it. Even with all the help needed from its
engineers, having more experience with this kind of system would probably
have surfaced other vulnerabilities. But, in any case, the scope of the thesis is to
attack this control system as an outsider with no specific knowledge of the
system, so it is thought that the vulnerabilities discovered are representative
of a hypothetical real attack.
6.2 Attacks Mitigation
Network attacks are the most common type of attack performed once inside a
network because, at first, they don't require any other step, such as infiltrating
another machine. In the case of the system tested, there are already some
measures to mitigate these attacks; for example, Kerberos is used so messages
can't be read, because of the encryption, and can't be replayed, because of the
sequence numbers.
Control servers can have more than one interface so their communication
cannot be easily interrupted. These interfaces would have to be in separate
networks, so an attacker would have to access every network at the same
time to disrupt communications, and it’s uncommon for a machine to have
access to every network. One idea could be to use one network (or as many
as needed) only for control servers and another one for communication with
the rest of the servers.
Other measures that could be taken for this scenario are implementing tests
or checks in the servers software. For example, checking if the delay suddenly
increases or other uncommon events and using another interface in order to
avoid MITM attacks.
ARP spoofing can be mitigated by using static ARP tables (since the network is
unlikely to change continuously), by filtering out packets with conflicting source
address information (for example with Dynamic ARP Inspection on managed switches),
or by using ARP spoofing detection software that blocks
packets that appear to be spoofed, based on their headers.
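The detection software mentioned above can be quite small. The following Python program is an added example, not something the thesis or the company used: it keeps a table of which MAC address has answered for each IP, treats pinned (static) entries as authoritative, and raises an alert on any reply that contradicts an earlier binding, which is exactly the conflict an arpspoof-style MITM creates. It consumes a list of constructed ARP events instead of a live capture, so it runs offline; the IPs and MACs are sample values.

```python
"""Minimal ARP-spoofing detector (added example, not from the thesis)."""
from dataclasses import dataclass, field


@dataclass
class ArpEvent:
    ip: str
    mac: str
    is_reply: bool = True  # requests are ignored: only replies update a cache


@dataclass
class ArpSpoofDetector:
    pinned: dict = field(default_factory=dict)   # static table ip -> mac, trusted
    learned: dict = field(default_factory=dict)  # ip -> mac as observed on the wire
    claims: dict = field(default_factory=dict)   # mac -> set of ips it has answered for

    def observe(self, event):
        """Process one ARP event; return a list of alert strings (empty if benign)."""
        alerts = []
        if not event.is_reply:
            return alerts
        mac = event.mac.lower()
        pinned = self.pinned.get(event.ip)
        if pinned is not None and pinned.lower() != mac:
            # Contradicts the static table: report it and do not learn from it.
            alerts.append(f"SPOOF {event.ip}: pinned to {pinned}, reply from {mac}")
            return alerts
        previous = self.learned.get(event.ip)
        if previous is not None and previous != mac:
            # A MAC that already answers for another host and now takes over a
            # second IP is the two-sided poisoning that arpspoof performs.
            others = self.claims.get(mac, set()) - {event.ip}
            kind = "MITM" if others else "CHANGE"
            alerts.append(f"{kind} {event.ip}: {previous} -> {mac}")
        self.learned[event.ip] = mac
        self.claims.setdefault(mac, set()).add(event.ip)
        return alerts

    def scan(self, events):
        return [alert for event in events for alert in self.observe(event)]


def sample_events():
    """Constructed trace: two servers answer normally, then a third host claims both."""
    return [
        ArpEvent("10.0.0.1", "02:00:00:00:00:aa"),
        ArpEvent("10.0.0.2", "02:00:00:00:00:bb"),
        ArpEvent("10.0.0.1", "02:00:00:00:00:aa"),   # benign refresh, same binding
        ArpEvent("10.0.0.1", "02:00:00:00:00:cc"),   # attacker poisons server 2's view of server 1
        ArpEvent("10.0.0.2", "02:00:00:00:00:cc"),   # ... and server 1's view of server 2
    ]


if __name__ == "__main__":
    for line in ArpSpoofDetector().scan(sample_events()):
        print(line)
```

Wired to a live capture filtered on ARP, observe() would be called per reply; a CHANGE alert on its own can be a legitimate hardware swap, but a MITM alert (one MAC taking over two hosts that were bound to different MACs) or a SPOOF against a pinned entry is the pattern worth blocking or paging on.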
With respect to the use of user credentials to attack and access servers, there
are, at first sight, two possible ways to prevent this. First, non-essential
users should not exist in the domain, and there should be as few essential
users as possible. And second, computers and servers should only allow the least possible
number of users at the same time, the best situation being just one.
Also, the Active Directory configuration must be checked regularly or, at
least, whenever a new user or group is added to the domain. This is because the
more users and groups there are, the more likely it is to make a mistake
configuring them or to forget to remove permissions.
Finally, looking at the clients created for attacking the servers, more checks in
the servers’ software, regarding authentication and who uses the API, should
be implemented. Also it should be considered if all the information that is
being transferred is necessary.
Practices like keeping libraries and external software updated and building
a company culture in which the security is one of the main focuses when
developing new software will help reducing the amount of vulnerabilities
present in future systems.
6.3 Methodology
Themain focus of the methodology used in this project is not to find or create
the most powerful or efficient exploit but to understand how this kind of
systems work and what are their main weaknesses.
For this, the steps of the Penetration Testing Execution Standard [9] were
followed, as explained in section 2.2: first gathering as much information as
possible about the system; creating or, in this case, using an existing threat
model; discovering vulnerabilities and developing exploits for them; and,
finally, collecting data and reporting the results.
As these steps are broad, they can be used in most penetration tests, but that is
also a weakness of the method, because more robust exploits could have been
developed by following a methodology focused, for example, on Active Directory
hacking.
Regarding sources of error, a potential one could have been having the
opportunity to ask about and get to know the system as much as needed,
instead of having no communication. This can be a source of error because,
inadvertently, it might lead to the specific attacks that the person giving the
information prefers, instead of discovering vulnerabilities in general.
Another potential source of error is the use of a virtual system for
penetration testing instead of a real one. Even though the virtual scenario is
as similar as possible to the real one, vulnerabilities might exist in one of them
that the other one does not have. Looking into the vulnerabilities discovered in
this assessment, it is believed that they can exist in both environments.
6.4 Sustainability and Ethical Considerations
Breaking into systems by discovering flaws can lead to great damage, both
economic and personal, if done maliciously or carelessly. Because of this,
there is always an ethical part in ethical hacking, and it should be as important
as the hacking part.
In this thesis, both parties agreed beforehand on the goals of the research
and on how to deal with the results, for example by signing a Non-Disclosure
Agreement and preventing the vulnerabilities from becoming public. In order to
avoid as much potential damage as possible, the results and the objective have
been anonymized and some of them have been skipped.
Depending on the system, the vulnerabilities found and the country where it is
done, it is sometimes illegal to perform these penetration tests, so they must
be thought through meticulously before they are attempted.
It is of great importance to communicate the vulnerabilities to the attacked
client in the least possible time after discovery. Failing to do this and
maybe causing some damage would carry an ethical baggage that is not easy
to dismiss.
Sometimes, releasing vulnerability results publicly puts more pressure
on the vendor to fix them as soon as possible whereas, in other cases, they
would not have been fixed. Doing this carries a great risk depending on the
target and should be carefully thought through, but it is not the topic of
discussion for this thesis.
Looking at the sustainability of ethical hacking, it is a concept that builds on
ideas such as justice, equity and how we want society to be for us humans
[36]. It is not only about technical fixes but also about how and why we work,
how innovation is achieved and how to deal with knowledge.
The hacking methods aim to challenge the status quo of the existing business
models, providing an alternative work ethic, with a hands-on approach and
openness of information at their core. This leads to collaboration in society
to solve problems and create new knowledge.
The same approach could also be taken for tackling the climate crisis, for
example with open data about emissions and transparency on the impact of
products and industries. Bringing technology to the people is related to the
hands-on approach and helps to close the digital divide, which leads to equity
and justice.
6.5 Future Work
As this system is in continuous development, its security will need to be
tested from time to time, as well as always checking that the mistakes found
in this assessment are not made again. Other penetration tests could focus
on other parts of the system, on other services, or on testing the
vulnerabilities in real-world scenarios as well.
For example, these tests could assess the external security of the system,
other services or machines that also exist in the network, spoofing servers
in functionality and not just relaying communication, or even ideas like DNS
or DLL hijacking.
There are companies that specialize in penetration testing and, obviously,
with more resources, time and money, more vulnerabilities could be
discovered than in this thesis. It is believed that, for the scope
and time of this thesis, the results are satisfactory.
Finally, it has been taken into account that all software used is up to
date and that clients and users are responsible with their passwords and
with managing the network. In any case, creating a good-practices manual for
end users could be useful for minimizing mistakes when setting up or using the
systems.
Chapter 7
Conclusions
Even though a system can seem well secured, there are always vulnerabilities
in it, and that should be the main mentality when using, managing and
developing for it. The vulnerabilities tested in this assessment are only a
fraction of all the vulnerabilities that could exist. For example, hardware
vulnerabilities and social engineering could be two interesting paths to
research but were not feasible within the scope of this thesis.
The vulnerabilities discovered, for example the Man In The Middle to
disrupt connections or the client to crash servers through their interfaces,
demonstrate that every single mistake counts and can easily affect the entire
system. Attackers with, a priori, little to no power over a network can make
use of simple tools and cause huge losses to a company.
Similar exercises in the future will be useful to keep improving the security of
the system. It is also recommended to keep up with news and trends related
to security, as well as building a company culture that takes security among
its main priorities, especially when dealing with critical systems.
Bibliography
[1] Hodge, Rae. Zoom Security Issues: Timeline. URL: https://www.cnet.com/news/zoom-security-issues-zoom-buys-security-company-aims-for-end-to-end-encryption/ (visited on 05/17/2020).
[2] Winder, Davey. Cyber Attacks Against Hospitals. URL: https://www.forbes.com/sites/daveywinder/2020/04/08/cyber-attacks-against-hospitals-fighting-covid-19-confirmed-interpol-issues-purple-alert/ (visited on 05/17/2020).
[3] Common Vulnerabilities and Exposures (CVE). URL: https://cve.mitre.org/ (visited on 02/18/2020).
[4] Schatz, Daniel, Bashroush, Rabig, and Wall, Julie. “Towards a More Representative Definition of Cyber Security”. In: JDFSL 12.2 (2017). URL: https://commons.erau.edu/jdfsl/vol12/iss2/8/.
[5] Lord, Nate (DigitalGuardian). What is Cyber Security? URL: https://digitalguardian.com/blog/what-cyber-security (visited on 04/02/2020).
[6] Walkowski, Debbie. What Is The CIA Triad? 2019. URL: https://www.f5.com/labs/articles/education/what-is-the-cia-triad (visited on 02/21/2020).
[7] NIST. URL: https://csrc.nist.gov/ (visited on 02/23/2020).
[8] DOI, US. Penetration testing. URL: https://www.doi.gov/ocio/customers/penetration-testing (visited on 07/05/2020).
[9] PTES. The penetration testing execution standard. URL: http://www.pentest-standard.org/ (visited on 02/18/2020).
[10] Wikipedia. OSI Model. URL: https://en.wikipedia.org/wiki/OSI_model (visited on 02/17/2020).
[11] Information Sciences Institute. Transmission Control Protocol. RFC 793. RFC Editor, Sept. 1981, pp. 1–89. URL: https://tools.ietf.org/html/rfc793.
[12] Plummer, David C. An Ethernet Address Resolution Protocol. RFC 826. RFC Editor, Nov. 1982, pp. 1–8. URL: https://tools.ietf.org/html/rfc826.
[13] Wikipedia. Man-in-the-middle attack. URL: https://en.wikipedia.org/wiki/Man-in-the-middle_attack (visited on 02/20/2020).
[14] Sun Microsystems, Inc. RPC: Remote Procedure Call. RFC 1057. RFC Editor, June 1988, pp. 1–25. URL: https://tools.ietf.org/html/rfc1057.
[15] Microsoft. Windows Authentication. URL: https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-overview (visited on 04/15/2020).
[16] Microsoft. Active Directory. URL: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview (visited on 03/04/2020).
[17] RedHat. System Security Services Daemon. URL: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-introduction (visited on 04/26/2020).
[18] MIT. Kerberos. URL: https://web.mit.edu/kerberos/ (visited on 02/15/2020).
[19] Microsoft. Microsoft SMB Protocol and CIFS Protocol Overview. URL: https://docs.microsoft.com/es-es/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview?redirectedfrom=MSDN (visited on 07/05/2020).
[20] Team, Samba. Samba. URL: https://www.samba.org/ (visited on 05/05/2020).
[21] Kohnfelder, Loren and Garg, Praerit. The threats to our products. URL: https://adam.shostack.org/microsoft/The-Threats-To-Our-Products.docx (visited on 03/19/2020).
[22] Rapid7. Metasploit. URL: https://www.metasploit.com/ (visited on 03/19/2020).
[23] Lyon, Gordon. Nmap. URL: https://nmap.org/ (visited on 03/21/2020).
[24] Will, Justin Warner and Nelson, Matt. Powershell Empire. URL: https://www.powershellempire.com/ (visited on 03/21/2020).
[25] Combs, Gerald. Wireshark. URL: https://www.wireshark.org/ (visited on 03/21/2020).
[26] Team, Samba. SMBclient. URL: https://www.samba.org/samba/docs/current/man-html/smbclient.1.html (visited on 04/26/2020).
[27] Lowe, Mark. Enum4Linux. URL: https://tools.kali.org/information-gathering/enum4linux (visited on 04/26/2020).
[28] byt3bl33d3r. CrackMapExec. URL: https://github.com/byt3bl33d3r/CrackMapExec (visited on 04/26/2020).
[29] Team, Samba. RPCclient. URL: https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html (visited on 04/26/2020).
[30] Wikipedia. Responsible disclosure. URL: https://en.wikipedia.org/wiki/Responsible_disclosure (visited on 03/25/2020).
[31] Conde Ortiz, Daniel. Man In The Middle Script. URL: https://github.com/DanielCondeOrtiz/PenetrationTesting/blob/master/mitm.py (visited on 05/17/2020).
[32] Friedl, Steve. NBTscan. URL: http://www.unixwiz.net/tools/nbtscan.html (visited on 04/26/2020).
[33] Evans, Shawn. SMBMap. URL: https://github.com/ShawnDEvans/smbmap (visited on 04/26/2020).
[34] Secureauth. impacket. URL: https://github.com/SecureAuthCorp/impacket (visited on 04/27/2020).
[35] Moreau, Marc-André. FreeRDP. URL: https://www.freerdp.com/ (visited on 04/02/2020).
[36] Zapico Lamela, Jorge Luis. “Hacker Ethic, Openness, and Sustainability”. In: (2013). URL: http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-635998.
www.kth.se
TRITA-EECS-EX-2020:662