Field Device Fingerprinting

From SCADApedia


Fingerprinting is a standard cyber reconnaissance technique used to identify the OS running on a target system. In control system security, field device fingerprinting is used to identify the specific make and model of a field device.


Standard IT Fingerprinting

In the IT realm there are two primary techniques employed for fingerprinting: active and passive identification.

Active identification sends packets to a targeted system and looks for artifacts in the handling of TCP/IP and/or SNMP and ICMP packets. An active fingerprinting tool (such as Nmap) may also perform banner grabbing against specific services on known ports with known behaviors.

Passive fingerprinting watches the packets visible to the scanner for TCP/IP and ICMP stack artifacts from which the OS may be identified. A common passive fingerprinting tool is p0f. Passive scanners are limited to the traffic they can see, so they function best on a SPAN (mirror) port.

The majority of the active and passive scanning tools currently available do not have control-specific signatures. They may be able to identify the OS or micro-OS running on a control system, but they will not be able to identify the specific make and model of a field device.

Control System Field Device Fingerprinting

As the standard tools (Nmap, p0f) do not provide signatures for correctly identifying field devices such as PLCs and RTUs, additional techniques can be employed in a control system environment.

Active Scanning

There are a few identifiable elements on most field devices:

  • Known set of open ports. Most field devices operate on a limited set of proprietary ports. If a port scan identifies a device as having ports "x", "y", and "z" open, then there is a good probability that the device is "abc".
  • Known behavior of services. The device identification can be confirmed by a banner grab, comparing the response on a port of the device against the known response.
  • Ethernet header manufacturer tags. It is also possible to look for manufacturer-specific tags in the Ethernet headers of response packets from the field device.
  • Known MAC address space. As each manufacturer of Ethernet-enabled devices is assigned a specific address space, if the scanner is running on the local segment, further corroboration of the identity of the device can be acquired by looking at the MAC address of the device and comparing it to lists of known manufacturer address spaces.

Combining and correlating these four items can produce a high-confidence fingerprint.

Passive Scanning

Baseline signatures for a device can be developed for p0f (or another similar passive fingerprinting tool) by deploying p0f on the control system network segment and letting it run for a period of time. p0f will notice the device and create an entry for it as an "unknown." The signature data provided by p0f for the "unknown" devices can be correlated against the known make and model of the device residing at the known IP address, and from this correlation a signature specific to the device can be created.

Passive scanning can also be combined with inspection of the Ethernet headers of packets from the devices for manufacturer-specific tags, as is also done in active scanning.

Example

Running an Nmap scan on an unknown network segment revealed a device of interest at 192.168.10.120 with ports 80 and 111 open. Nmap (incorrectly) identifies the system as:

  Device type: WAP|storage-misc|VoIP phone|media device|remote management|printer
  Running: Compex embedded, Hitachi embedded, Inter-tel embedded, Netgear embedded, Sony embedded, Sun embedded, Xerox embedded
  OS details: Compex WPE54G WAP, Hitachi WMS 100 SAN controller, Inter-tel 8662 VoIP phone, Netgear SC101 Storage Central NAS device, Sony LocationFree media server, or Xerox Phaser 6120/N printer

More detailed scanning for known control system ports reveals that ports 502, 2222, and 5891 are closed but that port 44818 is open. Port 44818 is known to be associated with Rockwell/Allen-Bradley PLCs. Wireshark analysis of telnet traffic directed at port 44818 also shows this traffic as rockwell-encap in the Wireshark info field.

Resolving the MAC address 00:00:bc:3e:eb:e4 against a web-based MAC lookup page reveals that the 0000BC prefix resolves to Rockwell Automation (was: Allen-Bradley Co. Inc). MAC resolution is only available if the fingerprinting is being performed on the local segment.

The available ports and the MAC address are both indicative of a Rockwell/Allen-Bradley device.

Banner grabbing the web server at port 80 shows that the server is a GoAhead web server. The <head> of the web page contains a <title> value stating "Rockwell Automation."

At this point it is still difficult to identify the specific model of Rockwell/Allen-Bradley device, as known lists of Rockwell PLCs show multiple possibilities for PLCs with services on port 80 and port 44818. The device is only positively identified by pointing a web browser at the web server on port 80, at which point the web page reveals that this is a Rockwell/Allen-Bradley 1756-ENBT/A. The web server also divulges the revision number, firmware build and serial number of the device.
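The four active indicators listed under Active Scanning, and the way the worked example above corroborates them, can be expressed as a simple scoring step over already-collected scan results. The following is an added example, not code from the SCADApedia page; the signature table, weights and threshold are constructed and illustrative, encoding only what the article states (port 44818 and the 00:00:BC OUI point to Rockwell/Allen-Bradley), and the observation is a constructed copy of the example device. As on the page, this yields a vendor-level identification only; the model still comes from the device's own web page.

```python
# Added example: correlate port, banner and MAC-OUI evidence into a
# vendor-level fingerprint for an asset inventory. Signature table and
# weights are constructed for illustration, not a maintained database.
from dataclasses import dataclass, field

@dataclass
class Observation:
    ip: str
    open_ports: set                               # from a control-port scan
    banners: dict = field(default_factory=dict)   # port -> banner/page text
    mac: str = ""                                 # empty unless on local segment

# Constructed signature table. TCP 502 is the registered Modbus/TCP port.
SIGNATURES = {
    "Rockwell/Allen-Bradley": {
        "ports": {44818: 0.4},
        "banner_tokens": {80: ("Rockwell Automation", 0.3)},
        "oui": {"00:00:BC": 0.3},
    },
    "Generic Modbus device": {"ports": {502: 0.4}, "banner_tokens": {}, "oui": {}},
}

def oui(mac):
    """Return the manufacturer (OUI) prefix of a MAC address, upper-cased."""
    return ":".join(mac.upper().split(":")[:3])

def score(obs):
    """Score every vendor signature against one observation (0.0 .. 1.0)."""
    result = {}
    for vendor, sig in SIGNATURES.items():
        s = sum(w for p, w in sig["ports"].items() if p in obs.open_ports)
        for port, (token, w) in sig["banner_tokens"].items():
            if token.lower() in obs.banners.get(port, "").lower():
                s += w
        if obs.mac and oui(obs.mac) in sig["oui"]:
            s += sig["oui"][oui(obs.mac)]     # only corroborates on the local segment
        result[vendor] = round(s, 2)
    return result

def best_match(obs, threshold=0.6):
    """Return (vendor, score) for the top signature, or None below threshold."""
    vendor, s = max(score(obs).items(), key=lambda kv: kv[1])
    return (vendor, s) if s >= threshold else None

# Constructed observation mirroring the article's worked example.
EXAMPLE = Observation(
    ip="192.168.10.120",
    open_ports={80, 111, 44818},
    banners={80: "Server: GoAhead-Webs\r\n<title>Rockwell Automation</title>"},
    mac="00:00:bc:3e:eb:e4",
)

if __name__ == "__main__":
    print(score(EXAMPLE), best_match(EXAMPLE))
```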

External Links

  • Nmap
  • p0f
  • MAC resolution tool
  • Wireshark
