ftrole / ICSpot

A high-interaction virtual honeypot for ICS that provides physical process simulation
GNU General Public License v3.0
Topics: cps, cybersecurity, honeypot, ics

ICSpot

A high-interaction ICS honeypot that simulates a Siemens PLC and provides physical process simulation.

With ICSpot, an attacker can interact with the operations that control the water level inside a tank, and the simulated process reacts to those interactions.

[Figure: ICS architecture schema]

The figure above shows the general architecture of our honeypot and how its components (honeyd, the s7comm server, the Siemens web emulator and the water-tower process simulation) interact with each other.

Installation

Installation involves several manual steps (path fixes, a patched library and three long-running processes), so follow the list below carefully.

Requirements

Installation process

  1. Clone this repository: git clone https://github.com/ftrole/ICSpot.git

  2. To install ICSpot and all its dependencies, run sh install.sh

  3. Fix the paths in:

    honeyd.conf, so that they match the absolute path of the ICSpot/scripts folder on your file system (lines 23-27);

    honeyd-http-siemens.py, so that it matches the absolute path of the ICSpot/scripts/web-siemens folder on your file system (line 14).

  4. Pick an IP address that ICSpot will use and replace the IP field in honeyd.conf with your chosen address. The address must be on the same subnet as the listening interface and must not be in use by any other host (honeyd and farpd will answer for it, so an address collision would disrupt the legitimate host).

  5. To start the simulation of the physical process and the HMI, run:

    make watertower

    For more details, see the waterTower folder.

  6. Copy the modified Snap7 library libsnap7.so to /usr/lib/libsnap7.so:

    sudo cp snap7/build/bin/x86_64-linux/libsnap7.so /usr/lib/

    N.B.: By default, libsnap7.so emulates the Siemens Simatic 300 PLC profile, which, according to the HoneyPLC paper, has a lower Honeyscore (Shodan's honeypot-likelihood score) than the other profiles, so it is less likely to be flagged as a honeypot by Internet-wide scanners. To emulate a different PLC model, rename the library of the target model found in ./snap7/build/bin/x86_64-linux/ to libsnap7.so and copy it over /usr/lib/libsnap7.so.

  7. Compile and execute the s7comm server (snap7/examples/cpp/server.cpp):

    Compile: make ./snap7/examples/cpp/server.cpp

    Execute: sudo ./snap7/examples/cpp/x86_64-linux/server 127.0.0.1

    N.B.: you may need to fix the path of the sqlite3 database file inside server.cpp (line 79).

  8. From inside the repository, run:

    sudo honeyd -d -p nmap-os-db -i INTERFACE -l honeyd.log -f honeyd.conf IP --disable-webserver

    where IP is the address you configured in honeyd.conf and INTERFACE is the interface on whose subnet that address lives. Note that -d keeps honeyd in the foreground, so run it in its own terminal or in the background.

  9. The host machine must receive the traffic addressed to the honeypot so that honeyd can reply to it. Since the honeypot address is not configured on any interface, the host has to answer ARP requests for it. farpd does exactly this: it replies to ARP requests for the given address with the host's MAC address, so frames for the honeypot are delivered to the host:

    sudo farpd -d -i INTERFACE IP

  10. ICSpot is now up and running!
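The whole procedure, from fixing the paths to starting the three processes, lends itself to a small wrapper. The script below is an added example and is not part of the ICSpot repository: it performs steps 3, 4, 6, 7, 8 and 9 above and adds the two checks step 4 asks for (the chosen address is on the interface's subnet and nobody already answers for it). Its assumptions, none of which the README states, are that the paths to rewrite in honeyd.conf and honeyd-http-siemens.py contain the substring "ICSpot/scripts", that the honeypot address sits on a honeyd "bind IP template" line, that iputils arping is installed, and that the repository path contains neither "#" nor "&" (both are special in the sed expressions used).

```shell
#!/bin/sh
# icspot-up.sh: added helper that automates steps 3, 4, 6, 7, 8 and 9 of the
# ICSpot README. NOT part of the ICSpot repository. Assumptions (not on the page):
#   - the absolute paths to rewrite contain the substring "ICSpot/scripts";
#   - the honeypot address lives on a honeyd "bind <IP> <template>" line;
#   - arping is the iputils one (exit 0 when a reply was received);
#   - $REPO contains no '#' or '&' (special in the sed expressions below).
set -eu

REPO="${ICSPOT_REPO:-$(pwd)}"   # absolute path of the cloned repository
IFACE="${ICSPOT_IFACE:-eth0}"   # interface whose subnet the honeypot joins
HP_IP="${ICSPOT_IP:-}"          # address the honeypot will answer for

# Dotted quad -> 32-bit integer, shell arithmetic only.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B PREFIXLEN: succeed when A and B share the /PREFIXLEN network.
same_subnet() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Step 3: rewrite every ".../ICSpot/scripts" path to this checkout.
patch_paths() {
    for f in "$REPO/honeyd.conf" "$REPO/scripts/honeyd-http-siemens.py"; do
        sed -i -E "s#[^\"' ]*/ICSpot/scripts#${REPO}/scripts#g" "$f"
    done
}

# Step 4: set the honeypot address on the "bind" line of honeyd.conf.
set_ip() {
    sed -i -E "s/^(bind[[:space:]]+)[0-9.]+/\1${HP_IP}/" "$REPO/honeyd.conf"
}

# Step 4 checks, then steps 6, 7, 8 and 9: start the three services in the background.
start_all() {
    [ -n "$HP_IP" ] || { echo "set ICSPOT_IP to the honeypot address" >&2; exit 1; }
    cidr=$(ip -4 -o addr show dev "$IFACE" | awk '{print $4; exit}')   # e.g. 192.168.1.5/24
    same_subnet "$HP_IP" "${cidr%/*}" "${cidr#*/}" \
        || { echo "$HP_IP is not on the subnet of $IFACE ($cidr)" >&2; exit 1; }
    # Something already answering ARP for the address means it is in use.
    if arping -c 2 -w 2 -I "$IFACE" "$HP_IP" >/dev/null 2>&1; then
        echo "$HP_IP is already in use on $IFACE; choose another address" >&2; exit 1
    fi
    patch_paths
    set_ip
    cd "$REPO"
    [ -e /usr/lib/libsnap7.so ] || cp snap7/build/bin/x86_64-linux/libsnap7.so /usr/lib/
    ./snap7/examples/cpp/x86_64-linux/server 127.0.0.1 > s7server.log 2>&1 &
    honeyd -d -p nmap-os-db -i "$IFACE" -l honeyd.log -f honeyd.conf "$HP_IP" \
        --disable-webserver > honeyd.out 2>&1 &
    farpd -d -i "$IFACE" "$HP_IP" > farpd.out 2>&1 &
    echo "ICSpot is answering for $HP_IP on $IFACE; logs are in $REPO"
}

case "${1:-}" in
    up) start_all ;;
    *)  ;;   # called without "up": only define the functions
esac
```

Run it as root from the repository root, e.g. ICSPOT_IP=192.168.1.50 ICSPOT_IFACE=eth0 sudo -E sh icspot-up.sh up, after steps 1, 2 and 5 have been done by hand; the subnet test is done in pure shell arithmetic so it also works on minimal images without ipcalc.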

Functioning check

To check that ICSpot is working, scan its IP address from outside the host machine with Nmap (e.g., if the honeypot runs in a VM, launch Nmap from your own machine).

If needed, install Nmap first: sudo apt install nmap.

The scans we use are collected in scanners.sh; you can run the file as a whole or pick and run individual commands by hand.

N.B.: A generic scan (e.g., nmap IP) does not show the exposed ports, so use the specific commands in scanners.sh. The reason is that a default Nmap scan probes only the 1000 most common TCP ports, and 102/tcp (ISO-TSAP, the port S7comm uses) is not among them; pass the ports explicitly (e.g., -p 102) or scan all ports (-p-) and the service appears.
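As an added example (not the project's scanners.sh), the script below runs the explicit scan, parses Nmap's grepable output to confirm the expected ports are open, and then asks the S7comm service for its identity with the s7-info NSE script, which is what an Internet scanner would fingerprint. It assumes the honeypot exposes the Siemens web emulator on 80/tcp and the S7comm server on 102/tcp (the page names both services but not the web port) and that nmap is run with enough privilege for a SYN scan.

```shell
#!/bin/sh
# icspot-check.sh: added verification helper, not part of the ICSpot repository.
# Assumptions: 80/tcp (web-siemens) and 102/tcp (S7comm) are the exposed TCP
# services, and nmap can run a SYN scan (hence sudo).
set -eu

PORTS="80,102"   # named explicitly: 102/tcp is not in Nmap's default top-1000 list

# port_state PORT GREPABLE: print the state Nmap reported for PORT/tcp
# ("open", "closed", "filtered", "open|filtered", ...) from `-oG -` output;
# prints nothing when the port does not appear at all.
port_state() {
    printf '%s\n' "$2" | tr ',' '\n' \
        | sed -n -E "s#^.*[[:space:]]$1/([a-z|]+)/tcp/.*#\1#p" | head -n 1
}

# ports_ok GREPABLE: succeed only when every port in $PORTS is reported open.
ports_ok() {
    for p in $(printf '%s' "$PORTS" | tr ',' ' '); do
        st=$(port_state "$p" "$1")
        [ "$st" = open ] || { echo "$p/tcp is ${st:-not reported}" >&2; return 1; }
    done
}

# check_icspot IP: explicit port scan, then the S7comm identity banner.
check_icspot() {
    out=$(sudo nmap -n -Pn -sS -sV -p "$PORTS" -oG - "$1")
    ports_ok "$out" || return 1
    echo "ports $PORTS are open on $1; S7comm identity as seen by a scanner:"
    sudo nmap -n -Pn -p 102 --script s7-info "$1"
}

case "${1:-}" in
    scan) check_icspot "${2:?usage: $0 scan IP}" ;;
    *) ;;   # no argument: only define the functions
esac
```

Invoke it as sh icspot-check.sh scan IP from a machine other than the host; the s7-info output is worth comparing against the PLC profile you selected in step 6, since a mismatch between the Nmap OS personality in honeyd.conf and the module identity reported by libsnap7.so is exactly the kind of inconsistency that raises a honeypot's Honeyscore.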

Logging

For the logging part we used two publicly available tools.

To-Do List

Team

Francesco Trolese (francesco.trolese.1@studenti.unipd.it)
Federico Turrin (federico.turrin94@gmail.com)

We are members of SPRITZ Security and Privacy Research Group at the University of Padua, Italy.

Please don't hesitate to contact us with improvement suggestions or to report bugs.

Reference

You can find the ICSpot paper at the following link.

Are you using ICSpot in your research work? Consider citing us:

@inproceedings{conti2022icspot,
  title={ICSpot: A High-Interaction Honeypot for Industrial Control Systems},
  author={Conti, Mauro and Trolese, Francesco and Turrin, Federico},
  booktitle={2022 International Symposium on Networks, Computers and Communications (ISNCC)},
  pages={1--4},
  year={2022},
  organization={IEEE}
}