mushorg / conpot

ICS/SCADA honeypot
GNU General Public License v2.0

Unstable behaviour #136

Closed ghost closed 10 years ago

ghost commented 10 years ago

I have been experiencing some problems with conpot. It initialises just perfectly sometimes and the next time it just gives some error. And again it will initialise properly. You never know for sure if it will initiate properly or run into some error. I am trying to get my head around the code that goes into conpot but was unable to find any definite answer. Also note that there isn't any service running; it is basically a freshly installed system. Do give your thoughts about why this would possibly be happening.

```
2014-05-15 03:12:58,281 DataBus: Storing key: [empty] value: []
2014-05-15 03:12:59,528 Fetched 220.245.18.113 as external ip.
Traceback (most recent call last):
  File "/usr/local/bin/conpot", line 5, in <module>
    pkg_resources.run_script('Conpot==0.2.2', 'conpot')
  File "/usr/local/lib/python2.7/dist-packages/distribute-0.6.35-py2.7.egg/pkg_resources.py", line 505, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/local/lib/python2.7/dist-packages/distribute-0.6.35-py2.7.egg/pkg_resources.py", line 1245, in run_script
    execfile(script_filename, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/Conpot-0.2.2-py2.7.egg/EGG-INFO/scripts/conpot", line 206, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/Conpot-0.2.2-py2.7.egg/EGG-INFO/scripts/conpot", line 164, in main
    snmp_server = SNMPServer(snmp_host, snmp_port, args.template, args.mibpaths, args.raw_mib)
  File "/usr/local/lib/python2.7/dist-packages/Conpot-0.2.2-py2.7.egg/conpot/protocols/snmp/snmp_server.py", line 49, in __init__
    self.xml_mib_config(dom, mibpaths, rawmibs_dirs)
  File "/usr/local/lib/python2.7/dist-packages/Conpot-0.2.2-py2.7.egg/conpot/protocols/snmp/snmp_server.py", line 85, in xml_mib_config
    available_mibs = find_mibs(rawmibs_dirs)
  File "/usr/local/lib/python2.7/dist-packages/Conpot-0.2.2-py2.7.egg/conpot/protocols/snmp/build_pysnmp_mib_wrapper.py", line 103, in find_mibs
    if os.path.getsize(_file) > '1048576':
  File "/usr/lib/python2.7/genericpath.py", line 49, in getsize
    return os.stat(filename).st_size
OSError: [Errno 13] Permission denied: '/home/conpot/.gvfs'
```

johnnykv commented 10 years ago

I think this relates to #109. From which directory did you start conpot? I would suggest that you try and start ConPot from a new empty directory.
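
The traceback above ends in a MIB scan that calls `os.path.getsize()` on an entry it cannot stat, so whether startup succeeds depends on what the scanned directory contains. The sketch below is an added example, not conpot's code and not from any commenter: `find_mib_candidates`, `MAX_MIB_BYTES`, `demo` and the sample tree are hypothetical names and constructed data showing a scan that records problem entries instead of aborting.

```python
import os
import stat
import tempfile

# Integer limit. The traceback's line compares against the string '1048576';
# in Python 2 an int always orders below a str, so that check is never true.
MAX_MIB_BYTES = 1048576


def find_mib_candidates(dirs, max_bytes=MAX_MIB_BYTES):
    """Return (candidates, skipped): regular files small enough to parse, and
    (path, reason) pairs for entries that were rejected or unreadable."""
    candidates, skipped = [], []
    for top in dirs:
        # onerror records unreadable directories instead of dropping them silently
        walker = os.walk(top, followlinks=False,
                         onerror=lambda e: skipped.append((e.filename, e.strerror)))
        for root, _subdirs, files in walker:
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError as e:     # e.g. EACCES on a mount point like ~/.gvfs
                    skipped.append((path, e.strerror))
                    continue
                if not stat.S_ISREG(st.st_mode):
                    skipped.append((path, "not a regular file"))
                elif st.st_size > max_bytes:
                    skipped.append((path, "larger than limit"))
                else:
                    candidates.append(path)
    return sorted(candidates), skipped


def demo():
    """Constructed tree: one small MIB, one oversized file, one dangling symlink
    (os.path.getsize would raise OSError on the symlink)."""
    top = tempfile.mkdtemp()
    with open(os.path.join(top, "SAMPLE-MIB.mib"), "w") as f:
        f.write("SAMPLE-MIB DEFINITIONS ::= BEGIN END\n")
    with open(os.path.join(top, "big.bin"), "wb") as f:
        f.write(b"\0" * 2048)
    os.symlink(os.path.join(top, "missing"), os.path.join(top, "dangling"))
    return find_mib_candidates([top], max_bytes=1024)
```

Logging the `skipped` list at startup gives an operator a record of what the scan ignored and why.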

johnnykv commented 10 years ago

@technojuggler Did you try to start conpot from a new empty directory?

johnnykv commented 10 years ago

Closing due to no response from issuer.

ghost commented 10 years ago

@johnnykv Sorry for not replying back. Running from an empty directory did work, I would say, but I haven't had the opportunity to shoot it up multiple times so could not reach any conclusion. I'll try running it multiple times over the next few days and will let you know. Apart from that I am focussing on extending the usability to S7-300 PLC or any other PLC. Could you please help me with what areas to explore to extend the usability? What areas of conpot do I need to focus upon to achieve it?

johnnykv commented 10 years ago

Sounds good. Do you have real PLC hardware available?

creolis commented 10 years ago

@technojuggler: At the moment we're fully compatible with S7-1500 and S7-1200 PLCs. Having a look at S7-300 would sure be a good thing, thanks in advance!

As far as I know, our SNMP, HTTP and S7comm-SystemStateList support should be fine for Simatic S7 - but I think some testing on how well we mimic them should go to modbus and S7comm in general.

I did not fully test how easy it is to reflect real-life modbus data gathered from a real PLC, and adding further support for S7comm (though I know it is a juggernaut) in terms of extending the protocol stack would be great.

Personally I would ask you to test if the latest committed version on github allows you to recreate the HTTP interface in all its glory. I implemented those triggers because we needed them for smaller and older logical controllers :)

ghost commented 10 years ago

@johnnykv @creolis My professor has not allotted funds for the hardware for now; the aim for this semester specifically is just to get my head around conpot from scratch and its functionality. Next semester, the plan is to actually implement it with real hardware and study the attack vectors.

However, at this juncture I have been asked to look into whether the usability can be extended to other PLC families. I haven't worked in ICS much yet, but I want to change my field of study to SCADA system security and am trying to learn even more. So, I may sound naive at times.

I had a few conceptual doubts though,

  1. Does the Modbus protocol vary with PLCs? How could compatibility be established with other PLC families?
  2. I want to implement an S7-200 PLC without hardware. Could that be accomplished with a simulator or something? Will that give the same output if I write a small program for the same?

It would be great if you could help me understand a few things to get me going at this point.

Thanks!

johnnykv commented 10 years ago

Hi @technojuggler, thanks for your interest in the project!

And my answers:

  1. Define "vary" :-) My guess is that most vendors try to stick to the confinements of the Modbus protocol - with a few shortcuts here and there. (I am guessing here...)
  2. Actually @glaslos has made some progress on integrating awlsim into conpot. He might be able to provide more information. Other than that you might be able to get your hands on STEP7, which includes a PLC simulator from Siemens - your university might be able to provide this?