Assessing and Exploiting
Control Network Captures

Module Outline:

  • Examples when to use

  • Overview of methodology

  • Traffic Capture

    • Hardware and software to use

    • Suggested configurations

  • Endpoint and Flow Analysis

    • Common TCP/IP based ICS protocols

    • Exercise: Using Wireshark for endpoint and flow analysis

    • Exercise: Using GrassMarlin

  • Known Protocol Analysis

    • Deep dive into Modbus TCP

    • Exercise: Analysing Modbus TCP captures

    • Exercise: Using Zeek with Modbus TCP

    • Exercise: Using strings on control protocols

    • Overview of PROFINET, EtherNet/IP (CIP), OPC, DNP3, IEC 104, IEC 61850, ICCP

  • Unknown Protocol Analysis

    • Exercise: Finding unknown protocols with Wireshark

    • Exercise: Entropy analysis of network payloads

    • Exercise: Using GrassMarlin on unknown protocols

  • Gap Analysis with Security Architecture Review
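The Modbus TCP deep dive and capture-analysis exercises above work on the MBAP header and PDU layout. The following is an added example, not part of the module materials or the ControlThings Platform, showing the decoding an analyst performs by hand in Wireshark: validate the MBAP header (protocol id 0, length field consistent with the payload), split request from response using the server port, decode the common function codes, flag exception responses, and count writes. The sample frames are constructed for the example, and the assumption that TCP payloads are already reassembled one frame per segment is noted in the code.

```python
# Added example (not the module's own code): a minimal Modbus TCP decoder over
# constructed frames. Assumption: each payload is one reassembled MBAP+PDU and
# direction is known from the TCP ports (server listens on 502).
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MODBUS_PORT = 502

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    is_request: bool
    exception_code: Optional[int] = None
    fields: Dict[str, int] = field(default_factory=dict)
    registers: List[int] = field(default_factory=list)

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS


def _need(pdu: bytes, n: int) -> None:
    if len(pdu) < n:
        raise ValueError(f"PDU too short: {len(pdu)} < {n}")


def _regs(body: bytes) -> List[int]:
    if len(body) % 2:
        raise ValueError("register payload has odd length")
    return list(struct.unpack(f">{len(body) // 2}H", body))


def parse_modbus_tcp(data: bytes, is_request: bool) -> ModbusFrame:
    """Decode one MBAP header + PDU; raise ValueError on anything non-Modbus."""
    if len(data) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", data[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # Length counts unit id + PDU; a mismatch means truncation, padding or not Modbus.
    if length != len(data) - 6:
        raise ValueError(f"MBAP length {length} != {len(data) - 6} bytes present")
    pdu = data[7:]
    fc = pdu[0]
    frame = ModbusFrame(tid, uid, fc & 0x7F, is_request)

    if fc & 0x80:
        # Exception responses carry fc|0x80 followed by a one-byte exception code.
        if is_request or len(pdu) != 2:
            raise ValueError("malformed exception response")
        frame.exception_code = pdu[1]
    elif fc in (1, 2, 3, 4):
        if is_request:
            _need(pdu, 5)
            frame.fields["start_address"], frame.fields["quantity"] = struct.unpack(">HH", pdu[1:5])
        else:
            _need(pdu, 2)
            byte_count, body = pdu[1], pdu[2:]
            if len(body) != byte_count:
                raise ValueError("byte count does not match payload")
            if fc in (3, 4):
                frame.registers = _regs(body)
            else:
                frame.fields["coil_bytes"] = byte_count
    elif fc in (5, 6):
        # Request and normal response both carry the same address/value pair.
        _need(pdu, 5)
        frame.fields["address"], frame.fields["value"] = struct.unpack(">HH", pdu[1:5])
    elif fc in (15, 16):
        _need(pdu, 5)
        frame.fields["start_address"], frame.fields["quantity"] = struct.unpack(">HH", pdu[1:5])
        if is_request and fc == 16:
            _need(pdu, 6)
            frame.registers = _regs(pdu[6:6 + pdu[5]])
    else:
        frame.fields["raw_len"] = len(pdu) - 1  # unknown/vendor function code
    return frame


def is_modbus(data: bytes, is_request: bool) -> bool:
    try:
        parse_modbus_tcp(data, is_request)
        return True
    except ValueError:
        return False


# Constructed sample exchange (not from a real capture): (src_port, dst_port, payload).
SAMPLE_CAPTURE = [
    (40001, 502, bytes.fromhex("0001 0000 0006 01 03 0000 0002")),     # read 2 regs at 0
    (502, 40001, bytes.fromhex("0001 0000 0007 01 03 04 000a 0014")),  # values 10, 20
    (40001, 502, bytes.fromhex("0002 0000 0006 01 03 1000 0001")),     # read reg 0x1000
    (502, 40001, bytes.fromhex("0002 0000 0003 01 83 02")),            # exception 2
    (40001, 502, bytes.fromhex("0003 0000 0006 01 06 0010 1234")),     # write reg 16
    (502, 40001, bytes.fromhex("0003 0000 0006 01 06 0010 1234")),     # echo response
]


def decode_capture(packets) -> List[ModbusFrame]:
    return [parse_modbus_tcp(p, is_request=(dst == MODBUS_PORT)) for _, dst, p in packets]


def summarize(frames: List[ModbusFrame]) -> Dict[str, int]:
    """The counts an analyst wants first: writes, exceptions and unknown function codes."""
    return {
        "frames": len(frames),
        "writes": sum(1 for f in frames if f.is_write and f.is_request),
        "exceptions": sum(1 for f in frames if f.exception_code is not None),
        "unknown_fc": sum(1 for f in frames if f.function_code not in FUNCTION_NAMES),
    }
```

Usage note: the same checks are what the Wireshark `modbus` and `mbtcp` dissectors apply, so a frame this decoder rejects on port 502 is worth a closer look in the unknown-protocol exercises. On a real capture, run `decode_capture` over the TCP payloads of each direction after stream reassembly, since a single segment can carry more than one MBAP frame.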

Software

  • ControlThings Platform Virtual Machine

Hardware

  • None