
Compare IT and OT, showing how IT updates and security tools contrast with OT’s long hardware lifecycles and real-time constraints, highlighting cyber security risks in Industry 4.0.
Examine how open source intelligence and osint techniques uncover default credentials in industrial control systems, highlighting vendor patterns, password risks, and the need for regular password changes.
Explore Shodan, a search engine for IoT and control systems, to locate exposed PLC devices, perform banner grabbing, and search for protocols like Modbus and S7 Comm on port 102.
Scan the public IP range with Shodan using the net filter to identify exposed Siemens controllers and ports like Telnet and SSH; banner grabbing reveals module coding and firmware version.
Download Ubuntu desktop, create a VirtualBox VM with 8 GB RAM and 25 GB disk, bridge the network, install VirtualBox guest additions, and complete the initial Ubuntu server setup.
Set up Kali Linux for ICS testing by configuring bridged networking, enabling clipboard, and German keyboard, then run a script to install open-source pentesting tools and Modbus Pal.
Explore onboard Kali Linux and open source pen testing tools for industrial control systems, and practice scanning targets with Nmap and testing exploits on simulated controllers.
Boot Ubuntu server PLC VM and Kali Linux VM, open terminal, run run.sh to spawn honeypots, then switch to Kali Linux and practice sudo with tool name, IP, and port.
Explore enumeration with snmp-check to extract device information from SNMP on UDP port 161, gathering vendor, model, firmware, and serial data to support ICS pentesting.
Search Shodan for exposed Siemens PLC devices using port 102, then extend the search with the vendor to identify the product series and model numbers.
Search port 102 for the S7 protocol hosts with shodan; banner grabbing shows product details for Siemens and Symantec devices, and including cpu type digits refines the results.
Filter the Excel spreadsheet for Siemens and perform a Google Docs search with the terms to locate publicly exposed devices as part of practical industrial control system penetration testing.
We scan tcp ports 1 to 65535 and udp port 16100 with nmap, skipping host discovery. The com port remains undetected and snmp on udp 16100 is not detected.
Perform an SNMP enumeration using the SNMP check tool against port 16,100 to identify SNMP servers and gather information about the target.
Advance your pen testing skills by using the Nmap scripting engine in Kompot and integrating external exploits into Metasploit, after verifying your Mac address matches the course materials.
Explore scanning port 102 with the Nmap scripting engine, using --script to run a chosen NSE script, and locate suitable S7 scripts for Siemens devices in the Nmap share.
Navigate to the PLC scan folder, display its contents, and run the legacy plc scan script with the target IP using Python 2 to pull information from the target.
Use open source tools to run PLC scan and Siemens level two discovery, extracting device details and manipulating outputs or CPU state on a target PLC.
Explore the gas station inventory controller's communication interface on port 10,001 using Shodan to count online devices. Analyze device function code 201 00 to determine exposed units.
Kick off a practical industrial control system pentest by launching Ubuntu Server and Kali Linux in a VM, starting gas station controller emulation, and performing ssh-based IP and NAT discovery.
Examine open port 10001 with Nmap, specify the target IP and port, and start the Nmap scripting engine; explore gas station inventory systems (ATG) and related Nmap scripts.
Demonstrate using nmap NSE scripts to locate and run a specific ATG info script, scan a target IP and port, and interpret returned controller function data, with honeypot detection.
Explore lab-based penetration testing of exposed Schneider Electric devices using Shodan and Google Docs, boot Ubuntu Server and Kali Linux virtual machines, and perform Modbus port 5020 testing with netdiscover.
Examine an IP address with Nmap, start with XPN, skip host discovery, specify the destination IP, and use dash P to set the target port range for a tcp scan.
Run modbus metasploit modules against the target to detect modbus operation, identify the station number via unit id, and banner grabbing, noting other modules fail on the honeypot.
Start the modbus simulation on Kali Linux, add a modbus device and holding registers, run the modbus server, then discover your IP with ifconfig and scan the port with nmap.
Launch the Metasploit framework, load Modbus modules, and identify whether Modbus is running on the target and determine the target's unit ID.
Explore using a metasploit modbus module to detect modbus tcp targets, set the host IP, check unit IDs, and read or manipulate PLC registers, with a future command line alternative.
Read memory blocks solution demonstrates reading the first ten memory blocks by setting a starting address with percent zero followed by a ten, directly accessing memory content from blocks 0–10.
Hacking ICS/OT on shodan or in your own company? Better not!
I believe that the best way to learn is with practical experience. ICS/OT Security is a new and important skill for all technicians and engineers working on industrial control systems. There are quite a few open source tools that can be used to investigate the cyber security of industrial control systems, but unfortunately there is no suitable training opportunity.
For learners of IT pentesting, there are plenty of opportunities like HackTheBox or VulnHub, where pentest tools and hacking skills can be tried out. Training platforms with ICS focus either don't exist or come in the form of a boring seminar with over 1000€ participation fee.
In this workshop you will learn important pentest tools from Kali and open source tools and you can try them out in 6 interactive simulations of industrial controllers. Of course the simulations are not perfect, so I will show you the tools and techniques on two real PLCs.
The workshop has a high practical part and encourages you to participate! There are more than 30 exciting tasks waiting for you, with which you can deepen your skills bit by bit!
Important: The pentesting of ICS cannot be compared to the typical pentesting of the IT world. Industrial plants need to be continuously available and hardly any plant operator wants to risk a production stop. Typically, security testing is performed at the lowest or second lowest aggressiveness level. So if you are hoping to pwn your device with buffer overflows, kernel exploits, privilege escalation and root shells, you are in the wrong place.
Are you interested in security analysis of ICS and do you already have basic knowledge of industrial cyber security? Then this is the right place for you!
Are you currently studying for the (CEH) Certified Ethical Hacker? From v12 on knowledge in OT is required! This course offers you a hands-on introduction to understand the typical vulnerabilities of OT hardware!
Curious about safeguarding of ICS/OT devices? Join my course Assessing and Protecting Industrial Control Systems.
Please note that the software used is not mine. I can only offer limited assistance in case of problems. Please contact the publisher of the software for help. The installation instructions were created to the best of my knowledge, but the responsibility for the installation lies with the participants.