
conpot's People

Contributors

adarshdinesh, adepasquale, agismail, canihavesomecoffee, creolis, ddavidebor, enen92, firesoules, glaslos, htdge, jhart-r7, johnnykv, katkad, niagl, pietroferretti, pudii, rohangireeshnair, saegel, sookyp, sp3ctr3, srenfo, standa4, stauchert, t3chn0m4g3, tholep, vingaard, vorband, wintermute101, xandfury, yurushao


conpot's Issues

Serial port converters

Serial port converters discussed by HD Moore blog, slides.

They usually expose SNMP/Modbus/ADDP on ports:

  • Lantronix: 2001-2032, 3001-3032
  • Digi: 2001-2099
  • Linux root on 2001 and 3001

Digi provides RealPort on 771 and SSL version on 1027

Common passwords are "dbps", "digi" and "faster"

SNMP(v1) writes fail due to MIB lookup

I did not fully sort out what goes wrong,
but I encountered the following problem:

Trying to set a snmp value that has been previously registered via
XML template, produces the following error:

creo$ snmpset -c public -v 1 10.203.96.128 1.3.6.1.2.1.2.2.1.3 i 2
Error in packet.
Reason: (noSuchName) There is no such variable name in this MIB.
Failed object: IF-MIB::ifType

Curiously, while this implies that this OID could not be found,
it is indeed aware of the parameters associated to this object
when I try to set a wrong object type ( string instead of integer ):

creo$ snmpset -c public -v 1 10.203.96.128 1.3.6.1.2.1.2.2.1.3 s test
IF-MIB::ifType: Bad variable type (Type of attribute is INTEGER, not OCTET STRING)

Create HMI HTML surface

Create HMI using HTML.

  • Simple onepage HTML with JS.
    • Shows gauges
    • Manipulation of controls
    • Need to look ICSish
  • Use modbus backend for storing/retrieving values.

DNP3 support

Skills required: Python, basic C++, dissecting network traffic.
Time estimation: We assume this to be a three months project.
Short Description: Improve Conpot’s current very minimal support for the DNP3 protocol. Goal is to provide a server capable of basic DNP3 communication.

Description:
Conpot provides a variety of common protocols: Modbus, S7Comm, SNMP, HTTP and Kamstrup. We are always working on getting additional protocols supported. This is a rather complicated task as many protocols don't have an open source implementation, documentation is rather complex or simply not available. One of the protocols we are interested in is DNP3 (Distributed Network Protocol) which is similar to IEC 60870-5 and often used for communication between control centers, RTUs (Remote Terminal Units) and IEDs (Intelligent Electronic Devices). Conpot has a feature which we call the Proxy Module. This allows us to proxy incoming requests through Conpot to a service and back to the client. When we implement a new protocol in Conpot, we set up an instance with this proxy module and tunnel all requests from the client to e.g. a real device or a service with that protocol running on another host. Then, piece by piece, we are decoding the message in Conpot while it passes through so we get insight into the intention of the request. Right now we have a very basic decoder for the DNP3 protocol which we would like to extend.

More information:
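
A decoder for the fixed 10-byte DNP3 link-layer header, the first thing a proxy has to parse when decoding requests in transit as this issue describes. This is an added example, not part of the original issue or Conpot's own decoder; the function names and the sample frame are constructed for illustration.

```python
import struct

PRIMARY = {0: "RESET_LINK_STATES", 2: "TEST_LINK_STATES", 3: "CONFIRMED_USER_DATA",
           4: "UNCONFIRMED_USER_DATA", 9: "REQUEST_LINK_STATUS"}
SECONDARY = {0: "ACK", 1: "NACK", 11: "LINK_STATUS", 15: "NOT_SUPPORTED"}


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (bit-reflected 0xA6BC), init 0, output inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def decode_link_header(frame: bytes) -> dict:
    """Decode the 10-byte DNP3 link header; raise ValueError on malformed input."""
    if len(frame) < 10:
        raise ValueError("short frame: link header is 10 bytes")
    start, length, control, dest, src, crc = struct.unpack("<HBBHHH", frame[:10])
    if start != 0x6405:  # start bytes 0x05 0x64, read as a little-endian word
        raise ValueError("bad start bytes")
    if length < 5:  # length counts control + addresses (5) plus user data
        raise ValueError("length field below minimum of 5")
    if crc != crc16_dnp(frame[:8]):  # CRC covers the first 8 bytes, sent low byte first
        raise ValueError("header CRC mismatch")
    primary = bool(control & 0x40)
    code = control & 0x0F
    names = PRIMARY if primary else SECONDARY
    return {
        "from_master": bool(control & 0x80),
        "primary": primary,
        "function": names.get(code, "UNKNOWN_%d" % code),
        "destination": dest,
        "source": src,
        "user_data_len": length - 5,
    }


def build_header(control: int, dest: int, src: int, length: int = 5) -> bytes:
    """Build a header with a valid CRC (used for the constructed sample only)."""
    head = struct.pack("<HBBHH", 0x6405, length, control, dest, src)
    return head + struct.pack("<H", crc16_dnp(head))


# Constructed sample: master address 1 asks outstation 10 for its link status.
SAMPLE = build_header(control=0xC9, dest=10, src=1)
```

Frames that fail the start-byte, length or CRC checks raise `ValueError`, so a honeypot can log them as malformed probes instead of letting the handler crash.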

Load custom config

In case a config is defined using an argument (--config) we are not loading it.

MissingKeyError

2013-05-08 19:05:11,080 New connection from YOUR-MOM:12101. (6bbf1903-ad52-456f-995b-39d78a910ab5)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 390, in run
    result = self._run(*self.args, **self.kwargs)
  File "conpot_ics_server.py", line 84, in handle
    response, logdata = self._databank.handle_request(query, request)
  File "/opt/conpot/modules/slave_db.py", line 48, in handle_request
    slave = self.get_slave(slave_id)
  File "/usr/local/lib/python2.7/dist-packages/modbus_tk-0.4-py2.7.egg/modbus_tk/modbus.py", line 750, in get_slave
    raise MissingKeyError, "Slave %d doesn't exist" % (slave_id)
MissingKeyError: Slave 77 doesn't exist
<Greenlet at 0xb72185ccL: <bound method ModbusServer.handle of <__main__.ModbusServer instance at 0xb7077f2c>>(<socket at 0xb7026c8cL fileno=8 sock=YOUR-MOM:, ('YOUR-MOM', 12101))> failed with MissingKeyError

Create http/HMI surface

Create HMI using HTML.

  • Simple onepage HTML with JS, ActiveX or Java. (Siemens seems to favor ActiveX)
    • Shows gauges
    • Manipulation of controls
    • Need to look ICSish
  • Use modbus backend for storing/retrieving values.

PyPi package

We should provide a package on pypi for easy installation.

Add start time to session data

IMO we should also have the start time in the session_data object as we are queueing the data and the events only hold the elapsed time.
What do you think?

session_data = {'session_id': session_id, 'remote': address, 'data_type': 'modbus', 'start_time': start_time, 'data': {}}

Log honeypot IP or Geoloc

It would be useful if we could get the IP of the honeypot when reporting with hpfeeds. Some folks might object to this (which would be understandable) so an alternative could be to only transmit the geolocation.
It might look like this in conpot.cfg:

[hpfriends]
#ip: log honeypot IP
#geoloc: log only the geolocation of the IP
#none (or commented out): log no location info
location_mode = ip

Variable profile values

All the values shouldn't be static. For the generated profiles one should be able to define ranges and rates of change. For the cloned real ICS profiles, we want to auto generate this from a diff.

ICS profile support

Provide support for various system profiles. The scraper #2 should export results as a profile.

ICS/SCADA scraper

Tool to clone an ICS with modbus interface to mimic real systems.

SIGSEGV on Debian/Raspberry Pi

Apparently there are issues running Conpot on the Raspberry Pi (Debian GNU/Linux 7.0).
@nsmfoo could you please provide the output of pip freeze and your libevent version?

Console output:

2013-05-30 21:44:32,036 Registered OID (1, 3, 6, 1, 2, 1, 1, 6) (sysLocation, SNMPv2-MIB) :  
2013-05-30 21:44:32,046 Registered OID (1, 3, 6, 1, 2, 1, 1, 7) (sysServices, SNMPv2-MIB) : 72
2013-05-30 21:44:32,050 SNMP server started on: ('0.0.0.0', 161)
Segmentation fault

Strace:

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6054000
_llseek(4, 0, [0], SEEK_CUR)            = 0
read(4, "\3\363\r\n\357\301\247Qc\0\0\0\0\0\0\0\0t\0\0\0@\0\0\0sq\31\0\0e\0"..., 20480) = 20480
read(4, "or an SNMP entity supporting\ncom"..., 4096) = 2171
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0xb6054000, 4096)                = 0
stat64("/usr/local/lib/python2.7/dist-packages/pysnmp/smi/mibs/SNMPv2-MIB.py", {st_mode=S_IFREG|0644, st_size=28780, ...}) = 0
gettimeofday({1369949760, 709892}, NULL) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=118, ...}) = 0
write(2, "2013-05-30 21:36:00,709 Register"..., 95) = 95
gettimeofday({1369949760, 716357}, NULL) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=118, ...}) = 0
write(2, "2013-05-30 21:36:00,716 SNMP ser"..., 65) = 65
epoll_ctl(0x5, 0x1, 0x3, 0xbea5a420)    = 0
rt_sigaction(SIGINT, {0xb6a48c84, ~[RTMIN RT_1], SA_RESTART|0x4000000}, {0xd3f28, [], 0x4000000 /* SA_??? */}, 8) = 0
epoll_ctl(0x5, 0x1, 0x7, 0xbea59db8)    = 0
clock_gettime(CLOCK_MONOTONIC, {1337, 453045042}) = 0
gettimeofday({1369949760, 723796}, NULL) = 0
epoll_wait(0x5, 0x738550, 0x20, 0)      = 0
clock_gettime(CLOCK_MONOTONIC, {1337, 454075113}) = 0
gettimeofday({1369949760, 724741}, NULL) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

ensure clean exit on KeyboardInterrupt

If SIGINT is thrown it does not get handled properly.

 Traceback (most recent call last):
  File "/Users/jkv/virtualenvs/conpot/bin/conpot", line 7, in <module>
    execfile(__file__)
  File "/Users/jkv/repos/conpot/bin/conpot", line 122, in <module>
    main()
  File "/Users/jkv/repos/conpot/bin/conpot", line 107, in main
    servers.append(gevent.spawn(snmp_server.start()))
  File "/Users/jkv/repos/conpot/conpot/snmp_server.py", line 47, in start
    self.snmp_server.serve_forever()
  File "/Users/jkv/repos/conpot/conpot/modules/snmp_command_responder.py", line 170, in serve_forever
    self.snmpEngine.transportDispatcher.serve_forever()
  File "/Users/jkv/virtualenvs/conpot/lib/python2.7/site-packages/gevent/baseserver.py", line 190, in serve_forever
    self._stopped_event.wait()
  File "/Users/jkv/virtualenvs/conpot/lib/python2.7/site-packages/gevent/event.py", line 74, in wait
    result = get_hub().switch()
  File "/Users/jkv/virtualenvs/conpot/lib/python2.7/site-packages/gevent/hub.py", line 164, in switch
    return greenlet.switch(self)
KeyboardInterrupt

Basic documentation

The basic documentation should cover installation, usage, customization and how to create profiles for modbus and snmp.

Fix SNMP client walk command

I introduced a walk command 30eff43 which obviously is not just simply working. Not sure if it's me not using it properly, bad implementation or issues in pySNMP.

Test recon tools

There are various tools available to identify IC systems. We should run them against conpot and create a recon tool profile for better handling in the future.
This could also be integrated as a test to verify if we are responding according to the modbus specification.
Infracritical NMAP scripts: http://www.infracritical.com/?p=4909
