
Use of Various Windows Utilities to Manage ICS Processes

April 26, 2018, by Jim Acord

Introduction

Target Audience: Operational Technology (OT) operators of industrial control systems (ICS) that do not have information technology (IT) training.

Need: Typically, OT operators learn IT commands as they need them. They do not have a formal training class that teaches some of the fundamentals of network or system administration.


Execution: This article will attempt to provide some traditional IT tools and their application within the OT network.

It is assumed that you have access to at least one Windows computer on the ICS network. All work should be performed from that box.

Step 1: Find the name of the box that you are on.

Open a command prompt: click Start, type cmd in the search box, and press Enter.

After the command prompt is opened, type: hostname

The result is the name of the computer that you are on.

Step 2: Find the IP of the box that you are on.

Open a command prompt: click Start, type cmd in the search box, and press Enter.

After the command prompt is opened, type: ipconfig

The IP of the box that you are accessing is listed. In this example, it is 10.175.53.127

Step 3: Find the name of a box whose IP address you know.

Step 4: Determine whether a communication pathway exists between the box that you are on and another device.

Ping is an extremely useful network administration tool. It is primarily used to test the round-trip time for messages sent from a source computer to a destination computer. The name comes from active sonar terminology: a pulse of sound is sent out and the echo is listened for to detect objects under water.

Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP echo reply. The program reports errors, packet loss, and a statistical summary of the results, typically including the minimum, maximum, the mean round-trip times, and standard deviation of the mean.

When you ping a hostname, ping resolves the name to its IP address. For example:

This indicates that a communication pathway, a connection, exists between the host box and PCCRTS1. However, it does not indicate what kind of traffic is being passed or whether a firewall is blocking some of the ports.

As helpful as ping may be, it does not allow you to select a target port. In fact, ping does not use ports. What if we could use a utility that functioned like ping but allowed you to specify a target port? This would be helpful in determining if the communication packet is egressing a firewall and reaching its destination IP and port.

CryPing is a free and simple-to-use network connectivity test tool. It is a command line utility that extends the functionality of the traditional ping command to include:

  • The ability to ping individual ports. With CryPing you can ping a specific TCP/IP port.
  • The ability to ping HTTP, SMTP, POP3 or NNTP services. CryPing provides a simple command line way to check that a web server (HTTP), outgoing email server (SMTP), incoming email server (POP3) or news server (NNTP) is responding. You can even view the response headers if you wish. This is for when pinging the port just isn't enough.
  • Allowing the output to be time-stamped (useful when left running).
  • Audible alarms (on failure or success), useful when plugging and unplugging cables.

Author's website: http://www.cryer.co.uk/downloads/cryping/index.htm

What these flags mean:

-a (or -alarm) Notifies you each time the ping fails.

-tcp This specifies that TCP/IP is to be used.

-http This specifies that the HTTP protocol must be utilized.

-smtp Specifies that the SMTP protocol must be utilized.

-pop3 Specifies that the POP3 protocol must be utilized.

-nntp Specifies that the NNTP protocol must be utilized.

-b (or -beep) Notifies you each time the ping test is working.

-d This is the date/time stamp command.

-p port (or -port port) Instructs CryPing to hit a specific TCP/IP port.

-t This is the "Run Forever" command.

-n This hits the server a specified number of times.

-l This is the command for "Send buffer size."

-i This is the "Time to live" command.

-o This command specifies the type of service to be used.

-v (or -verbose) This is the command for the "Verbose output."

So, suppose we wanted to Remote Desktop to a device. We would check whether port 3389 was open on it.
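The port check described above, written out as an added example (this is not CryPing's code and not part of the original article). A single TCP connection attempt to a host and port is what CryPing performs with the -tcp and -p flags listed earlier. The example also separates the outcomes an operator needs to tell apart when checking a firewall path: "refused" means the host answered but nothing is listening (or a firewall rejects), while "timeout" means no answer at all (host down, wrong route, or packets silently dropped). PCCRTS1 is the hostname from the article; that it accepts Remote Desktop on 3389 is an assumption.

```python
import socket
import time

# Added example (not CryPing's code or the article's): a "ping with a port".
# One TCP connect attempt to host:port is the check CryPing performs with
# the -tcp and -p <port> flags.


def tcp_port_check(host, port, timeout=2.0):
    """Attempt one TCP connection to host:port and classify the outcome.

    result is one of:
      "open"      the TCP handshake completed, something is listening
      "refused"   the host answered with a reset: reachable, but nothing is
                  listening on that port (or a firewall actively rejects)
      "timeout"   no answer at all: host down, wrong route, or a firewall
                  silently dropping the packets
      "error: ..." name resolution failure or another OS-level error
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result = "open"
    except ConnectionRefusedError:
        result = "refused"
    except socket.timeout:
        result = "timeout"
    except OSError as exc:  # e.g. socket.gaierror when the name cannot be resolved
        result = "error: %s" % exc
    rtt_ms = round((time.monotonic() - start) * 1000.0, 1)
    return {"host": host, "port": port, "result": result,
            "reachable": result == "open", "rtt_ms": rtt_ms}


def loopback_demo():
    """Offline demonstration: open a throwaway listener on 127.0.0.1, confirm
    it reports "open", close it, and confirm the same port now reports
    "refused"."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = tcp_port_check("127.0.0.1", port)["result"]
    listener.close()
    after_close = tcp_port_check("127.0.0.1", port)["result"]
    return while_listening, after_close


if __name__ == "__main__":
    print(loopback_demo())
    # The Remote Desktop check from the text. PCCRTS1 is the hostname used in
    # the article; that it accepts RDP on 3389 is an assumption.
    print(tcp_port_check("PCCRTS1", 3389))
```

Run it on the box you are working from; a "timeout" against a device that answers ping tells you the packets are being dropped somewhere between the two, which is the firewall question the text raises, whereas "refused" tells you the device was reached but is not offering that service.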

Step 5: Determine Which ports are active

The command netstat allows you to view ports that are open or in use on a particular host but should not be confused with a network port scanner which actually probes a host for open ports.

Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections.

netstat [-a] [-e] [-n] [-o] [-p <Protocol>] [-r] [-s] [<Interval>]

Parameters

Parameter    Description

-a    Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

-e    Displays Ethernet statistics.

-n    Displays active TCP connections, with addresses and port numbers shown numerically rather than as names.

-o    Displays the process ID (PID) for each connection.

-p <Protocol>    Shows the connections for the specified protocol.

-s    Displays statistics by protocol.

-r    Displays the contents of the IP routing table.

<Interval>    Redisplays the selected information every <Interval> seconds.

/?    Displays help at the command prompt.

Comments

Parameters used with this command must be prefixed with a hyphen (-) rather than a slash (/).

netstat displays the following columns:

Proto    The name of the protocol (TCP or UDP).

Local Address    The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).

Foreign Address    The IP address and port number of the remote computer to which the socket is connected. The names that correspond to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).

State    Indicates the state of a TCP connection.

The possible states are as follows:

  • CLOSE_WAIT
  • CLOSED
  • ESTABLISHED
  • FIN_WAIT_1
  • FIN_WAIT_2
  • LAST_ACK
  • LISTEN
  • SYN_RECEIVED
  • SYN_SEND
  • TIME_WAIT

This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

    In lines saying 'ESTABLISHED,' you need the remote port to identify what has connected to the remote site.

    In lines saying 'LISTENING,' you need the local port to identify what is listening there.

    Each outbound TCP connection also causes a LISTENING entry on the same port.

    Most UDP listening ports are duplicates from a listening TCP port. Ignore them unless they don't have a TCP match.

    TIME_WAIT entries are not important and should be ignored.

    If it says 0.0.0.0 on the Local Address column, it means that port is listening on all 'network interfaces' (i.e., your computer, your modem(s) and your network card(s)).

    If it says 127.0.0.1 in the Local Address column, it means that port is ONLY listening for connections from your PC itself, not from the Internet or network. No danger there.

    If it displays your online IP in the Local Address column, it means that port is ONLY listening for connections from the Internet.

    If it displays your local network IP on the Local Address column, it means that port is ONLY listening for connections from the local network.

    netstat -an | find /i "listening"

    The results will be displayed across four columns – the protocol type, local IP address and associated port number, foreign IP address, and state – as shown in the image below. The column of interest, in this case, would be the second column.


    By using the 'o' parameter as part of the netstat command, a fifth column will be displayed as part of the results. This column shows the application process ID (PID) associated with each open port. The full command would be as follows:

    netstat -ano | find /i "listening"

    (SOURCE: https://sites.google.com/site/xiangyangsite/home/technical-tips/linux-unix/networks-related-commands-on-linux/how-to-read-netstat--an-results)

    In the above illustration, the first line indicates that the local machine's interface with an IP of 10.175.53.127 is using port 49280 and communicating with lyncseondarypool on port 5061.

    It is advisable to establish a set of baseline tables of active connections for each one of the Windows boxes on your process network.

    So, wouldn't it be nice to know whether an "undesirable" or "unapproved" program is listening for incoming connections right now? Being able to answer that question is essential for any ICS professional. This portion of the article will help you detect and analyze the legitimate programs that are listening and communicating on each of your Windows boxes. Without baseline charts or tables for your Windows boxes, you will not be able to discover the connections that do not belong.

    Four netstat.exe switches will be most useful to you:

    • -a will cause all connections and listening ports to be displayed.
    • -b comes in handy when you are trying to find out what port a particular program is listening on. "-b" causes netstat.exe to display the name of the executable that opened each connection or listening port.
    • -n is useful because by default netstat.exe will hide the actual port number from you for protocols that it "knows" about. For example, one of the ports that Windows XP listens on by default is 445. If you run netstat.exe without the -n switch it will display "microsoft-ds" instead of the port number. In some cases, this may be useful, and in others, it might be a hindrance.
    • -o causes netstat.exe to display the process identifier (PID) of each program in the connection list. The PID can be used to trace a connection back to a process listed in the Windows Task Manager.

    This next illustration shows what "netstat -ano" looks like on my laptop:



    This is the good stuff right here. This is useful information. With this new-found information, you can see what processes are currently listening for incoming connections. If there were active connections, you would also see those listed. There are various uses for this information including investigating a system for malware and tracking down firewall exceptions.

    Let's apply this knowledge. What if you need to allow incoming connections for a more obscure program or a non-traditional program like a polling engine? This is a walk in the park with netstat. Simply run "netstat -abno" while your polling software is running and look for the polling software executables. Have the associated ports put into your firewall exception list and you should be good to go.

    Here is an example Windows Task Manager:

    Select the Process tab, then View, then Select Columns. Select PID, User Name, and Description.

    Next, adjust the widths of the columns so that information is more presentable.


    Finally, let's investigate the relationship between a connection displayed by netstat.exe and a process listed in Windows Task Manager. Often you can just run "netstat -abno" and find the appropriate process name listed in Windows Task Manager, but what if there are two or more processes with the same name? In the previous illustration, you'll notice that chrome.exe is listed several times by "netstat -abno" and by the Windows Task Manager. The PID can be used to find an exact match as well.
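The baseline comparison and the PID-to-process matching described in this part of the article, carried through as an added example (not code from the article or from Microsoft). It parses the output of "netstat -ano" and of "tasklist /fo csv" (the command-line equivalent of the Task Manager columns selected above), classifies each listener by the scope its Local Address implies, joins listeners to process names through the PID, and reports every listener that is not in an approved baseline. Both output samples and the baseline are constructed for illustration; 10.175.53.127 is the address from the article, while the other addresses, PIDs and process names (including the "unknown_updater.exe" that plays the unapproved listener) are made up.

```python
import csv
import io

# Added example, not the article's code: parse `netstat -ano` and
# `tasklist /fo csv` output, map listening ports to process names, and
# compare the listeners against an approved baseline. Both samples are
# constructed for illustration, not captured from a real system.

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
  TCP    10.175.53.127:49280    10.175.53.40:5061      ESTABLISHED     3320
  TCP    10.175.53.127:49301    10.175.53.9:502        ESTABLISHED     2760
  TCP    127.0.0.1:49152        127.0.0.1:49153        TIME_WAIT       0
  UDP    0.0.0.0:123            *:*                                    1312
"""

SAMPLE_TASKLIST = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,024 K"
"svchost.exe","892","Services","0","10,240 K"
"svchost.exe","1104","Services","0","8,512 K"
"svchost.exe","1312","Services","0","6,300 K"
"PollingEngine.exe","2760","Console","1","45,112 K"
"lync.exe","3320","Console","1","120,004 K"
"unknown_updater.exe","5120","Console","1","2,048 K"
"""

# Approved listeners for this box (constructed baseline): (protocol, port).
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 123)}


def parse_netstat(text):
    """Return one dict per socket row of `netstat -ano` output.
    TCP rows carry five fields (Proto, Local, Foreign, State, PID);
    UDP rows have no State column, so they carry four."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines, anything that is not a socket row
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        host, port = local.rsplit(":", 1)  # rsplit keeps an IPv6 "[::]" intact
        rows.append({"proto": proto, "local_host": host, "local_port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def scope_of(local_host):
    """Who can reach a listener, judged from its Local Address column."""
    if local_host in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if local_host in ("127.0.0.1", "[::1]"):
        return "local machine only"
    return "interface %s only" % local_host


def listeners(rows, pid_names):
    """Listening sockets (TCP LISTENING plus every UDP socket), with the
    owning process name looked up by PID and the reachability scope."""
    out = []
    for r in rows:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        out.append(dict(r, process=pid_names.get(r["pid"], "<unknown pid>"),
                        scope=scope_of(r["local_host"])))
    return out


def unexpected_listeners(rows, pid_names, baseline):
    """Listeners absent from the approved baseline: the ones to investigate."""
    return [l for l in listeners(rows, pid_names)
            if (l["proto"], l["local_port"]) not in baseline]


def established(rows, pid_names):
    """Active connections (TIME_WAIT ignored) as 'process local -> remote'."""
    return ["%s (PID %d) %s:%d -> %s" % (pid_names.get(r["pid"], "?"), r["pid"],
                                         r["local_host"], r["local_port"], r["foreign"])
            for r in rows if r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    names = parse_tasklist(SAMPLE_TASKLIST)
    for l in listeners(rows, names):
        print("%-4s %-5d %-22s %s" % (l["proto"], l["local_port"], l["process"], l["scope"]))
    print("Not in baseline:", [(u["proto"], u["local_port"], u["process"])
                               for u in unexpected_listeners(rows, names, BASELINE)])
    print("Established:", established(rows, names))
```

On a real box, save the two command outputs to files and feed them to parse_netstat and parse_tasklist instead of the constructed samples; the baseline is the table of approved listeners you recorded for that box when it was known good. Anything unexpected_listeners reports, especially with scope "all interfaces", is the entry to trace back through its PID in Task Manager.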

    Jim Acord

    Jim Acord has nearly 30 years' worth of industrial control systems and cybersecurity experience. He holds a Bachelor of Science degree in Electrical Engineering and a Master's in Information Technology with a specialization in Data Assurance and Security. He is a subject matter expert for a three-letter agency for industrial control systems.