Pentesting Industrial Control Systems

Product type Book
Published in Dec 2021
Publisher Packt
ISBN-13 9781800202382
Pages 450 pages
Edition 1st Edition
Author: Paul Smith

Table of Contents (19 chapters)

Preface
1. Section 1 - Getting Started
2. Chapter 1: Using Virtualization
3. Chapter 2: Route the Hardware
4. Chapter 3: I Love My Bits – Lab Setup
5. Section 2 - Understanding the Cracks
6. Chapter 4: Open Source Ninja
7. Chapter 5: Span Me If You Can
8. Chapter 6: Packet Deep Dive
9. Section 3 - I'm a Pirate, Hear Me Roar
10. Chapter 7: Scanning 101
11. Chapter 8: Protocols 202
12. Chapter 9: Ninja 308
13. Chapter 10: I Can Do It 420
14. Chapter 11: Whoot… I Have To Go Deep
15. Section 4 - Capturing Flags and Turning off Lights
16. Chapter 12: I See the Future
17. Chapter 13: Pwned but with Remorse
18. Other Books You May Enjoy

Chapter 7: Scanning 101

In the last chapter, we discussed how packets are structured and how they relate to the OSI model, set up capture filters in Wireshark, and used display filters to analyze industrial control system (ICS) lab packet captures (pcaps) that we downloaded from Netresec, practicing these skills to further our knowledge and sharpen our pentesting abilities.

In this chapter, we are going to install Ignition SCADA and connect our Koyo Click PLC lab to it. We will then look at a number of tools for enumerating and scanning industrial networks, from port scanning with NMAP and RustScan to web application scanning of human machine interfaces (HMIs), SCADA operator screens, PLC control screens, and flow computer web portals with both Gobuster and feroxbuster. We will run these tools against our Ignition SCADA instance.

In this chapter, we're going to cover the following main topics:

  • Installing and configuring Ignition SCADA
  • Introduction...

Technical requirements

For this chapter, you will need the following:

You can view this chapter's code in action here: https://bit.ly/3veEeNm

Installing and configuring Ignition SCADA

Ignition SCADA is one of the newest platforms on the market and one that truly embraces modern technologies in the modular framework it provides. It has been adopted by many industries and some big Fortune 100 companies to manage their industrial control processes. By using real-world software and hardware in our lab, we can gain a better understanding of how things interoperate prior to engaging in an assessment:

  1. Working with the link provided earlier, https://inductiveautomation.com/downloads/, we are going to download the package for our Ubuntu SCADA VM.

    You should have a package called ignition-8.1.5-linux-x64-installer.run.

  2. Running the following command will get the installer rolling:
    ./ignition-8.1.5-linux-x64-installer.run

    This will then launch the installer window, which looks like the following:

    Figure 7.1 – Ignition Installer

  3. Select Next through the default windows; we will keep the default location...

Introduction to NMAP

Coming from the automation controls space, I used NMAP early on in my career to troubleshoot new technology that was starting to adopt TCP-based protocols. Finding hardware with open ports that had zero documentation was commonplace in the mid-00s. Over the next two decades, I followed this project and watched it grow into the foundational tool it is today. Not only is it used for finding open ports, but it can also perform operating system fingerprinting, application identification, and much more.

In this section, we are going to install and run NMAP against our lab environment. We will identify open ports and the services running on these ports. Scanning the network for assets and open ports is fundamental for gaining a foothold and a pivot point inside the industrial network when in the field working on a client's network. As said in the previous chapter about Wireshark being the number one tool for a pentester, I would say NMAP...

Port scanning with RustScan

NMAP had been my de facto port scanning tool of choice until recently, when I discovered RustScan. The one major benefit of RustScan is the lightning speed at which it scans all 65K ports; it can do this in 3 seconds. Compare that to NMAP, and it's night and day. I would set up NMAP, go for lunch, and come back and it would still be running. RustScan also has full scripting support for Python, Lua, and Bash, and can even pipe its results to NMAP.

When time is of the essence, RustScan is the choice. I do, however, still find myself reverting to NMAP for specific tasks, but that is more out of familiarity and, as said in previous sections, practice, practice, and practice. In this section, we will install RustScan and run it against the machines in our lab. We'll observe the speed difference at which the scans run and get familiar with the syntax in order to add this tool to our pentesting arsenal.

Installing RustScan

...

Introduction to Gobuster

Gobuster is a web enumeration and directory brute forcing tool written in Go. Up until my discovery of Gobuster, I was using tools such as Nikto, Cadaver, Skipfish, WPScan, OWASP ZAP, and DirBuster. Every one of these tools has its strengths and weaknesses but, in the end, they all worked pretty much the same with varying results. However, I was looking for something that I could run from the command line and that didn't require a thick client.

This is when I stumbled across Gobuster. It was everything I was looking for in a command-line-driven web enumeration tool. I can quickly switch between directory brute forcing and virtual host enumeration. I can switch wordlists on the fly, set command-line arguments to perform file detection, and finally, adjust the thread count. All these features are why I personally have been using Gobuster during pentest engagements. In this section, we are going to install Gobuster and run it against our...

Web application scanning with feroxbuster

As you can tell from the last section, I am a huge fan of Gobuster; however, after reading an article that @_johnhammond reposted, written by Robert Scocca, titled Upgrade your Hacking Tools (the link can be found here: https://robertscocca.medium.com/upgrade-your-common-hacking-tools-45ba700d42bb), I have been leaning toward feroxbuster. I give John a shoutout as he is an amazing influencer in the pentesting space. He contributes a wealth of knowledge to tryhackme.com. If you join, you will surely see his influence on multiple rooms and the next holiday challenge. John happened to repost the blog by Robert Scocca, and like most committed members of this community, I was curious about the tools suggested to upgrade.

The focus areas were netcat, nmap, gobuster, and the Python server. I was intrigued by the nmap and gobuster topics. So, I quickly scrolled past pwncat, which is the replacement for netcat – no offense, Robert ;). Lo...
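An added example, not code from the book or from any of the tools it names, showing what a RustScan-style sweep (the "all 65K ports in 3 seconds" behaviour described above) and a Gobuster/feroxbuster-style directory brute force look like from the defender's side. The log lines are constructed, and the names parse and sweep_sources are assumed; the detector flags a single source that reaches many distinct ports, or many distinct 404'd paths, inside a short window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not from the book). In CONN_LOG one host probes five
# ports on the SCADA VM inside a second, as a RustScan sweep of all 65K ports
# would; a second host opens one connection. Addresses and ports are sample values.
CONN_LOG = """\
2021-12-01T10:00:00 10.0.0.5 -> 10.0.0.20:8088 SYN
2021-12-01T10:00:00 10.0.0.5 -> 10.0.0.20:8043 SYN
2021-12-01T10:00:00 10.0.0.5 -> 10.0.0.20:502 SYN
2021-12-01T10:00:01 10.0.0.5 -> 10.0.0.20:22 SYN
2021-12-01T10:00:01 10.0.0.5 -> 10.0.0.20:443 SYN
2021-12-01T10:02:00 10.0.0.7 -> 10.0.0.20:8088 SYN
"""
# Access log of the HMI web server: one client hammers guessed paths (404s).
ACCESS_LOG = """\
2021-12-01T10:05:00 10.0.0.5 "GET /admin HTTP/1.1" 404
2021-12-01T10:05:00 10.0.0.5 "GET /backup HTTP/1.1" 404
2021-12-01T10:05:01 10.0.0.5 "GET /config HTTP/1.1" 404
2021-12-01T10:05:01 10.0.0.5 "GET /test HTTP/1.1" 404
2021-12-01T10:05:01 10.0.0.7 "GET / HTTP/1.1" 200
"""

# Each pattern yields the same three named groups; HTTP_RE only matches 404s.
CONN_RE = re.compile(r"^(?P<t>\S+) (?P<src>\S+) -> \S+:(?P<target>\d+) SYN$")
HTTP_RE = re.compile(r'^(?P<t>\S+) (?P<src>\S+) "GET (?P<target>\S+) HTTP/1\.1" 404$')

def parse(log, pattern):
    """Yield (time, source, target) for every line the pattern matches."""
    for m in filter(None, map(pattern.match, log.splitlines())):
        yield datetime.fromisoformat(m["t"]), m["src"], m["target"]

def sweep_sources(events, threshold, window_s):
    """Return sources that reached >= threshold distinct targets within window_s seconds."""
    recent = defaultdict(deque)  # source -> (time, target) pairs still inside the window
    flagged = set()
    for t, src, target in sorted(events):
        q = recent[src]
        q.append((t, target))
        while t - q[0][0] > timedelta(seconds=window_s):
            q.popleft()
        if len({target for _, target in q}) >= threshold:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    print("port sweep from:", sweep_sources(parse(CONN_LOG, CONN_RE), 5, 2))
    print("directory brute force from:", sweep_sources(parse(ACCESS_LOG, HTTP_RE), 4, 5))
```

The thresholds are deliberately low so the constructed samples trigger; on a real ICS segment they should be tuned against the normal number of ports and paths an operator workstation touches.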

Summary

When I first started in the industry, running these enumerations would reveal a treasure trove of vulnerabilities, but as the industry's security posture has matured, and more security individuals have entered this space, finding the low-hanging fruit, as it were, has become harder and harder. Staying ahead of tools, patching, monitoring, and security personnel is a constant struggle, but with perseverance and continual training, it is possible. That is why we looked at both traditional tools, such as NMAP and Gobuster, and newer tools, such as RustScan and feroxbuster, in this chapter. Learning how to use these tools for port scanning and web application enumeration will help you complete a successful engagement in the future.

In the next chapter, we will be looking deeper at the protocols that drive industrial equipment and how we can leverage these protocols to take control of systems in the industrial network.
