8 Best GitHub Repos to Master OT/ICS Cybersecurity for FREE (Hands-On Labs & Tools) + Video

Introduction:

Operational Technology (OT) and Industrial Control Systems (ICS) form the backbone of critical infrastructure, from power grids to water treatment plants. Unlike traditional IT, securing these environments requires specialized knowledge of proprietary protocols, real-time constraints, and physical safety implications. With threats like Industroyer and TRITON targeting these sectors, hands-on practice is essential. Here are eight free GitHub repositories that provide virtual labs, packet captures, and penetration testing tools to build and test your OT/ICS cybersecurity skills.

Learning Objectives:

  • Set up realistic OT/ICS virtual lab environments for safe offensive and defensive practice.
  • Analyze industrial network traffic by exploring packet captures of protocols like Modbus and Profinet.
  • Deploy and utilize specialized penetration testing tools and honeypots to understand attacker techniques in OT environments.

You Should Know:

1. Building Your Virtual OT Range: GRFICSv3 and LabSHOCK

To understand OT security, you need a safe space to simulate attacks. The Graphical Realism Framework for Industrial Control Simulation (GRFICSv3) is a standout project. It provides a full-stack simulation, allowing you to visualize a 3D industrial plant (like a chemical tank) while interacting with the control logic. You can see the physical impact of your cyber actions in real time.

– Step‑by‑step guide:
1. Clone the repository: `git clone https://github.com/dformby/grficsv3.git`
2. Navigate to the directory: `cd grficsv3`
3. Install dependencies: Ensure you have Vagrant and VirtualBox installed. Run `vagrant plugin install vagrant-reload`.
4. Launch the environment: `vagrant up`. This will build the entire virtual network, including a PLC, HMI, and attacker machine.
5. Access the attacker machine: Use `vagrant ssh attacker` to enter the Kali-based machine and begin your exercises, such as ARP spoofing or Modbus register manipulation.

2. Analyzing Industrial Protocols with Packet Captures

OT protocols often lack basic security features. Analyzing real traffic is the best way to spot anomalies. The OT-PCAPs repository is a goldmine for this, offering captures from Modbus, DNP3, Profinet, and more.
– Step‑by‑step guide:
1. Download a sample: Clone the repo `git clone https://github.com/automayt/OT-PCAPs.git` or download a specific Modbus PCAP.

2. Open in Wireshark: `wireshark ./OT-PCAPs/Modbus/modbus_slaveID_0.pcap`

3. Apply a display filter: In Wireshark, type `modbus` to isolate only Modbus traffic.
4. Analyze function codes: Look for Function Code 16 (Write Multiple Registers) or Function Code 6 (Write Single Register). These are critical write operations that, if malicious, could alter physical processes. Use `tshark -r modbus.pcap -Y "modbus.func_code == 16" -V` to view these packets on the command line.
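
The function-code check from step 4 can also be scripted. The following is an added example, not code from the original post or from the OT-PCAPs repository: it parses the Modbus/TCP MBAP header and flags every write request, covering FC 5 and FC 15 (coil writes) in addition to the FC 6 and FC 16 named above. It assumes the input is the TCP payload of client requests already extracted from a capture; the function names are hypothetical and the sample frames are constructed.

```python
import struct

# Modbus function codes that change device state (writes).
WRITE_FUNCS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus/TCP ADU (TCP payload) into a dict, or None if malformed."""
    if len(payload) < 8:                      # 7-byte MBAP header + function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol ID must be 0; Length counts the unit id plus the PDU bytes.
    if proto != 0 or length < 2 or len(payload) < 6 + length:
        return None
    pdu = payload[7:6 + length]
    func = pdu[0]
    rec = {"tid": tid, "unit": unit, "func": func, "write": func in WRITE_FUNCS}
    if func in WRITE_FUNCS and len(pdu) >= 5:
        addr, word = struct.unpack(">HH", pdu[1:5])
        rec["addr"] = addr
        # FC 5/6 carry the value; FC 15/16 carry the quantity of items written.
        rec["value" if func in (5, 6) else "count"] = word
    return rec

def find_writes(payloads):
    """Return parsed records for every request that writes to the device."""
    out = []
    for p in payloads:
        rec = parse_modbus_tcp(p)
        if rec and rec["write"]:
            out.append(rec)
    return out

# Constructed sample requests (not taken from the OT-PCAPs repository).
SAMPLES = [
    bytes.fromhex("000100000006010300000002"),            # FC 3 read holding registers
    bytes.fromhex("000200000006010600100bb8"),            # FC 6 write register 16 = 3000
    bytes.fromhex("00030000000b0110002000020400010002"),  # FC 16 write 2 registers at 32
    bytes.fromhex("0004000100060106"),                    # bad protocol id, truncated
]

if __name__ == "__main__":
    for w in find_writes(SAMPLES):
        print(WRITE_FUNCS[w["func"]], w)
```

Responses to FC 5 and FC 6 echo the request, so filter on destination port 502 before feeding payloads in if you only want to count requests.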

3. Deploying an OT Honeypot: Conpot

Honeypots are decoy systems designed to lure attackers. Conpot is a low-interactive ICS honeypot that emulates industrial protocols like Modbus and S7comm, making it perfect for studying attacker behavior without risking real gear.
– Step‑by‑step guide (Linux):

1. Install via pip: `pip install conpot`
2. Initialize a default configuration: `conpot --template default -f` (The `-f` flag keeps it in the foreground for debugging).
3. Modify the configuration: To change which protocol it listens on, edit the `conpot.cfg` file. For example, to change the Modbus port, find the `[bash]` section and update `port = 5020`.
4. Test the emulation: From another machine, use `nmap -p 5020 <honeypot_ip>` to see if the port is open. For deeper testing, use a Modbus client tool like `modbus-cli` to read a coil: `modbus read -p 5020 <honeypot_ip> 1`.

4. Using ICS Penetration Testing Suites: ICS-Security-Tools

This repository is a curated list of scripts and tools. Among the most powerful included tools are `modbus-tk` and exploit scripts for known PLC vulnerabilities. Learning to use these helps you think like an attacker to build better defenses.
– Step‑by‑step guide:
1. Clone the tools list: `git clone https://github.com/ITI/ICS-Security-Tools.git`
2. Explore Modbus scripts: Navigate to the scripts directory. Often, security researchers provide Python scripts to scan for open Modbus units.
3. Run a Modbus scan (example): If you have your lab running, you can write a simple script using the `pymodbus` library to discover slave IDs. A common command-line approach using `nmap` is: `nmap --script modbus-discover -p 502 <target_ip>`. This script queries Unit IDs 1-254 to find active PLCs.

5. Simulating Attacks with the “List of OT/ICS Pentesting Tools”

Another excellent resource is the “List of OT/ICS Pentesting Tools”, which aggregates links. It highlights tools like MODBUS Pentest Tool and ISF (Industrial Exploitation Framework). ISF is a Python-based exploit framework similar to Metasploit but designed for ICS protocols.

– Step‑by‑step guide (ISF):
1. Clone ISF: `git clone https://github.com/dark-lbp/isf.git`
2. Run the framework: `cd isf` then `python isf.py`
3. Search for exploits: Inside the ISF console, type `search siemens` to find exploits for Siemens S7 PLCs.
4. Use an exploit: Type `use exploits/siemens/s7_300_400_plc_control` to load a specific module.
5. Show options: Type `show options` and set the target IP with `set RHOST 192.168.1.10`. Type `run` to execute, which might attempt to stop the PLC, demonstrating the importance of network segmentation.

6. Leveraging T-Mobile’s Honeypot: GasPot

GasPot is specifically designed to simulate gas station tank gauges, which are surprisingly vulnerable entry points. It helps security teams understand the specific telemetry used in the fuel sector.
– Step‑by‑step guide:
1. Clone the repository: `git clone https://github.com/sjhilt/GasPot.git`
2. Install requirements: `cd GasPot` and run `pip install -r requirements.txt`
3. Configure: Edit `GasPot.ini` to change the listening ports or the range of possible gauge IDs it should emulate.
4. Run the honeypot: `python GasPot.py -f GasPot.ini -p 12345` (replacing 12345 with your desired port).
5. Monitor logs: GasPot logs all connections and commands sent to it. Check the `gasPot.log` file to see if anyone is probing for gas gauge controllers on your network.

What Undercode Say:

  • Key Takeaway 1: OT security is not just IT security with different labels; it requires dedicated labs and protocol-level knowledge to understand the “cyber-to-physical” bridge.
  • Key Takeaway 2: Free, open-source resources like these democratize access to critical infrastructure security training, allowing defenders to practice offense and honeypot deployment in safe, virtual sandboxes.

The availability of these eight GitHub repositories represents a paradigm shift in how we train the next generation of OT defenders. By lowering the barrier to entry, they empower blue teams to simulate complex attacks like PLC manipulation and Man-in-the-Middle (MitM) on industrial protocols without purchasing expensive hardware. However, the gap remains between simulation and reality; the true test will be how well practitioners can translate skills learned on these frameworks to legacy brownfield sites where a single packet can cause physical damage. The community must continue to build bridges between open-source labs and real-world industrial resilience.

Prediction:

As OT environments become increasingly connected to IT for business efficiency, the attack surface will expand exponentially. Consequently, we will see a surge in automated attack tools targeting these very protocols. The future of ICS defense will rely heavily on AI-driven anomaly detection trained on datasets derived from these PCAP repositories, making proactive hunting for threats like rogue Modbus writes a standard practice rather than a niche skill.
