Free OT Hacking Lab in 5 Minutes: How Labshock is Disrupting Industrial Security Training + Video


Introduction:

The days of relying on static documents, network diagrams, and PowerPoint slides to secure critical infrastructure are over. As industrial environments become increasingly digitized, threats targeting Operational Technology (OT) have evolved from theoretical risks to real-world headlines. To truly defend an industrial control system (ICS), security professionals need a dynamic, interactive environment where they can build, break, and fix real networks. Labshock is an open-source, containerized platform that answers this call by allowing anyone to deploy a complete, network-ready OT security lab in minutes—not days.

Learning Objectives:

  • Build a complete virtual ICS/OT network from scratch using a drag-and-drop builder.
  • Perform reconnaissance and vulnerability scanning on industrial protocols like Modbus.
  • Execute a realistic cyber attack by modifying a PLC coil to manipulate a simulated oil refinery process.
  • Deploy and configure an Intrusion Detection System (IDS) to monitor and alert on malicious OT traffic.

You Should Know:

1. Installing Labshock on a Virtual Machine (The Smart Way)

Labshock runs on Docker, meaning it can be deployed on any Linux host, a Windows Subsystem for Linux (WSL) instance, or a dedicated virtual machine. For a safe, isolated environment, using a hypervisor like VMware or VirtualBox is highly recommended. The core idea is to create a sandbox where offensive actions can’t accidentally impact production systems.

The installation process relies on Docker Compose to orchestrate the various containers, including the OT network, penetration testing tools, SCADA interfaces, and PLCs.

Step-by-step guide:

  1. Prepare the host: Spin up a fresh Ubuntu 22.04 or 24.04 VM. Ensure you create a snapshot before proceeding in case of errors.
  2. Install Docker: Use the official Docker repository script to ensure you get the latest version.
    #!/bin/bash
    set -e
    # Uninstall old Docker versions (ignore packages that are not installed)
    for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove -y $pkg || true; done
    # Prepare system
    sudo apt-get update
    sudo apt-get install -y ca-certificates curl gnupg lsb-release
    # Add Docker's GPG key and repository
    sudo install -m 0755 -d /etc/apt/keyrings
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo tee /etc/apt/keyrings/docker.asc > /dev/null
    sudo chmod a+r /etc/apt/keyrings/docker.asc
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    # Install Docker Engine and plugins
    sudo apt-get update
    sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
    
  3. Clone and run Labshock: Download the Labshock repository from GitHub and bring up all containers.
    git clone https://github.com/zakharb/labshock.git
    cd labshock
    docker compose up -d
    
  4. Access the pentest environment: Labshock includes a dedicated penetration testing container accessible via SSH on port 2222. This is where you will run your attack tools.
    ssh pentest@localhost -p 2222
    # Password: pentest
    

2. Scanning the Industrial Network with Nmap

Once Labshock is running, the OT environment is a living network with a SCADA system, PLCs, and HMIs. The first step for any attacker or defender is reconnaissance. Traditional network scanning with Nmap works, but OT protocols require specific scripts to identify services like Modbus (port 502) or S7 (port 102).

Step-by-step guide:

  1. From within the `pentest` container, perform a preliminary scan to discover live hosts in the OT subnet.
    # Discover hosts on the OT subnet (adjust the IP range to your lab)
    nmap -sn 192.168.2.0/24
    
  2. Run a more detailed scan on the discovered PLC (typically 192.168.2.10) to identify open ports and service versions.
    # Service and version detection on key OT ports (Modbus, S7, DNP3, EtherNet/IP)
    nmap -sV -p 502,102,20000,44818 192.168.2.10
    
  3. Use Nmap’s Modbus script to enumerate PLC information without causing any state changes.
    # Enumerate Modbus device information (non-intrusive)
    nmap --script modbus-discover -p 502 192.168.2.10
    

3. Weaponizing Modbus: Taking Control of Industrial Pumps

Modbus is a widely used industrial protocol that lacks strong authentication. By writing to Modbus coils (binary output points), an attacker can turn pumps on or off, open valves, or alter physical processes. In Labshock’s oil refinery simulation, this attack directly manipulates the “Gasflow Terminal” industrial process.

Step-by-step guide:

  1. Install `modbus-cli` inside the `pentest` container. This Ruby-based tool allows reading and writing of Modbus coils and registers from the command line.
    # Update packages, install Ruby, and install modbus-cli
    sudo apt update
    sudo apt install ruby-full -y
    gem install modbus-cli
    # Add the gem binary directory to your PATH (adjust the Ruby version to match your install)
    echo 'export PATH="$HOME/.local/share/gem/ruby/3.3.0/bin:$PATH"' >> ~/.bashrc
    source ~/.bashrc
    
  2. Read the current state of coils to understand the process. In the refinery, Coil 1 represents Pump 1.
    # Read 10 coils starting from address 1
    modbus read 192.168.2.10 1 10
    
  3. Write to a coil to change the state of a pump. Turning off a critical pump will cause a safety alarm and disrupt the process in the SCADA interface.
    # Write a value of 0 (OFF) to coil address 9 (zero-based), which controls Pump 2
    modbus write 192.168.2.10 9 0
    

4. Building a Detection Layer: Deploying Zeek IDS for OT Traffic

Visibility is the foundation of security. Labshock integrates Zeek (formerly Bro), a powerful network security monitor, as its IDS service. Unlike signature-based tools, Zeek uses a flexible scripting engine to analyze protocol behavior, making it ideal for detecting anomalies in OT environments where custom industrial protocols are common.

Step-by-step guide:

  1. The Zeek IDS service is defined in the Labshock `docker-compose.yml` file. To enable it, modify the configuration to use the official Zeek image and mount volumes for logs and site scripts.
    # Zeek IDS service; the trailing "local" argument makes Zeek load site/local.zeek
    zeek:
      image: zeek/zeek:latest
      container_name: zeek-ids
      network_mode: "host"
      volumes:
        - ./zeek/logs:/usr/local/zeek/logs
        - ./zeek/scripts:/usr/local/zeek/share/zeek/site
      command: /usr/local/zeek/bin/zeek -i eth0 local
      restart: unless-stopped
    

  2. After restarting the container (docker compose restart zeek), Zeek will begin monitoring traffic on the OT network. It will generate detailed logs for every connection, including Modbus function codes and values.
  3. To detect a Modbus write command (the attack performed earlier), you can create a simple Zeek script that logs any `Write Multiple Registers` or `Write Single Coil` request. Place this script in the `./zeek/scripts/local.zeek` file.

    # Zeek script to detect Modbus write commands; Zeek's Modbus analyzer raises *_request events and passes the coil value as a bool
    event modbus_write_single_coil_request(c: connection, headers: ModbusHeaders, address: count, value: bool) {
        print fmt("ALERT: Modbus Write Single Coil on address %d with value %s from %s", address, value, c$id$orig_h);
    }
    event modbus_write_multiple_registers_request(c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters) {
        print fmt("ALERT: Modbus Write Multiple Registers (%d registers from address %d) from %s", |registers|, start_address, c$id$orig_h);
    }
    
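The Modbus/TCP write requests that sections 3 and 4 deal with, decoded and flagged in a Python example added here (not Labshock or Zeek code): it parses the MBAP header and function code of each frame, rejects malformed frames, and alerts on write function codes from any host that is not allow-listed. The frames, the HMI address 192.168.2.20 and the pentest address 192.168.2.50 are constructed; only the PLC at 192.168.2.10 comes from the article.

```python
import struct

# Modbus function codes that change PLC state (write requests), keyed by code
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and the start of the PDU of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError(f"unexpected protocol identifier {pid}")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    rec = {"tid": tid, "unit": uid, "fc": fc, "write": fc in WRITE_FUNCTIONS}
    data = frame[8:]
    if fc == 5 and len(data) == 4:            # address + 0xFF00 (ON) / 0x0000 (OFF)
        addr, val = struct.unpack(">HH", data)
        rec.update(address=addr, value=(val == 0xFF00))
    elif fc == 6 and len(data) == 4:          # address + 16-bit register value
        addr, val = struct.unpack(">HH", data)
        rec.update(address=addr, value=val)
    elif fc in (1, 2, 3, 4, 15, 16) and len(data) >= 4:  # start address + quantity
        addr, qty = struct.unpack(">HH", data[:4])
        rec.update(address=addr, quantity=qty)
    return rec

def alert_on_writes(frames, allowed_hosts=frozenset()):
    """Return one alert line per write request whose source is not an allow-listed host."""
    alerts = []
    for src, frame in frames:
        rec = parse_modbus_tcp(frame)
        if rec["write"] and src not in allowed_hosts:
            alerts.append(f"ALERT: {WRITE_FUNCTIONS[rec['fc']]} from {src} "
                          f"address={rec.get('address')} value={rec.get('value')}")
    return alerts

# Constructed sample traffic to the PLC: a coil read from the HMI (allowed), then a
# coil write (coil 8 -> OFF) and a register write from the pentest host (not allowed).
SAMPLE_FRAMES = [
    ("192.168.2.20", bytes.fromhex("00010000000601010000000A")),
    ("192.168.2.50", bytes.fromhex("000200000006010500080000")),
    ("192.168.2.50", bytes.fromhex("000300000009011000000001020001")),
]

if __name__ == "__main__":
    for line in alert_on_writes(SAMPLE_FRAMES, allowed_hosts={"192.168.2.20"}):
        print(line)
```

Feeding real captures (for example, the payloads Zeek or tcpdump sees on port 502) through `alert_on_writes` gives the same allow-list check as a one-off script without a full IDS.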

5. Exporting, Sharing, and Replaying Realistic OT Telemetry

One of Labshock’s most powerful features is the ability to export a complete lab configuration as a portable file. You can drag-and-drop a router, add a PLC, connect an attacker machine, and the system will automatically assign IPs, build routing tables, and create the network structure. This config can be shared with colleagues or students, ensuring a perfectly reproducible training environment.

Step-by-step guide:

  1. In the Labshock web builder interface, construct your industrial network by dragging components onto the canvas.
  2. Once the virtual network is running, navigate to the “Export Lab” function. The platform will export a `.labshock` file that contains the entire network state and service configurations.
  3. To load a shared lab on a different machine, drag the exported file into a new Labshock instance. The system will rebuild the exact same network, including all service connections and routing rules. This allows blue teams to test detection rules against a standardized, repeatable set of OT events.

6. Integrating a SIEM: Sending OT Logs to Splunk

OT SIEM (Security Information and Event Management) is essential for correlating industrial alerts with IT events. Labshock supports one-click integration with a Splunk container. This allows practitioners to collect logs from Zeek, PLCs, and the SCADA system into a centralized platform to build and test correlation rules.

Step-by-step guide:

  1. In Labshock, navigate to the “Integrations” section and select “Deploy Splunk”. The platform will automatically download and start a Splunk container connected to the OT network.
  2. Configure log forwarders from the Zeek IDS and the OpenPLC to send syslog data to the Splunk Heavy Forwarder.
  3. In Splunk, create an alert rule that correlates “Modbus write command detected by Zeek” with “Successful SSH login to PLC from external IP”. This rule would detect an attacker establishing a foothold and then manipulating control logic.
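The correlation rule in step 3, as an added Python example (not Labshock or Splunk code) that runs the same logic offline over constructed Zeek `ssh.log` and `modbus.log` lines: a Modbus write to a PLC is only alerted on when a successful SSH login to that PLC from outside the OT subnet preceded it. The field and function names are Zeek's; the abbreviated field sets, the 192.168.2.0/24 OT subnet, the ten-minute window and the addresses 10.0.0.5, 192.168.2.20 and 192.168.2.50 are assumptions.

```python
from ipaddress import ip_address, ip_network

OT_SUBNET = ip_network("192.168.2.0/24")  # assumption: the lab's OT subnet
WINDOW_SECONDS = 600                      # assumption: login must precede the write by <= 10 min
WRITE_FUNCS = {"WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER",
               "WRITE_MULTIPLE_COILS", "WRITE_MULTIPLE_REGISTERS"}

def parse_zeek_tsv(text: str):
    """Turn a Zeek TSV log (with its #fields header) into a list of row dicts."""
    fields, rows = None, []
    for line in text.strip().splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def correlate(ssh_rows, modbus_rows):
    """Return (attacker, plc, func) for each Modbus write preceded by an external SSH login to that PLC."""
    footholds = [(float(r["ts"]), r["id.orig_h"], r["id.resp_h"]) for r in ssh_rows
                 if r["auth_success"] == "T" and ip_address(r["id.orig_h"]) not in OT_SUBNET]
    hits = []
    for m in modbus_rows:
        if m["func"] not in WRITE_FUNCS:
            continue
        for ts, attacker, plc in footholds:
            if plc == m["id.resp_h"] and 0 <= float(m["ts"]) - ts <= WINDOW_SECONDS:
                hits.append((attacker, plc, m["func"]))
    return hits

# Constructed sample logs with abbreviated Zeek field sets: one external login to the
# PLC, one internal login, and three Modbus requests (one inside the window, one outside).
SSH_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tauth_success
1700000000.0\t10.0.0.5\t192.168.2.10\tT
1700000100.0\t192.168.2.20\t192.168.2.10\tT"""
MODBUS_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tfunc
1700000050.0\t192.168.2.20\t192.168.2.10\tREAD_COILS
1700000200.0\t192.168.2.50\t192.168.2.10\tWRITE_SINGLE_COIL
1700001500.0\t192.168.2.50\t192.168.2.10\tWRITE_SINGLE_COIL"""

if __name__ == "__main__":
    for hit in correlate(parse_zeek_tsv(SSH_LOG), parse_zeek_tsv(MODBUS_LOG)):
        print("ALERT foothold followed by control-logic write:", hit)
```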

What Undercode Say:

  • Industrial security training is no longer gated by expensive hardware. Labshock democratizes OT security by providing a free, repeatable, and realistic cyber range that runs on a standard laptop.
  • The platform shifts the focus from infrastructure maintenance to active defense. By exporting and sharing lab configurations, security teams can collaborate on threat hunting and detection engineering with a common, behavior-driven baseline.

Prediction:

As the lines between IT and OT blur, the demand for hands-on, simulation-based training tools will explode. Labshock and platforms like it will become the standard for OT security certification programs and corporate incident response teams. In the next 18 months, we can expect to see a wave of community-developed attack scripts and detection rules built specifically for Labshock, turning it into the de facto Metasploit framework for industrial control systems.

Reported By: Zakharb Labshock – Hackers Feeds