Industrial Control Systems : Pentesting PLCs 101 (Part 1/2)

Welcome to this SCADA workshop, which is called "Industrial Control Systems: Pentesting PLCs 101". Just a quick reminder: that means it's going to be an introductory class, do not expect any 0-days this afternoon. The goal is to give you some knowledge about how you can pentest those devices, what is specific to those devices, and what attack techniques you can use. So basically that's the point. I'm sorry we start a bit late, but we had some issues with the hardware that I brought; some things broke during the travel.

Just ten seconds about me. My name is Arnaud Soullié, I'm French, I work at Solucom, which is a French management and IT consulting company; obviously I work in the IT part. What are my interests? I work in security, mostly as a pentester, so I perform all kinds of web application penetration tests, network penetration tests, thick clients and also industrial control systems. I have a specific interest in Windows Active Directory issues; I gave a talk at a French security conference earlier this year, so there's actually a mistake on the slide: it's this year, not last year. And also I like wine a lot, but this topic will not be covered today.

Okay, so this is a workshop, so I expect you to ask all the questions you want during the workshop, no need to wait until the end. There are going to be two parts. The first one will be an introduction to ICS, so it's going to be mostly slides, and in the second part I will give you a virtual machine with some exercises to do, firstly on simulators, and then we're going to try to access those devices and try to understand how we can pwn them. So I will give you USB keys; it's a VirtualBox virtual machine which is Kali Linux. I think most of you should be familiar with this Linux distribution, it's used for penetration testing. I put some additional tools specific to ICS, so you will find ModbusPal, mbtget, plcscan, snap7 and also some Metasploit modules, and also some pcap samples and some scripts that I wrote. So I have the USB keys just here. What I suggest is that you copy the virtual machine and try to install it during the first part, so when you come back after the break everything works. I'm low on USB keys, but please share them with your neighbors. Okay, there you go.

So as I told you there will be two parts: one mostly with slides, which is going to be the ICS introduction and some specific knowledge about the Modbus protocol, and then the last part, attacking PLCs. I'm going to give you a quick word about what a PLC is right now. Here you have two different models: this one is from Siemens, this one is from Schneider. Those little devices are used in most plants or factories to allow automation of the process, so depending on the inputs, the value of some sensors, they will process this information and perform some kind of action with the outputs. Basically, okay.

So let's start with the introduction: what is an industrial control system, an ICS? It's divided into several parts. The lowest level one is what we call the production network, on which you can find sensors and actuators, which are basically the inputs and outputs of the PLCs. You can find some wireless networks; most of the time it's a classical Wi-Fi network, sometimes some specific proprietary tools can be used. We can also find some RTUs, which means remote terminal units; it's kind of a PLC but meant to be used remotely. Then we have the supervision network, that may also be called the SCADA network, on which you can find workstations with the supervision software installed. So this is where the operators, the people working at the plant or the factory, manage the process. You can also find some kind of laptops used for maintenance; for example the people working there take the laptop with them and connect directly to the PLCs or to other kinds of devices on the field. And of course you have some servers: some are dedicated to the SCADA supervision software that you use, and some servers are quite specific and are called data historians; their purpose is to store all the data from the process at all times in order to be analyzed later. So what we call ICS is basically the production network and the supervision network. Most of the time everything is somehow connected to the corporate network, where you can find all your applications and the users' workstations, because most of the time some data needs to be taken off the supervision network, for example from the data historian, and to be fed into some specific application in the corporate network, for example SAP or any other kind of ERP, that allows the people to have a better process, to be more efficient. So as a conclusion on this slide, basically what I would like to say is that you have to understand that a corporate information system only handles data, whereas what we call an ICS actually interfaces the data with the physical world. That means if you pwn it, if you send some packets, some real things will happen in the physical world: that may be a light that will be switched on or off, or any kind of physical action.

Next, just a bit of vocabulary, because I think it's important. ICS stands for industrial control system; I'm going to say that at least a thousand times this afternoon. It's exactly the same as IACS, which means industrial automation and control system, and as we saw earlier it's quite different from SCADA, which means supervisory control and data acquisition, because SCADA is only one part of the ICS. It's also different from DCS, which is another kind of process plant processing. However, what is also important to know: today most people tend to say SCADA for ICS, so if you encounter one of your clients that says they want a SCADA assessment, that could mean anything from the ICS: that can be the PLCs, the production network, or only the supervision software. That's the trend today.

Okay, if I continue, I will detail the role of the key components that we can find in an ICS. Please feel free to interrupt me if I forget something or if you know any kind of device that you can find. So the first kind of device is what I called earlier the sensors and the actuators. As I told you, these are the most low-level things you can find, so basically what we call a sensor could be some kind of switch like this one, and an actuator is something that performs an action depending on the information that is sent to it. On this picture you have a valve, so let's say you send some electric signal to the valve and it shuts off the valve or maybe it opens it. The next type of thing you can encounter is what we call a local HMI, so it means human machine interface. Over here we have one from Siemens. Most of the time the plants or factories are quite big, so the people are performing the supervision from one central room, but they also need to have some information when they are on the field. So in most plants you can find those tiny screens; sometimes they are touchscreens, sometimes there are only some buttons. It allows the operators to have some information about what is going on, or maybe before doing some kind of operation they can shut down the process locally, so that's quite important. PLCs, which are the subject of today, that means programmable logic controller: it manages all the sensors and the actuators. For example, in the picture it's also a PLC from Schneider. If we take a look here at this PLC, I'll come back to that later, but just quickly you can see that there is the power, that's what we call the CPU, so it processes the information, and then we have an input/output card that allows it to interact with the sensors and the actuators that I mentioned. Supervision screens: as I just told you, most of the supervision in plants or factories is done from a big room where you have those kinds of big screens with green or red lights depending on how the process goes, so that allows the people to have a high-level overview of how the plant or the factory is going. And then again the data historian, that's a server, so I didn't put any picture of a server but more a picture of data: it records all the data from the production networks and allows this data to be sometimes forwarded to the corporate network, where the people crunch all this data to try to make the process more efficient, or in case of incident, if something goes bad, they can look and see where the problem came from. Any questions so far? Okay.

Next, the security awareness timeline for SCADA systems. I think it's important to understand that there's quite a big shift nowadays in SCADA awareness. Before 2011, nobody cared about SCADA security; that's mostly right, except for specific industries, maybe in nuclear production they were doing some security, but most of my clients never asked, never mentioned the security of ICS before 2011. Then, oh my god, Stuxnet. Of course that was kind of a big deal because it made it to the news, and not only the specific IT or security newspapers, it was all over the place. So that was, at least for me and for my company, quite a game-changer, because we were asked a lot for ICS assessments and for ICS counseling, and maybe one day, as we do today for some of the corporate networks, we'll have some fancy dashboard that truly means nothing about the security level, but at least you have something.

Okay, so let's continue and let's try to find out what is wrong currently with the level of security of ICS. That's mainly based on what I've seen; please feel free to join in the conversation and add some things or tell me if I'm wrong. So the first part would be awareness and organization. From what I've been able to see, most of the time there is no security awareness for people working in the ICS field. They care about safety, which means the safety of the people working in the factory, the safety of the people living nearby the factory, and also they try not to pollute the environment. That's what we call safety, and it's quite different from security. So they think a lot about what could go wrong in the process in terms of safety of the people, but they really do not take into account the fact that someone could maybe remotely access the ICS and do some bad things. Also, it's kind of hard to find someone to talk to concerning security when you visit a plant or a factory. In corporate networks, most of the time we have chief information security officers; that's not the case for most ICS. Locally on the plant or factory sometimes only a few people are knowledgeable about IT, and that does not include security, so that's also kind of a very big deal.

Next subject: network segmentation. We're going to deep dive into that later, but let's say that from what I've been able to see, most of the time, as I told you, some data needs to get out of the ICS to be fed into some kind of network applications, and most of the time it's done wrongly. That means that sometimes you put some ICS devices on the Internet; that means that sometimes all your corporate network can access all the web interfaces of all your ICS. So when we are talking about big companies that have maybe 100,000 employees, that's too much, clearly. Sometimes the network segmentation is only done using some access control lists on the router; there is no real firewall, there is no real DMZ or data diode. So if an attacker can breach into your corporate network, and if there are some pentesters over here I'm sure they know that it's quite easy, it's also quite easy to jump from the corporate network to the ICS network most of the time.

Vulnerability management, also a hot topic. It's not easy to do vulnerability management right in the corporate network; it's quite harder in the ICS world. Most of the time, for the PLCs there are some security updates, so you have to update the firmware. The problem is that when you want to update the firmware you have to turn off your industrial process for a moment. So let's say you have a hundred PLCs; maybe your plant needs to be shut down for 1-2 days or maybe a week, and that's a big loss of money. Most of the time they run 24/7, so it's not possible to apply the patch during the night as we can do in the corporate network. So yeah, patches are published but rarely applied. If we talk about the classical IT components like Windows,
yeah, it's Windows XP or Windows 7 workstations. Since the ICS is not directly connected to the corporate network, they do not benefit from the WSUS systems, for example, so yes, even the Windows machines are mostly not patched. You have a question? No, actually no, I'm mostly talking about factories and plants, not smart meters, but I'm sure the security problems must be the same. But I've never assessed security on smart meters, so I really don't know, but there was a great talk yesterday about that, that was really interesting. Yeah, yes, but then you have to be sure that the update mechanism is secured, because as the people who did the talk yesterday mentioned, they were able to create some kind of worm that would spread itself by modifying the firmware of each smart meter. Okay, so that's mostly the industrial control systems you can find in plants and factories.

Yeah, let's continue with the security of protocols. As we will see later with Modbus, most of the time there was no security included in the protocols. That means no authentication, clear-text protocols, so once you have network access you basically have the possibility of doing everything that you want, which, combined with the fact that the network segmentation is loose, is kind of a big deal.

Just a quick word about third-party management. In most plants or factories that I've been to, there were a lot of specific devices managed only by a third party, so the client had to let the third party come and connect its specific computers, maybe its USB key, or even allow a remote connection to that specific device or to the whole ICS, to allow remote connection and debugging. And if you do not agree with that, then you lose the support, and you cannot take that risk. So that's also a big deal.

The next topic is security supervision, which is a hot topic in the corporate network: most of the time people try to focus not only on protection but also on the ability of detecting any security breach and responding to it. Funny thing is that ICS and SCADA is all about monitoring, but it's monitoring a process, and it's quite different from monitoring the security of a process. So the capabilities of the PLCs and other devices that you can find, in terms of logging, are most of the time quite low. At the moment I've never seen someone performing a real SIEM on ICS and correlating the logs; I think maybe in a few years we can see that, but at the moment I've never seen it. Any questions? Yeah. Yeah, but also for private swimming pools, you can find some private swimming pools on the Internet, yes. Yeah, that's true actually; if we take a look at those devices, the Schneider one is used in small factories and the Siemens one, I'm not sure it's used in factories, but that's the kind of device that I would want to purchase for my home because it's quite cheap and it's easy to program, it has relay outputs. So yes, this talk also includes the devices that you can find at home. Yes, recently, one of my clients, not on the ICS part, a client recently told me that in his building, which is a shared building, the heating was remotely controlled by someone from the Internet. So yeah, he was pretty scared for this winter.

Okay, next up, just a quick word about the ICS-CERT. It's a computer emergency response team that is specific to ICS. It's quite interesting to take a look at; at least if you want to perform some assessment on ICS and you're looking for known vulnerabilities in specific components, you have to go there and check the vulnerability bulletins. And actually the ICS-CERT is for the US, but most of the devices used are the same, so the vulnerabilities are the same. And just a quick word about the study they published last year: they listed over 200 attacks on ICS and some of them, around 80, were successful. So we also have to acknowledge that yes, there are vulnerabilities, and yes, they are being exploited right now. Okay, so now we will focus a bit on what a PLC is. You have a question? I think what they mean by 200 attacks is that somehow an incident was detected; it was not before the incident happened, it was after. Yeah, okay.

So what is a PLC? As I told you before, it's made to manage inputs and outputs; it's some kind of real-time computer. It was invented to replace electrical relays, because a few thousand years ago people were using electrical relays to perform the automation in plants and factories, but it was really expensive: when you wanted to modify the process you had to rewire everything, so that was costly. That's why they invented PLCs. And also, the last thing you have to know is that these devices are rugged; that means they work in a harsh environment, where there is dust, where there is electrical noise, where the temperature is not 18 degrees as in the data center. So it's quite different from a computer, but basically it's a real-time computer. On the right side of the slide you can see the S7-1200, which is the smallest PLC that I have; you can see the inputs, the outputs, there is a network connection for Ethernet, and that's the power. If we take a look at the same device but we try to look at what's inside, we see that there's the hardware; on top of it there's an operating system, for example on Schneider the operating system is VxWorks, so it's a real-time operating system; then you have some applications, most of the time you have a web server, sometimes an FTP server, an SNMP server; and on the other side you have the logic that you program into your PLC, and that is run through a middleware. In the past some people have discovered vulnerabilities in those middlewares, and that allowed them to compromise several PLCs, because some of them rely on the same middleware.

Okay, so to understand how a PLC works, it's also interesting to know how you program a PLC. The first programming language that was used, and that is still used today, is what we call ladder logic. It was called like that because it mimics the look of an electrical wiring diagram; you can see an example on the bottom left. But since then there was a standard published that defines five main programming languages. I'm not going to detail them, I'm just going to show you the examples: on the left, the ladder diagram, which mimics the real devices; in the middle you have the structured text example, so it's like programming in a classical programming language; and on the right you have the instruction list example, so as you can see it looks like assembly. So maybe now I'm trying to show you how the Schneider PLC is programmed, so you have a real example. Yeah, I'm just going to set up my screen. Can you see, at least somehow? So now I'm connected to the PLC, the Schneider one, that's the one on top. I'm going to transfer the program from the PLC to my computer; it should work. I'm sorry, everything is written in French. When you're using that kind of software you have to have a big screen because there are windows everywhere. That's, by the way, Unity Pro, that's the programming software that you have to use for most of the Schneider PLCs. So let's take a look at the code. It's really basic, just to show you an example. As you can see there are some lines that are green, the other ones are red; basically green means electricity is flowing and red means it's not. So for example here one light is lit because I just put this output to on, and the two others are switched off because light zero and light one are set to zero at the moment. So basically if I just delay this one... so that's ladder logic as I was explaining before. Now I can transfer it to the PLC. Yes, mostly; we will cover that in the second part of the workshop, because the way it's done by the software is quite funky, but yes. And it's absolutely not working, is it? Ah, maybe it's not in run mode. Yes, so now it's lit because the electricity is flowing. And I'll go back to what I've done previously if I can. Okay, so basically that was just to give you an idea of how it works and how it's programmed. The people that I met mostly use ladder logic, but I'm sure it depends on the company and the specific policy about that.

Okay, so let's go back to the slides. Next topic: I mentioned the usual lack of network segmentation, and I just wanted to give you some examples of what a real lack of segmentation looks like. That means: can we find SCADA on the Internet? You may know that the answer is yes. To do that I will demonstrate using Shodan. I'm sure you've heard of it; Shodan is basically a search engine that scans the whole IPv4 address space all the time and allows you to search for some specific devices or some specific versions of software. It's mostly free, while you have to pay to export all the results. What else can I say? Yes, in my personal experience, if I just buy a virtual machine on Amazon Cloud and I start an Apache server, within two hours, if you take a look at the logs, it has been scanned by Shodan, so that's quite efficient. Of course you can find some funny things: you can find PLCs like the Schneider and the Siemens, you can find some webcams, you can find some printers, some fridges maybe. They also have a quite good report on ICS, so they try to crunch all the data to find how many ICS can be reached from the Internet. However, you have to know that Shodan works in an opt-out mode; that means if you are an ISP and you do not want your IP addresses to be scanned by Shodan you can ask, so basically what you can find on Shodan is not the whole perimeter, it's only what they are allowed to scan. So if you want to do it yourself there are quite some tools: ZMap, masscan, there's also a French tool called IVRE, and I'm sure you can find some other online services that do the same. That's one example I saw on Twitter: there was someone scanning the Internet and finding this SCADA system which is actually a crematorium, so that was freely accessible and you could start the fire and everything. So that's the most funny example I have, but I'm going to try to connect to Shodan to show you if you can find some devices like the Schneider or maybe like the Siemens. Just looking for my phone, because I heard that the Wi-Fi is not working that well. Okay, let's see if it works. Yes, so basically that's the new version of Shodan; you have a new user interface that's quite funny. So let me input M340, which is the model of the Schneider PLC. So yes, they found some. I'm going to filter by country, I'm going to check out the ones in France, so there are not a lot, while even 40 PLCs connected to the Internet is quite strange. As you can see some interesting information can be found using Shodan, so you have the name of the project and other things. Let's click on details, maybe on this one, it's random, I do not know this one. Oh okay, so the part that was scanned was the SNMP one, so some information was sent back; that's not really interesting. You can find some that have Modbus enabled, so I'm sure we should find some. Yes, this one for example, everything is open, great: so you have the FTP port, so you have the list of available commands, you have the web interface, we're going to take a look at that later, SNMP of course, and Modbus, which allows you to have a precise version of the CPU as well as the version of the project, and that's all. So let me just see if it works; seems to work. Yeah, I'm going to try another one; I did not prepare that but I was sure to find some. Sorry, nope, no luck, not this one. Other, okay, so this one has even the telnet port, which is great; as you can see it's VxWorks, as I told you. Actually I do not know how it's possible to have telnet enabled; they succeeded, apparently. So yes, that's the real web interface of one PLC somewhere in France. I'm not going to try to log in with the default credentials, I'm sure that would be pretty illegal. And I'm going to do the same with the other kind of PLC that I have, which is the Siemens S7-1200. So yes, not a lot, but we can find some with a lot of open ports as well, still in France: so you have FTP, you have HTTP, that is strange, they must have some kind of port forwarding there because that's not the web interface of the Siemens, but there is the specific proprietary protocol S7 on port 102, so that's also quite dangerous. And just to finish, this new version of Shodan is quite great because of course you can see
the results on a map if you pay for it, I think, but you also have an exploits tab which allows you to have the list of exploits that may or may not work for those kinds of specific devices. So yeah, it's really all-inclusive. And let's go back. Okay, so that was all for the first part, which was the introduction. Do you have any questions? If not, we're going to switch to the second part, which is a description of the Modbus protocol, to understand how it works.

Yeah, I do not have the text on my computer, so Modbus is a serial communication protocol; it was invented a long time ago, I think it was 1979, by Schneider Electric. It was made specifically for industrial applications and it was royalty-free; that means if you were developing some PLCs or other kinds of ICS components it was free to implement the Modbus protocol. That's why now, at least in Europe and at least in France, it's one of the most widespread industrial protocols. It works in master/slave mode; that means the master has to poll the information from the slave at a regular interval, and you can only have around 250 slaves per Modbus master. And also you have to know that the data that you get is without any kind of context, so you have to know if you are querying a signed integer or an unsigned integer, because you just get the value, not any kind of object or description of the data. Security? Anyone? No, not really, as I told you before; so again it's the case for most industrial protocols: it's clear text, there is no kind of authentication. So let's say if I have a cable that is plugged into a network on which there is a Modbus-enabled device, I can freely ask for some data and also set data. Yeah, so Modbus was invented as a serial communication protocol, but now, since people tend to use classical Ethernet networks in the plants, there is a Modbus TCP version of the protocol that actually implements all the same security features. So yeah, it's basically the same protocol over TCP.

If we take a look at what a Modbus TCP frame looks like: there is a transaction identifier that helps making sure that when you get a response from the device, it corresponds to which request; then you have the protocol identifier, which is not really interesting because it's 0 all the time; you have a field for the remaining length of the packet; you have the address of the slave, so as we're talking TCP there is already the IP address that is used to know who you're talking to, so actually most of the time it's 0, 1 or 255 that is used when dealing with Modbus TCP; and then you have the function code and the data. Okay, now let's see which are the most basic functions that you can find in Modbus TCP. There are two big kinds of data: you have a coil, that means 0 or 1, and you also have what they call a register that stores some kind of word, that are 8-bit long. So yeah, the most basic functions allow to read and write coils and registers. I took this table from Wikipedia, so if you want more information about what kind of functions you can find on Modbus, go to Wikipedia. It's not only read and write; there are also some kind of diagnostic functions, then in some cases, depending on the implementation, you can also read some files from the device, and of course some of the function codes are not documented and are used by some manufacturers to perform some things.

Okay, so now what we can do is try to understand how Modbus works by taking a look at a network capture. So did anyone succeed in getting the USB key and the virtual machine? Yes, okay. So if you do not know, the account name is root and the password is root reversed, so that means toor. Okay, so in the files directory you should be able to find modbus1.pcap. Of course you have the classical warnings because you are running Wireshark as root, which is really not such a good idea. So the first thing we can do is try to filter out only the Modbus communications, so we can filter by TCP port: the TCP port used by Modbus is 502. So that was pretty useless, since in this precise capture I gave you only Modbus communications, but anyway. You can see that we have a 3-way TCP handshake and then we have the first Modbus request. So we can see that it complies with the description I made earlier: you have one transaction identifier, protocol identifier zero, six remaining bytes, and unit identifier is one. If we now take a look at the Modbus payload, we can see that the function code is three, which means reading registers; reference number means the address of the data, and here it is zero, so it's the first data, and we want to read sixteen words. Okay, and if we take a look at the answer from the device, you see that the transaction identifier is exactly the same, so that's the right answer. It's actually quite longer, which is a good sign because we asked for 16 words; function code is the same, and then you have several values. Is that clear for everyone? So if I go back to my slide, I think I was asking a question about a specific value. Yes, so in the capture you can see that there are some other requests, and I would like to know if you are able to tell me what's the value of register number 123 at the end. So if you can take a look at the capture file, it's quite easy, you can just scroll to the end and it's kind of the last packet, I think. As you can see Wireshark actually has a pretty good dissector for this protocol, so it's really easy to understand how it works: you have several queries and the answers. Did somebody find the answer? Okay, I'm just going to tell you then. Let's see. Okay, so here we are asking to read some values and I think that's the good one, yeah, that's actually this one, and I'm going to explain to you why. If we take a look at the query, we asked to read some registers and the reference number was 120, so we wanted to read 120, 121, 122 and 123, and if we take a look at the answer, which bears the same transaction identifier, we can see that the value is 57005, which means, if you take a look at the bottom of the screen at the hex value, it's actually DEAD. So that was the answer. You have to know that depending on the implementation, in some software implementations sometimes the register address starts at 0, sometimes at 1, so that's also something you have to take into account.

Okay, I think there will be a break in about 10 minutes if I'm not wrong, so what we can do is do another exercise on Modbus, this time using a Modbus simulator. So included in the virtual machine you have ModbusPal, that is a Java Modbus simulator. If you're developing some specific tools or you're trying to understand how Modbus works, it's quite interesting to have a simulator, because you do not have a PLC all the time just around. So to launch it, it's quite easy: you just go into the right directory, which is tools, and then you run java -jar and the name of the program, which is ModbusPal, and I'm going to walk you through it. Okay, so we go to the tools directory and then we start the simulator, which actually has a nice GUI. Yes, here it is. Next, the first thing to do is to try to add some slaves, because as I mentioned before it's a master/slave protocol. So I'm just going to add one slave; you put any funny name that you want. Okay, so you can add a second one if you want, that doesn't matter. Okay, so let's see, if I want to modify the values of this first slave, I'm going to click on the big eye, and then you see you have several tabs, one for the coils. So I'm going to click on add, and then just next, next, next, add, so you see now I can modify the value of all the coils. So I'm going to do it; let's see, if I try to input five, actually it inputs one, since as I told you the value is 0 or 1 for a coil. And for a register you can do the same: you add and then try to modify some value at the address that you want. Once it's done you just close the windows, click on run, and then you have a Modbus device listening on localhost, so that's kind of convenient. There are two tools that we're going to use to perform those queries, but maybe, yeah, let's just do one before the break. It's a Perl tool that is called mbtget, so if you want to take a look at the source code you can. It's a command line tool, it's quite easy to understand, it's also in the tools directory. If you want to perform some requests you use the -r1 switch for the coils and the -r3 switch for the words, then you have to pass the address, of course, the number of words or coils that you want to read, so that's the -n switch, and then the IP address. Okay, let's see, so I'm opening up a new tab. So let's see, I will use the -r1 switch to read the value of some coils starting at address zero, and I want to read eight of them, and then I just input my IP address, and you see that the values are 1 1 1 and then only zeros. I'm going to do a double check by looking for the
gooey on the coils and you can see that I have 1 1 1 and then only zeros so I’m just going to modify it and if I pair from the same request the first value should be 0 and it is does that work for those of you who are performing the test sorry which one the mad misspell okay because it runs on part 502 yeah sure that’s why we do not have this kind of problems in Cali since you’re running everything in route which is a very bad idea of course from a security point of view okay so let’s do the same kind of request on registers which stores let’s say longer values so you can see that I have one two three four five and that should be the same if I take a look at here yes that’s the same I’m just going to changed the five to six and it works of course if I want to I

can also modify the value by using the switch w6 and inputting a any address let’s say address one so it’s a worldwide okay and if I take a look in the GUI I have twelve at the address number two whereas I ask for address one which is a different because there is an offset in let’s say as I told you some software use zero as the first value some other use one as the first value so is it working for everyone do you have any kind of question nope okay just continue and try to modify the coil because that’s another possibility I do not I do not remember the exact command someone to look at the ALP so if you want to work with w5 case that should have worked this one and if I do the same with the value 0 then it’s 0 okay great I think if you do not have any other question we can take our break what are we going to do after the break we’re going to do the same kind of request using a Metasploit because there is an integrated Modbus client auxiliary module and then after I’m going to try to set up a Wi-Fi network so those of you which are interested can perform the same test as me on the real devices and by those tests I mean performing some kind of four week on using nmap or PLC scan then we are going to use the same tool and BT get on Metasploit to perform mud base request to the schneider plc and then i’m going to try to show you let’s say one or two vulnerability in the schneider plc that’s allow an authenticated stop and start on maybe we can try to retrieve the program without being authenticated
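As an added example (my own, not part of the workshop materials or its VM): a small Python parser for the Modbus/TCP frames walked through in the capture exercise, which pairs a function-code-3 request with its response by transaction identifier, rejects exception responses, and applies the 0-versus-1 register numbering offset mentioned with mbtget. The two sample frames are constructed to mirror the exercise (reference 120, four words, DEAD in the last one); they are not bytes taken from the talk's capture.

```python
import struct

# Constructed sample frames (not taken from the talk's capture): a function-code-3
# "Read Holding Registers" request for 4 words at reference 120, and its response.
REQUEST = bytes.fromhex("000100000006" "01" "03" "0078" "0004")
RESPONSE = bytes.fromhex("00010000000b" "01" "03" "08" "0001" "0002" "0003" "dead")


def parse_mbap(frame):
    """Split a Modbus/TCP frame into its MBAP header fields and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(pdu) + 1:  # the length field covers unit id + PDU
        raise ValueError("length field disagrees with remaining bytes")
    return {"tid": tid, "uid": uid, "pdu": pdu}


def read_registers(request, response, one_based=False):
    """Pair a read-registers request with its response; return {address: value}.

    one_based=True models software that numbers the first register 1 rather
    than 0, the offset the talk points out between tools.
    """
    req, resp = parse_mbap(request), parse_mbap(response)
    if req["tid"] != resp["tid"]:
        raise ValueError("transaction identifiers do not match")
    fc, start, qty = struct.unpack(">BHH", req["pdu"])
    if fc not in (3, 4):  # 3 = holding registers, 4 = input registers
        raise ValueError("not a read-registers request")
    if resp["pdu"][0] == fc | 0x80:  # exception response: function code + 0x80
        raise ValueError("device returned exception code %d" % resp["pdu"][1])
    rfc, byte_count = struct.unpack(">BB", resp["pdu"][:2])
    if rfc != fc or byte_count != 2 * qty or len(resp["pdu"]) != 2 + byte_count:
        raise ValueError("response does not fit the request")
    values = struct.unpack(">%dH" % qty, resp["pdu"][2:])
    offset = 1 if one_based else 0
    return {start + offset + i: v for i, v in enumerate(values)}


if __name__ == "__main__":
    for addr, val in read_registers(REQUEST, RESPONSE).items():
        print("register %d = %d (0x%04X)" % (addr, val, val))
```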