Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Pentesting Industrial Control Systems

You're reading from   Pentesting Industrial Control Systems An ethical hacker's guide to analyzing, compromising, mitigating, and securing industrial processes

Arrow left icon
Product type Paperback
Published in Dec 2021
Publisher Packt
ISBN-13 9781800202382
Length 450 pages
Edition 1st Edition
Languages
Arrow right icon
Author (1):
Arrow left icon
Paul Smith Paul Smith
Author Profile Icon Paul Smith
Paul Smith
Arrow right icon
View More author details
Toc

Table of Contents (19) Chapters Close

Preface 1. Section 1 - Getting Started
2. Chapter 1: Using Virtualization FREE CHAPTER 3. Chapter 2: Route the Hardware 4. Chapter 3: I Love My Bits – Lab Setup 5. Section 2 - Understanding the Cracks
6. Chapter 4: Open Source Ninja 7. Chapter 5: Span Me If You Can 8. Chapter 6: Packet Deep Dive 9. Section 3 - I’m a Pirate, Hear Me Roar
10. Chapter 7: Scanning 101 11. Chapter 8: Protocols 202 12. Chapter 9: Ninja 308 13. Chapter 10: I Can Do It 420 14. Chapter 11: Whoot… I Have To Go Deep 15. Section 4 -Capturing Flags and Turning off Lights
16. Chapter 12: I See the Future 17. Chapter 13: Pwned but with Remorse 18. Other Books You May Enjoy

Discovering what VMware is

VMware was founded in 1998, launching their first product, VMware workstation, in 1999. 3 years after the company was founded, they released GSX and ESX into the server market. Elastic Sky X (ESX) retained the name until 2010. The "i" was added after VMware invested time and money into upgrading the OS and modernizing the user interface. The product is now dubbed ESX integrated (ESXi). If you are reading this, I think it is safe for me to assume that you have perused a few books on related topics, since most books cover Desktop Hypervisors such as Player, Workstation, and/or Fusion. I want to take this a step further and provide some hands-on exposure and practice with ESXi in the next section.

OK, maybe that was a slightly sales-y pitch, but I can honestly say that I have never worked for VMware and do not get any royalties for plugging their technology. However, I feel it would do you a disservice to not take you through a hands-on practical experience with technology that you will most certainly discover out there in the field. I have personally encountered VMware in the verticals of oil and gas, energy, chemical, pharma, consumer product production, discrete manufacturing, and amusement parks, to name a few.

A typical production solution consists of the following:

  • Distributed Resource Scheduler (DRS)
  • High Availability (HA)
  • Consolidated Backup
  • VCenter
  • Virtual machines
  • ESXi servers
  • Virtual Machine File System (VMFS)
  • Virtual symmetric multi-processing (SMP)

For a better overview of these specific components, please reference the following web page: https://www.vmware.com/pdf/vi_architecture_wp.pdf.

I do not want to deep dive into VMware; instead, I simply want to make you aware of some of the pieces of technology that will be encountered when you're on an engagement. I do, however, want to call out the core stack, which consists of vCenter, ESXi servers, and VMs. These are the building blocks of almost all virtualization implementations in large organizations. vCenters control ESXi servers, and ESXi servers are where VMs live. Knowing this will help you understand the path of Privilege Escalation once you get a foothold of a VM inside the operational layer of the company. I have had many of conversations with security personnel over the years around Separation of Duties (SoD), and teams dedicated to their applications are more than happy to explain the great pain and lengths they have gone through to adhere to Confidentiality, Integrity, and Availability (CIA). When performing tabletop exercises with these same teams and asking them "Who controls the ESXi server your app lives on?" and then continuing with, "What is your total exposure if your vCenter is compromised?" you'll find that the answers, in most cases, will shock you, if not terrify you to the bone. I challenge you to ask your IT/OT team – or whoever is managing your virtual infrastructure – how many VMs are running per server. Then, follow that up with, "When is the last time you performed a Disaster Recovery (DR) failover test?" Knowing if a piece of the critical control is running inside an over-taxed server with minimal resources is quite useful from a risk mitigation point of view, but for the purpose of this book, we need to exploit a weakness in an overlooked component in the system.

The following diagram shows the relationship between the different components we mentioned previously and how they integrate with each other:

Figure 1.1 – VMware infrastructure

Figure 1.1 – VMware infrastructure

I performed some work for a Steam Assisted Gravity Drainage (SAGD) heavy oil company, and part of their claim was the virtualization of the Rockwell PlantPAX DCS. This was all on top of an ESXi cluster inside a robust vSphere platform. The biggest takeaway from understanding VMware is that, at an enterprise level, vSphere is the platform, and ESXi is the hypervisor. In this book, I will be posting screenshots of VMware Fusion, which is the macOS-specific desktop platform and that of ESXi. If you are using Windows, you have two options – VMPlayer or VMWorkstation. I will focus most of my time and demos on ESXi as I feel that understanding this technology is the most important task for proceeding down the yellow brick road of industrial pentesting.

In this section, we touched on what VMware is, called out the core components that make up a virtual stack, and shared some real-world examples of what you will find out there in the wild. Now, the next step is diving right into it and turning it all on. We will start by walking through the installation processes for VMware Fusion, VMware ESXi, and VMs in order to create a virtual Supervisory Control and Data Acquisition (SCADA) environment for our testing in further chapters.

You have been reading a chapter from
Pentesting Industrial Control Systems
Published in: Dec 2021
Publisher: Packt
ISBN-13: 9781800202382
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime