| name | ot-security-assessment | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| description | Operational Technology (OT) security assessment using a two-stage methodology: (1) Identification/Discovery of OT devices and protocols, and (2) Vulnerability Assessment using online sources and Metasploit. Use when: (1) Conducting authorized OT/ICS security assessments, (2) Identifying and enumerating OT protocols (Modbus, S7, IEC 104, DNP3, BACnet, EtherNet/IP), (3) Discovering industrial control devices and PLCs, (4) Assessing OT protocol vulnerabilities and security weaknesses, (5) Performing compliance scanning aligned with IEC 62443 standards, (6) Validating network segmentation and access controls in OT environments. | |||||||||||
| version | 0.1.0 | |||||||||||
| maintainer | https://github.com/i8void/ | |||||||||||
| category | offsec | |||||||||||
| tags |
|
|||||||||||
| frameworks |
|
|||||||||||
| dependencies |
|
|||||||||||
| references |
This skill provides a structured methodology for conducting Operational Technology (OT) and Industrial Control System (ICS) security assessments. The approach follows a two-stage methodology: (1) Identification/Discovery of OT devices, protocols, and services, and (2) Vulnerability Assessment using online vulnerability databases and Metasploit Framework for deeper analysis.
IMPORTANT: OT security assessments may impact critical industrial processes and must only be conducted with proper authorization. Always ensure written permission before assessing OT systems. Never test production systems without explicit authorization.
OT Network Security Considerations:
- Well-secured OT systems will not allow internet-connected devices (like this system) to be plugged into the network for assessment
- Most production OT assessments will be conducted offline on air-gapped networks
- This skill is suitable for:
- Less secure or open OT/SCADA systems
- Lab environments and test networks
- Authorized assessment scenarios where network isolation is managed separately
- Always coordinate with operations team to ensure proper network isolation and security controls
Basic OT device discovery and protocol enumeration:
# TCP Connect scan for common OT ports (no root required, safer for OT)
nmap -sT -p 502,102,2404,20000,47808,2222 <target-ip>
# Modbus enumeration (no root required)
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip>
# Comprehensive OT scan with service detection (no root required)
nmap -sV -p 502,102,2404,20000,47808,2222 --script modbus-read-registers,s7-info,bacnet-info <target-ip>When executing commands, replace these placeholders with actual values:
<target-ip>- Single IP address (e.g.,192.168.1.100)<target-network>- IP range in CIDR notation (e.g.,192.168.1.0/24)<rhost>- Remote host (Metasploit) - IP address or hostname<rport>- Remote port (Metasploit) - Port number<unit-id>- Modbus unit ID (typically 1-255)
Progress: [ ] 1. Verify authorization and scope for OT assessment [ ] 2. Perform network discovery and identify live hosts [ ] 3. Scan for common OT protocol ports [ ] 4. Enumerate OT protocols and identify devices [ ] 5. Gather device information and service versions [ ] 6. Research vulnerabilities using online sources [ ] 7. Perform vulnerability assessment with Metasploit [ ] 8. Document findings and generate assessment report [ ] 9. Validate results and identify false positives
Work through each step systematically. Check off completed items.
CRITICAL: Before any OT assessment activities:
- Confirm written authorization from system owner and operations team
- Review scope document for in-scope IP ranges and OT systems
- Verify scanning windows and rate-limiting requirements (OT systems are sensitive)
- Document emergency contact for accidental disruption
- Confirm blacklisted hosts (production PLCs, safety systems, critical infrastructure)
- Coordinate with operations team for safe testing windows
Identify live hosts in target OT network:
# Ping sweep (ICMP echo)
nmap -sn <target-network>/24
# ARP scan (local network only, faster and more reliable)
nmap -sn -PR <target-network>/24
# TCP SYN ping (when ICMP blocked, use OT ports)
nmap -sn -PS502,102,2404 <target-network>/24
# Disable ping, assume all hosts alive (common in OT networks)
nmap -Pn <target-network>/24
# Output live hosts to file
nmap -sn <target-network>/24 -oG - | awk '/Up$/{print $2}' > live_hosts.txtOT Network Discovery Techniques:
- ICMP Echo (-PE): Standard ping, often blocked in OT networks
- TCP SYN (-PS): Half-open connection to OT protocol ports (502, 102, etc.)
- UDP (-PU): Sends UDP packets to OT UDP ports (47808 for BACnet)
- ARP (-PR): Layer 2 discovery, only works on local network segment
Scan discovered hosts for common OT protocol ports:
# TCP Connect scan for common OT protocol ports (no root required)
nmap -sT -p 502,102,2404,20000,47808,2222,161,623 -iL live_hosts.txt
# Comprehensive scan with service detection (no root required)
nmap -sV -p 502,102,2404,20000,47808,2222 -iL live_hosts.txt -oA ot_scan
# UDP scan for OT protocols (BACnet, SNMP) - requires root
sudo nmap -sU -p 47808,161,623 -iL live_hosts.txt -oA ot_udp_scanCommon OT Protocol Ports:
- 502: Modbus TCP
- 102: S7/Siemens
- 2404: IEC 104
- 20000: DNP3
- 47808: BACnet/IP (UDP)
- 2222: EtherNet/IP
- 161: SNMP (UDP)
- 623: IPMI (UDP)
Timing and Performance for OT Networks:
OT networks are sensitive to high traffic volumes. Use conservative timing:
# Polite (2) - Recommended for OT networks
nmap -T2 --max-rate 10 -p 502,102,2404 <target-ip>
# Scan with delays to avoid disruption
nmap --scan-delay 2s -p 502,102,2404 <target-ip>Enumerate and identify OT protocols and devices:
# Basic Modbus enumeration
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip>
# Comprehensive Modbus enumeration
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip> -oA modbus_enum
# Read holding registers (unit ID 1, start 0, count 10)
modbus read <target-ip> 502 1 0 10# S7 information gathering
nmap -p 102 --script s7-info <target-ip> -oA s7_info
# Python SNAP7 enumeration
python3 -c "import snap7; client = snap7.client.Client(); client.connect('<target-ip>', 0, 1); print(client.get_cpu_info()); client.disconnect()"The dnp3-info NSE script is not included in standard Nmap installations. Obtain it from the official Nmap community scripts repository:
# Download dnp3-info.nse from the official Nmap community scripts repo
curl -o /usr/local/share/nmap/scripts/dnp3-info.nse \
https://raw.githubusercontent.com/nmap/nmap/master/scripts/dnp3-info.nse
# Update Nmap script database
nmap --script-updatedb
# Verify script is available
nmap --script-help dnp3-info
# Run DNP3 enumeration
nmap -p 20000 --script dnp3-info <target-ip> -oA dnp3_info# IEC 104 (Port 2404)
nmap -p 2404 -sV <target-ip> -oA iec104_scan
# BACnet/IP (Port 47808/UDP) - requires root for UDP scan
sudo nmap -sU -p 47808 --script bacnet-info <target-ip> -oA bacnet_info
# EtherNet/IP (Port 2222)
nmap -p 2222 -sV <target-ip> -oA ethernetip_tcpIdentify services and extract version information:
# Service version detection for OT protocols
nmap -sV -p 502,102,2404,20000,47808,2222 <target-ip>
# OT-specific service enumeration (no root required for TCP scans)
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip>
nmap -p 102 --script s7-info <target-ip>
nmap -p 20000 --script dnp3-info <target-ip>
# UDP scan requires root
sudo nmap -sU -p 47808 --script bacnet-info <target-ip>Research identified devices and services for known vulnerabilities:
# Query NVD for ICS/SCADA vulnerabilities
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=industrial+control+system" \
-H "apiKey: <api-key>" -o nvd_ics_$(date +%Y%m%d).json
# Fetch latest ICS-CERT advisories
curl -s "https://www.cisa.gov/news-events/cybersecurity-advisories" \
-o ics-cert_$(date +%Y%m%d).html
# Search CVE database
curl -s "https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SCADA" \
-o cve_scada_$(date +%Y%m%d).htmlUse Metasploit Framework for deeper OT protocol analysis:
# Start Metasploit Framework console
msfconsole -q
# Search for OT/ICS modules
msf6 > search modbus
msf6 > search scada
msf6 > search siemensmsf6 > use auxiliary/scanner/scada/modbus_findunitid
msf6 auxiliary(scanner/scada/modbus_findunitid) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/scada/modbus_findunitid) > set RPORT 502
msf6 auxiliary(scanner/scada/modbus_findunitid) > run
# Read registers
msf6 > use auxiliary/scanner/scada/modbus_read
msf6 auxiliary(scanner/scada/modbus_read) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/scada/modbus_read) > set RPORT 502
msf6 auxiliary(scanner/scada/modbus_read) > set UNIT_ID 1
msf6 auxiliary(scanner/scada/modbus_read) > set REGISTER_START 0
msf6 auxiliary(scanner/scada/modbus_read) > set REGISTER_COUNT 10
msf6 auxiliary(scanner/scada/modbus_read) > runmsf6 > use auxiliary/gather/s7_comm_read
msf6 auxiliary(gather/s7_comm_read) > set RHOSTS <target-ip>
msf6 auxiliary(gather/s7_comm_read) > set RPORT 102
msf6 auxiliary(gather/s7_comm_read) > run# DNP3
msf6 > use auxiliary/scanner/scada/dnp3_info
msf6 auxiliary(scanner/scada/dnp3_info) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/scada/dnp3_info) > set RPORT 20000
msf6 auxiliary(scanner/scada/dnp3_info) > run
# BACnet
msf6 > use auxiliary/scanner/scada/bacnet_info
msf6 auxiliary(scanner/scada/bacnet_info) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/scada/bacnet_info) > set RPORT 47808
msf6 auxiliary(scanner/scada/bacnet_info) > runOrganize findings and generate assessment reports:
# Organized output with timestamps
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip> -oA modbus_enum_$(date +%Y%m%d_%H%M%S)
# Create summary report
cat > assessment_summary_$(date +%Y%m%d).md << EOF
# OT Security Assessment Summary
## Target Information
- IP Address: <target-ip>
- Assessment Date: $(date)
## Stage 1: Identification Results
[Insert discovery findings]
## Stage 2: Vulnerability Assessment Results
[Insert vulnerability findings]
## Recommendations
[Insert recommendations]
EOF- Manually verify findings with specific tools
- Check service version against CVE databases
- Cross-reference with authenticated vulnerability scanners
- Validate protocol-specific vulnerabilities
- Review Metasploit module outputs for accuracy
-
Authorization and Access Control: OT security assessments require explicit written authorization from system owners and operations teams. Never test production systems without proper authorization. Coordinate with operations team for safe testing windows and rate-limiting requirements.
-
Sensitive Data Handling: OT assessment findings may contain sensitive information about industrial control systems, network topology, and device configurations. Store assessment data securely and follow data classification requirements. Do not expose OT network details in public repositories or unsecured locations.
-
Access Control: Commands requiring root/sudo privileges:
- TCP SYN scans (
nmap -sS): Requires root for raw sockets - UDP scans (
nmap -sU): Requires root for raw sockets - Packet capture (
tcpdump,tshark): Requires root orCAP_NET_RAWcapability
Commands NOT requiring root:
- TCP Connect scans (
nmap -sT): Safe, no root needed - Service version detection (
nmap -sV): No root needed - Most Python tools (pymodbus, snap7): Run as regular user
- Metasploit console: Runs as regular user
- TCP SYN scans (
-
Claude CLI Safety Considerations:
- Review all commands before execution, especially those with
sudo - Prefer
-sT(TCP Connect) over-sS(SYN scan) when possible - Configure Linux capabilities instead of full sudo when available:
sudo setcap cap_net_raw,cap_net_admin+eip $(which nmap) # Then run without sudo: nmap -sS <target-ip>
- Log all privileged command executions for audit purposes
- Use principle of least privilege - only elevate when necessary
- Review all commands before execution, especially those with
-
Audit Logging: Document all assessment activities including:
- Authorization documents and scope
- Scanning windows and rate limits
- All privileged command executions
- Discovered devices and protocols
- Vulnerability findings and remediation status
-
Compliance: OT assessments should align with:
- IEC 62443 standards for industrial automation and control systems security
- MITRE ATT&CK for ICS framework
- PTES (Penetration Testing Execution Standard) methodology
- Organization-specific OT security policies
# Phase 1: Identify live hosts
nmap -sn -PE -PS502,102 -PA2404 <target-network>/24 -oG - | awk '/Up$/{print $2}' > ot_hosts.txt
# Phase 2: Scan common OT protocol ports (TCP Connect scan, no root required)
nmap -Pn -sT -sV -p 502,102,2404,20000,47808,2222 -iL ot_hosts.txt -oA ot_scan
# Phase 3: Protocol-specific enumeration
nmap -p 502 --script modbus-read-registers,modbus-read-coils -iL ot_hosts.txt -oA modbus_enum
nmap -p 102 --script s7-info -iL ot_hosts.txt -oA s7_enum# Phase 1: Discover Modbus devices
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-network>/24 -oA modbus_discovery
# Phase 2: Enumerate Modbus data
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip> -oA modbus_enum
# Phase 3: Vulnerability assessment with Metasploit
msfconsole -q
msf6 > use auxiliary/scanner/scada/modbus_findunitid
msf6 auxiliary(scanner/scada/modbus_findunitid) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/scada/modbus_findunitid) > run# Phase 1: Comprehensive OT port scan (TCP Connect, no root required)
nmap -sT -sV -p 502,102,2404,20000,47808,2222,161,623 <target-network>/24 -oA ot_comprehensive
# Phase 2: Protocol-specific enumeration
nmap -p 502 --script modbus-* <target-ip> -oA modbus_full
nmap -p 102 --script s7-* <target-ip> -oA s7_full
# Phase 3: Vulnerability research
# Query NVD, ICS-CERT, manufacturer databases for identified versions
# Phase 4: Metasploit assessment
msfconsole -q
msf6 > search scada
# Use appropriate modules based on discovered protocols- Metasploit: Import Nmap results with
db_import <nmap-xml-file>for correlation and deeper analysis - SIEM Integration: Parse Nmap XML output for security monitoring and alerting on discovered OT devices
- Asset Management: Update CMDB with discovered OT devices, protocols, and service versions
- Reporting: Generate structured reports from Nmap XML output and combine with Metasploit results for comprehensive assessment documentation
- CI/CD: Not typically applicable for OT assessments due to air-gapped network requirements
Solution: This occurs when attempting SYN scans (-sS) or UDP scans (-sU) without root privileges. Use TCP Connect scans (-sT) instead:
# Instead of: sudo nmap -sS <target-ip>
# Use: nmap -sT <target-ip>Solution: The dnp3-info NSE script is not included in standard Nmap installations. Download it from the official Nmap scripts repository:
curl -o /usr/local/share/nmap/scripts/dnp3-info.nse \
https://raw.githubusercontent.com/nmap/nmap/master/scripts/dnp3-info.nse
nmap --script-updatedbSolution: OT networks often have strict firewall rules and may block ICMP. Try:
- Disable ping:
nmap -Pn <target-ip> - Use TCP Connect scans with conservative timing:
nmap -sT -T2 --max-rate 10 <target-ip> - Scan during authorized maintenance windows
- Coordinate with operations team for network access
Solution: Ensure Metasploit Framework is updated and search for available modules:
msfconsole -q
msf6 > search scada
msf6 > search modbus
msf6 > search siemensSolution:
- Manually verify findings with protocol-specific tools
- Cross-reference service versions with CVE databases
- Validate protocol-specific vulnerabilities with authenticated scanners
- Review Metasploit module outputs for accuracy
- Nmap Documentation - Comprehensive Nmap scanning guide
- Metasploit Framework - Metasploit module documentation
- CISA ICS-CERT Advisories - Industrial control system security advisories
- MITRE ATT&CK for ICS - Network service scanning techniques
- IEC 62443 Standards - Industrial automation and control systems security standards