Home
About Us
Services
Application Security
Web Application Penetration Testing
API Penetration Testing
Mobile Application Penetration Testing​
Source Code Reviews
Threat Modeling
Architecture Reviews
Infrastructure Security
Internal Network Penetration Testing
External Network Penetration Testing
Active Directory Security Assessments
Wireless Network Penetration Testing
Host Reviews
Firewall Configuration Reviews
Cloud Security
Cloud Configuration Reviews
Cloud Penetration Testing
Adversary Simulations
Red Teaming
Purple teaming
OSINT
Phishing Simulations
DevSecOps
Container Security
Kubernetes configuration reviews
Other
Managed Vulnerability Scanning
PCI DSS Security Assessments
Hardware Security Assessments
Smart Contracts Security Assessments
Academy
Advisory
Blog
Media
Podcasts
Videos
Contact Us
Home
About Us
Services
Application Security
Web Application Penetration Testing
API Penetration Testing
Mobile Application Penetration Testing​
Source Code Reviews
Threat Modeling
Architecture Reviews
Infrastructure Security
Internal Network Penetration Testing
External Network Penetration Testing
Active Directory Security Assessments
Wireless Network Penetration Testing
Host Reviews
Firewall Configuration Reviews
Cloud Security
Cloud Configuration Reviews
Cloud Penetration Testing
Adversary Simulations
Red Teaming
Purple teaming
OSINT
Phishing Simulations
DevSecOps
Container Security
Kubernetes configuration reviews
Other
Managed Vulnerability Scanning
PCI DSS Security Assessments
Hardware Security Assessments
Smart Contracts Security Assessments
Academy
Advisory
Blog
Media
Podcasts
Videos
Contact Us

PLC Hacking (Pt. 1)

PLC Hacking (Pt. 1)
  • May 31, 2022
  • ICS Security
  • Redfox Security Team

Programmable Logic Controllers (PLCs) are industrial computers used to control different electro-mechanical processes for use in manufacturing, plants, or other automation environments. PLCs can range from small modular devices with tens of inputs and outputs (I/O) in a housing integral with the processor, to large rack-mounted modular devices with a count of thousands of I/O, which are often in networks containing other PLC and SCADA systems. Programmable Logic Controllers help in the functioning of critical infrastructure. They have been widely adopted as high-reliability automation controllers suitable for harsh environments. 

Even though PLCs are used on mission-critical applications such as nuclear power plants, they were not designed with cybersecurity in mind. An example of an ICS attack is Stuxnet, which targeted the nuclear program of Iran. The industrial cybersecurity industry has grown significantly in recent years. More industries are following the Purdue Model for segmenting the Operational Technology (OT) Network from The Informational Technology (IT) Network to improve their cybersecurity posture. More information regarding the Purdue model can be found here.

In our “PLC Hacking” series, we are going to cover different methods of interacting with PLCs, the different protocols which they use, and to demonstrate their inherent lack of security protection. In this particular blog, we will be looking at setting up the PLC and writing a ladder logic program into it.

Requirements:

  • Koyo CLICK C0-10DRE-D PLC and its power supply. Link here.
  • A Windows PC/VM with an ethernet port for configuring the PLC using CLICK software.
  • A Kali Linux VirtualBox VM as an attack machine.
  • A TP-LINK smart switch. Link here.
  • Ethernet Cables.
  • Electrical wires.

Power up the Programmable Logic Controllers using a 24V 2A DC power supply. Wire up the Windows PC and the PLC to the switch. Also, set the network interface on Kali Linux’s VirtualBox settings to “Bridged Mode”. Then, download and install the free CLICK software on the Windows machine. After installation, we see the following screen on opening the application.

plc hacking

Click on “Connect to PLC”. We will now be presented with the following screen:

plc hacking

Make sure that the Programmable Logic Controllers , Windows PC, Switch and Linux VM are on the same subnet.

For example, assign the following static IP addresses on a 10.0.1.0/24 subnet.

  • Switch: 0.1.1
  • PLC:0.1.10
  • Windows PC:0.1.20
  • Kali Linux:0.1.30

If the subnet of the PLC does not match, click the “Edit…” button (see screenshot above), and assign the preferred IP. It should look similar to this.

The network settings on our Windows machine are shown below.

Kali Linux’s network settings are shown below:

Now, we’ll proceed with connecting to the PLC.

Select “Read the project from the PLC” and press “OK”. This option will read the current project from the PLC if any.

A new project should look similar to the screenshot below.

Now, we’ll be performing a bit of PLC programming using Ladder logic. We’ll create a simple program that allows us to push buttons and turn on lights. A ladder diagram represents a control program in an electrical wiring framework. The power sources are the vertical lines (ladder), while the control circuits are the horizontal lines (rungs).

  • The first step is to drag a NO Contact (from the instruction list) to rung number one.
  • Then, we’ll proceed to select the address by clicking the Address button on the right-hand side, as shown in the following screenshot:
plc hacking
  • A dialog box will appear, allowing us to select an address from the list of addresses available on Koyo Click.
  • Double-click the first address; that is, “X001” and click “OK”.
  • So, now that we have an input, we’ll need an output. Drag the Out function under the Coil section of the “Instruction List” menu on the right-hand side of the user interface to the (NOP) location at the end of rung 1, as shown in the following screenshot:
plc hacking
  • Once the function locks in, it will create a dialog box, asking the programmer to configure Bit Memory addressing, as shown here:
plc hacking
  • Click the memory address picker icon; An Address Picker dialog box pops up. The following screenshot shows that the address picker automatically displays the real-world list of output addresses.
plc hacking
  • Pick Y001 as the output address for the coil that we placed onto rung 1 and select OK. As shown in the following screenshot, it has auto-populated the Bit Memory Address1 field.
plc hacking
  • Repeat the steps shown above on rung 2, 3 and 4 with X002-X004 inputs and Y002-Y004 outputs respectively.
plc hacking
  • Next, we need to add an END function to tell the program that we have concluded all operations. From the “Instruction List” menu, under the “Program Control” heading, select and drag the END function to the (NOP) location at the end of rung 5, as shown in the following screenshot:
plc hacking
  • After we add the END function, we’ll check for syntax errors. It’s located under the “Program” tab.
plc hacking
  • In the output window, we should see the outcome of the syntax check.
plc hacking

To write the project to Programmable Logic Controllers , select the “Write Project into Programmable Logic Controllers” option from the PLC menu, as shown in the following screenshot.

  • Note: Change the PLC mode to STOP before writing a project.
plc hacking
plc hacking
  • Continue by clicking OK.
  • If everything goes smoothly, we should see a Transfer completed dialog box, as shown here:
  • Next, you will be asked to change the PLC Modes setting from STOP to RUN, as shown here:
  • Select OK to put the PLC in RUN mode.
  • Now that the project has been written to the PLC and the mode has been changed to RUN, we can finally test it out using local inputs X1-X4 as we have previously configured. C1 stands for Common 1. Y1-Y4 are the outputs.
  • The input voltage for our C0-10DRE-D PLC is 24V DC. Since our power supply is also 24V, we’ll power our inputs from the same terminal. If all the wiring is done correctly, connecting the inputs X1-X4 to our 24V power supply will cause the coil to energize and we should see corresponding red lights on Y1-Y4, as shown here:
plc hacking

TL;DR

In this blog, we learned how to setup a connection with the Koyo CLICK PLC and to write a basic ladder logic program. We wired up X1-X4 inputs and observed how outputs Y1-Y4 lights up respective to their inputs. In our PLC Hacking Part 2 blog, we will delve into overriding data and how to interact with the PLC using industrial communication protocols like Modbus TCP and Ethernet/IP.

References:

Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them. To schedule a call with one of our technical specialists, call 1-800-917-0850 now.

“Join us on our journey of growth and development by signing up for our comprehensive courses.

Recent Blog

July 23, 2024
Cyber Security Training
July 23, 2024
Introduction to Assembly Language
July 23, 2024
Asus RT N12 + B1’s Privilege Escalation CVE-2024-28326​

Follow Us

Youtube X-twitter Facebook Instagram Linkedin Github Medium

Delaware Office

Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.

info@redfoxsec.com

Quick Menu

Legal

Newsletter

Success
Thank you! Form submitted successfully.
This field is required

©️2024 Redfox Cyber Security Inc. All rights reserved.