2023 Business CTF: ICS Watch Tower

#htb #ctf #scada #network-forensics #very-easy #ics #pcap

Challenge Information

AttributeDetails
Event2023 Business CTF
CategorySCADA/ICS
ChallengeWatch Tower
DifficultyVery Easy

Summary

ICS Watch Tower is a very easy-level forensic analysis challenge involving network traffic analysis of an industrial control system. The infrastructure monitoring system detected abnormal behavior and captured network traffic. The objective is to analyze the capture to identify what information intruders collected and altered on the network.

Challenge Information

The challenge description states:

“Our infrastructure monitoring system detected some abnormal behavior and initiated a network capture. We need to identify information the intruders collected and altered in the network.”

Challenge Objectives

  1. Examine the provided network capture file
  2. Identify suspicious or anomalous traffic patterns
  3. Determine what data intruders accessed
  4. Identify what data was modified or tampered with
  5. Extract evidence of the intrusion

Analysis

Network Forensics Methodology

When analyzing suspicious network captures:

  1. Timeline Analysis: Establish when suspicious activity occurred
  2. Protocol Analysis: Identify which protocols were used
  3. Data Flow: Track data sources and destinations
  4. Anomaly Detection: Identify unusual communication patterns
  5. Payload Analysis: Examine packet contents for sensitive data

Common ICS Intrusion Indicators

Reconnaissance Activities:

  • Repeated queries to system registers
  • Scanning of port 502 (Modbus)
  • Port scanning for industrial protocols (DNP3, Profibus, EtherCAT)
  • SNMP enumeration attempts
  • Banner grabbing

Data Exfiltration:

  • Large data transfers to unexpected destinations
  • Unusual outbound connections
  • Encrypted tunneling attempts
  • DNS exfiltration

System Tampering:

  • Unexpected register writes
  • Coil modifications
  • Configuration changes
  • Device disconnections/reconnections

Solution

Step 1: Open the Network Capture

Use Wireshark to analyze the traffic:

Terminal window
wireshark capture.pcap &

Or use command-line tools:

Terminal window
tshark -r capture.pcap

Step 2: Examine Overall Traffic Statistics

Get a high-level view of the network activity:

Terminal window
# Summary statistics
tshark -r capture.pcap -q -z io,phs


# Protocol hierarchy
tshark -r capture.pcap -q -z protocol,colinfo

Step 3: Identify ICS Protocol Traffic

Filter for common industrial protocols:

# Modbus
tcp.port == 502


# DNP3
tcp.port == 20000 || udp.port == 20000


# PROFINET
eth.type == 0x8892


# Ethernet/IP
tcp.port == 2222 || tcp.port == 44818

Step 4: Analyze Modbus Traffic for Reconnaissance

Look for repeated read operations:

Terminal window
tshark -r capture.pcap -Y "modbus" -T fields \
  -e ip.src -e ip.dst -e modbus.func_code -e modbus.starting_address

Identify which registers were queried repeatedly, indicating information gathering.

Step 5: Identify Data Exfiltration

Search for unusual data transfers:

Terminal window
# Look for DNS tunneling
tshark -r capture.pcap -Y "dns" -T fields \
  -e dns.qry.name | sort | uniq -c | sort -rn


# Look for HTTP/HTTPS with suspicious content
tshark -r capture.pcap -Y "http" -T fields \
  -e http.request.uri -e http.user_agent

Step 6: Detect Tampering

Look for write operations (Function Code 05, 06, 15, 16):

Terminal window
tshark -r capture.pcap -Y "modbus.func_code == 5 || modbus.func_code == 6 || modbus.func_code == 15 || modbus.func_code == 16"

Step 7: Extract Suspicious Data

Export conversation data:

Terminal window
# Extract TCP conversations
tshark -r capture.pcap -q -z conv,tcp


# Export specific flows
tshark -r capture.pcap -Y "ip.addr == attacker_ip" -w suspicious.pcap

Step 8: Analyze Payload Content

For captured data, decode the contents:

from scapy.all import *


packets = rdpcap('capture.pcap')


for packet in packets:
    if TCP in packet and packet[TCP].dport == 502:
        if Raw in packet:
            payload = packet[Raw].load
            # Try to decode as ASCII
            try:
                decoded = payload.decode('ascii', errors='ignore')
                print(f"Decoded: {decoded}")
            except:
                print(f"Binary: {payload.hex()}")

Step 9: Timeline Reconstruction

Create a timeline of events:

from scapy.all import *


packets = rdpcap('capture.pcap')


events = []
for packet in packets:
    if TCP in packet:
        events.append({
            'time': packet.time,
            'src': packet[IP].src,
            'dst': packet[IP].dst,
            'sport': packet[TCP].sport,
            'dport': packet[TCP].dport,
            'flags': packet[TCP].flags
        })


# Sort by time
events.sort(key=lambda x: x['time'])


# Display timeline
for event in events:
    print(f"{event['time']}: {event['src']}:{event['sport']} -> {event['dst']}:{event['dport']}")

Step 10: Identify and Extract the Flag

Based on analysis, determine:

  1. What information was exfiltrated: Sensitive data from registers
  2. What was modified: System configurations changed by intruders
  3. How to prove tampering: Compare before/after states
  4. Extract the evidence: Compile findings into the flag format

Common Intrusion Patterns

Pattern 1: Reconnaissance Followed by Exploitation

1. Repeated reads to enumerate registers
2. Identification of critical control registers
3. Focused writes to specific registers
4. System malfunction or unexpected behavior

Pattern 2: Credential Theft

1. Search for configuration files
2. Queries to credential storage registers
3. Export of user authentication data
4. Potential lateral movement

Pattern 3: Backdoor Installation

1. Upload of firmware/configuration
2. Modification of boot parameters
3. Installation of persistence mechanism
4. Callback to command server

Wireshark Tips and Tricks

# Filter for conversations between two IPs
ip.src == 192.168.1.1 && ip.dst == 192.168.1.100


# Find all DNS queries
dns.qry.name contains "example"


# Display only traffic with data
tcp.len > 0


# Follow TCP stream
Right-click packet → Follow TCP Stream


# Color code by conversation
View → Coloring Rules


# Export objects
File → Export Objects

Key Takeaways

  • Network Visibility: Industrial systems need comprehensive network monitoring
  • Baseline Comparison: Compare normal vs. suspicious traffic patterns
  • Protocol Understanding: Knowledge of ICS protocols aids intrusion detection
  • Evidence Preservation: Capture and preserve network evidence
  • Timeline Correlation: Correlate network activity with system behavior
  • Threat Hunting: Proactively search for indicators of compromise

Tools and Resources

  • Wireshark: Interactive packet analyzer with GUI
  • tshark: Command-line Wireshark for scripting
  • Scapy: Python library for packet manipulation
  • zeek (Bro): Network security monitoring platform
  • Suricata: Open-source threat detection engine
  • tcpdump: Command-line packet capture
  • Network Miner: Automated PCAP analysis