| name | ot-security-assessment |
| description | Operational Technology (OT) security assessment using a two-stage methodology: (1) Identification/Discovery of OT devices and protocols, and (2) Vulnerability Assessment using online sources and Metasploit. Use when: (1) Conducting authorized OT/ICS security assessments, (2) Identifying and enumerating OT protocols (Modbus, S7, IEC 104, DNP3, BACnet, EtherNet/IP), (3) Discovering industrial control devices and PLCs, (4) Assessing OT protocol vulnerabilities and security weaknesses, (5) Performing compliance scanning aligned with IEC 62443 standards, (6) Validating network segmentation and access controls in OT environments.
|
| version | 0.1.0 |
| maintainer | https://github.com/i8void/ |
| category | offsec |
| tags | ["ot","ics","scada","modbus","siemens","industrial-security","vulnerability-assessment","reconnaissance"] |
| frameworks | ["MITRE-ATT&CK","IEC-62443","PTES"] |
| dependencies | {"packages":["nmap","metasploit-framework","python3"],"tools":["modbus-cli","plcscan","python-snap7","pymodbus"]} |
| references | ["https://nmap.org/book/","https://docs.rapid7.com/metasploit/msf-overview/","https://www.cisa.gov/news-events/cybersecurity-advisories","https://attack.mitre.org/techniques/T1046/","https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards"] |
OT Security Assessment
Overview
This skill provides a structured methodology for conducting Operational Technology (OT) and Industrial Control System (ICS) security assessments. The approach follows a two-stage methodology: (1) Identification/Discovery of OT devices, protocols, and services, and (2) Vulnerability Assessment using online vulnerability databases and Metasploit Framework for deeper analysis.
IMPORTANT: OT security assessments may impact critical industrial processes and must only be conducted with proper authorization. Always ensure written permission before assessing OT systems. Never test production systems without explicit authorization.
OT Network Security Considerations:
- Well-secured OT systems will not allow internet-connected devices (like this system) to be plugged into the network for assessment
- Most production OT assessments will be conducted offline on air-gapped networks
- This skill is suitable for:
- Less secure or open OT/SCADA systems
- Lab environments and test networks
- Authorized assessment scenarios where network isolation is managed separately
- Always coordinate with operations team to ensure proper network isolation and security controls
Quick Start
Basic OT device discovery and protocol enumeration:
nmap -sT -p 502,102,2404,20000,47808,2222 <target-ip>
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip>
nmap -sV -p 502,102,2404,20000,47808,2222 --script modbus-read-registers,s7-info,bacnet-info <target-ip>
Placeholder System
When executing commands, replace these placeholders with actual values:
<target-ip> - Single IP address (e.g., 192.168.1.100)
<target-network> - IP range in CIDR notation (e.g., 192.168.1.0/24)
<rhost> - Remote host (Metasploit) - IP address or hostname
<rport> - Remote port (Metasploit) - Port number
<unit-id> - Modbus unit ID (typically 1-255)
Core Workflow
Workflow Checklist (for complex operations)
Progress:
[ ] 1. Verify authorization and scope for OT assessment
[ ] 2. Perform network discovery and identify live hosts
[ ] 3. Scan for common OT protocol ports
[ ] 4. Enumerate OT protocols and identify devices
[ ] 5. Gather device information and service versions
[ ] 6. Research vulnerabilities using online sources
[ ] 7. Perform vulnerability assessment with Metasploit
[ ] 8. Document findings and generate assessment report
[ ] 9. Validate results and identify false positives
Work through each step systematically. Check off completed items.
1. Authorization Verification
CRITICAL: Before any OT assessment activities:
- Confirm written authorization from system owner and operations team
- Review scope document for in-scope IP ranges and OT systems
- Verify scanning windows and rate-limiting requirements (OT systems are sensitive)
- Document emergency contact for accidental disruption
- Confirm blacklisted hosts (production PLCs, safety systems, critical infrastructure)
- Coordinate with operations team for safe testing windows
2. Network Discovery
Identify live hosts in target OT network:
nmap -sn <target-network>/24
nmap -sn -PR <target-network>/24
nmap -sn -PS502,102,2404 <target-network>/24
nmap -Pn <target-network>/24
nmap -sn <target-network>/24 -oG - | awk '/Up$/{print $2}' > live_hosts.txt
OT Network Discovery Techniques:
- ICMP Echo (-PE): Standard ping, often blocked in OT networks
- TCP SYN (-PS): Half-open connection to OT protocol ports (502, 102, etc.)
- UDP (-PU): Sends UDP packets to OT UDP ports (47808 for BACnet)
- ARP (-PR): Layer 2 discovery, only works on local network segment
3. OT Protocol Port Scanning
Scan discovered hosts for common OT protocol ports:
nmap -sT -p 502,102,2404,20000,47808,2222,161,623 -iL live_hosts.txt
nmap -sV -p 502,102,2404,20000,47808,2222 -iL live_hosts.txt -oA ot_scan
sudo nmap -sU -p 47808,161,623 -iL live_hosts.txt -oA ot_udp_scan
Common OT Protocol Ports:
- 502: Modbus TCP
- 102: S7/Siemens
- 2404: IEC 104
- 20000: DNP3
- 47808: BACnet/IP (UDP)
- 2222: EtherNet/IP
- 161: SNMP (UDP)
- 623: IPMI (UDP)
Timing and Performance for OT Networks:
OT networks are sensitive to high traffic volumes. Use conservative timing:
nmap -T2 --max-rate 10 -p 502,102,2404 <target-ip>
nmap --scan-delay 2s -p 502,102,2404 <target-ip>
4. OT Protocol Enumeration
Enumerate and identify OT protocols and devices:
Modbus TCP (Port 502)
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip>
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip> -oA modbus_enum
modbus read <target-ip> 502 1 0 10
S7/Siemens (Port 102)
nmap -p 102 --script s7-info <target-ip> -oA s7_info
python3 -c "import snap7; client = snap7.client.Client(); client.connect('<target-ip>', 0, 1); print(client.get_cpu_info()); client.disconnect()"
DNP3 (Port 20000)
The dnp3-info NSE script is not included in standard Nmap installations. Obtain it from the official Nmap community scripts repository:
curl -o /usr/local/share/nmap/scripts/dnp3-info.nse \
https://raw.githubusercontent.com/nmap/nmap/master/scripts/dnp3-info.nse
nmap --script-updatedb
nmap --script-help dnp3-info
nmap -p 20000 --script dnp3-info <target-ip> -oA dnp3_info
Other OT Protocols
nmap -p 2404 -sV <target-ip> -oA iec104_scan
sudo nmap -sU -p 47808 --script bacnet-info <target-ip> -oA bacnet_info
nmap -p 2222 -sV <target-ip> -oA ethernetip_tcp
5. Service and Device Information Gathering
Identify services and extract version information:
nmap -sV -p 502,102,2404,20000,47808,2222 <target-ip>
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip>
nmap -p 102 --script s7-info <target-ip>
nmap -p 20000 --script dnp3-info <target-ip>
sudo nmap -sU -p 47808 --script bacnet-info <target-ip>
6. Online Vulnerability Research
Research identified devices and services for known vulnerabilities:
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=industrial+control+system" \
-H "apiKey: <api-key>" -o nvd_ics_$(date +%Y%m%d).json
curl -s "https://www.cisa.gov/news-events/cybersecurity-advisories" \
-o ics-cert_$(date +%Y%m%d).html
curl -s "https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SCADA" \
-o cve_scada_$(date +%Y%m%d).html
7. Metasploit Vulnerability Assessment
Use Metasploit Framework for deeper OT protocol analysis:
msfconsole -q
msf6 > search modbus
msf6 > search scada
msf6 > search siemens
Using Modbus Metasploit Modules
msf6 > use auxiliary/scanner/scada/modbus_findunitid
msf6 auxiliary(scanner/scada/modbus_findunitid) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/scada/modbus_findunitid) > set RPORT 502
msf6 auxiliary(scanner/scada/modbus_findunitid) > run
msf6 > use auxiliary/scanner/scada/modbus_read
msf6 auxiliary(scanner/scada/modbus_read) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/scada/modbus_read) > set RPORT 502
msf6 auxiliary(scanner/scada/modbus_read) > set UNIT_ID 1
msf6 auxiliary(scanner/scada/modbus_read) > set REGISTER_START 0
msf6 auxiliary(scanner/scada/modbus_read) > set REGISTER_COUNT 10
msf6 auxiliary(scanner/scada/modbus_read) > run
Using S7/Siemens Metasploit Modules
msf6 > use auxiliary/gather/s7_comm_read
msf6 auxiliary(gather/s7_comm_read) > set RHOSTS <target-ip>
msf6 auxiliary(gather/s7_comm_read) > set RPORT 102
msf6 auxiliary(gather/s7_comm_read) > run
Using Other OT Protocol Modules
msf6 > use auxiliary/scanner/scada/dnp3_info
msf6 auxiliary(scanner/scada/dnp3_info) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/scada/dnp3_info) > set RPORT 20000
msf6 auxiliary(scanner/scada/dnp3_info) > run
msf6 > use auxiliary/scanner/scada/bacnet_info
msf6 auxiliary(scanner/scada/bacnet_info) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/scada/bacnet_info) > set RPORT 47808
msf6 auxiliary(scanner/scada/bacnet_info) > run
8. Documentation and Reporting
Organize findings and generate assessment reports:
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip> -oA modbus_enum_$(date +%Y%m%d_%H%M%S)
cat > assessment_summary_$(date +%Y%m%d).md << EOF
# OT Security Assessment Summary
## Target Information
- IP Address: <target-ip>
- Assessment Date: $(date)
## Stage 1: Identification Results
[Insert discovery findings]
## Stage 2: Vulnerability Assessment Results
[Insert vulnerability findings]
## Recommendations
[Insert recommendations]
EOF
9. Validation and False Positive Analysis
- Manually verify findings with specific tools
- Check service version against CVE databases
- Cross-reference with authenticated vulnerability scanners
- Validate protocol-specific vulnerabilities
- Review Metasploit module outputs for accuracy
Security Considerations
-
Authorization and Access Control: OT security assessments require explicit written authorization from system owners and operations teams. Never test production systems without proper authorization. Coordinate with operations team for safe testing windows and rate-limiting requirements.
-
Sensitive Data Handling: OT assessment findings may contain sensitive information about industrial control systems, network topology, and device configurations. Store assessment data securely and follow data classification requirements. Do not expose OT network details in public repositories or unsecured locations.
-
Access Control: Commands requiring root/sudo privileges:
- TCP SYN scans (
nmap -sS): Requires root for raw sockets
- UDP scans (
nmap -sU): Requires root for raw sockets
- Packet capture (
tcpdump, tshark): Requires root or CAP_NET_RAW capability
Commands NOT requiring root:
- TCP Connect scans (
nmap -sT): Safe, no root needed
- Service version detection (
nmap -sV): No root needed
- Most Python tools (pymodbus, snap7): Run as regular user
- Metasploit console: Runs as regular user
-
Claude CLI Safety Considerations:
-
Audit Logging: Document all assessment activities including:
- Authorization documents and scope
- Scanning windows and rate limits
- All privileged command executions
- Discovered devices and protocols
- Vulnerability findings and remediation status
-
Compliance: OT assessments should align with:
- IEC 62443 standards for industrial automation and control systems security
- MITRE ATT&CK for ICS framework
- PTES (Penetration Testing Execution Standard) methodology
- Organization-specific OT security policies
Common Patterns
Pattern 1: OT Network Discovery
nmap -sn -PE -PS502,102 -PA2404 <target-network>/24 -oG - | awk '/Up$/{print $2}' > ot_hosts.txt
nmap -Pn -sT -sV -p 502,102,2404,20000,47808,2222 -iL ot_hosts.txt -oA ot_scan
nmap -p 502 --script modbus-read-registers,modbus-read-coils -iL ot_hosts.txt -oA modbus_enum
nmap -p 102 --script s7-info -iL ot_hosts.txt -oA s7_enum
Pattern 2: Modbus Assessment
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-network>/24 -oA modbus_discovery
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip> -oA modbus_enum
msfconsole -q
msf6 > use auxiliary/scanner/scada/modbus_findunitid
msf6 auxiliary(scanner/scada/modbus_findunitid) > set RHOSTS <target-ip>
msf6 auxiliary(scanner/scada/modbus_findunitid) > run
Pattern 3: Multi-Protocol OT Assessment
nmap -sT -sV -p 502,102,2404,20000,47808,2222,161,623 <target-network>/24 -oA ot_comprehensive
nmap -p 502 --script modbus-* <target-ip> -oA modbus_full
nmap -p 102 --script s7-* <target-ip> -oA s7_full
msfconsole -q
msf6 > search scada
Integration Points
- Metasploit: Import Nmap results with
db_import <nmap-xml-file> for correlation and deeper analysis
- SIEM Integration: Parse Nmap XML output for security monitoring and alerting on discovered OT devices
- Asset Management: Update CMDB with discovered OT devices, protocols, and service versions
- Reporting: Generate structured reports from Nmap XML output and combine with Metasploit results for comprehensive assessment documentation
- CI/CD: Not typically applicable for OT assessments due to air-gapped network requirements
Troubleshooting
Issue: Nmap scan fails with "Operation not permitted"
Solution: This occurs when attempting SYN scans (-sS) or UDP scans (-sU) without root privileges. Use TCP Connect scans (-sT) instead:
Issue: dnp3-info script not found
Solution: The dnp3-info NSE script is not included in standard Nmap installations. Download it from the official Nmap scripts repository:
curl -o /usr/local/share/nmap/scripts/dnp3-info.nse \
https://raw.githubusercontent.com/nmap/nmap/master/scripts/dnp3-info.nse
nmap --script-updatedb
Issue: OT devices not responding to scans
Solution: OT networks often have strict firewall rules and may block ICMP. Try:
- Disable ping:
nmap -Pn <target-ip>
- Use TCP Connect scans with conservative timing:
nmap -sT -T2 --max-rate 10 <target-ip>
- Scan during authorized maintenance windows
- Coordinate with operations team for network access
Issue: Metasploit module not found
Solution: Ensure Metasploit Framework is updated and search for available modules:
msfconsole -q
msf6 > search scada
msf6 > search modbus
msf6 > search siemens
Issue: High false positive rate in vulnerability assessment
Solution:
- Manually verify findings with protocol-specific tools
- Cross-reference service versions with CVE databases
- Validate protocol-specific vulnerabilities with authenticated scanners
- Review Metasploit module outputs for accuracy
References