Learning OT Security with Conpot (1/3): A Beginner's Guide to Setting Up Conpot

In this guide, we’ll look into the basics of scanning ICS using Conpot, a popular open-source honeypot software designed for ICS environments.

Working in OT Security, understanding the vulnerabilities of Industrial Control Systems (ICS) is an important skill. With cyber crime on the rise, it's important to grasp how to detect and protect against potential threats, and a honeypot you control is a safe place to practice.

Why Scanning Live or Exposed ICS on Shodan Is a Bad Idea

Before we jump into the intricacies of scanning ICS, it’s crucial to understand the risks associated with scanning live or exposed systems on platforms like Shodan. These actions can be considered intrusive and may even violate legal boundaries. Moreover, scanning can disrupt critical operations and lead to severe consequences.

[Figure: Finding exposed Siemens Simatic S7 controllers on Shodan]

Purchasing original ICS equipment for experimentation purposes can be prohibitively expensive for newcomers. Fortunately, there's a better alternative: setting up your own virtual test lab. By creating a simulated environment, you can explore ICS vulnerabilities without the financial burden and without touching anyone else's systems.

Getting Started: Installation and Setup

To begin, ensure you’re operating within a virtual Linux environment. Linux provides the flexibility necessary for setting up Conpot. Follow these steps to install Conpot and prepare your system:

  1. Install Python 3: Open your terminal and enter the command sudo apt-get install python3.
  2. Install pip for Python 3: Enter sudo apt-get install python3-pip in your terminal to install pip, a package management system used to install and manage software packages written in Python.
  3. Install Conpot: Once pip is installed, enter pip install conpot in your terminal. This command will download and install Conpot on your system.
  4. Disable UFW (Uncomplicated Firewall): Enter sudo ufw disable in your terminal. Disabling the firewall temporarily ensures that Conpot's ports are reachable from your scanning machine; re-enable it once you are done experimenting.
  5. Update Your Path: pip installs the conpot executable into ~/.local/bin, which is not on your PATH by default. Open your .profile file using a text editor like Nano by entering sudo nano .profile in your terminal. Add PATH="$HOME/.local/bin:$PATH" to the file, then save and exit. The change takes effect on your next login.
  6. Start Conpot: Finally, start Conpot using the command conpot -f --template default in your terminal. This command initiates Conpot with default settings.
  7. Ensure virtual network communication between Conpot and your attacker machine: both virtual machines must be on a network that lets them reach each other (for example the same host-only or NAT network in your hypervisor), or your scans will never arrive at the honeypot.

Conpot runs on non-privileged ports to simplify installation and mitigate potential security risks. Here are the default ports utilized by Conpot:

  • Modbus Server: Port 5020/TCP
  • S7Comm: Port 10201/TCP
  • BACnet: Port 47808/TCP
  • SNMP: Port 16100/UDP
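Once Conpot is up, it is worth confirming that every listener from the default template actually started before you begin scanning; a service that failed to bind will otherwise look like a closed port and send you chasing the wrong problem. The following POSIX shell script is an added example and is not part of the original post or of the Conpot project. It assumes the port list above and that iproute2's `ss` command is available; the `ss -lntu` sample embedded in it is constructed, not captured from a real system, and deliberately lacks the SNMP listener to show what a failed service looks like.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Conpot project.
# After `conpot -f --template default` is running, confirm that the listeners
# of the default template (ports as listed in the post) really came up.
# Assumes iproute2's `ss` is installed (standard on Debian/Ubuntu).

# Default Conpot listeners from the post, as "proto:port:service".
CONPOT_DEFAULT_PORTS="tcp:5020:modbus tcp:10201:s7comm tcp:47808:bacnet udp:16100:snmp"

# missing_listeners LISTING
#   LISTING is the text of `ss -lntu`. Prints one "MISSING <service> <proto>/<port>"
#   line per expected listener that is absent; returns 0 only when all are present.
missing_listeners() {
    listing=$1
    rc=0
    for entry in $CONPOT_DEFAULT_PORTS; do
        proto=${entry%%:*}
        rest=${entry#*:}
        port=${rest%%:*}
        service=${rest#*:}
        # Column 1 of ss output is the protocol, column 5 is "Local Address:Port";
        # match the port at the end of that column so 5020 does not match 15020.
        if ! printf '%s\n' "$listing" | awk -v p="$proto" -v port="$port" \
              '$1 == p && $5 ~ (":" port "$") { found = 1 } END { exit !found }'; then
            echo "MISSING $service $proto/$port"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `ss -lntu` output (not captured from a real system):
# everything is up except the SNMP listener on 16100/UDP.
SAMPLE_LISTING='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:5020       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8800       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:10201      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:47808      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:15020      0.0.0.0:*'

# Run against the live system with `sh check_conpot.sh --live`, otherwise
# against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    current_listing=$(ss -lntu)
else
    current_listing=$SAMPLE_LISTING
fi
if missing_listeners "$current_listing"; then
    echo "all default Conpot services are listening"
else
    echo "some Conpot services did not start; check the conpot log output"
fi
```

Run it with `--live` on the Conpot VM itself (the listeners are checked locally, so the firewall state does not matter); a "MISSING" line usually means a port conflict or a template error, both of which Conpot reports in its log output when started in the foreground.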

Start Experimenting!

[Figure: Open TCP ports discovered with nmap -p-]

Running a scan using Nmap with the -p- flag reveals a list of open TCP ports, including 22, 2121, 5020, 8800, 10201, and 44818.

However, it's worth noting that the service names shown next to these ports may look wrong during scanning. This discrepancy arises from the internal mapping of port numbers to service names within Conpot's template configuration. Despite the mismatch, it's a good start for exercising recon.

[Figure: "Technodrome" web server]

Upon scanning, you may encounter port 8800/TCP hosting a web server named Technodrome. While Technodrome serves as a placeholder in our simulated environment, it's crucial to recognize that misconfigured web servers represent a significant attack surface in real-world scenarios. Such misconfigurations can expose functions that should never be reachable over the network, such as controls for the PLC's CPU, to anyone who finds the server.

[Figure: SNMP recon with snmp-check]

SNMP (Simple Network Management Protocol) plays a crucial role in network monitoring and management. By running snmp-check against port 16100/UDP, you can retrieve basic information about the target system. SNMP queries provide insights into device configurations, network statistics, and more, aiding in the reconnaissance process.