For anyone working in OT security, understanding the vulnerabilities of Industrial Control Systems (ICS) is an essential skill. In this second part of the Conpot beginners series, we simulate a cyber attack on an IEC-104 infrastructure substation.
I assume you already have Conpot installed and set up. If not, read my installation and first-time setup guide here. Start the honeypot with the IEC104 template:
conpot -f --template IEC104
Let's start with reconnaissance, the first step in any penetration test. With Nmap, we conduct a scan to find open TCP ports:
The scan covers all 65535 TCP ports and reveals that 22/tcp and 2404/tcp are open. The service on port 2404/tcp indicates the IEC-104 protocol. Our next step is fingerprinting: we use the Nmap Scripting Engine with iec-identify.nse to pull more information from the target:
The script, run against port 2404, reveals essential information such as the Application Service Data Unit (ASDU) address, 7720, which we need for every subsequent interaction.
Now equipped with the ASDU address, we turn to the Metasploit Framework for further exploration. Loading the iec104 client module, we configure the parameters needed to establish communication with the target:
use auxiliary/client/iec104
set RHOSTS <target_ip>
set ASDU 7720
These commands select and configure the iec104 client module, setting the target IP address (RHOSTS) and the ASDU address obtained during our reconnaissance phase.
With the module configured, we interrogate the target to retrieve data from its information objects. Running the module with command type 100 (its default setting), the general interrogation command, triggers the interrogation and returns the data stored in every information object within the infrastructure substation.
To demonstrate the potential impact of unauthorized access, we simulate the manipulation of an information object. Let's overwrite the content of a specific object (e.g., Information Object 3370) with a new value:
set COMMAND_ADDRESS 3370
set COMMAND_TYPE 45
set COMMAND_VALUE 1
These commands point the module at Information Object 3370, select command type 45 (single command) and write the value '1', showing how the data held at IOA 3370 can be tampered with.
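Both steps above, the general interrogation (type 100) and the single command (type 45) against IOA 3370 on ASDU 7720, leave a distinctive footprint on the wire. The following decoder is an added example for this write-up, not code from Conpot, Nmap or Metasploit: it parses IEC 60870-5-104 APDUs out of a captured TCP byte stream and raises an alert when a control-direction command arrives from a host that is not an allow-listed SCADA master, which is the kind of monitoring the conclusion below calls for. The byte strings and IP addresses are constructed to match the exercise; the fixed field sizes assumed (2-byte cause of transmission, 2-byte common address, 3-byte IOA) are the IEC-104 defaults.

```python
"""Decode IEC 60870-5-104 APDUs and flag commands from unexpected masters.

Added example, not Conpot/Nmap/Metasploit code. Frames and addresses below
are constructed to mirror the exercise: ASDU 7720, IOA 3370, types 100 and 45.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

START_BYTE = 0x68

TYPE_NAMES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    100: "C_IC_NA_1 general interrogation",
}
# Process commands in control direction (45..51, 58..64) change plant state.
CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))
# System commands in control direction (100..107): interrogation, read, clock sync...
SYSTEM_TYPES = set(range(100, 108))
# Types whose information element is one octet (SCO, DCO, RCO, QOI).
ONE_OCTET_ELEMENT = {45, 46, 47, 100}


@dataclass
class Apdu:
    fmt: str                              # "I" (data), "S" (ack) or "U" (control)
    type_id: Optional[int] = None
    cot: Optional[int] = None             # cause of transmission, low 6 bits
    asdu_addr: Optional[int] = None       # common address of ASDU
    ioas: List[int] = field(default_factory=list)
    element: Optional[int] = None         # first object's element (QOI or SCO here)


def parse_apdus(data: bytes) -> List[Apdu]:
    """Split a TCP byte stream into APDUs and decode the ASDU of each I-frame."""
    apdus: List[Apdu] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos] != START_BYTE:
            raise ValueError(f"bad APDU start at offset {pos}")
        length = data[pos + 1]            # APDU length excludes start and length bytes
        frame = data[pos + 2:pos + 2 + length]
        if length < 4 or len(frame) != length:
            raise ValueError(f"truncated APDU at offset {pos}")
        pos += 2 + length
        ctrl1 = frame[0]                  # bit0 = 0: I-frame; 01: S-frame; 11: U-frame
        fmt = "I" if ctrl1 & 0x01 == 0 else ("S" if ctrl1 & 0x03 == 0x01 else "U")
        apdu = Apdu(fmt=fmt)
        apdus.append(apdu)
        if fmt != "I":
            continue                      # S/U frames carry no ASDU
        asdu = frame[4:]
        if len(asdu) < 6:
            raise ValueError("ASDU header too short")
        apdu.type_id = asdu[0]
        sequence = bool(asdu[1] & 0x80)   # SQ bit: one IOA followed by N elements
        count = asdu[1] & 0x7F
        apdu.cot = asdu[2] & 0x3F         # asdu[3] is the originator address
        apdu.asdu_addr = int.from_bytes(asdu[4:6], "little")
        if apdu.type_id not in ONE_OCTET_ELEMENT:
            continue                      # other element layouts are not decoded here
        body = asdu[6:]
        if sequence:
            if len(body) < 3 + count:
                raise ValueError("ASDU body too short")
            apdu.ioas.append(int.from_bytes(body[0:3], "little"))
            apdu.element = body[3]
        else:
            if len(body) < 4 * count:
                raise ValueError("ASDU body too short")
            for off in range(0, 4 * count, 4):
                apdu.ioas.append(int.from_bytes(body[off:off + 3], "little"))
                if apdu.element is None:
                    apdu.element = body[off + 3]
    return apdus


def check_apdu(apdu: Apdu, src_ip: str, allowed_masters: Set[str]) -> Optional[str]:
    """Return an alert line for control-direction traffic from a non-allow-listed host."""
    if apdu.fmt != "I" or src_ip in allowed_masters:
        return None
    if apdu.type_id in CONTROL_TYPES:
        severity = "HIGH"                 # a write to plant state
    elif apdu.type_id in SYSTEM_TYPES:
        severity = "MEDIUM"               # bulk data retrieval / reconnaissance
    else:
        return None
    name = TYPE_NAMES.get(apdu.type_id, f"type {apdu.type_id}")
    ioa = apdu.ioas[0] if apdu.ioas else "n/a"
    elem = f"0x{apdu.element:02x}" if apdu.element is not None else "n/a"
    return f"{severity} {src_ip}: {name} to ASDU {apdu.asdu_addr} IOA {ioa} element {elem}"


def analyze(stream: bytes, src_ip: str, allowed_masters: Set[str]) -> List[str]:
    """Decode a stream from one source host and collect the alerts it produces."""
    return [a for a in (check_apdu(p, src_ip, allowed_masters)
                        for p in parse_apdus(stream)) if a]


# Constructed frames: ASDU 7720 = 0x1E28, IOA 3370 = 0x000D2A, COT 6 = activation.
INTERROGATION = bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 28 1e 00 00 00 14")  # QOI 20
SINGLE_COMMAND = bytes.fromhex("68 0e 02 00 00 00 2d 01 06 00 28 1e 2a 0d 00 01")  # SCS on
ALLOWED_MASTERS = {"192.0.2.10"}          # constructed address of the legitimate master

if __name__ == "__main__":
    for line in analyze(INTERROGATION + SINGLE_COMMAND, "203.0.113.50", ALLOWED_MASTERS):
        print(line)
```

Run against the constructed stream from the unknown host 203.0.113.50, the script emits a MEDIUM alert for the interrogation and a HIGH alert naming ASDU 7720 and IOA 3370 for the single command; the same frames from the allow-listed master produce nothing. Because IEC-104 itself carries no authentication, the source address and the allow-list are the only signals this check has, which is why segmentation between masters and outstations matters as much as the monitoring.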
This exercise underscores the importance of robust security measures in safeguarding Operational Technology. While the simulated cyber attack exposes how easily an unprotected IEC-104 endpoint can be read and written, strategies such as network segmentation and continuous monitoring of the protocol traffic mitigate the associated risks effectively.