Building a SCADA Honeynet as a First Line of Defense for Industrial Systems
Today we take a look at deploying Conpot, a security system designed to emulate a Siemens SIMATIC S7-200 PLC. It is described as an ICS honeypot with the goal to collect intelligence about the motives and methods of adversaries targeting industrial control systems.
Start by downloading the latest Conpot source code from GitHub.
$ sudo apt-get install git
$ git clone https://github.com/glastopf/conpot.git
Then run the following command to gather all of the prerequisites required to use Conpot.
$ sudo apt-get install libsmi2ldbl snmp-mibs-downloader python-dev libevent-dev libxslt1-dev libxml2-dev
$ cd conpot
$ sudo python setup.py install
Run the software
$ sudo conpot
If you receive an ImportError: cannot import name DatagramServer error while trying to run Conpot, you need to install the latest version of gevent.
The following command should take care of that:
$ sudo pip install cython git+git://github.com/surfly/gevent.git#egg=gevent
$ sudo pip install gevent --upgrade
If you receive the following error: AttributeError: 'module' object has no attribute 'DEVICE_INFO'
Then you will need to remove modbus_tk and install the Glastopf version of modbus-tk.
$ sudo pip uninstall modbus_tk
$ cd /usr/src
$ git clone https://github.com/glastopf/modbus-tk.git
$ cd modbus-tk
$ sudo python setup.py install
You will need to stop any software running on port 80 (Apache, Nginx, etc.) as well as any SNMP server using port 161.
Open your web browser and browse to the system at http://ipaddress/
Upon going to the address, I found that I received a blank page. I had to manually copy over the web files by issuing the following commands:
$ sudo conpot -t /usr/local/lib/python2.7/dist-packages/Conpot-0.2.2-py2.7.egg/conpot/templates/default.xml -w /usr/src/conpot/conpot/templates/www/default/htdocs
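
A preflight check for the port conflicts noted above (a web server on TCP 80, an SNMP server on UDP 161), as an added example that is not part of the original post or of Conpot: it tries to bind each port and reports whether it is free, already in use, or needs root. The names probe and preflight are made up for this example.

```python
import errno
import socket

# Listeners named on this page: the web interface (TCP 80) and SNMP (UDP 161).
CONPOT_LISTENERS = [("tcp", 80), ("udp", 161)]


def probe(proto, port, host="0.0.0.0"):
    """Try to bind host:port; return 'free', 'in-use' or 'need-root'."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, kind)
    try:
        if proto == "tcp":
            # Servers commonly set SO_REUSEADDR; set it here too so that
            # sockets lingering in TIME_WAIT are not reported as conflicts.
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        return "free"
    except socket.error as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"      # another service (Apache, snmpd, ...) holds it
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "need-root"   # ports below 1024 require root, hence sudo
        raise
    finally:
        sock.close()


def preflight(listeners=CONPOT_LISTENERS, host="0.0.0.0"):
    """Return {(proto, port): status} for every listener checked."""
    return {(p, n): probe(p, n, host) for p, n in listeners}


if __name__ == "__main__":
    results = preflight()
    for (proto, port), status in sorted(results.items()):
        print("{0}/{1}: {2}".format(proto, port, status))
    # Non-zero exit when any port is unavailable, so a wrapper script can stop.
    raise SystemExit(0 if all(s == "free" for s in results.values()) else 1)
```

Run it with sudo before starting conpot; a port reported as in-use means the conflicting service still has to be stopped.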