
Merge branch 'ICS-modbus' of https://git.tk.informatik.tu-darmstadt.de/scm-ssi-industrial-control-mobile-honeypot

Shreyas Srinivasa 9 years ago
parent
commit
432d735b91

+ 6 - 5
assets/payload/redirect-ports.sh

@@ -3,15 +3,16 @@
 # redirects ports below 1024 to a higher range using iptables, so they can be used without elevated rights
 # MySQL SIP (3306 and 5060) are left out because they are >= 1024 anyways
 
-#             ECHO  FTP   HTTP  HTTPS SMB (NETBIOS UDP & TCP) SSH   TELNET
-protocol=(    "tcp" "tcp" "tcp" "tcp" "udp" "udp"  "tcp" "tcp" "tcp" "tcp")
-origin=(       7     21    80    443   137   138    139   22    23    445)
-destination=( 28144 28169 28217 28580 28274 28275 28276 28159 28160 28582) # simply offset by 1024 + 27113
+#             ECHO  FTP   HTTP  HTTPS S7COMM SNMP SMB (NETBIOS UDP & TCP) SSH   TELNET MODBUS
+protocol=(    "tcp" "tcp" "tcp" "tcp" "tcp" "udp" "udp" "udp"  "tcp" "tcp" "tcp" "tcp" "tcp" )
+origin=(       7     21    80    443   102	 161   137   138    139   22    23    445   502 )
+destination=( 28144 28169 28217 28580 28239 28298 28274 28275 28276 28159 28160 28582 28639 ) # simply offset by 1024 + 27113
 length=${#protocol[@]} # count protocol elements
 
 # for (( i=0; i<$length; i++ ))
 #for i in `seq 0 9` # fix for android's annoyingly limited bash
-for i in 0 1 2 3 4 5 6 7 8 9 # another fix for devices missing the seq command
+
+for i in 0 1 2 3 4 5 6 7 8 9 10 11 12# another fix for devices missing the seq command
 
 do
 	# echo ${protocol[$i]} ${origin[$i]} ${destination[$i]} # debug
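Review bot: `for i in 0 1 2 3 4 5 6 7 8 9 10 11 12# another fix for devices missing the seq command` lost the space before `#`, and inside a word list a `#` only starts a comment at the beginning of a word, so `12#`, `another`, `fix`, `for`, … all become loop values; with a non-numeric index `${origin[$i]}` presumably evaluates to element 0 (or errors out), so the loop would install bogus or duplicated redirect rules instead of the new 502 entry. Restore the space: `for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 # another fix for devices missing the seq command`. The loop body that consumes these indices continues outside the hunk.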

+ 2 - 0
build.gradle

@@ -21,12 +21,14 @@ dependencies {
     compile files('libs/nineoldandroids-2.4.0.jar')
     compile 'com.android.support:support-v4:18.0.0'
     //compile fileTree(dir: 'libs', include: '*.jar')
+    compile files('libs/snmp4j-agent-2.3.3.jar')
     compile files('libs/swipelistview-1.0.jar')
     compile files('libs/sshlib-v1.1.jar')
     compile files('libs/chart-library2.2.jar')
     //compile files('libs/jlan-5.jar')
     compile files('libs/alfresco-jlan.jar')
     compile files('libs/cryptix-jce-provider.jar')
+    compile 'org.snmp4j:snmp4j:1.10.1'
 }
 
 android {
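Review bot: `compile files('libs/snmp4j-agent-2.3.3.jar')` takes the agent from a checked-in binary while `compile 'org.snmp4j:snmp4j:1.10.1'` resolves the core library from the repository; the 2.x agent is presumably built against a 2.x snmp4j core, so 1.10.1 is unlikely to be the version this jar expects, and declaring a matching `org.snmp4j:snmp4j-agent` coordinate from the same repository would keep both versioned together. A jar committed under libs/ carries no recorded origin or checksum, so its provenance cannot be verified later; if it must stay vendored, note its source and hash next to the dependency.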

BIN
libs/snmp4j-agent-2.3.3.jar


+ 6 - 0
pom.xml

@@ -78,6 +78,9 @@
 			<type>jar</type>
 		</dependency>
     </dependencies>
+
+
+
 	<build>
 		<finalName>${project.artifactId}</finalName>
 		<sourceDirectory>src</sourceDirectory>
@@ -149,4 +152,7 @@
             </snapshots>
         </repository>
     </repositories>
+
+
+
 </project>

BIN
res/drawable-xxxhdpi/ic_modbus_master.png


BIN
res/drawable-xxxhdpi/ic_nuclearpp.png


BIN
res/drawable-xxxhdpi/ic_profile_water_dist.png


+ 11 - 10
res/values-de/protocols.xml

@@ -15,15 +15,16 @@
     </string-array>
 
     <string-array name="protocols_description">
-        <item>Protokoll zum testen und messen der round-trip time</item>
-        <item>Protokoll zum Datentransfer zwischen Client/Server und Server/Server</item>
-        <item>Protokoll zum Spiegeln von eingehenden Verbindungen. Antwort erfolgt auf dem selben Port wie die eingegangene Verbindung</item>
-        <item>Datenübertragungsprotokoll für Webseiten</item>
-        <item>Genau wie HTTP mit zusätzlicher Sicherung der Verbindung mittels SSL/TLS</item>
-        <item>Weit verbreitetes relationelles Datenbank Management System</item>
-        <item>Dieses Protokoll wird für VoIP(Voice over IP) Dienste genutzt</item>
-        <item>Protokoll um Daten, Drucker und mehr in einem Netzwerk zu teilen</item>
-        <item>Netzwerkprotokoll das Datenzugriff, Datentransfer und Datenmanagement Funktionen über einen vertrauenswürdigen Datenstrom bereitstellt</item>
-        <item>Netzwerkprotokoll das genutzt wird um eine bidirektionale interaktive Kommunikation in einem virtuellen Terminal zu ermöglichen</item>
+        <item>A service for testing and measurement of round-trip times in IP networks</item>
+        <item>A protocol used to transfer files from one host to another host</item>
+        <item>A protocol mirrors an incoming connection back to the attacker on the same port, that it is running on</item>
+        <item>A protocol to exchange or transfer hypertext. It is the foundation of data communication for the World Wide Web</item>
+        <item>The same as HTTP, but using a secure connections based on SSL/TLS</item>
+        <item>The world\'s second most widely used relational database management system</item>
+        <item>ICS SCADA MODBUS</item>
+        <item>A protocol for VoIP (Voice over IP) services</item>
+        <item>A protocol used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network</item>
+        <item>A network protocol that provides file access, file transfer, and file management functionalities over any reliable data stream</item>
+        <item>A network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection</item>
     </string-array>
 </resources>
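Review bot: The German `protocols_description` array now has 11 entries with MODBUS inserted after MySQL, but the `protocols` name array of this file (above the hunk) is not touched here and values/protocols.xml lists 13 names with S7COMM and SNMP following MODBUS; unless the German name array is brought to the same 13 entries in the same order, every description from SIP onward is shown against the wrong protocol. The hunk also replaces the German translations with English text, so the de locale no longer localizes anything; keeping the original German items and adding German entries for MODBUS, S7COMM and SNMP at the positions used by values/protocols.xml would preserve both the translation and the index alignment.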

+ 18 - 12
res/values/protocols.xml

@@ -2,12 +2,15 @@
 <resources>
 
     <string-array name="protocols">
-		<item>ECHO</item>
+        <item>ECHO</item>
         <item>FTP</item>
         <item>GHOST</item>
         <item>HTTP</item>
         <item>HTTPS</item>
         <item>MySQL</item>
+        <item>MODBUS</item>
+        <item>S7COMM</item>
+        <item>SNMP</item>
         <item>SIP</item>
         <item>SMB</item>
         <item>SSH</item>
@@ -15,15 +18,18 @@
     </string-array>
 
     <string-array name="protocols_description">
-		<item>A service for testing and measurement of round-trip times in IP networks</item>
-		<item>A protocol used to transfer files from one host to another host</item>
-		<item>A protocol mirrors an incoming connection back to the attacker on the same port, that it is running on</item>
-		<item>A protocol to exchange or transfer hypertext. It is the foundation of data communication for the World Wide Web</item>
-		<item>The same as HTTP, but using a secure connections based on SSL/TLS</item>
-		<item>The world\'s second most widely used relational database management system</item>
-		<item>A protocol for VoIP (Voice over IP) services</item>
-		<item>A protocol used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network</item>
-		<item>A network protocol that provides file access, file transfer, and file management functionalities over any reliable data stream</item>
-		<item>A network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection</item>
-	</string-array>
+        <item>A service for testing and measurement of round-trip times in IP networks</item>
+        <item>A protocol used to transfer files from one host to another host</item>
+        <item>A protocol mirrors an incoming connection back to the attacker on the same port, that it is running on</item>
+        <item>A protocol to exchange or transfer hypertext. It is the foundation of data communication for the World Wide Web</item>
+        <item>The same as HTTP, but using a secure connections based on SSL/TLS</item>
+        <item>The world\'s second most widely used relational database management system</item>
+        <item>ICS SCADA MODBUS</item>
+        <item>Siemens SIMATIC Communication Protocol</item>
+        <item>Simple Network Monitoring Protocol</item>
+        <item>A protocol for VoIP (Voice over IP) services</item>
+        <item>A protocol used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network</item>
+        <item>A network protocol that provides file access, file transfer, and file management functionalities over any reliable data stream</item>
+        <item>A network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection</item>
+    </string-array>
 </resources>
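Review bot: `<item>Simple Network Monitoring Protocol</item>` expands SNMP incorrectly; it stands for Simple Network Management Protocol, so the line should read `<item>Simple Network Management Protocol</item>`. `<item>ICS SCADA MODBUS</item>` is a string of acronyms rather than a description like its neighbours; something in the style of the other entries, e.g. `<item>A protocol used in industrial control systems to read and write the coils and registers of a PLC</item>`, would fit. Name and description arrays are both 13 entries in matching order here, which the index-based lookup needs; values-de/protocols.xml should be kept in step.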

+ 3 - 0
res/values/strings.xml

@@ -246,6 +246,9 @@
 	<string name="profile_linux_hard_desc">This profile will imitate a linux machine which has just SSH activated</string>
     <string name="profile_voip_desc">This profile imitates a VOIP Server by monitoring the SIP service</string>
     <string name="profile_random_desc">This profile monitors services randomly</string>
+    <string name="profile_nuclearPower_desc">This profile simulates the Siemens SIMATIC S7 200 PLC working in a Nuclear Power Plant Environment</string>
+    <string name="profile_waterPlant_desc">This profile simulates the PLC infrastructure of a Water Distribution and Treatment Plant </string>
+    <string name="profile_modbusMater_desc">This profile simulates a MODBUS Master system that controls PLCs in a ICS SCADA environment</string>
     <string name="profile_paranoid_desc">This profile monitors all available services</string>
     <string name="profile_help_swipe">Swipe from the left or right on an item to expose all available actions for an item</string>
     <string name="profile_monitor_ghost">Monitor GHOST</string>
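Review bot: `profile_modbusMater_desc` misspells Master in the resource id; ProfileManager references it under the same name in this commit, so renaming it to `profile_modbusMaster_desc` has to change both sites together. The waterPlant description ends with a trailing space before `</string>`, and "a ICS SCADA environment" should read "an ICS SCADA environment".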

+ 56 - 1
src/de/tudarmstadt/informatik/hostage/persistence/ProfileManager.java

@@ -639,8 +639,63 @@ public class ProfileManager {
 
 		this.addProfile(randomProfile, false);
 
-		Profile paranoidProfile = new Profile(
+
+		Profile nuclearPlant = new Profile(
 				8,
+				"Nuclear Power Plant",
+				MainActivity.getInstance().getString(R.string.profile_nuclearPower_desc),
+				R.drawable.ic_nuclearpp,
+				false
+		);
+
+		nuclearPlant.mActiveProtocols.put("MODBUS", true);
+		nuclearPlant.mActiveProtocols.put("HTTP", true);
+		nuclearPlant.mActiveProtocols.put("FTP", true);
+		nuclearPlant.mActiveProtocols.put("TELNET", true);
+		nuclearPlant.mActiveProtocols.put("SNMP",true);
+		nuclearPlant.mActiveProtocols.put("S7COMM",true);
+		this.addProfile(nuclearPlant, false);
+
+
+		Profile waterPlant = new Profile(
+				9,
+				"Water Distribution & Treatment Plant",
+				MainActivity.getInstance().getString(R.string.profile_waterPlant_desc),
+				R.drawable.ic_profile_water_dist,
+				false
+		);
+
+		waterPlant.mActiveProtocols.put("MODBUS", true);
+		waterPlant.mActiveProtocols.put("HTTP", true);
+		waterPlant.mActiveProtocols.put("FTP", true);
+		waterPlant.mActiveProtocols.put("TELNET", true);
+		this.addProfile(waterPlant, false);
+
+
+		Profile modbusMaster = new Profile(
+				10,
+				"Modbus Master",
+				MainActivity.getInstance().getString(R.string.profile_modbusMater_desc),
+				R.drawable.ic_modbus_master,
+				false
+		);
+
+		modbusMaster.mActiveProtocols.put("MODBUS",true);
+		modbusMaster.mActiveProtocols.put("SMB",true);
+		modbusMaster.mActiveProtocols.put("SMB", true);
+		modbusMaster.mGhostActive = true;
+		modbusMaster.mGhostPorts = "135";
+
+		for(int i: pickRandom(3, 49152, 60000)){
+			modbusMaster.mGhostPorts += "," + i;
+		}
+
+		modbusMaster.mActiveProtocols.put("ECHO", true);
+
+		this.addProfile(modbusMaster, false);
+
+		Profile paranoidProfile = new Profile(
+				11,
 				"Paranoid",
                 MainActivity.getInstance().getString(R.string.profile_paranoid_desc),
 				R.drawable.ic_profile_paranoid,
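Review bot: `modbusMaster.mActiveProtocols.put("SMB",true);` is repeated verbatim on the next line; the second put is a no-op and one of them should go. The Paranoid profile's id moves from 8 to 11 so the three new profiles can take 8-10; if profile ids are persisted anywhere (saved preference or database), an existing stored selection of 8 would now resolve to the Nuclear Power Plant profile, so the new profiles should take ids after the existing ones unless ids are rebuilt on upgrade. The enclosing method starts and ends outside the hunk.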

+ 89 - 31
src/de/tudarmstadt/informatik/hostage/protocol/HTTP.java

@@ -28,13 +28,11 @@ import de.tudarmstadt.informatik.hostage.wrapper.Packet;
 public class HTTP implements Protocol {
 	
 	public HTTP() {
-		boolean useQotd = Hostage.getContext().getSharedPreferences(Hostage.getContext().getString(R.string.shared_preference_path), Hostage.MODE_PRIVATE).getBoolean("useQotd", true);
-		if (useQotd) {
-			new QotdTask().execute(new String[] {});
-		}
+
+		checkProfile();
+
 	}
-	
-	/**
+		/**
 	 * Get the current time in html header format.
 	 * 
 	 * @return the formatted server time.
@@ -73,7 +71,7 @@ public class HTTP implements Protocol {
 	private String initServerVersion() {
 		SecureRandom rndm = new SecureRandom();
 		int majorVersion = rndm.nextInt(possibleHttpVersions.length);
-		
+		checkProfile();
 		String version;
 		String sharedPreferencePath = Hostage.getContext().getString(
 				R.string.shared_preference_path);
@@ -100,6 +98,8 @@ public class HTTP implements Protocol {
 
 	private static String htmlDocumentContent = HelperUtils.getRandomString(32, false);
 
+	private static String htmlTitleContent = HelperUtils.getRandomString(32, false);
+
 	// request codes
 	private static final String OPTIONS = "OPTIONS";
 
@@ -121,8 +121,11 @@ public class HTTP implements Protocol {
 	 * 
 	 * @param htmlDocumentContent
 	 */
-	public static void setHtmlDocumentContent(String htmlDocumentContent) {
-		HTTP.htmlDocumentContent = htmlDocumentContent;
+	public static void setHtmlDocumentContent(String htmlDocumentContent,String htmlTitleContent) {
+
+			HTTP.htmlDocumentContent= htmlDocumentContent;
+			HTTP.htmlTitleContent = htmlTitleContent;
+
 	}
 
 	// html header pre and suffix
@@ -135,7 +138,7 @@ public class HTTP implements Protocol {
 	// html website
 	private String htmlDocument = "<!doctype html>\n" + "<html lang=\"en\">\n"
 			+ "<head>\n" + "<meta charset=\"UTF-8\">\n" + "<title>"
-			+ htmlDocumentContent + "</title>\n" + "<body>"
+			+ htmlTitleContent + "</title>\n" + "<body>"
 			+ htmlDocumentContent + "</body>\n" + "</head>\n" + "</html>";
 
 	// html error pre and suffix
@@ -171,18 +174,24 @@ public class HTTP implements Protocol {
 		if (request.startsWith("G")) {
 			//weird if clause but required for https
 			responsePackets.add(buildPacket(STATUS_CODE_200, GET));
+			checkProfile();
 		} else if (!request.contains(httpVersion)) {
 			responsePackets.add(buildPacket(STATUS_CODE_505, ""));
+			checkProfile();
 		} else if (request.contains(GET)) {
+			checkProfile();
 			responsePackets.add(buildPacket(STATUS_CODE_200, GET));
 		} else if (request.contains(HEAD)) {
 			responsePackets.add(buildPacket(STATUS_CODE_200, HEAD));
+			checkProfile();
 		} else if (request.contains(TRACE)) {
 			responsePackets.add(buildPacket(STATUS_CODE_200, TRACE));
+			checkProfile();
 		} else if (request.contains(OPTIONS)) {
 			responsePackets.add(buildPacket(STATUS_CODE_400, OPTIONS));
 		} else if (request.contains(POST)) {
 			responsePackets.add(buildPacket(STATUS_CODE_200, POST));
+
 		} else if (request.contains(PUT)) {
 			responsePackets.add(buildPacket(STATUS_CODE_400, PUT));
 		} else if (request.contains(DELETE)) {
@@ -193,13 +202,40 @@ public class HTTP implements Protocol {
 			responsePackets.add(buildPacket(STATUS_CODE_400, ""));
 		}
 		
-		boolean useQotd = Hostage.getContext().getSharedPreferences(Hostage.getContext().getString(R.string.shared_preference_path), Hostage.MODE_PRIVATE).getBoolean("useQotd", true);
-		if (useQotd) {
-			new QotdTask().execute(new String[] {});
-		}
+		checkProfile();
+
 		return responsePackets;
 	}
 
+
+
+
+	private void checkProfile() {
+
+		String sharedPreferencePath = Hostage.getContext().getString(
+				R.string.shared_preference_path);
+		String profile = Hostage
+				.getContext()
+				.getSharedPreferences(sharedPreferencePath,
+						Context.MODE_PRIVATE).getString("os", "");
+		if (profile.equals("Nuclear Power Plant")) {
+
+			htmlDocumentContent = "<font color="+"\"339966\""+">"+" <b>Welcome to Siemens Simatic S7 200 Portal</b>\n"+"<img src="+"" + "\"http://jewishbusinessnews.com/wp-content/uploads/2014/04/siemens-logo.jpg\""+"alt="+"\"Siemens Logo\""+">";
+			htmlTitleContent="Siemens Simatic S7 200 Home";
+
+			HTTP.setHtmlDocumentContent(htmlDocumentContent,htmlTitleContent);
+
+		}
+		else {
+
+			boolean useQotd = Hostage.getContext().getSharedPreferences(Hostage.getContext().getString(R.string.shared_preference_path), Hostage.MODE_PRIVATE).getBoolean("useQotd", true);
+			if (useQotd) {
+				new QotdTask().execute(new String[]{});
+
+			}
+		}
+	}
+
 	@Override
 	public String toString() {
 		return "HTTP";
@@ -242,32 +278,54 @@ public class HTTP implements Protocol {
 	 */
 	private class QotdTask extends AsyncTask<String, Void, String> {
 		@Override
+
+
 		protected String doInBackground(String... unused) {
-			String[] sources = new String[] { "djxmmx.net", "alpha.mike-r.com"};
-			SecureRandom rndm = new SecureRandom();
+
 			StringBuffer sb = new StringBuffer();
-			try {
-				Socket client = new Socket(sources[rndm.nextInt(sources.length)], 17);
-				BufferedReader in = new BufferedReader(new InputStreamReader(client.getInputStream()));
-				while (!in.ready())
-					;
-				while (in.ready()) {
-					sb.append(in.readLine());
+
+			String sharedPreferencePath = Hostage.getContext().getString(
+					R.string.shared_preference_path);
+			String profile = Hostage
+					.getContext()
+					.getSharedPreferences(sharedPreferencePath,
+							Context.MODE_PRIVATE).getString("os", "");
+
+
+			String[] sources = new String[]{"djxmmx.net", "alpha.mike-r.com"};
+			SecureRandom rndm = new SecureRandom();
+
+				try {
+					sb.equals("");
+					Socket client = new Socket(sources[rndm.nextInt(sources.length)], 17);
+					BufferedReader in = new BufferedReader(new InputStreamReader(client.getInputStream()));
+					while (!in.ready())
+						;
+					while (in.ready()) {
+						sb.append(in.readLine());
+					}
+					in.close();
+					client.close();
+				} catch (Exception e) {
+					e.printStackTrace();
 				}
-				in.close();
-				client.close();
-			} catch (Exception e) {
-				e.printStackTrace();
-			}
+
+
 			return sb.toString();
-		}
+
+			}
+
 
 		@Override
 		protected void onPostExecute(String result) {
+
+
+			checkProfile();
 			if (result != null)
-				HTTP.setHtmlDocumentContent(result);
+
+				HTTP.setHtmlDocumentContent(result,result);
 			else
-				HTTP.setHtmlDocumentContent(HelperUtils.getRandomString(32, false));
+				HTTP.setHtmlDocumentContent(HelperUtils.getRandomString(32, false),HelperUtils.getRandomString(32, false));
 		}
 	}
 }
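Review bot: checkProfile() is now invoked in five branches of processMessage (L324-L336) and again unconditionally before `return responsePackets;`, so a single GET performs the SharedPreferences lookup twice and, for every profile other than Nuclear Power Plant, starts two QotdTask network fetches per request; the per-branch calls should be dropped and only the one before the return kept (the constructor call already covers the first request). In checkProfile the generated markup concatenates `"\"http://…siemens-logo.jpg\""+"alt="` with no space, yielding `<img src="…"alt="Siemens Logo">`, and the page fetches that image from a third-party host on every visit, so the served page depends on an external site; a local drawable or inline data would be self-contained. In QotdTask.doInBackground the `profile` string is read but never used and `sb.equals("");` has no effect.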

+ 449 - 0
src/de/tudarmstadt/informatik/hostage/protocol/MODBUS.java

@@ -0,0 +1,449 @@
+package de.tudarmstadt.informatik.hostage.protocol;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.InputMismatchException;
+import java.util.List;
+
+
+import de.tudarmstadt.informatik.hostage.wrapper.Packet;
+
+/**
+ * Created by Shreyas Srinivasa on 25.05.15.
+ */
+public class MODBUS implements Protocol {
+
+
+    public int getPort() {
+        return 502;
+    }
+
+    public boolean isClosed() {
+        return false;
+    }
+
+    public boolean isSecure() {
+        return false;
+    }
+
+    private StringBuffer command = new StringBuffer();
+
+
+    @Override
+    public String toString() {
+        return "MODBUS";
+    }
+
+    public TALK_FIRST whoTalksFirst() {
+        return TALK_FIRST.CLIENT;
+    }
+
+
+
+
+
+    //Declarations
+
+    HashMap<Integer,Integer> coil = new HashMap<Integer,Integer>();
+    HashMap<Integer,Integer> register = new HashMap<Integer,Integer>();
+    HashMap<Integer,Integer> discreteInput = new HashMap<Integer,Integer>();
+
+
+
+    //Function Request Codes
+    public static final int READ_COILS = 1;
+    public static final int READ_INPUT_DISCRETES = 2;
+    public static final int READ_HOLDING_REGISTERS=3;
+    public static final int READ_INPUT_REGISTERS = 4;
+    public static final int WRITE_COIL = 5;
+    public static final int WRITE_SINGLE_REGISTER = 6;
+    public static final int MODBUS_SERVICE = 17; //for detection using metasploit module
+    public static final int MODBUS_DISCOVER=1;
+
+    //public static final int WRITE_MULTIPLE_COILS = 15; Not sure of these commands
+    //public static final int WRITE_MULTIPLE_REGISTERS = 16; Not sure of these commands
+
+    //Packet Constants, declaring it for now, depends on usage. Static assignment is not a good idea
+
+    int FUNCTION_CODE;
+    int UNIT_NUMBER;
+    int DATA_ADDRESS;
+    int SIZE;
+
+
+
+
+
+
+    public int sid=1; // Denotes the Unit Number or Slave_ID of the device
+
+    public static final int COIL_MAX_DATA_ADDRESS = 128; // Max coil data address
+
+    public static final int COIL_START_ADDRESS = 1; // Start address of coil
+
+    public static final int DISCRETE_MAX_DATA_ADDRESS = 10032; // Max DISCRETE_INPUT data address
+
+    public static final int DISCRETE_START_ADDRESS = 10001; // Start address of DISCRETE_INPUT
+
+    public static final int ANALOG_INPUT_MAX_DATA_ADDRESS = 30009; //Max ANALOG_INPUT data address
+
+    public static final int ANALOG_INPUT_START_ADDRESS = 30001;//Start address of ANALOG_INPUT
+
+    public static final int HOLDING_REGISTERS_MAX_ADDRESS = 40009; // MAX HOLDING_REGISTER data_address
+
+    public static final int HOLDING_REGISTERS_START_ADDRESS = 40001; // Start address of the HOLDING_REGISTER
+
+
+    @Override
+    public List<Packet> processMessage(Packet requestPacket) {
+        List<Packet> responsePackets = new ArrayList<Packet>();
+
+
+
+        byte[] request = null;
+        if (requestPacket != null) {
+            request = requestPacket.getBytes();
+
+
+            getRequestType(request);
+
+            responsePackets=processRequest(request,getRequestType(request));
+            System.out.println(responsePackets);
+
+
+        }
+
+
+        return responsePackets;
+    }
+
+    private List<Packet> processRequest(byte[] request,int requestType) {
+
+        List<Packet> responsePackets = new ArrayList<Packet>();
+        switch (requestType){
+
+            case MODBUS_SERVICE:
+               // responsePackets.add(new Packet(request,getDeviceInfo()));
+                responsePackets.add(new Packet(getDeviceInfo()+"\r\n","EE:FF:66:88:GH:JI:DJ"));
+                System.out.println(responsePackets);
+                break;
+
+            case READ_INPUT_REGISTERS:
+
+                sid=(request[6]);
+                int registerAddress = (request[9]);
+
+
+                if(sid==1){
+                    //Exception packet
+                }
+
+                else if(sid==2 && registerAddress >= ANALOG_INPUT_START_ADDRESS && registerAddress<=ANALOG_INPUT_MAX_DATA_ADDRESS) {
+                    request[9] = (byte) readRegister(registerAddress);
+                    responsePackets.add(new Packet(request, getDeviceInfo()));
+
+                }
+
+                else if(sid==2 && registerAddress < ANALOG_INPUT_START_ADDRESS || registerAddress > ANALOG_INPUT_MAX_DATA_ADDRESS ){
+                    //Exception packet
+                }
+
+                break;
+
+            case READ_HOLDING_REGISTERS:
+                sid=request[6];
+                int holdingRegisterAddress=request[9];
+
+                if (sid==1){
+                    //exception packet
+                }
+
+                else if (sid==2 && holdingRegisterAddress >=HOLDING_REGISTERS_START_ADDRESS && holdingRegisterAddress <= HOLDING_REGISTERS_MAX_ADDRESS){
+
+                    request[9] = (byte) readRegister(holdingRegisterAddress);
+                    responsePackets.add(new Packet(request, getDeviceInfo()));
+
+                }
+
+                else if(sid==2 && holdingRegisterAddress < HOLDING_REGISTERS_START_ADDRESS || holdingRegisterAddress > HOLDING_REGISTERS_MAX_ADDRESS ){
+                    //Exception packet
+                }
+
+            case READ_COILS:
+
+                sid= (request[6]);
+                int address = (request[9]);
+
+                if(sid==1&&address<COIL_MAX_DATA_ADDRESS && address>=COIL_START_ADDRESS){
+
+                    request[5]=4;
+
+                    request[9]=(byte)readCoil(address);
+                    responsePackets.add(new Packet(request,getDeviceInfo()));
+
+
+                }
+
+                //Imitating Siemens Simatic S7-200 Architecture
+                else if(sid==1 && address<COIL_START_ADDRESS || address>COIL_MAX_DATA_ADDRESS){
+
+                  request[7]=(byte)129;
+                  request[8]=(byte)2;
+                  request[9]=0;
+                  request[10]=0;
+                  request[11]=0;
+
+                  responsePackets.add(new Packet(request,getDeviceInfo()));
+
+                }
+
+                else if(sid==2){
+                    //Exception packet
+                }
+
+
+                break;
+
+
+            case READ_INPUT_DISCRETES:
+
+                sid =request[6];
+                int inputAddress = (request[9]);
+
+                if(sid==1&& inputAddress>DISCRETE_MAX_DATA_ADDRESS || inputAddress<DISCRETE_START_ADDRESS){
+                    request[7]=(byte)129;
+                    request[8]=(byte)2;
+                    request[9]=0;
+                    request[10]=0;
+                    request[11]=0;
+
+                    responsePackets.add(new Packet(request,getDeviceInfo()));
+                }
+
+                else if(sid==1&&inputAddress<DISCRETE_MAX_DATA_ADDRESS && inputAddress>=DISCRETE_START_ADDRESS){
+
+
+                    request[5]=4;
+                    request[9]=(byte)readDiscrete(inputAddress);
+                    responsePackets.add(new Packet(request,getDeviceInfo()));
+
+                }
+
+                else if(sid==2){
+                    //Exception packet
+                }
+
+                break;
+
+            case WRITE_COIL:
+
+                sid=request[6];
+
+                int coilAddress = (request[9]);
+                int coilData = (request[10]);
+
+                if(sid==2){
+                    //Exception packet
+                }
+
+                else if(sid==1 && coilAddress>COIL_MAX_DATA_ADDRESS){
+                    //exception packet
+                }
+
+                else if(sid==1 && coilAddress<=COIL_MAX_DATA_ADDRESS && coilAddress>=COIL_START_ADDRESS) {
+                    writeCoil(coilAddress, coilData);
+                    responsePackets.add(new Packet(request, getDeviceInfo()));
+                }
+                break;
+
+
+            case WRITE_SINGLE_REGISTER:
+
+                sid = request[6];
+                int regAddress=(request[9]);
+                int regData=(request[10]);
+
+                if (sid==1){
+                    //exception
+                }
+
+                else if(sid==2 && regAddress >= ANALOG_INPUT_START_ADDRESS && regAddress<=ANALOG_INPUT_MAX_DATA_ADDRESS) {
+
+                    writeSingleRegister(regAddress,regData);
+                    responsePackets.add(new Packet(request,getDeviceInfo()));
+
+
+                }
+
+                else if(sid==2 && regAddress < ANALOG_INPUT_START_ADDRESS || regAddress > ANALOG_INPUT_MAX_DATA_ADDRESS ){
+                    //Exception packet
+                }
+
+                else if (sid==2 && regAddress >=HOLDING_REGISTERS_START_ADDRESS && regAddress <= HOLDING_REGISTERS_MAX_ADDRESS){
+
+
+                        writeSingleRegister(regAddress,regData);
+                        responsePackets.add(new Packet(request,getDeviceInfo()));
+
+                }
+
+                else if(sid==2 && regAddress < HOLDING_REGISTERS_START_ADDRESS || regAddress > HOLDING_REGISTERS_MAX_ADDRESS ) {
+
+                    //Exception Packet
+
+                }
+
+                break;
+
+            default:
+                break;
+
+        }
+    return responsePackets;
+    }
+
+
+    //Read Coil function
+    public int readCoil(int address) {
+
+        address+=1;//has an offset 1
+
+        if (coil.containsKey(address)) {
+            int val = (Integer) coil.get(address);
+            return val;
+        } else {
+            coil.put(address, rand());
+            //System.out.println(coil);
+
+            int val = (Integer) coil.get(address);
+            System.out.println("Address:" + String.valueOf(address) + "Data:" + String.valueOf(val));
+            return val;
+        }
+    }
+    //Random input of 0 & 1 for coils
+    private int rand() {
+
+        int num =(Math.random()<0.5)?0:1;
+        return num;
+    }
+
+
+    //Device Information
+    private String DeviceInfo = getDeviceInfo();
+
+    private String getDeviceInfo() {
+
+        DeviceInfo = "5369656d656e732053494d415449432053372d323030"; // Hex value for Simatic S7 200
+        return DeviceInfo;
+    }
+
+
+
+
+    private int readRegister(int registerAddress) {
+
+       // registerAddress+=30001; //Offset of 30001 Check the packet in wireshark and decide to put offset
+
+        if (register.containsKey(registerAddress)) {
+            int val = (Integer) register.get(registerAddress);
+            return val;
+        } else {
+            register.put(registerAddress, randvalue());
+            int val = (Integer) register.get(registerAddress);
+            System.out.println("Address:" + String.valueOf(registerAddress) + "Data:" + String.valueOf(val));
+            return val;
+        }
+
+
+
+    }
+
+    private int randvalue(){
+
+        int num =(Math.random()<0.5)?0:255; //Max Hex value that can be stored in 10 bit Binary is 255
+        return num;
+
+    }
+
+
+
+    private int writeSingleRegister(int regAddress, int regData){
+
+        //regData+=30001;
+        register.put(regAddress, regData);
+        int val = (Integer)register.get(regAddress);
+        return val;
+
+    }
+
+
+    private int writeCoil(int coilAddress, int coilData) {
+
+        coilAddress+=1;//offset 1
+
+        coil.put(coilAddress,coilData);
+
+        int val=(Integer)coil.get(coilAddress);
+        return val;
+
+    }
+
+
+
+    //Read Coil function
+    public int readDiscrete(int address) {
+
+        address+=1;//offset 1
+
+        if (discreteInput.containsKey(address)) {
+            int val = (Integer) discreteInput.get(address);
+            return val;
+        } else {
+            discreteInput.put(address, rand());
+            //System.out.println(coil);
+
+            int val = (Integer) discreteInput.get(address);
+            System.out.println("Address:" + String.valueOf(address) + "Data:" + String.valueOf(val));
+            return val;
+        }
+    }
+
+
+
+
+
+    /* gets the type of request made from the master */
+    private int getRequestType(byte[] request) {
+
+        int requestType=request[7];
+
+        if (requestType == 17) {
+            requestType = MODBUS_SERVICE;
+        } else if (requestType == 5) {
+            requestType = WRITE_COIL;
+        } else if (requestType == 1) {
+            requestType = READ_COILS;
+        } else if (requestType == 6) {
+            requestType = WRITE_SINGLE_REGISTER;
+        } else if (requestType == 4) {
+            requestType = READ_INPUT_REGISTERS;
+        }
+        else if (requestType==2){
+            requestType = READ_INPUT_DISCRETES;
+        }
+        else if (requestType==3){
+            requestType = READ_HOLDING_REGISTERS;
+        }
+
+       System.out.println(requestType);
+        return requestType;
+
+
+
+    }
+
+
+
+
+    }
+
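Review bot: processRequest and getRequestType index request[6] through request[11] (e.g. L599-L600, L656-L660, L884) without checking the length, so a short or truncated frame from a client throws ArrayIndexOutOfBoundsException out of processMessage; guard once in processMessage before calling getRequestType, `if (request.length < 12) { return responsePackets; }`. The READ_HOLDING_REGISTERS case has no `break` after its last branch, so it falls through into READ_COILS and can emit a second response for one request. Every address is read as a single signed byte (`int registerAddress = (request[9]);`), which can never satisfy a comparison against 30001 or 40001, so the register branches are unreachable; the Modbus TCP reference address is the 16-bit big-endian value at bytes 8-9, `((request[8] & 0xFF) << 8) | (request[9] & 0xFF)`. getRequestType is also evaluated twice per message, and the System.out.println calls should go through the app's logging.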

+ 2 - 2
src/de/tudarmstadt/informatik/hostage/protocol/Protocol.java

@@ -41,11 +41,11 @@ public interface Protocol {
 	/**
 	 * Determines the next response.
 	 * 
-	 * @param message
+	 * @param requestPacket
 	 *            Last message received from the client.
 	 * @return Message to be sent to the client.
 	 */
-	List<Packet> processMessage(Packet message);
+	List<Packet> processMessage(Packet requestPacket);
 
 	/**
 	 * Returns the name of the protocol.

+ 47 - 0
src/de/tudarmstadt/informatik/hostage/protocol/S7COMM.java

@@ -0,0 +1,47 @@
+package de.tudarmstadt.informatik.hostage.protocol;
+
+import java.util.List;
+
+import de.tudarmstadt.informatik.hostage.wrapper.Packet;
+
+/**
+ * Created by root on 06.07.15.
+ */
+public class S7COMM implements Protocol {
+    @Override
+    public int getPort() {
+        return 102;
+    }
+
+    @Override
+    public boolean isClosed() {
+        return false;
+    }
+
+    @Override
+    public boolean isSecure() {
+        return false;
+    }
+
+    @Override
+    public List<Packet> processMessage(Packet requestPacket) {
+
+        byte[] request = requestPacket.getBytes();
+
+        for(int i=0; i<=request.length;i++) {
+            System.out.println(request[i]);
+        }
+
+        return null;
+    }
+
+    @Override
+    public TALK_FIRST whoTalksFirst() {
+        return null;
+    }
+
+    @Override
+    public String toString(){
+        return "S7COMM";
+    }
+}
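Review bot: `for(int i=0; i<=request.length;i++)` runs one past the end of the array, so processMessage throws ArrayIndexOutOfBoundsException on every request after printing the bytes; the condition should be `i < request.length`. processMessage then returns null and whoTalksFirst returns null, whereas MODBUS.processMessage in this same commit returns an empty list and TALK_FIRST.CLIENT; callers that iterate the returned list or switch on the enum would presumably fail on null, so an empty `ArrayList<Packet>` and an explicit TALK_FIRST value are safer. requestPacket is also dereferenced without the null check that MODBUS.processMessage performs.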

+ 1 - 6
src/de/tudarmstadt/informatik/hostage/protocol/SMB.java

@@ -9,12 +9,7 @@ import android.preference.PreferenceManager;
 
 import org.alfresco.jlan.app.XMLServerConfiguration;
 import org.alfresco.jlan.netbios.server.NetBIOSNameServer;
-import org.alfresco.jlan.server.SessionListener;
-import org.alfresco.jlan.server.SrvSession;
 import org.alfresco.jlan.server.config.InvalidConfigurationException;
-import org.alfresco.jlan.server.filesys.FileListener;
-import org.alfresco.jlan.server.filesys.NetworkFile;
-import org.alfresco.jlan.smb.server.CIFSConfigSection;
 import org.alfresco.jlan.smb.server.SMBServer;
 
 import java.io.IOException;
@@ -186,7 +181,7 @@ public class SMB implements Protocol {
     }
 
     @Override
-    public List<Packet> processMessage(Packet message) {
+    public List<Packet> processMessage(Packet requestPacket) {
         return null;
     }
 

+ 183 - 0
src/de/tudarmstadt/informatik/hostage/protocol/SNMP.java

@@ -0,0 +1,183 @@
+package de.tudarmstadt.informatik.hostage.protocol;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.List;
+
+import de.tudarmstadt.informatik.hostage.wrapper.Packet;
+
+import org.alfresco.jlan.server.auth.spnego.OID;
+import org.snmp4j.TransportMapping;
+import org.snmp4j.agent.BaseAgent;
+import org.snmp4j.agent.CommandProcessor;
+import org.snmp4j.agent.DuplicateRegistrationException;
+import org.snmp4j.agent.MOGroup;
+import org.snmp4j.agent.ManagedObject;
+import org.snmp4j.agent.mo.MOTableRow;
+import org.snmp4j.agent.mo.snmp.RowStatus;
+import org.snmp4j.agent.mo.snmp.SnmpCommunityMIB;
+import org.snmp4j.agent.mo.snmp.SnmpNotificationMIB;
+import org.snmp4j.agent.mo.snmp.SnmpTargetMIB;
+import org.snmp4j.agent.mo.snmp.StorageType;
+import org.snmp4j.agent.mo.snmp.VacmMIB;
+import org.snmp4j.agent.security.MutableVACM;
+import org.snmp4j.mp.MPv3;
+import org.snmp4j.security.SecurityLevel;
+import org.snmp4j.security.SecurityModel;
+import org.snmp4j.security.USM;
+import org.snmp4j.smi.Address;
+import org.snmp4j.smi.GenericAddress;
+import org.snmp4j.smi.Integer32;
+import org.snmp4j.smi.OctetString;
+import org.snmp4j.smi.Variable;
+import org.snmp4j.transport.TransportMappings;
+
+/**
+ * Created by root on 06.07.15.
+ */
+public class SNMP extends BaseAgent implements Protocol {
+    @Override
+    public int getPort() {
+        return 161;
+    }
+
+    @Override
+    public boolean isClosed() {
+        return false;
+    }
+
+    @Override
+    public boolean isSecure() {
+        return false;
+    }
+
+    @Override
+    public List<Packet> processMessage(Packet requestPacket) {
+        return null;
+    }
+
+    @Override
+    public TALK_FIRST whoTalksFirst() {
+        return null;
+    }
+
+    @Override
+    public String toString(){
+        return "SNMP";
+    }
+
+
+    private String address;
+
+    public SNMP(String address) throws IOException {
+
+        super(new File("conf.agent"), new File("bootCounter.agent"),
+                new CommandProcessor(
+                        new OctetString(MPv3.createLocalEngineID())));
+        this.address = address;
+    }
+
+    @Override
+    protected void registerManagedObjects() {
+
+    }
+
+    @Override
+    protected void unregisterManagedObjects() {
+
+    }
+
+    @Override
+    protected void addUsmUser(USM usm) {
+
+    }
+
+
+    @Override
+    protected void addNotificationTargets(SnmpTargetMIB snmpTargetMIB, SnmpNotificationMIB snmpNotificationMIB) {
+
+    }
+
+    @Override
+    protected void addViews(VacmMIB vacmMIB) {
+
+        vacmMIB.addGroup(SecurityModel.SECURITY_MODEL_SNMPv2c, new OctetString("cpublic"), new OctetString("v1v2group"), StorageType.nonVolatile);
+
+        vacmMIB.addAccess(new OctetString("v1v2group"), new OctetString("public"),
+        SecurityModel.SECURITY_MODEL_ANY, SecurityLevel.NOAUTH_NOPRIV,
+        MutableVACM.VACM_MATCH_EXACT, new OctetString("fullReadView"),
+        new OctetString("fullWriteView"), new OctetString("fullNotifyView"), StorageType.nonVolatile);
+
+        vacmMIB.addViewTreeFamily(new OctetString("fullReadView"), new org.snmp4j.smi.OID("1.3"),
+        new OctetString(), VacmMIB.vacmViewIncluded, StorageType.nonVolatile);
+    }
+
+    @Override
+    protected void addCommunities(SnmpCommunityMIB snmpCommunityMIB) {
+
+        Variable[] com2sec = new Variable[] { new OctetString("public"),
+
+                new OctetString("cpublic"), // security name
+
+                getAgent().getContextEngineID(), // local engine ID
+
+                new OctetString("public"), // default context name
+
+                new OctetString(), // transport tag
+
+                new Integer32(StorageType.nonVolatile), // storage type
+
+                new Integer32(RowStatus.active) // row status
+
+        };
+
+        MOTableRow row = snmpCommunityMIB.getSnmpCommunityEntry().createRow(
+
+        new OctetString("public2public").toSubIndex(true), com2sec);
+
+        snmpCommunityMIB.getSnmpCommunityEntry().addRow((SnmpCommunityMIB.SnmpCommunityEntryRow) row);
+    }
+
+    public void start() throws IOException {
+
+        init();
+        // This method reads some old config from a file and causes
+        // unexpected behavior.
+        // loadConfig(ImportModes.REPLACE_CREATE);
+        addShutdownHook();
+        getServer().addContext(new OctetString("public"));
+        finishInit();
+        run();
+        sendColdStartNotification();
+    }
+
+
+    protected void initTransportMappings() throws IOException {
+        transportMappings = new TransportMapping[1];
+        Address addr = GenericAddress.parse(address);
+
+        TransportMapping tm = TransportMappings.getInstance()
+        .createTransportMapping(addr);
+        transportMappings[0] = tm;
+    }
+
+
+    public void registerManagedObject(ManagedObject mo) {
+        try {
+            server.register(mo, null);
+            } catch (DuplicateRegistrationException ex) {
+
+            throw new RuntimeException(ex);
+              }
+
+    }
+
+
+    public void unregisterManagedObject(MOGroup moGroup){
+        moGroup.unregisterMOs(server,getContext(moGroup));
+    }
+
+
+
+
+}
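Review bot: addAccess on lines 1122–1125 grants the `cpublic`/`public` community `fullWriteView` and `fullNotifyView`, yet addViews only ever binds `fullReadView` to a subtree; a view name with no tree family yields no access, so the write grant is dead today, and if a write view is registered later any client presenting the well-known `public` community could SET agent state. For a honeypot that should be observed rather than reconfigured, make the intent explicit with an empty write view: `new OctetString(), new OctetString("fullNotifyView"), StorageType.nonVolatile);`. The `org.alfresco.jlan.server.auth.spnego.OID` import on line 1025 is unused, collides with snmp4j's OID and is why line 1127 has to spell out `org.snmp4j.smi.OID`; drop it and import `org.snmp4j.smi.OID` instead. initTransportMappings on line 1171 overrides the BaseAgent method but lacks the `@Override` the other overrides carry, and GenericAddress.parse can return null for an unparsable `address`, which createTransportMapping then receives unchecked.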

+ 26 - 0
src/de/tudarmstadt/informatik/hostage/protocol/SNMPUtils/MOCreator.java

@@ -0,0 +1,26 @@
+package de.tudarmstadt.informatik.hostage.protocol.SNMPUtils;
+
+
+import org.snmp4j.agent.mo.MOAccessImpl;
+import org.snmp4j.agent.mo.MOScalar;
+import org.snmp4j.smi.OID;
+import org.snmp4j.smi.OctetString;
+import org.snmp4j.smi.Variable;
+
+/**
+ * Created by root on 06.07.15.
+ */
+public class MOCreator {
+
+    public static MOScalar createReadOnly(OID oid, Object value){
+        return new MOScalar(oid, MOAccessImpl.ACCESS_READ_ONLY,getVariable(value));
+    }
+
+    private static Variable getVariable(Object value){
+        if(value instanceof String) {
+            return new OctetString((String) value);
+        }
+        throw new IllegalArgumentException("Ummanaged Type:"+value.getClass());
+    }
+
+}
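Review bot: getVariable dereferences `value.getClass()` inside the throw on line 1227, so a null argument fails with a NullPointerException instead of the intended IllegalArgumentException, and the message has a typo ("Ummanaged"); `throw new IllegalArgumentException("Unmanaged type: " + (value == null ? "null" : value.getClass()));` covers both. Only String values are mapped today, so a class Javadoc such as `Factory for read-only snmp4j scalars; currently only String values are supported (mapped to OctetString).` would replace the IDE-generated "Created by root" header.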

+ 87 - 0
src/de/tudarmstadt/informatik/hostage/protocol/SNMPUtils/MOTableBuilder.java

@@ -0,0 +1,87 @@
+package de.tudarmstadt.informatik.hostage.protocol.SNMPUtils;
+
+import org.snmp4j.agent.MOAccess;
+import org.snmp4j.agent.mo.DefaultMOMutableRow2PC;
+import org.snmp4j.agent.mo.DefaultMOTable;
+import org.snmp4j.agent.mo.MOColumn;
+import org.snmp4j.agent.mo.MOMutableTableModel;
+import org.snmp4j.agent.mo.MOTable;
+import org.snmp4j.agent.mo.MOTableIndex;
+import org.snmp4j.agent.mo.MOTableSubIndex;
+import org.snmp4j.smi.OID;
+import org.snmp4j.smi.SMIConstants;
+import org.snmp4j.smi.Variable;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Created by root on 06.07.15.
+ */
+public class MOTableBuilder {
+
+    private MOTableSubIndex[] subIndexes = new MOTableSubIndex[] { new MOTableSubIndex(
+            SMIConstants.SYNTAX_INTEGER) };
+    private MOTableIndex indexDef = new MOTableIndex(subIndexes, false);
+
+    private final List<MOColumn> columns = new ArrayList<MOColumn>();
+    private final List<Variable[]> tableRows = new ArrayList<Variable[]>();
+    private int currentRow = 0;
+    private int currentCol = 0;
+
+    private OID tableRootOid;
+
+    private int colTypeCnt = 0;
+
+
+    /**
+     * Specified oid is the root oid of this table
+     */
+    public MOTableBuilder(OID oid) {
+        this.tableRootOid = oid;
+    }
+
+    /**
+     * Adds all column types {@link MOColumn} to this table.
+     * Important to understand that you must add all types here before
+     * adding any row values
+     *
+     * @param syntax use {@link SMIConstants}
+     * @param access
+     * @return
+     */
+    public MOTableBuilder addColumnType(int syntax, MOAccess access) {
+        colTypeCnt++;
+        columns.add(new MOColumn(colTypeCnt, syntax, access));
+        return this;
+    }
+
+
+    public MOTableBuilder addRowValue(Variable variable) {
+        if (tableRows.size() == currentRow) {
+            tableRows.add(new Variable[columns.size()]);
+        }
+        tableRows.get(currentRow)[currentCol] = variable;
+        currentCol++;
+        if (currentCol >= columns.size()) {
+            currentRow++;
+            currentCol = 0;
+        }
+        return this;
+    }
+
+    public MOTable build() {
+        DefaultMOTable ifTable = new DefaultMOTable(tableRootOid, indexDef,
+                columns.toArray(new MOColumn[0]));
+        MOMutableTableModel model = (MOMutableTableModel) ifTable.getModel();
+        int i = 1;
+
+        for (Variable[] variables : tableRows) {
+            model.addRow(new DefaultMOMutableRow2PC(new OID(String.valueOf(i)),
+                    variables));
+            i++;
+        }
+        ifTable.setVolatile(true);
+        return ifTable;
+    }
+}
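Review bot: addRowValue assumes at least one column exists: with `columns` empty, line 1297 allocates a zero-length row and line 1299 writes index 0, throwing ArrayIndexOutOfBoundsException rather than the ordering violation the Javadoc on lines 1281–1282 warns about; `if (columns.isEmpty()) throw new IllegalStateException("add column types before row values");` at the top of addRowValue makes that contract explicit. A column type added after rows have started would likewise leave earlier rows shorter than `columns.size()`, so the mirror guard `if (!tableRows.isEmpty()) throw new IllegalStateException("column types cannot be added after row values");` belongs in addColumnType. build() also silently emits a partially filled last row (null trailing cells) when the number of values is not a multiple of the column count. The addColumnType Javadoc leaves `@param access` and `@return` empty; `@param access column access policy, e.g. MOAccessImpl.ACCESS_READ_ONLY` and `@return this builder, for chaining` would complete it.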

+ 2 - 1
src/de/tudarmstadt/informatik/hostage/wrapper/Packet.java

@@ -59,7 +59,8 @@ public class Packet {
 		if (protocol.equals("FTP") 
 				|| protocol.equals("HTTP") 
 				|| protocol.equals("HTTPS")
-				|| protocol.equals("SIP")) {
+				|| protocol.equals("SIP")
+				|| protocol.equals("MODBUS")) {
 			return new String(payload);
 		} else {
 			return HelperUtils.bytesToHexString(payload);
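Review bot: Adding `MODBUS` to the plain-string branch on line 1333 sends Modbus/TCP payloads through `new String(payload)`; Modbus/TCP is a binary framing (MBAP header followed by function code and register data), so the result is platform-charset-dependent mojibake that can also drop or merge bytes, whereas the hex branch below already renders it losslessly. Unless the intent is to display a text-based variant not visible here, remove `|| protocol.equals("MODBUS")` and let the default hex path handle it. The enclosing method starts outside the hunk.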

BIN
thesis_report/Progress_Report.odt


+ 149 - 0
thesis_report/Thesis_Report.tex

@@ -0,0 +1,149 @@
+\documentclass[article,msc=informatik,type=msc,colorback,accentcolor=tud9c]{tudthesis}
+\usepackage{ngerman}
+
+\newcommand{\getmydate}{%
+  \ifcase\month%
+    \or Januar\or Februar\or M\"arz%
+    \or April\or Mai\or Juni\or Juli%
+    \or August\or September\or Oktober%
+    \or November\or Dezember%
+  \fi\ \number\year%
+}
+
+\begin{document}
+  \thesistitle{A Mobile Honeypot for Industrial Control Systems }
+    {}
+  \author{Shreyas Srinivasa}
+  \birthplace{Bangalore, India}
+  \referee{Emmanouil Vasilomanolakis}{}
+  \department{Fachbereich Informatik}
+  \group{Telekooperation \\ Prof. Dr. Max M{\"u}hlh{\"a}user}
+  \dateofexam
+  \tuprints{12345}
+  \makethesistitle
+  
+
+
+         
+  
+  \section{Introduction}
+   Mobile devices today have better communication capabilities. They enable dynamic and faster communication. Users are able to access internet and web applications through their smart phones anywhere, anytime. Smarter applications offer better social interaction and online presence to the users. This creates an urge to stay connected and be online seamlessly to  be updated.Public infrastructures like airports, coffee shops, shopping malls  provide free access to their networks to its customers to facilitate their connectivity and of course, for some information exchange. With free access to networks, attackers are now concentrating on the possibility of exploiting users in the same network. Securing open networks is very challenging and complex. It is however possible to detect these attacks. A pro-active approach for detecting the attacks is a better approach. Prevention is better than cure, as said, is to better stay away from such environments than get exploited and realize at a later stage.
+   
+   Huge industries like nuclear power plants, water treatment and distribution plants, manufacturing plants have many complex critical machines and require constant monitoring. They rely on process automation on these machines and are dependent on sensors for making this automation possible. This sensor-to-machine-to-human communication and automation is achieved with the help of PLCs\cite{Webb:1998:PLC:551899} or Programmable Logic Controllers. This communication is usually not secure and is open to attacks. As this hardware has limited computing resources, encryption of data is an expensive option. There have been many attacks detected over the years on SCADA\footnote{http://www.schneider-electric.com/solutions/ww/en/med/20340568/application/pdf/1485se-whitepaper-letter-scadaoverview-v005.pdf} ICS, most notable being STUXNET\cite{Langner:2011:SDC:1990763.1990881}. Securing and detecting attacks in these networks is necessary as it is responsible for communication in critical machines. Failure of such machines could cause a devastation to the environment and human life because of the wide spread use of PLCs in infrastructures like airports, coffee shops and also in prisons. 
+   
+   
+   There are two approaches for detection of attacks. One is by using a NIDS\cite{1377213} (Network Intrusion Detection System ) and the other is by using honeypot\cite{Provos:2004:VHF:1251375.1251376} . NIDS are installed on the server machines or hosts. The requests are scanned and analyzed for exploit-forged packets before they are sent to the server.  NIDS are suitable for systems with high resources. The honeypot approach, rather could be used where there are lesser resources. The idea behind honeypot, is to pose as vulnerable hosts connected to the network, which could be tempting for exploits, thereby trapping the attacker by collecting as much information possible to backtrack, or good enough to detect that the network is under attack. 
+   
+   \subsection{Motivation}
+   
+   The applicability of a honeypot in a mobile environment is prodigious, considering the public network infrastructure services offered. Network connectivity has become more of a necessity than a luxury, as technology is continuously evolving. Better services, data management and accessibility draw a lot of users having online space and in the need to stay connected. This need is rendered by some businesses and public infrastructure like airports, malls and cafeterias. With smart phones, people have the power to stay connected and do the majority of the tasks efficiently at their fingertips. Mobile devices today are considered personal devices because of the capability to store, share and process private data. This data is valuable and private to a user and has to be secured. Connecting to public networks can result in lot of vulnerabilities, as there is not always security considered in public networks. With the help of scripts crafted to exploit these vulnerabilities, an attacker can exploit users personal data.
+   
+   
+   Attacks are not limited to the above protocols. Airports, malls, enterprise hotels and huge industries use PLCs\cite{Webb:1998:PLC:551899} (Programmable Logic Controllers) as for many applications such as conveyor belts, elevators, lighting control systems, fire and  safety detection systems in order to automate the tasks quickly without human intervention. PLCs can be programmed logically to specify the methods to be called, based on inputs provided by sensors.  SCADA (Supervisory Control and Data Acquisition) is a system operating with coded signals over the communication channels so as to provide control of remote equipment like PLCs. 
+        
+   A study made by DELL\cite{DELLSecurityPoster2015} showed that the attacks on Industrial components like PLCs doubled over the years, and even more dangerously, such incidents going unreported. The research found a 100 percent increase in attacks against industrial control systems like SCADA.
+        
+   Figure 1 gives an understanding of the Key SCADA Attack Methods. It shows that about half of the total attacks were based on improper assignment on bounds of a memory buffer, improper input invalidation, vulnerabilities in credentials management. These vulnerabilities pose as a huge threat to ICS. Figure 2 represents the number of attacks performed over the months. There is a steep increase in the number of attacks performed over the months, expressing the need to safeguard ICS systems and also detect these attacks.
+        
+        \begin{figure}[ht]
+        \centering
+        \includegraphics[scale=0.25]{scadamethods}
+        \caption[SCADA Attack Types]{\label{f:SCADA Attack}SCADA attack methods\cite{DELLSecurityPoster2015}}
+        \end{figure}
+        
+         
+        \begin{figure}[ht]
+           \centering
+           \includegraphics[scale=0.35]{scadahits}
+           \caption[SCADA Hits]{\label{f:SCADA Hits}SCADA hits on a monthly basis.\cite{DELLSecurityPoster2015}}
+           \end{figure} 
+           
+   The majority of industrial systems today use SCADA for controlling and automating their processes.
+   Securing these devices is as much important like any other hosts in the network because these devices are programmable and could affect the normal automatized working. STUXNET\cite{Langner:2011:SDC:1990763.1990881}, a computer worm discovered in 2010 was designed to attack industrial programmable logic controllers (PLCs). STUXNET reportedly compromised PLCs in power plant at Iran. The design and architecture of STUXNET is not domain-specific and it could be forged for exploiting modern SCADA and PLC systems.  
+  
+   \subsection{Contribution}
+      
+   This theses aims at identifying and detecting the SCADA attacks using a low interaction mobile honeypot platform using which a  industrial PLC will be designed and implemented. An analysis of the communication paradigm and the security loopholes in a SCADA ICS system is made, to simulate the services offered by the system.     
+   The thesis also concentrates on contributing to many security related research questions of SCADA ICS systems like identifying the targets, analyzing the malware, assessing the consequences and defending ICS systems.
+    
+   
+   \subsection{Outline}
+      
+   This thesis topic also aims at adding more capabilities to detect attacks through different malware, mainly focussing on simulating industrial level SCADA PLC to determine malware attacks on them. The rest of the expose is structured as follows. Section 2 will specify the requirements to develop the protocol emulation for mobile honeypot. In Section 3, related work in the area of mobile honeypot and SCADA honeypot are discussed. Section 4 describes a proposed system for a mobile honeypot for ICS systems and Section 5 concludes with a time plan for the thesis. 
+     
+       
+   \section{Background - ICS SCADA and Mobile Honeypots}
+    
+   ICS (Industrial Control Systems) form a dominant portion in present day industries. Strange, yet astonishing, the fact that ICS is also a part of everyday life is also true. ICS components include actuators, sensors, networking devices, controlling systems and PLC's . The sensors form a major part of ICS as they provide continuous feed of critical information which is used to automate and control other systems. The other important component is the PLC. This interface allows a programmer to implement a logic to automate the systems based on the data received from sensors. There are a few different kinds of ICS. One of the major types is SCADA (Supervisory control and data aquisition) which is deployed on geographically widespread and controlled using a central location. Examples to this type include nuclear power plants, water distribution , power distribution where there is a need constant monitoring and critical automation. SCADA systems are mainly deployed where is a need for alarm systems. The other kind of ICS system is the Distributed Control Systems (DCS). On the contrary these systems are not centralized, but distributed across a network. We shall focus more on SCADA ICS systems are they are being deployed in major infrastructures today.
+    
+   Infrastructures discussed above have a lot of components and devices which need constant communication between them. 
+    
+     
+  \subsection{Honeypots}
+  
+  There has been extensive research going on in the field of honeypots. This section describes related works on honeypots. 
+  
+  Early research on mobile honeypots focused only on  Bluetooth communications[5,17]. The continuous advances in the field of smartphone technology has enabled better opportunities towards honeypot research on smart phones. 
+  There has been existing work that focused on detection of mobile specific malware. The first to discuss the idea of a honeypot for smartphones were Mulliner et al., by providing the initial ideas, challenges and an architecture for their proposed system\cite{mulliner2011poster}. Nomadic Honeypots\cite{Liebergeld_nomadichoneypots:} concentrates on mobile specific malware and also trades off with a lot of personal information.
+  
+  Trend Micro a global security software company conducted an experiment\footnote{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf} to detect attacks on SCADA by setting up 12 honeypots in 8 countries. The honeypots camouflaged a municipal water control system based on SCADA that was connected to the internet. Attacks were basically focussed on meddling with the pump system.  The objective of this experiment is to assess who/what is attacking Internet-facing ICS/SCADA(Industrial Control Systems) devices and why. In addition, the research set out to identify if the attacks performed on these systems were targeted, by whom, and for what purpose.
+         
+  The honeypot architecture design used a combination of high-interaction and pure-production honeypots. A total of three honeypots were created to ensure as much of the target surface as possible. All three honeypots were Internet facing and used three different static Internet IP addresses in different subnets scattered throughout the United States. 
+         
+   \subsection{SCADA ICS}
+   
+   \subsection{MODBUS}
+   
+   \subsection{Mobile Honeypots}
+       
+   \section{Related Work} 
+       
+   \subsection{SCADA Honeynet and Conpot} 
+   
+   SCADA Honeynet Project\cite{5198796} is a project aimed at building honeypots for industrial networks. The industrial hardware include PLCs which also form the backbone of their automation systems.SCADA Honeynet was designed to simulate the PLCs and detect attacks performed on them.The short-term goal of the project was to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures.
+   
+   
+   Conpot\footnote{http://conpot.org/} is a low interactive server side ICS honeypot designed to be easy to deploy, modify and extend. It provides a range of common industrial control protocols capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex.To improve the deceptive capabilities it also provides the possibility to server a custom human machine interface to increase the honeypots attack surface. The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module.
+     
+     
+   \subsection{HosTaGe}       
+      
+   HosTaGe\cite{Vasilomanolakis:2013:TNI:2516760.2516763},\cite{Vasilomanolakis:2014:HMH:2659651.2659663} is an Android App which acts as a mobile honeypot, determined to detect malicious networks and probe for attacks. It is user centric and aims at creating security awareness to its users. The results obtained in this process are synchronised with a global repository and also can be shared locally through bluetooth. The current version has capabilities of emulating as Windows, Unix, Apache Server, SQL and Paranoid host. Attacks through HTTP, SMB, SSH, HTTPS, Telnet and FTP can be identified. 
+       
+             
+       
+  \section{Proposed System}
+  
+  In this work, a low interaction mobile honeypot mechanism to simulate industrial PLC will be designed and implemented. The design also aims at detecting attacks and making inferences about the attackers and attacks. The final version will be integrated to the HosTaGe app along with the other advanced mechanisms that HosTaGe already provides to its users.  
+  As the proposed system deals with implementing a low interaction honeypot, the challenge involves implementing only the essential components or services, that satisfy the discovery and vulnerability to attack them, for example, the network stack. Along with basic attack detection, the system must also have a short response time, robust design to withstand the attacks and also maintain a log of the exploit for further analysis and backtracking. An attempt will be made to detect attacks forged with popular identified worms like STUXNET. The conclusions on the attacks made will be pushed on to a central repository where the details of the attack are made public for users worldwide. The overlay of the proposed system, mechanisms and the evaluation are followed below. 
+       
+    
+  \section{System Design}
+  
+  HosTaGe has implemented mechanisms to emulate different kind of hosts like a windows host, linux host, webserver, FTP server, SSH server and more. The simulation of industrial level SCADA based PLC will be added to the the existing list of simulated hosts and services. To simulate PLCs it is important to understand their communication and control infrastructure. PLCs have network interfaces that support Ethernet, TCP/IP, MODBUS\cite{4627171}, DeviceNet\cite{898793}, ControlNet\cite{898793}, Foundation Fieldbus\cite{1435740}. The manufacturers have their own in built shells to support FTP commands.  The Ethernet communication module of the PLC typically runs an embedded operating system that includes standard network protocol as well as implementations of industrial network protocols such as Modbus/TCP or EtherNet/IP.  Telnet and FTP servers are common and have identifying information which can be used to determine the vendor and version of software. The network components that need to be simulated in  a PLC are the TCP/IP stack, Modbus/TCP server, FTP server, Telnetd server and a HTTP web server which provides an interface to manage the functioning and control of PLC.
+       
+  The discovery and identification of the PLC in the network can be through a network nmap scan that reveals information about the host name, ports 21, 80 and 502(Modbus) open. 
+        
+  The main objective is to detect attacks made using the Modbus port. A logging mechanism logs the information about the attacker in pursuit.  
+       
+       
+      \subsection{Architecture of Siemens SIMATIC s7 200}
+      
+      \subsection{Understanding MODBUS}
+      
+      \subsection{Vulnerability Analysis of SIMATIC s7 200}
+      
+      \section{Implementation}
+      
+      \section{Results and Evaluation}
+ 
+
+	
+            
+      \bibliographystyle{plain}
+      
+      
+      \bibliography{bibfile}
+      
+      
+\end{document}