minicps's People

Contributors

afmurillo, carloslannister, fishilico, francozappa, nathanmuccino, noleti, pgaulon, vikram-gaur

minicps's Issues

plc receive function always returns empty byte

As the title said, I am trying to use the swat example given in examples/swat-s1, but when I try receiving something in plc1 from plc2 it always returns an empty byte. I tried sending the tag with self.send(TAG, VALUE, PLC1_ADDR) and self.send(TAG, VALUE, PLC2_ADDR); neither works. I did the same with receive, self.receive(TAG, PLC1_ADDR) and self.receive(TAG, PLC2_ADDR), but no luck.

From what I understand, minicps uses cpppo to send/receive stuff. Since I received empty bytes, I can't call float on it. It resulted in a "str can't be converted to float" error (which makes sense).

I tested it on Ubuntu and EndeavourOS (Arch-based), but all result in the same.

Sample output from plc1 terminal

DEBUG SENSO2-FL:2
DEBUG1 (b'', None)
DEBUG2 b''
DEBUG4 b'

I am really lost.

Python Error

Hi. I recently installed Minicps on my PC but faced the following problem while doing a plc1 ifconfig:

File "plc1.py", line 12, in <module>
  disk = PLC1_DATA)
File "/usr/lib/python2.7/minicps/devices.py", line 74, in __init__
  self._init_state()
File "/usr/lib/python2.7/minicps/devices.py", line 152, in _init_state
  self._state = SQLITEState(self.state)
File "/usr/lib/python2.7/minicps/states.py", line 93, in __init__
  raise ValueError('Primary key not found')

ValueError: Primary Key not found.

Please help.

swat-s1 Tutorial

Hi *
Congrats on your amazing effort in the CPS simulation. I am trying to replicate the case described in swat-tutorial.rst. So I run make swat-s1-init. Then I run make swat-s1. (This executed run.py, tested the ping between the attacker and plc1, plc2 and plc3, and ended in the mininet prompt, from which I exited with quit().)

I expect that after a simulation run, at every time tick there should be a cyber and physical log entry output in a directory or a database? Where is this stored?

Cheers,
Dimitris

PS. The logs subdir in swat-s1 contains some 0-size files and a protocols_enip_tests_server. There is also a dir real-tags which does not collect any logs. (Are those dirs of any use?)

AssertionError on running swat-s1

Hello,
I am facing an issue when running swat-s1 after having uncommented the lines of code that enable all the plc functionalities (lines 45-46 of plc2.py and 92-104 of plc1.py). After a while, the simulation stops and the logs of each plc return an exception:

Traceback (most recent call last):
File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
  "__main__", fname, loader, pkg_name)
File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
  exec code in run_globals
File "/usr/local/lib/python2.7/dist-packages/cpppo/server/enip/client.py", line 1699, in <module>
  sys.exit( main() )
File "/usr/local/lib/python2.7/dist-packages/cpppo/server/enip/client.py", line 1680, in main
  fragment=fragment, printing=printing, timeout=timeout )
File "/usr/local/lib/python2.7/dist-packages/cpppo/server/enip/client.py", line 1444, in process
  transactions		= list( self.results( operations=operations, **kwds ))
File "/usr/local/lib/python2.7/dist-packages/cpppo/server/enip/client.py", line 1436, in results
  for idx,dsc,req,rpy,sts,val in self.operate( operations, **kwds ):
File "/usr/local/lib/python2.7/dist-packages/cpppo/server/enip/client.py", line 1431, in operate
  for idx,dsc,req,rpy,sts,val in harvested:
File "/usr/local/lib/python2.7/dist-packages/cpppo/server/enip/client.py", line 1321, in validate
  for index,descr,request,reply,status,val in harvested:
File "/usr/local/lib/python2.7/dist-packages/cpppo/server/enip/client.py", line 1308, in pipeline
  complete, requests )
AssertionError: Communication ceased before harvesting all pipeline responses:   0/  1

It is possible to reproduce this behavior with cpppo==4.0.4 or cpppo==4.3.4 and probably other versions, while more recent versions (like 4.4) cannot be used due to another error (addressed here #28).

Furthermore, I notice that the exception always arises after a specific period. To check it, I attach a version of physical_process.py that writes to a csv file (out.csv) a log of each variable and a timestamp at every cycle. The exception always arises at timestamp = 88.40.

I'm working on Ubuntu 20.04, but I tried in other versions as well without any luck.

Is there any solution to this behavior? Thank you!

Empty ENIP-Tags

I keep facing a problem while running the example project swat-s1. Whilst init.py works and I can start run.py, seeing the mininet> prompt, the PLCs are not communicating correctly as the ENIP-Tags are not filled properly. When I start plc1.py (after having started plc2 and plc3) I get the error:

fit201 = float(self.receive(FIT201_2, PLC2_ADDR))
ValueError: could not convert string to float:

Debugging showed me that this is because fit201 is just an empty string.
Could you maybe help me see what I'm missing here?

plc1.py cannot reach the check for 'LL' in swat-s1 example

In the file minicps/examples/swat-s1/plc1.py:

        elif lit101 <= LIT_101_M['L']:
            # OPEN mv101
            print "INFO PLC1 - lit101 under L -> open mv101."
            self.set(MV101, 1)
            self.send(MV101, 1, PLC1_ADDR)
        elif lit101 <= LIT_101_M['LL']:
            print "WARNING PLC1 - lit101 under LL: %.2f <= %.2f." % (
                lit101, LIT_101_M['LL'])

The last elif condition can never be reached, since if the second condition in this snippet is true, then the first condition is also true.
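
The shadowing described in this issue can be checked mechanically. The following is an added example, not code from minicps or from the issue author: it models only the `<=` branches of the snippet, reports which branches of such a chain are dead, and shows that testing the lower threshold first makes 'LL' reachable. The threshold values are constructed samples and the helper names (`first_match`, `shadowed`, `chain_for`) are hypothetical.

```python
# Constructed sample thresholds; the example's real values live in its own utils module.
LIT_101_M = {'LL': 0.250, 'L': 0.500, 'H': 0.800, 'HH': 1.200}


def first_match(level, chain):
    """Simulate an if/elif chain of `level <= threshold` tests; return the branch taken."""
    for name, threshold in chain:
        if level <= threshold:
            return name
    return None


def shadowed(chain):
    """Return the names of branches that can never run in a `<=` elif chain.

    A branch is dead when an earlier branch has a threshold at least as large:
    every level that satisfies the later test already satisfied the earlier one.
    """
    dead = []
    highest_seen = float('-inf')
    for name, threshold in chain:
        if threshold <= highest_seen:
            dead.append(name)
        highest_seen = max(highest_seen, threshold)
    return dead


def chain_for(keys, thresholds=LIT_101_M):
    """Build an ordered (name, threshold) chain from threshold keys."""
    return [(key, thresholds[key]) for key in keys]


AS_REPORTED = chain_for(['L', 'LL'])  # order shown in the issue
REORDERED = chain_for(['LL', 'L'])    # lowest (most severe) threshold first

if __name__ == '__main__':
    for label, chain in (('as reported', AS_REPORTED), ('reordered', REORDERED)):
        print(label, '- dead branches:', shadowed(chain),
              '- lit101=0.20 takes:', first_match(0.20, chain))
```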

Pymodbus integration is outdated/broken

While trying to get the modbus part of example s3-2017 running, I've noticed that minicps is written against pymodbus version 1.3.2, which is very out of date (current pymodbus uses a different structure / api). In addition, installing pymodbus==1.3.2 doesn't work for any python versions above 3.6 as it's using the reserved keyword async.

Loops in topology

If the topology has loops, I can't send packets to another plc. Any idea why?

Reproducing ARP spoofing attacks in swat-s1

Hi folks,

First off thank you for publishing this work, it is great.

In my office we've set up a lab with minicps executing inside a Debian VM. The mininet setup works smoothly as well as the simulation of swat-s1 with regard to the CPS, but after a few hours working on it I cannot seem to pull off the ARP spoofing attacks that the docs suggest are possible.

Specifically with swat-s1 we have attacker, plc1, plc2 and plc3. As soon as the simulation starts, checking the arp tables of the PLCs reveals that they are in fact all populated.

Checking the timeout of values reveals a 60 second ttl for arp table entries of plc3-eth:

> cat /proc/sys/net/ipv4/neigh/plc3-eth/gc_stale_time
60

However, after running the simulation for a day, the values still had not expired, possibly suggesting that the internal networking between interfaces is not following the typical request and response with ARP, or maybe that continuous communication between the devices keeps the entries fresh.

After trying a spoofing attack with the tool bettercap (v2.25) executing from the attacker with the following parameters I did not observe any successful intercept of traffic by attacker.

> net.probe on;
> set arp.spoof.internal true;
> set arp.spoof.targets 192.168.1.20,192.168.1.30;
> set arp.spoof.full_duplex on;
> arp.spoof on;

Please let me know if there is something I have overlooked. I am happy to also discuss this over email as well.

Travis: pymodbus tests failing

pymodbus is giving some trouble on the Travis server and consequently some tests are failing remotely but not locally.

Device receive function not working

When trying to run the swat-s1 tutorial, I am running into the same problem mentioned in issue #28, where the receive function returns nothing. I tried uninstalling cpppo and installing version 4.3.4, but the issue still occurs and additionally, a warning pops up: "/usr/lib/python3.8/runpy.py:127: RuntimeWarning: 'cpppo.server.enip.client' found in sys.modules after import of package 'cpppo.server.enip', but prior to execution of 'cpppo.server.enip.client'; this may result in unpredictable behaviour"

I also tried replacing the enip protocol with modbus in the utils file, but that leads to some different error messages: "/usr/bin/python3: can't open file '/usr/local/lib/python3.8/dist-packages/minicps/pymodbus/servers.py': [Errno 2] No such file or directory" and "/usr/bin/python3: can't open file '/usr/local/lib/python3.8/dist-packages/minicps/pymodbus/synch-client.py': [Errno 2] No such file or directory" and "ERROR modbus _receive: local variable 'out' referenced before assignment"

RuntimeWarning in cpppo.enip.client

As noted in #30 as part of the bug report, with cpppo 4.3.4 we now get warnings such as the following from the plcs in the example:

logs/plc2.log:/usr/lib/python3.8/runpy.py:127: RuntimeWarning: 'cpppo.server.enip.client' found in sys.modules after import of package 'cpppo.server.enip', but prior to execution of 'cpppo.server.enip.client'; this may result in unpredictable behaviour

While this does not appear to impact the execution, the warning should be addressed at some point.
