
This is the author's version of a work that was submitted/accepted for publication in the following source:

Rodofile, Nicholas, Radke, Kenneth, & Foo, Ernest (2016) DNP3 network scanning and reconnaissance for critical infrastructure. In Australasian Information Security Conference (ACSW-AISC), 2-5 February 2016, Canberra, A.C.T.

This file was downloaded from: http://eprints.qut.edu.au/93117/

© Copyright 2016 ACM

Notice: Changes introduced as a result of publishing processes such as copy-editing and formatting may not be reflected in this document. For a definitive version of this work, please refer to the published source:

http://doi.org/10.1145/2843043.2843350

DNP3 Network Scanning and Reconnaissance For Critical Infrastructure

Nicholas R. Rodofile1 Kenneth Radke2 Ernest Foo3

Information Security Discipline,Queensland University of Technology,

Email: { n.rodofile1, k.radke2, e.foo3 } @qut.edu.au

Abstract

The Distributed Network Protocol v3.0 (DNP3) is one of the most widely used protocols to control national infrastructure. The move from point-to-point serial connections to Ethernet-based network architectures has allowed for large and complex critical infrastructure networks. However, networks and configurations change, thus auditing tools are needed to aid in critical infrastructure network discovery.

In this paper we present a series of intrusive techniques used for reconnaissance on DNP3 critical infrastructure. Our algorithms will discover DNP3 outstation slaves along with their DNP3 addresses, their corresponding master, and class object configurations. To validate our presented DNP3 reconnaissance algorithms and demonstrate their practicality, we present an implementation of a software tool using a DNP3 plug-in for Scapy. Our implementation validates the utility of our DNP3 reconnaissance technique. Our presented techniques will be useful for penetration testing, vulnerability assessments and DNP3 network discovery.

Keywords: Critical Infrastructure, Reconnaissance, Network Discovery, Network Scanning, Substations, DNP3, Security

1 Introduction

Supervisory Control and Data Acquisition (SCADA) based critical infrastructure plays a significant role in modern society due to its use in various public utilities such as power transmission, water treatment, waste management and transportation systems [15, 12]. SCADA systems were designed to extend communication over remote geographical locations, allowing for the interconnectivity of once isolated control system networks [15].

Previously these isolated control networks used point-to-point serial communication, which deployed a series of proprietary automation protocols to provide connectivity [17]. Such communication networks have now moved to Ethernet-based and IT-based technologies to provide further performance, efficiency and reliability for critical communication [17]. This move to such technology has allowed entire critical infrastructure networks to be managed from a centralised location such as a control centre [15].

As this move to IT-based technology has increased interconnectivity, new equipment can be deployed with ease, which may increase the architectural complexity of the critical infrastructure network. Due to this increase in complexity, network auditing and discovery tools can provide a method of auditing process control equipment, aid in commissioning new equipment, and automate testing of automation assets from a central location in SCADA-based critical infrastructure networks [1].

Traditional TCP/IP communications rely on IP addresses for network communication, routing and addressing. Reconnaissance tools like Nmap are utilised for the discovery of IP-based networks, but alone do not aid in the discovery of DNP3. DNP3 is used in SCADA-based critical infrastructure to provide communication among distributed automation equipment, and provides its own addressing scheme using one of 65531 DNP3 addresses, which tools like Nmap do not cater for. In addition, each DNP3 slave device will be configured with object class variables which contain configuration and automation data to maintain and monitor the industrial process. Currently there are no software tools available to provide network discovery for DNP3 networks.

Although the use of auditing and network tools is useful for aiding the commissioning of critical infrastructure equipment, it is the same utility that can be used by cyber-threats that wish to perform reconnaissance on critical infrastructure equipment [8]. Cyber-attackers will utilise the reconnaissance method to gather information about their attack targets. Attackers would apply various tests to determine possible access points via TCP ports, operating system vulnerabilities and software configurations [14].

The reconnaissance phase for a remote cyber-attack will begin using the Internet as a gateway to the SCADA network [15, 16]. This is possible because the critical infrastructure control centre's Internet connectivity now provides a gateway to the SCADA network. Reconnaissance can also be performed for insider attacks, which can be executed by malware introduced into the critical infrastructure network [15, 14, 16]. This demonstrates the need for penetration testing tools to help identify possible access points before they are discovered and exploited in an attack.

There are various techniques such as passive, active and intrusive network discovery that are used for reconnaissance on SCADA-based critical infrastructure. In this paper we will present significant intrusive techniques that will be used during DNP3 reconnaissance. We contribute algorithms that can be utilised to discover DNP3 addresses of outstation slaves along with their corresponding master and their initialised class objects. In addition to our algorithms, we present an implementation of a network discovery software tool that validates our DNP3 discovery algorithms through an experiment on a DNP3 virtual machine network. This will also demonstrate its practical use when performing DNP3 network discovery. The software tool is developed in Python using the nmap Python library and the widely used packet

manipulation tool Scapy. The software tool utilises a DNP3 Scapy plug-in which is used to implement the DNP3 protocol in our software tool. As reconnaissance is an issue and is typically the first phase of any cyber-attack, it is paramount to develop a knowledge base of the techniques used by attackers. This extended knowledge will contribute new perspectives to help aid the development of DNP3 penetration testing tools and Intrusion Detection Systems (IDS).

2 Background

To help understand the ideas presented in this paper about our algorithms and our network discovery tool, a background of the concepts and techniques is required. In this section we provide an overview of the DNP3 protocol and how it is used in SCADA-based critical infrastructure.

2.1 DNP3

DNP3 is one of the most widely used communication protocols for critical infrastructure, most commonly in the electricity industry [18]. To help understand the dynamics of our DNP3 reconnaissance algorithms and software tool implementation, we provide an overview of DNP3. Westronic (now GE Harris) proposed DNP3 in 1993, as an open and interoperable industrial protocol [18]. The protocol is for communication between master stations and slave devices such as Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs). DNP3 is now part of the IEEE 1815-2012 standard [18].

[Figure 2: DNP3 master-outstation model [18]. The master (control centre) and the slave (outstation) each have Application, Pseudo-Transport and Data Link layers over shared physical media; the master sends a Request, the slave returns a Response, and the master replies with a Confirmation.]

2.1.1 Application in a Critical Infrastructure Network

A typical electricity distribution company's substation will have an operations centre, making use of master devices, to manage multiple slave devices running in outstations that are usually at a remote location [18]. As shown in Figure 2, the master device will send a request message to the slave device, and the slave device will respond with a response message that contains information to fulfil the request. In response to receiving the slave's response message, the master device will reply with a confirmation message. There may also be unsolicited messages sent from the slave to the master in response to an event. When developing our DNP3 reconnaissance algorithms and the implementation of our software tool, we needed to consider both solicited and unsolicited communication between master and slave devices. This enables the algorithm to comply with the protocol whilst extracting master and slave address and object information.

The slave devices in the outstation collect and store information that is sent back to the master as solicited or unsolicited messages to be processed at a control centre. The substation devices are tasked with energising or de-energising circuit breakers, and managing voltage regulators [18, 4]. We show in Section 5 that by using our DNP3 network discovery algorithms and tools, it is possible to discover these outstation slaves and their configured class data.

Data from the processes in the outstation is sent back to the control centre where it is further processed and can be displayed on a human machine interface (HMI), which may be running on an engineer's computer. The engineer is also able to view the information received by the master, and is able to interact with the automated process in the outstation if required. DNP3 is one of the principal protocols used to provide such forms of communication between an outstation and a control centre [18, 4].

When designing our DNP3 test-bed and developing our algorithm, we considered its usage on common network architectures used in substations which are supported by DNP3. These architectures include one-to-one, multi-drop, hierarchical and data concentrator. We will briefly describe each of these architectures to provide an insight into their usage.

The one-to-one network architecture supported in DNP3 allows for communication directly between a single master and a slave device [18, 4]. Since the communication still flows through a network consisting of network equipment such as switches or routers, the devices' messages are vulnerable to attacks. The multi-drop architecture allows for one master to communicate with many slaves, but the master will request information from one slave at a time in a round-robin order [18, 4]. Multi-drop architectures may also allow masters to change roles to become a slave to another master. A hierarchical architecture contains a device referred to as a sub-master. The sub-master takes the role of a slave device to a master, and additionally takes the role of a master to other slave devices [18, 4]. If an attacker is able to send malicious messages to the sub-master, the attack may affect its master device as well. A data concentrator network is used to gather information from many slaves. This information is stored in a sub-master's database, which is then able to be retrieved by other master devices [18, 4]. Data concentrator networks typically use many other industrial control protocols and equipment to access and use the data collected by a sub-master device. Such an architecture means that if an attacker maliciously manipulates a DNP3 message, then the data contained in other protocols' messages may also be impacted.

2.1.2 Frames

The transportation of DNP3 messages, referred to as frames, operates over the physical layer mentioned above. DNP3 messaging can be separated into 4 layers, the Physical, Data Link, Transport and Application layers (see Figure 2). In order to discover DNP3 networks, an implementation of each layer is required as it allows us to interact with the DNP3 device we wish to discover. In this section we will outline each of the DNP3 layers and describe their significance in the DNP3 network discovery process.

[Figure 1: DNP3 network frame [18]. Data link header (10 octets): Start, LEN, Control (DIR, PRM, FCB, FCV, DFC, Function; 8 bits), Destination, Source, CRC. Pseudo-transport header (8 bits): FIN, FIR, Sequence. Application header (2 - 4 octets): Application Control (FIR, FIN, CON, UNS, Sequence; 8 bits), Function Code, IIN; followed by Data Objects (n octets).]

Data Link Layer The data link layer operates on top of the physical layer. The data link layer provides the interface between the transport and application layers and the physical media. The purpose of the data link layer is to provide addressing and error detection. Additionally, the data link layer provides a logical connection between communicating devices [18, 4].

DNP3 communication requires each DNP3 device to be allocated a unique DNP3 address to enable multiple masters and multiple slaves to share the communication channel. Each DNP3 device on a single link or DNP3 network must be allocated an address from the range of 0 through to 65519. The DNP3 address range 65520 - 65531 is reserved for future use and the range 65532 - 65535 is reserved for broadcast [18]. Popular network scanning tools such as nmap do not provide a mechanism to scan for DNP3 addresses.

DNP3's data link frame, shown in Figure 1, begins with a start (START) field to identify the beginning of the frame. The length field (LEN) is used to provide the length in octets of the entire DNP3 frame. The maximum length of a frame is 292 octets. The control (CTRL) field defines the frame's direction, transaction initiator, error and flow control, and function. The destination field (DST) identifies the destination for the frame, whereas the source field (SRC) identifies the source of the frame. A Cyclic Redundancy Check (CRC) field in the data link layer provides integrity for the other eight octets of the data link frame [7, 18, 4]. The data link implementation is crucial as it will enable us to interact with the DNP3 service on our target device. By interacting with the target slave we gain further information about its master device and the state of its class data objects.

Transport Layer (Pseudo-Transport) The pseudo-transport layer is responsible for the fragmentation of DNP3 frames. The prefix 'pseudo' indicates the layer's limitations when compared to the Open Systems Interconnection (OSI) definition of the transport layer [3]. As shown in Figure 1, the pseudo-transport segment consists of 3 fields: FIN, FIR and Sequence. The last field in the pseudo-transport segment is the auto-incrementing SEQUENCE field, used to assure the segments are not duplicated or missing, and are in order [18, 4]. Some DNP3 equipment may have a poor implementation of DNP3, and may be susceptible to errors during the network discovery process [7]. Implementing a functioning pseudo-transport layer should minimise the impact of system errors during the network discovery process. For our network discovery implementation using Scapy, we implemented a functioning DNP3 pseudo-transport layer to aid in the DNP3 discovery process.

Application Layer The DNP3 application fragment, shown in Figure 1, begins with an application control (App Control) field. The confirmation (CON) flag indicates that the receiver should reply with a confirmation message upon receiving the DNP3 frame. The unsolicited (UNS) flag is set if the DNP3 fragment is an unsolicited response from the slave. If the UNS flag is unset, then the fragment is associated with a sequence number. The sequence (SEQ) field is used to assure the fragments are not duplicated or missing and that they are in order, as the sequence number increments on each fragment [18, 4]. The Function Code field is used to identify the purpose of the fragment. The function code is used in requests from the master and responses from the slave. There exist 34 defined function codes for application requests [18, 7]. The application layer was developed for the DNP3 network discovery tool, enabling us to perform the DNP3 requests to discover class objects on the target DNP3 slave devices.

Following the application header are the DNP3 data objects. DNP3 data objects are used to send information to, and request information from, the master and slave databases. Examples of the object types include binary, double, analog, time, class, frozen, and datasets [18, 7].

DNP3 data objects use point ranges, which allow the master to request all points of an object group, a contiguous range of points with start and stop points, or a list of requested points. The slave device will then respond with the class object range specified by the master's request [18]. When performing our network discovery, we will masquerade as the master device and make such requests to our target slaves, which will cause them to expose all their initialised data objects, their

index points, and their values.

3 Related work

Standalone traditional network discovery tools such as Nmap, used for traditional IT network discovery, do not encompass techniques to further assist with network discovery for common automation protocols used in critical infrastructure such as DNP3, Profinet, Manufacturing Message Specification (MMS) and Generic Object Oriented Substation Events (GOOSE) [9]. Each of these automation protocols includes additional addressing schemes and object configuration data that require active interaction with the automation application for their discovery. Due to this challenge, there has been a response by the research community to provide new methods and tools in network discovery for critical infrastructure. In this section we will review related work that has contributed methodologies to assist with network discovery techniques for SCADA-based critical infrastructure [9].

Related work by Donnet and Friedman [5] provides a survey of tools and algorithms that are used to discover TCP/IP based networks and hosts. The work provides a series of techniques including the traceroute algorithm, active UDP scans, DNS scans and IP address scans. The techniques presented provide an insight into the discovery of routers, networks and various hosts of a traditional IT network, but do not provide a methodology for discovering protocol-specific hosts used in automation such as DNP3. Myers et al. [10] provide an Internet-wide scanning framework that allows for the discovery of SCADA-based equipment. The related work presents an in-depth analysis of popular network discovery tools such as Nmap, Masscan and Zmap. The framework provides various techniques that can be used to create a survey of the Internet, more focused on SCADA systems. The paper discusses whitelisting, modularity, scanning speed limits and scan policies to reduce the impact or disruption of SCADA equipment being scanned. Although the work provides methods for surveying the Internet for SCADA systems, there was no isolated technique that was demonstrated for DNP3.

Related work presented by Gonzalez and Papa [8] provides passive scanning algorithms that can be utilised for intrusion detection and Modbus network troubleshooting. The algorithms presented were able to capture and process Modbus automation transaction messages, gather protocol event data and generate Modbus network maps. The algorithms presented do provide a method for mapping Modbus networks, but the technique cannot be adapted for large and complex SCADA networks that use DNP3. The same can be said of the passive network discovery theories presented by East et al. [7] for DNP3 networks.

The work by East et al. provides an attack taxonomy on the DNP3 protocol [7]. The taxonomy provides an analysis of 28 attacks on the DNP3 protocol, which includes a passive reconnaissance technique that can be used by an attacker to gather information from each DNP3 layer. The work presented by East et al. was entirely theoretical and does not provide a practical technique to discover DNP3 networks.

A demonstration of intrusive techniques used for DNP3 network discovery is given in our previous work [13]. This work demonstrated the use of a man-in-the-middle (MITM) using Address Resolution Protocol (ARP) poisoning to demonstrate theoretical attacks presented by East et al. In the work presented, a technique of eavesdropping allowed for gathering of information about target master and slave devices. Although the reconnaissance was a success, it was limited to gateway or local network reconnaissance, and therefore cannot be adapted by a remote user and used for ethical penetration testing.

3.1 Network Discovery in Critical Infrastructure

Network discovery is not a new concept for traditional IT infrastructures. However, mapping existing SCADA networks for auditing, or for intrusion detection, is said to be a challenge [1]. This is due to an additional layer of addressing that is specific to the automation protocol, i.e. the DNP3 address discussed in Section 2.1.2. In addition, network discovery for SCADA may also extract coil or memory register states or configuration details from networked automation equipment. In this section we will discuss some network discovery techniques that are currently used for Ethernet-based or Internet-based networks. We will provide an overview of passive, active and intrusive network discovery techniques.

3.1.1 Passive

The passive network discovery technique involves a network device that listens to network traffic. The discovery device does not interact with any of the traffic or the target devices. We will briefly overview the two passive techniques of port mirroring and the use of a network tap.

Port Mirror A technique that can be used to analyse network traffic is through the use of a port mirror1. A port mirror is a switch configuration that allows traffic from a selected port to be forwarded to an analysis device. The analysis device can be a computer installed with a high-resourced network interface card (NIC). The computer will then use a network analysis tool, such as Wireshark or tcpdump, to capture the mirrored traffic transmitted to the NIC.

Network Tap A network tap is a physical network device that provides a passive method for monitoring network traffic [2]. Network taps in critical infrastructure can act as optical splitters, which enable network traffic to be redirected to a network analyser device [2]. Similar to the port mirror, the traffic can be forwarded to a highly resourced NIC, allowing the traffic to be analysed by a network analysis tool. Network taps are commonly used for network intrusion detection, VoIP recording and network analysis.

3.1.2 Active

Active network discovery is a technique that requires interaction between the discovery device and the targeted networked equipment. The discovery device produces network transactions with the target device, from which it is able to collect address and possibly configuration information. We will briefly overview two popular network discovery tools that are commonly used for SCADA and network discovery.

1 MiaRec Inc (2015), What is port mirroring. URL: http://www.miarec.com/faq/what-is-port-mirroring.

Nmap One of the most widely used network discovery tools is network map (nmap)2. nmap is well renowned for its use in active network discovery and network auditing. Nmap utilises IP packets to discover networked hosts and open TCP ports used for IP services. nmap's additional features include operating system detection and a scripting engine. In recent years, additional plug-in scripts have been developed to allow nmap to discover Modbus hosts and their holding registers3.

Masscan Masscan is an internet-scale network discovery tool that can be utilised for surveys and data collection by probing large subsets of the public IP address space [6]. Masscan4 is an open-source network scanner capable of scanning for a given open port across the entire public IPv4 address range. The Masscan scanner is capable of scanning the entire internet in the space of three minutes, supporting TCP SYN scans, ICMP echo request scans, and application-specific UDP scans [6].

3.1.3 Intrusive

ARP poisoning is a technique used to trick two networked devices into forwarding all traffic directed between each other to a MITM device. This technique exploits the ARP protocol, which is used to resolve a network MAC address to an IP address in a device's ARP lookup table. The MITM device poisons each victim's ARP cache to contain its MAC address for the corresponding victim's IP address. This then forwards all IP traffic to the MITM device [11]. This can be considered an intrusive network discovery technique as it involves exploiting the rules of the ARP protocol. ARP poisoning is an effective technique to perform network discovery for DNP3 communication. This is because all traffic can be analysed without configuring additional network equipment, which is required for in-line taps or port mirrors.

As we have now provided a background of DNP3 and some discovery concepts, we will introduce our algorithms to perform network discovery on DNP3 networks. The algorithms described will be incorporated in our network discovery tool for DNP3.

4 New DNP3 Reconnaissance Algorithms

As we have introduced the background of DNP3 and its functionality, and network discovery techniques that can be used in SCADA-based critical infrastructure, we will now introduce our DNP3 network discovery algorithms. In this section we will present and describe each of our algorithms used to perform reconnaissance on critical infrastructure. The algorithms include the process response algorithm, the short-range address discovery algorithm and the full-range address discovery algorithm. The algorithms are used to help identify a slave's DNP3 address and its corresponding master address. Furthermore, the algorithms will also result in gathering the target slave's object class data.

4.1 Algorithms

Algorithm 1 Process Response
  rspQueue
  rsp ← False
  addrDiscovered ← False
  procedure ProcessResponse(DNP3resp)
    if ¬rsp ∧ ¬addrDiscovered then
      m ← DNP3resp.dst
      s ← DNP3resp.src
      addrDiscovered ← True
      rsp ← True
      if DNP3resp.FuncCode.unsol then
        conf ← DNP3Req(m, s, Conf())
        send(conf)
      req ← DNP3Req(m, s, Read(0, 1, 2, 3))
      send(req)
    rspQueue.put(DNP3resp)

As DNP3 has its own data-link and transport layer, an implementation of DNP3 sequencing and DNP3 addressing is required to achieve DNP3 network discovery. Unlike active TCP/IP network discovery methods, where the discovery device is able to perform a SYN scan, ARP scan or ping scan from its own IP address, in the case of standalone DNP3 slaves deployed in SCADA networks the slave configuration would only allow correspondence with one specified DNP3 master, therefore the slave would not respond to any request made by a non-corresponding master. As part of our DNP3 network discovery method, the discovery device will need to obtain the slave's corresponding master's DNP3 address. Some DNP3 slaves may have been configured to send an unsolicited response as soon as a TCP connection is established. This is to inform the connecting master device of the slave's current state, i.e. if the slave has restarted or needs to be reconfigured. The unsolicited response thereby gives away the slave's DNP3 address and its corresponding master's DNP3 address. If this case occurs, we can refer to Algorithm 1, in which the discovery device has received an unsolicited response (DNP3resp) and extracts the slave's address s from the source field DNP3resp.src in the data-link segment, and the master's address m from the destination field DNP3resp.dst in the data-link segment (see Figure 1 for the DNP3 data-link structure).

2 Nmap.org (2003), Nmap. URL: https://nmap.org/
3 Rudakov, A. (2010), modbus-discover. URL: https://nmap.org/nsedoc/scripts/modbus-discover.html
4 Graham, R. D. (2014), Masscan: Mass ip port scanner. URL: https://github.com/robertdavidgraham/masscan

Algorithm 2 Short-range Address Discovery Algo-rithm1: src← 02: dst← 03: while ¬rsp ∧ src ≤ 10 do4: while ¬rsp ∧ dst ≤ 10 do5: req ←DNP3Req(src, dst, Read(0, 1, 2, 3))6: send(req)7: dst← dst + 18: src← src + 1

If the slave is not configured to send an unso-licited response upon TCP connection, this will re-quire the discovery device to brute force the DNP3slave for a response as we did nor receive an unso-licited response. In SCADA based critical infrastruc-ture networks, DNP3 equipment are usually deployedand configured with a low DNP3 address range. Thisis due to sequential additions of devices to a DNP3network. A master would be configured with config-ured with DNP3 address 0, and each slave added tothe network will have it’s DNP3 address incrementedby one.

Described in Algorithm 2 is what we refer to asthe short-range discovery algorithm. This algorithm

Page 7: c Copyright 2016 ACM Notice Changes introduced as a result ... · manipulation tool scapy. The software tool utilises a DNP3 scapy plug-in which is used to implement the DNP3 protocol

is utilised to discover slaves that have been configuredwith DNP3 addresses in the range of 0 and 10 which.This method is heavily practised in industry and canbe referred to as a short address range. The variablesrc holds the value of the DNP3 source address. Thissource value used by the discovery tool to masqueradeas the slave’s master, in order to cause the slave torespond to the discovery frame. The variable src willbe initialised with a value of 0. The variable dst willhold the value of the DNP3 destination address, whichwill be the target slaves DNP3 address first initialisedas 0, as the DNP3 address range starts at 0 [18].

While we have not received a response (rsp) fromthe slave, and src is less than or equivalent 10,we will continue. We could have received rsp be-fore the first while loop, which could indicate thatthe slave has been configured with an unsolicitedresponse on connection. We continue to check forrsp for the second loop for our dst loop and ifdst is less than or equivalent 10. In our secondloop we create what we call the DNP3 discoveryframe req, in which we assign the output of func-tion DNP3Req(src, dst, Read(0, 1, 2, 3)). The func-tion produces an entire DNP3 request frame, with aDNP3 “read” function request of class objects 0, 1, 2and 3. This request will cause the DNP3 slave tosend back all initialised DNP3 objects, with each ofthe objects index points and their values.

The DNP3 discovery frame is then sent (send(req)) to the slave. We then increment dst and continue the inner loop if the current destination address did not produce a response from the slave. If the inner loop has exhausted all destination addresses, src is incremented, as the slave has not been configured with the current master address src, and dst restarts from 0. Once a response to a request reqDNP3 is received by the discovery device, we return to the parallel process of Algorithm 1, which stores it in the queue rspQueue for further observation of the class objects in a network analysis tool.

Algorithm 3 Full-range Address Discovery Algorithm
1: src ← 0
2: dst ← 0
3: while ¬rsp ∧ src ≤ 65519 do
4:     while ¬rsp ∧ dst ≤ 65519 do
5:         req ← DNP3Req(src, dst, Read(0, 1, 2, 3))
6:         send(req)
7:         dst ← dst + 1
8:     dst ← 0
9:     src ← src + 1

Described in Algorithm 3 is a far more rigorous algorithm, as it requires the discovery tool to scan the entire DNP3 address range for all masters and slaves. The algorithm caters for 65519 source (src) and 65519 destination (dst) addresses, resulting in the generation of up to 4292739361 DNP3 requests. Algorithm 3 would be quite noisy if deployed on a network in comparison to Algorithm 2, which requires at most 121 requests, as we scan eleven DNP3 addresses (0-10) eleven times.
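As an added example (not the paper's tool, which is built on scapy and a DNP3 plug-in), the following self-contained Python implements Algorithms 2 and 3 as one nested loop with a configurable upper address, together with the Algorithm 1 path in which an unsolicited response already names both ends and is confirmed while masquerading as the master. Link-layer framing and the CRC follow IEEE 1815; the SimOutstation class, its filtering rule (answer a READ only when dst is its own address and src is its configured master) and the constructed unsolicited frame are assumptions made for the demonstration.

```python
from typing import Optional, Tuple

START = b"\x05\x64"
FC_CONFIRM, FC_READ, FC_RESPONSE, FC_UNSOLICITED = 0x00, 0x01, 0x81, 0x82
# Class 0..3 object headers: group 60, variations 1..4, qualifier 0x06 (all objects)
CLASS_READ = bytes([0x3C, 0x01, 0x06, 0x3C, 0x02, 0x06, 0x3C, 0x03, 0x06, 0x3C, 0x04, 0x06])

def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, reflected, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(src: int, dst: int, user: bytes, ctrl: int = 0xC4) -> bytes:
    """Link frame 05 64 LEN CTRL DST(LE) SRC(LE) CRC + 16-byte user blocks, each with its own CRC.
    LEN counts CTRL, DST, SRC and user bytes; 0xC4 = from master, unconfirmed user data."""
    hdr = START + bytes([len(user) + 5, ctrl]) + dst.to_bytes(2, "little") + src.to_bytes(2, "little")
    out = hdr + crc_dnp(hdr).to_bytes(2, "little")
    for i in range(0, len(user), 16):
        block = user[i:i + 16]
        out += block + crc_dnp(block).to_bytes(2, "little")
    return out

def parse_frame(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Return (ctrl, dst, src, user_data); ValueError on a bad start sequence or CRC."""
    if frame[:2] != START or crc_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("bad link header")
    ctrl, remaining = frame[3], frame[2] - 5
    dst, src = int.from_bytes(frame[4:6], "little"), int.from_bytes(frame[6:8], "little")
    user, pos = b"", 10
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if crc_dnp(block) != int.from_bytes(frame[pos + n:pos + n + 2], "little"):
            raise ValueError("bad block CRC")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    return ctrl, dst, src, user

def discovery_request(src: int, dst: int) -> bytes:
    """DNP3Req(src, dst, Read(0,1,2,3)): transport C0 (FIR|FIN), app ctrl C0, READ, classes 0..3."""
    return build_frame(src, dst, b"\xC0\xC0" + bytes([FC_READ]) + CLASS_READ)

def confirm_unsolicited(uns_frame: bytes) -> bytes:
    """CONFIRM for an unsolicited response, sent with the link addresses swapped (as the master)."""
    _, dst, src, user = parse_frame(uns_frame)
    seq = user[1] & 0x0F                                  # app ctrl D0|seq = FIR|FIN|UNS
    return build_frame(dst, src, b"\xC0" + bytes([0xD0 | seq, FC_CONFIRM]))

class SimOutstation:
    """Assumed outstation: answers a READ only if dst is its address and src is its master."""
    def __init__(self, address: int, master: int, unsolicited_on_connect: bool = False):
        self.address, self.master, self.unsolicited = address, master, unsolicited_on_connect

    def on_connect(self) -> Optional[bytes]:
        if not self.unsolicited:
            return None
        # app ctrl D0 = FIR|FIN|UNS seq 0; IIN1 0x90 = DEVICE_RESTART | NEED_TIME
        user = b"\xC0\xD0" + bytes([FC_UNSOLICITED, 0x90, 0x00])
        return build_frame(self.address, self.master, user, ctrl=0x44)

    def handle(self, frame: bytes) -> Optional[bytes]:
        try:
            _, dst, src, user = parse_frame(frame)
        except ValueError:
            return None
        if dst != self.address or src != self.master or user[2] != FC_READ:
            return None
        user = b"\xC0\xC0" + bytes([FC_RESPONSE, 0x00, 0x00])  # solicited response, IIN clear
        return build_frame(self.address, self.master, user, ctrl=0x44)

def discover(outstation: SimOutstation, max_addr: int = 10) -> Tuple:
    """Return (master, outstation_addr, how, frames_sent).
    max_addr=10 is Algorithm 2, max_addr=65519 is Algorithm 3; dst restarts at 0 for every src."""
    uns = outstation.on_connect()
    if uns is not None:                                   # Algorithm 1 path: frame names both ends
        _, master, addr, _ = parse_frame(uns)
        outstation.handle(confirm_unsolicited(uns))       # confirm as the master, then keep polling
        return master, addr, "unsolicited", 0
    sent = 0
    for src in range(max_addr + 1):                      # masquerade as master src
        for dst in range(max_addr + 1):                  # probe outstation dst
            sent += 1
            rsp = outstation.handle(discovery_request(src, dst))
            if rsp is not None:
                _, master, addr, _ = parse_frame(rsp)    # reply's dst is the master we impersonated
                return master, addr, "solicited", sent
    return None, None, "not found", sent
```

Running discover(SimOutstation(3, 1)) finds master 1 and outstation 3 after 15 frames, whereas an outstation whose master address lies outside the short range exhausts all 121 frames and needs the wider scan; the same loop with a larger max_addr is Algorithm 3. Note what the scan actually reads back: the destination field of the outstation's reply is the master address that the probe was impersonating, which is why the masquerade has to iterate over src as well as dst.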

5 DNP3 Reconnaissance Experiment

We introduced the algorithms used to perform DNP3 network discovery in Section 4. In this section we present the implementation of our discovery algorithms in a software tool. We present our virtual network test-bed and describe the experimental process used to evaluate our DNP3 network discovery algorithms. We then analyse and discuss the experimental results.

5.1 Virtual Test-bed

To perform our network discovery experiment, we used a virtual machine test-bed consisting of four DNP3 slaves, one DNP3 master and one DNP3 sub-master, as depicted in Figure 3. Our test-bed set-up consisted of the multi-drop and hierarchical DNP3 network architecture described in Section 2.1.1. Each of the virtual machines ran the Debian Linux 8.2 distribution with an allocation of 512 MB of RAM. The master and slave machines were configured with DNP3 master and DNP3 outstation (slave) programs respectively, developed using the OpenDNP3 library. OpenDNP3 is an open source implementation of DNP3 developed in C++ by Automatak (see footnote 5). Real-world DNP3 applications can be built using OpenDNP3 and deployed to high-performance SCADA servers or to resource-limited embedded systems.

The DNP3 master in our test-bed was configured with the DNP3 address 0. DNP3 device 1 was configured as a sub-master device, which manages DNP3 slaves 3, 4 and 5, whereas the DNP3 master manages DNP3 devices 1 and 2. Each of the master devices was configured to poll its designated slaves with a Read class 1 objects request every 5 seconds, along with an integrity scan every 60 seconds. Our reconnaissance device ran the Kali Linux 2.0 distribution with the scapy library installed, and was allocated the IP address 10.192.168.10.

5.2 Software Tool

We described our slave discovery algorithms in Section 4, providing a solid approach to identifying slaves and masters in a DNP3 network. In this section we describe the implementation of our software tool, which implements the presented algorithms. Our DNP3 network discovery software tool has the capability of performing a full network ARP and port scan for a given network address range. This functionality was implemented using a Python nmap library, allowing us to perform an initial scan of the network to discover hosts listening for DNP3 on TCP port 20000.

Once the initial network scan is complete, a list of all responding hosts is displayed, together with the status of port 20000 on each. The tool then requires the user to select a DNP3 host with an open DNP3 port, under the assumption that the target host is a DNP3 slave device. The tool then creates a TCP connection to the selected host using the Python socket library, over which it begins to transmit DNP3 discovery frames using Algorithm 2.

Scapy is a packet manipulation library that allows the construction of a packet, or set of packets, as layers stacked one upon another (see footnote 6). We used an implementation of a DNP3 plug-in along with our own DNP3 spoofing library to implement all the DNP3 discovery algorithms presented in Section 4.

The short-range DNP3 address discovery implementation cycles through each DNP3 address against the DNP3 host until it receives a DNP3 response. As an asynchronous process, the tool uses Algorithm 1 to listen for an unsolicited response, or for a solicited response induced by a discovery frame. If the short-range DNP3 network discovery scan fails because the low range of DNP3 addresses is exhausted, a complete DNP3 network discovery scan is performed, ranging through all DNP3 addresses to 256. Once the tool has found the correct DNP3 master and DNP3 slave addresses, it displays this information to the user. If the tool has exhausted all 65519 master and 65519 slave addresses and does not find the DNP3 service, it concludes that the device does not host a DNP3 slave service.

5. Automatak (2015), Opendnp3 project. URL: https://www.automatak.com/opendnp3/

6. Biondi, P. (2014), Scapy. URL: http://www.secdev.org/projects/scapy/

Figure 3: Virtual machine DNP3 critical infrastructure network test-bed. SCADA network 10.192.168.0/24: Master (DNP3 address 0) at 10.192.168.7; Sub-master (DNP3 address 1) at 10.192.168.1; Slaves (DNP3 addresses 2, 3, 4 and 5) at 10.192.168.2, 10.192.168.3, 10.192.168.4 and 10.192.168.5; Reconnaissance device at 10.192.168.10.

5.3 Experiment

To further evaluate our DNP3 network discovery algorithms, we describe our experiment performed over our virtual machine DNP3 critical infrastructure test-bed. In this experiment we wanted to see whether our short-range network discovery algorithm was able to find all DNP3 slaves deployed on the virtual network. From this experiment we expected to retrieve each DNP3 slave's IP address, MAC address, DNP3 slave address and master address, and all object class data. We loaded our DNP3 network software tool on the reconnaissance device depicted in Figure 3. To view our scanning progress during the experiment, we used the graphical and interactive network traffic analysis tool Wireshark. Wireshark contains a DNP3 decoder which allows us to view object data retrieved by the DNP3 network scan. Our process for acquiring information from the DNP3 slaves follows the tool operation procedure outlined in Section 5.2. We first performed an ARP scan to discover all devices in our target network, followed by a TCP port scan. Once we received a list of hosts, we selected hosts for a secondary DNP3 discovery scan for slaves. These selected hosts must have the state of their DNP3 port (port 20000) set to open, allowing us to scan for DNP3 addresses using the short-range DNP3 address discovery algorithm described in Algorithm 2.

Figure 4: Software tool output during initial network scan.

5.4 Results and Analysis

From our experiments, we were able to discover all hosts providing a DNP3 slave service. Shown in Figure 4 is the tool's output from the initial network scan. The results show that seven hosts were discovered, five of which had TCP port 20000 open. We manually selected our first host, 10.192.168.1, which had TCP port 20000 open, and proceeded to perform our DNP3 address discovery scan to find its slave address, data objects and master's address.

5.4.1 Unsolicited Response Processed

Shown in Figure 5 is the resulting output from the tool, showing that it received a DNP3 unsolicited response from host 10.192.168.1, indicating that the DNP3 service on the target host had just been restarted and requires configuration. From this unsolicited response, the tool was able to extract the host's DNP3 slave address of 1 and its corresponding DNP3 master's address of 0. The tool then sent a confirm message for the slave's unsolicited response, masquerading as the slave's corresponding master, and followed it with a DNP3 discovery frame to the newly discovered slave. The discovery frame resulted in the target slave responding with a list of objects and their index point values. This observation was made in the Wireshark capture running during the DNP3 network discovery experiment. Once we had the response containing the slave's object classes, we proceeded to discover the DNP3 slave service of the next host. The same DNP3 discovery process was performed on host 10.192.168.2, in which the tool received an unsolicited response upon connecting, revealing its DNP3 slave address as 2 and its master as 0.

Figure 5: Software tool output during DNP3 network discovery.

5.4.2 DNP3 Discovery Scan

For host 10.192.168.3, no unsolicited response was received immediately from the target host, so the software tool had to continue with the discovery scan. Shown in Figure 6 is the resulting Wireshark traffic from the short-range DNP3 network discovery scan. In Frame 812 of Figure 6, under Info, we can see that the tool has moved from slave range 2 (Frame 810) to range 3. This then resulted in finding the slave address of 3 and its master address of 1, shown in Frame 814 of Figure 6, and the retrieval of the slave's class objects in Frames 816 and 818. This was also the case for hosts 10.192.168.4 and 10.192.168.5: they did not send an unsolicited response upon connection, and relied on the short-range network scan algorithm to induce a response.

5.4.3 All DNP3 slaves identified

Upon completion of our experiment, we were able to identify all DNP3 slaves on the network. Shown in Figure 7 is the final output after performing a DNP3 discovery scan for each of the suspected hosts with an open DNP3 port. The final results show that 10.192.168.1 was configured with the DNP3 address 1 and 10.192.168.2 with the DNP3 address 2. Both of these hosts were slaves to DNP3 master 0. Host 10.192.168.3 was configured with DNP3 address 3, 10.192.168.4 with DNP3 address 4, and finally host 10.192.168.5 with DNP3 address 5. Each of these hosts was configured as a slave of master 1, which we know is allocated to host 10.192.168.1 from the DNP3 address discovery scan shown in Figure 5, thus identifying that host as a DNP3 sub-master.

5.4.4 Slave class data objects

During the network discovery process, we were able to collect class data objects from each of our target slave devices in Wireshark. Shown in Figure 8 are the DNP3 response frames resulting from the discovery frames sent by the software tool, as captured in Wireshark. Within each response frame's application segment we can observe seven data objects, each containing 10 index points. The first object is a binary input status object, followed by a double-bit input status and a binary output status object. The final four objects are each 32-bit DNP3 objects: a binary counter, a frozen binary counter, an analog input and an analog output status.
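To show what the discovery scan actually brings back, here is an added Python example (not the paper's tool or Wireshark's decoder) that walks the object headers of a DNP3 response application fragment and decodes the points. The sample fragment is constructed for the demonstration with the same seven groups and ten points per object as the test-bed outstations; the variations used (1/2, 3/2, 10/2 as flag bytes and 20/1, 21/1, 30/1, 40/1 as 32-bit with flag) and the IIN value are assumptions, and only the range qualifiers 0x00 and 0x01 are handled.

```python
import struct
from typing import Dict, List

# bytes per point for the (group, variation) pairs used in the sample
POINT_SIZE = {(1, 2): 1, (3, 2): 1, (10, 2): 1, (20, 1): 5, (21, 1): 5, (30, 1): 5, (40, 1): 5}
GROUP_NAME = {1: "binary input", 3: "double-bit input", 10: "binary output status",
              20: "binary counter", 21: "frozen counter", 30: "analog input",
              40: "analog output status"}

def decode_point(group: int, raw: bytes) -> Dict:
    """1-byte variations pack flags and state; 5-byte variations are flag byte + int32 LE."""
    online = bool(raw[0] & 0x01)
    if len(raw) == 1:
        state = (raw[0] >> 6) if group == 3 else (raw[0] >> 7)   # double-bit uses bits 7-6
        return {"online": online, "state": state}
    return {"online": online, "value": struct.unpack("<i", raw[1:5])[0]}

def parse_response(fragment: bytes) -> Dict:
    """Parse app ctrl, function code, IIN and range-qualified object headers (0x00 / 0x01)."""
    func = fragment[1]
    if func not in (0x81, 0x82):
        raise ValueError("not a response fragment")
    result = {"unsolicited": func == 0x82,
              "iin": int.from_bytes(fragment[2:4], "little"), "objects": []}
    pos = 4
    while pos < len(fragment):
        group, var, qual = fragment[pos:pos + 3]
        pos += 3
        if qual == 0x00:                                   # 8-bit start/stop indices
            start, stop = fragment[pos], fragment[pos + 1]
            pos += 2
        elif qual == 0x01:                                 # 16-bit start/stop indices
            start, stop = struct.unpack_from("<HH", fragment, pos)
            pos += 4
        else:
            raise ValueError(f"unsupported qualifier 0x{qual:02x}")
        size = POINT_SIZE[(group, var)]
        points: List[Dict] = []
        for _ in range(stop - start + 1):
            points.append(decode_point(group, fragment[pos:pos + size]))
            pos += size
        result["objects"].append({"group": group, "variation": var,
                                  "name": GROUP_NAME.get(group, "unknown"),
                                  "start": start, "stop": stop, "points": points})
    return result

def sample_fragment() -> bytes:
    """Constructed solicited response (app ctrl C0, func 0x81, IIN 0): 7 objects, points 0-9."""
    frag = bytes([0xC0, 0x81, 0x00, 0x00])
    for group, var in ((1, 2), (3, 2), (10, 2)):
        frag += bytes([group, var, 0x00, 0, 9])
        for i in range(10):                                # online; alternating off/on states
            on = 0x80 if i % 2 else (0x40 if group == 3 else 0x00)
            frag += bytes([0x01 | on])
    for group, var in ((20, 1), (21, 1), (30, 1), (40, 1)):
        frag += bytes([group, var, 0x00, 0, 9])
        for i in range(10):
            frag += b"\x01" + struct.pack("<i", group * 100 + i)
    return frag
```

The point for a reconnaissance tool is that none of this is gated by any authentication: a single class 0 to 3 read answered by the outstation yields the full point list and live values, which is exactly the "class object data" the paper's Wireshark captures show.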

6 Discussion

As shown by the results in Section 5.4, all DNP3 slaves in the experiment were found. The software tool demonstrated an intrusive network discovery technique for discovering DNP3 slave addresses and their corresponding master using the algorithms discussed in Section 4.

Some deductions can be made from the results, such as the presence of the sub-master. Figure 7 shows host 10.192.168.1 configured as a slave with DNP3 address 1, while the three DNP3 slaves 3, 4 and 5 have been configured to talk to master 1. From these results we can deduce that 10.192.168.1 is in fact a sub-master. In some cases this could instead be an incorrect configuration of DNP3 equipment in which there exist two independent masters, one of which is using a DNP3 address allocated to a slave.

Given these results, the techniques demonstrated would be a useful utility for reconnaissance before a cyber-attack is performed. From the experiments we observe that each DNP3 slave was discovered by the software tool, along with its class object data. This experiment demonstrates the capability of a remote adversary. On a more positive note, the techniques and algorithms presented can be used legitimately by authorised users who wish to assess SCADA equipment.

Our presented tool could be used by authorised users for the assessment of new or unknown pre-configured equipment. If equipment has been provided by a third party with an unknown configuration, our tool would be able to extract master, slave and class object data, thus aiding in the reverse engineering of its initial configuration. Furthermore, our tool can help automate DNP3 system audits and aid in the discovery of misplaced or misconfigured DNP3 equipment.

In addition to auditing, our techniques can be used to aid in the discovery of rogue DNP3 equipment. This could involve the discovery of introduced malware or malicious equipment in a SCADA network, thus providing a tool for intrusion detection. Beyond aiding intrusion detection, our tool can be used to help understand reconnaissance techniques through penetration testing; this can be used to find DNP3 network vulnerabilities that can be exploited by cyber-threats against infrastructure networks. The tool can also contribute to the creation of anomalous traffic to aid in the development of anomaly-based intrusion detection systems.

Figure 6: Wireshark output for short-range DNP3 network discovery scan.

Figure 7: Software tool output after discovering entire DNP3 network.

Figure 8: Wireshark output showing each DNP3 outstation along with objects from outstation 5.

7 Conclusion

In this paper we have presented a technique for performing reconnaissance on DNP3 devices. The algorithms described in Section 4 were shown to be effective: using our software tool, developed with a DNP3 plug-in for Scapy, we collected DNP3 slave addresses, their corresponding master addresses and the configured data objects. The results of our network discovery can be seen in Figure 7, showing the DNP3 hosts along with their DNP3 and IP addresses. This was demonstrated using our virtual machine test-bed network consisting of DNP3 hosts implemented using OpenDNP3. A number of areas of future work can be derived from this paper. The network discovery technique can be extended to other automation protocols implemented in SCADA networks, allowing new reconnaissance or network discovery techniques for those protocols. In addition, the tool can be extended to generate anomalous or malicious traffic to aid in the development of anomaly-based intrusion detection systems.

Acknowledgement

This work was supported in part by Australian Research Council Linkage Grant LP120200246, Practical Cyber Security for Next Generation Power Transmission Networks.

References

[1] Akande, A. J., Fidge, C. and Foo, E. [2015], Component modeling for SCADA network mapping, in D. Parry, ed., '38th Australasian Computer Science Conference (ACSC 2015)', Conferences in Research and Practice in Information Technology (CRPIT), Sydney, NSW, pp. 91–100.

[2] Burns, D., Adesina, O. and Barker, K. [2011], CCNP Security IPS 642-627 Official Cert Guide, Cisco Press.

[3] Clarke, G. R., Reynders, D. and Wright, E. [2004], Practical modern SCADA protocols: DNP3, 60870.5 and related systems, Newnes.

[4] Curtis, K. [2005], 'A DNP3 Protocol Primer', DNP Users Group.

[5] Donnet, B. and Friedman, T. [2007], 'Internet topology discovery: a survey', IEEE Communications Surveys & Tutorials 9(4), 56–69.

[6] Durumeric, Z., Bailey, M. and Halderman, J. A. [2014], An internet-wide view of internet-wide scanning, in 'USENIX Security Symposium'.

[7] East, S., Butts, J., Papa, M. and Shenoi, S. [2009], A Taxonomy of Attacks on the DNP3 Protocol, in 'Critical Infrastructure Protection III', Springer, pp. 67–81.

[8] Gonzalez, J. and Papa, M. [2008], Passive scanning in Modbus networks, in E. Goetz and S. Shenoi, eds, 'Critical Infrastructure Protection', Vol. 253 of IFIP International Federation for Information Processing, Springer US, pp. 175–187.

[9] Hahn, A. and Govindarasu, M. [2011], An evaluation of cybersecurity assessment tools on a SCADA environment, in 'Power and Energy Society General Meeting, 2011 IEEE', pp. 1–6.

[10] Myers, D., Foo, E. and Radke, K. [2015], Internet-wide scanning taxonomy and framework, in I. Welch and X. Yi, eds, 'Australasian Information Security Conference (ACSW-AISC)', Australian Computer Society, Inc, Sydney, NSW.

[11] Nam, S. Y., Jurayev, S., Kim, S.-S., Choi, K. and Choi, G. S. [2012], 'Mitigating ARP poisoning-based man-in-the-middle attacks in wired or wireless LAN', EURASIP Journal on Wireless Communications and Networking 2012(1), 1–17.

[12] Nicholson, A., Webber, S., Dyer, S., Patel, T. and Janicke, H. [2012], 'SCADA Security in the Light of Cyber-Warfare', Computers & Security 31(4), 418–436.

[13] Rodofile, N., Radke, K. and Foo, E. [2015], Real-Time and Interactive Attacks on DNP3 Critical Infrastructure Using Scapy, in 'Proceedings of Australasian Information Security Conference (ACSW-AISC 2015)', pp. 1–4.

[14] Rowe, N. and Goh, H. [2007], Thwarting cyber-attack reconnaissance with inconsistency and deception, in 'Information Assurance and Security Workshop, 2007. IAW '07. IEEE SMC', pp. 151–158.

[15] Stouffer, K., Falco, J. and Scarfone, K. [2011], 'Guide to industrial control systems (ICS) security', NIST Special Publication 800-82.

[16] van der Knijff, R. [2014], 'Control systems/SCADA forensics, what's the difference?', Digital Investigation 11(3), 160–174. Special Issue: Embedded Forensics.

[17] Zhu, B., Joseph, A. and Sastry, S. [2011], A Taxonomy of Cyber Attacks on SCADA Systems, in 'Proceedings of 2011 International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing (iThings/CPSCom)', pp. 380–388.

[18] IEEE Power and Energy Society [2012], IEEE Standard for Electric Power Systems Communications (DNP3), Technical report, The Institute of Electrical and Electronics Engineers, Inc.