GooseStalker

Purpose

GooseStalker is a project to analyze and interact with Ethernet types associated with IEC 61850. Currently, the project is based on the Goose network packet parsing from the Keith Gray Power Engineering Goose Repo. These modules and scripts will parse network traffic to understand the IEC 61850 communications and to interact with devices communicating with these protocols.

Modules and Scripts

  • Goose
    • goose.py - Scapy layers to analyze packets (see TODO)
    • goose_pdu.py - ASN1 layers to analyze Goose data
  • Scripts
    • goose_parser.py - script to display the Scapy layers and parsed Goose data. Outputs text version of Goose layers and data.
    • goose_dataset_checker.py - display dataset information for all devices.
    • goose_device_cnt.py - count all devices and display, in CSV format, the source hardware address, destination hardware address, and Goose ID for each device.
    • goose_device_vlans.py - display Virtual Local Area Network (VLAN) information for Goose packets.
    • goose_packet_mod_test.py - template script to test Goose message modifications and print to terminal, without sending.
    • goose_routable_checker.py - check if the Goose implementation is configured to use routable Goose messages.
    • goose_security_checker.py - check if the Goose implementation is configured to use the Goose security features.
    • goose_send_mod_packet.py - template script to modify and send Goose messages from a network capture.
    • goose_time_sync_checker.py - check the timestamps in the Goose messages. This should represent the device time setting and help understand if a time server is being used to synchronize time on the subnet. NOTE: Devices do not have to have the exact same time because Goose messages are managed by timing and not the device time.
    • goose_type_checker.py - displays the Goose message types. See IEC 61850 for descriptions of each type.
  • PCAPS
    • GOOSE_wireshark.pcap - Wireshark's PCAP file for testing. This does not contain messages with VLAN layers (see TODO list).
    • ITI IEC61850 Goose PCAPS
  • DOCS
    • Research into IEC61850 that outlines usage and packet format (see DOCS section)
  • LICENSE - maintains Keith's original MIT license for this work
  • Pipfile - required Python modules. Probably contains a few more than necessary to allow for additional development. See requirements below.

Usage

Scripts

Count of devices producing Goose messages

python3 ./goose_device_cnt.py <file.pcapng>
CutSec 21-12-13 9:37:52
> python3 ./goose_device_cnt.py ../PCAPs/GOOSE_wireshark.pcap
##################################################
### Goose Source Interface Address and Destination Addresses with Goose ID
##################################################
Goose Device Count: 1

Source Address,Destivation Address,goID
00:a0:f4:08:2f:77,01:a0:f4:08:2f:77,F650_GOOSE1

Type of Goose messages

python3 ./goose_type_checker.py <file.pcapng>
CutSec 21-12-13 9:40:30
> python3 ./goose_type_checker.py ../PCAPs/GOOSE_wireshark.pcap
Goose Packets: 8
    Type 1        : 8
    Type 1a       : 0
    GSE Management: 0
    Sampled Values: 0
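
The kind of type check shown above can be done on raw Ethernet frames, including the 802.1Q-tagged frames that the bundled Wireshark capture lacks. This is an added example, not code from the GooseStalker repository: the EtherType values and APPID ranges are taken from IEC 61850-8-1 as an assumption about what such a check keys on, the function names are hypothetical, and the sample frames are constructed.

```python
import struct
from collections import Counter

# Assumed from IEC 61850-8-1 / 9-2 (not read from this repository):
# EtherTypes for GOOSE, GSE Management, Sampled Values, plus the 802.1Q tag.
ETH_GOOSE, ETH_GSE_MGMT, ETH_SV, ETH_VLAN = 0x88B8, 0x88B9, 0x88BA, 0x8100

def classify(frame: bytes):
    """Return (label, vlan_id, appid) for a raw frame, or None if not IEC 61850."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan_id = 14, None
    if ethertype == ETH_VLAN and len(frame) >= 18:
        # 802.1Q tag: 2-byte TCI (priority + VLAN ID), then the real EtherType
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype not in (ETH_GOOSE, ETH_GSE_MGMT, ETH_SV):
        return None
    if len(frame) < offset + 8:  # APPID, Length, Reserved1, Reserved2
        return ("Truncated", vlan_id, None)
    appid, length, _res1, _res2 = struct.unpack_from("!HHHH", frame, offset)
    if len(frame) - offset < length:  # Length counts from APPID to end of APDU
        return ("Truncated", vlan_id, appid)
    if ethertype != ETH_GOOSE:
        label = "GSE Management" if ethertype == ETH_GSE_MGMT else "Sampled Values"
    elif appid <= 0x3FFF:
        label = "Type 1"
    elif 0x8000 <= appid <= 0xBFFF:
        label = "Type 1a"
    else:
        label = "GOOSE, APPID out of range"
    return (label, vlan_id, appid)

def summarize(frames):
    """Count frames per label, skipping non-IEC 61850 traffic."""
    return Counter(r[0] for r in map(classify, frames) if r)

def _frame(ethertype, appid, vlan=None):
    # Constructed sample: header only (Length = 8, no APDU), addresses from the output above
    dst, src = bytes.fromhex("01a0f4082f77"), bytes.fromhex("00a0f4082f77")
    tag = struct.pack("!HH", ETH_VLAN, (4 << 13) | vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!HHHHH", ethertype, appid, 8, 0, 0)

# Constructed inputs: untagged Type 1, tagged Type 1a, tagged SV, unrelated IPv4
SAMPLES = [_frame(ETH_GOOSE, 0x0001), _frame(ETH_GOOSE, 0x8001, vlan=10),
           _frame(ETH_SV, 0x4000, vlan=20), _frame(0x0800, 0)]

if __name__ == "__main__":
    for label, count in summarize(SAMPLES).items():
        print(f"{label:<16}: {count}")
```
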

Audit Goose configurations by running multiple scripts on a single file

for inf in goose_type_checker.py goose_routable_checker.py goose_security_checker.py \
goose_device_cnt.py goose_time_sync_checker.py goose_dataset_checker.py; do echo; \
echo '################'; echo "$inf"; echo '################'; python3 "./$inf" <file.pcapng>; \
echo; done
CutSec 21-12-13 9:37:45
> for s in goose_type_checker.py goose_routable_checker.py goose_security_checker.py \ 
goose_device_cnt.py goose_time_sync_checker.py goose_dataset_checker.py; do echo; \ 
echo ################; echo $s; echo ################; python3 ./$s ../PCAPs/GOOSE_wireshark.pcap; \ 
echo; done

################
goose_type_checker.py
################
Goose Packets: 8
    Type 1        : 8
    Type 1a       : 0
    GSE Management: 0
    Sampled Values: 0


################
goose_routable_checker.py
################
Routable Goose and Sampled Values
    No routable Goose or Sampled Values detected.


################
goose_security_checker.py
################
Goose Packets: 8
    Security: 0
    No Security: 8


################
goose_device_cnt.py
################
##################################################
### Goose Source Interface Address and Destination Addresses with Goose ID
##################################################
Goose Device Count: 1

Source Address,Destination Address,goID
00:a0:f4:08:2f:77,01:a0:f4:08:2f:77,F650_GOOSE1


################
goose_time_sync_checker.py
################
##################################################
### Goose Timestamps and TTL by Goose ID and stNum
### NOTE: Devices times can be different and not
###       have a negative impact on operations.
###       Goose devices are more interested in
###       message timing than device time.
##################################################
Source Device: F650_GOOSE1
    1 : 2000-01-02 02:46:11 : 40000
    1 : 2000-01-02 02:47:29 : 1000
    1 : 2000-01-02 02:47:29 : 2000
    1 : 2000-01-02 02:47:29 : 40000


################
goose_dataset_checker.py
################
Goose Data by Device Hardware Address
Source Device: 00:a0:f4:08:2f:77
    GEDeviceF650/LLN0$GO$gcb01 - GEDeviceF650/LLN0$GOOSE1 - F650_GOOSE1 - 8

IPython Usage

  • TODO

DOCS - Research into IEC61850 that outlines usage and packet format

Requirements and Installation

  • Pipenv - Pipfile should contain all required packages, to include a few nice-to-haves.
    • Scapy - comes with its own set of required packages
    • PyASN1 - Python ASN1 module
    • iPython
    • cryptography - may or may not need this
  • Wireshark - you'll want a second source to analyze PCAPs
  • Admin Privileges - you'll need administrative privileges to capture and resend data on your system's network interface.

TODO

  • Convert parser into module for other scripts
  • Script to provide packet statistics
  • Script to identify control packets
  • Replay script
  • Spoofing script

goosestalker's People

Contributors

cutaway
