Python / Scapy tool to analyze and interact with IEC 61850 Goose traffic

GooseStalker

Purpose

GooseStalker is a project to analyze and interact with the Ethernet frame types (EtherTypes) associated with IEC 61850: Goose, GSE management and Sampled Values. Currently, the project is based on the Goose network packet parsing from the Keith Gray Power Engineering Goose Repo. These modules and scripts parse network traffic to understand IEC 61850 communications and to interact with devices that communicate with these protocols.

Modules and Scripts

  • Goose
    • goose.py - Scapy layers to analyze packets (see TODO)
    • goose_pdu.py - ASN1 layers to analyze Goose data
  • Scripts
    • goose_parser.py - script to display the Scapy layers and parsed Goose data. Outputs text version of Goose layers and data.
    • goose_dataset_checker.py - display dataset information for all devices.
    • goose_device_cnt.py - count all devices and display, in CSV format, the source hardware address, destination hardware address, and Goose ID for each device.
    • goose_device_vlans.py - display Virtual Local Area Network (VLAN) information for Goose packets.
    • goose_packet_mod_test.py - template script to test Goose message modifications and print to terminal, without sending.
    • goose_routable_checker.py - check if the Goose implementation is configured to use routable Goose messages.
    • goose_security_checker.py - check if the Goose implementation is configured to use the Goose security features.
    • goose_send_mod_packet.py - template script to modify and send Goose messages from a network capture.
    • goose_time_sync_checker.py - check the timestamps in the Goose messages. The timestamp reflects the publishing device's clock setting and helps determine whether a time server is synchronizing time on the subnet. NOTE: Devices do not have to have exactly the same time, because Goose message handling is driven by message timing (retransmission intervals and time-to-live), not by the device clock.
    • goose_type_checker.py - displays the Goose message types. See IEC 61850 for descriptions of each type.
  • PCAPS
    • GOOSE_wireshark.pcap - Wireshark's PCAP file for testing. This does not contain messages with VLAN layers (see TODO list).
    • ITI IEC61850 Goose PCAPS
  • DOCS
    • Research into IEC61850 that outlines usage and packet format (see DOCS section)
  • LICENSE - maintains Keith's original MIT license for this work
  • Pipfile - required Python modules. Probably contains a few more than necessary to allow for additional development. See requirements below.

Usage

Scripts

Count of devices producing Goose messages

python3 ./goose_device_cnt.py <file.pcapng>
CutSec 21-12-13 9:37:52
> python3 ./goose_device_cnt.py ../PCAPs/GOOSE_wireshark.pcap
##################################################
### Goose Source Interface Address and Destination Addresses with Goose ID
##################################################
Goose Device Count: 1

Source Address,Destination Address,goID
00:a0:f4:08:2f:77,01:a0:f4:08:2f:77,F650_GOOSE1

Type of Goose messages

python3 ./goose_type_checker.py <file.pcapng>
CutSec 21-12-13 9:40:30
> python3 ./goose_type_checker.py ../PCAPs/GOOSE_wireshark.pcap
Goose Packets: 8
    Type 1        : 8
    Type 1a       : 0
    GSE Management: 0
    Sampled Values: 0

Audit Goose configurations by running multiple scripts on a single file

for s in goose_type_checker.py goose_routable_checker.py goose_security_checker.py \
goose_device_cnt.py goose_time_sync_checker.py goose_dataset_checker.py; do echo; \
echo '################'; echo $s; echo '################'; python3 ./$s <file.pcapng>; \
echo; done

Note: the '################' separators are quoted because an unquoted # starts a comment in bash (and in zsh when INTERACTIVE_COMMENTS is set), which would swallow the rest of the line. Also make sure no whitespace follows the trailing backslashes, or the line continuation breaks.

CutSec 21-12-13 9:37:45
> for s in goose_type_checker.py goose_routable_checker.py goose_security_checker.py \
goose_device_cnt.py goose_time_sync_checker.py goose_dataset_checker.py; do echo; \
echo '################'; echo $s; echo '################'; python3 ./$s ../PCAPs/GOOSE_wireshark.pcap; \
echo; done

################
goose_type_checker.py
################
Goose Packets: 8
    Type 1        : 8
    Type 1a       : 0
    GSE Management: 0
    Sampled Values: 0


################
goose_routable_checker.py
################
Routable Goose and Sampled Values
    No routable Goose or Sampled Values detected.


################
goose_security_checker.py
################
Goose Packets: 8
    Security: 0
    No Security: 8


################
goose_device_cnt.py
################
##################################################
### Goose Source Interface Address and Destination Addresses with Goose ID
##################################################
Goose Device Count: 1

Source Address,Destination Address,goID
00:a0:f4:08:2f:77,01:a0:f4:08:2f:77,F650_GOOSE1


################
goose_time_sync_checker.py
################
##################################################
### Goose Timestamps and TTL by Goose ID and stNum
### NOTE: Devices times can be different and not
###       have a negative impact on operations.
###       Goose devices are more interested in
###       message timing than device time.
##################################################
Source Device: F650_GOOSE1
    1 : 2000-01-02 02:46:11 : 40000
    1 : 2000-01-02 02:47:29 : 1000
    1 : 2000-01-02 02:47:29 : 2000
    1 : 2000-01-02 02:47:29 : 40000


################
goose_dataset_checker.py
################
Goose Data by Device Hardware Address
Source Device: 00:a0:f4:08:2f:77
    GEDeviceF650/LLN0$GO$gcb01 - GEDeviceF650/LLN0$GOOSE1 - F650_GOOSE1 - 8
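
The checks run above (message type by EtherType, device count by source/destination address and goID, VLAN tags, and whether the reserved security fields are in use) all come down to walking the Ethernet header, the optional 802.1Q tag, the eight-byte Goose header and the BER-encoded goosePdu. The following is an added, dependency-free example written for this page; it is not GooseStalker's own code (which uses Scapy layers and pyasn1). The sample frame it parses is constructed inline: the IED names, goID, MAC addresses and timestamp are made up, and the "no security" heuristic (all-zero reserved fields apart from the simulated bit) is an assumption stated in the code, not a statement of how goose_security_checker.py works.

```python
"""Dependency-free IEC 61850 GOOSE frame parser plus the checks the scripts above perform.
Added example; not GooseStalker code (which uses Scapy layers and pyasn1)."""
import struct

ETHERTYPES = {0x88B8: "GOOSE", 0x88B9: "GSE Management", 0x88BA: "Sampled Values"}
# Context-specific BER tags of the IECGoosePdu fields (IEC 61850-8-1); [11] allData is constructed
PDU_FIELDS = {0x80: "gocbRef", 0x81: "timeAllowedtoLive", 0x82: "datSet", 0x83: "goID",
              0x84: "t", 0x85: "stNum", 0x86: "sqNum", 0x87: "simulation", 0x88: "confRev",
              0x89: "ndsCom", 0x8A: "numDatSetEntries", 0xAB: "allData"}


def read_tlv(buf, off):
    """Return (tag, value, next_offset) for one BER TLV; handles short and long-form lengths."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def parse_goose_pdu(apdu):
    """Decode the goosePdu ([APPLICATION 1], tag 0x61) into a dict of named fields."""
    tag, body, _ = read_tlv(apdu, 0)
    if tag != 0x61:
        raise ValueError("not a goosePdu, tag 0x%02x" % tag)
    fields, off = {}, 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        name = PDU_FIELDS.get(tag, "tag_%02x" % tag)
        if name in ("gocbRef", "datSet", "goID"):
            fields[name] = val.decode("ascii")
        elif name in ("simulation", "ndsCom"):       # BOOLEAN: any non-zero octet is TRUE
            fields[name] = val != b"\x00"
        elif name == "t":                             # UtcTime: 4 B seconds, 3 B fraction, 1 B quality
            fields[name] = struct.unpack(">I", val[:4])[0] + int.from_bytes(val[4:7], "big") / 2**24
        elif name == "allData":
            fields[name] = val                        # raw SEQUENCE OF Data, left undecoded here
        else:
            fields[name] = int.from_bytes(val, "big")  # counters are non-negative INTEGERs
    return fields


def parse_frame(frame):
    """Parse one raw Ethernet frame; returns None unless it carries GOOSE, GSE mgmt or SV."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    etype, off, vlan = struct.unpack(">H", frame[12:14])[0], 14, None
    if etype == 0x8100:                               # 802.1Q tag: PCP(3) DEI(1) VID(12)
        tci, etype = struct.unpack(">HH", frame[14:18])
        vlan, off = {"pcp": tci >> 13, "vid": tci & 0x0FFF}, 18
    if etype not in ETHERTYPES:
        return None
    appid, length, res1, res2 = struct.unpack(">HHHH", frame[off:off + 8])
    info = {"src": src, "dst": dst, "type": ETHERTYPES[etype], "vlan": vlan, "appid": appid,
            "reserved1": res1, "reserved2": res2,
            "sim_bit": bool(res1 & 0x8000)}           # IEC 61850-8-1 Ed.2: bit 15 of Reserved 1 = S
    if etype == 0x88B8:                               # Length counts from APPID to the end of the APDU
        info.update(parse_goose_pdu(frame[off + 8:off + length]))
    return info


def audit(frames):
    """Gist of goose_type_checker / goose_device_cnt / goose_device_vlans / goose_security_checker."""
    parsed = [p for p in map(parse_frame, frames) if p]
    devices = {}
    for p in parsed:
        if p["type"] == "GOOSE":
            key = (p["src"], p["dst"], p["goID"])
            devices[key] = devices.get(key, 0) + 1
    # Assumption: without IEC 62351-6, Reserved 1 (apart from the S bit) and Reserved 2 are zero,
    # so all-zero reserved fields are reported as "no security"; non-zero values need manual review.
    unsecured = sum(1 for p in parsed if p["reserved1"] & 0x7FFF == 0 and p["reserved2"] == 0)
    return {"types": {t: sum(p["type"] == t for p in parsed) for t in ETHERTYPES.values()},
            "devices": devices, "vlans": sorted({p["vlan"]["vid"] for p in parsed if p["vlan"]}),
            "unsecured": unsecured, "total": len(parsed)}


# --- constructed sample frame (no real device; IED names, goID and MACs are made up) ---------
def tlv(tag, payload):
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + payload

def ber_int(n):                                       # minimal big-endian INTEGER, non-negative only
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def build_sample_frame(vlan_vid=None, st_num=1, sq_num=3):
    pdu = tlv(0x61, b"".join([
        tlv(0x80, b"IED1CTRL/LLN0$GO$gcb01"), tlv(0x81, ber_int(1000)),
        tlv(0x82, b"IED1CTRL/LLN0$GOOSE1"), tlv(0x83, b"IED1_GOOSE1"),
        tlv(0x84, struct.pack(">I", 1700000000) + b"\x00\x00\x00\x0a"),
        tlv(0x85, ber_int(st_num)), tlv(0x86, ber_int(sq_num)), tlv(0x87, b"\x00"),
        tlv(0x88, ber_int(1)), tlv(0x89, b"\x00"), tlv(0x8A, ber_int(2)),
        tlv(0xAB, tlv(0x83, b"\x01") + tlv(0x84, b"\x03\x00\x00")),   # BOOLEAN + 13-bit quality
    ]))
    eth = bytes.fromhex("010ccd010001") + bytes.fromhex("001122334455")   # dst (GOOSE mcast), src
    tag = struct.pack(">HH", 0x8100, (4 << 13) | vlan_vid) if vlan_vid is not None else b""
    return eth + tag + struct.pack(">HHHHH", 0x88B8, 0x0001, 8 + len(pdu), 0, 0) + pdu


if __name__ == "__main__":
    for k, v in audit([build_sample_frame(), build_sample_frame(vlan_vid=100, sq_num=4)]).items():
        print(k, v)
```

To run it against a real capture, feed parse_frame the raw bytes of each Ethernet frame (for example from pcap frames read with Scapy's rdpcap and bytes(pkt)); every field the checkers above report (goID, stNum, sqNum, t, VLAN ID, reserved fields) is in the returned dict, and audit reproduces the counts shown in the session output.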

IPython Usage

  • TODO

DOCS - Research into IEC61850 that outlines usage and packet format

Requirements and Installation

  • Pipenv - the Pipfile should contain all required packages, including a few nice-to-haves.
    • Scapy - comes with its own set of required packages
    • PyASN1 - Python ASN.1 module
    • IPython
    • cryptography - may or may not be needed
  • Wireshark - you'll want a second source to analyze PCAPs
  • Admin Privileges - you'll need administrative (root) privileges to capture and resend data on your system's network interface.

TODO

  • Convert parser into module for other scripts
  • Script to provide packet statistics
  • Script to identify control packets
  • Replay script
  • Spoofing script