
Arya - OT/ICS Security Reconnaissance Tool

Source: github.com/claroty/arya | Author: Johan Beysen, Fox & Fish Cybersecurity


1. Overview

Arya is a reconnaissance and security assessment tool developed by Claroty, designed specifically for Operational Technology (OT) and Industrial Control Systems (ICS) networks. The tool helps identify, scan and analyse industrial devices and protocols.

Caveat before installing: at the time of editing, the repository at the URL below is described upstream as "Arya, the reverse YARA", a Team82 tool that generates pseudo-malicious files to trigger YARA rules, not a network scanner. Compare the README of what you clone with the description in these notes before following the rest of this page; the option names used in sections 5 to 14 were not verified against that repository.

Developer: Claroty Research (Team82)
Type: OT/ICS security scanner
License: open source (check the LICENSE file in the repository for the exact terms)
Repository: https://github.com/claroty/arya


2. Purpose and Applications

2.1 Primary Goals

  • Asset discovery: identify ICS/SCADA devices on the network
  • Protocol analysis: analyse industrial communication protocols
  • Vulnerability assessment: detect security weaknesses in OT devices
  • Network mapping: map the industrial network topology
  • Configuration auditing: check device configurations and security settings

2.2 Use Cases

  1. Penetration testing: security assessments of industrial environments
  2. Asset inventory: complete inventory of OT devices
  3. Compliance audits: verification of security baselines (IEC 62443, NIST)
  4. Incident response: quickly identify devices during a security incident
  5. Network segmentation: verify the separation between OT and IT networks

3. Supported Protocols and Technologies

3.1 Industrial Protocols

Protocol      Description                                   Default port(s)
Modbus TCP    PLC communication protocol                    502/tcp
Modbus RTU    Serial variant of Modbus                      serial (RS-232/RS-485); only reachable over IP through a gateway
S7/S7comm     Siemens PLC protocol (over ISO-on-TCP)        102/tcp
EtherNet/IP   Rockwell Automation protocol (CIP)            44818/tcp and udp (explicit messaging), 2222/udp (implicit I/O)
BACnet/IP     Building automation protocol                  47808/udp
DNP3          SCADA/utility protocol                        20000/tcp and udp
OPC UA        Industrial communication standard             4840/tcp
PROFINET      Siemens industrial Ethernet                   none for the real-time traffic: it runs at Ethernet layer 2 (EtherType 0x8892) and is not routable; only connection setup (PN-IO CM) uses UDP 34962-34964

Note the transport column: BACnet is UDP only, so a TCP-only port scan (such as nmap -sS) will never find it, and PROFINET devices can only be discovered from a host on the same layer-2 segment.
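What "protocol analysis" means in practice is shown below for the first row of the table: an added example, written for these notes and not code from the Arya repository, that encodes a Modbus/TCP Read Device Identification request (function 43, MEI type 14) and parses the reply, which is the single least intrusive request a scanner can use to obtain vendor, product code and firmware revision from a Modbus device. The two sample frames are constructed (a hypothetical Schneider M340 reply and an ILLEGAL FUNCTION exception); `query_device` is a helper of this example that sends one request over a TCP socket and is the only part that touches the network.

```python
import socket
import struct

# Object IDs in the "basic" category of Modbus function 0x2B / MEI type 0x0E
# (Read Device Identification), as defined in the Modbus Application Protocol spec.
BASIC_OBJECTS = {0x00: "vendor", 0x01: "product_code", 0x02: "revision"}

MODBUS_EXCEPTIONS = {0x01: "ILLEGAL FUNCTION", 0x02: "ILLEGAL DATA ADDRESS",
                     0x03: "ILLEGAL DATA VALUE", 0x04: "SERVER DEVICE FAILURE"}


def build_read_device_id(transaction_id=1, unit_id=1, read_code=0x01, object_id=0x00):
    """Encode a Modbus/TCP Read Device Identification request.
    read_code 0x01 asks for the basic objects; unit_id matters behind a serial gateway."""
    pdu = bytes([0x2B, 0x0E, read_code, object_id])
    # MBAP header: transaction id, protocol id (always 0), length of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id(frame):
    """Decode the response. An exception response is reported as a dict with
    exception_code/exception instead of raising, because 'device answers Modbus
    but refuses FC 43' is itself a useful inventory result."""
    if len(frame) < 9:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"not Modbus/TCP: protocol id {protocol_id}")
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError(f"MBAP length {length} does not match {len(pdu) + 1} bytes present")
    result = {"transaction_id": transaction_id, "unit_id": unit_id}
    if pdu[0] == 0xAB:  # 0x2B with the high bit set: exception response
        code = pdu[1]
        result.update(exception_code=code, exception=MODBUS_EXCEPTIONS.get(code, "UNKNOWN"))
        return result
    if pdu[0] != 0x2B or pdu[1] != 0x0E or len(pdu) < 7:
        raise ValueError(f"unexpected function/MEI bytes {pdu[:2].hex()}")
    read_code, conformity, more_follows, next_object_id, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("object header truncated")
        object_id, object_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + object_len]
        if len(value) != object_len:  # never trust a length byte from the wire
            raise ValueError(f"object {object_id:#04x} truncated")
        name = BASIC_OBJECTS.get(object_id, f"object_{object_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + object_len
    result.update(conformity_level=conformity, more_follows=bool(more_follows),
                  next_object_id=next_object_id, objects=objects)
    return result


# Constructed sample frames (not captured from a real device).
SAMPLE_RESPONSE = (
    b"\x00\x01\x00\x00\x00\x2e\x01"     # MBAP: txid 1, proto 0, length 46, unit 1
    b"\x2b\x0e\x01\x01\x00\x00\x03"     # FC 43, MEI 14, basic, conformity 0x01, no more, 3 objects
    b"\x00\x12Schneider Electric"       # object 0x00 VendorName (18 bytes)
    b"\x01\x0aBMXP342020"               # object 0x01 ProductCode (10 bytes)
    b"\x02\x042.80"                     # object 0x02 MajorMinorRevision (4 bytes)
)
SAMPLE_EXCEPTION = b"\x00\x01\x00\x00\x00\x03\x01\xab\x01"   # ILLEGAL FUNCTION


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf += chunk
    return buf


def query_device(host, port=502, unit_id=1, timeout=5.0):
    """One connection, one request, one reply: the least intrusive Modbus fingerprint."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id(unit_id=unit_id))
        header = _recv_exact(sock, 7)
        length = struct.unpack(">H", header[4:6])[0]
        return parse_read_device_id(header + _recv_exact(sock, length - 1))


if __name__ == "__main__":
    print(parse_read_device_id(SAMPLE_RESPONSE))
    print(parse_read_device_id(SAMPLE_EXCEPTION))
```

Note the two defensive checks in the parser: the MBAP length is compared against the bytes actually received, and each object length is bounded by the PDU. Unsolicited or malformed replies are common on OT networks (gateways answer on behalf of serial devices, some PLCs pad responses), and a scanner that trusts length bytes from the wire is itself a crash target.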

3.2 Device Types

  • PLCs (Programmable Logic Controllers)
  • HMIs (Human Machine Interfaces)
  • RTUs (Remote Terminal Units)
  • SCADA masters
  • Industrial switches/routers
  • Building management systems
  • Industrial IoT devices

4. Installation

4.1 Prerequisites

# Kali Linux / Debian
sudo apt update
sudo apt install python3 python3-venv git

# Clone the repository
git clone https://github.com/claroty/arya
cd arya

4.2 Virtual Environment Setup

# Create the virtual environment
python3 -m venv venv

# Activate the virtual environment
source venv/bin/activate

# Install dependencies
pip3 install -r requirements.txt

# Verify the installation
python3 arya.py --help

4.3 Quick Alias Setup

Add to ~/.bashrc or ~/.zshrc:

alias arya='cd ~/arya && source venv/bin/activate'

5. Basic Commands

5.1 General Syntax

python3 arya.py [OPTIONS] -t TARGET

5.2 Essential Options

Option            Description
-t, --target      Target IP address or CIDR range
-p, --protocols   Specific protocols to scan (comma-separated)
-o, --output      Output file (JSON/CSV/XML)
-v, --verbose     Verbose output
--timeout         Connection timeout in seconds (default: 5)
--threads         Number of concurrent threads

The options in this table and in the examples that follow were taken from internal notes and have not been verified against the upstream repository. Run python3 arya.py --help on the version you installed and treat any option that does not appear there (for example --vulns, --rate-limit, --default-creds, --exploit-check) as unavailable.

6. Practical Examples

6.1 Basic Network Scan

# Scan a single IP address
python3 arya.py -t 192.168.1.100

# Scan a whole subnet
python3 arya.py -t 192.168.1.0/24

# Scan with verbose output
python3 arya.py -t 192.168.1.0/24 -v

6.2 Protocol-Specific Scans

# Scan Modbus devices only
python3 arya.py -t 192.168.1.0/24 -p modbus

# Scan Modbus and S7
python3 arya.py -t 192.168.1.0/24 -p modbus,s7

# Scan all supported protocols
python3 arya.py -t 192.168.1.0/24 -p all

6.3 Advanced Scans

# Scan with an output file
python3 arya.py -t 192.168.1.0/24 -o results.json

# Scan with a custom timeout and thread count
python3 arya.py -t 192.168.1.0/24 --timeout 10 --threads 20

# Extended scan with vulnerability checks
python3 arya.py -t 192.168.1.0/24 --vulns -v -o full_report.json

6.4 Targeted Device Scans

# Scan a specific Siemens PLC
python3 arya.py -t 192.168.1.50 -p s7 --device-info

# Read coils and registers from a Modbus device. Note: this reads live process data,
# which goes beyond device identification; reads are normally harmless but are visible
# to operators and may be logged as a foreign master.
python3 arya.py -t 192.168.1.100 -p modbus --read-coils --read-registers

# BACnet device enumeration (UDP 47808; the scanning host must be able to reach the
# OT segment over UDP, and a Who-Is broadcast only works on the local segment)
python3 arya.py -t 192.168.1.0/24 -p bacnet --enumerate

7. Output Formats

7.1 JSON Output

python3 arya.py -t 192.168.1.0/24 -o scan_results.json

Example JSON structure (illustrative; field names and the element type of "vulnerabilities" should be checked against real output before building tooling on them):

{
  "scan_time": "2025-12-01T14:30:00",
  "target": "192.168.1.0/24",
  "devices": [
    {
      "ip": "192.168.1.100",
      "protocol": "modbus",
      "device_type": "PLC",
      "vendor": "Schneider Electric",
      "model": "M340",
      "firmware": "2.80",
      "vulnerabilities": []
    }
  ]
}

7.2 CSV Output

python3 arya.py -t 192.168.1.0/24 -o scan_results.csv --format csv

8. Security Considerations

Critical warnings

  1. Authorization required
     • Use ONLY with explicit, written permission
     • OT/ICS scans can disrupt production
     • Unauthorized scans are a criminal offence (Belgian Computer Crime Act, see section 15)

  2. Production environments
     • Test in a LAB environment first
     • Some queries can crash devices: older PLCs and serial-to-Ethernet gateways are known to fall over on unexpected requests or high request rates
     • Plan scans during maintenance windows
     • Inform the operations team beforehand and agree on who can stop the scan

  3. Rate limiting
     • Use low thread counts in production
     • Raise timeouts rather than retrying aggressively, so slow devices are not queried twice
     • Monitor device responses during the scan and stop at the first anomaly

Best Practices

# Conservative scan configuration for production
python3 arya.py -t 192.168.1.0/24 \
  --threads 5 \
  --timeout 10 \
  --rate-limit 2 \
  -v

# Lab/test environment (more aggressive)
python3 arya.py -t 192.168.1.0/24 \
  --threads 50 \
  --timeout 3 \
  --vulns

9. Integration with Security Tools

9.1 Combination with Nmap

# First Nmap for port discovery. BACnet is UDP only, so 47808 must be probed with -sU;
# --open keeps the output to live services and --max-rate keeps the probe rate gentle.
nmap -sS -sU -p T:102,502,20000,4840,44818,U:47808 --open --max-rate 50 192.168.1.0/24 -oG nmap_ics.txt

# Then Arya for protocol analysis of the hosts Nmap found
python3 arya.py -t 192.168.1.0/24 -p modbus,s7
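The second step above re-sweeps the whole CIDR, which throws away what Nmap just learned. The following added example (written for these notes, not code from the Arya or Nmap projects) parses the grepable Nmap output into a per-host list of ICS protocols and emits one conservative Arya command per live host. The sample Nmap output is constructed; the keywords modbus, s7 and bacnet are the ones used on this page, while enip, dnp3 and opcua are assumed names that must be checked against `python3 arya.py --help`.

```python
import ipaddress
import re
from collections import defaultdict

# (port, transport) -> protocol keyword for Arya's -p option. "modbus", "s7" and "bacnet"
# are the keywords used on this page; "enip", "dnp3" and "opcua" are assumed names.
ICS_PORTS = {
    (502, "tcp"): "modbus",
    (102, "tcp"): "s7",
    (44818, "tcp"): "enip",
    (2222, "udp"): "enip",
    (47808, "udp"): "bacnet",
    (20000, "tcp"): "dnp3",
    (4840, "tcp"): "opcua",
}

HOST_RE = re.compile(r"^Host:\s+(\S+)")

# Constructed sample of `nmap -oG` output (not a real scan). Each host produces a
# "Status" line and, if any probed port reported, a "Ports" line whose entries are
# port/state/protocol/owner/service/rpc-info/version/.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Dec  1 14:30:00 2025 as: nmap -sS -sU -p T:102,502,44818,U:47808 -oG nmap_ics.txt 192.168.1.0/24
Host: 192.168.1.50 ()\tStatus: Up
Host: 192.168.1.50 ()\tPorts: 102/open/tcp//iso-tsap///, 502/filtered/tcp//mbap///\tIgnored State: closed (2)
Host: 192.168.1.100 ()\tStatus: Up
Host: 192.168.1.100 ()\tPorts: 502/open/tcp//mbap///, 44818/open/tcp//EtherNet-IP-2///
Host: 192.168.1.200 ()\tStatus: Up
Host: 192.168.1.200 ()\tPorts: 47808/open|filtered/udp//bacnet///
Host: 192.168.1.250 ()\tStatus: Up
# Nmap done at Mon Dec  1 14:32:10 2025 -- 256 IP addresses (4 hosts up) scanned in 130.00 seconds
"""


def ics_targets(grepable_text):
    """Return {ip: [protocol keywords]} for hosts with an open ICS port.
    UDP ports reported as open|filtered are kept: an unanswered UDP probe is the
    normal case for BACnet devices that only answer well-formed requests."""
    targets = defaultdict(set)
    for line in grepable_text.splitlines():
        match = HOST_RE.match(line)
        if not match or "Ports:" not in line:
            continue
        ip = match.group(1)
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            port, state, transport = int(fields[0]), fields[1], fields[2]
            if state != "open" and not (transport == "udp" and state == "open|filtered"):
                continue
            keyword = ICS_PORTS.get((port, transport))
            if keyword:
                targets[ip].add(keyword)
    ordered = sorted(targets.items(), key=lambda item: ipaddress.ip_address(item[0]))
    return {ip: sorted(keywords) for ip, keywords in ordered}


def arya_commands(targets, extra_args="--threads 5 --timeout 10"):
    """One conservative Arya invocation per live host, limited to the protocols
    Nmap actually saw, instead of re-sweeping the whole CIDR with every module."""
    return [f"python3 arya.py -t {ip} -p {','.join(keywords)} {extra_args}"
            for ip, keywords in targets.items()]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GREPABLE
    for command in arya_commands(ics_targets(text)):
        print(command)
```

Run it as python3 ics_targets.py nmap_ics.txt and review the generated commands before executing them; the point of the prefilter is that every Arya request then goes to a host that has already shown the relevant service, which is what an operations team will ask for when you negotiate the scan window.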

9.2 Metasploit Integration

# Export Arya results
python3 arya.py -t 192.168.1.0/24 -o targets.json

# Metasploit's file: syntax expects one host per line, not JSON: extract the Modbus hosts
jq -r '.devices[] | select(.protocol == "modbus") | .ip' targets.json > targets.txt

# Import into Metasploit
msfconsole
msf6 > use auxiliary/scanner/scada/modbusdetect
msf6 > set RHOSTS file:targets.txt
msf6 > run

9.3 SIEM Integration

# Export for log analysis
python3 arya.py -t 192.168.1.0/24 -o /var/log/arya/scan_$(date +%Y%m%d).json

# Scheduled scanning. cron runs /bin/sh, where `source` does not exist, so call the venv
# interpreter directly; % must be escaped in crontab lines. An unattended nightly sweep of a
# whole /16 conflicts with the precautions in section 8: restrict the schedule to the agreed
# window and scope, and keep the thread count low.
0 2 * * * cd ~/arya && ./venv/bin/python3 arya.py -t 10.0.0.0/16 --threads 5 --timeout 10 -o /var/log/arya/daily_scan_$(date +\%Y\%m\%d).json

10. Use Cases per Scenario

10.1 Scenario 1: Initial Asset Discovery

Goal: complete inventory of an unknown OT network

# Step 1: broad network scan (a /16 is 65,536 addresses; use the Nmap prefilter from
# section 9.1 to narrow this to live hosts first, otherwise expect the scan to run for hours)
python3 arya.py -t 10.100.0.0/16 -o initial_discovery.json

# Step 2: analyse the results
jq -r '.devices[] | "\(.ip) \(.protocol) \(.vendor)"' initial_discovery.json

# Step 3: deep scan per protocol
python3 arya.py -t 10.100.10.0/24 -p modbus --device-info -o modbus_details.json
python3 arya.py -t 10.100.20.0/24 -p s7 --device-info -o s7_details.json

10.2 Scenario 2: Security Audit

Goal: vulnerability assessment and compliance check

# Comprehensive security scan
python3 arya.py -t 192.168.1.0/24 \
  --vulns \
  --check-defaults \
  --enumerate-all \
  -o security_audit.json \
  -v

# Check for default credentials. Login attempts against OT devices can lock accounts
# and trip intrusion alarms: agree this explicitly in the rules of engagement.
python3 arya.py -t 192.168.1.0/24 --default-creds -o weak_auth.json

# Firmware version check
python3 arya.py -t 192.168.1.0/24 --firmware-check -o outdated_fw.json

10.3 Scenario 3: Incident Response

Goal: quickly identify compromised devices

# Quick scan of a critical subnet. Speed is traded against stability here; do not exceed
# the thread count the devices tolerated during the baseline scan, and keep operations in the loop.
python3 arya.py -t 10.10.10.0/24 \
  --threads 100 \
  --timeout 2 \
  -o incident_scan.json

# Compare against the baseline. A plain text diff only works if both files list the devices
# in the same order, and scan_time always differs; for anything beyond a first glance, compare
# the device records by IP.
diff baseline.json incident_scan.json > changes.txt
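A structured comparison, added here as an example for these notes (not a feature of Arya), keyed on the IP address and the JSON layout shown in section 7.1: it reports devices that appeared, devices that went missing, changed fields such as firmware or vendor on a fixed address, and findings that are new since the baseline. The two scan documents are constructed; because the page only shows "vulnerabilities": [], the assumption that each finding is a string is mine.

```python
import ipaddress
import json
import sys

# Fields of a device record (section 7.1 layout) that should not change between two
# scans of the same address. A firmware or vendor change on a fixed IP is exactly the
# signal a text diff buries among reordered records.
TRACKED_FIELDS = ("protocol", "device_type", "vendor", "model", "firmware")

# Constructed baseline and incident scans (not real scan output). Each element of
# "vulnerabilities" is assumed to be a string identifying a finding.
BASELINE_JSON = """{
  "scan_time": "2025-11-01T02:00:00",
  "target": "10.10.10.0/24",
  "devices": [
    {"ip": "10.10.10.50", "protocol": "s7", "device_type": "PLC", "vendor": "Siemens",
     "model": "S7-300", "firmware": "3.3", "vulnerabilities": []},
    {"ip": "10.10.10.100", "protocol": "modbus", "device_type": "PLC", "vendor": "Schneider Electric",
     "model": "M340", "firmware": "2.80", "vulnerabilities": []}
  ]
}"""

INCIDENT_JSON = """{
  "scan_time": "2025-12-01T14:30:00",
  "target": "10.10.10.0/24",
  "devices": [
    {"ip": "10.10.10.100", "protocol": "modbus", "device_type": "PLC", "vendor": "Schneider Electric",
     "model": "M340", "firmware": "2.70", "vulnerabilities": ["example-finding-1"]},
    {"ip": "10.10.10.77", "protocol": "modbus", "device_type": "unknown", "vendor": "unknown",
     "model": "unknown", "firmware": "unknown", "vulnerabilities": []}
  ]
}"""


def index_by_ip(scan):
    """Map ip -> device record. A duplicate ip is an error, not something to overwrite silently."""
    index = {}
    for device in scan["devices"]:
        if device["ip"] in index:
            raise ValueError(f"duplicate device record for {device['ip']}")
        index[device["ip"]] = device
    return index


def compare_scans(baseline, current):
    base, cur = index_by_ip(baseline), index_by_ip(current)
    report = {"new": [], "missing": [], "changed": [], "new_findings": []}
    for ip in sorted(set(base) | set(cur), key=ipaddress.ip_address):
        if ip not in base:
            report["new"].append(ip)
        elif ip not in cur:
            report["missing"].append(ip)
        else:
            changes = {f: (base[ip].get(f), cur[ip].get(f))
                       for f in TRACKED_FIELDS if base[ip].get(f) != cur[ip].get(f)}
            if changes:
                report["changed"].append({"ip": ip, "fields": changes})
            added = sorted(set(cur[ip].get("vulnerabilities", []))
                           - set(base[ip].get("vulnerabilities", [])))
            if added:
                report["new_findings"].append({"ip": ip, "findings": added})
    return report


def format_report(report):
    lines = []
    for ip in report["new"]:
        lines.append(f"NEW      {ip}  (not in baseline: rogue device or undocumented asset?)")
    for ip in report["missing"]:
        lines.append(f"MISSING  {ip}  (offline, replaced, or scan blocked?)")
    for change in report["changed"]:
        for field, (old, new) in change["fields"].items():
            lines.append(f"CHANGED  {change['ip']}  {field}: {old!r} -> {new!r}")
    for finding in report["new_findings"]:
        lines.append(f"FINDING  {finding['ip']}  {', '.join(finding['findings'])}")
    return "\n".join(lines) if lines else "no differences against baseline"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            baseline = json.load(f)
        with open(sys.argv[2]) as f:
            current = json.load(f)
    else:
        baseline, current = json.loads(BASELINE_JSON), json.loads(INCIDENT_JSON)
    print(format_report(compare_scans(baseline, current)))
```

Usage: python3 compare_scans.py baseline.json incident_scan.json. A firmware version that goes down rather than up, as in the constructed sample, deserves the same attention during an incident as a new device: it is consistent with a re-flash or a swapped controller.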

10.4 Scenario 4: Penetration Test

Goal: security assessment of an OT environment

# Phase 1: reconnaissance (172.16.0.0/12 is over a million addresses; start from
# host discovery with Nmap and only hand confirmed live ranges to Arya)
python3 arya.py -t 172.16.0.0/12 -o recon.json

# Phase 2: service enumeration
python3 arya.py -t 172.16.10.0/24 -p all --enumerate -o services.json

# Phase 3: vulnerability scanning
python3 arya.py -t 172.16.10.0/24 --vulns --exploit-check -o vulns.json

# Phase 4: targeted exploitation (with Metasploit, see section 9.2)
# Use the discovered information for the exploitation phase; in OT, exploitation
# of a production controller requires separate, explicit approval in the rules of engagement.

11. Troubleshooting

11.1 Common Issues

Issue 1: Connection timeouts

# Raise the timeout (slow PLCs and serial gateways often need well over 5 s)
python3 arya.py -t 192.168.1.100 --timeout 30

# Reduce concurrency
python3 arya.py -t 192.168.1.0/24 --threads 5

Issue 2: No devices found

# Check network connectivity (many OT devices and firewalls drop ICMP, so a failed ping is not conclusive)
ping 192.168.1.100

# Verify that the protocol port is open
nmap -p 502 192.168.1.100

# Try a specific protocol with verbose output
python3 arya.py -t 192.168.1.100 -p modbus -v

Issue 3: Permission denied

# Some protocols need raw sockets, which require root. Call the venv interpreter explicitly:
# `sudo python3` resolves python3 from root's PATH and loses the venv's dependencies.
sudo ./venv/bin/python3 arya.py -t 192.168.1.0/24

# Alternative: grant only CAP_NET_RAW. Do not apply this to the system-wide python3; that hands
# raw sockets to every Python process on the host. setcap also needs a real file, and
# `python3 -m venv` creates a symlink by default, so create the venv with
# `python3 -m venv --copies venv` first and then:
sudo setcap cap_net_raw+ep venv/bin/python3

Issue 4: Import errors

# Reactivate the virtual environment
source venv/bin/activate

# Reinstall dependencies
pip3 install -r requirements.txt --force-reinstall


12. Lab Setup Examples

12.1 Proxmox Lab for OT Testing

VM setup:
  1. Kali Linux (attacker)
  2. OpenPLC (Modbus PLC simulator)
  3. ScadaBR (SCADA system)
  4. Node-RED (ICS gateway)

Network configuration:

VLAN 10: IT network (192.168.10.0/24)
VLAN 20: OT network (192.168.20.0/24)
Firewall: FortiGate between the VLANs

Test scenario:

# From Kali in the IT VLAN, scan the OT VLAN
python3 arya.py -t 192.168.20.0/24 -o ot_discovery.json

# Verify which traffic the firewall blocks or allows (the scan should only succeed for
# the protocols and sources the OT policy explicitly permits)
# Check FortiAnalyzer logging of the scan
# Check FortiNAC device profiling of the simulated PLC and SCADA hosts


13. Reporting

13.1 Generate an Executive Summary

# Scan and generate the report
python3 arya.py -t 192.168.1.0/24 -o full_scan.json

# Parse into a management summary ("critical_devices" here simply means devices with at
# least one finding; weight by process criticality before presenting it as such)
jq '
{
  "total_devices": (.devices | length),
  "by_vendor": (.devices | group_by(.vendor) | map({vendor: .[0].vendor, count: length})),
  "vulnerabilities": (.devices | map(.vulnerabilities) | flatten | length),
  "critical_devices": (.devices | map(select(.vulnerabilities | length > 0)))
}' full_scan.json > executive_summary.json

13.2 Visual Reports

Use tools such as:
  • Grafana: dashboards for continuous monitoring
  • ELK Stack: log aggregation and visualization
  • Splunk: enterprise SIEM integration


14. Cheat Sheet

14.1 Quick Reference

# Basic scan
python3 arya.py -t 192.168.1.0/24

# All protocols
python3 arya.py -t 192.168.1.0/24 -p all

# With vulnerability checks
python3 arya.py -t 192.168.1.0/24 --vulns

# Verbose + output file
python3 arya.py -t 192.168.1.0/24 -v -o results.json

# Fast scan (lab only)
python3 arya.py -t 192.168.1.0/24 --threads 100 --timeout 2

# Conservative production scan
python3 arya.py -t 192.168.1.0/24 --threads 5 --timeout 10 --rate-limit 2

15. Legal and Compliance

15.1 Legislation (Belgium/EU)

  • Computer Crime Act (Wet Informaticacriminaliteit): unauthorized access is a criminal offence
  • GDPR: take care when personal data ends up in logs and scan output
  • IEC 62443: security standards for industrial control systems
  • NIS2 Directive: security requirements for critical infrastructure

15.2 Documentation Requirements

For pentests, document:
  • Scope agreement
  • Authorization letters
  • Rules of engagement
  • Incident response contacts
  • Backup/rollback procedures


16. Resources

16.1 Official Documentation

  • GitHub: https://github.com/claroty/arya
  • Claroty Research (Team82): https://claroty.com/team82

16.2 Related Tools

  • ICS-PCAP: protocol analysis on packet captures
  • PLCscan: PLC enumeration
  • ISF: industrial exploitation framework
  • SCADAshutdowntool: emergency response

16.3 Learning Resources

  • SANS ICS/SCADA Security (ICS515)
  • CISA ICS Security Resources
  • ICS-CERT Advisories

17. Changelog & Updates

Check regularly for updates:

cd ~/arya
git pull origin main
pip3 install -r requirements.txt --upgrade


Key Points

  • Always test in a LAB environment first
  • Use ONLY with permission
  • Document all activities
  • Back up critical systems before scanning
  • Inform the operations teams

For questions or problems: consult the GitHub issues or the Claroty documentation


Fox & Fish Cybersecurity | Internal use