Veeder-Root Automatic Tank Gauge (ATG) Administrative Client - Metasploit
This page contains detailed information about how to use the auxiliary/admin/atg/atg_client Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
Module: auxiliary/admin/atg/atg_client
Source code: modules/auxiliary/admin/atg/atg_client.rb
Disclosure date: -
Last modification time: 2022-01-23 15:28:32 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 10001
List of CVEs: -
This module acts as a simplistic administrative client for interfacing with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking the TLS-250 and TLS-350 protocols. This has been tested against GasPot and Conpot, both honeypots meant to simulate ATGs; it has not been tested against anything else, so use at your own risk.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/admin/atg/atg_client
msf auxiliary(atg_client) > show options
... show and set options ...
msf auxiliary(atg_client) > set RHOSTS ip-range
msf auxiliary(atg_client) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(atg_client) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(atg_client) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(atg_client) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Msfconsole Usage
Here is how the admin/atg/atg_client auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/atg/atg_client
msf6 auxiliary(admin/atg/atg_client) > show info
Name: Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
Module: auxiliary/admin/atg/atg_client
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Jon Hart <jon_hart[at]rapid7.com>
Available actions:
Name           Description
----           -----------
ALARM          I30200 Sensor alarm history (untested)
ALARM_RESET    IS00300 Remote alarm reset (untested)
CLEAR_RESET    IS00200 Clear Reset Flag (untested)
DELIVERY       I20200 Delivery report
INVENTORY      200/I20100 In-tank inventory report
LEAK           I20300 Leak report
RELAY          I40600 Relay status (untested)
RESET          IS00100 Reset (untested)
SENSOR         I30100 Sensor status (untested)
SENSOR_DIAG    IB0100 Sensor diagnostics (untested)
SET_TANK_NAME  S602 set tank name (use TANK_NUMBER and TANK_NAME options)
SHIFT          I20400 Shift report
STATUS         I20500 In-tank status report
SYSTEM_STATUS  I10100 System status report (untested)
TANK_ALARM     I20600 Tank alarm history (untested)
TANK_DIAG      IA0100 Tank diagnostics (untested)
VERSION        Version information
Check supported:
No
Basic options:
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT        10001            yes       The target port (TCP)
TANK_NAME                     no        The tank name to set (use with SET_TANK_NAME, defaults to random)
TANK_NUMBER  1                no        The tank number to operate on (use with SET_TANK_NAME, 0 to change all)
THREADS      1                yes       The number of concurrent threads (max one per host)
Description:
This module acts as a simplistic administrative client for
interfacing with Veeder-Root Automatic Tank Gauges (ATGs) or other
devices speaking the TLS-250 and TLS-350 protocols. This has been
tested against GasPot and Conpot, both honeypots meant to simulate
ATGs; it has not been tested against anything else, so use at your
own risk.
References:
https://blog.rapid7.com/2015/01/22/the-internet-of-gas-station-tank-gauges
http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment
https://github.com/sjhilt/GasPot
https://github.com/mushorg/conpot
http://www.veeder.com/us/automatic-tank-gauge-atg-consoles
http://www.chipkin.com/files/liz/576013-635.pdf
http://www.veeder.com/gold/download.cfm?doc_id=6227
Module Options
This is a complete list of options available in the admin/atg/atg_client auxiliary module:
msf6 auxiliary(admin/atg/atg_client) > show options
Module options (auxiliary/admin/atg/atg_client):
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT        10001            yes       The target port (TCP)
TANK_NAME                     no        The tank name to set (use with SET_TANK_NAME, defaults to random)
TANK_NUMBER  1                no        The tank number to operate on (use with SET_TANK_NAME, 0 to change all)
THREADS      1                yes       The number of concurrent threads (max one per host)
Auxiliary action:
Name       Description
----       -----------
INVENTORY  200/I20100 In-tank inventory report
Advanced Options
Here is a complete list of advanced options supported by the admin/atg/atg_client auxiliary module:
msf6 auxiliary(admin/atg/atg_client) > show advanced
Module advanced options (auxiliary/admin/atg/atg_client):
Name                 Current Setting  Required  Description
----                 ---------------  --------  -----------
CHOST                                 no        The local client address
CPORT                                 no        The local client port
ConnectTimeout       10               yes       Maximum number of seconds to establish a TCP connection
PROTOCOL             TLS-350          yes       The Veeder-Root TLS protocol to speak (Accepted: TLS-350, TLS-250)
Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
ShowProgress         true             yes       Display progress messages during a scan
ShowProgressPercent  10               yes       The interval in percent that progress should be shown
TIMEOUT              5                yes       Time in seconds to wait for responses to our probes
VERBOSE              false            no        Enable detailed status messages
WORKSPACE                             no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/atg/atg_client module can do:
msf6 auxiliary(admin/atg/atg_client) > show actions
Auxiliary actions:
Name           Description
----           -----------
ALARM          I30200 Sensor alarm history (untested)
ALARM_RESET    IS00300 Remote alarm reset (untested)
CLEAR_RESET    IS00200 Clear Reset Flag (untested)
DELIVERY       I20200 Delivery report
INVENTORY      200/I20100 In-tank inventory report
LEAK           I20300 Leak report
RELAY          I40600 Relay status (untested)
RESET          IS00100 Reset (untested)
SENSOR         I30100 Sensor status (untested)
SENSOR_DIAG    IB0100 Sensor diagnostics (untested)
SET_TANK_NAME  S602 set tank name (use TANK_NUMBER and TANK_NAME options)
SHIFT          I20400 Shift report
STATUS         I20500 In-tank status report
SYSTEM_STATUS  I10100 System status report (untested)
TANK_ALARM     I20600 Tank alarm history (untested)
TANK_DIAG      IA0100 Tank diagnostics (untested)
VERSION        Version information
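For defenders monitoring TCP port 10001, the action list above doubles as a list of function codes to watch for, with the reset and tank-name codes being the ones that change device state. The following Ruby code is an added example, not part of the module or the original page; it assumes each command is framed as SOH (0x01) followed by the function code, and its sample stream is constructed.

```ruby
# Added example (not from the Metasploit module): classify ATG function codes
# in client-to-device payloads captured on TCP/10001.
# Codes and descriptions come from the action list on this page.
# Assumption: a command is SOH (0x01) + function code + optional arguments.

STATE_CHANGING = {
  'IS00100' => 'Reset',
  'IS00200' => 'Clear Reset Flag',
  'IS00300' => 'Remote alarm reset',
  'S602'    => 'Set tank name'
}.freeze

REPORT = {
  'I10100' => 'System status report',   'I20100' => 'In-tank inventory report',
  'I20200' => 'Delivery report',        'I20300' => 'Leak report',
  'I20400' => 'Shift report',           'I20500' => 'In-tank status report',
  'I20600' => 'Tank alarm history',     'I30100' => 'Sensor status',
  'I30200' => 'Sensor alarm history',   'I40600' => 'Relay status',
  'IA0100' => 'Tank diagnostics',       'IB0100' => 'Sensor diagnostics',
  '200'    => 'In-tank inventory report (TLS-250)'
}.freeze

# Map one command string (SOH already stripped) to a table entry by prefix.
def classify_code(cmd)
  { state_changing: STATE_CHANGING, report: REPORT }.each do |kind, table|
    table.each do |code, desc|
      next unless cmd.start_with?(code)
      return { code: code, kind: kind, desc: desc, arg: cmd[code.length..] }
    end
  end
  { code: cmd, kind: :unknown, desc: 'not in the action table', arg: '' }
end

# Extract every SOH-prefixed command from a reassembled byte stream.
def classify_payload(payload)
  payload.b.scan(/\x01([0-9A-Za-z]+)/n).flatten.map { |cmd| classify_code(cmd) }
end

# Anything that is not a plain report request deserves an alert.
def alerts(payload)
  classify_payload(payload).reject { |c| c[:kind] == :report }
end

# Constructed sample stream: an inventory poll, a tank rename, a reset.
SAMPLE = "\x01I20100\n\x01S60201UNLEADED\n\x01IS00100\n".b

if __FILE__ == $PROGRAM_NAME
  alerts(SAMPLE).each { |a| puts "ALERT #{a[:kind]} #{a[:code]} (#{a[:desc]}) arg=#{a[:arg].inspect}" }
end
```

Unknown codes are alerted on as well, since a code outside the list is at least as unusual on this port as a reset.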
Evasion Options
Here is the full list of possible evasion options supported by the admin/atg/atg_client auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/atg/atg_client) > show evasion
Module evasion options:
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
TCP::max_send_size  0                no        Maxiumum tcp segment size. (0 = disable)
TCP::send_delay     0                no        Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
The code snippets below, taken from the module source code, show the possible cause of each message and can often help in identifying the root cause of the problem.
<ACTION.NAME> not defined for <PROTOCOL>
Here is a relevant code snippet related to the "<ACTION.NAME> not defined for <PROTOCOL>" error message:
  end

  def setup
    # ensure that the specified command is implemented for the desired version of the TLS protocol
    unless action.opts.keys.include?(protocol_opt_name)
      fail_with(Failure::BadConfig, "#{action.name} not defined for #{protocol}")
    end

    # ensure that the tank number is set for the commands that need it
    if action.name == 'SET_TANK_NAME' && (tank_number < 0 || tank_number > 99)
      fail_with(Failure::BadConfig, "TANK_NUMBER #{tank_number} is invalid")
TANK_NUMBER <TANK_NUMBER> is invalid
Here is a relevant code snippet related to the "TANK_NUMBER <TANK_NUMBER> is invalid" error message:
      fail_with(Failure::BadConfig, "#{action.name} not defined for #{protocol}")
    end

    # ensure that the tank number is set for the commands that need it
    if action.name == 'SET_TANK_NAME' && (tank_number < 0 || tank_number > 99)
      fail_with(Failure::BadConfig, "TANK_NUMBER #{tank_number} is invalid")
    end

    unless timeout > 0
      fail_with(Failure::BadConfig, "Invalid timeout #{timeout} -- must be > 0")
    end
Invalid timeout <TIMEOUT> -- must be > 0
Here is a relevant code snippet related to the "Invalid timeout <TIMEOUT> -- must be > 0" error message:
    if action.name == 'SET_TANK_NAME' && (tank_number < 0 || tank_number > 99)
      fail_with(Failure::BadConfig, "TANK_NUMBER #{tank_number} is invalid")
    end

    unless timeout > 0
      fail_with(Failure::BadConfig, "Invalid timeout #{timeout} -- must be > 0")
    end
  end

  def get_response(request)
    sock.put(request)
Related Pull Requests
- #12949 Merged Pull Request: This fixes broken links to the community.rapid7.com blog
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7530 Merged Pull Request: Improve atg_client to detected unsupported commands
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #6526 Merged Pull Request: Peers for the peer god
References
- CVE: Not available
- https://blog.rapid7.com/2015/01/22/the-internet-of-gas-station-tank-gauges
- http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment
- https://github.com/sjhilt/GasPot
- https://github.com/mushorg/conpot
- http://www.veeder.com/us/automatic-tank-gauge-atg-consoles
- http://www.chipkin.com/files/liz/576013-635.pdf
- http://www.veeder.com/gold/download.cfm?doc_id=6227
See Also
Check also the following modules related to this module:
- auxiliary/admin/scada/yokogawa_bkbcopyd_client
- auxiliary/client/hwbridge/connect
- auxiliary/client/iec104/iec104
- auxiliary/client/mms/send_mms
- auxiliary/client/sms/send_text
- auxiliary/client/smtp/emailer
- auxiliary/client/telegram/send_message
- auxiliary/dos/dhcp/isc_dhcpd_clientid
- auxiliary/fuzzers/ftp/client_ftp
- auxiliary/scanner/http/cisco_asa_clientless_vpn
- auxiliary/server/openssl_heartbeat_client_memory
- exploit/multi/http/git_client_command_exec
- exploit/unix/dhcp/rhel_dhcp_client_command_injection
- exploit/windows/fileformat/bpftp_client_bps_bof
- exploit/windows/ftp/trellian_client_pasv
- exploit/windows/ftp/xftp_client_pwd
- exploit/windows/ftp/xlink_client
- exploit/windows/local/ms15_051_client_copy_image
- exploit/windows/local/novell_client_nicm
- exploit/windows/local/novell_client_nwfs
- exploit/windows/novell/groupwisemessenger_client
- exploit/windows/oracle/client_system_analyzer_upload
- exploit/windows/smtp/sysgauge_client_bof
- exploit/windows/vnc/realvnc_client
- exploit/windows/vnc/ultravnc_client
- post/multi/gather/filezilla_client_cred
- post/windows/gather/credentials/wsftp_client
- auxiliary/scanner/scada/modbusclient
- auxiliary/scanner/scada/pcomclient
- auxiliary/server/dhclient_bash_env
- exploit/windows/browser/wellintech_kingscada_kxclientdownload
- exploit/windows/http/mdaemon_worldclient_form2raw
- exploit/windows/local/gog_galaxyclientservice_privesc
- exploit/windows/local/srclient_dll_hijacking
Authors
- Jon Hart <jon_hart[at]rapid7.com>
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.