Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security mechanisms, software architecture
Transcript of "Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security mechanisms, software architecture"

  1. All pictures are taken from the Dr. Strangelove movie. By Gleb Gritsai (as Alexander Timorin) and Alexander Tlyapov.
  2. A group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity Of Essence: Sergey Gordeychik, Roman Ilin, Artem Chaykin, Dmitry Efanov, Andrey Medov, Alexander Zaitsev, Dmitry Sklyarov, Roman Ilin, Kirill Nesterov, Gleb Gritsai, Ilya Karpov, Yuriy Dyachenko, Yuri Goltsev, Sergey Scherbel, Dmitry Serebryannikov, Alexander Timorin, Alexander Tlyapov, Denis Baranov, Sergey Bobrov, Sergey Drozdov, Vladimir Kochetkov, Timur Yunusov, Dmitry Nagibin, Vyacheslav Egoshin, Evgeny Ermakov.
  3. Gleb Gritsai: penetration tester @ptsecurity, ICS researcher and expert, member of @scadasl. Alexander Tlyapov: reverse engineer @ptsecurity, ICS researcher, member of @scadasl.
  4. ICS 101. Industrial protocols (Gleb Gritsai): this 101 is useless; functions and weaknesses of protocols; a penetration tester's view. WinCC architecture (Alexander Tlyapov): internal protocols; the authorization process; and how not to pay attention and get to the serious stuff.
  5. HMI: Human Machine Interface. PLC: Programmable Logic Controller. RTU: Remote Telemetry Unit. Also IED, SCADA, DSC, sensor, actuator, …
  6. Moved from serial to Ethernet, sometimes to radio (GSM, ZigBee, WiFi, etc). Actually the five senses of ICS: controlling physical processes and delivering feedback. Available starting from OSI/ISO layer 3. Industry and application specific: delivering real-time data from a sensor, or configuring network settings of a PLC, or reflashing an RTU. Operating in one subnet or providing remote telemetry and supervisory control. Developed without security in mind (and in coders). "Times they are a changin'", but slowly.
  7. Manufacturing Message Specification (MMS): a protocol, but more a specification for messaging. Originally developed in 1980. "Heavy": compare a MODBUS packet: [gw_unit; function; register; value]. Applications: IED, PLC, SCADA, RTU. Vendors: GE, Siemens, Schneider, Daimler, ABB.
  8. Domains: named memory regions for managing data/code blobs, an abstraction for devices. Program invocations. Journals. Files (yes, files). Named variables and lists (groups of vars). Events: state machines for alarms and events, operator's station (HMI). Semaphores: init semaphores, concurrent access.
  9. IEC 62351-4 is security for IEC 61850-8-1; IEC 61850-8-1 is MMS. Application level: ACSE AARQ and AARE PDUs. Transport level: TLS (62351-3). Access Control Lists. The original port 102 moves to 3782 if secured.
  10. Application security is in the ACSE layer (i.e. Association Control Service Element), which is rarely implemented. No password requirements are defined for software: welcome to the "123". Application security is a plain password. Bruteforce: just try to keep the port alive, as no locking exists. Interception: simple ARP spoofing is still a kill switch for ICS networks (do this in labs or disconnected SCADAs if you care).
  11. Access must be defined for every object (according to the standard). Kind of: read, write, delete. Optional. TLS, srsly? No options to set it up seen in products. Not supported (not even with stubs in code).
  12. Discovery & fingerprint. Port 102 is also S7 and … COTP (Connection Oriented Transport Protocol) & TPKT (Transport packet). "Identify" request for vendor, model and version. Enumeration of objects: enumerate everything (domains, variables, files, etc). The good thing is named variables (no need for a db with tags/registers/etc description) for understanding the logic. Domains: IEDInverter, IEDBattery, IEDPhysical_Measurements. Variables for IEDBattery: ZBAT1$MX$Vol, ZBAT1$MX$Amp, ZBAT1$ST$Health. Better than WriteCoil(coil=X, value=Y).
  13. Open source libs: easy to extract the API for better code coverage while fuzzing PLCs, IEDs, RTUs, … Ain't it fun fuzzing embedded devices. Lots of open source libs, single-DLL APIs and simulators: libiec61850 is C and free (http://libiec61850.com); openmuc is Java and free (http://openmuc.org/); Smartgridware and others are non-free, but have a trial (http://www.smartgridware.com/, http://nettedautomation.com/iec61850li/dll/index.html).
  14. IEC 104 is actually IEC 60870-5-104. Master, Slave, Master-Slave. No security mechanisms in the standard or in implementations (except the IP addresses of Masters defined on Slaves). Extensible, and vice versa, by design. Vendors publish checklists with supported functions. Mainly for gathering telemetry in electricity distribution and power system automation. Interrogations. Can feature control functions: write, command, execute.
  15. Discovery: TCP port 2404; application-level ASDU broadcast address. As soon as an RTU receives a broadcast to enumerate IEC 104 endpoints, it sends a broadcast itself; if there is an RTU nearby you'll get an infinite broadcast. The BCR (Binary Counter Reading) hack with a frozen binary counter can mitigate this. Do it at home unless … don't do it.
  16. Reading data and writing data are done by interrogations, which provide the set of controlled data. Inspect the vendor document on supported protocol features. Simulators, libraries and fingerprint tool: https://github.com/atimorin/PoC2013/blob/master/iec-60870-5-104/iec-60870-5-104.py, https://code.google.com/p/mrts-ng/, https://code.google.com/p/sim104/.
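The APCI/ASDU framing that slides 14 to 16 rely on, shown as an added Python example that is not part of the slide deck or of the authors' fingerprint tool. It builds an I-format frame carrying a general interrogation (C_IC_NA_1) and parses frames back, and then applies the kind of check a network monitor on port 2404 would want: flagging an ASDU sent to the broadcast common address 0xFFFF, which is what triggers the broadcast storm described on slide 15. Field layouts follow the standard; the sample frames are constructed here, and the `findings` checks are this example's own defender-side rules.

```python
import struct

START_BYTE = 0x68
C_IC_NA_1 = 100         # interrogation command (type identification)
QOI_STATION = 20        # qualifier of interrogation: station (general) interrogation
COT_ACTIVATION = 6      # cause of transmission: activation
BROADCAST_CA = 0xFFFF   # ASDU common address reserved for broadcast


def build_interrogation_asdu(common_address, originator=0):
    """C_IC_NA_1 ASDU: type id, VSQ (one object, no sequence), COT + originator address,
    common address (16-bit LE), information object address 0 (3 bytes), QOI."""
    head = struct.pack('<BBBBH', C_IC_NA_1, 0x01, COT_ACTIVATION, originator, common_address)
    return head + b'\x00\x00\x00' + bytes([QOI_STATION])


def build_i_frame(send_seq, recv_seq, asdu):
    """Wrap an ASDU in an APCI I-format frame; the 15-bit sequence numbers sit shifted left by one."""
    ctrl = struct.pack('<HH', (send_seq << 1) & 0xFFFE, (recv_seq << 1) & 0xFFFE)
    return bytes([START_BYTE, len(ctrl) + len(asdu)]) + ctrl + asdu


def parse_apdu(frame):
    """Parse one APDU: APCI format (I/S/U) and, for I-frames, the ASDU header fields."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError('not an IEC 104 APCI frame')
    apdu_len = frame[1]
    if apdu_len < 4 or apdu_len + 2 != len(frame):
        raise ValueError('APDU length field does not match frame size')
    c1, c2, c3, c4 = frame[2:6]
    if c1 & 0x01 == 0:
        fmt = 'I'
    elif c1 & 0x03 == 0x01:
        fmt = 'S'
    else:
        fmt = 'U'
    info = {'format': fmt}
    if fmt == 'I':
        info['send_seq'] = ((c2 << 8) | c1) >> 1
        info['recv_seq'] = ((c4 << 8) | c3) >> 1
        asdu = frame[6:]
        if len(asdu) < 6:
            raise ValueError('truncated ASDU header')
        type_id, vsq, cot, originator, ca = struct.unpack_from('<BBBBH', asdu)
        info.update(type_id=type_id, sq=bool(vsq & 0x80), num_objects=vsq & 0x7F,
                    cot=cot & 0x3F, negative=bool(cot & 0x40), test=bool(cot & 0x80),
                    originator=originator, common_address=ca)
    return info


def findings(frame):
    """Defender-side checks over one frame: the events a monitor on port 2404 would log."""
    info = parse_apdu(frame)
    notes = []
    if info['format'] == 'I' and info['common_address'] == BROADCAST_CA:
        notes.append('ASDU addressed to the broadcast common address 0xFFFF')
    if info['format'] == 'I' and info['type_id'] == C_IC_NA_1 and info['cot'] == COT_ACTIVATION:
        notes.append('general interrogation (C_IC_NA_1) activation')
    return notes


if __name__ == '__main__':
    # Constructed sample: a general interrogation sent to the broadcast address.
    sample = build_i_frame(0, 0, build_interrogation_asdu(BROADCAST_CA))
    print(sample.hex())
    print(parse_apdu(sample))
    print(findings(sample))
```

Because IEC 104 carries no authentication, the monitor cannot tell a legitimate master from anything else by the frame alone; the checks above only make the broadcast interrogation visible so that the IP allow-list on the slave (the one mechanism slide 14 mentions) can be correlated with who actually sent it.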
  17. [Diagram] IEC 104 travels over a dedicated network: Remote Control connected over IEC 104 to Power plant 1, Power plant 2, … Power Plant N.
  18. [Diagram] IEC 104 flows through the RTU to the SCADA Server; the SCADA Server reads/writes data as requested. Power plant 1: FW (IEC 104 port opened) → RTU → FW (IEC 104 port opened) → SCADA Server → "Open/Close the Door" → PLC.
  19. [Diagram] Remote Control, over IEC 104, SMB, HTTP, etc, into corp.company.loc and on to Power plant 1, Power plant 2, … Power Plant N (office.pp1.company.loc, office.pp2.company.loc, office.ppN.company.loc).
  20. [Diagram] Now this does look like a typical pentest: corp.company.loc exposed to the Internets (e-mail, Sharepoint, remote applications, web sites), then Remote Control over IEC 104, SMB, HTTP, etc to Power plant 1, Power plant 2, … Power Plant N (office.pp1.company.loc, office.pp2.company.loc, office.ppN.company.loc).
  21. [Diagram] Now this does look like one of the pentest attack vectors: the same path as the previous slide, from the Internets through corp.company.loc and Remote Control (IEC 104, SMB, HTTP, etc) to the power plants' office.pp1.company.loc, office.pp2.company.loc, office.ppN.company.loc.
  22. WinCC architecture (Alexander Tlyapov): internal protocols; the authorization process; and how not to pay attention and get to the serious stuff.
  23. [Diagram] WinCC Web-Client over the Internet, corp LAN, VPNs → WinCC DataMonitor → some networks → WinCC SCADA-Clients on the LAN → WinCC Web-Client, WinCC SCADA-Client + Web-Server, WinCC Servers, WinCC DataMonitor, Engineering station (TIA Portal / PCS7) → PROFINET / PROFIBUS → PLC1, PLC2, PLC3.
  24. [Diagram] Components: ActiveX components for communication and rendering of the HMI. Another component of WinCC, for example forwarding commands to the PLC via the S7 protocol. IIS extension SCSWebBridgex.dll: manages the SCS connection and converts data to PAL. CCEServer.exe (yep-yep, again): the WinCC core, manages the requests of components. WebNavigatorRT.exe: renders the HMI and transmits commands.
  25. The POST requests from the client contain the binary data of the SCS protocol. Basic authorization. Authorization is "two-stage" (we'll cover this later). For the real identification of the client a specially "generated" ID is used.
  26. SQL query to the database (using COM objects). Verification of a "special" Windows user. The "hardcode", etc. For successful authentication any path will do.
  27. Authentication of the user in the database through the COM object on the server. Getting the ServerID and the "magic" activity for the password to WebBridge. Using the received "magic" password to work with SCSWebBridgeX.
  28. Oh! En/c(r)ypt[10]n! ServerID = Base64(RC2(pass, key)), where key = MD5(dll hardcode).
  29. And forget that before we entered another password... Not my department password!
  30. SQL injection in Basic authorization. It is too hard for me.
  31. Passwords in the database are not plaintext… CVE-2013-0676
  32. But it's just XOR with a very secret string. CVE-2013-0678
  33. This is my encryptionkey.
  34. So, we have another way to get the ServerID and later access SCSWebBridgex.dll.
  35. Still not quite ...
  36. "Magic" password = MD5(WNUSR_DC92D7179E29.WinPassword). Stored in the registry and encrypted with DPAPI. But with no luck: a wrong flag allows any user (including Guest) on this host to get the password for the special Siemens user. BTW, this user is a local admin. Password generation features a very good charset, but chars are used uniquely and the length is 12 to 14 chars, which is not making cracking the MD5 any harder.
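Why the storage described on slides 31 to 33 (XOR with a fixed string) and slide 36 (an unsalted MD5 of the password) is not protection, and what the hardened form looks like, as an added Python example; it is not the authors' XOR decryption tool and not WinCC code. The XOR key, plaintext and iteration count here are constructed for the example. The first two functions show that a single known password and its stored form hand back the key bytes, so every other stored password is readable; the hardened form uses a salted, iterated PBKDF2-HMAC-SHA256 hash and constant-time comparison, which stores nothing reversible and cannot be checked by a fast unsalted lookup.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def xor_with_string(data: bytes, key: bytes) -> bytes:
    """The slide-32 scheme: 'encrypt' by XOR with a fixed, repeating key. Decryption is the same call."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_from_known_pair(plaintext: bytes, ciphertext: bytes) -> bytes:
    """One known (password, stored form) pair reveals the key bytes for every other record."""
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


# Hardened form: salted, iterated hash. Verification recomputes the hash, so nothing reversible is stored
# and no precomputed table over a charset helps (the slide-36 complaint about MD5 does not apply here).
PBKDF2_ITERATIONS = 200_000   # constructed value for this example; tune to the deployment's CPU budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user is the default."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check does not leak how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == '__main__':
    key = b'constructed-very-secret-string'
    stored = xor_with_string(b'operator1', key)
    print('xor stored form:', stored.hex())
    print('key recovered from one known pair:', keystream_from_known_pair(b'operator1', stored))
    salt, digest = hash_password('operator1')
    print('pbkdf2 verify:', verify_password('operator1', salt, digest), verify_password('operator2', salt, digest))
```

The salt is the part that matters for the slide-36 point: with a per-user salt, a dictionary over "12 to 14 unique characters from a good charset" has to be rerun per account at the full iteration cost, instead of once against a bare MD5.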
  37. All further communications are authorized with this password. For dispatching requests a special ID is used that is generated ... in some weird and funny way.
  38. Packet layout:
        Offset  Description     Size
        0       AlwaysNULL      4
        4       dwCode          4
        8       Unknown         4
        12      DataLen         4
        16      ID              4
        20      DataChunkNum    4
        24      CRC             4
        28      ChunkLen        4
        32      DataChunkStart  …
  39. The transmitted ID represents an index and identifier in the pool of objects which is responsible for storing the data and dispatching requests:
        Offset  Description  Size
        0       PoolID       2
        2       PoolIndex    2
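A parser and builder for the SCS packet header laid out on slides 38 and 39, as an added Python example that is not part of the deck and not WinCC or Siemens code. It takes the field offsets and sizes from the two tables and nothing else; little-endian byte order is an assumption (x86 Windows), the PoolID/PoolIndex split of the 4-byte ID follows slide 39, and the CRC is carried but not verified because the slides do not say which algorithm is used. The length checks are the ones a proxy or IDS in front of SCSWebBridgex.dll would want: DataChunkNum, ChunkLen and DataLen have to agree with the bytes actually present, or a dispatcher that trusts them reads past the buffer.

```python
import struct
from dataclasses import dataclass

HEADER = struct.Struct('<IIIIIIII')   # eight 32-bit fields = 32 bytes; little-endian assumed
HEADER_SIZE = HEADER.size             # DataChunkStart is at offset 32 (slide 38)


@dataclass
class ScsHeader:
    dw_code: int
    unknown: int
    data_len: int
    pool_id: int      # low 16 bits of the ID field = packet bytes 16..17 (slide 39, offset 0)
    pool_index: int   # high 16 bits of the ID field = packet bytes 18..19 (slide 39, offset 2)
    chunk_num: int
    crc: int          # carried as-is: the CRC algorithm is not given on the slides
    chunk_len: int
    chunk: bytes


def parse_scs_packet(packet: bytes) -> ScsHeader:
    """Parse one SCS packet; every length field is checked against the bytes really present."""
    if len(packet) < HEADER_SIZE:
        raise ValueError('packet shorter than the 32-byte SCS header')
    always_null, dw_code, unknown, data_len, obj_id, chunk_num, crc, chunk_len = HEADER.unpack_from(packet)
    if always_null != 0:
        raise ValueError('AlwaysNULL field is not zero')
    if chunk_len > data_len:
        raise ValueError('ChunkLen exceeds DataLen')
    chunk = packet[HEADER_SIZE:HEADER_SIZE + chunk_len]
    if len(chunk) != chunk_len:
        raise ValueError('ChunkLen runs past the end of the packet')
    return ScsHeader(dw_code, unknown, data_len, obj_id & 0xFFFF, obj_id >> 16,
                     chunk_num, crc, chunk_len, chunk)


def build_scs_packet(dw_code: int, pool_id: int, pool_index: int, chunk: bytes,
                     data_len: int = None, chunk_num: int = 0, crc: int = 0, unknown: int = 0) -> bytes:
    """Serialize a header plus one data chunk (DataLen defaults to the chunk size for a single-chunk message)."""
    data_len = len(chunk) if data_len is None else data_len
    obj_id = ((pool_index & 0xFFFF) << 16) | (pool_id & 0xFFFF)
    return HEADER.pack(0, dw_code, unknown, data_len, obj_id, chunk_num, crc, len(chunk)) + chunk


if __name__ == '__main__':
    # Constructed sample packet: dwCode 0x11, PoolID 3, PoolIndex 7, one 5-byte chunk.
    sample = build_scs_packet(0x11, pool_id=3, pool_index=7, chunk=b'hello')
    print(sample.hex())
    print(parse_scs_packet(sample))
```

Because the pool ID and index are what the server uses to pick an object out of its pool (slide 39), a front-end check would also want to pin them to the values handed out for the current session rather than accept any pair a client sends; that is the session-hijacking angle the summary slide lists.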
  40. [Diagram] HMI, other components, PLC communication and the license server all talk to CCEServer. To start communication, components must call CAL_StartListen in the CCEServer service. This function passes all the necessary information about the component, such as:
      • the component's GUID
      • its PID
      • required callbacks
      • etc.
  41. During initial communications an SCS packet is transmitted with a GUID describing the target component.
  42. According to the received identifier, the component's object is looked up. Further communication occurs in the context of an established connection, through a protocol called CAL. The mechanism of data transmission in the CAL protocol is based on global MappedSections.
  43. For sending data:
        Section    = ("GlobalSCS%08X%04X%04X%04XSAM", PID, SomeW, MapKey, Null);
        ReadyEvent = ("GlobalSCS%08X%04X%04X%04XSAN", PID, SomeW, MapKey, Null);
        SendEvent  = ("GlobalSCS%08X%04X%04X%04XSAF", PID, SomeW, MapKey, Null);
      For receiving data:
        Section      = ("GlobalSCS%08X%04X%04X%04XASM", PID, SomeW, MapKey, Null);
        ReadyEvent   = ("GlobalSCS%08X%04X%04X%04XASN", PID, SomeW, MapKey, Null);
        ReceiveEvent = ("GlobalSCS%08X%04X%04X%04XASF", PID, SomeW, MapKey, Null);
  44. Summary: SQLi for retrieving HMI user passwords from the db, and an XOR decryption tool. Hardcoded credentials for retrieving the ServerID. Crack the ServerID for the Siemens Windows user. Use the ServerID for communication with WebBridge. Session hijacking for privilege escalation on the HMI. Exploiting the architecture weakness to use arbitrary components of WinCC (like PLC comms).
  45. Contact despair: Gleb Gritsai, ggritsai@ptsecurity.com, @repdet. Alexander Tlyapov, atlyapov@ptsecurity.com, @Rigros1.