Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security mechanisms, software architecture


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security mechanisms, software architecture

  1. 1. All pictures are taken from Dr StrangeLove movie by Gleb Gritsai (as Alexander Timorin) and Alexander Tlyapov
  2. 2.  Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Sergey Gordeychik Roman Ilin Artem Chaykin Dmitry Efanov Andrey Medov Alexander Zaitsev Dmitry Sklyarov Roman Ilin Kirill Nesterov Gleb Gritsai Ilya Karpov Yuriy Dyachenko Yuri Goltsev Sergey Scherbel Dmitry Serebryannikov Alexander Timorin Alexander Tlyapov Denis Baranov Sergey Bobrov Sergey Drozdov Vladimir Kochetkov Timur Yunusov Dmitry Nagibin Vyacheslav Egoshin Evgeny Ermakov
  3. 3.  Gleb Gritsai Penetration tester @ptsecurity  ICS researcher and expert  Member of @scadasl   Alexander Tlyapov    Reverse engineer @ptsecurity ICS researcher Member of @scadasl
  4. 4.  ICS 101   Industrial protocols (Gleb Gritsai)    This 101 is useless Functions and weakness of protocols Penetration tester’s view WinCC architecture (Alexander Tlyapov)    Internal protocols Authorization process And how no to pay attention and get to serious stuff
  5. 5.  HMI   PLC   Programmable Logic Controller RTU   Human Machine Interface Remote Telemetry Unit IED, SCADA, DSC, Sensor, Actuator, …
  6. 6.  Movinged from Serial to Ethernet   Actually five senses of ICS by     Sometimes to Radio (GSM, ZigBee, WiFi, etc) Controlling physical processes Delivering feedback Available starting from OSI/ISO layer 3 Industry and application specific Delivering real time data from sensor or configuring network settings of PLC or reflashing RTU  Operating in one subnet or providing remote telemetry and supervisory   Developed without security in mind and in coders  “Times they are a changin‘”, but slowly
  7. 7.  Manufacturing Message Specification  A protocol, but more a specification for messaging   Originally developed at 1980 “Heavy”  See MODBUS packet: [gw_unit; function; register; value]  Applications  IED, PLC, SCADA, RTU  Vendors  GE, Siemens, Schneider, Daimler, ABB
  8. 8.  Domains  Named memory regions for managing data/code blobs  Abstraction for devices      Program invocations Journals Files (Yes, files) Named variables and lists (groups of vars) Events  State machines for alarms and events   Operators station (HMI) Init semaphores  Concurrent access
  9. 9.  IEC 62351-4 is security for IEC 61850-8-1  IEC 61850-8-1 is MMS  Application level  ACSE AARQ and AARE PDUs    Transport level – TLS (62351-3) Access Control Lists Original port 102 to 3782 if secured
  10. 10.   Application security is in ACSE layer (i.e. Association Control Service Element) which is rarely implemented No password requirements defined for software   Welcome to the “123” Application security is plain password  Bruteforce  Just try to keep port alive as no locking exist  Interception  Simple ARP spoofing is still a kill switch for ICS networks (do this in labs or disconnected SCADAs if you care)
  11. 11.  Access must be defined to every object (according to standard)    Kind of: read, write, delete Optional TLS, srsly?   No options to set it up seen in products Not supported (not even with stubs in code)
  12. 12.  Discovery & Fingerprint  Port 102 is also S7 and … - COTP (Connection Oriented Transport Protocol) & TPKT (Transport packet)  “Identify” request for Vendor, Model and Version  Enumeration of objects  Enumerate everything: Domains, Variables, Files, etc  Good thing – named variables (no need for db with tags/registers/etc description) for understanding logic  Domains: IEDInverter, IEDBattery, IEDPhysical_Measurements  Variables for IEDBattery: ZBAT1$MX$Vol, ZBAT1$MX$Amp, ZBAT1$ST$Health  Better than WriteCoil(coil=X, value=Y)
  13. 13.  Open source libs - easy to extract API for better code coverage while fuzzing PLCs, IEDs, RTUs, …   Ain’t it fun fuzzing embedded devices Lot’s of open source libs, single DLL APIs and simulators  libiec61850 is C and free   openmuc is java and free   Smartgridware and others non free, but trial  
  14. 14.    Is actually IEC 61870-5-104 Master, Slave, Master-Slave No security mechanisms in standard and in implementations   Extensible and vice versa by design   Vendors publish checklists with supported functions Mainly for gathering telemetry in electricity distribution and power system automation   Except the IP addresses of Masters defined on Slaves interrogations Can feature control functions  write, command, execute
  15. 15.  Discovery TCP port 2404  Application level ASDU broadcast address   As soon as RTU receives broadcast to enumerate IEC 104 endpoints it sends broadcast itself  If there is an RTU nearby you’ll get infinite broadcast  BCR (Binary Counter Reading) hack with frozen binary counter can mitigate this  Do it at home unless … don’t do it
  16. 16.  Reading data   Writing data   Done by interrogations which provides set of controlled data Inspect vendor document on supported protocol features Simulators, libraries and fingerprint tool  ec-60870-5-104/  
  17. 17. IEC 104 travels over dedicated network Remote Control IEC 104  Power plant 1 Power plant 2 Power Plant N
  18. 18.   IEC 104 flows through RTU to SCADA Server SCADA Server reads/writes data as requested Power plant 1 FW: IEC 104 port opened RTU FW: IEC 104 port opened SCADA Server Open/Close the Door PLC
  19. 19. Remote Control IEC 104, SMB, HTTP, etc Power plant 1 Power plant 2 Power Plant N
  20. 20.  Now this does look like typical pentest Remote Control IEC 104, SMB, HTTP, etc Internets E-mail Sharepoint Remote applications Web sites Power plant 1 Power plant 2 Power Plant N
  21. 21.  Now this does look like one of the pentest attack vectors Remote Control IEC 104, SMB, HTTP, etc Internets E-mail Sharepoint Remote applications Web sites Power plant 1 Power plant 2 Power Plant N
  22. 22.    Internal protocols Authorization process And how no to pay attention and get to serious stuff
  23. 23. WinCC Web-Client Internet, corp lan, vpn’s WinCC DataMonitor Some networks WinCC SCADA-Clients LAN WinCC Web-Client WinCC SCADA-Client +Web-Server WinCC Servers Engineering station (TIA portal/PCS7) PROFINET PROFIBUS PLC1 PLC2 WinCC DataMonitor PLC3
  24. 24. ActiveX components for communication and rendering of HMI Another component of WinCC. For example, forwarding commands to the PLC via the S7 protocol IIS extension SCSWebBridgex.dll Manages SCS connection and converts data to PAL CCEServer.exe Yep-Yep, again) CCEServer.exe WinCC core: Manages requests of components WebNavigatorRT.exe Rendering HMI and command transmission
  25. 25. • • • • The POST requests from the client contains the binary data of SCS protocol Basic-authorization Authorization is “two-stage” (we’ll cover this later) For the real identification of client a specially “generated” ID is used
  26. 26.    SQL query to database (using COM objects) Verification "special" Windows User The "hardcode" and etc. For successful authentication any path will do
  27. 27. Authentication of user in the database through the COM object on the server Getting ServerID and the “magic” activity for the password to WebBridge Using received "magic" password to work with SCSWebBridgeX
  28. 28. Oh! En/c(r)ypt[10]n! ServerID = Base64(RC2(pass, key)), where key = MD5(dll hardcode)
  29. 29. And forget that before we entered a another password... Not my department password!
  30. 30. Sql injection in Basic-authorization. It is too hard for me.
  31. 31. Passwords in database is not plaintext… CVE-2013-0676
  32. 32. But, it’s just XOR with very secret string. CVE-2013-0678
  33. 33. This is my encryptionkey
  34. 34. So, we have another way to get ServerID and later access SCSWebBridgex.dll
  35. 35. Still not quite ...
  36. 36.     "Magic" password = MD5(WNUSR_DC92D7179E29.WinPassword) Stored in the registry and encrypted with DPAPI. But with no luck. Wrong flag allows any users (including Guest) on this host to get password for special Siemens user. BTW, this user is local admin. Password generation features very good charset, but chars used uniquely and length is 12 to 14 chars which is not making cracking MD5 harder
  37. 37.   All further communications authorized with this password For dispatching requests a special ID is used that is generated ... in some weird and funny way
  38. 38. Offset Description Size 0 AlwaysNULL 4 4 dwCode 4 8 Unknown 4 12 DataLen 4 16 ID 4 20 DataChunkNum 4 24 CRC 4 28 ChuckLen 4 32 DataChunkStart …
  39. 39. Transmitted ID represents index and identifier in the pool of objects which is responsible for storing the data and dispatching requests Offset Description Size 0 PoolID 2 2 PoolIndex 2
  40. 40. HMI Other components CCEServer PLC Communication License server To start communication components must call CAL_StartListen in the service CCEServer. This function is passing all the necessary information about the component. Such as: • Component’s GUID • His PID • Required callbacks • Etc
  41. 41.  During initial communications SCS packet is transmitted with GUID describing target component
  42. 42.    According to received identifier component's object is looked up Further communication occurs in the context of an established connection, through a protocol called CAL The mechanism of data transmission in the CAL protocol is based on a global MappedSections
  43. 43. For sending data: Section = ("GlobalSCS%08X%04X%04X%04XSAM", PID, SomeW, MapKey, Null); ReadyEvent = ("GlobalSCS%08X%04X%04X%04XSAN", PID, SomeW, MapKey, Null); SendEvent = ("GlobalSCS%08X%04X%04X%04XSAF", PID, SomeW, MapKey, Null); For receiving data: Section = ("GlobalSCS%08X%04X%04X%04XASM", PID, SomeW, MapKey, Null); ReadyEvent = ("GlobalSCS%08X%04X%04X%04XASN", PID, SomeW, MapKey, Null); ReciveEvent = ("GlobalSCS%08X%04X%04X%04XASF", PID, SomeW, MapKey, Null);
  44. 44.  SQLi for retrieving HMI user passwords from db  And XOR decryption tool      Hardcoded credentials for retrieving ServerID Crack ServerID for Siemens windows user Use ServerID for communication WebBridge Session hijacking for privilege escalation on HMI Exploiting architecture weakness to use arbitrary components of WinCC (like PLC comms)
  45. 45. Contact despair: Gleb Gritsai @repdet Alexander Tlyapov @Rigros1