Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security mechanisms, software architecture
1. All pictures are taken from the Dr Strangelove movie
by Gleb Gritsai (as Alexander Timorin) and Alexander Tlyapov
2. Group of security researchers focused on ICS/SCADA,
to save Humanity from industrial disaster and to keep Purity Of Essence
Sergey Gordeychik
Roman Ilin
Artem Chaykin
Dmitry Efanov
Andrey Medov
Alexander Zaitsev
Dmitry Sklyarov
Kirill Nesterov
Gleb Gritsai
Ilya Karpov
Yuriy Dyachenko
Yuri Goltsev
Sergey Scherbel
Dmitry Serebryannikov
Alexander Timorin
Alexander Tlyapov
Denis Baranov
Sergey Bobrov
Sergey Drozdov
Vladimir Kochetkov
Timur Yunusov
Dmitry Nagibin
Vyacheslav Egoshin
Evgeny Ermakov
3.
Gleb Gritsai
Penetration tester @ptsecurity
ICS researcher and expert
Member of @scadasl
Alexander Tlyapov
Reverse engineer @ptsecurity
ICS researcher
Member of @scadasl
4.
ICS 101
Industrial protocols (Gleb Gritsai)
This 101 is useless
Functions and weakness of protocols
Penetration tester’s view
WinCC architecture (Alexander Tlyapov)
Internal protocols
Authorization process
And how not to pay attention and get to serious stuff
7.
Moving from Serial to Ethernet
Sometimes to Radio (GSM, ZigBee, WiFi, etc)
Actually the five senses of ICS:
Controlling physical processes
Delivering feedback
Available starting from OSI/ISO layer 3
Industry and application specific
Delivering real time data from a sensor, or configuring network settings of a PLC, or reflashing an RTU
Operating in one subnet or providing remote telemetry and supervisory control
Developed without security in mind (including in coders' minds)
“Times they are a changin‘”, but slowly
8. Manufacturing Message Specification (MMS)
A protocol, but more a specification for messaging
Originally developed in 1980
“Heavy”; compare a MODBUS packet: [gw_unit; function; register; value]
Applications: IED, PLC, SCADA, RTU
Vendors: GE, Siemens, Schneider, Daimler, ABB
9.
Domains: named memory regions for managing data/code blobs
Abstraction for devices
Program invocations
Journals
Files (Yes, files)
Named variables and lists (groups of vars)
Events: state machines for alarms and events
Operators station (HMI)
Init semaphores: concurrent access
10.
IEC 62351-4 is security for IEC 61850-8-1 (IEC 61850-8-1 is MMS)
Application level: ACSE AARQ and AARE PDUs
Transport level: TLS (62351-3)
Access Control Lists
Original port 102 becomes 3782 if secured
11.
Application security is in the ACSE layer (i.e. Association Control Service Element), which is rarely implemented
No password requirements defined for software
Welcome to the “123”
Application security is a plain password
Bruteforce: just try to keep the port alive, as no locking exists
Interception: simple ARP spoofing is still a kill switch for ICS networks (do this in labs or disconnected SCADAs if you care)
12.
Access must be defined to every object (according to standard)
Kind of: read, write, delete
Optional
TLS, srsly?
No options to set it up seen in products
Not supported (not even with stubs in code)
13.
Discovery & Fingerprint
Port 102 is also S7 and … - COTP (Connection Oriented Transport Protocol) & TPKT (Transport packet)
“Identify” request for Vendor, Model and Version
Enumeration of objects
Enumerate everything: Domains, Variables, Files, etc
Good thing – named variables (no need for a db with tags/registers/etc description) for understanding logic
Domains: IEDInverter, IEDBattery, IEDPhysical_Measurements
Variables for IEDBattery: ZBAT1$MX$Vol, ZBAT1$MX$Amp, ZBAT1$ST$Health
Better than WriteCoil(coil=X, value=Y)
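An added example, not code from the talk, showing why the named variables help: it decodes the LN$FC$DO naming that IEC 61850-8-1 maps onto MMS (functional constraints from IEC 61850-7-3) and sorts an enumerated inventory into control-capable and data-only objects, which is what a defender wants to inventory first. The IEDBattery names are the ones above; the IEDInverter variable, the `triage` function and the FC tables are constructed here.

```python
from dataclasses import dataclass
from typing import Dict, List

# Functional constraints from IEC 61850-7-3. The first group can change device
# behaviour or settings; the second group is read-oriented data.
CONTROL_FC = {"CO": "control", "SP": "setpoint", "SG": "setting group",
              "SE": "setting group edit", "CF": "configuration", "SV": "substitution"}
DATA_FC = {"MX": "measurand", "ST": "status", "DC": "description", "EX": "extended definition"}


@dataclass
class MmsVariable:
    domain: str           # MMS domain = IEC 61850 logical device
    logical_node: str     # e.g. ZBAT1 (battery), CSWI1 (switch controller)
    fc: str               # functional constraint
    data_object: str      # e.g. Vol, Amp, Health, Pos
    attributes: List[str]  # optional data attributes after the DO, e.g. Oper


def parse_variable(domain: str, name: str) -> MmsVariable:
    """Decode an IEC 61850-8-1 variable name 'LN$FC$DO[$DA...]' as seen in MMS enumeration."""
    parts = name.split("$")
    if len(parts) < 3 or (parts[1] not in CONTROL_FC and parts[1] not in DATA_FC):
        raise ValueError(f"not a recognised IEC 61850-8-1 variable name: {name!r}")
    return MmsVariable(domain, parts[0], parts[1], parts[2], parts[3:])


def triage(inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Split an enumerated {domain: [variables]} inventory into control-capable and data-only names."""
    result: Dict[str, List[str]] = {"control": [], "data": []}
    for domain, names in inventory.items():
        for name in names:
            var = parse_variable(domain, name)
            bucket = "control" if var.fc in CONTROL_FC else "data"
            result[bucket].append(f"{domain}/{var.logical_node}.{var.data_object} ({var.fc})")
    return result


# Constructed inventory: the IEDBattery names are the ones shown in the talk; the
# IEDInverter entry (a switch controller Pos control) is a constructed addition.
SAMPLE_INVENTORY = {
    "IEDBattery": ["ZBAT1$MX$Vol", "ZBAT1$MX$Amp", "ZBAT1$ST$Health"],
    "IEDInverter": ["CSWI1$CO$Pos$Oper"],
}

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(bucket, names)
```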
14.
Open source libs - easy to extract the API for better code coverage while fuzzing PLCs, IEDs, RTUs, …
Ain’t it fun fuzzing embedded devices
Lots of open source libs, single DLL APIs and simulators
libiec61850 is C and free: http://libiec61850.com
openmuc is Java and free: http://openmuc.org/
Smartgridware and others are non free, but offer a trial: http://www.smartgridware.com/ and http://nettedautomation.com/iec61850li/dll/index.html
15.
Is actually IEC 60870-5-104
Master, Slave, Master-Slave
Mainly for gathering telemetry in electricity distribution and power system automation: interrogations
Can feature control functions: write, command, execute
Extensible and vice versa by design
Vendors publish checklists with supported functions
No security mechanisms in the standard and in implementations, except the IP addresses of Masters defined on Slaves
16.
Discovery
TCP port 2404
Application level ASDU broadcast address
As soon as an RTU receives a broadcast to enumerate IEC 104 endpoints it sends a broadcast itself
If there is an RTU nearby you’ll get infinite broadcast
BCR (Binary Counter Reading) hack with frozen binary counter can mitigate this
Do it at home unless … don’t do it
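An added example, not from the talk or its fingerprint tool: a minimal parser for the IEC 60870-5-104 APCI/ASDU header that flags interrogation commands (type 100, C_IC_NA_1) addressed to the broadcast common address 0xFFFF, which a passive monitor on the RTU segment can use to spot the broadcast storm described above before it loops. The sample APDUs are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

BROADCAST_CA = 0xFFFF   # global (broadcast) common address of ASDU in IEC 60870-5-104
C_IC_NA_1 = 100         # type identification: interrogation command


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int            # cause of transmission (6 = activation)
    originator: int
    common_address: int


def parse_apdus(stream: bytes) -> List[Optional[Asdu]]:
    """Split a TCP byte stream into APDUs. Each I-frame yields an Asdu header; S/U-frames yield None."""
    out: List[Optional[Asdu]] = []
    pos = 0
    while pos + 2 <= len(stream):
        if stream[pos] != 0x68:
            raise ValueError(f"bad start byte at offset {pos}")
        length = stream[pos + 1]                 # number of octets after the length octet
        apdu = stream[pos + 2:pos + 2 + length]
        if len(apdu) != length or length < 4:
            raise ValueError(f"truncated APDU at offset {pos}")
        pos += 2 + length
        if apdu[0] & 0x01:                       # S-frame (..01) or U-frame (..11): carries no ASDU
            out.append(None)
            continue
        asdu = apdu[4:]                          # skip the four control octets of the I-frame
        if len(asdu) < 6:
            raise ValueError("ASDU header too short")
        # type id, VSQ, COT octet, originator address, 2-byte little-endian common address
        type_id, vsq, cot, orig, ca = struct.unpack_from("<BBBBH", asdu, 0)
        out.append(Asdu(type_id, vsq & 0x7F, cot & 0x3F, orig, ca))
    return out


def find_broadcast_interrogations(stream: bytes) -> List[int]:
    """Indexes of APDUs that are interrogation commands sent to the broadcast common address."""
    return [i for i, a in enumerate(parse_apdus(stream))
            if a is not None and a.type_id == C_IC_NA_1 and a.common_address == BROADCAST_CA]


# Constructed sample stream: STARTDT act, a station interrogation to common address 1,
# then the same interrogation to the broadcast address 0xFFFF.
SAMPLE = bytes.fromhex(
    "680407000000"                          # U-frame: STARTDT act
    "680e0000000064010600010000000014"      # I-frame: C_IC_NA_1, COT=6, CA=1, IOA=0, QOI=20
    "680e0200000064010600ffff00000014"      # I-frame: C_IC_NA_1, COT=6, CA=0xFFFF (broadcast)
)

if __name__ == "__main__":
    print("broadcast interrogations at APDU index:", find_broadcast_interrogations(SAMPLE))
```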
17.
Reading data
Writing data
Done by interrogations, which provide the set of controlled data
Inspect the vendor document on supported protocol features
Simulators, libraries and fingerprint tool:
https://github.com/atimorin/PoC2013/blob/master/iec-60870-5-104/iec-60870-5-104.py
https://code.google.com/p/mrts-ng/
https://code.google.com/p/sim104/
18. Diagram: IEC 104 travels over a dedicated network. Remote Control talks IEC 104 to Power plant 1, Power plant 2 … Power Plant N.
19. Diagram: IEC 104 flows through the RTU to the SCADA Server; the SCADA Server reads/writes data as requested. Inside Power plant 1: two firewalls (FW: IEC 104 port opened), the RTU, the SCADA Server and the PLC (Open/Close the Door).
20. Diagram: Remote Control reaches Power plant 1, Power plant 2 … Power Plant N over IEC 104, SMB, HTTP, etc. The corporate domain corp.company.loc is linked to the plant office domains office.pp1.company.loc, office.pp2.company.loc, office.ppN.company.loc.
21. Same diagram with the Internets side added (E-mail, Sharepoint, Remote applications, Web sites facing corp.company.loc): “Now this does look like typical pentest”.
22. Same diagram: “Now this does look like one of the pentest attack vectors”.
25.
ActiveX components for communication and rendering of HMI
Another component of WinCC, for example forwarding commands to the PLC via the S7 protocol
IIS extension SCSWebBridgex.dll: manages the SCS connection and converts data to PAL
CCEServer.exe (Yep-Yep, again): WinCC core, manages requests of components
WebNavigatorRT.exe: rendering HMI and command transmission
26.
The POST requests from the client contain the binary data of the SCS protocol
Basic authorization
Authorization is “two-stage” (we’ll cover this later)
For the real identification of the client a specially “generated” ID is used
27.
SQL query to the database (using COM objects)
Verification of a "special" Windows user
The "hardcode" etc.
For successful authentication any path will do
28.
29.
Authentication of the user in the database through the COM object on the server
Getting ServerID and the “magic” activity for the password to WebBridge
Using the received "magic" password to work with SCSWebBridgeX
38.
"Magic" password = MD5(WNUSR_DC92D7179E29.WinPassword)
Stored in the registry and encrypted with DPAPI. But with no luck: a wrong flag allows any user (including Guest) on this host to get the password for the special Siemens user. BTW, this user is local admin.
Password generation features a very good charset, but chars are used uniquely and the length is 12 to 14 chars, which does not make cracking the MD5 harder
39.
All further communications are authorized with this password
For dispatching requests a special ID is used that is generated ... in some weird and funny way
41. The transmitted ID represents the index and identifier in the pool of objects which is responsible for storing the data and dispatching requests

Offset  Description  Size
0       PoolID       2
2       PoolIndex    2
45.
According to the received identifier the component's object is looked up
Further communication occurs in the context of an established connection, through a protocol called CAL
The mechanism of data transmission in the CAL protocol is based on global MappedSections
48.
SQLi for retrieving HMI user passwords from the db, and an XOR decryption tool
Hardcoded credentials for retrieving ServerID
Crack ServerID for the Siemens Windows user
Use ServerID for communication with WebBridge
Session hijacking for privilege escalation on HMI
Exploiting architecture weakness to use arbitrary components of WinCC (like PLC comms)