Scada strange love.
Usage rights: © All Rights Reserved
Presentation transcript

  • All pictures are taken from the Dr. Strangelove movie.
  • Group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity Of Essence.
      • Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Roman Ilin, Alexander Tlyapov
  • Goals: to automate security assessment of ICS platforms and environment.
      • Objectives: to understand the system; to assess built-in security features; to create security audit/hardening guides; to automate the process.
      • Vulnerabilities are a by-product ("waste production") of this work.
  • Goal: to create a PoC of a Stuxnet-style attack.
      • Initial conditions: common ICS components and configuration; common ICS security tools; only ICS component weaknesses; vulnerabilities found by the SCADA StrangeLove team.
  • Target platform
      • Engineering tools: STEP 7, PCS7, TIA Portal
      • SCADA/HMI: WinCC (Windows), WinCC Flexible/Advanced (Windows/Win CE)
      • S7 family PLC: old line (200, 300, 400), new line (1200, 1500)
  • WinCC architecture
      • WinCC Server: Windows/MSSQL-based SCADA
      • WinCC Client (HMI): WinCC runtime + Project + OPC
      • WinCC Web Server (WebNavigator): IIS/MSSQL/ASP/ASP.NET/SOAP
      • WinCC WebClient (HMI): ActiveX/HTML/JS
  • [Bar chart: yearly counts for 1997–2013, y-axis 0–1000; the values are figure residue and are not recoverable]
  • Cyber Weapon: Tactics, Techniques, and Procedures (TTPs); APT1; APT 2.0; Cyber Kill Chain
  • ChinJa (R) (tm): Breaking through; Harvesting; Creeping death; Chaos
  • That is a question!
  • http://bit.ly/RI6FtQ
    http://bit.ly/UXn7d1
  • http://www.surfpatrol.ru/en/report
  • A lot of "WinCCed" IE from many countries/companies/industries. Special prize to the guys from the US for WinCC 6.X in 2012.
  • WinCC V7.0 SP3, fixed in Update 2 (http://support.automation.siemens.com/WW/view/en/60984587):
      • XPath Injection (CVE-2012-2596)
      • Path Traversal (CVE-2012-2597)
      • XSS, ~20 instances (CVE-2012-2595)
  • WinCC V7.0 SP3, fixed in Update 3 (http://support.automation.siemens.com/WW/view/en/63472422):
      • Lots of XSS and CSRF: CVE-2012-3031, CVE-2012-3028
      • Lots of arbitrary file reading: CVE-2012-3030
      • SQL injection over SOAP: CVE-2012-3032
      • Username and password disclosure via ActiveX abuse: CVE-2012-3034
  • Fixed in WinCC 7.2 / SIMATIC PCS7 V8.0 SP1 (http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-714398.pdf):
      • Path Traversal: CVE-2013-0679
      • Buffer overflow in ActiveX: CVE-2013-0674
      • XXE OOB: CVE-2013-0677
      • Missing encryption of sensitive data: CVE-2013-0678
      • Improper authorization: CVE-2013-0676
  • Assessment approach
      • Network-level, active scan: S7, Modbus, MSSQL (WinCC instance), HTTP(S), SNMP (community strings public/private hardcoded for PLCs and HMI panels)
      • Network-level, passive scan: Profinet
      • Host-level: WinCC forensics
  • Dmitry Efanov, http://scadastrangelove.blogspot.ru/2012/11/plcscan.html
  • Alexander Timorin, PHDays III release
  • WinCC forensics: processes and IPC
      • PdlRt.exe – graphic runtime
      • CCRtsLoader.EXE – loader
      • s7otbxsx.exe – network
      • Inter-process communication: RPC, Sections (memory-mapped files), BaseNamedObjects\TCPSharedMm and other interesting stuff
  • WinCC forensics: registry
      • Detecting the active project: HKCU\Software\SIEMENS\WINCC\ControlCenter\Default Settings, values LastOpenPath and LastProject
      • Detecting the MS SQL database name (timestamp): ArchiveManager\AlarmLogging, ArchiveManager\TagLogging\*
      • Obtaining information from the database and system objects
  • WinCC forensics: databases
      • {Hostname}_{Project}_TLG*: tag data
      • CC_{Project}_{Timestamp}*: project data and configuration; users, PLCs, privileges
  • WinCC users
      • Managed by the UM app
      • Stored in dbo.PW_USER
  • CVE-2013-0676
      • Administrator:ADMINISTRATOR
      • Avgur2 > Avgur
  • This is my encryption key
  • Select from MS SQL via COM objects; "special" Windows account; shortcuts** (** we don't know yet, you know)
  • WebNavigator
      • Authentication via SQL-stored accounts
      • ServerID magic to get the WebBridge password
      • The magic is used for SCSWebBridgeX
  • Too hard for me…
  • Oh! En/c(r)ypt[10]n! ServerID = Base64(RC2(pass, key)), where key = MD5(dll hardcode)
  • Not my department password!
  • All other connections use WNUSR for authentication; for authorization the ID parameter is used.
  • Not yet…
  • "Magic" password = MD5(WNUSR_DC92D7179E29.Password)
      • WNUSR_DC92D7179E29.Password is generated during installation
      • Stored in the registry via DPAPI
      • Good length and charset, but…
  • Summary
      • WinCC clients use a hardcoded account to communicate with the OPC Web bridge
      • The password for WNUSR_DC92D7179E29 is generated during installation and is probably strong
      • MD5(WNUSR_.Password) is stored with DPAPI protection
      • The "encrypted" password for WNUSR_DC* can be obtained by a request to WinCCWebBridge.dll
      • WNUSR_DC92D7179E29 is the only account used to work with Windows/Database
  • …responsible disclosure
  • What is a Project?
      • A collection of ActiveX/COM/.NET objects
      • Event handlers and other code (C/VB)
      • Configuration files, XML and other
      • Can a Project be trusted? Are there ways to spread malware with a Project?
  • NO!
      • The Project itself is dynamic code; it is easy to patch it "on the fly"
      • Vulnerabilities in data handlers (CVE-2013-0677)
      • How to abuse? The simplest way is to patch event handlers
  • PLC side
      • Hardcoded SNMP community string (unfixed)
      • Hardcoded S7 PLC CA certificate (Dmitry Sklyarov): http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html
      • Multiple vulnerabilities in the S7-1200 PLC web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov): http://www.siemens.com/corporatetechnology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
  • S7 PLC password protection
      • Can be protected by a password
      • Authentication is a simple challenge-response
      • The password is hashed (SHA-1) on the client (TIA Portal)
      • The server (PLC) provides a 20-byte challenge
      • The client calculates HMAC-SHA1(challenge, SHA1(password)) as the response
  • Pass-the-hash
      • SHA-1(password) is stored in PLC project files
      • It can be intercepted during firmware update/project upload
      • It can be extracted from the project file
      • SHA-1(pass) vs HMAC-SHA1(challenge, SHA1(pass)): whoever holds the hash can compute the response, so the hash is password-equivalent
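The two slides above describe the protocol and why the stored hash is as good as the password; the tool list later mentions an S7 password brute-force tool and a JtR format for the same scheme. The block below is an added example written for this page, not the SCADA StrangeLove tool or Siemens code: a toy PLC that verifies responses, a client that has the password, an attacker that only has SHA-1(password) lifted from a project file, and an offline dictionary attack on one captured challenge/response pair. It assumes the HMAC key is SHA-1(password) and the HMAC message is the 20-byte challenge (the slide's notation does not fix the argument order), and the wordlist is constructed.

```python
"""S7-style challenge-response: pass-the-hash and offline cracking demo."""
import hashlib
import hmac
import os


def s7_password_hash(password: str) -> bytes:
    """What TIA Portal stores in the project: SHA-1 of the password (20 bytes)."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def s7_response(challenge: bytes, pw_hash: bytes) -> bytes:
    """HMAC-SHA1 keyed with SHA1(password) over the challenge (assumed order)."""
    return hmac.new(pw_hash, challenge, hashlib.sha1).digest()


class ToyPlc:
    """Server side: keeps SHA1(password), hands out challenges, checks responses."""

    def __init__(self, password: str):
        self.pw_hash = s7_password_hash(password)  # hash, not the password itself
        self.outstanding = None

    def challenge(self) -> bytes:
        self.outstanding = os.urandom(20)  # 20-byte random challenge
        return self.outstanding

    def verify(self, challenge: bytes, response: bytes) -> bool:
        ok = (challenge == self.outstanding and
              hmac.compare_digest(s7_response(challenge, self.pw_hash), response))
        self.outstanding = None  # one response per challenge
        return ok


def legitimate_login(plc: ToyPlc, password: str) -> bool:
    """Engineering station: derives the hash from the typed password."""
    c = plc.challenge()
    return plc.verify(c, s7_response(c, s7_password_hash(password)))


def pass_the_hash(plc: ToyPlc, stolen_hash: bytes) -> bool:
    """Attacker: never learns the password, only SHA1(password) from a project file."""
    c = plc.challenge()
    return plc.verify(c, s7_response(c, stolen_hash))


def crack_offline(challenge: bytes, response: bytes, wordlist):
    """Dictionary attack on a sniffed (challenge, response) pair; None if no hit."""
    for candidate in wordlist:
        if hmac.compare_digest(s7_response(challenge, s7_password_hash(candidate)), response):
            return candidate
    return None


# Constructed wordlist for the demo; a real run would use a password list file.
WORDLIST = ["123456", "siemens", "Purity0fEssence", "admin", "s7-1200"]


def demo():
    """Run all three scenarios; returns (legit_ok, pth_ok, cracked_password)."""
    plc = ToyPlc("Purity0fEssence")
    legit_ok = legitimate_login(plc, "Purity0fEssence")

    # Hash "extracted from the project file" (here: recomputed, no secret channel).
    stolen = s7_password_hash("Purity0fEssence")
    pth_ok = pass_the_hash(plc, stolen)

    # Sniff one exchange and crack it offline.
    c = plc.challenge()
    r = s7_response(c, stolen)
    plc.verify(c, r)
    cracked = crack_offline(c, r, WORDLIST)
    return legit_ok, pth_ok, cracked


if __name__ == "__main__":
    print(demo())  # expected: (True, True, 'Purity0fEssence')
```

The point the slides make shows up in `pass_the_hash`: the response depends only on `SHA1(password)` and the challenge, so protecting the project file (and the upload/firmware-update traffic that carries the hash) matters as much as the password itself; the challenge only stops replay of a previously captured response.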
  • Fixed in WinCC (TIA Portal) V12 (http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf):
      • Buffer overflow: CVE-2013-0669
      • Cross-Site Scripting: CVE-2013-0672 / CVE-2013-0670 / CVE-2013-0668
      • Directory traversal / response splitting: CVE-2013-0671
      • Server-side script injection: CVE-2012-3032
  • Releases: Profinet scanner; WinCC Harvester 2.0 (http://scadastrangelove.blogspot.com/search/label/Releases)
  • Releases (http://scadastrangelove.blogspot.com/search/label/Releases):
      • TIA Portal Security Hardening Guide
      • S7 protocol password brute-force tool and JtR format
      • Simatic WinCC Security Hardening Guide
      • PLCScan tool
      • ICS/SCADA/PLC Google/Shodan CheatSheet
      • SCADA Safety in Numbers
  • All pictures are taken from the Dr. Strangelove movie.