Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Transcript of "Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters"

1. Industrial protocols for pentesters
   Timorin Alexander, Efanov Dmitry
   Positive Technologies, PHDays III
2. Who We Are: Timorin Alexander
   • Lead specialist of penetration testing team at Positive Technologies
   • Main interests: penetration testing, SCADA systems, industrial protocols, password cracking
   • atimorin@ptsecurity.ru
3. Who We Are: Efanov Dmitry
   • Lead specialist of security development team at Positive Technologies
   • Main interests: penetration testing, network protocols and hex-numbers
   • defanov@ptsecurity.ru
4. ICS: Industrial Control System
5. ICS in the World
6. ICS in the World
7. ICS in the World
8. What we will talk about?
   • Modbus
   • Mystical S7
   • Authentication and protection
   • Profinet
9. Industrial protocols
   • CIP
   • BACnet
   • CC-Link
   • Ethernet/IP
   • Modbus
   • Profinet
   • S3 / S5 / S7
   • DNP3
10. Old Modbus
   • Published by Modicon (now Schneider Electric) in 1979.
   • Widely used for connecting industrial electronic devices
   • Schneider Electric
   • Advanced Micro Controls
   • ABB
   • Emerson
   • Chinese NONAME
   • and all other vendors
11. Modbus in XX
12. Modbus in XXI
13. Modbus TCP
   Standard port – 502/tcp
   Modbus Request packet:
   • No authentication
   • No encryption
   • No security
14. Modbus Functions
   • Data access
   • Read/Write Coils and Registers
   • Read/Write File Records
   • Diagnostics
   • Device Identification
   • …
   • + User Defined Functions
15. Modbus Device Identification
   Standard Function (opcode 0x2B, subcode 0x0E)
   • VendorName
   • ProductCode
   • MajorMinorRevision
   • VendorUrl
   • ProductName
   • ModelName
   • UserApplicationName
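Added example (not from the slides, plcscan or modscan): building the Modbus TCP Read Device Identification request (function 0x2B, MEI type 0x0E) and parsing the reply defensively, so malformed object lengths raise instead of being trusted. The sample reply is constructed here, not captured from a real device; the object layout follows the Modbus specification.

```python
import struct

FC_ENCAPSULATED_INTERFACE = 0x2B   # Modbus "Encapsulated Interface Transport" function
MEI_READ_DEVICE_ID = 0x0E          # MEI type: Read Device Identification
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                0x06: "UserApplicationName"}
def build_read_device_id_request(transaction_id, unit_id=0xFF, read_dev_id_code=0x01, object_id=0x00):
    """MBAP header + PDU. read_dev_id_code 0x01 = basic objects (0x00-0x02), 0x02 = regular,
    0x03 = extended, 0x04 = a single object; object_id is where the read starts."""
    pdu = struct.pack(">BBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_dev_id_code, object_id)
    # MBAP: transaction id, protocol id (0 = Modbus), length = unit id + PDU, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def parse_read_device_id_response(frame):
    """Decode a Read Device Identification response; raises ValueError on malformed input
    or on a Modbus exception reply, so a scanner never trusts unchecked lengths."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length")
    pdu = frame[7:]
    if pdu[0] == FC_ENCAPSULATED_INTERFACE | 0x80:
        raise ValueError("modbus exception 0x%02x" % pdu[1])
    if len(pdu) < 7 or pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # fc, MEI type, read dev id code, conformity level, more follows, next object id, object count
    _, _, _, conformity, more, next_obj, count = struct.unpack(">7B", pdu[:7])
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object 0x%02x runs past end of frame" % obj_id)
        objects[OBJECT_NAMES.get(obj_id, "Object0x%02x" % obj_id)] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"transaction_id": tid, "unit_id": unit, "conformity": conformity,
            "more_follows": more == 0xFF, "next_object_id": next_obj, "objects": objects}

# Constructed sample reply (not a capture from a real device): basic identification, 3 objects
SAMPLE_RESPONSE = bytes.fromhex(
    "0001" "0000" "0021" "ff"             # MBAP: tid 1, protocol 0, length 33, unit 0xff
    "2b" "0e" "01" "01" "00" "00" "03"    # fc, MEI, basic, conformity 0x01, no more, next 0, 3 objects
    "00" "0b" + b"ExampleCorp".hex() +    # object 0x00 VendorName
    "01" "04" + b"PLC1".hex() +           # object 0x01 ProductCode
    "02" "04" + b"v1.0".hex())            # object 0x02 MajorMinorRevision
```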
16. Modbus Device Identification
17. Modbus Tools
   • Emulators:
     • http://www.modbustools.com/download.asp
   • Device Discovery:
     • https://code.google.com/p/plcscan/
     • https://code.google.com/p/modscan/
     • …
   • Wireshark
   • python
18. Modbus Demo
19. Mystic S7
   Standard port – 102/tcp
   In Siemens docs: ISO-on-TCP, RFC 1006
20. S7 materials
   • Exploiting Siemens Simatic S7 PLCs (by Dillon Beresford)
     http://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf
   • Wireshark dissector
     http://sourceforge.net/projects/s7commwireshark/
   • Libnodave – free communication library
     http://sourceforge.net/projects/libnodave/
21. ISO-on-TCP (RFC 1006)
   • Transport layer only
   • Requires source and destination TSAP (Transport Service Access Point) for connection
   • TSAP (2 bytes)
     • Connection type (PG – 0x01, OP – 0x02)
     • Rack/Slot Id
22. What is under ISO-on-TCP?
23. What is under ISO-on-TCP?
   • S5 Communication, aka FETCH / WRITE, aka Sinec H1
   • S7 Communication
   • Another S7 Communication
24. S7 communication
   S7 packet:
   PDU types:
   • 0x01 – Request
   • 0x02 – Acknowledgement
   • 0x03 – Response
   • 0x07 – User Data
25. What we can do
   • Read / Write data
   • Start / Stop CPU
   • Upload / Download Blocks
   • List blocks
   • Get blocks info
   • Read SZL (System Status List)
   • Module Identification
   • Component Identification
   • LED's status
26. Device Identification
   • PLC scan (https://code.google.com/p/plcscan/)
   • For s7-300:
     Module                    : 6ES7 151-8AB01-0AB0 v.2
     Basic Hardware            : 6ES7 151-8AB01-0AB0 v.2
     Basic Firmware            : v.3.2.6
     PLC Name                  : SIMATIC 300(Bla_bla_name)
     Module Name               : IM151-8 PN/DP CPU
     Plant ID                  :
     Copyright                 : Original Siemens Equipment
     Module Serial number      : S C-BOUV49xxxxx1
     Module type name          : IM151-8 PN/DP CPU
     Memory card Serial number : MMC 6CAxxxx0
     Module OEM ID             :
     Module Location           :
   • For s7-1200:
     Module         : 6ES7 212-1BD30-0XB0 v.2
     Basic Hardware : 6ES7 212-1BD30-0XB0 v.2
     Basic Firmware : 6ES7 212-1BD30-0XB0 v.2.2.0
27. S7-300 password protection
   Password (8 bytes)
   «Encryption»:
28. S7comm on S7-1200
   Feature                  S7-300   S7-1200
   Read/Write Vars            +        +
   Device Identification      +        +/-
   Start/Stop CPU             +        -
   Upload/Download Blocks     +        -
   Blocks Info                +        -
   LED's status               +        -
29. «Another S7 communication»
   Simple S7 packet (connection establishment)
   72 01 – S7 data delimiter
30. TIA Portal read/write protection
   PLC read/write password protection for main operations: CPU start/stop/data change, project upload, firmware update, etc.
31. TIA Portal PEData.plf passwords history
   Simple SHA-1 passwords:
   456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40}
   redbox value: password_length * 2 + 1
32. S7 password hashes extractor
   source: http://code.google.com/p/scada-tools/source/browse/s7_password_hashes_extractor.py
   Extracts all password SHA-1 hashes from a TIA Portal project file, followed by a simple bruteforce.
   It is also possible to intercept the password hash when uploading a new project to the PLC. It's easy.
   Know-how protection:
   • prevents code blocks (OB, FB, FC, DB) from unauthorized access
   • base64( sha1(password-in-unicode) )
33. SCADA <-> PLC S7 authentication
   1. SCADA -> PLC : auth request
   2. SCADA <- PLC : challenge
   3. SCADA -> PLC : response = HMAC( SHA1(password), challenge )
   4. SCADA <- PLC : auth result
   sending authentication challenge from PLC to SCADA workstation
34. SCADA <-> PLC S7 authentication
   sending authentication response from SCADA workstation to PLC
35. SCADA <-> PLC S7 authentication
   • ICS-CERT alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-016-02
   • John the Ripper Jumbo patch: https://github.com/magnumripper/JohnTheRipper/pull/193
   • http://www.digitalbond.com/blog/2013/05/10/john-the-ripper-s7-password-cracking/
36. S7 challenge-response extractor
   source: http://code.google.com/p/scada-tools/source/browse/s7_brute_offline.py
   Extracts challenge-response values from a pcap file, followed by a simple bruteforce.
   pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32'  -> auth ok
   pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732'  -> auth bad
   Other research/materials:
   • Dillon Beresford: http://scadahacker.com/exploits/exploits-dillonbh2011.html
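Added example (not from the slides, s7_brute_offline.py or Siemens): the four-step exchange of slide 33 simulated with both sides in one process, plus the check that shows why a captured (challenge, response) pair is enough for offline guessing (slides 35-36), which leaves password strength as the only remaining control. Assumed, because the slides give only the formula: HMAC-SHA1 keyed with the raw 20-byte SHA1(password) digest; SimulatedPLC is a hypothetical stand-in, not PLC firmware.

```python
import hashlib
import hmac
import os

# Assumed details (the slides give only the formula): HMAC-SHA1 keyed with the raw
# 20-byte SHA1(password) digest; the PLC itself stores only that digest.

def s7_password_hash(password):
    """Key material on both sides: SHA1(password)."""
    return hashlib.sha1(password.encode("utf-8")).digest()

def s7_auth_response(password_hash, challenge):
    """Step 3: response = HMAC( SHA1(password), challenge )."""
    return hmac.new(password_hash, challenge, hashlib.sha1).digest()

class SimulatedPLC:
    """Stand-in for the PLC side (steps 2 and 4); hypothetical, not Siemens code."""
    def __init__(self, password):
        self._password_hash = s7_password_hash(password)
        self._pending = None

    def auth_request(self):
        # Step 1 -> 2: a fresh random challenge per attempt, never reused
        self._pending = os.urandom(20)
        return self._pending

    def auth_result(self, response):
        # Step 4: one-shot challenge and constant-time compare; replaying an old
        # response fails because the challenge it answered is already consumed
        if self._pending is None:
            return False
        expected = s7_auth_response(self._password_hash, self._pending)
        self._pending = None
        return hmac.compare_digest(expected, response)

def run_exchange(plc, workstation_password):
    """The full SCADA <-> PLC exchange from slide 33, steps 1-4."""
    challenge = plc.auth_request()
    response = s7_auth_response(s7_password_hash(workstation_password), challenge)
    return plc.auth_result(response)

def pair_verifies_candidate(challenge, response, candidate):
    """Why a sniffed (challenge, response) pair matters: this check needs nothing
    from the PLC, so it can be repeated offline for any candidate password."""
    return hmac.compare_digest(s7_auth_response(s7_password_hash(candidate), challenge), response)
```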
37. PROFINET family
   2003: IEC 61158, IEC 61784
   • PROFINET CBA (Component Based Automation)
   • PROFINET IO
38. PROFINET IO
   • master – slave communications
   • RT (~ 10 ms), IRT (~ 1 ms)
   • PROFINET PTCP (Precision Time Control Protocol)
   • PROFINET DCP (Discovery and Basic Configuration Protocol)
   profinet dcp identify response
39. PROFINET DCP scanner
   source: http://code.google.com/p/scada-tools/source/browse/profinet_scanner.py
   discovering all SCADA devices (PC, HMI, PLC) in subnet
40. PROFINET DCP scanner
   payload = 'fefe05000401000200800004ffff0000'
   pp = Ether(type=0x8892, src=src_mac, dst='01:0e:cf:00:00:00')/payload.decode('hex')
   fefe      2b: DCP multicast header
   05        1b: Identify service
   00        1b: Request type
   04010002  4b: Xid (request identifier)
   0080      2b: Response delay
   0004      2b: DCP data length
   ffff0000  4b: DCP data: Option(All), Suboption(All)
   Also we can:
   • change name of station
   • change ip, gateway
   • request network info
   • LED flashing: PLC, HMI (something wrong with PLC or devices ?? )
   • and much more …
   profinet video demo
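Added example (not from the slides or profinet_scanner.py): the DCP Identify-All request of slide 40 built field by field with struct instead of scapy, and the matching header parser a passive monitor can run over PROFINET frames (EtherType 0x8892) to flag who is enumerating the segment. Constant names and the block-padding rule are my own reading of the DCP layout the slide describes; no real device traffic is used.

```python
import struct

PROFINET_ETHERTYPE = 0x8892
DCP_IDENTIFY_MULTICAST = "01:0e:cf:00:00:00"   # dst of the slide's Ether() frame
DCP_FRAME_ID_IDENTIFY_REQ = 0xFEFE           # "DCP multicast header" on the slide
DCP_SERVICE_IDENTIFY = 0x05
DCP_SERVICE_TYPE_REQUEST = 0x00
DCP_OPTION_ALL, DCP_SUBOPTION_ALL = 0xFF, 0xFF

def build_identify_all_request(xid, response_delay=0x0080):
    """Slide 40 layout: frame id (2) | service (1) | type (1) | xid (4) |
    response delay (2) | dcp data length (2) | option (1) | suboption (1) | block length (2)."""
    block = struct.pack(">BBH", DCP_OPTION_ALL, DCP_SUBOPTION_ALL, 0)   # ffff0000
    return struct.pack(">HBBIHH", DCP_FRAME_ID_IDENTIFY_REQ, DCP_SERVICE_IDENTIFY,
                       DCP_SERVICE_TYPE_REQUEST, xid, response_delay, len(block)) + block

def build_identify_frame(src_mac, xid):
    """Raw Ethernet II frame equivalent to the slide's scapy line (no scapy needed)."""
    dst = bytes.fromhex(DCP_IDENTIFY_MULTICAST.replace(":", ""))
    src = bytes.fromhex(src_mac.replace(":", ""))
    return dst + src + struct.pack(">H", PROFINET_ETHERTYPE) + build_identify_all_request(xid)

def parse_dcp_header(payload):
    """Decode a DCP PDU (bytes after the EtherType) into its header and (option, suboption,
    data) blocks; raises ValueError instead of trusting a bad length field."""
    if len(payload) < 12:
        raise ValueError("short DCP header")
    frame_id, service, svc_type, xid, delay, dlen = struct.unpack(">HBBIHH", payload[:12])
    data = payload[12:12 + dlen]
    if len(data) != dlen:
        raise ValueError("DCP data length %d exceeds payload" % dlen)
    blocks, pos = [], 0
    while pos + 4 <= len(data):
        opt, subopt, blen = struct.unpack(">BBH", data[pos:pos + 4])
        blocks.append((opt, subopt, data[pos + 4:pos + 4 + blen]))
        pos += 4 + blen + (blen & 1)        # DCP pads each block to an even length
    return {"frame_id": frame_id, "service": service, "type": svc_type, "xid": xid,
            "response_delay": delay, "blocks": blocks}

def is_identify_all_request(payload):
    """Monitoring check: does this DCP PDU ask every station to identify itself?"""
    h = parse_dcp_header(payload)
    return (h["frame_id"] == DCP_FRAME_ID_IDENTIFY_REQ and h["service"] == DCP_SERVICE_IDENTIFY
            and h["type"] == DCP_SERVICE_TYPE_REQUEST
            and any(o == DCP_OPTION_ALL and s == DCP_SUBOPTION_ALL for o, s, _ in h["blocks"]))
```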
41. How to analyze protocols?
   • search-analyze-search-analyze-search …
   • Rob Savoye: “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns”
   • Rob Savoye: FOSDEM 2009 Reverse Engineering of Proprietary Protocols, Tools and Techniques: http://youtu.be/t3s-mG5yUjY
   • Netzob: http://www.netzob.org
   • Fuzzing
   • wireshark, tcpdump, python, scapy, hex viewer
42. Outro
   • Positive Technologies SCADA analytics: http://www.ptsecurity.com/download/SCADA_analytics_english.pdf
   • Findings
   • Recommendations:
     • http://scadastrangelove.org
     • http://www.scadahacker.com
     • http://www.digitalbond.com
     • http://ics-cert.us-cert.gov
   • Releases:
     https://code.google.com/p/scada-tools/
     https://code.google.com/p/plcscan/
   • Greetz to: SCADASTRANGELOVE TEAM
   • QA
   • And now …
43. S7-300. Live Demo
44. Thanks to all … to be continued
   Timorin Alexander atimorin@ptsecurity.ru
   Efanov Dmitry defanov@ptsecurity.ru
   Stay in touch and feel free …