SlideShare a Scribd company logo

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters

Positive Hack Days
Positive Hack Days

This document summarizes an presentation on industrial protocols for pentesters. It discusses several common industrial protocols including Modbus, Siemens S7, PROFINET, and provides information on analyzing them such as looking for patterns in hex dumps. Specific exploitation techniques are mentioned such as extracting password hashes from TIA Portal project files or intercepting S7 authentication challenges and responses. The presenters provide resources for further information on industrial control systems and security.

TechnologyBusiness
1 of 44
Industrial protocols for pentesters Timorin Alexander Efanov Dmitry Positive Technologies PHDays III
Who We Are Timorin Alexander • Lead specialist of penetration testing team at Positive Technologies • Main interests: penetration testing, SCADA systems, industrial protocols, password cracking • atimorin@ptsecurity.ru
Who We Are Efanov Dmitry • Lead specialist of security development team at Positive Technologies • Main interests: penetration testing, network protocols and hex-numbers • defanov@ptsecurity.ru
ICS Industrial Control System
ICS in the World
ICS in the World
ICS in the World
What we will talk about ? • Modbus • Mystical S7 • Authentication and protection • Profinet
Industrial protocols • CIP • BACnet • CC-Link • Ethernet/IP • Modbus • Profinet • S3 / S5 / S7 • DNP3
Old Modbus • Published by Modicon (now Schneider Electric) in 1979. • Widely used for connecting industrial electronic devices • Schneider Electric • Advanced Micro Controls • ABB • Emerson • Chinese NONAME • and all other vendors
Modbus in XX
Modbus in XXI
Modbus TCP Standard port – 502/tcp Modbus Request packet: • No authentication • No encryption • No security
Modbus Functions • Data access • Read/Write Coils and Registers • Read/Write File Records • Diagnostics • Device Identification • … • + User Defined Functions
Modbus Device Identification Standard Function (opcode 0x2B, subcode 0x0E) • VendorName • ProductCode • MajorMinorRevision • VendorUrl • ProductName • ModelName • UserApplicationName
Modbus Device Identification
Modbus Tools • Emulators: • http://www.modbustools.com/download.asp • Device Discovery: • https://code.google.com/p/plcscan/ • https://code.google.com/p/modscan/ • … • Wireshark • python
Modbus Demo
Mystic S7 Standard port – 102/tcp In Siemens docs - iso-on-tcp, rfc 1006
S7 materials • Exploiting Siemens Simatic S7 PLCs (by Dillon Beresford) http://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf • Wireshark dissector http://sourceforge.net/projects/s7commwireshark/ • Libnodave – free communication library http://sourceforge.net/projects/libnodave/
ISO-on-TCP (RFC 1006) • Transport layer only • Require source and destination TSAP (Transport Service Access Point) for connection • TSAP (2 bytes) • Connection type (PG – 0x01, OP– 0x02) • Rack/Slot Id
What is under ISO-on-TCP?
What is under ISO-on-TCP? S5 Communication aka FETCH / WRITE aka Sinec H1 S7 Communication Another S7 Communication
S7 communication S7 packet: PDU-types: • 0x01 – Request • 0x02 – Acknowledgement • 0x03 – Response • 0x07– User Data
What we can do • Read / Write data • Start / Stop CPU • Upload / Download Blocks • List blocks • Get blocks info • Read SZL (System Status List) • Module Identification • Component Identification • LED’s status
Device Identification • PLC scan (https://code.google.com/p/plcscan/) • For s7-300: Module : 6ES7 151-8AB01-0AB0 v.2 Basic Hardware : 6ES7 151-8AB01-0AB0 v.2 Basic Firmware : v.3.2.6 PLC Name : SIMATIC 300(Bla_bla_name) Module Name : IM151-8 PN/DP CPU Plant ID : Copyright : Original Siemens Equipment Module Serial number : S C-BOUV49xxxxx1 Module type name : IM151-8 PN/DP CPU Memory card Serial number : MMC 6CAxxxx0 Module OEM ID : Module Location : • For s7-1200: Module : 6ES7 212-1BD30-0XB0 v.2 Basic Hardware : 6ES7 212-1BD30-0XB0 v.2 Basic Firmware : 6ES7 212-1BD30-0XB0 v.2.2.0
S7-300 password protection Password (8 bytes) «Encryption»:
S7comm on S7-1200 S7-300 S7-1200 Read/Write Vars + + Device Identification + +/- Start/Stop CPU + - Upload/Download Blocks + - Blocks Info + - LED’s status + -
«Another S7 communication» Simple S7 packet ( connection establishment) 72 01 – S7 data delimiter
TIA Portal read/write protection PLC read/write password protection for main operations: CPU start/stop/data change, project upload, firmware update, etc.
TIA Portal PEData.plf passwords history Simple SHA-1 passwords: 456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40} redbox value: password_length * 2 + 1
S7 password hashes extractor source: http://code.google.com/p/scada-tools/source/browse/s7_password_hashes_extractor.py extracting all password sha1 hashes from TIA Portal project file and simple bruteforce. Also possible to intercept password hash when uploading new project to PLC. It’s easy. Know-how protection: • prevent code blocks (OB, FB, FC, DB) from unauthorized access • base64( sha1(password-in-unicode) )
SCADA <-> PLC S7 authentication 1. SCADA-> PLC : auth request 2. SCADA <- PLC : challenge 3. SCADA-> PLC : response = HMAC( SHA1(password), challenge ) 4. SCADA <- PLC : auth result sending authentication challenge from PLC to SCADA workstation
SCADA <-> PLC S7 authentication sending authentication response from SCADA workstation to PLC
SCADA <-> PLC S7 authentication • ICS-CERT alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-016-02 • John the Ripper Jumbo patch: https://github.com/magnumripper/JohnTheRipper/pull/193 • http://www.digitalbond.com/blog/2013/05/10/john-the-ripper-s7-password- cracking/
S7 challenge-response extractor source: http://code.google.com/p/scada-tools/source/browse/s7_brute_offline.py extracting challenge-response values from pcap file and simple bruteforce. pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32‘ -> auth ok pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732‘ -> auth bad Other researches/materials: • Dillon Beresford: http://scadahacker.com/exploits/exploits-dillonbh2011.html
PROFINET family 2003: IEC 61158, IEC 61784 • PROFINET CBA (Component Based Automation) • PROFINET IO
PROFINET IO • master – slave communications • RT (~ 10 ms), IRT (~ 1 ms) • PROFINET PTCP (Precision Time Control Protocol) • PROFINET DCP (Discovery and Basic Configuration Protocol) profinet dcp identify response
PROFINET DCP scanner source: http://code.google.com/p/scada-tools/source/browse/profinet_scanner.py discovering all SCADA devices (PC, HMI, PLC) in subnet
PROFINET DCP scanner payload = 'fefe05000401000200800004ffff0000' pp = Ether(type=0x8892, src=src_mac, dst=01:0e:cf:00:00:00)/payload.decode('hex') fefe 2b: DCP multicast header 05 1b: Identify service 00 1b: Request type 04010002 4b: Xid (request identificator) 0080 2b: Response delay 0004 2b: DCP data length ffff0000 4b: dcp dataOption(All), Suboption(All) Also we can: • change name of station • change ip, gateway • request network info • LED flashing: PLC, HMI (something wrong with PLC or devices ?? ) • and much more … profinet video demo
How to analyze protocols ? • search-analyze-search-analyze-search … • Rob Savoye: “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns” • Rob Savoye: FOSDEM 2009 Reverse Engineering of Proprietary Protocols, Tools and Techniques : http://youtu.be/t3s-mG5yUjY • Netzob: http://www.netzob.org • Fuzzing • wireshark tcpdump python scapy hex viewer
Outro • Positive Technologies SCADA analytics: http://www.ptsecurity.com/download/SCADA_analytics_english.pdf • Findings • Recommendations: • http://scadastrangelove.org • http://www.scadahacker.com • http://www.digitalbond.com • http://ics-cert.us-cert.gov • Releases: https://code.google.com/p/scada-tools/ https://code.google.com/p/plcscan/ • Greetz to: SCADASTRANGELOVE TEAM • QA • And now …
S7-300. Live Demo
Thanks to all … to be continued Timorin Alexander atimorin@ptsecurity.ru Efanov Dmitry defanov@ptsecurity.ru Stay in touch and feel free …

Recommended

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
 
InduSoft Web Studio and OPC UA Connectivity
InduSoft Web Studio and OPC UA ConnectivityInduSoft Web Studio and OPC UA Connectivity
InduSoft Web Studio and OPC UA ConnectivityAVEVA
 
Pushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudPushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudDMC, Inc.
 

Recommended

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
 
InduSoft Web Studio and OPC UA Connectivity
InduSoft Web Studio and OPC UA ConnectivityInduSoft Web Studio and OPC UA Connectivity
InduSoft Web Studio and OPC UA ConnectivityAVEVA
 
Pushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudPushing Data from S7-1200 to Cloud
Pushing Data from S7-1200 to CloudDMC, Inc.
 
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...Fred Posner
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례Lee Ji Eun
 
BeagleBone Black Bootloaders
BeagleBone Black BootloadersBeagleBone Black Bootloaders
BeagleBone Black BootloadersSysPlay eLearning Academy for You
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Linux Internals - Part II
Linux Internals - Part IILinux Internals - Part II
Linux Internals - Part IIEmertxe Information Technologies Pvt Ltd
 
How to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagHow to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagBeau Bullock
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Torsten Lodderstedt
 
SOC design
SOC design SOC design
SOC design Vinchipsytm Vlsitraining
 
Firmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using VerilatorFirmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using VerilatorSeyed Amir Alavi
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
I2C-Bus Design and Verification Specs
I2C-Bus Design and Verification SpecsI2C-Bus Design and Verification Specs
I2C-Bus Design and Verification SpecsMostafa Khamis
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
Siemens s7 300 programming
Siemens s7 300 programming Siemens s7 300 programming
Siemens s7 300 programming satyajit patra
 
Taking your Siemens PLC s7-1200 to industry 4.0
Taking your Siemens PLC s7-1200 to industry 4.0Taking your Siemens PLC s7-1200 to industry 4.0
Taking your Siemens PLC s7-1200 to industry 4.0DMC, Inc.
 
Reusing your existing software on Android
Reusing your existing software on AndroidReusing your existing software on Android
Reusing your existing software on AndroidTetsuyuki Kobayashi
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 

More Related Content

What's hot

Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...Fred Posner
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례Lee Ji Eun
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
How to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagHow to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagBeau Bullock
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Torsten Lodderstedt
 
Firmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using VerilatorFirmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using VerilatorSeyed Amir Alavi
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
I2C-Bus Design and Verification Specs
I2C-Bus Design and Verification SpecsI2C-Bus Design and Verification Specs
I2C-Bus Design and Verification SpecsMostafa Khamis
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
Siemens s7 300 programming
Siemens s7 300 programming Siemens s7 300 programming
Siemens s7 300 programming satyajit patra
 
Taking your Siemens PLC s7-1200 to industry 4.0
Taking your Siemens PLC s7-1200 to industry 4.0Taking your Siemens PLC s7-1200 to industry 4.0
Taking your Siemens PLC s7-1200 to industry 4.0DMC, Inc.
 
Reusing your existing software on Android
Reusing your existing software on AndroidReusing your existing software on Android
Reusing your existing software on AndroidTetsuyuki Kobayashi
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 

What's hot (20)

Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례
 
BeagleBone Black Bootloaders
BeagleBone Black BootloadersBeagleBone Black Bootloaders
BeagleBone Black Bootloaders
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Linux Internals - Part II
Linux Internals - Part IILinux Internals - Part II
Linux Internals - Part II
 
How to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagHow to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bag
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
 
SOC design
SOC design SOC design
SOC design
 
Firmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using VerilatorFirmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
I2C-Bus Design and Verification Specs
I2C-Bus Design and Verification SpecsI2C-Bus Design and Verification Specs
I2C-Bus Design and Verification Specs
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
 
Siemens s7 300 programming
Siemens s7 300 programming Siemens s7 300 programming
Siemens s7 300 programming
 
Taking your Siemens PLC s7-1200 to industry 4.0
Taking your Siemens PLC s7-1200 to industry 4.0Taking your Siemens PLC s7-1200 to industry 4.0
Taking your Siemens PLC s7-1200 to industry 4.0
 
Reusing your existing software on Android
Reusing your existing software on AndroidReusing your existing software on Android
Reusing your existing software on Android
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 

Similar to Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 
Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...OptimalPlus
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3qqlan
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]qqlan
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...PROIDEA
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessS4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessNathan Wallace, PhD, PE
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...PROIDEA
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptxssuserb4d806
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 

Similar to Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters (20)

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessS4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptx
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters

  • 1. Industrial protocols for pentesters Timorin Alexander Efanov Dmitry Positive Technologies PHDays III
  • 2. Who We Are Timorin Alexander • Lead specialist of penetration testing team at Positive Technologies • Main interests: penetration testing, SCADA systems, industrial protocols, password cracking • atimorin@ptsecurity.ru
  • 3. Who We Are Efanov Dmitry • Lead specialist of security development team at Positive Technologies • Main interests: penetration testing, network protocols and hex-numbers • defanov@ptsecurity.ru
  • 5. ICS in the World
  • 6. ICS in the World
  • 7. ICS in the World
  • 8. What we will talk about ? • Modbus • Mystical S7 • Authentication and protection • Profinet
  • 9. Industrial protocols • CIP • BACnet • CC-Link • Ethernet/IP • Modbus • Profinet • S3 / S5 / S7 • DNP3
  • 10. Old Modbus • Published by Modicon (now Schneider Electric) in 1979. • Widely used for connecting industrial electronic devices • Schneider Electric • Advanced Micro Controls • ABB • Emerson • Chinese NONAME • and all other vendors
  • 13. Modbus TCP Standard port – 502/tcp Modbus Request packet: • No authentication • No encryption • No security
  • 14. Modbus Functions • Data access • Read/Write Coils and Registers • Read/Write File Records • Diagnostics • Device Identification • … • + User Defined Functions
  • 15. Modbus Device Identification Standard Function (opcode 0x2B, subcode 0x0E) • VendorName • ProductCode • MajorMinorRevision • VendorUrl • ProductName • ModelName • UserApplicationName
  • 17. Modbus Tools • Emulators: • http://www.modbustools.com/download.asp • Device Discovery: • https://code.google.com/p/plcscan/ • https://code.google.com/p/modscan/ • … • Wireshark • python
  • 19. Mystic S7 Standard port – 102/tcp In Siemens docs - iso-on-tcp, rfc 1006
  • 20. S7 materials • Exploiting Siemens Simatic S7 PLCs (by Dillon Beresford) http://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf • Wireshark dissector http://sourceforge.net/projects/s7commwireshark/ • Libnodave – free communication library http://sourceforge.net/projects/libnodave/
  • 21. ISO-on-TCP (RFC 1006) • Transport layer only • Require source and destination TSAP (Transport Service Access Point) for connection • TSAP (2 bytes) • Connection type (PG – 0x01, OP– 0x02) • Rack/Slot Id
  • 22. What is under ISO-on-TCP?
  • 23. What is under ISO-on-TCP? S5 Communication aka FETCH / WRITE aka Sinec H1 S7 Communication Another S7 Communication
  • 24. S7 communication S7 packet: PDU-types: • 0x01 – Request • 0x02 – Acknowledgement • 0x03 – Response • 0x07– User Data
  • 25. What we can do • Read / Write data • Start / Stop CPU • Upload / Download Blocks • List blocks • Get blocks info • Read SZL (System Status List) • Module Identification • Component Identification • LED’s status
  • 26. Device Identification • PLC scan (https://code.google.com/p/plcscan/) • For s7-300: Module : 6ES7 151-8AB01-0AB0 v.2 Basic Hardware : 6ES7 151-8AB01-0AB0 v.2 Basic Firmware : v.3.2.6 PLC Name : SIMATIC 300(Bla_bla_name) Module Name : IM151-8 PN/DP CPU Plant ID : Copyright : Original Siemens Equipment Module Serial number : S C-BOUV49xxxxx1 Module type name : IM151-8 PN/DP CPU Memory card Serial number : MMC 6CAxxxx0 Module OEM ID : Module Location : • For s7-1200: Module : 6ES7 212-1BD30-0XB0 v.2 Basic Hardware : 6ES7 212-1BD30-0XB0 v.2 Basic Firmware : 6ES7 212-1BD30-0XB0 v.2.2.0
  • 27. S7-300 password protection Password (8 bytes) «Encryption»:
  • 28. S7comm on S7-1200 S7-300 S7-1200 Read/Write Vars + + Device Identification + +/- Start/Stop CPU + - Upload/Download Blocks + - Blocks Info + - LED’s status + -
  • 29. «Another S7 communication» Simple S7 packet ( connection establishment) 72 01 – S7 data delimiter
  • 30. TIA Portal read/write protection PLC read/write password protection for main operations: CPU start/stop/data change, project upload, firmware update, etc.
  • 31. TIA Portal PEData.plf passwords history Simple SHA-1 passwords: 456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40} redbox value: password_length * 2 + 1
  • 32. S7 password hashes extractor source: http://code.google.com/p/scada-tools/source/browse/s7_password_hashes_extractor.py extracting all password sha1 hashes from TIA Portal project file and simple bruteforce. Also possible to intercept password hash when uploading new project to PLC. It’s easy. Know-how protection: • prevent code blocks (OB, FB, FC, DB) from unauthorized access • base64( sha1(password-in-unicode) )
  • 33. SCADA <-> PLC S7 authentication 1. SCADA-> PLC : auth request 2. SCADA <- PLC : challenge 3. SCADA-> PLC : response = HMAC( SHA1(password), challenge ) 4. SCADA <- PLC : auth result sending authentication challenge from PLC to SCADA workstation
  • 34. SCADA <-> PLC S7 authentication sending authentication response from SCADA workstation to PLC
  • 35. SCADA <-> PLC S7 authentication • ICS-CERT alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-016-02 • John the Ripper Jumbo patch: https://github.com/magnumripper/JohnTheRipper/pull/193 • http://www.digitalbond.com/blog/2013/05/10/john-the-ripper-s7-password- cracking/
  • 36. S7 challenge-response extractor source: http://code.google.com/p/scada-tools/source/browse/s7_brute_offline.py extracting challenge-response values from pcap file and simple bruteforce. pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32‘ -> auth ok pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732‘ -> auth bad Other researches/materials: • Dillon Beresford: http://scadahacker.com/exploits/exploits-dillonbh2011.html
  • 37. PROFINET family 2003: IEC 61158, IEC 61784 • PROFINET CBA (Component Based Automation) • PROFINET IO
  • 38. PROFINET IO • master – slave communications • RT (~ 10 ms), IRT (~ 1 ms) • PROFINET PTCP (Precision Time Control Protocol) • PROFINET DCP (Discovery and Basic Configuration Protocol) profinet dcp identify response
  • 39. PROFINET DCP scanner source: http://code.google.com/p/scada-tools/source/browse/profinet_scanner.py discovering all SCADA devices (PC, HMI, PLC) in subnet
  • 40. PROFINET DCP scanner payload = 'fefe05000401000200800004ffff0000' pp = Ether(type=0x8892, src=src_mac, dst=01:0e:cf:00:00:00)/payload.decode('hex') fefe 2b: DCP multicast header 05 1b: Identify service 00 1b: Request type 04010002 4b: Xid (request identificator) 0080 2b: Response delay 0004 2b: DCP data length ffff0000 4b: dcp dataOption(All), Suboption(All) Also we can: • change name of station • change ip, gateway • request network info • LED flashing: PLC, HMI (something wrong with PLC or devices ?? ) • and much more … profinet video demo
  • 41. How to analyze protocols ? • search-analyze-search-analyze-search … • Rob Savoye: “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns” • Rob Savoye: FOSDEM 2009 Reverse Engineering of Proprietary Protocols, Tools and Techniques : http://youtu.be/t3s-mG5yUjY • Netzob: http://www.netzob.org • Fuzzing • wireshark tcpdump python scapy hex viewer
  • 42. Outro • Positive Technologies SCADA analytics: http://www.ptsecurity.com/download/SCADA_analytics_english.pdf • Findings • Recommendations: • http://scadastrangelove.org • http://www.scadahacker.com • http://www.digitalbond.com • http://ics-cert.us-cert.gov • Releases: https://code.google.com/p/scada-tools/ https://code.google.com/p/plcscan/ • Greetz to: SCADASTRANGELOVE TEAM • QA • And now …
  • 44. Thanks to all … to be continued Timorin Alexander atimorin@ptsecurity.ru Efanov Dmitry defanov@ptsecurity.ru Stay in touch and feel free …