SCADA StrangeLove 2: We already know

1. http://scadasl.org
   *All pictures are taken from Dr StrangeLove movie and other Internets

2. Speakers
   - Sergey Gordeychik: Positive Hack Days Director and Scriptwriter, WASC board member, http://www.phdays.com
   - Gleb Gritsai: Principal Researcher, network security and forensics researcher, member of the PHDays Challenges team, @repdet

3. SCADA StrangeLove: a group of security researchers focused on ICS/SCADA, "to save Humanity from industrial disaster and to keep Purity Of Essence".
   Members: Sergey Gordeychik, Roman Ilin, Artem Chaykin, Dmitry Efanov, Andrey Medov, Alexander Zaitsev, Dmitry Sklyarov, Kirill Nesterov, Gleb Gritsai, Ilya Karpov, Yuriy Dyachenko, Yuri Goltsev, Sergey Scherbel, Dmitry Serebryannikov, Alexander Timorin, Alexander Tlyapov, Denis Baranov, Sergey Bobrov, Sergey Drozdov, Vladimir Kochetkov, Timur Yunusov, Dmitry Nagibin, Vyacheslav Egoshin, Evgeny Ermakov

4. Agenda
   - Analytics: "SCADA security in numbers"
   - Industrial protocols
   - ICS systems on the internets: plcscan for S7 and Modbus
   - Vulnerabilities: Siemens WinCC components and vulnerabilities
   - Lots of "We don't know yet"

5. What it costs to find an ICS system, and to find a vulnerable device
   - Get https://scans.io/ (~500 GB) = ~$60
   - Index it with Elasticsearch (3 CPU days) = $0
   - Grep it all! It's all vulnerable (for sure!) = $0
   - Put it in Excel (I hate it!) = $9000
   - CoV = ($60 + $0 + $0 + $9000) / 68076 devices = $0.1330865503261061 per device

6. Finding ICS on the Internet
   - Old, slow, boring: Google/Bing/Shodanhq/ERIPP
   - New, fast, easy to automate: ZMap, Masscan; homebrew scans of industrial ports; Rapid7 Project Sonar; Internet Census (not so new); plus fast full-text search engines

7. Internet-exposed devices by country

   Country   Devices
   US          31211
   DE           3793
   IT           2956
   BR           2461
   GB           2282
   CA           2276
   KR           1785
   SE           1345
   ES           1341
   NL           1312
   FR           1171
   TW           1126
   CN            891
   JP            885

8. Devices by vendor (68076 devices in total)

   Vendor               Devices   Share
   Tridium                19490     29%
   NRG Systems            11715     17%
   Lantronix               6988     10%
   Moxa                    3949      6%
   Beck IPC                3655      5%
   Generic                 2794      4%
   Schneider Electric      2458      4%
   Rabbit                  1958      3%
   SAP                     1639      2%
   Westermo                1526      2%
   Echelon                 1395      2%
   Siemens                 1322      2%
   TAC AB                  1321      2%
   Digi                     988      1%
   DATACOM                  945      1%
   Other                   5933      9%

9. Devices by model

   Device model                   Devices   Share
   WindCube                         11715     45%
   IPC@CHIP                          3655     14%
   Lantronix SLS                     2204      8%
   PowerLogic ION                    1806      7%
   NetWeaver Application Server      1639      6%
   Lantronix XPort AR                1413      5%
   i.LON 600                         1395      5%
   Lantronix UDS1100                 1310      5%
   Westermo MRD-310                  1171      5%

10. Exposed services

    Service      Devices   Share
    http           49989     73%
    snmp           15253     23%
    Industrial      1612      2%
    telnet           671      1%
    ftp              604      1%

11. Exposed industrial protocols

    Protocol   Devices   Share
    s7             827     53%
    modbus         532     34%
    dnp3           155     10%
    iec104          44      3%

12. Kudos to http://www.scadaexposure.com/
    http://scadastrangelove.blogspot.com/2013/12/internet-connected-icsscadaplc30c3.html

13. What can RDP/VNC/Radmin hide?... we will never know.

14. [Diagram: ETCS railway signalling architecture: Computer Based Interlocking (to peripherals: signals, point machines, etc.), two RBCs, MMI, GSM-R (fixed and onboard), Fixed Eurobalise, ETCS Onboard, Station, Plain Line Data]

15. [Same diagram as slide 14]

16. Industrial protocol scanners: lots of new information coming up
    Protocols (TCP port):
    - Modbus (502)
    - DNP3 (20000)
    - Profinet DCP
    - S7 (102)
    - MMS (102)
    - IEC104 (2404)
    Tools and write-ups:
    - http://nmap.org/nsedoc/scripts/modbus-discover.html
    - http://scadastrangelove.blogspot.com/2012/11/plcscan.html (plcscan: S7 and Modbus)
    - http://sourceforge.net/projects/dnp/
    - https://code.google.com/p/scadascan/
    - http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
    - http://scadastrangelove.blogspot.com/2013/05/scada-strangelove-positive-hack-days.html
    But some protocols are still not researched. [kudos to Alexander Timorin @atimorin]
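The simplest way to fingerprint a device behind port 502 is the Modbus Read Device Identification query (function 0x2B, MEI type 0x0E), the same kind of probe the discovery tools above automate. The Python below is an added example and is not code from the deck or from any of the tools listed: it builds the request, parses the reply including the exception response that devices without the function return (commonly 0x01, Illegal Function), and rejects malformed frames so a scanner never trusts an MBAP length it cannot verify. The device reply is constructed for the demo, not a capture, and the vendor and product strings in it are invented.

```python
import socket
import struct

MODBUS_TCP_PORT = 502
FUNC_ENCAP_INTERFACE = 0x2B     # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E       # MEI type: Read Device Identification

# Object IDs of the "basic" identification block (Modbus Application Protocol v1.1b).
OBJECT_NAMES = {
    0x00: "VendorName",
    0x01: "ProductCode",
    0x02: "MajorMinorRevision",
    0x03: "VendorUrl",
    0x04: "ProductName",
    0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_read_device_id(unit_id=1, read_code=0x01, object_id=0x00, tid=1):
    """Modbus/TCP request: MBAP header + PDU for Read Device Identification."""
    pdu = bytes([FUNC_ENCAP_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id])
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame):
    """Parse a Modbus/TCP response frame.

    Returns {"unit", "exception"} for an exception response, otherwise
    {"unit", "conformity", "more_follows", "objects": {name: str}}.
    Raises ValueError on malformed input instead of guessing.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length %d disagrees with %d bytes received" % (length, len(frame)))
    func = pdu[0]
    if func & 0x80:                       # exception bit set, e.g. 0x01 Illegal Function
        return {"unit": unit, "exception": pdu[1] if len(pdu) > 1 else None}
    if func != FUNC_ENCAP_INTERFACE or len(pdu) < 7 or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    conformity, more_follows, _next_obj, count = pdu[3], pdu[4], pdu[5], pdu[6]
    objects = {}
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("object 0x%02x claims %d bytes, %d present" % (oid, olen, len(value)))
        objects[OBJECT_NAMES.get(oid, "Object%02X" % oid)] = value.decode("ascii", "replace")
        pos += 2 + olen
    return {"unit": unit, "conformity": conformity, "more_follows": more_follows, "objects": objects}


def is_well_formed(frame):
    """True if the frame parses (as data or as an exception) without error."""
    try:
        parse_response(frame)
    except ValueError:
        return False
    return True


def sample_response(unit_id=1, tid=1):
    """Constructed reply from a fictional device (not a capture from any real PLC)."""
    objs = [(0x00, b"Acme PLC Co."), (0x01, b"PLC-100"), (0x02, b"v2.1")]
    body = b"".join(bytes([oid, len(v)]) + v for oid, v in objs)
    # read code 0x01, conformity 0x01 (basic, stream), more_follows 0, next object 0
    pdu = bytes([FUNC_ENCAP_INTERFACE, MEI_READ_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, len(objs)]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def identify(host, port=MODBUS_TCP_PORT, unit_id=1, timeout=2.0):
    """Send one query to a live device; expect an exception from devices without 0x2B."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_read_device_id(unit_id))
        return parse_response(s.recv(260))
```

identify() is the only function that touches the network; everything else runs offline on the constructed frame. Keep the timeout short and one connection per host: many serial-to-Ethernet gateways in the vendor table above accept a single TCP client at a time and a hung scanner connection can lock the legitimate HMI out.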
17. Native broadcast to identify all components

18. Fields seen in the identification packet:
    Resource index = 0x82
    Resource name = 0x5345???????????? (SE??????)
    Packet counter = 0x3ba1

19. https://www.thc.org/thc-hydra/

20. …responsible disclosure

21. [Diagram: WinCC deployment. WinCC Web-Client reached from the Internet, corporate LAN and VPNs; WinCC DataMonitor in "some networks"; WinCC SCADA-Clients, WinCC SCADA-Client + Web-Server and WinCC Servers on the LAN; Engineering station (TIA Portal/PCS 7); PLC1, PLC2 and PLC3 behind PROFINET/PROFIBUS]

22. http://www.youtube.com/watch?v=bE2r7r7VVic

23. [Same diagram as slide 21]

24. "This is my encryptionkey"
    Metasploit module for harvesting data from a WinCC project's database and decrypting ciphertexts:
    http://scadastrangelove.blogspot.com/2013/08/wincc-harvester-metasploit-module-is.html

25. "This is my encryptionkey" is
    AUHFPPCY PPCY POEK LWUBWMKKEKJWVOPP WLDZ HSLWEK

26. This is SHA
    "0xC280" x len(password) + "0xC280" x len(password)

27. [Same diagram as slide 21]

28. WinCC web components
    - ActiveX components: communication and rendering of the HMI
    - WebNavigatorRT.exe: rendering the HMI and command transmission
    - SCSWebBridgex.dll (IIS extension): manages the SCS connection and converts data to PAL
    - CCEServer.exe: WinCC core, manages requests of components (appears twice in the diagram: "Yep-Yep, again")
    - Another component of WinCC, for example one forwarding commands to the PLC via the S7 protocol
    [kudos to Alexander Tlyapov @rigros1]

29. [Diagram: HMI, other components, PLC communication and the license server all connect to CCEServer]
    To register a component in the CCEServer, call CAL_StartListen(component's GUID, PID, required callbacks, etc.)

30. During initial communication an SCS packet is sent with a GUID describing the target component.

31. [Diagram: Attacker -> XML -> Server -> PROFIT!]
    DTD parsing, SYSTEM reading: the server-side XML parser resolves external entities, so a DTD entity with a SYSTEM identifier reads local files.
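Slide 31 is the classic XML external entity (XXE) pattern: a server-side parser honours a DTD entity whose SYSTEM identifier names a local file, and the file's content comes back to the attacker inside the parsed document. The Python below is an added example, not WinCC code and not the researchers' exploit; it uses the standard-library expat parser with a deliberately naive entity resolver to reproduce the bug, then a hardened parser that refuses any DOCTYPE and never installs a resolver. The "secret" file, its content and the request document are all constructed for the demo.

```python
import os
import tempfile
import xml.parsers.expat

# Constructed stand-in for a file the server can read but a client must not
# (assumption for the demo; no real WinCC file or path is implied).
_SECRET = b"license-server-password=hunter2\n"


def _write_secret_file():
    """Create the file the XXE payload will point at; returns its path."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(_SECRET)
    return path


def xxe_payload(path):
    """Attacker's document: the internal DTD subset declares an external entity
    whose SYSTEM identifier is a local file, then references it in content."""
    return ('<?xml version="1.0"?>'
            '<!DOCTYPE req [<!ENTITY xxe SYSTEM "%s">]>'
            '<req><name>&xxe;</name></req>' % path)


def parse_vulnerable(doc):
    """Parser that resolves SYSTEM entities. Returns the document's text content,
    which after an XXE payload includes the secret file."""
    chunks = []
    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = chunks.append

    def resolve(context, base, system_id, public_id):
        # The bug: open whatever path the untrusted document names and feed it
        # back into the parse as entity content.
        with open(system_id, "rb") as f:
            body = f.read()
        child = p.ExternalEntityParserCreate(context)   # inherits the handlers above
        child.Parse(body, True)
        return 1                                        # tell expat the entity was handled

    p.ExternalEntityRefHandler = resolve
    p.Parse(doc, True)
    return "".join(chunks)


def parse_hardened(doc):
    """Same parser with two changes: any DOCTYPE aborts the parse, and no
    external-entity resolver is installed at all."""
    chunks = []
    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = chunks.append

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE not allowed in requests")

    p.StartDoctypeDeclHandler = reject_doctype
    p.Parse(doc, True)
    return "".join(chunks)


def hardened_rejects(doc):
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(doc)
    except ValueError:
        return True
    return False
```

The same fix applies to any library parser: disable DTD processing or external entity resolution before parsing anything that arrives over the network, and treat a DOCTYPE in a protocol message as an attack rather than a feature.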
32. What is a Project?
    - A collection of ActiveX/COM/.NET objects
    - Event handlers and other code (C/VB)
    - Configuration files, XML and other
    Can a Project be trusted? Are there ways to spread malware with a Project?

33. NO!
    - The Project itself is dynamic code
    - It's easy to patch it "on the fly"
    - Vulnerabilities in data handlers
    How to abuse it? The simplest way: patch an event handler.

34. Event handler patched to drop a file (VBScript):

    Sub OnClick(ByVal Item)
        Dim tagName, tagValue, tagFilename
        Dim strFilename, strLine
        Dim fso, objFile, objTag
        ' Runs on the operator's click; writes an executable into the WinCC directory
        Set fso = CreateObject("Scripting.FileSystemObject")
        Set objFile = fso.CreateTextFile("%WinCC%1.exe", True)
        strLine = "malware code here"
        objFile.WriteLine strLine
        objFile.Close
    End Sub

35. https://guardian.emersonprocess.com/Guardian/KbaArticleMail.aspx?artId=de1cdd600d56-47b4-b1cf-f6994d0b6fec&exp=164f16aa-ade7-4a64-8bf2-e32d80daa846

36. [Chart: vulnerabilities per vendor (ABB, Emerson, Invensys, Siemens, Other, Sum), series "Total" and "Fixed", y-axis 0 to 180]

37. Self-written HTTP server. Self-written "pseudo" DNS.
    Diagrams from http://cvedetails.com for Apache HTTP Server and ISC BIND.

38. [Chart: vulnerabilities per year, 1997 to 2013; data labels visible in the chart: 1, 2, 9, 7, 6, 10, 11, 14, 100, 96, 94, 135, 81, 17, and 899, 285, 73]

39. Method
    - Understand the components' roles: how they communicate (e.g. HMI-DCS-PLC), how they store data (e.g. account/project data)
    - Define entry points (input): user input, IPC communications, command protocols
    - Analyze code: resurrect the structures/classes used in entry points; research initialization and processing

40. Regex

    # grep recv <decompiled bin function>
    ret = recv(s, buf, buf_len, flags)
    # grep 'buf|buf_len' <decompiled bin function>
    ret = recv(s, buf2, buf[42], flags)

    This is not supposed to work in the real world!
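As an added example of the two grep steps on slide 40 (not the researchers' own tooling), the Python below runs the heuristic over a constructed fragment of decompiler output: find every recv() call, remember which buffers now hold attacker data, and flag any later recv() whose length argument is read out of such a buffer, exactly the buf[42] case on the slide. Apart from the two recv() lines quoted on the slide, everything in SAMPLE_DECOMPILED is invented. As the slide says, this is not supposed to work in the real world: it misses a length that is first copied into a local or computed in a helper, and the exact shape of the text differs between decompilers; it is a triage filter for deciding where to open the disassembler first.

```python
import re

# Constructed decompiler output (not from any real binary). The two recv()
# lines quoted on slide 40 are included verbatim; the rest is made-up context.
SAMPLE_DECOMPILED = """\
int __cdecl handle_client(SOCKET s, char *buf, int buf_len, int flags)
{
  int ret;
  char hdr[16];
  char buf2[512];
  ret = recv(s, buf, buf_len, flags);
  if ( ret <= 0 )
    return ret;
  ret = recv(s, buf2, buf[42], flags);
  ret = recv(s, (char *)hdr, sizeof(hdr), 0);
  ret = recv(s, body, 0x1000, 0);
  return ret;
}
"""

RECV_CALL = re.compile(
    r"\brecv\s*\(\s*(?P<sock>[^,]+),\s*(?P<buf>[^,]+),\s*(?P<len>[^,]+),\s*(?P<flags>[^)]+)\)")
CAST = re.compile(r"^\([^)]*\)\s*")                          # leading C cast such as (char *)
NUMBER = re.compile(r"^(0x[0-9a-fA-F]+|\d+)[uUlL]*$")         # literal length
INDEXED = re.compile(r"^\*?\(?\s*([A-Za-z_]\w*)\s*(\[|\+)")  # buf[42], buf + 4, *(buf + 4)


def classify_length(length_expr, tainted_buffers):
    """Say where a recv() length comes from. 'tainted' means it is read out of a
    buffer that an earlier recv() already filled with attacker-controlled bytes."""
    e = CAST.sub("", length_expr.strip())
    if NUMBER.match(e):
        return "constant"
    if e.startswith("sizeof"):
        return "sizeof"
    m = INDEXED.match(e)
    if m and m.group(1) in tainted_buffers:
        return "tainted"
    return "variable"      # needs manual review: where was it assigned?


def find_recv_calls(decompiled):
    """Return (line number, destination buffer, length expression, class) for every
    recv() call, in order, tracking which buffers hold received data so far."""
    tainted, findings = set(), []
    for lineno, line in enumerate(decompiled.splitlines(), 1):
        m = RECV_CALL.search(line)
        if not m:
            continue
        buf = CAST.sub("", m.group("buf").strip()).lstrip("&")
        kind = classify_length(m.group("len"), tainted)
        findings.append((lineno, buf, m.group("len").strip(), kind))
        tainted.add(buf)   # from here on, bytes in this buffer are attacker-controlled
    return findings


def suspicious_lines(decompiled):
    """Line numbers whose recv() length is taken from already-received data."""
    return [ln for ln, _buf, _len, kind in find_recv_calls(decompiled) if kind == "tainted"]
```

In the sample, line 9 is the hit: buf2 is 512 bytes on the stack, but the number of bytes written into it is whatever the peer put at offset 42 of the first message. "variable" results such as buf_len on line 6 are not cleared, only deferred; they need the same question asked one assignment back.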
41. 7 verified RCE vulnerabilities
    4 verified DoS vulnerabilities (all NPD: null pointer dereferences)

42. …responsible disclosure

43. "cb" is buffer size

44. Disclosure timeline

    scadasl@December 04, 2012# ping vendor.ics.jp
    Request timed out.
    scadasl@January 18, 2013# traceroute vendor.ics.jp
      1   3 days   *
      2   5 days   S4.Conference
      3            jpcert.or.jp
    Request timed out.
    scadasl@March 04, 2013# ping vendor.ics.jp
    Reply from jpcert.or.jp: Destination host reachable!
    scadasl@June 19, 2013# traceroute vendor.ics.jp
      1   1 days   jpcert.or.jp
    Customer list complete!
    scadasl# echo WTF?!

45. http://scadasl.org
    *All pictures are taken from Dr StrangeLove movie and other Internets