SCADA StrangeLove 2: We already know
    Presentation Transcript

    • http://scadasl.org *All pictures are taken from Dr StrangeLove movie and other Internets
    • Speakers
      - Sergey Gordeychik: Positive Hack Days Director and Scriptwriter, WASC board member, http://www.phdays.com
      - Gleb Gritsai: Principal Researcher, Network security and forensic researcher, member of PHDays Challenges team, @repdet
    • SCADA StrangeLove: group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence.
      Members: Sergey Gordeychik, Roman Ilin, Artem Chaykin, Dmitry Efanov, Andrey Medov, Alexander Zaitsev, Dmitry Sklyarov, Kirill Nesterov, Gleb Gritsai, Ilya Karpov, Yuriy Dyachenko, Yuri Goltsev, Sergey Scherbel, Dmitry Serebryannikov, Alexander Timorin, Alexander Tlyapov, Denis Baranov, Sergey Bobrov, Sergey Drozdov, Vladimir Kochetkov, Timur Yunusov, Dmitry Nagibin, Vyacheslav Egoshin, Evgeny Ermakov
    • Agenda
      - Analytics: “SCADA security in numbers”
      - Industrial Protocols
      - ICS systems on the internets: plcscan for S7 and modbus
      - Vulnerabilities: Siemens WinCC components and vulnerabilities
      - Lot’s of “We don’t know yet”
    • To find ICS systems / to find vulnerable devices:
      - Get https://scans.io/ (~500 GB) = ~$60
      - Index by Elastic Search (3 cpu days) = $0
      - Grep it all! It’s all vulnerable (for sure!) = $0
      - Put in Excel (I hate it!) = $9000
      - CoV: ($60 + $0 + $0 + $9000) / 68076 = $0.1330865503261061
    • Old, slow, boring: Google/Bing/Shodanhq/ERIPP
      New, fast, easy to automate: ZMap, Masscan
      - Homebrew scans of industrial ports
      - Rapid7 Project Sonar
      - Internet Census (not so new)
      - + fast full-text search engines
    • Devices by country

      Country   Devices
      US        31211
      DE         3793
      IT         2956
      BR         2461
      GB         2282
      CA         2276
      KR         1785
      SE         1345
      ES         1341
      NL         1312
      FR         1171
      TW         1126
      CN          891
      JP          885

    • Devices by vendor

      Vendor              Devices   Share
      Tridium               19490     29%
      NRG Systems           11715     17%
      Lantronix              6988     10%
      Moxa                   3949      6%
      Beck IPC               3655      5%
      Generic                2794      4%
      Schneider Electric     2458      4%
      Rabbit                 1958      3%
      SAP                    1639      2%
      Westermo               1526      2%
      Echelon                1395      2%
      Siemens                1322      2%
      TAC AB                 1321      2%
      Digi                    988      1%
      DATACOM                 945      1%
      Other                  5933      9%

    • Devices by product

      Product                         Devices   Share
      WindCube                          11715     45%
      IPC@CHIP                           3655     14%
      Lantronix SLS                      2204      8%
      PowerLogic ION                     1806      7%
      NetWeaver Application Server       1639      6%
      Lantronix XPort AR                 1413      5%
      i.LON 600                          1395      5%
      Lantronix UDS1100                  1310      5%
      Westermo MRD-310                   1171      5%

    • Exposed services

      Service      Count   Share
      http         49989     73%
      snmp         15253     23%
      Industrial    1612      2%
      telnet         671      1%
      ftp            604      1%

    • Industrial protocols found

      Protocol   Count   Share
      s7           827     53%
      modbus       532     34%
      dnp3         155     10%
      iec104        44      3%
    • Kudos to http://www.scadaexposure.com/ http://scadastrangelove.blogspot.com/2013/12/internet-connected-icsscadaplc30c3.html
    •  What RDP/VNC/Radmin can hide?... …we will never know
    • [Diagram: railway signalling architecture (ETCS). Components: Computer Based Interlocking, RBC, MMI, GSM-R Fixed, GSM-R Onboard, ETCS Onboard, Eurobalise, Station, Plain Line Data; interlocking connected to peripherals such as signals and point machines.]
    • Lot’s of new information coming up
      Protocols (port): Modbus (502), DNP3 (20000), Profinet DCP, S7 (102), MMS (102), IEC104 (2404)
      Tools and write-ups:
      - http://scadastrangelove.blogspot.com/2012/11/plcscan.html
      - http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
      - https://code.google.com/p/scadascan/
      - http://sourceforge.net/projects/dnp/
      - http://nmap.org/nsedoc/scripts/modbus-discover.html
      - http://scadastrangelove.blogspot.com/2013/05/scada-strangelove-positive-hack-days.html
      But some protocols are still not researched [kudos to Alexander Timorin @atimorin]
    • Native broadcast to identify all components
      - Resource index = 0x82
      - Resource name = 0x5345???????????? (SE??????)
      - Packet counter = 0x3ba1
    • https://www.thc.org/thc-hydra/
    • …responsible disclosure
    • [Diagram: WinCC deployment. WinCC Web-Client and WinCC DataMonitor reachable from Internet, corp LAN and VPNs; WinCC SCADA-Clients, WinCC SCADA-Client + Web-Server and WinCC Servers on the LAN; Engineering station (TIA portal/PCS7); PLC1, PLC2, PLC3 connected via PROFINET / PROFIBUS.]
    • http://www.youtube.com/watch?v=bE2r7r7VVic
    • “This is my encryptionkey”
      Metasploit module for harvesting data from WinCC project’s database and decrypting ciphertexts: http://scadastrangelove.blogspot.com/2013/08/wincc-harvester-metasploit-module-is.html
    • This is my encryptionkey is AUHFPPCY PPCY POEK LWUBWMKKEKJWVOPP WLDZ HSLWEK
    • This is SHA "0xC280" x len(password) + "0xC280" x len(password)
    • WinCC Web Navigator components [kudos to Alexander Tlyapov @rigros1]
      - ActiveX components for communication and rendering of HMI
      - Another component of WinCC, for example forwarding commands to the PLC via the S7 protocol
      - IIS extension SCSWebBridgex.dll: manages the SCS connection and converts data to PAL
      - CCEServer.exe (yep-yep, again): WinCC core, manages requests of components
      - WebNavigatorRT.exe: rendering HMI and command transmission
    • [Diagram: CCEServer in the middle, connected to HMI, other components, PLC communication and the license server.]
      To register a component in the CCEServer, call CAL_StartListen(Component’s GUID, PID, Required callbacks, etc.)
    • During initial communications an SCS packet is sent with a GUID describing the target component
    • [Diagram: XML external entity attack. Attacker sends XML to the server; DTD parsing and SYSTEM entity reading lead to PROFIT!]
    • What is a Project?
      - Collection of ActiveX/COM/.NET objects
      - Event Handlers and other code (C/VB)
      - Configuration files, XML and other
      Can a Project be trusted? Ways to spread malware with a Project?
    • NO!
      - Project itself is dynamic code
      - It’s easy to patch it “on the fly”
      - Vulnerabilities in data handlers
      How to abuse? Simplest way – to patch an event handler
    • Example event handler (VBScript) from the slide; the file name and payload are placeholders as shown there:

          ' OnClick handler of an HMI object: drops a file into the WinCC directory
          Sub OnClick(ByVal Item)
              Dim strLine
              Dim fso, objFile
              Set fso = CreateObject("Scripting.FileSystemObject")
              Set objFile = fso.CreateTextFile("%WinCC%1.exe", True)
              strLine = "malware code here"
              objFile.WriteLine strLine
              objFile.Close
          End Sub
    • https://guardian.emersonprocess.com/Guardian/KbaArticleMail.aspx?artId=de1cdd600d56-47b4-b1cf-f6994d0b6fec&exp=164f16aa-ade7-4a64-8bf2-e32d80daa846
    • [Bar chart, 0–180 scale: vulnerabilities by vendor (ABB, Emerson, Invensys, Siemens, Other); Sum Total vs. Fixed.]
    • Self-written HTTP server, self-written “pseudo” DNS: diagrams from http://cvedetails.com for Apache HTTP Server and ISC BIND
    • [Bar chart: CVE count per year, 1997–2013, peaking at 899 in one year; values on the slide are not recoverable in order.]
    • Methodology
      - Understand the components’ roles: how they communicate (i.e. HMI-DCS-PLC), how they store data (i.e. account/project data)
      - Define entry points (input): user input, IPC communications, command protocols
      - Analyze code: resurrect structures/classes used in entry points; research initialization and processing
    • Regex

          # grep recv <decompiled bin function>
          ret = recv(s, buf, buf_len, flags)
          # grep 'buf|buf_len' <decompiled bin function>
          ret = recv(s, buf2, buf[42], flags)

      This is not supposed to work in the real world!
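The grep heuristic on the slide, written out as a small Python checker (an added example, not the speakers’ tooling): it scans decompiled pseudocode for recv() calls whose length argument is derived from a buffer filled by an earlier recv() in the same function, the pattern shown above. The sample input is constructed.

```python
import re

# Captures the four arguments of a recv(sock, buf, len, flags) call.
RECV_RE = re.compile(r"recv\s*\(\s*([^,]+),\s*([^,]+),\s*([^,]+),\s*([^)]+)\)")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def find_tainted_recv_lengths(decompiled: str):
    """Return (line_no, buffer, length_expr) for every recv() whose length
    expression references a buffer that an earlier recv() wrote into."""
    received = set()      # buffers already filled from the socket
    findings = []
    for no, line in enumerate(decompiled.splitlines(), 1):
        m = RECV_RE.search(line)
        if not m:
            continue
        _sock, buf, length, _flags = (a.strip() for a in m.groups())
        # sizeof(buf) is a compile-time constant, not attacker-controlled
        length_wo_sizeof = re.sub(r"sizeof\s*\([^)]*\)", "", length)
        used = set(IDENT_RE.findall(length_wo_sizeof))
        if used & received:
            findings.append((no, buf, length))
        received.add(buf)
    return findings


# Constructed decompiler output: a header read followed by a body read whose
# size is taken straight out of the header.
SAMPLE = """\
int handle_client(int s) {
    char buf[64];
    char buf2[256];
    int ret;
    ret = recv(s, buf, buf_len, flags);        // header
    ret = recv(s, buf2, buf[42], flags);       // length from header
    return ret;
}
"""

if __name__ == "__main__":
    for no, buf, length in find_tainted_recv_lengths(SAMPLE):
        print(f"line {no}: recv into {buf} with length {length!r} taken from received data")
```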
    •   7 verified RCE vulnerabilities 4 verified DoS vulnerabilities (all NPD)
    • …responsible disclosure
    •  “cb” is buffer size
    • Disclosure timeline, as a terminal session:

          scadasl@December 04, 2012# ping vendor.ics.jp
          Request timed out.
          scadasl@January 18, 2013# traceroute vendor.ics.jp
          1  3 days   S4.Conference
          2  5 days   jpcert.or.jp
          3  *        Request timed out.
          scadasl@March 04, 2013# ping vendor.ics.jp
          Reply from jpcert.or.jp: Destination host reachable!
          scadasl@June 19, 2013# traceroute vendor.ics.jp
          1  1 days   jpcert.or.jp  Customer list complete!
          scadasl# echo WTF?!