Scada Strangelove - 29c3



  1. Sergey Gordeychik, Denis Baranov, Gleb Gritsai
  2. Sergey Gordeychik
     • Positive Technologies CTO, Positive Hack Days Director and Scriptwriter, WASC board member
     • http://sgordey.blogspot.com, http://www.phdays.com
     Gleb Gritsai
     • Principal Researcher, network security and forensic researcher, member of PHDays Challenges team
     • @repdet, http://repdet.blogspot.com
     Denis Baranov
     • Head of AppSec group, researcher, member of PHDays CTF team
  3. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence
     Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Ilya Smith, Roman Ilin, Alexander Tlyapov
  4. http://scadastrangelove.blogspot.com/2012/11/scada-safety-in-numbers.html
  5. Siemens ProductCERT
     • Really professional team
     • Quick responses
     • Personal contacts
     • Even patches
     • You guys rock!
  6. • Common target during pentests
     • Most common platform (market, ShodanHQ)
     • Largest number of published and fixed bugs
  7. Invensys, Wonderware, Yokogawa, ICONICS … Stay tuned!
  8. ERP: Business layer
     MES: Operation and production supervision
     SCADA: Supervisor control
     PLC/RTU: Direct control
  9. • SCADA network is isolated and is not connected to other networks, all the more so to the Internet
     • MES/SCADA/PLC is based on custom platforms, and attackers can’t hack it
     • HMI has limited functionality and does not allow mounting an attack…
  10. 100% of tested SCADA networks are exposed to the Internet/corporate network
      • Network equipment/firewall misconfiguration
      • MES/OPC/ERP integration gateways
      • HMI external devices (phones/modems/USB flash) abuse
      • VPN/Dialup remote access
      99.9(9)% of tested SCADA can be hacked with Metasploit
      • Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)
      • Standard protocols (RPC, CIFS/SMB, Telnet, HTTP…)
      • Standard bugs (patch management, passwords, firewalling, application vulnerabilities)
  11. 50% of HMI/Engineering stations are also used as desktops
      • Kiosk mode bypass
      • (Secret) Internet access
      • games/“keygens”/trojans and other useful software
      ICS security = Internet security in the early 2000s
  12. • NO magic on network
        • Standard network protocols/channel level
      • NO magic on system level
        • Standard OS/DBMS/Apps
        • Windows/SQL for SCADA
        • Linux/QNX for PLC
      • NO AppSec at all
      • ICS guys don’t care about IT/IS
      • MES reality: connecting SCADA to other networks/systems (ERP etc.)
  13. • Ethernet
      • Cell (GSM, GPRS, …)
      • RS-232/485
      • Wi-Fi
      • ZigBee
      • Lots of other radio and wire
      • All can be sniffed thanks to community
  14. • Modbus
      • DNP3
      • OPC
      • S7
      • EtherCAT
      • FL-net
      • Foundation Fieldbus
      • And more and more …
  15. • Sniffing
      • Spoofing/Injection
      • Fingerprinting/Data collection
      • Fuzzing
      • Security?!
  16. • Wireshark supports most of it
      • Third-party protocol dissectors for Wireshark
      • Industry grade tools and their free functions
        • FTE NetDecoder
      • No dissector/tool? No problem
        • Plaintext and easy to understand protocols
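Slide 16 makes the point that these protocols are plaintext and easy to understand. As an added illustration (not code from the talk), here is a minimal Modbus/TCP dissector in Python that also flags write requests coming from hosts that are not known engineering stations; the frames, hosts and the allowlist are constructed.

```python
import struct

# Function code names from the Modbus application protocol specification.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus PDU; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:  # length field covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    func = frame[7]
    return {"tid": tid, "unit": unit, "function": func,
            "name": WRITE_FUNCTIONS.get(func) or READ_FUNCTIONS.get(func, "other"),
            "is_write": func in WRITE_FUNCTIONS, "data": frame[8:]}

def flag_unexpected_writes(frames: list, allowed_writers: set) -> list:
    """Alerts for write requests from sources not in allowed_writers and for
    malformed frames; frames is a list of (source_ip, raw_frame) tuples."""
    alerts = []
    for src, frame in frames:
        try:
            m = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append(f"{src}: malformed Modbus frame ({err})")
            continue
        if m["is_write"] and src not in allowed_writers:
            alerts.append(f"{src}: {m['name']} (fc {m['function']}) to unit {m['unit']}")
    return alerts

# Constructed sample traffic: the HMI at 10.0.0.5 reads and writes a register,
# an unknown host issues the same write (fc 6) to unit 1, then sends a truncated frame.
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000002")),
    ("10.0.0.5", bytes.fromhex("000200000006010600010007")),
    ("10.0.0.99", bytes.fromhex("000300000006010600010000")),
    ("10.0.0.99", bytes.fromhex("0004000000")),
]
ALLOWED_WRITERS = {"10.0.0.5"}
```

Running `flag_unexpected_writes(SAMPLE_FRAMES, ALLOWED_WRITERS)` reports only the two frames from 10.0.0.99.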
  17. • Widely available tools for Modbus packet crafting
      • Other protocols only with general packet crafters (Scapy)
      • More tools to come (from us ;))
      • Most protocols can be attacked by simple packet replay
      • Or you can write your own fuzZzer*
      * But don’t forget about Python compilation issues (sec-recon, hi there)
  18. • Well known ports
      • Modbus
        • Product, Device, GW, Unit enumeration
      • S7
        • Product, Device, Associated devices
      • OPC
        • RPC/DCOM, but authentication
      • Modern fingerprinting add-ons
        • snmp, http, management ports
  19. By Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin
      Google/Shodan dorks for: Siemens, Emerson, Allen-Bradley, Rockwell Automation, Schneider Electric, General Electric
      Want to be a real SCADAHacker? Just click! http://bit.ly/12RzuJC
  20. • Open Source ICS devices scan/fingerprint tool
      • Supports modbus, S7, more to come
        • Software and hardware version
        • Device name and manufacturer
        • Other technical info
      Thanks to Dmitry Efanov
  21. http://scadastrangelove.blogspot.ru/2012/11/plcscan.html
  22. Just a network device with its own
      • OS
      • Network stack
      • Applications
      • …vulnerabilities
      How to find vulnerabilities in PLC
      • Nothing special
      • Fuzzing
      • Code analysis
      • Firmware reversing
  23. • Firmware is in Intel HEX format
      • Several LZSS blobs and ARM code
      • Blobs contain file system for PLC
      • Web application source code (MSWL)
      • … And ...
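Slides 23 and 24 describe firmware shipped in Intel HEX format with an ASCII-armored certificate inside. As an added example (not the researchers' tooling), here is a Python Intel HEX parser that verifies each record checksum, rebuilds contiguous memory chunks across extended linear address records, and locates PEM-style `-----BEGIN` markers in the result; the records are constructed, not real firmware.

```python
import re

def parse_ihex_record(line: str) -> dict:
    """Decode one ':LLAAAATT<data>CC' record and verify its checksum."""
    raw = bytes.fromhex(line.strip()[1:])
    length, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
    if len(raw) != 5 + length:
        raise ValueError("length field does not match record size")
    if sum(raw) & 0xFF:  # all bytes incl. checksum sum to 0 mod 256
        raise ValueError(f"bad checksum in record at 0x{addr:04X}")
    return {"type": rtype, "addr": addr, "data": raw[4:4 + length]}

def ihex_to_image(text: str) -> dict:
    """Return {absolute address: bytes}; handles types 00/01/04 and merges adjacent data."""
    chunks = {}
    base = 0
    for line in text.splitlines():
        if not line.startswith(":"): continue  # blank line or comment
        rec = parse_ihex_record(line)
        if rec["type"] == 0x01: break  # end of file record
        if rec["type"] == 0x04:  # upper 16 bits of the linear address
            base = int.from_bytes(rec["data"], "big") << 16
        elif rec["type"] == 0x00:
            chunks[base + rec["addr"]] = rec["data"]
    merged = {}
    for addr in sorted(chunks):
        last = max(merged) if merged else None
        if last is not None and last + len(merged[last]) == addr:
            merged[last] += chunks[addr]  # contiguous with previous chunk
        else:
            merged[addr] = chunks[addr]
    return merged

def find_armored_blocks(image: dict) -> list:
    """Absolute addresses of '-----BEGIN' markers (PEM certificates or keys)."""
    hits = []
    for addr, data in image.items():
        hits += [addr + m.start() for m in re.finditer(b"-----BEGIN", data)]
    return hits

# Constructed sample: 8 data bytes at 0x08000000 followed by a PEM marker.
SAMPLE_HEX = """\
:020000040800F2
:0400000001020304F2
:04000400AABBCCDDEA
:0A0008002D2D2D2D2D424547494EA8
:00000001FF
"""
```

`ihex_to_image(SAMPLE_HEX)` yields one 18-byte chunk at 0x08000000, and `find_armored_blocks` reports the marker at 0x08000008.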
  24. • ASCII armored certificate! For what?
      • For built-in Certification Authority ?!?!??!!!??!
      • Is there a private key?
  25. …responsible answer
  26. • Hardcoded S7 PLC CA certificate (Dmitry Sklyarov)
        http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html
      • Multiple vulnerabilities in S7-1200 PLC web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov)
        http://www.siemens.com/corporatetechnology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
  27. • Network stack
        • Connects with PLCs, etc.
      • OS
      • Database
      • Applications
        • HMI
        • Web
        • Tools
  28. • Depends on OS/DBMS security
      • GUI restrictions/Kiosk mode for HMI
      • OS network stack and API heavily used
        • File shares
        • RPC/DCOM
        • Database replication
      • Password authentication, ACLs/RBAC
      • Something else?
  29. • Nothing special
      • Windows/Linux
      • No patches
      • Weak/absent passwords
      • Misconfiguration
      • Insecure defaults
  30. • Insecure configuration
      • Users/passwords
      • Configuration
      • ICS-related data
  31. • Hardcoded accounts (fixed)
      • MS SQL listening on the network out of the box*
        * “Security controller” restricts access to the subnet
      • Two-tier architecture with Windows integrated auth and direct data access
        • We don’t know how to make it secure
      • Lots of “encrypted” stored procedures with exec
  32. • First noticed in May 2005
      • Published in April 2008
      • Abused by Stuxnet in 2010
      • Fixed by Siemens in Nov 2010*
      • Still works almost everywhere
      * WinCC V7.0 SP2 Update 1
  33. • {Hostname}_{Project}_TLG*
        • TAG data
      • CC_{Project}_{Timestamp}*
        • Project data and configuration
        • Users, PLCs, Privileges
  34. • Managed by UM app
      • Stored in dbo.PW_USER
  35. • Administrator:ADMINISTRATOR
      • Avgur2 > Avgur
  36. This is myencryptionkey
  37. …responsible disclosure
  38. • WinCC Harvester msf module
      • WinCC security hardening guide
      • Exclusive cipher tool & msf module. We don’t have yet…
      http://scadastrangelove.blogspot.com/2012/11/wincc-harvester.html
      http://scadastrangelove.blogspot.ru/2012/12/siemens-simatic-wincc-7x-security.html
  39. WebNavigator
      • Web-based HMI
      • IIS/ASP.NET
      • ActiveX client-side
      DiagAgent
      • Diagnostic and remote management application
      • Custom web-server
      …
  40. • Not started by default and should never be launched
      • No authentication at all
      • XSSes
      • Path traversal (arbitrary file reading)
      • Buffer overflow
  41. Web-based HMI
      • XPath Injection (CVE-2012-2596)
      • Path Traversal (CVE-2012-2597)
      • XSS ~ 20 instances (CVE-2012-2595)
      Fixed in Update 2 for WinCC V7.0 SP3
      http://support.automation.siemens.com/WW/view/en/60984587
  42. • Can help to exploit server-side vulnerabilities*
      • Operator’s browser is a proxy to the SCADA net!
      • Anybody works with SCADA and the Internet using the same browser?
      * http://www.slideshare.net/phdays/root-via-xss-10716726
  43. http://www.surfpatrol.ru/en/report
  44. A lot of “WinCCed” IE from countries/companies/industries
      Special prize to guys from the US for WinCC 6.X in 2012
  45. • Lots of XSS and CSRF
        • CVE-2012-3031
        • CVE-2012-3028
      • Lots of arbitrary file reading
        • CVE-2012-3030
      • SQL injection over SOAP
        • CVE-2012-3032
      • ActiveX abuse
        • CVE-2012-3034
      http://bit.ly/WW0TL2
  46. …responsible disclosure
  47. All pictures are taken from the Dr. Strangelove movie
