Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Industrial 
control systems 
Pentes&ng PLCs 101
Who am I? 
Arnaud 
soullié 
Senior security auditor 
interests 
§ Windows Ac+ve Directory 
Can a Windows AD be secured ? ...
LAB PREREQUISITE 
What’s in the lab vm? 
LAB KALI LINUX 
ADDITIONAL TOOLS 
SCRIPTS AND FILE EXAMPLES 
§ MODBUSPAL 
§ MBT...
AGENDA 
1 
2 
3 
ICS Introduction 
MODBUS protocol 
Attacking plcs
ICS Introduction
What is an Industrial Control System (ICS)? 
Group WAN 
Corporate network 
Corporate IT 
Production 
management 
ERP serve...
A bit of vocabulary 
ICS (Industrial Control System) 
= 
IACS (Industrial Automa4on and Control Systems) 
~= 
SCADA (Super...
ICS COMPONENTS 
§ Sensors and actuators: allow interac=on with the 
physical world (pressure sensor, valves, motors, 
…) ...
SCADA SECURITY AWARENESS TIMELINE (SIMPLIFIED) 
Who cares ? 
<2011 
September 5, 2014
SCADA SECURITY AWARENESS TIMELINE (SIMPLIFIED) 
Who cares ? 
OMG ! 
OMG ! 
STUXNET !!! 
2011 
<2011 
September 5, 2014
SCADA SECURITY AWARENESS TIMELINE (SIMPLIFIED) 
2011 Under control 
Who cares ? 
OMG ! 
OMG ! 
STUXNET !!! 
<2011 
One day...
WHAT IS WRONG WITH CURRENT ICS security? 
Network 
segmentation 
security 
supervision 
Organization & 
awareness 
Vulnera...
ICS-­‐CERT listed over 250 a6acks on ICS in 2013 
59% of a6acks targeted the energy sector 
79 a6acks successfully comprom...
What is 
A PLC? 
§ Real-­‐+me digital computer used for automa+on 
§ Replaces electrical relays 
§ Lots of analogue or ...
PLC 
programming 
§ “Ladder Logic” was the first programming language for PLC, as it mimics the real-­‐life 
circuits 
§...
Finding scada systems on the internet 
I
§ Shodan is a search engine dedicated to find devices exposed to the Internet 
§ It regularly scans the whole Internet I...
FUNNy things you can find on teh interwebs 
It’s not just webcams. 
This is a crematorium. 
On the internet.
MODBUS Protocol
Modbus 
protocol 
§ Serial communica+on protocol invented in 1979 by Schneider Electric 
§ Developed for industrial appl...
Modbus 
protocol 
§ Modbus was originally made for serial communica+ons 
§ However it is now ooen used over TCP 
MODBUS/...
Modbus 
protocol 
§ The most common Modbus func+ons allow to read and write data from/to a PLC 
§ Other func+ons, such a...
Modbus 
protocol 
ALL documented MODBUS function codes (from wikipedia) h,p://en.wikipedia.org/wiki/Modbus
Lab Session #1: Analyzing a Modbus communication with Wireshark 
§ Launch Wireshark 
§ Open “modbus1.pcap” 
§ Try to un...
Lab session #2: ModbusPal 
§ Modbuspal is a modbus simulator 
$ > java –jar ModbusPal.jar 
§ Add a modbus slave 
§ Set ...
Lab session #2: ModbusPal + MBTGET 
§ Mbtget is a perl script to perform Modbus/tcp queries 
$ > cd toolz 
$ > ./mbtget -...
Lab session #2: ModbusPal + METASPLOIT 
§ A simple modbus client that I developed 
§ Can perform read and write operaHon...
Attacking 
plcs 
Never do this 
on LIVE production systems 
Attacking 
plcs 
Never do this 
on LIVE production systems
Lab session #3 : Reconnaissance 
§ ObjecHve : IdenHfy all exposed services on a device or a 
range of devices 
§ Oken th...
Lab session #3 : Reconnaissance (Nmap) 
§ The de-­‐facto tool for port scanning but can be really dangerous 
on ICS 
§ T...
Lab session #3 : Reconnaissance (PLCSCAN) 
§ h6ps://code.google.com/p/plcscan/ 
by SCADAStrangeLove (h6p://scadastrangelo...
Lab session #4 : Attacking standard services 
§ Most PLCs have standard interfaces, such as HTTP and FTP 
§ Lets’ say se...
Lab session #5 : Attacking ICS protocols 
§ Modbus 
§ Scan for registry values using mbtget 
§ Python / Ruby / Perl / P...
What can we do about it ? 
It’s difficult, but not all hope is lost. 
Network segmentation Patch when you can 
§ Do not e...
TOOLZ used during the workshop 
§ Kali Linux: h6p://www.kali.org/ 
§ MBTGET: h6ps://github.com/sourceperl/mbtget 
§ PLC...
www.solucom.fr 
Contact 
Arnaud SOULLIE 
Senior consultant 
arnaud.soullie[AT]solucom.fr
Upcoming SlideShare
Loading in …5
×

Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Europe 2014)

10,663 views

Published on

Slides from my BlackHat Europe 2014 Workshop.
Industrial Control Systems : Pentesting PLCs 101.

Published in: Technology
  • DOWNLOAD FULL BOOKS INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Hi Arnaud, is it possible to get the VM Labs used in this workshop? Thanks before :)
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Europe 2014)

  1. 1. Industrial control systems Pentes&ng PLCs 101
  2. 2. Who am I? Arnaud soullié Senior security auditor interests § Windows Ac+ve Directory Can a Windows AD be secured ? JSSI 2014 (French, sorry) § SCADA stuff § Wine tas+ng (we’re not going to talk about it today) @arnaudsoullie
  3. 3. LAB PREREQUISITE What’s in the lab vm? LAB KALI LINUX ADDITIONAL TOOLS SCRIPTS AND FILE EXAMPLES § MODBUSPAL § MBTGET § PLCSCAN § SNAP7 § … § PCAP SAMPLES § SCRIPTS SKELETONS § …
  4. 4. AGENDA 1 2 3 ICS Introduction MODBUS protocol Attacking plcs
  5. 5. ICS Introduction
  6. 6. What is an Industrial Control System (ICS)? Group WAN Corporate network Corporate IT Production management ERP server Supervision network / SCADA Data Historian / Scada server Maintenance laptops Supervision consoles Production network RTUs PLCs ICS PLC Wireless industrial networks Corporate IS handle data ≠ ICS handle interfaces data with physical world
  7. 7. A bit of vocabulary ICS (Industrial Control System) = IACS (Industrial Automa4on and Control Systems) ~= SCADA (Supervisory Control And Data Acquisi4on) ~= DCS (Distributed Control System) Nowadays, people tend to say “SCADA” for anything related to ICS
  8. 8. ICS COMPONENTS § Sensors and actuators: allow interac=on with the physical world (pressure sensor, valves, motors, …) § Local HMI: Human-­‐Machine Interface, permits the supervision and control of a subprocess § PLC: Programmable Logic Controller : manages the sensors and actuators § Supervision screen: remote supervision of the industrial process § Data historian: Records all the data from the produc=on and Scada networks and allows expor=ng to the corporate IS (to the ERP for instance)
  9. 9. SCADA SECURITY AWARENESS TIMELINE (SIMPLIFIED) Who cares ? <2011 September 5, 2014
  10. 10. SCADA SECURITY AWARENESS TIMELINE (SIMPLIFIED) Who cares ? OMG ! OMG ! STUXNET !!! 2011 <2011 September 5, 2014
  11. 11. SCADA SECURITY AWARENESS TIMELINE (SIMPLIFIED) 2011 Under control Who cares ? OMG ! OMG ! STUXNET !!! <2011 One day ? September 5, 2014
  12. 12. WHAT IS WRONG WITH CURRENT ICS security? Network segmentation security supervision Organization & awareness Vulnerability management third paRty management security In protocols
  13. 13. ICS-­‐CERT listed over 250 a6acks on ICS in 2013 59% of a6acks targeted the energy sector 79 a6acks successfully compromised the target 57 a6acks did not succeed in compromising the target 120 a6acks were not idenHfied/invesHgated
  14. 14. What is A PLC? § Real-­‐+me digital computer used for automa+on § Replaces electrical relays § Lots of analogue or digital inputs & outputs § Rugged devices (immune to vibra+on, electrical noise, temperature, dust, …) What’s inside ? Siemens S7-1200
  15. 15. PLC programming § “Ladder Logic” was the first programming language for PLC, as it mimics the real-­‐life circuits § IEC 61131-­‐3 defines 5 programming languages for PLCs § LD: Ladder Diagram § FBD: Func+on Block Diagram § ST: Structured Text § IL: Instruc+on List § SFC: Sequen+al Func+on Chart Ladder diagram example Structured text example (* simple state machine *) TxtState := STATES[StateMachine]; CASE StateMachine OF 1: ClosingValve(); ELSE ;; BadCase(); END_CASE; Instruction list example LD Speed GT 1000 JMPCN VOLTS_OK LD Volts VOLTS_OK LD 1 ST %Q75
  16. 16. Finding scada systems on the internet I
  17. 17. § Shodan is a search engine dedicated to find devices exposed to the Internet § It regularly scans the whole Internet IPV4 range (~4,3 billions IPs) § Results are par+ally free (you have to pay to export the results) What can you find? § All kinds of connected devices § PLCs § Webcams § Smart-­‐things (fridge, TV, …) § Things you can’t even imagine… § Example ICS report : hgps://www.shodan.io/report/l7VjfVKc ALTERNATIVES? § Scan the Internet yourself (Zmap, Massscan) § Other online services/surveys
  18. 18. FUNNy things you can find on teh interwebs It’s not just webcams. This is a crematorium. On the internet.
  19. 19. MODBUS Protocol
  20. 20. Modbus protocol § Serial communica+on protocol invented in 1979 by Schneider Electric § Developed for industrial applica+on § Royalty-­‐free § Now one of the standards for industrial communica+ons HOW it works § Master / Slave protocol § Master must regularly poll the slaves to get informa+on § Modbus addresses are 8 bits long, so only 247 slaves per master § There is no object descrip+on: a request returns a value, without any context or unit Security anyone? § Clear-­‐text § No authen+ca+on
  21. 21. Modbus protocol § Modbus was originally made for serial communica+ons § However it is now ooen used over TCP MODBUS/TCP FRAME FORMAT Name Length FuncHon TransacHon idenHfier 2 For synchronizaHon between server & client Protocol idenHfier 2 Zero for Modbus/TCP Length field 2 Number of remaining bytes in this frame Unit idenHfier 1 Slave address (255 if not used) FuncHon code 1 FuncHon codes as in other variants Data bytes or command n Data as response or commands
  22. 22. Modbus protocol § The most common Modbus func+ons allow to read and write data from/to a PLC § Other func+ons, such as file read and diagnos+cs func+ons also exist § Undocumented Modbus func+on codes can also be used to perform specific ac+ons COMMONLY USED MODBUS function codes FuncHon name FuncHon code Read coils 1 Write single coil 5 Read holding registers 3 Write single register 6 Write mulHple registers 16 Read/Write mulHple registers 23
  23. 23. Modbus protocol ALL documented MODBUS function codes (from wikipedia) h,p://en.wikipedia.org/wiki/Modbus
  24. 24. Lab Session #1: Analyzing a Modbus communication with Wireshark § Launch Wireshark § Open “modbus1.pcap” § Try to understand what’s going on § What’s the value of register #123 at the end?
  25. 25. Lab session #2: ModbusPal § Modbuspal is a modbus simulator $ > java –jar ModbusPal.jar § Add a modbus slave § Set some register values § Query it with: § MBTGET Perl script § Metasploit module § Analyze traffic with Wireshark
  26. 26. Lab session #2: ModbusPal + MBTGET § Mbtget is a perl script to perform Modbus/tcp queries $ > cd toolz $ > ./mbtget -h § Read requests § Coils (1 bit) $ > ./mbtget –r1 –a 0 –n 8 127.0.0.1 § Words (8 bits) $ > ./mbtget –r3 –a 0 –n 8 127.0.0.1 § Write requests § Coils (1 bit) $ > ./mbtget –w3 #{VALUE} –a 0 –n 8 127.0.0.1 § Words (8 bits) $ > ./mbtget –w6 #{VALUE} –a 0 –n 8 127.0.0.1
  27. 27. Lab session #2: ModbusPal + METASPLOIT § A simple modbus client that I developed § Can perform read and write operaHons on coils and registers § Included in msf’s trunk so you already have it J § Launch msf console $ > msfconsole msf > use auxiliary/scanner/scada/modbusclient msf auxiliary(modbusclient) > info § Play! msf auxiliary(modbusclient) > set ACTION
  28. 28. Attacking plcs Never do this on LIVE production systems Attacking plcs Never do this on LIVE production systems
  29. 29. Lab session #3 : Reconnaissance § ObjecHve : IdenHfy all exposed services on a device or a range of devices § Oken the first step in a pentest § We will use two tools § Nmap: The world’s finest port scanner § PLCSCAN: A reconnaissance tool dedicated to PLCs § PLCs IP addresses § 192.168.0.50: Siemens S7-­‐1200 § 192.168.0.5: Schneider m340
  30. 30. Lab session #3 : Reconnaissance (Nmap) § The de-­‐facto tool for port scanning but can be really dangerous on ICS § Two stories from NIST SP800-­‐82 § A ping sweep broke for over 50 000$ in product at a semi-­‐conductor factory § The blocking of gas distribu>on for several hours a?er a pentester went slightly off-­‐ perimeter during an assessment for a gas company § Nmap useful setup for ICS scanning § Reduce scanning speed! Use « --scan-delay=1 » to scan one port at a Hme § Perform a TCP scan instead of a SYN scan / do not perform UDP scan § Do not use fingerprinHng funcHons, and manually select scripts (do not use “– sC”)
  31. 31. Lab session #3 : Reconnaissance (PLCSCAN) § h6ps://code.google.com/p/plcscan/ by SCADAStrangeLove (h6p://scadastrangelove.org/) § Scans for ports 102 (Siemens) and 502 (Modbus) and tries to pull informaHon about the PLC (modules, firmware version,…) § Not exhausHve since not all PLCs use Modbus or are Siemens § What if I told you there was another way… SNMP ?
  32. 32. Lab session #4 : Attacking standard services § Most PLCs have standard interfaces, such as HTTP and FTP § Lets’ say security was not the first thing in mind when introducing these features … § Schneider M340 § Connect to the webserver § Default password § Hardcoded password ? § Take a look at Java applets !
  33. 33. Lab session #5 : Attacking ICS protocols § Modbus § Scan for registry values using mbtget § Python / Ruby / Perl / PHP, your call ! § Siemens S7-­‐1200 § python s7-read-new.py 192.168.0.50 § python s7-write-outputs.py 192.168.0.50 11111 § UnauthenHcated acHons § STOP/RUN msf > use auxiliary/admin/scada/modicon_command § Logic download/upload msf > use auxiliary/admin/scada/modicon_stux_transfer
  34. 34. What can we do about it ? It’s difficult, but not all hope is lost. Network segmentation Patch when you can § Do not expose your ICS on the Internet § Do not expose all of your ICS on your internal network § Use DMZ / Data diodes to export data from ICS to corporate network § Patching once a year during plant maintenance is beYer than doing nothing Apply corporate best practices § Change default passwords § Disable unused services Security supervision § IPS have signatures for ICS § Create your own signatures, it is not that difficult Y U NO SECURE ICS ? THE COST IS TOO DAMN HIGH !
  35. 35. TOOLZ used during the workshop § Kali Linux: h6p://www.kali.org/ § MBTGET: h6ps://github.com/sourceperl/mbtget § PLCSCAN: h6ps://code.google.com/p/plcscan/ § METASPLOIT MODULES § Modbusclient: included in Metasploit § modicon_stux_transfer_ASO (not totally finished): h6ps://github.com/arnaudsoullie/metasploit-­‐framework/ blob/modicon_stux_transfer/modules/auxiliary/admin/ scada/modicon_stux_transfer.rb § Scripts for the Siemens § Snap7: h6p://snap7.sourceforge.net/ § Py. wrapper: h6ps://pypi.python.org/pypi/python-­‐snap7/ § The actual scripts: h6ps://github.com/arnaudsoullie/scan7
  36. 36. www.solucom.fr Contact Arnaud SOULLIE Senior consultant arnaud.soullie[AT]solucom.fr

×