SlideShare a Scribd company logo

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters

Positive Hack Days
Positive Hack Days

This document summarizes an presentation on industrial protocols for pentesters. It discusses several common industrial protocols including Modbus, Siemens S7, PROFINET, and provides information on analyzing them such as looking for patterns in hex dumps. Specific exploitation techniques are mentioned such as extracting password hashes from TIA Portal project files or intercepting S7 authentication challenges and responses. The presenters provide resources for further information on industrial control systems and security.

TechnologyBusiness
1 of 44
Industrial protocols for pentesters Timorin Alexander Efanov Dmitry Positive Technologies PHDays III
Who We Are Timorin Alexander • Lead specialist of penetration testing team at Positive Technologies • Main interests: penetration testing, SCADA systems, industrial protocols, password cracking • atimorin@ptsecurity.ru
Who We Are Efanov Dmitry • Lead specialist of security development team at Positive Technologies • Main interests: penetration testing, network protocols and hex-numbers • defanov@ptsecurity.ru
ICS Industrial Control System
ICS in the World
ICS in the World
ICS in the World
What we will talk about ? • Modbus • Mystical S7 • Authentication and protection • Profinet
Industrial protocols • CIP • BACnet • CC-Link • Ethernet/IP • Modbus • Profinet • S3 / S5 / S7 • DNP3
Old Modbus • Published by Modicon (now Schneider Electric) in 1979. • Widely used for connecting industrial electronic devices • Schneider Electric • Advanced Micro Controls • ABB • Emerson • Chinese NONAME • and all other vendors
Modbus in XX
Modbus in XXI
Modbus TCP Standard port – 502/tcp Modbus Request packet: • No authentication • No encryption • No security
Modbus Functions • Data access • Read/Write Coils and Registers • Read/Write File Records • Diagnostics • Device Identification • … • + User Defined Functions
Modbus Device Identification Standard Function (opcode 0x2B, subcode 0x0E) • VendorName • ProductCode • MajorMinorRevision • VendorUrl • ProductName • ModelName • UserApplicationName
Modbus Device Identification
Modbus Tools • Emulators: • http://www.modbustools.com/download.asp • Device Discovery: • https://code.google.com/p/plcscan/ • https://code.google.com/p/modscan/ • … • Wireshark • python
Modbus Demo
Mystic S7 Standard port – 102/tcp In Siemens docs - iso-on-tcp, rfc 1006
S7 materials • Exploiting Siemens Simatic S7 PLCs (by Dillon Beresford) http://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf • Wireshark dissector http://sourceforge.net/projects/s7commwireshark/ • Libnodave – free communication library http://sourceforge.net/projects/libnodave/
ISO-on-TCP (RFC 1006) • Transport layer only • Require source and destination TSAP (Transport Service Access Point) for connection • TSAP (2 bytes) • Connection type (PG – 0x01, OP– 0x02) • Rack/Slot Id
What is under ISO-on-TCP?
What is under ISO-on-TCP? S5 Communication aka FETCH / WRITE aka Sinec H1 S7 Communication Another S7 Communication
S7 communication S7 packet: PDU-types: • 0x01 – Request • 0x02 – Acknowledgement • 0x03 – Response • 0x07– User Data
What we can do • Read / Write data • Start / Stop CPU • Upload / Download Blocks • List blocks • Get blocks info • Read SZL (System Status List) • Module Identification • Component Identification • LED’s status
Device Identification • PLC scan (https://code.google.com/p/plcscan/) • For s7-300: Module : 6ES7 151-8AB01-0AB0 v.2 Basic Hardware : 6ES7 151-8AB01-0AB0 v.2 Basic Firmware : v.3.2.6 PLC Name : SIMATIC 300(Bla_bla_name) Module Name : IM151-8 PN/DP CPU Plant ID : Copyright : Original Siemens Equipment Module Serial number : S C-BOUV49xxxxx1 Module type name : IM151-8 PN/DP CPU Memory card Serial number : MMC 6CAxxxx0 Module OEM ID : Module Location : • For s7-1200: Module : 6ES7 212-1BD30-0XB0 v.2 Basic Hardware : 6ES7 212-1BD30-0XB0 v.2 Basic Firmware : 6ES7 212-1BD30-0XB0 v.2.2.0
S7-300 password protection Password (8 bytes) «Encryption»:
S7comm on S7-1200 S7-300 S7-1200 Read/Write Vars + + Device Identification + +/- Start/Stop CPU + - Upload/Download Blocks + - Blocks Info + - LED’s status + -
«Another S7 communication» Simple S7 packet ( connection establishment) 72 01 – S7 data delimiter
TIA Portal read/write protection PLC read/write password protection for main operations: CPU start/stop/data change, project upload, firmware update, etc.
TIA Portal PEData.plf passwords history Simple SHA-1 passwords: 456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40} redbox value: password_length * 2 + 1
S7 password hashes extractor source: http://code.google.com/p/scada-tools/source/browse/s7_password_hashes_extractor.py extracting all password sha1 hashes from TIA Portal project file and simple bruteforce. Also possible to intercept password hash when uploading new project to PLC. It’s easy. Know-how protection: • prevent code blocks (OB, FB, FC, DB) from unauthorized access • base64( sha1(password-in-unicode) )
SCADA <-> PLC S7 authentication 1. SCADA-> PLC : auth request 2. SCADA <- PLC : challenge 3. SCADA-> PLC : response = HMAC( SHA1(password), challenge ) 4. SCADA <- PLC : auth result sending authentication challenge from PLC to SCADA workstation
SCADA <-> PLC S7 authentication sending authentication response from SCADA workstation to PLC
SCADA <-> PLC S7 authentication • ICS-CERT alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-016-02 • John the Ripper Jumbo patch: https://github.com/magnumripper/JohnTheRipper/pull/193 • http://www.digitalbond.com/blog/2013/05/10/john-the-ripper-s7-password- cracking/
S7 challenge-response extractor source: http://code.google.com/p/scada-tools/source/browse/s7_brute_offline.py extracting challenge-response values from pcap file and simple bruteforce. pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32‘ -> auth ok pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732‘ -> auth bad Other researches/materials: • Dillon Beresford: http://scadahacker.com/exploits/exploits-dillonbh2011.html
PROFINET family 2003: IEC 61158, IEC 61784 • PROFINET CBA (Component Based Automation) • PROFINET IO
PROFINET IO • master – slave communications • RT (~ 10 ms), IRT (~ 1 ms) • PROFINET PTCP (Precision Time Control Protocol) • PROFINET DCP (Discovery and Basic Configuration Protocol) profinet dcp identify response
PROFINET DCP scanner source: http://code.google.com/p/scada-tools/source/browse/profinet_scanner.py discovering all SCADA devices (PC, HMI, PLC) in subnet
PROFINET DCP scanner payload = 'fefe05000401000200800004ffff0000' pp = Ether(type=0x8892, src=src_mac, dst=01:0e:cf:00:00:00)/payload.decode('hex') fefe 2b: DCP multicast header 05 1b: Identify service 00 1b: Request type 04010002 4b: Xid (request identificator) 0080 2b: Response delay 0004 2b: DCP data length ffff0000 4b: dcp dataOption(All), Suboption(All) Also we can: • change name of station • change ip, gateway • request network info • LED flashing: PLC, HMI (something wrong with PLC or devices ?? ) • and much more … profinet video demo
How to analyze protocols ? • search-analyze-search-analyze-search … • Rob Savoye: “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns” • Rob Savoye: FOSDEM 2009 Reverse Engineering of Proprietary Protocols, Tools and Techniques : http://youtu.be/t3s-mG5yUjY • Netzob: http://www.netzob.org • Fuzzing • wireshark tcpdump python scapy hex viewer
Outro • Positive Technologies SCADA analytics: http://www.ptsecurity.com/download/SCADA_analytics_english.pdf • Findings • Recommendations: • http://scadastrangelove.org • http://www.scadahacker.com • http://www.digitalbond.com • http://ics-cert.us-cert.gov • Releases: https://code.google.com/p/scada-tools/ https://code.google.com/p/plcscan/ • Greetz to: SCADASTRANGELOVE TEAM • QA • And now …
S7-300. Live Demo
Thanks to all … to be continued Timorin Alexander atimorin@ptsecurity.ru Efanov Dmitry defanov@ptsecurity.ru Stay in touch and feel free …

Recommended

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
MPI DevCon Hsinchu City 2017: MIPI C-PHY/D-PHY Dual Mode Subsystem Performanc...
MPI DevCon Hsinchu City 2017: MIPI C-PHY/D-PHY Dual Mode Subsystem Performanc...MPI DevCon Hsinchu City 2017: MIPI C-PHY/D-PHY Dual Mode Subsystem Performanc...
MPI DevCon Hsinchu City 2017: MIPI C-PHY/D-PHY Dual Mode Subsystem Performanc...MIPI Alliance
 
Rust Embedded Development on ESP32 and basics of Async with Embassy
Rust Embedded Development on ESP32 and basics of Async with EmbassyRust Embedded Development on ESP32 and basics of Async with Embassy
Rust Embedded Development on ESP32 and basics of Async with EmbassyJuraj Michálek
 
System On Chip
System On ChipSystem On Chip
System On ChipA B Shinde
 
Programmable Switches for Programmable Logic Devices
Programmable Switches for Programmable Logic DevicesProgrammable Switches for Programmable Logic Devices
Programmable Switches for Programmable Logic DevicesUsha Mehta
 
Vlsi stick daigram (JCE)
Vlsi stick daigram (JCE)Vlsi stick daigram (JCE)
Vlsi stick daigram (JCE)Hrishikesh Kamat
 
introduction of c langauge(I unit)
introduction of c langauge(I unit)introduction of c langauge(I unit)
introduction of c langauge(I unit)Prashant Sharma
 
PROFIBUS frame analysis - Peter Thomas of Control Specialists
PROFIBUS frame analysis - Peter Thomas of Control SpecialistsPROFIBUS frame analysis - Peter Thomas of Control Specialists
PROFIBUS frame analysis - Peter Thomas of Control SpecialistsPROFIBUS and PROFINET InternationaI - PI UK
 

Recommended

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
MPI DevCon Hsinchu City 2017: MIPI C-PHY/D-PHY Dual Mode Subsystem Performanc...
MPI DevCon Hsinchu City 2017: MIPI C-PHY/D-PHY Dual Mode Subsystem Performanc...MPI DevCon Hsinchu City 2017: MIPI C-PHY/D-PHY Dual Mode Subsystem Performanc...
MPI DevCon Hsinchu City 2017: MIPI C-PHY/D-PHY Dual Mode Subsystem Performanc...MIPI Alliance
 
Rust Embedded Development on ESP32 and basics of Async with Embassy
Rust Embedded Development on ESP32 and basics of Async with EmbassyRust Embedded Development on ESP32 and basics of Async with Embassy
Rust Embedded Development on ESP32 and basics of Async with EmbassyJuraj Michálek
 
System On Chip
System On ChipSystem On Chip
System On ChipA B Shinde
 
Programmable Switches for Programmable Logic Devices
Programmable Switches for Programmable Logic DevicesProgrammable Switches for Programmable Logic Devices
Programmable Switches for Programmable Logic DevicesUsha Mehta
 
Vlsi stick daigram (JCE)
Vlsi stick daigram (JCE)Vlsi stick daigram (JCE)
Vlsi stick daigram (JCE)Hrishikesh Kamat
 
introduction of c langauge(I unit)
introduction of c langauge(I unit)introduction of c langauge(I unit)
introduction of c langauge(I unit)Prashant Sharma
 
PROFIBUS frame analysis - Peter Thomas of Control Specialists
PROFIBUS frame analysis - Peter Thomas of Control SpecialistsPROFIBUS frame analysis - Peter Thomas of Control Specialists
PROFIBUS frame analysis - Peter Thomas of Control SpecialistsPROFIBUS and PROFINET InternationaI - PI UK
 
Mosfet ppt by dhwani sametriya
Mosfet ppt by dhwani sametriyaMosfet ppt by dhwani sametriya
Mosfet ppt by dhwani sametriyaDhwani Sametriya
 
Integrated Circuits
Integrated CircuitsIntegrated Circuits
Integrated CircuitsANAND G
 
MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...
MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...
MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...MIPI Alliance
 
All About VLSI In PPT
All About VLSI In PPT All About VLSI In PPT
All About VLSI In PPT ErVishalJangade
 
Online test program generator for RISC-V processors
Online test program generator for RISC-V processorsOnline test program generator for RISC-V processors
Online test program generator for RISC-V processorsRISC-V International
 
301378156 design-of-sram-in-verilog
301378156 design-of-sram-in-verilog301378156 design-of-sram-in-verilog
301378156 design-of-sram-in-verilogSrinivas Naidu
 
Unit II Arm 7 Introduction
Unit II Arm 7 IntroductionUnit II Arm 7 Introduction
Unit II Arm 7 IntroductionDr. Pankaj Zope
 
VLSI TECHNOLOGY
VLSI TECHNOLOGYVLSI TECHNOLOGY
VLSI TECHNOLOGYAbidaSultanaAkhi1
 
FPGA
FPGAFPGA
FPGAAbhilash Nair
 
RADIATION HARDENED CHIPS
RADIATION HARDENED CHIPSRADIATION HARDENED CHIPS
RADIATION HARDENED CHIPSI'am Ajas
 
Vino's 8086 interrupts
Vino's 8086 interruptsVino's 8086 interrupts
Vino's 8086 interruptsVinod K Payyannur
 
ITE - Chapter 2
ITE - Chapter 2ITE - Chapter 2
ITE - Chapter 2Irsandi Hasan
 
SISTec Microelectronics VLSI design
SISTec Microelectronics VLSI designSISTec Microelectronics VLSI design
SISTec Microelectronics VLSI designDr. Ravi Mishra
 
Interrupts
InterruptsInterrupts
InterruptsAnil Kumar Pugalia
 
ASIC Design Flow
ASIC Design FlowASIC Design Flow
ASIC Design FlowRiseTime Semiconductors
 
Ins and Outs of GPIO Programming
Ins and Outs of GPIO ProgrammingIns and Outs of GPIO Programming
Ins and Outs of GPIO ProgrammingICS
 
SRAM Design
SRAM DesignSRAM Design
SRAM DesignBharat Biyani
 
System On Chip (SOC)
System On Chip (SOC)System On Chip (SOC)
System On Chip (SOC)Shivam Gupta
 
Study of vlsi design methodologies and limitations using cad tools for cmos t...
Study of vlsi design methodologies and limitations using cad tools for cmos t...Study of vlsi design methodologies and limitations using cad tools for cmos t...
Study of vlsi design methodologies and limitations using cad tools for cmos t...Lakshmi Narain College of Technology & Science Bhopal
 
Analog Layout and Process Concern
Analog Layout and Process ConcernAnalog Layout and Process Concern
Analog Layout and Process Concernasinghsaroj
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 

More Related Content

What's hot

Mosfet ppt by dhwani sametriya
Mosfet ppt by dhwani sametriyaMosfet ppt by dhwani sametriya
Mosfet ppt by dhwani sametriyaDhwani Sametriya
 
Integrated Circuits
Integrated CircuitsIntegrated Circuits
Integrated CircuitsANAND G
 
MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...
MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...
MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...MIPI Alliance
 
Online test program generator for RISC-V processors
Online test program generator for RISC-V processorsOnline test program generator for RISC-V processors
Online test program generator for RISC-V processorsRISC-V International
 
301378156 design-of-sram-in-verilog
301378156 design-of-sram-in-verilog301378156 design-of-sram-in-verilog
301378156 design-of-sram-in-verilogSrinivas Naidu
 
Unit II Arm 7 Introduction
Unit II Arm 7 IntroductionUnit II Arm 7 Introduction
Unit II Arm 7 IntroductionDr. Pankaj Zope
 
RADIATION HARDENED CHIPS
RADIATION HARDENED CHIPSRADIATION HARDENED CHIPS
RADIATION HARDENED CHIPSI'am Ajas
 
SISTec Microelectronics VLSI design
SISTec Microelectronics VLSI designSISTec Microelectronics VLSI design
SISTec Microelectronics VLSI designDr. Ravi Mishra
 
Ins and Outs of GPIO Programming
Ins and Outs of GPIO ProgrammingIns and Outs of GPIO Programming
Ins and Outs of GPIO ProgrammingICS
 
System On Chip (SOC)
System On Chip (SOC)System On Chip (SOC)
System On Chip (SOC)Shivam Gupta
 
Analog Layout and Process Concern
Analog Layout and Process ConcernAnalog Layout and Process Concern
Analog Layout and Process Concernasinghsaroj
 

What's hot (20)

Mosfet ppt by dhwani sametriya
Mosfet ppt by dhwani sametriyaMosfet ppt by dhwani sametriya
Mosfet ppt by dhwani sametriya
 
Integrated Circuits
Integrated CircuitsIntegrated Circuits
Integrated Circuits
 
MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...
MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...
MIPI DevCon Bangalore 2017: C-PHY and How it Enables Next Generation Display ...
 
All About VLSI In PPT
All About VLSI In PPT All About VLSI In PPT
All About VLSI In PPT
 
Online test program generator for RISC-V processors
Online test program generator for RISC-V processorsOnline test program generator for RISC-V processors
Online test program generator for RISC-V processors
 
301378156 design-of-sram-in-verilog
301378156 design-of-sram-in-verilog301378156 design-of-sram-in-verilog
301378156 design-of-sram-in-verilog
 
Unit II Arm 7 Introduction
Unit II Arm 7 IntroductionUnit II Arm 7 Introduction
Unit II Arm 7 Introduction
 
VLSI TECHNOLOGY
VLSI TECHNOLOGYVLSI TECHNOLOGY
VLSI TECHNOLOGY
 
FPGA
FPGAFPGA
FPGA
 
RADIATION HARDENED CHIPS
RADIATION HARDENED CHIPSRADIATION HARDENED CHIPS
RADIATION HARDENED CHIPS
 
Vino's 8086 interrupts
Vino's 8086 interruptsVino's 8086 interrupts
Vino's 8086 interrupts
 
ITE - Chapter 2
ITE - Chapter 2ITE - Chapter 2
ITE - Chapter 2
 
SISTec Microelectronics VLSI design
SISTec Microelectronics VLSI designSISTec Microelectronics VLSI design
SISTec Microelectronics VLSI design
 
Interrupts
InterruptsInterrupts
Interrupts
 
ASIC Design Flow
ASIC Design FlowASIC Design Flow
ASIC Design Flow
 
Ins and Outs of GPIO Programming
Ins and Outs of GPIO ProgrammingIns and Outs of GPIO Programming
Ins and Outs of GPIO Programming
 
SRAM Design
SRAM DesignSRAM Design
SRAM Design
 
System On Chip (SOC)
System On Chip (SOC)System On Chip (SOC)
System On Chip (SOC)
 
Study of vlsi design methodologies and limitations using cad tools for cmos t...
Study of vlsi design methodologies and limitations using cad tools for cmos t...Study of vlsi design methodologies and limitations using cad tools for cmos t...
Study of vlsi design methodologies and limitations using cad tools for cmos t...
 
Analog Layout and Process Concern
Analog Layout and Process ConcernAnalog Layout and Process Concern
Analog Layout and Process Concern
 

Similar to Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...OptimalPlus
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3qqlan
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]qqlan
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...PROIDEA
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessS4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessNathan Wallace, PhD, PE
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...PROIDEA
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 

Similar to Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters (20)

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessS4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimaginedpanagenda
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideStefan Dietze
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024Stephen Perrenod
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?Paolo Missier
 

Recently uploaded (20)

Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
 

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters

  • 1. Industrial protocols for pentesters Timorin Alexander Efanov Dmitry Positive Technologies PHDays III
  • 2. Who We Are Timorin Alexander • Lead specialist of penetration testing team at Positive Technologies • Main interests: penetration testing, SCADA systems, industrial protocols, password cracking • atimorin@ptsecurity.ru
  • 3. Who We Are Efanov Dmitry • Lead specialist of security development team at Positive Technologies • Main interests: penetration testing, network protocols and hex-numbers • defanov@ptsecurity.ru
  • 5. ICS in the World
  • 6. ICS in the World
  • 7. ICS in the World
  • 8. What we will talk about ? • Modbus • Mystical S7 • Authentication and protection • Profinet
  • 9. Industrial protocols • CIP • BACnet • CC-Link • Ethernet/IP • Modbus • Profinet • S3 / S5 / S7 • DNP3
  • 10. Old Modbus • Published by Modicon (now Schneider Electric) in 1979. • Widely used for connecting industrial electronic devices • Schneider Electric • Advanced Micro Controls • ABB • Emerson • Chinese NONAME • and all other vendors
  • 13. Modbus TCP Standard port – 502/tcp Modbus Request packet: • No authentication • No encryption • No security
  • 14. Modbus Functions • Data access • Read/Write Coils and Registers • Read/Write File Records • Diagnostics • Device Identification • … • + User Defined Functions
  • 15. Modbus Device Identification Standard Function (opcode 0x2B, subcode 0x0E) • VendorName • ProductCode • MajorMinorRevision • VendorUrl • ProductName • ModelName • UserApplicationName
  • 17. Modbus Tools • Emulators: • http://www.modbustools.com/download.asp • Device Discovery: • https://code.google.com/p/plcscan/ • https://code.google.com/p/modscan/ • … • Wireshark • python
  • 19. Mystic S7 Standard port – 102/tcp In Siemens docs - iso-on-tcp, rfc 1006
  • 20. S7 materials • Exploiting Siemens Simatic S7 PLCs (by Dillon Beresford) http://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf • Wireshark dissector http://sourceforge.net/projects/s7commwireshark/ • Libnodave – free communication library http://sourceforge.net/projects/libnodave/
  • 21. ISO-on-TCP (RFC 1006) • Transport layer only • Require source and destination TSAP (Transport Service Access Point) for connection • TSAP (2 bytes) • Connection type (PG – 0x01, OP– 0x02) • Rack/Slot Id
  • 22. What is under ISO-on-TCP?
  • 23. What is under ISO-on-TCP? S5 Communication aka FETCH / WRITE aka Sinec H1 S7 Communication Another S7 Communication
  • 24. S7 communication S7 packet: PDU-types: • 0x01 – Request • 0x02 – Acknowledgement • 0x03 – Response • 0x07– User Data
  • 25. What we can do • Read / Write data • Start / Stop CPU • Upload / Download Blocks • List blocks • Get blocks info • Read SZL (System Status List) • Module Identification • Component Identification • LED’s status
  • 26. Device Identification • PLC scan (https://code.google.com/p/plcscan/) • For s7-300: Module : 6ES7 151-8AB01-0AB0 v.2 Basic Hardware : 6ES7 151-8AB01-0AB0 v.2 Basic Firmware : v.3.2.6 PLC Name : SIMATIC 300(Bla_bla_name) Module Name : IM151-8 PN/DP CPU Plant ID : Copyright : Original Siemens Equipment Module Serial number : S C-BOUV49xxxxx1 Module type name : IM151-8 PN/DP CPU Memory card Serial number : MMC 6CAxxxx0 Module OEM ID : Module Location : • For s7-1200: Module : 6ES7 212-1BD30-0XB0 v.2 Basic Hardware : 6ES7 212-1BD30-0XB0 v.2 Basic Firmware : 6ES7 212-1BD30-0XB0 v.2.2.0
  • 27. S7-300 password protection Password (8 bytes) «Encryption»:
  • 28. S7comm on S7-1200 S7-300 S7-1200 Read/Write Vars + + Device Identification + +/- Start/Stop CPU + - Upload/Download Blocks + - Blocks Info + - LED’s status + -
  • 29. «Another S7 communication» Simple S7 packet ( connection establishment) 72 01 – S7 data delimiter
  • 30. TIA Portal read/write protection PLC read/write password protection for main operations: CPU start/stop/data change, project upload, firmware update, etc.
  • 31. TIA Portal PEData.plf passwords history Simple SHA-1 passwords: 456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40} redbox value: password_length * 2 + 1
  • 32. S7 password hashes extractor source: http://code.google.com/p/scada-tools/source/browse/s7_password_hashes_extractor.py extracting all password sha1 hashes from TIA Portal project file and simple bruteforce. Also possible to intercept password hash when uploading new project to PLC. It’s easy. Know-how protection: • prevent code blocks (OB, FB, FC, DB) from unauthorized access • base64( sha1(password-in-unicode) )
  • 33. SCADA <-> PLC S7 authentication 1. SCADA-> PLC : auth request 2. SCADA <- PLC : challenge 3. SCADA-> PLC : response = HMAC( SHA1(password), challenge ) 4. SCADA <- PLC : auth result sending authentication challenge from PLC to SCADA workstation
  • 34. SCADA <-> PLC S7 authentication sending authentication response from SCADA workstation to PLC
  • 35. SCADA <-> PLC S7 authentication • ICS-CERT alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-016-02 • John the Ripper Jumbo patch: https://github.com/magnumripper/JohnTheRipper/pull/193 • http://www.digitalbond.com/blog/2013/05/10/john-the-ripper-s7-password- cracking/
  • 36. S7 challenge-response extractor source: http://code.google.com/p/scada-tools/source/browse/s7_brute_offline.py extracting challenge-response values from pcap file and simple bruteforce. pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32‘ -> auth ok pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732‘ -> auth bad Other researches/materials: • Dillon Beresford: http://scadahacker.com/exploits/exploits-dillonbh2011.html
  • 37. PROFINET family 2003: IEC 61158, IEC 61784 • PROFINET CBA (Component Based Automation) • PROFINET IO
  • 38. PROFINET IO • master – slave communications • RT (~ 10 ms), IRT (~ 1 ms) • PROFINET PTCP (Precision Time Control Protocol) • PROFINET DCP (Discovery and Basic Configuration Protocol) profinet dcp identify response
  • 39. PROFINET DCP scanner source: http://code.google.com/p/scada-tools/source/browse/profinet_scanner.py discovering all SCADA devices (PC, HMI, PLC) in subnet
  • 40. PROFINET DCP scanner payload = 'fefe05000401000200800004ffff0000' pp = Ether(type=0x8892, src=src_mac, dst=01:0e:cf:00:00:00)/payload.decode('hex') fefe 2b: DCP multicast header 05 1b: Identify service 00 1b: Request type 04010002 4b: Xid (request identificator) 0080 2b: Response delay 0004 2b: DCP data length ffff0000 4b: dcp dataOption(All), Suboption(All) Also we can: • change name of station • change ip, gateway • request network info • LED flashing: PLC, HMI (something wrong with PLC or devices ?? ) • and much more … profinet video demo
  • 41. How to analyze protocols ? • search-analyze-search-analyze-search … • Rob Savoye: “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns” • Rob Savoye: FOSDEM 2009 Reverse Engineering of Proprietary Protocols, Tools and Techniques : http://youtu.be/t3s-mG5yUjY • Netzob: http://www.netzob.org • Fuzzing • wireshark tcpdump python scapy hex viewer
  • 42. Outro • Positive Technologies SCADA analytics: http://www.ptsecurity.com/download/SCADA_analytics_english.pdf • Findings • Recommendations: • http://scadastrangelove.org • http://www.scadahacker.com • http://www.digitalbond.com • http://ics-cert.us-cert.gov • Releases: https://code.google.com/p/scada-tools/ https://code.google.com/p/plcscan/ • Greetz to: SCADASTRANGELOVE TEAM • QA • And now …
  • 44. Thanks to all … to be continued Timorin Alexander atimorin@ptsecurity.ru Efanov Dmitry defanov@ptsecurity.ru Stay in touch and feel free …