SlideShare a Scribd company logo

Industrial protocols for pentesters

Positive Hack Days
Positive Hack Days

This document summarizes an presentation on industrial protocols for pentesters. It discusses several common industrial protocols including Modbus, Siemens S7, PROFINET, and provides information on analyzing them such as looking for patterns in hex dumps. Example tools for scanning devices and extracting information via these protocols are also presented. The document concludes with a reminder of resources for further information on industrial control systems security.

TechnologyBusiness
1 of 45
Industrial protocols for pentesters AlexanderTimorin Dmitry Efanov Positive Technologies PHDays III
Who We Are Timorin Alexander • Lead specialist of the penetration testing team at Positive Technologies • Main interests: penetration testing, SCADA systems, industrial protocols, password cracking • atimorin@ptsecurity.ru
Who We Are Efanov Dmitry • Lead specialist of the security development team at Positive Technologies • Main interests: penetration testing, network protocols and hex-numbers • defanov@ptsecurity.ru
ICS Industrial Control System
ICS in the World
ICS in the World
ICS in the World
What will we talk about ? • Modbus • Mystical S7 • Authentication and protection • PROFINET
Industrial Protocols • CIP • BACnet • CC-Link • Ethernet/IP • Modbus • PROFINET • S3 / S5 / S7 • DNP3
Old Modbus • Published by Modicon (now Schneider Electric) in 1979. • Widely used for connecting industrial electronic devices • Schneider Electric • Advanced Micro Controls • ABB • Emerson • Chinese NONAME • and other vendors
Modbus in XX
Modbus in XXI
Modbus TCP Standard port – 502/tcp Modbus request packet: • No authentication • No encryption • No security
Modbus Functions • Data access • Read/Write Coils and Registers • Read/Write File Records • Diagnostics • Device Identification • … • + User Defined Functions
Modbus Device Identification Standard Function (opcode 0x2B, subcode 0x0E) • VendorName • ProductCode • MajorMinorRevision • VendorUrl • ProductName • ModelName • UserApplicationName
Modbus Device Identification
Modbus Tools • Emulators: • http://www.modbustools.com/download.asp • Device Discovery: • https://code.google.com/p/plcscan/ • https://code.google.com/p/modscan/ • … • Wireshark • Python
Modbus Demo
Mystic S7 Standard port – 102/tcp In Siemens docs – ISO-on-TCP, RFC 1006
S7 Materials • Exploiting Siemens SIMATIC S7 PLCs (by Dillon Beresford) http://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf • Wireshark dissector http://sourceforge.net/projects/s7commwireshark/ • Libnodave – free communication library http://sourceforge.net/projects/libnodave/
ISO-on-TCP (RFC 1006) • Transport layer only • Require source and destination TSAP (Transport Service Access Point) for connection • TSAP (2 bytes) • Connection type (PG – 0x01, OP– 0x02) • Rack/Slot ID
What is under ISO-on-TCP?
What is under ISO-on-TCP? S5 Communication aka FETCH / WRITE aka Sinec H1 S7 Communication Another S7 Communication
S7 Communication S7 packet: PDU-types: • 0x01 – Request • 0x02 – Acknowledgement • 0x03 – Response • 0x07– User Data
What We Can Do • Read / Write data • Start / Stop CPU • Upload / Download Blocks • List blocks • Get blocks info • Read SZL (System Status List) • Module Identification • Component Identification • LED’s status
Device Identification • PLC scan (https://code.google.com/p/plcscan/) • For S7-300: Module : 6ES7 151-8AB01-0AB0 v.2 Basic Hardware : 6ES7 151-8AB01-0AB0 v.2 Basic Firmware : v.3.2.6 PLC Name : SIMATIC 300(Bla_bla_name) Module Name : IM151-8 PN/DP CPU Plant ID : Copyright : Original Siemens Equipment Module Serial Number : S C-BOUV49xxxxx1 Module Type Name : IM151-8 PN/DP CPU Memory Card Serial Number : MMC 6CAxxxx0 Module OEM ID : Module Location : • For S7-1200: Module : 6ES7 212-1BD30-0XB0 v.2 Basic Hardware : 6ES7 212-1BD30-0XB0 v.2 Basic Firmware : 6ES7 212-1BD30-0XB0 v.2.2.0
S7-300 Password Protection Password (8 bytes) «Encryption»:
S7comm on S7-1200 S7-300 S7-1200 Read/Write Vars + + Device Identification + +/- Start/Stop CPU + - Upload/Download Blocks + - Blocks Info + - LED’s status + -
«Another S7 Communication» Simple S7 packet (connection establishment) 72 01 – S7 data delimiter
TIA Portal Read/Write Protection PLC read/write password protection for main operations: CPU start/stop/data change, project upload, firmware update, etc.
TIA Portal PEData.plf passwords history Simple SHA-1 passwords: 456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40} redbox value: password_length * 2 + 1
S7 Password Hashes Extractor source: http://code.google.com/p/scada-tools/source/browse/s7_password_hashes_extractor.py Extracting all password SHA1 hashes from a TIA Portal project file and simple bruteforce It’s also possible to intercept password hashes when uploading a new project to PLC. It’s easy. Know-how protection: • prevent code blocks (OB, FB, FC, DB) from unauthorized access • base64( sha1(password-in-unicode) )
SCADA <-> PLC S7 Authentication 1. SCADA-> PLC : auth request 2. SCADA <- PLC : challenge 3. SCADA-> PLC : response = HMAC( SHA1(password), challenge ) 4. SCADA <- PLC : auth result Sending an authentication challenge from a PLC to a SCADA workstation
SCADA <-> PLC S7 Authentication Sending an authentication response from the SCADA workstation to the PLC
SCADA <-> PLC S7 Authentication • ICS-CERT alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-016-02 • John the Ripper Jumbo patch: https://github.com/magnumripper/JohnTheRipper/pull/193 • http://www.digitalbond.com/blog/2013/05/10/john-the-ripper-s7-password- cracking/
S7 Challenge-Response Extractor source: http://code.google.com/p/scada-tools/source/browse/s7_brute_offline.py Extracting challenge-response values from a pcap file and simple bruteforce pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32‘ -> auth ok pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732‘ -> auth bad Other researches/materials: • Dillon Beresford: http://scadahacker.com/exploits/exploits-dillonbh2011.html
PROFINET Family 2003: IEC 61158, IEC 61784 • PROFINET CBA (Component Based Automation) • PROFINET IO
PROFINET IO • Master–slave communications • RT (~ 10 ms), IRT (~ 1 ms) • PROFINET PTCP (Precision Time Control Protocol) • PROFINET DCP (Discovery and Basic Configuration Protocol) profinet dcp identify response
PROFINET DCP Scanner Source: http://code.google.com/p/scada-tools/source/browse/profinet_scanner.py Discovering all SCADA devices (PC, HMI, PLC) in a subnet
PROFINET DCP Scanner payload = 'fefe05000401000200800004ffff0000' pp = Ether(type=0x8892, src=src_mac, dst=01:0e:cf:00:00:00)/payload.decode('hex') fefe 2b: DCP multicast header 05 1b: Identify service 00 1b: Request type 04010002 4b: Xid (request identificator) 0080 2b: Response delay 0004 2b: DCP data length ffff0000 4b: dcp dataOption(All), Suboption(All) Also we can: • change the name of the station • change IP and gateway • request network info • LED flashing: PLC, HMI (is something wrong with PLC or devices ?) • and much more … profinet video demo
How to analyze protocols ? • search-analyze-search-analyze-search … • Rob Savoye: “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns.” • Rob Savoye: FOSDEM 2009 Reverse Engineering of Proprietary Protocols, Tools and Techniques: http://youtu.be/t3s-mG5yUjY • Netzob: http://www.netzob.org • Fuzzing • Wireshark tcpdump Python Scapy Hex viewer
Outro • Positive Technologies SCADA analytics: http://www.ptsecurity.com/download/SCADA_analytics_english.pdf • Findings • Recommendations: • http://scadastrangelove.org • http://www.scadahacker.com • http://www.digitalbond.com • http://ics-cert.us-cert.gov • Releases: https://code.google.com/p/scada-tools/ https://code.google.com/p/plcscan/ • Greetz to: SCADASTRANGELOVE TEAM • QA • And now …
S7-300. Live Demo
Thanks to all…. To be continued Alexander Timorin atimorin@ptsecurity.ru Dmitry Efanov defanov@ptsecurity.ru Stay in touch and feel free …
Industrial protocols for pentesters

Recommended

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Positive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Aleksandr Timorin
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Aleksandr Timorin
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Industrial Automation Control Systems Cybersecurity Certification. Chapter II
Industrial Automation Control Systems Cybersecurity Certification. Chapter IIIndustrial Automation Control Systems Cybersecurity Certification. Chapter II
Industrial Automation Control Systems Cybersecurity Certification. Chapter II
Javier Tallón
 

Recommended

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Positive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Aleksandr Timorin
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Aleksandr Timorin
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Industrial Automation Control Systems Cybersecurity Certification. Chapter II
Industrial Automation Control Systems Cybersecurity Certification. Chapter IIIndustrial Automation Control Systems Cybersecurity Certification. Chapter II
Industrial Automation Control Systems Cybersecurity Certification. Chapter II
Javier Tallón
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
pgmaynard
 
Effective Linux Development Using PetaLinux Tools 2017.4
Effective Linux Development Using PetaLinux Tools 2017.4Effective Linux Development Using PetaLinux Tools 2017.4
Effective Linux Development Using PetaLinux Tools 2017.4
Zach Pfeffer
 
Linux : PSCI
Linux : PSCILinux : PSCI
Linux : PSCI
Mr. Vengineer
 
Soc architecture and design
Soc architecture and designSoc architecture and design
Soc architecture and design
Satya Harish
 
Microchip's PIC Micro Controller
Microchip's PIC Micro ControllerMicrochip's PIC Micro Controller
Microchip's PIC Micro Controller
Midhu S V Unnithan
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
SUSE Labs Taipei
 
Board Bringup
Board BringupBoard Bringup
Board Bringup
Anil Kumar Pugalia
 
Protecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environmentProtecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environment
Itai Grady
 
U-Boot presentation 2013
U-Boot presentation 2013U-Boot presentation 2013
U-Boot presentation 2013
Wave Digitech
 
Ardui no
Ardui no Ardui no
Ardui no
Amol Sakhalkar
 
FreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBCFreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBC
Moises Silva
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
Hardware interfacing basics using AVR
Hardware interfacing basics using AVRHardware interfacing basics using AVR
Hardware interfacing basics using AVR
Mohamed Abdallah
 
LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ
LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ
LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ
BGA Cyber Security
 
2 STM32's Interrupts.pptx
2 STM32's Interrupts.pptx2 STM32's Interrupts.pptx
2 STM32's Interrupts.pptx
MdRayhanTanvir
 
Language for Embedded System
Language for Embedded System Language for Embedded System
Language for Embedded System
vkrhanjeeth .
 
Introduction to Arduino
Introduction to ArduinoIntroduction to Arduino
Introduction to Arduino
baabtra.com - No. 1 supplier of quality freshers
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
Sri Manakula Vinayagar Engineering College
 
Video Drivers
Video DriversVideo Drivers
Video Drivers
Anil Kumar Pugalia
 
My presentation raspberry pi
My presentation raspberry piMy presentation raspberry pi
My presentation raspberry pi
HusainBhaldar21
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Positive Hack Days
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
PROIDEA
 

More Related Content

What's hot

Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
pgmaynard
 
Effective Linux Development Using PetaLinux Tools 2017.4
Effective Linux Development Using PetaLinux Tools 2017.4Effective Linux Development Using PetaLinux Tools 2017.4
Effective Linux Development Using PetaLinux Tools 2017.4
Zach Pfeffer
 
Linux : PSCI
Linux : PSCILinux : PSCI
Linux : PSCI
Mr. Vengineer
 
Soc architecture and design
Soc architecture and designSoc architecture and design
Soc architecture and design
Satya Harish
 
Microchip's PIC Micro Controller
Microchip's PIC Micro ControllerMicrochip's PIC Micro Controller
Microchip's PIC Micro Controller
Midhu S V Unnithan
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
SUSE Labs Taipei
 
Board Bringup
Board BringupBoard Bringup
Board Bringup
Anil Kumar Pugalia
 
Protecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environmentProtecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environment
Itai Grady
 
U-Boot presentation 2013
U-Boot presentation 2013U-Boot presentation 2013
U-Boot presentation 2013
Wave Digitech
 
Ardui no
Ardui no Ardui no
Ardui no
Amol Sakhalkar
 
FreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBCFreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBC
Moises Silva
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
Hardware interfacing basics using AVR
Hardware interfacing basics using AVRHardware interfacing basics using AVR
Hardware interfacing basics using AVR
Mohamed Abdallah
 
LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ
LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ
LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ
BGA Cyber Security
 
2 STM32's Interrupts.pptx
2 STM32's Interrupts.pptx2 STM32's Interrupts.pptx
2 STM32's Interrupts.pptx
MdRayhanTanvir
 
Language for Embedded System
Language for Embedded System Language for Embedded System
Language for Embedded System
vkrhanjeeth .
 
Introduction to Arduino
Introduction to ArduinoIntroduction to Arduino
Introduction to Arduino
baabtra.com - No. 1 supplier of quality freshers
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
Sri Manakula Vinayagar Engineering College
 
Video Drivers
Video DriversVideo Drivers
Video Drivers
Anil Kumar Pugalia
 
My presentation raspberry pi
My presentation raspberry piMy presentation raspberry pi
My presentation raspberry pi
HusainBhaldar21
 

What's hot (20)

Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
Effective Linux Development Using PetaLinux Tools 2017.4
Effective Linux Development Using PetaLinux Tools 2017.4Effective Linux Development Using PetaLinux Tools 2017.4
Effective Linux Development Using PetaLinux Tools 2017.4
 
Linux : PSCI
Linux : PSCILinux : PSCI
Linux : PSCI
 
Soc architecture and design
Soc architecture and designSoc architecture and design
Soc architecture and design
 
Microchip's PIC Micro Controller
Microchip's PIC Micro ControllerMicrochip's PIC Micro Controller
Microchip's PIC Micro Controller
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
 
Board Bringup
Board BringupBoard Bringup
Board Bringup
 
Protecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environmentProtecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environment
 
U-Boot presentation 2013
U-Boot presentation 2013U-Boot presentation 2013
U-Boot presentation 2013
 
Ardui no
Ardui no Ardui no
Ardui no
 
FreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBCFreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBC
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Hardware interfacing basics using AVR
Hardware interfacing basics using AVRHardware interfacing basics using AVR
Hardware interfacing basics using AVR
 
LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ
LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ
LINUX, WINDOWS VE AĞ SİSTEMLERİ SIZMA TESTLERİ
 
2 STM32's Interrupts.pptx
2 STM32's Interrupts.pptx2 STM32's Interrupts.pptx
2 STM32's Interrupts.pptx
 
Language for Embedded System
Language for Embedded System Language for Embedded System
Language for Embedded System
 
Introduction to Arduino
Introduction to ArduinoIntroduction to Arduino
Introduction to Arduino
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
 
Video Drivers
Video DriversVideo Drivers
Video Drivers
 
My presentation raspberry pi
My presentation raspberry piMy presentation raspberry pi
My presentation raspberry pi
 

Similar to Industrial protocols for pentesters

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Positive Hack Days
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
PROIDEA
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
Positive Hack Days
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
Ekaterina Melnik
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
Aleksandr Timorin
 
Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...
OptimalPlus
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
Jose Palanco
 
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessS4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
Nathan Wallace, PhD, PE
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3
qqlan
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
PROIDEA
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Jakub Kałużny
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
PROIDEA
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
PROIDEA
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
qqlan
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
aaajjj4
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptx
ssuserb4d806
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
arnaudsoullie
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Saumil Shah
 

Similar to Industrial protocols for pentesters (20)

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessS4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptx
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Positive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
Positive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
Positive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
Positive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
Positive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
Positive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
Positive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
Positive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
Positive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
Positive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
Positive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Positive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
Positive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
Positive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
Positive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
Positive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
Positive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdfdbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Tatiana Kojar
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Hiike
 

Recently uploaded (20)

5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdfdbms calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 

Industrial protocols for pentesters

  • 2. Who We Are Timorin Alexander • Lead specialist of the penetration testing team at Positive Technologies • Main interests: penetration testing, SCADA systems, industrial protocols, password cracking • atimorin@ptsecurity.ru
  • 3. Who We Are Efanov Dmitry • Lead specialist of the security development team at Positive Technologies • Main interests: penetration testing, network protocols and hex-numbers • defanov@ptsecurity.ru
  • 5. ICS in the World
  • 6. ICS in the World
  • 7. ICS in the World
  • 8. What will we talk about ? • Modbus • Mystical S7 • Authentication and protection • PROFINET
  • 9. Industrial Protocols • CIP • BACnet • CC-Link • Ethernet/IP • Modbus • PROFINET • S3 / S5 / S7 • DNP3
  • 10. Old Modbus • Published by Modicon (now Schneider Electric) in 1979. • Widely used for connecting industrial electronic devices • Schneider Electric • Advanced Micro Controls • ABB • Emerson • Chinese NONAME • and other vendors
  • 13. Modbus TCP Standard port – 502/tcp Modbus request packet: • No authentication • No encryption • No security
  • 14. Modbus Functions • Data access • Read/Write Coils and Registers • Read/Write File Records • Diagnostics • Device Identification • … • + User Defined Functions
  • 15. Modbus Device Identification Standard Function (opcode 0x2B, subcode 0x0E) • VendorName • ProductCode • MajorMinorRevision • VendorUrl • ProductName • ModelName • UserApplicationName
  • 17. Modbus Tools • Emulators: • http://www.modbustools.com/download.asp • Device Discovery: • https://code.google.com/p/plcscan/ • https://code.google.com/p/modscan/ • … • Wireshark • Python
  • 19. Mystic S7 Standard port – 102/tcp In Siemens docs – ISO-on-TCP, RFC 1006
  • 20. S7 Materials • Exploiting Siemens SIMATIC S7 PLCs (by Dillon Beresford) http://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf • Wireshark dissector http://sourceforge.net/projects/s7commwireshark/ • Libnodave – free communication library http://sourceforge.net/projects/libnodave/
  • 21. ISO-on-TCP (RFC 1006) • Transport layer only • Require source and destination TSAP (Transport Service Access Point) for connection • TSAP (2 bytes) • Connection type (PG – 0x01, OP– 0x02) • Rack/Slot ID
  • 22. What is under ISO-on-TCP?
  • 23. What is under ISO-on-TCP? S5 Communication aka FETCH / WRITE aka Sinec H1 S7 Communication Another S7 Communication
  • 24. S7 Communication S7 packet: PDU-types: • 0x01 – Request • 0x02 – Acknowledgement • 0x03 – Response • 0x07– User Data
  • 25. What We Can Do • Read / Write data • Start / Stop CPU • Upload / Download Blocks • List blocks • Get blocks info • Read SZL (System Status List) • Module Identification • Component Identification • LED’s status
  • 26. Device Identification • PLC scan (https://code.google.com/p/plcscan/) • For S7-300: Module : 6ES7 151-8AB01-0AB0 v.2 Basic Hardware : 6ES7 151-8AB01-0AB0 v.2 Basic Firmware : v.3.2.6 PLC Name : SIMATIC 300(Bla_bla_name) Module Name : IM151-8 PN/DP CPU Plant ID : Copyright : Original Siemens Equipment Module Serial Number : S C-BOUV49xxxxx1 Module Type Name : IM151-8 PN/DP CPU Memory Card Serial Number : MMC 6CAxxxx0 Module OEM ID : Module Location : • For S7-1200: Module : 6ES7 212-1BD30-0XB0 v.2 Basic Hardware : 6ES7 212-1BD30-0XB0 v.2 Basic Firmware : 6ES7 212-1BD30-0XB0 v.2.2.0
  • 27. S7-300 Password Protection Password (8 bytes) «Encryption»:
  • 28. S7comm on S7-1200 S7-300 S7-1200 Read/Write Vars + + Device Identification + +/- Start/Stop CPU + - Upload/Download Blocks + - Blocks Info + - LED’s status + -
  • 29. «Another S7 Communication» Simple S7 packet (connection establishment) 72 01 – S7 data delimiter
  • 30. TIA Portal Read/Write Protection PLC read/write password protection for main operations: CPU start/stop/data change, project upload, firmware update, etc.
  • 31. TIA Portal PEData.plf passwords history Simple SHA-1 passwords: 456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40} redbox value: password_length * 2 + 1
  • 32. S7 Password Hashes Extractor source: http://code.google.com/p/scada-tools/source/browse/s7_password_hashes_extractor.py Extracting all password SHA1 hashes from a TIA Portal project file and simple bruteforce It’s also possible to intercept password hashes when uploading a new project to PLC. It’s easy. Know-how protection: • prevent code blocks (OB, FB, FC, DB) from unauthorized access • base64( sha1(password-in-unicode) )
  • 33. SCADA <-> PLC S7 Authentication 1. SCADA-> PLC : auth request 2. SCADA <- PLC : challenge 3. SCADA-> PLC : response = HMAC( SHA1(password), challenge ) 4. SCADA <- PLC : auth result Sending an authentication challenge from a PLC to a SCADA workstation
  • 34. SCADA <-> PLC S7 Authentication Sending an authentication response from the SCADA workstation to the PLC
  • 35. SCADA <-> PLC S7 Authentication • ICS-CERT alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-016-02 • John the Ripper Jumbo patch: https://github.com/magnumripper/JohnTheRipper/pull/193 • http://www.digitalbond.com/blog/2013/05/10/john-the-ripper-s7-password- cracking/
  • 36. S7 Challenge-Response Extractor source: http://code.google.com/p/scada-tools/source/browse/s7_brute_offline.py Extracting challenge-response values from a pcap file and simple bruteforce pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32‘ -> auth ok pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732‘ -> auth bad Other researches/materials: • Dillon Beresford: http://scadahacker.com/exploits/exploits-dillonbh2011.html
  • 37. PROFINET Family 2003: IEC 61158, IEC 61784 • PROFINET CBA (Component Based Automation) • PROFINET IO
  • 38. PROFINET IO • Master–slave communications • RT (~ 10 ms), IRT (~ 1 ms) • PROFINET PTCP (Precision Time Control Protocol) • PROFINET DCP (Discovery and Basic Configuration Protocol) profinet dcp identify response
  • 39. PROFINET DCP Scanner Source: http://code.google.com/p/scada-tools/source/browse/profinet_scanner.py Discovering all SCADA devices (PC, HMI, PLC) in a subnet
  • 40. PROFINET DCP Scanner payload = 'fefe05000401000200800004ffff0000' pp = Ether(type=0x8892, src=src_mac, dst=01:0e:cf:00:00:00)/payload.decode('hex') fefe 2b: DCP multicast header 05 1b: Identify service 00 1b: Request type 04010002 4b: Xid (request identificator) 0080 2b: Response delay 0004 2b: DCP data length ffff0000 4b: dcp dataOption(All), Suboption(All) Also we can: • change the name of the station • change IP and gateway • request network info • LED flashing: PLC, HMI (is something wrong with PLC or devices ?) • and much more … profinet video demo
  • 41. How to analyze protocols ? • search-analyze-search-analyze-search … • Rob Savoye: “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns.” • Rob Savoye: FOSDEM 2009 Reverse Engineering of Proprietary Protocols, Tools and Techniques: http://youtu.be/t3s-mG5yUjY • Netzob: http://www.netzob.org • Fuzzing • Wireshark tcpdump Python Scapy Hex viewer
  • 42. Outro • Positive Technologies SCADA analytics: http://www.ptsecurity.com/download/SCADA_analytics_english.pdf • Findings • Recommendations: • http://scadastrangelove.org • http://www.scadahacker.com • http://www.digitalbond.com • http://ics-cert.us-cert.gov • Releases: https://code.google.com/p/scada-tools/ https://code.google.com/p/plcscan/ • Greetz to: SCADASTRANGELOVE TEAM • QA • And now …
  • 44. Thanks to all…. To be continued Alexander Timorin atimorin@ptsecurity.ru Dmitry Efanov defanov@ptsecurity.ru Stay in touch and feel free …