[CLASS 2014] Palestra Técnica - Jan Seidl

SSCCAADDAA HHaacckkiinngg IInndduussttrriiaall SSccaallee FFuunn
JJaann SSeeiiddll

$$ wwhhooaammii
AAbboouutt
FFuullll NNaammee:: JJaann SSeeiiddll
OOrriiggiinn:: RRiioo ddee JJaanneeiirroo,, RRJJ –– BBrraazziill
WWoorrkk::
● CCTTOO @@ TTII SSaaffee
● OOppeennSSoouurrccee ccoonnttrriibbuuttoorr ffoorr:: PPEEVV,, LLooggssttaasshh
● CCooddeess aanndd ssnniippppeettss @@ ggiitthhuubb..ccoomm//jjsseeiiddll
FFeeaattuurreess::
● UUNNIIXX EEvvaannggeelliisstt//AAddddiicctt//FFrreeaakk ((bbuutt nnoo ffaannbbooyy!!))
● PPyytthhoonn aanndd CC lloovveerr
● CCooffffeeee ddeeppeennddeenntt
● HHaatteess pprriinntteerrss aanndd ssoocciiaall nneettwwoorrkkss
● PPrroouudd DDCC LLaabbss RReesseeaarrcchheerr SCADA Hacking – Industrial Scale Fun. SEIDL, Jan
Hackers 2 Hackers Conference/2013 – São Paulo, Brazil

00xx00 WWhhaatt iiss SSCCAADDAA??
00xx11 WWhheerree iiss SSCCAADDAA??
00xx22 WWhhyy SSCCAADDAA??
00xx33 MMiissccoonncceeppttiioonnss aanndd RReeaalliittyy
00xx44 IInndduussttrriiaall PPrroottooccoollss
00xx55 PPeenntteessttiinngg SSccaaddaa ssyysstteemmss
00xx66 IInndduussttrriiaall MMaallwwaarreess,, tthhee ccyybbeerrwweeaappoonnss
00xx77 SSoolluuttiioonnss ffoorr IInndduussttrriiaall CCoonnttrrooll SSyysstteemmss SSeeccuurriittyy
00xx88 RReesseeaarrcchhiinngg SSCCAADDAA
00xx99 MMooddbbuuss AAttttaacckkss DDeemmoonnssttrraattiioonn
00xxAA QQuueessttiioonnss??
SCADA Hacking – Industrial Scale Fun. SEIDL, Jan
AAggeennddaa

WWhhaatt iiss SSCCAADDAA??

WWhhaatt iiss NNOOTT SSCCAADDAA??
Programmable-Logic Controllers (PLCs)

Remote Terminal Units (RTUs)

Supervisory Control and Data Acquisition
CCoonnttrrooll ddeevviicceess,, ssaaffeettyy ddeevviicceess,, eelleeccttrriicc//eelleeccttrroonniicc ddeevviicceess
SSiinnggllee--bbooxx ssoolluuttiioonn//aapppplliiccaattiioonn
NNoott jjuusstt aa uusseerr iinntteerrffaaccee

CCoolllleeccttss ddaattaa aanndd ccoonnttrrooll ffiieelldd eeqquuiippmmeenntt
SSaavveess hhiissttoorriiccaall ddaattaa
FFoorrwwaarrddss ddaattaa ttoo ootthheerr ddeevviicceess oorr ssyysstteemmss
PPrroovviiddeess sseeccoonnddss--pprreecciissiioonn mmeeaassuurreemmeennttss

WWhheerree iiss SSCCAADDAA??

WWhheerree iiss SSCCAADDAA??
What kind of cool stuff do they control?

WWhhyy SSCCAADDAA??

WWhhyy SSCCAADDAA??
Do we really need computers for this?
EEqquuiippmmeennttss rreellyy oonn vveerryy qquuiicckk rreessppoonnssee ttiimmeess
HHuuggee aammoouunntt ooff ddaattaa nneeeeddss ttoo bbee ccoolllleecctteedd
HHuunnddrreeddss,, tthhoouussaannddss ooff ddeevviicceess nneeeedd ttoo bbee ccoonnttrroolllleedd aatt ssaammee ttiimmee
OOppeerraattiioonn iiss aallmmoosstt nneevveerr iinntteerrrruupptteedd

WWhhyy SSCCAADDAA??
Can you imagine if something goes... wrong?
Russian hydro plant accident kills 12

WWhhyy SSCCAADDAA??
Chemical plant explosion leaves 5 missing,
15 injured in China

WWhhyy SSCCAADDAA??
Hundreds of tons of toxic waste were dumped into one of the German rivers
after the serious accident at a local chemical plant.

MMiissccoonncceeppttiioonnss aanndd RReeaalliittyy

Do automation guys think they are in danger?

““SSCCAADDAA nneettwwoorrkkss aarree iissoollaatteedd aanndd ccaannnnoott bbee
aacccceesssseedd oovveerr tthhee IInntteerrnneett””
First, the misconceptions...

““WWee uussee pprroopprriieettaarryy//ccuussttoomm ssyysstteemmss,, pprroottooccoollss
aanndd eeqquuiippmmeenntt,, tthhuuss wwee ccaannnnoott bbee hhaacckkeedd””

““HHMMII//ssoommee--ccoonnttrrooll--ssooffttwwaarree hhaass lliimmiitteedd
ffuunnccttiioonnaalliittyy aanndd//oorr rreessttrriiccttiioonnss ssoo iitt ccaannnnoott bbee
aabbuusseedd””

And my opinion on this...

And now comes reality...
AAllll iinndduussttrriiaall nneettwwoorrkkss aarree ccoonnnneecctteedd ssoommeehhooww
ttoo tthhee IInntteerrnneett oorr ccoorrppoorraattee nneettwwoorrkk
Integration software (ERP/MES), Phone/Modem/3G abuse,
Equipment misconfiguration (switches, routers, firewalls),
removable media abuse, remote access (VPN, RDP, VNC)

MMoosstt nneettwwoorrkkss aarree ooppeerraatteedd bbyy aauuttoommaattiioonn ssttaaffff
wwiitthh nnoo oorr llooww IITT kknnoowwlleeggddee
Commit security abuses/incidents, unsafe computer
operation posture [games, internet browsing, downloading
stuff], careless about infosec, just want the job done

MMoosstt nneettwwoorrkkss aanndd sseerrvveerrss aarree
mmaannaaggeedd bbyy IITT ssttaaffff
Low to no knowledge about industrial protocols, attack
impacts, software operation, overall ICS security, commit
several mistakes configuring equipment

9999,,99%% ooff ppllaannttss ccaann bbee eeaassiillyy hhaacckkeedd
Common OS (Windows, Linux...)
Common/open protocols (HTTP, Telnet, Modbus)
All the same common bugs from IT: weak/hardcoded
passwords, silly application vulns, unpatched stuff

IInndduussttrriiaall PPrroottooccoollss

Current common market protocols
CIP – Common
Industrial Protocol,
Ethernet/IP
Profinet, S3/5/7
CC-Link Modbus

Modbus
VVeerryy ssiimmppllee ppllaaiinntteexxtt pprroottooccooll
CCrreeaatteedd iinn tthhee 7700ss bbyy MMooddiiccoonn
UUsseedd bbyy mmaannyy vveennddoorrss

Modbus
NNoo aauutthheennttiiccaattiioonn ++ NNoo eennccrryyppttiioonn ++ NNoo vvaalliiddaattiioonn
==
HHAA--HHAA sseeccuurriittyy lleevveell

Modbus
CCoommmmoonn aarrcchhiitteeccttuurree

Modbus
PPrroottooccooll ssttrruuccuuttuurree
Standard port tcp/502

Modbus
PPrroottooccooll ssttrruuccuuttuurree

Modbus
FFuunnccttiioonn CCooddeess

Modbus
FFuunnccttiioonn CCooddeess ((tthhee oonneess wwee ccaarree))
Read/Write Coils and Registers (Mess up stuff) [lots]
Read/Write File records [20, 21]
Device Fingerprinting & Diagnostics [43,17,8]
+ modbus supports user-defined functions!

PPeenntteessttiinngg SSCCAADDAA ssyysstteemmss

IImmppoorrttaanntt NNoottee
When you run tests against an industrial control system
unexpected things may happen.
And they happen almost every time.

IImmppoorrttaanntt NNoottee
Do not test LIVE systems.
Never. Ever.

SSccaannnniinngg // DDiissccoovveerryy
Some tools available:
plcscan – Scans s7comm & modbus devices
https://code.google.com/p/plcscan/
modscan – Scans modbus devices
https://code.google.com/p/modscan/
Nmap – Famous network scanner
http://nmap.org/

SSccaannnniinngg // DDiissccoovveerryy ((ccoonntt..))
Metasploit Modules
auxiliary/scanner/modbus/modbus_findunitid
auxiliary/scanner/modbus/modbusdetect

PLCscan

Nmap – modbus-discover.nse

Modbus Diagnostic Function code (0x2B, 43)
VendorName, ProductName, ModelName, ProductCode,
MajorMinorRevision

DDaattaa MMaanniippuullaattiioonn
Opensource ICS protocol libraries
Modlib – Scapy Extension [python]
https://www.scadaforce.com/modbus
Pymodbus – Module [python]
https://github.com/bashwork/pymodbus
Modbus-cli – Gem [ruby]
https://rubygems.org/gems/modbus-cli
S7comm – Library [C,C++,C#,Delphi,Pascal,Perl,VB(A)]
http://libnodave.sourceforge.net/
OpenDNP3 – Library [C++]
https://code.google.com/p/dnp3/

DDaattaa MMaanniippuullaattiioonn ((ccoonntt..))
Metasploit Modules
auxiliary/scanner/modbus/modbusclient
auxiliary/admin/scada/modicon_command
auxiliary/admin/scada/igss_exec_17
auxiliary/admin/scada/multi_cip_command

Reading and Writing data
modbus-cli
<https://rubygems.org/gems/modbus-cli>
R: modbus read <IP> <ADDR> <QTY>
W: modbus write <IP> <ADDR> [<VAL1>,<VAL2>,<VAL3>]
pymodclient
<https://github.com/jseidl/pymodbuscli>
R: pymodbuscli -f read_register -h <IP> <ADDR> <QTY>
W: pymodbuscli -f write_register -h <IP> <ADDR>
[<VAL1>,<VAL2>,<VAL3>]
Modbus

Metasploit Modules (not on official tree yet)
simatic_s7_300_command.rb / simatic_s7_300_memory_view.rb /
simatic_s7_1200_command.rb
S7Comm
https://github.com/d1n/s7-metasploit-modules

SSnniiffffiinngg TTrraaffffiicc
Native Wireshark dissector
Modbus

SSnniiffffiinngg TTrraaffffiicc
Opensource Wireshark dissector plugin
<http://sourceforge.net/projects/s7commwireshark/>
SIEMENS S7comm

IInndduussttrriiaall MMaallwwaarreess

IInndduussttrriiaall SSaabboottaaggee
SSttuuxxnneett

SSttuuxxnneett
Industrial Sabotage
Discovered July 2010
Targets Siemens WinCC systems
Targets specific PLC models
100KLOC (thousands of lines of code)

SSttuuxxnneett
Industrial Sabotage
Sabotages centrifuges causing malfunction or destruction
Allegedly a sabotage plan from USA and Israel against
Iran's nuclear program

SSttuuxxnneett
Industrial Sabotage
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-
of-cyberattacks-against-iran.html?pagewanted=all&_r=2

SSttuuxxnneett
Industrial Sabotage
http://www.cbsnews.com/8301-205_162-57592862/nsa-leaker-snowden-claimed-
u.s-and-israel-co-wrote-stuxnet-virus/

SSttuuxxnneett
Industrial Sabotage
http://www.symantec.com/connect/blogs/w32stuxnet-dossier

SSttuuxxnneett
Industrial Sabotage
Exploits five vulnerabilities (of which four are 0-day)...
LNK File Bug – Initial Infection via USB drives/removable media
http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx
Printer Spooler – Spreading
Server Service (SMB) – Spreading
Keyboard layout file – Privilege escalation
Task Scheduler – Privilege escalation
… and then installs a rootkit :)

SSttuuxxnneett
Industrial Sabotage
Which can only be installed because Stuxnet has stolen
valid digital certificates.
From Realtek and Jmicron.

SSttuuxxnneett
Industrial Sabotage
As if this weren't enough, it creates a peer-to-peer network
of infected hosts, steals intelligence, and rootkits the PLC
+ project files so engineers and operators won't notice.

Industrial Espionage
DDuuQQuu

DDuuQQuu
Discovered September 2011
Possibly derived from Stuxnet
Objective: backdooring and data collection
Targets ICS software and hardware vendors

DDuuQQuu
Uses one Microsoft vulnerability
Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code
Execution Vulnerability (BID 50462)
Does not replicate on its own
Has also stolen signed certificates

FFllaammee // SSkkyywwiippeerr

FFllaammee
Discovered ~May 2012
Mostly seen in middle-east
About 20mb in size
Has LUA plugin support
Around 20 extension modules

FFllaammee
Fingerprints countermeasure software/adapts to evade it
Multiple encryption levels
SQLite databases for storing collected data
Propagates similar to Stuxnet (LNK+Spooler)

FFllaammee
Record Skype Conversations
Keylogging + Screenlogging
Network Sniffer
Bluetooth scanning and compromise
Most affected countries: Iran, Israel, Sudan, Syria, Lebanon,
Saudi Arabia and Egypt.

GGaauussss

GGaauussss
Discovered ~August 2012
Flame+Banking+Nasty Stuff
Same infection schemes as Stuxnet & Flame
Has encrypted payload that is only run under certain
circumstances

GGaauussss
Steals passwords and cookies from browser
Collects and reports system configuration
Infects other removable media
Enumerates files and directories

GGaauussss
Steals banking credentials from middle-east banking
systems
Steals information from social networks, instant messaging
and email accounts

SSoolluuttiioonnss ffoorr IICCSS SSeeccuurriittyy

FFiirrsstt ooff AAllll
There is no single-box solution.
Sorry :(

Security is not only on your hosts but
also networks and personnel

You need the best solution for each area. Each vendor has
expertise in its own area and probably won't master all of
them at the same time.

ssoo......
Embrace good and old defense in depth model
Photo credit: Sentrillion

ssoo......
Embrace good and old defense in depth model
Locks, cameras etc Firewalls, IDPS,
Photo credit: Sentrillion
Data diodes
Segmentation, VLANs,
port-mirrored IDS
WAFs, strong
architechture
Whitelisting
software, HIDPS,
central logging
Encryption and access
control

NNeettwwoorrkk SSeeggmmeennttaattiioonn
ISA/99 Zones and Conduits Model

NNeettwwoorrkk SSeeggmmeennttaattiioonn
Proper DMZ Model

IInndduussttrriiaall CCoonnttrrooll SSyysstteemmss FFiirreewwaallllss//IIDDSSss
Commercial Solutions
Tofino Security Appliance SIEMENS Scalance S

Commercial Solutions
Firewall
Industrial Protocol Enforcer
VPN
Centralized Management

OpenSource Solutions

SSNNOORRTT SSCCAADDAA IIDDSS RRuulleess
Initially compiled by Digital Bond
Many rules already on SNORT main repository
Additional rules are easy to write
http://www.digitalbond.com/tools/quickdraw/
http://blog.snort.org/2012/01/snort-292-scada-preprocessors.html

MMooddbbuuss
Snort IDS rules

EEtthheerr//IIPP
Snort IDS rules

DDNNPP33
Snort IDS rules

DDaattaa DDiiooddeess
Allow traffic to flow only in one direction
Enforced by hardware
Photo-resistor on one end, Photo-transmitter on other
As it depends on hardware, no open-source solution yet :(
Can be enforced via firewall but not with same efficiency

DDaattaa DDiiooddeess
Commercial Solution

WWhhiittee--lliissttiinngg SSooffttwwaarree
Anti-virus, seriously?
CEBIT 2013 Workshop: Anti-virus are an efficient solution for
industrial network protection? (short answer: no)
http://slidesha.re/17AwTEd

MMoonniittoorriinngg
ICS networks and hosts generally operate in regular and
predictable manners.
Simple monitoring and plotting can help detect anomalies
when they happen
[White paper] Detecting problems in industrial networks though
continuous monitoring
http://slidesha.re/17JyVSu

• Communications interception (ARP Poisoning)
• $ nmap –sV 192.168.1.1

MMoonniittoorriinngg • Denial of Service
•
• Malware infection

• Unauthorized Modbus traffic

EEdduuccaattee yyoouurr uusseerrss
Your users don't really know the impact of using a 3G
modem to check their personal email or Facebook wall
Even less that they can ruin plant's processes by clicking
on a link sent by that hot girl he's chatting with for weeks

NNeevveerr ffoorrggeett wwhhaatt yyoouurr uusseerrss
mmeeaann ttoo yyoouurr sseeccuurriittyy

RReesseeaarrcchhiinngg SSCCAADDAA

AALLWWAAYYSS RREEMMEEMMBBEERR!!!!!!!!
Do not test LIVE systems.
Never. Ever.

GGaatthheerr ddooccuummeennttaattiioonn
Most protocols (even proprietary ones) have
documentation available on-line
Get it from manufacturer website or just freaking google it.

GGaatthheerr ddooccuummeennttaattiioonn
DNP3 Primer
http://www.dnp.org/AboutUs/DNP3%20Primer%20Rev%20A.pdf
Modbus Specification
http://www.modbus.org/specs.php

SSnniiffff mmaasstteerr--ssllaavvee ccoommmmuunniiccaattiioonn wwiitthh WWiirreesshhaarrkk

GGeett aa tteesstt--bbeedd
Buy from manufacturer (expensive, sometimes impeditive)
Buy from e-bay (quite easy)
Real, hardware-based

http://www.ebay.com/sch/i.html?
_trksid=p2050601.m570.l1313.TR0.TRC0.Xs7-300&_nkw=s7-
300&_sacat=0&_from=R40

http://www.ebay.com/sch/i.html?_odkw=s7-
300&_osacat=0&_from=R40&_trksid=p2045573.m570.l1313.TR3.TRC1.A0.Xwago+
750&_nkw=wago+750&_sacat=0

Emulated, software-based
Fully programmable
Available in many programming languages
Self-contained solutions available

Pymodbus library
https://github.com/bashwork/pymodbus/blob/master/examples/common/synchro
nous-server.py
# initialize data
store = ModbusSlaveContext(
di = ModbusSequentialDataBlock(0, [17]*100),
co = ModbusSequentialDataBlock(0, [17]*100),
hr = ModbusSequentialDataBlock(0, [17]*100),
ir = ModbusSequentialDataBlock(0, [17]*100))
context = ModbusServerContext(slaves=store, single=True)
# initialize the server information
identity = ModbusDeviceIdentification()
identity.VendorName = 'Pymodbus'
identity.ProductCode = 'PM'
identity.VendorUrl = 'http://github.com/bashwork/pymodbus/'
identity.ProductName = 'Pymodbus Server'
identity.ModelName = 'Pymodbus Server'
identity.MajorMinorRevision = '1.0'
# run the server you want
StartTcpServer(context, identity=identity, address=("localhost", 5020))

ModSak (commercial with free trial)
http://wingpath.co.uk/modbus/modsak.php

GGeett ssoommee IICCSS ssooffttwwaarree ffrroomm vveennddoorrss
Vendors often have trial versions on their sites
You might have to ask them for a copy
They might not like it what you'll be using it for
Be brave. Don't desist.

For both equipment and software
SSccaann tthhee ccrraapp oouutt ooff iitt
Use network and software vulnerabilities scanners heavily,
don't mind if sometimes devices go crazy
but do one at a time or you may DOS your device

FFuuzzzz''eemm uunnttiill ssmmookkee ccoommeess oouutt
Create fuzz model files based on documentation
See how they handle malformed data

Peach fuzzer
http://peachfuzzer.com/

Modbus PIT file for Peach Fuzzer (WIP)
https://github.com/jseidl/peach-pit/blob/master/modbus/modbus.xml

ROBUS & AEGIS Project
http://www.automatak.com/aegis/ & http://www.automatak.com/robus/

SSeett uupp aa hhoonneeyyppoott
Put it faced over to the internet and learn from other
attackers (caution! risky!)

Conpot – SCADA/ICS Honeypot
SSeett uupp aa hhoonneeyyppoott
“The default configuration of Conpot simulates a basic
Siemens SIMATIC S7-200 PLC with an input/output module
and a CP 443-1 which would be needed in a real setup to
provide network connectivity.”
https://github.com/glastopf/conpot

AAttttaacckk DDeemmoonnssttrraattiioonn

QQuueessttiioonnss??
Please, don't be shy!

TThhaannkkss ffoorr yyoouurr ttiimmee!!
Hope you enjoyed it!
@jseidl
jseidl@wroot.org
http://wroot.org
https://github.com/jseidl
http://www.slideshare.net/jseidl
http://www.linkedin.com/in/janseidl

[CLASS 2014] Palestra Técnica - Jan Seidl

Recommended

Recommended

More Related Content

Similar to [CLASS 2014] Palestra Técnica - Jan Seidl

Similar to [CLASS 2014] Palestra Técnica - Jan Seidl (20)

More from TI Safe

More from TI Safe (20)

Recently uploaded

Recently uploaded (20)

[CLASS 2014] Palestra Técnica - Jan Seidl