Sergey Gordeychik
Denis Baranov
Gleb Gritsai

•   Sergey Gordeychik
    •   Positive Technologies CTO, Positive Hack Days Director and Scriptwriter, WASC board member
    •   http://sgordey.blogspot.com, http://www.phdays.com

•   Gleb Gritsai
    •   Principal Researcher, network security and forensics researcher, member of PHDays Challenges team
    •   @repdet, http://repdet.blogspot.com

•   Denis Baranov
    •   Head of AppSec group, researcher, member of PHDays CTF team
•   Group of security researchers focused on ICS/SCADA
    to save Humanity from industrial disaster and to keep Purity Of Essence
Sergey Gordeychik   Gleb Gritsai            Denis Baranov
Roman Ilin          Ilya Karpov             Sergey Bobrov
Artem Chaykin       Yuriy Dyachenko         Sergey Drozdov
Dmitry Efanov       Yuri Goltsev            Vladimir Kochetkov
Andrey Medov        Sergey Scherbel         Timur Yunusov
Alexander Zaitsev   Dmitry Serebryannikov   Dmitry Nagibin
Dmitry Sklyarov     Alexander Timorin       Vyacheslav Egoshin
Ilya Smith          Roman Ilin              Alexander Tlyapov
http://scadastrangelove.blogspot.com/2012/11/scada-safety-in-numbers.html
•   Siemens ProductCERT
    •   Really professional team
    •   Quick responses
    •   Personal contacts
    •   Even patches
•   You guys rock!

•   Common target during pentests
•   Most common platform (market, ShodanHQ)
•   Largest number of published and fixed bugs

•   Invensys Wonderware
•   Yokogawa
•   ICONICS
•   …
•   Stay tuned!
Levels shown in the slide diagram:
•   ERP: business layer
•   MES: operation and production supervision
•   SCADA: supervisor control
•   PLC/RTU: direct control
•   SCADA network is isolated and is not connected to other networks, much less to the Internet
•   MES/SCADA/PLC are based on custom platforms, and attackers can't hack them
•   HMI has limited functionality and does not allow mounting an attack
•   …
•   100% of tested SCADA networks are exposed to the Internet/corporate network
    •   Network equipment/firewall misconfiguration
    •   MES/OPC/ERP integration gateways
    •   HMI external devices (phones/modems/USB flash) abuse
    •   VPN/dial-up remote access

•   99.9(9)% of tested SCADA can be hacked with Metasploit
    •   Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)
    •   Standard protocols (RPC, CIFS/SMB, Telnet, HTTP…)
    •   Standard bugs (patch management, passwords, firewalling, application vulnerabilities)
•   50% of HMI/engineering stations are also used as desktops
    •   Kiosk mode bypass
    •   (Secret) Internet access
    •   games/"keygens"/trojans and other useful software

ICS security = Internet security in the early 2000s
•   NO magic on network
    •   Standard network protocols/channel level
•   NO magic on system level
    •   Standard OS/DBMS/APPs
        • Windows/SQL for SCADA
        • Linux/QNX for PLC
•   NO AppSec at all
•   ICS guys don’t care about IT/IS
•   MES reality - connecting SCADA to other
    networks/systems (ERP etc.)
•   Ethernet
•   Cell (GSM, GPRS, …)
•   RS-232/485
•   Wi-Fi
•   ZigBee
•   Lots of other radio and wire

•   All can be sniffed thanks to the community
•   Modbus
•   DNP3
•   OPC
•   S7

•   And more and more …
•   EtherCAT
•   FL-net
•   Foundation Fieldbus
•   Sniffing
•   Spoofing/Injection
•   Fingerprinting/Data collection
•   Fuzzing
•   Security?!
•   Wireshark supports most of it
•   Third-party protocol dissectors for Wireshark
•   Industry grade tools and their free functions
    •   FTE NetDecoder
•   No dissector/tool – no problem
    •   Plaintext and easy to understand protocols
•   Widely available tools for Modbus packet crafting
•   Other protocols only with general packet crafters (Scapy)
•   More tools to come (from us ;))
•   Most protocols can be attacked by simple packet replay
•   Or you can write your own fuzZzer*…

*But don't forget about Python compilation issues (sec-recon, hi there)
•   Well known ports
•   Modbus
    •   Product, device, GW, unit enumeration
•   S7
    •   Product, device, associated devices
•   OPC
    •   RPC/DCOM, but requires authentication
•   Modern fingerprinting add-ons
    •   SNMP, HTTP, management ports
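The two slides above make the same point from both sides: Modbus is plaintext, so the same frames that let a pentester enumerate "product, device, unit" also let a defender build an asset inventory and spot writes from hosts that should only ever read. The following Python is an added example written for this page, not a tool from the SCADA Strangelove team or from PLCScan. It decodes Modbus/TCP frames (MBAP header plus PDU), parses a Read Device Identification response (function 43, MEI type 14) into vendor/product/revision fields, and raises an alert for any write function code coming from a host outside a trusted set. The frames, the vendor strings and the IP addresses are constructed for the demo and are not from any real capture.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Function codes from the Modbus Application Protocol specification.
READ_FUNCTIONS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                  0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
                   0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}
FC_ENCAPSULATED = 0x2B   # Encapsulated Interface Transport
MEI_DEVICE_ID = 0x0E     # MEI type "Read Device Identification"
DEVICE_ID_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                     0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                     0x06: "UserApplicationName"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes          # PDU bytes following the function code


def parse_mbap(frame: bytes) -> ModbusFrame:
    """Decode the 7-byte MBAP header, validate the length field, split off the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    return ModbusFrame(tid, unit, frame[7], bytes(frame[8:]))


def parse_device_identification(data: bytes) -> Dict[str, str]:
    """Decode the body of a Read Device Identification response (after FC 0x2B)."""
    if len(data) < 6 or data[0] != MEI_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    _mei, _read_code, _conformity, _more, _next_id, count = data[:6]
    objects, pos = {}, 6
    for _ in range(count):                 # object list: id (1), length (1), value
        if pos + 2 > len(data):
            raise ValueError("truncated object list")
        obj_id, obj_len = data[pos], data[pos + 1]
        value = data[pos + 2: pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = DEVICE_ID_OBJECTS.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return objects


def classify(frame: ModbusFrame) -> str:
    """Coarse classification of a frame by its function code."""
    if frame.function & 0x80:
        return "exception"
    if frame.function in WRITE_FUNCTIONS:
        return "write"
    if frame.function in READ_FUNCTIONS:
        return "read"
    if frame.function == FC_ENCAPSULATED and frame.data[:1] == bytes([MEI_DEVICE_ID]):
        return "device-id"                 # request (3 bytes) or response (>= 6 bytes)
    return "other"


def triage(capture: List[Tuple[str, bytes]], trusted_writers: set) -> Tuple[dict, List[str]]:
    """Inventory from device-id responses; alert on writes from untrusted hosts."""
    inventory, alerts = {}, []
    for src, raw in capture:
        frame = parse_mbap(raw)
        kind = classify(frame)
        if kind == "device-id" and len(frame.data) >= 6:   # responses only
            inventory[(src, frame.unit_id)] = parse_device_identification(frame.data)
        elif kind == "write" and src not in trusted_writers:
            alerts.append(f"{src} -> unit {frame.unit_id}: "
                          f"{WRITE_FUNCTIONS[frame.function]} (tid {frame.transaction_id})")
    return inventory, alerts


# Constructed sample frames (not from a real capture): MBAP header, then PDU.
DEVICE_ID_RESPONSE = (
    bytes.fromhex("0001 0000 0021 01")        # tid 1, proto 0, length 33, unit 1
    + bytes.fromhex("2B 0E 01 01 00 00 03")   # FC 43, MEI 14, basic objects, 3 objects follow
    + bytes([0x00, 8]) + b"ACME PLC"          # VendorName (constructed value)
    + bytes([0x01, 6]) + b"PLC-01"            # ProductCode (constructed value)
    + bytes([0x02, 5]) + b"V1.02"             # MajorMinorRevision (constructed value)
)
READ_REQUEST = bytes.fromhex("0002 0000 0006 01 03 0000 000A")    # read 10 holding registers
WRITE_REQUEST = bytes.fromhex("0003 0000 0006 01 06 0010 0001")   # write register 16 := 1

SAMPLE_CAPTURE = [
    ("10.0.0.5", READ_REQUEST),          # HMI polling: expected
    ("10.0.0.5", WRITE_REQUEST),         # HMI changing a setpoint: expected
    ("10.0.0.77", WRITE_REQUEST),        # unknown host writing: alert
    ("10.0.0.20", DEVICE_ID_RESPONSE),   # PLC answering an identification request
]

if __name__ == "__main__":
    inv, alerts = triage(SAMPLE_CAPTURE, trusted_writers={"10.0.0.5"})
    for key, ident in inv.items():
        print("asset", key, ident)
    for line in alerts:
        print("ALERT", line)
```

The MBAP length check matters in practice: a dissector that trusts the length field and then indexes past the end of the buffer is exactly the kind of bug the "no dissector, no problem" slide glosses over, and the same plaintext property that makes enumeration easy makes passive monitoring of write traffic cheap.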
By Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin

Google/Shodan dorks for:
•   Siemens
•   Emerson
•   Allen-Bradley
•   Rockwell Automation
•   Schneider Electric
•   General Electric

Want to be a real SCADAHacker?
Just click!
http://bit.ly/12RzuJC
•   Open Source ICS devices scan/fingerprint tool
•   Supports Modbus, S7, more to come
    •   Software and hardware version
    •   Device name and manufacturing
    •   Other technical info

•   Thanks to Dmitry Efanov
http://scadastrangelove.blogspot.ru/2012/11/plcscan.html
•   Just a network device with its own
    •   OS
    •   Network stack
    •   Applications
    •   …vulnerabilities
•   How to find vulnerabilities in a PLC
    •   Nothing special
    •   Fuzzing
    •   Code analysis
    •   Firmware reversing
•   Firmware is in Intel HEX format
•   Several LZSS blobs and ARM code
•   Blobs contain the file system for the PLC
•   Web application source code (MSWL)

… And ...
•   ASCII armored certificate!
•   For what?
•   For the built-in Certification Authority

?!?!??!!!??!

•   Is there a private key?
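The first step of the firmware reversing described above is mechanical: turn the Intel HEX file into a flat image and then look for recognisable material such as the PEM armor of an embedded certificate. The following Python is an added example for this page, not code from the researchers; it parses Intel HEX records with checksum verification (data, EOF, extended segment and extended linear address records), flattens them into one image with gaps filled, and reports the offsets of `-----BEGIN CERTIFICATE-----` markers. The sample firmware is constructed inside the block with a small encoder so that the checksums are right; it is not a real PLC image, and the 0x08000000 base address is an arbitrary choice.

```python
from typing import Dict, List, Tuple

# Intel HEX record types
DATA, EOF, EXT_SEGMENT, START_SEGMENT, EXT_LINEAR, START_LINEAR = 0x00, 0x01, 0x02, 0x03, 0x04, 0x05
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def parse_intel_hex(text: str) -> Dict[int, bytes]:
    """Parse Intel HEX into {absolute_address: data}, verifying every record checksum."""
    base, chunks = 0, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line[0] != ":":
            raise ValueError(f"line {lineno}: missing ':' record mark")
        try:
            rec = bytes.fromhex(line[1:])
        except ValueError:
            raise ValueError(f"line {lineno}: non-hex characters") from None
        if len(rec) < 5:                                   # count, addr(2), type, checksum
            raise ValueError(f"line {lineno}: record shorter than minimum")
        count, addr, rtype = rec[0], int.from_bytes(rec[1:3], "big"), rec[3]
        if len(rec) != 5 + count:
            raise ValueError(f"line {lineno}: byte count {count} does not match record length")
        if sum(rec) & 0xFF:                                # all bytes incl. checksum sum to 0 mod 256
            raise ValueError(f"line {lineno}: bad checksum")
        data = rec[4:4 + count]
        if rtype == DATA:
            chunks[base + addr] = data
        elif rtype == EOF:
            return chunks
        elif rtype == EXT_SEGMENT:                         # upper bits of a 20-bit segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == EXT_LINEAR:                          # upper 16 bits of a 32-bit address
            base = int.from_bytes(data, "big") << 16
        elif rtype in (START_SEGMENT, START_LINEAR):
            pass                                           # entry-point records carry no image data
        else:
            raise ValueError(f"line {lineno}: unknown record type {rtype:#04x}")
    raise ValueError("missing EOF record")


def flatten(chunks: Dict[int, bytes], fill: int = 0xFF) -> Tuple[int, bytes]:
    """Merge chunks into one image starting at the lowest address; gaps get `fill` (erased flash)."""
    if not chunks:
        return 0, b""
    start = min(chunks)
    end = max(addr + len(data) for addr, data in chunks.items())
    image = bytearray([fill]) * (end - start)
    for addr, data in chunks.items():
        image[addr - start: addr - start + len(data)] = data
    return start, bytes(image)


def find_pem_markers(image: bytes, marker: bytes = PEM_MARKER) -> List[int]:
    """Offsets (relative to the image start) of every PEM armor header."""
    hits, pos = [], image.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = image.find(marker, pos + 1)
    return hits


def make_record(rtype: int, addr: int, data: bytes = b"") -> str:
    """Encode one Intel HEX record; used here only to build the constructed sample."""
    body = bytes([len(data)]) + addr.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([(-sum(body)) & 0xFF])).hex().upper()


# Constructed sample: 48 bytes at 0x08000000, with a PEM header straddling two records.
SAMPLE_HEX = "\n".join([
    make_record(EXT_LINEAR, 0, (0x0800).to_bytes(2, "big")),   # base address 0x08000000
    make_record(DATA, 0x0000, bytes(range(16))),              # stand-in for code bytes
    make_record(DATA, 0x0010, b"-----BEGIN CERTI"),
    make_record(DATA, 0x0020, b"FICATE-----\nMIIB"),
    make_record(EOF, 0),
])

if __name__ == "__main__":
    start, image = flatten(parse_intel_hex(SAMPLE_HEX))
    for off in find_pem_markers(image):
        print(f"PEM header at image offset {off:#x}, address {start + off:#010x}")
```

Scanning the flattened image rather than the individual records is what catches the marker here: it is split across two 16-byte data records, so a per-record search would miss it. The same flattening step is the prerequisite for carving the LZSS blobs the slide mentions.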

…responsible answer
•   Hardcoded S7 PLC CA certificate (Dmitry Sklyarov)
http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html

•   Multiple vulnerabilities in S7 1200 PLC Web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov)
http://www.siemens.com/corporatetechnology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
•   Network stack
    •   Connects with PLCs, etc.
•   OS
•   Database
•   Applications
    •   HMI
    •   Web
    •   Tools
•   Depends on OS/DBMS security
    •   GUI restrictions/kiosk mode for HMI
    •   OS network stack and API heavily used
        •   File shares
        •   RPC/DCOM
        •   Database replication
•   Password authentication, ACLs/RBAC
•   Something else?
•   Nothing special
    •   Windows/Linux
    •   No Patches
    •   Weak/Absence-of Passwords
    •   Misconfiguration
    •   Insecure defaults
•   Insecure configuration
•   Users/password
•   Configuration
•   ICS-related data
•   Hardcoded accounts (fixed)
•   MS SQL listens on the network out of the box*
    •   "Security controller" restricts access to the subnet
•   Two-tier architecture with Windows integrated auth and direct data access
    •   We don't know how to make it secure
•   Lots of "encrypted" stored procedures with exec
•   First noticed in May 2005
•   Published in April 2008
•   Abused by StuxNet in 2010
•   Fixed by Siemens in Nov 2010*
•   Still works almost everywhere

*WinCC V7.0 SP2 Update 1
•   {Hostname}_{Project}_TLG*
    •   TAG data

•   CC_{Project}_{Timestamp}*
    •   Project data and configuration
    •   Users, PLCs, privileges
•   Managed by UM app
•   Stored in dbo.PW_USER
•   Administrator:ADMINISTRATOR
•   Avgur2 > Avgur
This is my
encryptionkey
…responsible disclosure
•   WinCC Harvester msf module
•   WinCC security hardening guide

•   Exclusive cipher tool & msf module. We don't have one yet…


http://scadastrangelove.blogspot.com/2012/11/wincc-harvester.html
http://scadastrangelove.blogspot.ru/2012/12/siemens-simatic-wincc-7x-security.html
•   WebNavigator
    •   Web-based HMI
    •   IIS/ASP.NET
    •   ActiveX client-side
•   DiagAgent
    •   Diagnostic and remote management application
    •   Custom web server
•   …
•   Not started by default and should never be launched

•   No authentication at all
•   XSSes
•   Path traversal (arbitrary file reading)
•   Buffer overflow
•   Web-based HMI

•   XPath injection (CVE-2012-2596)
•   Path traversal (CVE-2012-2597)
•   XSS, ~20 instances (CVE-2012-2595)

•   Fixed in Update 2 for WinCC V7.0 SP3

http://support.automation.siemens.com/WW/view/en/60984587
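Path traversal ("arbitrary file reading") shows up twice in the slides above, in DiagAgent and in WebNavigator. The following Python is an added example for this page, not WebNavigator's code and not a reproduction of CVE-2012-2597: it puts the traversal-prone file lookup next to a hardened one and runs both against a document tree built in a temporary directory. The hardened version decodes the request once, rejects NUL bytes and backslashes (IIS/Windows treats `\` as a separator, so a Unix-only `..` check is not enough for an IIS-hosted HMI), rejects absolute paths, canonicalises with symlinks followed and then requires the result to stay under the canonical root. The directory names and file contents are constructed for the demo.

```python
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import unquote


def build_demo_tree() -> Path:
    """Constructed layout: <tmp>/root is the served document root;
    <tmp>/secret.txt sits one level above it and must never be readable."""
    base = Path(tempfile.mkdtemp(prefix="webnav-demo-"))
    root = base / "root"
    (root / "pages").mkdir(parents=True)
    (root / "pages" / "index.htm").write_text("<h1>HMI</h1>")
    (base / "secret.txt").write_text("outside the web root")
    return root


def read_file_vulnerable(root: Path, requested: str) -> bytes:
    """The traversal-prone pattern: the client-supplied name is joined onto the
    root with no validation, so '..' segments walk out of the document root."""
    return (root / requested).read_bytes()


def resolve_safely(root: Path, requested: str) -> Path:
    """Hardened lookup: decode once, reject dangerous characters and absolute
    paths, canonicalise (symlinks followed), then enforce containment."""
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded:
        raise PermissionError(f"forbidden characters in {requested!r}")
    if PurePosixPath(decoded).is_absolute():
        raise PermissionError(f"absolute path rejected: {requested!r}")
    root_abs = root.resolve()
    candidate = (root_abs / decoded).resolve()
    if candidate != root_abs and root_abs not in candidate.parents:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return candidate


def is_rejected(root: Path, requested: str) -> bool:
    """True if the hardened lookup refuses the request."""
    try:
        resolve_safely(root, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root = build_demo_tree()
    print("vulnerable lookup leaks:", read_file_vulnerable(root, "../secret.txt"))
    for req in ["pages/index.htm", "pages/../pages/index.htm", "../secret.txt",
                "%2e%2e/secret.txt", "/etc/hostname", "pages\\..\\..\\secret.txt"]:
        print(f"{req!r:34} rejected={is_rejected(root, req)}")
```

Containment is checked on the canonical path, not on the request string, so `pages/../pages/index.htm` is accepted (it never leaves the root) while a symlink planted inside the root that points outside it is refused. Decoding exactly once, before the checks, is what closes the `%2e%2e` variant; decoding again after the checks would reopen it.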
•   Can help to exploit server-side vulnerabilities*
•   Operator's browser is a proxy to SCADAnet!

Does anybody work with SCADA and the Internet using the same browser?
* http://www.slideshare.net/phdays/root-via-xss-10716726
http://www.surfpatrol.ru/en/report
•   A lot of "WinCCed" IE from countries/companies/industries

•   Special prize to guys from the US for WinCC 6.X in 2012
•   Lots of XSS and CSRF
    •   CVE-2012-3031
    •   CVE-2012-3028
•   Lots of arbitrary file reading
    •   CVE-2012-3030
•   SQL injection over SOAP
    •   CVE-2012-3032
•   ActiveX abuse
    •   CVE-2012-3034

http://bit.ly/WW0TL2

…responsible disclosure
All pictures are taken from the Dr. Strangelove movie

Scada Strangelove - 29c3

  • 1.
    Sergey Gordeychik Denis Baranov Gleb Gritsai
  • 2.
    Sergey Gordeychik  Positive Technologies CTO, Positive Hack Days Director and Scriptwriter, WASC board member  http://sgordey.blogspot.com, http://www.phdays.com  Gleb Gritsai  Principal Researcher, Network security and forensic researcher, member of PHDays Challenges team  @repdet, http://repdet.blogspot.com  Denis Baranov  Head of AppSec group, researcher, member of PHDays CTF team
  • 3.
    Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Sergey Gordeychik Gleb Gritsai Denis Baranov Roman Ilin Ilya Karpov Sergey Bobrov Artem Chaykin Yuriy Dyachenko Sergey Drozdov Dmitry Efanov Yuri Goltsev Vladimir Kochetkov Andrey Medov Sergey Scherbel Timur Yunusov Alexander Zaitsev Dmitry Serebryannikov Dmitry Nagibin Dmitry Sklyarov Alexander Timorin Vyacheslav Egoshin Ilya Smith Roman Ilin Alexander Tlyapov
  • 4.
  • 5.
    Siemens ProductCERT  Reallyprofessional team  Quick responses  Personal contacts  Even Patches   You guys rock!
  • 6.
    Common target during pentests  Most common platform (market, ShodanHQ)  Largest number of published and fixed bugs
  • 7.
    Invensys Wonderware  Yokogawa  ICONICS  ….  Stay tuned!
  • 9.
    ERP BUSINESS LAYER MES OPERATION AND PRODUCTION SUPERVISION SCADA SUPERVISOR CONTROL PLC/RTU DIRECT CONTROL
  • 12.
    SCADA network is isolated and is not connected to other networks, all the more so to Internet  MES/SCADA/PLC is based on custom platforms, and attackers can’t hack it  HMI has limited functionality and does not allow to mount attack …
  • 13.
    100% of tested SCADA networks are exposed to Internet/Corporate network  Network equipment/firewalls misconfiguration  MES/OPC/ERP integration gateways  HMI external devices (Phones/Modems/USB Flash) abuse  VPN/Dialup remote access  99.9(9)% of tested SCADA can be hacked with Metasploit  Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)  Standard protocols (RCP, CIFS/SMB, Telnet, HTTP…)  Standard bugs (patch management, passwords, firewalling, application vulnerabilities)
  • 14.
    50% of HMI/Engineering stations are also used as desktops  Kiosk mode bypass  (Secret) Internet access  games/”keygens”/trojans and other useful software ICS security = Internet security in the early 2000 VS
  • 15.
    NO magic on network • Standard network protocols/channel level • NO magic on system level • Standard OS/DBMS/APPs • Windows/SQL for SCADA • Linux/QNX for PLC • NO AppSec at all • ICS guys don’t care about IT/IS • MES reality - connecting SCADA to other networks/systems (ERP etc.)
  • 17.
    Ethernet • Cell (GSM, GPRS, …) • RS-232/485 • Wi-Fi • ZigBee • Lot’s of other radio and wire • All can be sniffed thanks to community
  • 18.
    Modbus • DNP3 • OPC • S7 • And more and more … • EtherCAT • FL-net • Foundation Fieldbus
  • 19.
    Sniffing • Spoofing/Injection • Fingerprinting/Data collection • Fuzzing • Security?!
  • 20.
    Wireshark supports most of it  Third-party protocol dissectors for Wireshark  Industry grade tools and their free functions  FTE NetDecoder  No dissector/tool – No problem  Plaintext and easy to understand protocols
  • 21.
    Widely available tools for Modbus packet crafting  Other protocols only with general packet crafters (Scapy)  More tools to come (from us ;))  Most of protocols can be attacked by simple packet replay  Or you can write your own fuzZzer*… *But don’t forget about Python compilation issues (sec-recon, hi there)
  • 22.
    Well known ports  Modbus  Product, Device, GW, Unit enumeration  S7  Product, Device, Associated devices  OPC  RPC/DCOM, but authentication  Modern fingerprinting add-ons  snmp, http, management ports
  • 24.
    By Gleb Gritsai,Alexander Timorin, Yuri Goltsev, Roman Ilin Google/Shodan dorks for:  Siemens  Emerson  Allen-Bradley  Rockwell Automation  Schneider Electric  General Electric Want to be real SCADAHacker? Just click! http://bit.ly/12RzuJC
  • 26.
    Open Source ICS devices scan/fingerprint tool  Support modbus, S7, more to come  Software and hardware version  Device name and manufacturing  Other technical info  Thank to Dmitry Efanov
  • 27.
  • 30.
    Just a network device with it’s own  OS  Network stack  Applications  …vulnerabilities  How to find vulnerabilities in PLC  Nothing special  Fuzzing  Code analysis  Firmware reversing
  • 31.
    Firmware is in Intel HEX format  Several LZSS blobs and ARM code  Blobs contain file system for PLC  Web application source code (MSWL) … And ...
  • 32.
    ASCII armored certificate!  For what?  For built-in Certification Authority ?!?!??!!!??!  Is there a private key?
  • 33.
  • 34.
    Hardcoded S7 PLC CA certificate (Dmitry Sklarov) http://scadastrangelove.blogspot.com/2012/09/all- your-plc-belong-to-us.html  Multiple vulnerabilities in S7 1200 PLC Web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov) http://www.siemens.com/corporatetechnology/pool/ de/forschungsfelder/siemens_security_advisory_ssa- 279823.pdf
  • 36.
    Network stack • Connects with PLCs, etc • OS • Database • Applications • HMI • Web • Tools
  • 37.
    Depends on OS/DBMS security  GUI restrictions/Kiosk mode for HMI  OS network stack and API heavily used  File shares  RPC/DCOM  Database replication  Password authentication, ACLs/RBAC  Something else?
  • 38.
    Nothing special • Windows/Linux • No Patches • Weak/Absence-of Passwords • Misconfiguration • Insecure defaults
  • 39.
    Insecurity configuration • Users/password • Configuration • ICS-related data
  • 40.
    Hardcoded accounts (fixed) • MS SQL listening network from the box* • “Security controller” restricts to Subnet • Two-tier architecture with Windows integrated auth and direct data access • We don’t know how to make it secure • Lot of “encrypted” stored procedures with exec
  • 41.
    First noticed in May 2005 • Published in April 2008 • Abused by StuxNet in 2010 • Fixed by Siemens in Nov 2010* • Still works almost everywhere *WinCC V7.0 SP2 Update 1
  • 43.
    {Hostname}_{Project}_TLG* • TAG data • СС_{Project}_{Timestamp}* • Project data and configuration • Users, PLCs, Priviledges
  • 44.
    Managed by UM app • Stored in dbo.PW_USER
  • 46.
    Administrator:ADMINISTRATOR • Avgur2 > Avgur
  • 51.
  • 53.
  • 54.
     WinCC Harvestermsf module  WinCC security hardening guide  Exclusive cipher tool & msf module. We don’t have yet… http://scadastrangelove.blogspot.com/2012/11/wincc-harvester.html http://scadastrangelove.blogspot.ru/2012/12/siemens-simatic-wincc-7x-security.html
  • 57.
    WebNavigator  Web-based HMI  IIS/ASP.NET  ActiveX client-side  DiagAgent  Diagnostic and remote management application  Custom web-server  …
  • 59.
    Not started by default and shouldn’t never be launched  No authentication at all  XSSes  Path Traversal (arbitrary file reading)  Buffer overflow
  • 60.
    Web-based HMI  XPath Injection (CVE-2012-2596)  Path Traversal (CVE-2012-2597)  XSS ~ 20 Instances (CVE-2012-2595)  Fixed in Update 2 for WinCC V7.0 SP3 http://support.automation.siemens.com/WW/view/en/60984587
  • 61.
    Can help to exploit server-side vulnerabilities*  Operator’s browser is proxy to SCADAnet!  ? Anybody works with SCADA and Internet using same browser? * http://www.slideshare.net/phdays/root-via-xss-10716726
  • 62.
  • 63.
     A lotof “WinCCed” IE from countries/companies/industries  Special prize to guys from US for WinCC 6.X at 2012
  • 65.
    Lot of XSS and CSRF  CVE-2012-3031  CVE-2012-3028  Lot of arbitrary file reading  CVE-2012-3030  SQL injection over SOAP  CVE-2012-3032  ActiveX abuse  CVE-2012-3034 http://bit.ly/WW0TL2
  • 67.
  • 74.
    All pictures aretaken from Dr StrangeLove movie