Scada Strangelove - 29c3

Sergey Gordeychik
Denis Baranov
Gleb Gritsai

 Sergey Gordeychik
 Positive Technologies CTO, Positive Hack Days Director
and Scriptwriter, WASC board member
 http://sgordey.blogspot.com, http://www.phdays.com

 Gleb Gritsai
 Principal Researcher, Network security and forensic
researcher, member of PHDays Challenges team
 @repdet, http://repdet.blogspot.com

 Denis Baranov
 Head of AppSec group, researcher, member of PHDays
CTF team

 Group of security researchers focused on ICS/SCADA

to save Humanity from industrial disaster and
to keep Purity Of Essence
Sergey Gordeychik Gleb Gritsai Denis Baranov
Roman Ilin Ilya Karpov Sergey Bobrov
Artem Chaykin Yuriy Dyachenko Sergey Drozdov
Dmitry Efanov Yuri Goltsev Vladimir Kochetkov
Andrey Medov Sergey Scherbel Timur Yunusov
Alexander Zaitsev Dmitry Serebryannikov Dmitry Nagibin
Dmitry Sklyarov Alexander Timorin Vyacheslav Egoshin
Ilya Smith Roman Ilin Alexander Tlyapov

http://scadastrangelove.blogspot.com/2012/11/scada-safety-in-numbers.html

 Siemens ProductCERT
 Reallyprofessional team
 Quick responses
 Personal contacts
 Even Patches 

 You guys rock!

 Common target during pentests
 Most common platform (market, ShodanHQ)
 Largest number of published and fixed bugs

 Invensys Wonderware
 Yokogawa
 ICONICS
 ….

 Stay tuned!

ERP

BUSINESS LAYER
MES

OPERATION AND
PRODUCTION
SUPERVISION
SCADA

SUPERVISOR
CONTROL
PLC/RTU

DIRECT CONTROL

 SCADA network is isolated and is not connected to other
networks, all the more so to Internet

 MES/SCADA/PLC is based on custom platforms, and
attackers can’t hack it

 HMI has limited functionality and does not allow to
mount attack

…

 100% of tested SCADA networks are exposed to
Internet/Corporate network
 Network equipment/firewalls misconfiguration
 MES/OPC/ERP integration gateways
 HMI external devices (Phones/Modems/USB Flash) abuse
 VPN/Dialup remote access

 99.9(9)% of tested SCADA can be hacked with Metasploit
 Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)
 Standard protocols (RCP, CIFS/SMB, Telnet, HTTP…)
 Standard bugs (patch management, passwords, firewalling,
application vulnerabilities)

 50% of HMI/Engineering stations are also used as
desktops
 Kiosk mode bypass
 (Secret) Internet access
 games/”keygens”/trojans and other useful software

ICS security = Internet security in the early 2000

VS

• NO magic on network
• Standard network protocols/channel level
• NO magic on system level
• Standard OS/DBMS/APPs
• Windows/SQL for SCADA
• Linux/QNX for PLC
• NO AppSec at all
• ICS guys don’t care about IT/IS
• MES reality - connecting SCADA to other
networks/systems (ERP etc.)

• Ethernet
• Cell (GSM, GPRS, …)
• RS-232/485
• Wi-Fi
• ZigBee
• Lot’s of other radio and wire

• All can be sniffed thanks to community

• Modbus
• DNP3
• OPC
• S7

• And more and more …
• EtherCAT
• FL-net
• Foundation Fieldbus

• Sniffing
• Spoofing/Injection
• Fingerprinting/Data collection
• Fuzzing
• Security?!

 Wireshark supports most of it
 Third-party protocol dissectors for
Wireshark
 Industry grade tools and their free
functions
 FTE NetDecoder
 No dissector/tool – No problem
 Plaintext and easy to understand protocols

 Widely available tools for Modbus packet
crafting
 Other protocols only with general packet
crafters (Scapy)
 More tools to come (from us ;))
 Most of protocols can be attacked by simple
packet replay
 Or you can write your own fuzZzer*…

*But don’t forget about Python compilation issues (sec-recon, hi there)

 Well known ports
 Modbus
 Product, Device, GW, Unit enumeration
 S7
 Product, Device, Associated devices
 OPC
 RPC/DCOM, but authentication
 Modern fingerprinting add-ons
 snmp, http, management ports

By Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin

Google/Shodan dorks for:
 Siemens
 Emerson
 Allen-Bradley
 Rockwell Automation
 Schneider Electric
 General Electric

Want to be real SCADAHacker?
Just click!
http://bit.ly/12RzuJC

 Open Source ICS devices scan/fingerprint tool

 Support modbus, S7, more to come

 Software and hardware version
 Device name and manufacturing
 Other technical info

 Thank to Dmitry Efanov

http://scadastrangelove.blogspot.ru/2012/11/plcscan.html

 Just a network device with it’s own
 OS
 Network stack
 Applications
 …vulnerabilities
 How to find vulnerabilities in PLC
 Nothing special
 Fuzzing
 Code analysis
 Firmware reversing

 Firmware is in Intel HEX format
 Several LZSS blobs and ARM code
 Blobs contain file system for PLC
 Web application source code (MSWL)

… And ...

 ASCII armored certificate!
 For what?
 For built-in Certification Authority

?!?!??!!!??!

 Is there a private key?

 Hardcoded S7 PLC CA certificate (Dmitry Sklarov)

http://scadastrangelove.blogspot.com/2012/09/all-
your-plc-belong-to-us.html

 Multiple vulnerabilities in S7 1200 PLC Web
interface (Dmitriy Serebryannikov, Artem Chaikin,
Yury Goltsev, Timur Yunusov)

http://www.siemens.com/corporatetechnology/pool/
de/forschungsfelder/siemens_security_advisory_ssa-
279823.pdf

• Network stack
• Connects with PLCs, etc
• OS
• Database
• Applications
• HMI
• Web
• Tools

 Depends on OS/DBMS security
 GUI restrictions/Kiosk mode for HMI
 OS network stack and API heavily used
 File shares
 RPC/DCOM
 Database replication
 Password authentication, ACLs/RBAC
 Something else?

• Nothing special
• Windows/Linux
• No Patches
• Weak/Absence-of Passwords
• Misconfiguration
• Insecure defaults

• Insecurity configuration
• Users/password
• Configuration
• ICS-related data

• Hardcoded accounts (fixed)
• MS SQL listening network from
the box*
• “Security controller” restricts to Subnet
• Two-tier architecture with
Windows integrated auth and
direct data access
• We don’t know how to make it secure
• Lot of “encrypted” stored
procedures with exec

• First noticed in May 2005
• Published in April 2008
• Abused by StuxNet in 2010
• Fixed by Siemens in Nov 2010*
• Still works almost everywhere

*WinCC V7.0 SP2 Update 1

• {Hostname}_{Project}_TLG*
• TAG data

• СС_{Project}_{Timestamp}*
• Project data and configuration
• Users, PLCs, Priviledges

• Managed by UM app
• Stored in dbo.PW_USER

• Administrator:ADMINISTRATOR
• Avgur2 > Avgur

 WinCC Harvester msf module
 WinCC security hardening guide

 Exclusive cipher tool & msf
module. We don’t have yet…

http://scadastrangelove.blogspot.com/2012/11/wincc-harvester.html
http://scadastrangelove.blogspot.ru/2012/12/siemens-simatic-wincc-7x-security.html

 WebNavigator
 Web-based HMI
 IIS/ASP.NET
 ActiveX client-side
 DiagAgent
 Diagnostic and remote management application
 Custom web-server
 …

 Not started by default and shouldn’t never be
launched

 No authentication at all
 XSSes
 Path Traversal (arbitrary file reading)
 Buffer overflow

 Web-based HMI

 XPath Injection (CVE-2012-2596)
 Path Traversal (CVE-2012-2597)
 XSS ~ 20 Instances (CVE-2012-2595)

 Fixed in Update 2 for WinCC V7.0 SP3

http://support.automation.siemens.com/WW/view/en/60984587

 Can help to exploit server-side vulnerabilities*
 Operator’s browser is proxy to SCADAnet!


?
Anybody works with SCADA and Internet
using same browser?
* http://www.slideshare.net/phdays/root-via-xss-10716726

http://www.surfpatrol.ru/en/report

 A lot of “WinCCed” IE from
countries/companies/industries

 Special prize to guys from US for
WinCC 6.X at 2012

 Lot of XSS and CSRF
 CVE-2012-3031
 CVE-2012-3028
 Lot of arbitrary file reading
 CVE-2012-3030
 SQL injection over SOAP
 CVE-2012-3032
 ActiveX abuse
 CVE-2012-3034

http://bit.ly/WW0TL2

All pictures are taken from
Dr StrangeLove movie

Scada Strangelove - 29c3

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Scada Strangelove - 29c3

Similar to Scada Strangelove - 29c3 (20)

More from qqlan

More from qqlan (20)

Recently uploaded

Recently uploaded (20)

Scada Strangelove - 29c3