Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security mechanisms, software...
Transcript of Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security mechanisms, software...
All pictures are taken from Dr StrangeLove movie
by Gleb Gritsai (as Alexander Timorin) and Alexander Tlyapov
Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster and to keep Purity Of Essence
Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Roman Ilin, Alexander Tlyapov, Evgeny Ermakov, Kirill Nesterov
Gleb Gritsai
Penetration tester @ptsecurity
ICS researcher and expert
Member of @scadasl
Alexander Tlyapov
Reverse engineer @ptsecurity
ICS researcher
Member of @scadasl
ICS 101
This 101 is useless
Industrial protocols (Gleb Gritsai)
Functions and weakness of protocols
Penetration tester’s view
WinCC architecture (Alexander Tlyapov)
Internal protocols
Authorization process
And how not to pay attention and get to serious stuff
HMI Human Machine Interface
PLC Programmable Logic Controller
RTU Remote Telemetry Unit
IED, SCADA,
DSC, Sensor,
Actuator, …
Moved from Serial to Ethernet, sometimes to Radio (GSM, ZigBee, WiFi, etc)
Actually the five senses of ICS: controlling physical processes, delivering feedback
Available starting from OSI/ISO layer 3
Industry and application specific
Delivering real time data from sensor or configuring network settings of PLC or reflashing RTU
Operating in one subnet or providing remote telemetry and supervisory
Developed without security in mind (and without it in coders' minds). “Times they are a-changin'”, but slowly
Manufacturing Message Specification: a protocol, but more a specification for messaging
Originally developed in 1980
“Heavy” (compare a MODBUS packet: [gw_unit; function; register; value])
Applications IED, PLC, SCADA, RTU
Vendors GE, Siemens, Schneider, Daimler, ABB
Domains: named memory regions for managing data/code blobs, an abstraction for devices
Program invocations
Journals
Files (Yes, files)
Named variables and lists (groups of vars)
Events: state machines for alarms and events
Operator stations (HMI)
Init semaphores
Concurrent access
IEC 62351-4 is security for IEC 61850-8-1
IEC 61850-8-1 is MMS
Application level: ACSE AARQ and AARE PDUs
Transport level – TLS (62351-3)
Access Control Lists
Original port 102, 3782 if secured
Application security is in the ACSE layer (i.e. Association Control Service Element), which is rarely implemented
No password requirements defined for software. Welcome to the “123” password
Application security is a plain password, so: bruteforce
Just try to keep the port alive, as no lockout exists
Interception
Simple ARP spoofing is still a kill switch for ICS networks (do this in labs or disconnected SCADAs if you care)
Access must be defined to every object (according to standard)
Kind of: read, write, delete
Optional
TLS, srsly?
No options to set it up seen in products
Not supported (not even with stubs in code)
Discovery & Fingerprint
Port 102 is also S7 and … - COTP (Connection Oriented Transport Protocol) & TPKT (Transport packet)
“Identify” request for Vendor, Model and Version
Enumeration of objects: enumerate everything (Domains, Variables, Files, etc)
Good thing – named variables (no need for db with tags/registers/etc description) for understanding logic
Domains: IEDInverter, IEDBattery, IEDPhysical_Measurements
Variables for IEDBattery: ZBAT1$MX$Vol, ZBAT1$MX$Amp, ZBAT1$ST$Health
Better than WriteCoil(coil=X, value=Y)
Open source libs: easy to extract the API for better code coverage while fuzzing PLCs, IEDs, RTUs, … Ain’t it fun fuzzing embedded devices
Lots of open source libs, single DLL APIs and simulators
libiec61850 is C and free
http://libiec61850.com
openmuc is java and free http://openmuc.org/
Smartgridware and others non free, but trial http://www.smartgridware.com/
http://nettedautomation.com/iec61850li/dll/index.html
Is actually IEC 60870-5-104
Master, Slave, Master-Slave
No security mechanisms in the standard or in implementations, except the IP addresses of Masters defined on Slaves
Extensible (and vice versa) by design; vendors publish checklists with supported functions
Mainly for gathering telemetry in electricity distribution and power system automation (interrogations)
Can feature control functions: write, command, execute
Discovery
TCP port 2404
Application level ASDU broadcast address
As soon as an RTU receives a broadcast to enumerate IEC 104 endpoints, it sends a broadcast itself
If there is an RTU nearby you’ll get infinite broadcast
BCR (Binary Counter Reading) hack with frozen binary counter can mitigate this
Do it at home unless … don’t do it
Reading data
Done by interrogations, which provide a set of controlled data
Writing data
Inspect vendor document on supported protocol features
Simulators, libraries and fingerprint tool
https://github.com/atimorin/PoC2013/blob/master/iec-60870-5-104/iec-60870-5-104.py
https://code.google.com/p/mrts-ng/
https://code.google.com/p/sim104/
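The discovery and interrogation behaviour described above is easiest to reason about with the frame in hand, so here is a small IEC 60870-5-104 APDU decoder with a check for the pattern the slides warn about: a station interrogation addressed to the broadcast common address. This is an added example, not the fingerprint tool linked above. The layout (start byte 0x68, APDU length, four control octets, then the ASDU) and the constants (type 100 = C_IC_NA_1 interrogation, cause 6 = activation, common address 65535 = broadcast) follow the standard; the sample frames are constructed, and only the interrogation command's information object is decoded.

```python
"""Minimal IEC 60870-5-104 APDU decoder plus a broadcast-interrogation check.

Added example (not the tool from the slides). Sample frames are constructed.
"""
import struct

BROADCAST_COMMON_ADDRESS = 0xFFFF   # global (broadcast) common address of ASDU
C_IC_NA_1 = 100                     # interrogation command type identifier
COT_ACTIVATION = 6                  # cause of transmission: activation

U_FRAMES = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
            0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def parse_asdu(asdu: bytes) -> dict:
    """Decode the ASDU header; for C_IC_NA_1 also decode the IOA and QOI."""
    if len(asdu) < 6:
        raise ValueError("ASDU too short")
    type_id, vsq, cot, originator = asdu[0:4]
    common_addr = struct.unpack_from("<H", asdu, 4)[0]   # two-octet, little-endian
    info = {"type_id": type_id, "sq": bool(vsq & 0x80), "count": vsq & 0x7F,
            "cause": cot & 0x3F, "negative": bool(cot & 0x40),
            "test": bool(cot & 0x80), "originator": originator,
            "common_address": common_addr, "objects": []}
    body = asdu[6:]
    if type_id == C_IC_NA_1 and len(body) >= 4:
        ioa = body[0] | (body[1] << 8) | (body[2] << 16)   # 3-octet IOA
        info["objects"].append({"ioa": ioa, "qoi": body[3]})
    return info


def parse_apdu(data: bytes) -> dict:
    """Decode the APCI (control field) and dispatch on I/S/U frame format."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if data[1] != len(data) - 2:
        raise ValueError("APDU length mismatch")
    c1, c2, c3, c4 = data[2:6]
    frame = {"format": None}
    if c1 & 0x01 == 0:                       # I-format: numbered data frame
        frame["format"] = "I"
        frame["send_seq"] = (c1 >> 1) | (c2 << 7)
        frame["recv_seq"] = (c3 >> 1) | (c4 << 7)
        frame["asdu"] = parse_asdu(data[6:])
    elif c1 & 0x03 == 0x01:                  # S-format: supervisory (ack only)
        frame["format"] = "S"
        frame["recv_seq"] = (c3 >> 1) | (c4 << 7)
    else:                                    # U-format: unnumbered control
        frame["format"] = "U"
        frame["function"] = U_FRAMES.get(c1, "unknown 0x%02x" % c1)
    return frame


def is_broadcast_interrogation(frame: dict) -> bool:
    """True for an activation of the station interrogation sent to every
    station at once: the pattern that can start the broadcast loop above."""
    asdu = frame.get("asdu")
    return (frame["format"] == "I" and asdu is not None
            and asdu["type_id"] == C_IC_NA_1
            and asdu["cause"] == COT_ACTIVATION
            and asdu["common_address"] == BROADCAST_COMMON_ADDRESS)


# Constructed sample frames (hex, spaces only for readability)
BROADCAST_GI = bytes.fromhex("680e 00000000 64 01 06 00 ffff 000000 14")
UNICAST_GI = bytes.fromhex("680e 02000000 64 01 06 00 0100 000000 14")
STARTDT_ACT = bytes.fromhex("6804 07000000")

if __name__ == "__main__":
    for name, raw in (("broadcast GI", BROADCAST_GI), ("unicast GI", UNICAST_GI),
                      ("STARTDT", STARTDT_ACT)):
        frame = parse_apdu(raw)
        print(name, frame["format"], "broadcast interrogation:",
              is_broadcast_interrogation(frame))
```

Run over a capture of port 2404 traffic, the same check flags a master (or a misbehaving RTU) that interrogates the whole network rather than one station, which is the condition to alert on before the loop the slides describe sets in.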
[Diagram: IEC 104 travels over a dedicated network. Power plant 1, Power plant 2 … Power Plant N connect to Remote Control over IEC 104. Inside office.pp1.company.loc an RTU and a SCADA Server sit behind firewalls with the IEC 104 port opened; the PLC opens/closes the door; IEC 104 flows through the RTU to the SCADA Server, which reads/writes data as requested.]
[Diagram: the same plants (office.pp1.company.loc, office.pp2.company.loc, office.ppN.company.loc) connected to corp.company.loc over IEC 104, SMB, HTTP, etc.]
[Diagram: corp.company.loc reachable from the Internets via E-mail, Sharepoint, remote applications and web sites. Now this does look like a typical pentest.]
[Diagram: the same picture. Now this does look like one of the pentest attack vectors.]
Internal protocols
Authorization process
And how not to pay attention and get to serious stuff
[Diagram: WinCC deployment. PLC1, PLC2, PLC3 on PROFINET/PROFIBUS; WinCC Servers and the Engineering station (TIA portal/PCS7) on the LAN; WinCC SCADA-Clients, a WinCC SCADA-Client + Web-Server, WinCC DataMonitor and WinCC Web-Clients across "some networks": Internet, corp LAN, VPNs.]
ActiveX components for communication and rendering of HMI
IIS extension SCSWebBridgex.dll: manages the SCS connection and converts data to PAL
CCEServer.exe, WinCC core: manages requests of components
WebNavigatorRT.exe: rendering HMI and command transmission
CCEServer.exe (yep-yep, again): another component of WinCC, for example forwarding commands to the PLC via the S7 protocol
• The POST requests from the client contain the binary data of the SCS protocol
• Basic authorization
• Authorization is “two-stage” (we’ll cover this later)
• For the real identification of the client a specially “generated” ID is used
SQL query to database (using COM objects)
Verification of a "special" Windows user
The "hardcode", etc.
For successful authentication any path will do
Authentication of the user in the database through the COM object on the server
Getting ServerID and the “magic” activity for the password to WebBridge
Using the received "magic" password to work with SCSWebBridgeX
Oh! En/c(r)ypt[10]n!
ServerID = Base64(RC2(pass, key)), where key = MD5(dll hardcode)
Not my department password!
And forget that before this we entered another password...
SQL injection in Basic authorization.
It is too hard for me.
CVE-2013-0676
Passwords in the database are not plaintext…
CVE-2013-0678
But, it’s just XOR with very secret string.
This is my encryptionkey
So, we have another way to get ServerID and later access SCSWebBridgex.dll
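To make concrete why "XOR with a very secret string" is obfuscation rather than protection, here is an added example (not the WinCC scheme or the decryption tool from the slides; the key and passwords are constructed) that shows the reversibility of repeating-key XOR next to the stored-credential form a defender would want instead: a salted, slow PBKDF2 hash verified in constant time.

```python
"""Repeating-key XOR "encryption" of stored passwords versus a salted slow hash.

Added example; SECRET and the sample passwords are constructed stand-ins.
"""
import hashlib
import hmac
import os

SECRET = b"this-is-my-encryption-key"   # constructed stand-in for a hardcoded key


def xor_with_key(data: bytes, key: bytes = SECRET) -> bytes:
    """Repeating-key XOR. Applying it twice returns the input unchanged,
    so anything stored this way is recoverable by whoever holds the key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_bytes_exposed_by_known_plaintext(stored: bytes, known: bytes) -> bytes:
    """XOR is its own inverse: one stored blob and its known plaintext expose
    the key bytes covering it, and with a fixed key every record shares them.
    This is the property that makes the scheme no better than plaintext."""
    return bytes(s ^ p for s, p in zip(stored, known))


# Hardened storage: PBKDF2-HMAC-SHA256 with a per-record random salt.
def hash_password(password: bytes, salt: bytes = None, iterations: int = 200_000):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, iterations, digest


def verify_password(password: bytes, record) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


if __name__ == "__main__":
    blob = xor_with_key(b"Operator1")
    print("xor round trip ok:", xor_with_key(blob) == b"Operator1")
    print("key bytes exposed:", key_bytes_exposed_by_known_plaintext(blob, b"Operator1"))
    record = hash_password(b"Operator1")
    print("pbkdf2 verify:", verify_password(b"Operator1", record),
          verify_password(b"Operator2", record))
```

The hashed form cannot be turned back into the password, two users with the same password get different digests because of the salt, and the iteration count makes guessing expensive; none of that holds for the XOR form, whatever the length of the "secret" string.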
Still not quite ...
"Magic" password = MD5(WNUSR_DC92D7179E29.WinPassword)
Stored in the registry and encrypted with DPAPI. But with no luck.
Wrong flag allows any users (including Guest) on this host to get password for special Siemens user. BTW, this user is local admin.
Password generation uses a very good charset, but each char is used only once and the length is 12 to 14 chars, which does not make cracking the MD5 any harder
All further communications authorized with this password
For dispatching requests a special ID is used that is generated ... in some weird and funny way
Offset  Description     Size
0       AlwaysNULL      4
4       dwCode          4
8       Unknown         4
12      DataLen         4
16      ID              4
20      DataChunkNum    4
24      CRC             4
28      ChunkLen        4
32      DataChunkStart  …
The transmitted ID represents the index and identifier in the pool of objects which is responsible for storing the data and dispatching requests
Offset  Description  Size
0       PoolID       2
2       PoolIndex    2
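A decoder for the two tables above, as an added example rather than WinCC code: it unpacks the SCS header fields at the offsets listed and splits the dispatch ID into PoolID and PoolIndex. Assumptions labelled here and in the code: every field is a little-endian unsigned integer (a Windows host), and the CRC algorithm is not given on the slides, so the value is only exposed, not verified. The sample packet is constructed.

```python
"""SCS packet header and dispatch-ID decoder following the offset tables above.

Added example, not WinCC code. Assumes little-endian fields; the CRC is not
verified because its algorithm is not known from the slides. Sample constructed.
"""
import struct

# Offsets 0..28: eight 4-byte fields, then the data chunk at offset 32.
HEADER = struct.Struct("<IIIIIIII")
FIELDS = ("AlwaysNULL", "dwCode", "Unknown", "DataLen", "ID",
          "DataChunkNum", "CRC", "ChunkLen")


def parse_scs_header(packet: bytes) -> dict:
    """Unpack the header and slice out the chunk that ChunkLen describes."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than SCS header")
    fields = dict(zip(FIELDS, HEADER.unpack_from(packet, 0)))
    if fields["AlwaysNULL"] != 0:
        raise ValueError("first dword must be NULL")
    chunk = packet[HEADER.size:HEADER.size + fields["ChunkLen"]]
    if len(chunk) != fields["ChunkLen"]:
        raise ValueError("ChunkLen exceeds packet size")   # bounds check before use
    del fields["AlwaysNULL"]
    fields["DataChunk"] = chunk
    return fields


def split_id(ident: int) -> tuple:
    """ID = PoolID (2 bytes at offset 0) followed by PoolIndex (2 bytes at offset 2)."""
    pool_id, pool_index = struct.unpack("<HH", struct.pack("<I", ident))
    return pool_id, pool_index


def build_scs_packet(dw_code: int, ident: int, data: bytes,
                     chunk_num: int = 0, crc: int = 0, unknown: int = 0) -> bytes:
    """Assemble a single-chunk packet (used here only to construct the sample)."""
    return HEADER.pack(0, dw_code, unknown, len(data), ident,
                       chunk_num, crc, len(data)) + data


# Constructed sample: code 0x10, PoolID 3 / PoolIndex 5, five-byte chunk.
SAMPLE = build_scs_packet(dw_code=0x10, ident=0x00050003, data=b"hello")

if __name__ == "__main__":
    hdr = parse_scs_header(SAMPLE)
    print({k: v for k, v in hdr.items() if k != "DataChunk"})
    print("PoolID, PoolIndex =", split_id(hdr["ID"]))
```

Keeping the ChunkLen bounds check in the parser is the point a reviewer of such a dispatcher would look for first: a length field taken on trust is how a pool lookup turns into an out-of-bounds read.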
CCEServer
HMI
PLC Communication
Licenseserver
Other components
To start communication, components must call CAL_StartListen in the CCEServer service. This function passes all the necessary information about the component, such as:
• Component’s GUID
• Its PID
• Required callbacks
• Etc
During initial communication an SCS packet is transmitted with the GUID describing the target component
According to the received identifier the component's object is looked up
Further communication occurs in the context of an established connection, through a protocol called CAL
The mechanism of data transmission in the CAL protocol is based on global mapped sections
For sending data:
Section = ("Global\\SCS%08X%04X%04X%04XSAM", PID, SomeW, MapKey, Null);
ReadyEvent = ("Global\\SCS%08X%04X%04X%04XSAN", PID, SomeW, MapKey, Null);
SendEvent = ("Global\\SCS%08X%04X%04X%04XSAF", PID, SomeW, MapKey, Null);
For receiving data:
Section = ("Global\\SCS%08X%04X%04X%04XASM", PID, SomeW, MapKey, Null);
ReadyEvent = ("Global\\SCS%08X%04X%04X%04XASN", PID, SomeW, MapKey, Null);
ReciveEvent = ("Global\\SCS%08X%04X%04X%04XASF", PID, SomeW, MapKey, Null);
SQLi for retrieving HMI user passwords from the db, and an XOR decryption tool
Hardcoded credentials for retrieving ServerID
Crack ServerID for the Siemens Windows user
Use ServerID for communication with WebBridge
Session hijacking for privilege escalation on HMI
Exploiting architecture weakness to use arbitrary components of WinCC (like PLC comms)
Contact despair:
Gleb Gritsai Alexander Tlyapov
[email protected] [email protected]
@repdet @Rigros1