Scada Strangelove - 29c3
![Page 1: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/1.jpg)
Sergey Gordeychik Denis Baranov
Gleb Gritsai
![Page 2: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/2.jpg)
Sergey Gordeychik Positive Technologies CTO, Positive Hack Days Director
and Scriptwriter, WASC board member
http://sgordey.blogspot.com, http://www.phdays.com
Gleb Gritsai Principal Researcher, Network security and forensic
researcher, member of PHDays Challenges team
@repdet, http://repdet.blogspot.com
Denis Baranov Head of AppSec group, researcher, member of PHDays
CTF team
![Page 3: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/3.jpg)
Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster and
to keep Purity Of Essence
Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Ilya Smith, Alexander Tlyapov
![Page 4: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/4.jpg)
http://scadastrangelove.blogspot.com/2012/11/scada-safety-in-numbers.html
![Page 5: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/5.jpg)
Siemens ProductCERT Really professional team
Quick responses
Personal contacts
Even Patches
You guys rock!
![Page 6: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/6.jpg)
Common target during pentests
Most common platform (market, ShodanHQ)
Largest number of published and fixed bugs
![Page 7: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/7.jpg)
Invensys Wonderware
Yokogawa
ICONICS
….
Stay tuned!
![Page 8: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/8.jpg)
![Page 9: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/9.jpg)
Figure: ICS layers, bottom to top: DIRECT CONTROL (PLC/RTU), SUPERVISOR CONTROL (SCADA), OPERATION AND PRODUCTION SUPERVISION (MES), BUSINESS LAYER (ERP)
![Page 10: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/10.jpg)
![Page 11: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/11.jpg)
![Page 12: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/12.jpg)
The SCADA network is isolated and not connected to other networks, let alone the Internet
MES/SCADA/PLC are based on custom platforms, so attackers can’t hack them
The HMI has limited functionality and doesn’t allow mounting an attack
…
![Page 13: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/13.jpg)
100% of tested SCADA networks are exposed to Internet/Corporate network
Network equipment/firewalls misconfiguration
MES/OPC/ERP integration gateways
HMI external devices (Phones/Modems/USB Flash) abuse
VPN/Dialup remote access
99.9(9)% of tested SCADA can be hacked with Metasploit
Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)
Standard protocols (RPC, CIFS/SMB, Telnet, HTTP…)
Standard bugs (patch management, passwords, firewalling, application vulnerabilities)
![Page 14: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/14.jpg)
50% of HMI/Engineering stations are also used as desktops
Kiosk mode bypass
(Secret) Internet access
games/”keygens”/trojans and other useful software
ICS security = Internet security in the early 2000s
![Page 15: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/15.jpg)
• NO magic on network
• Standard network protocols/channel level
• NO magic on system level
• Standard OS/DBMS/APPs
• Windows/SQL for SCADA
• Linux/QNX for PLC
• NO AppSec at all
• ICS guys don’t care about IT/IS
• MES reality - connecting SCADA to other networks/systems (ERP etc.)
![Page 16: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/16.jpg)
![Page 17: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/17.jpg)
• Ethernet
• Cell (GSM, GPRS, …)
• RS-232/485
• Wi-Fi
• ZigBee
• Lots of other radio and wired links
• All can be sniffed, thanks to the community
![Page 18: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/18.jpg)
• Modbus
• DNP3
• OPC
• S7
• And more and more …
• EtherCAT
• FL-net
• Foundation Fieldbus
![Page 19: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/19.jpg)
• Sniffing
• Spoofing/Injection
• Fingerprinting/Data collection
• Fuzzing
• Security?!
![Page 20: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/20.jpg)
Wireshark supports most of it
Third-party protocol dissectors for Wireshark
Industry grade tools and their free functions
FTE NetDecoder
No dissector/tool – No problem
Plaintext and easy to understand protocols
![Page 21: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/21.jpg)
Widely available tools for Modbus packet crafting
Other protocols only with general packet crafters (Scapy)
More tools to come (from us ;))
Most of protocols can be attacked by simple packet replay
Or you can write your own fuzZzer*…
*But don’t forget about Python compilation issues (sec-recon, hi there)
![Page 22: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/22.jpg)
Well known ports
Modbus
Product, Device, GW, Unit enumeration
S7
Product, Device, Associated devices
OPC
RPC/DCOM, but requires authentication
Modern fingerprinting add-ons
snmp, http, management ports
![Page 23: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/23.jpg)
![Page 24: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/24.jpg)
Google/Shodan dorks for: Siemens, Emerson, Allen-Bradley, Rockwell Automation, Schneider Electric, General Electric
By Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin
Want to be a real SCADAHacker? Just click!
http://bit.ly/12RzuJC
![Page 25: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/25.jpg)
![Page 26: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/26.jpg)
Open Source ICS devices scan/fingerprint tool
Support modbus, S7, more to come
Software and hardware version
Device name and manufacturer
Other technical info
Thanks to Dmitry Efanov
![Page 27: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/27.jpg)
http://scadastrangelove.blogspot.ru/2012/11/plcscan.html
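As an added worked example (not code from the talk, nor from plcscan) of what the Modbus fingerprinting on the "Well known ports" slide and plcscan's Modbus support both rest on: the Modbus "Read Device Identification" exchange (function 0x2B, MEI type 0x0E). The block builds the request, parses the response into vendor/product/revision objects, and handles the exception reply a device sends when it does not implement 0x2B. The vendor string, product code and unit id in the sample frame are constructed, not a real capture.

```python
import socket
import struct

# Object ids returned by Modbus "Read Device Identification"
# (function 0x2B, MEI type 0x0E), per the Modbus Application Protocol spec.
DEVICE_ID_OBJECTS = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}
MODBUS_EXCEPTIONS = {0x01: "ILLEGAL FUNCTION", 0x02: "ILLEGAL DATA ADDRESS",
                     0x03: "ILLEGAL DATA VALUE", 0x04: "SLAVE DEVICE FAILURE"}


def build_read_device_id_request(transaction_id=1, unit_id=0xFF,
                                 read_code=0x01, object_id=0x00):
    """Modbus/TCP frame (MBAP header + PDU) asking for device identification.

    read_code 0x01 = basic objects (vendor, product code, revision),
    0x02 = regular, 0x03 = extended, 0x04 = the single object `object_id`.
    """
    pdu = struct.pack(">BBBB", 0x2B, 0x0E, read_code, object_id)
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_device_id_response(frame):
    """Parse a Read Device Identification response into a dict of objects.

    Raises ValueError for malformed frames and for Modbus exception responses
    (devices that do not implement 0x2B typically answer ILLEGAL FUNCTION).
    """
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if protocol_id != 0 or len(pdu) != length - 1:
        raise ValueError("bad MBAP header")
    function = pdu[0]
    if function == (0x2B | 0x80):  # exception: function code with high bit set
        code = pdu[1] if len(pdu) > 1 else None
        raise ValueError("Modbus exception: %s" % MODBUS_EXCEPTIONS.get(code, repr(code)))
    if function != 0x2B or len(pdu) < 7 or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    conformity, more_follows, next_object_id, count = pdu[3:7]
    objects, pos = {}, 7
    for _ in range(count):  # each object: id (1 byte), length (1 byte), value
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        objects[DEVICE_ID_OBJECTS.get(obj_id, "Object_%02X" % obj_id)] = \
            value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "conformity": conformity, "more_follows": more_follows == 0xFF,
            "next_object_id": next_object_id, "objects": objects}


def query_device(host, port=502, unit_id=0xFF, timeout=2.0):
    """Send one request to a live device and return the parsed answer (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id_request(unit_id=unit_id))
        head = sock.recv(7)
        if len(head) < 7:
            raise ValueError("short MBAP header")
        length = struct.unpack(">H", head[4:6])[0]
        body = b""
        while len(body) < length - 1:
            chunk = sock.recv(length - 1 - len(body))
            if not chunk:
                raise ValueError("connection closed mid-frame")
            body += chunk
        return parse_read_device_id_response(head + body)


def constructed_response(transaction_id, unit_id, objects):
    """Build a response frame the way a device would; used only to make sample data."""
    body = b"".join(struct.pack(">BB", oid, len(v)) + v for oid, v in objects)
    # read code 0x01, conformity 0x01 (basic), more follows 0x00, next id 0x00, count
    pdu = struct.pack(">BBBBBBB", 0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample (not a real capture): a fictitious vendor's basic objects.
SAMPLE_RESPONSE = constructed_response(1, 0xFF, [
    (0x00, b"Example Vendor Ltd"), (0x01, b"PLC-0000"), (0x02, b"V1.2.3")])

if __name__ == "__main__":
    print(parse_read_device_id_response(SAMPLE_RESPONSE))
```

Nothing in this exchange authenticates: any host that can reach TCP/502 gets the same answer, which is why the Shodan-style enumeration on the earlier slides works at all. `query_device` is the only part that touches the network; everything else runs offline on the constructed frame.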
![Page 28: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/28.jpg)
![Page 29: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/29.jpg)
![Page 30: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/30.jpg)
Just a network device with its own:
OS
Network stack
Applications
…vulnerabilities
How to find vulnerabilities in a PLC? Nothing special:
Fuzzing
Code analysis
Firmware reversing
![Page 31: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/31.jpg)
Firmware is in Intel HEX format
Several LZSS blobs and ARM code
Blobs contain file system for PLC
Web application source code (MSWL)
… And ...
![Page 32: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/32.jpg)
ASCII armored certificate!
For what?
For built-in Certification Authority
?!?!??!!!??!
Is there a private key?
![Page 33: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/33.jpg)
…responsible answer
![Page 34: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/34.jpg)
Hardcoded S7 PLC CA certificate (Dmitry Sklyarov)
http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html
Multiple vulnerabilities in S7-1200 PLC Web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov)
http://www.siemens.com/corporatetechnology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
![Page 35: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/35.jpg)
![Page 36: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/36.jpg)
• Network stack (connects with PLCs, etc.)
• OS
• Database
• Applications: HMI, Web, Tools
![Page 37: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/37.jpg)
Depends on OS/DBMS security
GUI restrictions/Kiosk mode for HMI
OS network stack and API heavily used
File shares
RPC/DCOM
Database replication
Password authentication, ACLs/RBAC
Something else?
![Page 38: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/38.jpg)
• Nothing special
• Windows/Linux
• No Patches
• Weak/Absence-of Passwords
• Misconfiguration
• Insecure defaults
![Page 39: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/39.jpg)
• Insecure configuration
• Users/password
• Configuration
• ICS-related data
![Page 40: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/40.jpg)
• Hardcoded accounts (fixed)
• MS SQL listening on the network out of the box*
  • “Security controller” restricts it to the subnet
• Two-tier architecture with Windows integrated auth and direct data access
  • We don’t know how to make it secure
• Lots of “encrypted” stored procedures with exec
![Page 41: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/41.jpg)
• First noticed in May 2005
• Published in April 2008
• Abused by Stuxnet in 2010
• Fixed by Siemens in Nov 2010*
• Still works almost everywhere
*WinCC V7.0 SP2 Update 1
![Page 42: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/42.jpg)
![Page 43: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/43.jpg)
• {Hostname}_{Project}_TLG*
• TAG data
• CC_{Project}_{Timestamp}*
• Project data and configuration
• Users, PLCs, Privileges
![Page 44: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/44.jpg)
• Managed by UM app
• Stored in dbo.PW_USER
![Page 45: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/45.jpg)
![Page 46: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/46.jpg)
• Administrator:ADMINISTRATOR
• Avgur2 > Avgur
![Page 47: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/47.jpg)
![Page 48: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/48.jpg)
![Page 49: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/49.jpg)
![Page 50: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/50.jpg)
![Page 51: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/51.jpg)
This is my encryptionkey
![Page 52: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/52.jpg)
![Page 53: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/53.jpg)
…responsible disclosure
![Page 54: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/54.jpg)
WinCC Harvester msf module
WinCC security hardening guide
Exclusive cipher tool & msf module (we don’t have it yet…)
http://scadastrangelove.blogspot.com/2012/11/wincc-harvester.html
http://scadastrangelove.blogspot.ru/2012/12/siemens-simatic-wincc-7x-security.html
![Page 55: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/55.jpg)
![Page 56: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/56.jpg)
![Page 57: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/57.jpg)
WebNavigator
Web-based HMI
IIS/ASP.NET
ActiveX client-side
DiagAgent
Diagnostic and remote management application
Custom web-server
…
![Page 58: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/58.jpg)
![Page 59: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/59.jpg)
Not started by default and should never be launched
No authentication at all
XSSes
Path Traversal (arbitrary file reading)
Buffer overflow
![Page 60: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/60.jpg)
Web-based HMI
XPath Injection (CVE-2012-2596)
Path Traversal (CVE-2012-2597)
XSS ~ 20 Instances (CVE-2012-2595)
Fixed in Update 2 for WinCC V7.0 SP3
http://support.automation.siemens.com/WW/view/en/60984587
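An added example, not the vendor's code, of the path-traversal class listed above (CVE-2012-2597): a file handler that joins the decoded request path onto the web root, beside a hardened resolver that decodes once, strips leading slashes, canonicalizes, and refuses anything outside the root. The web root /srv/hmi/www is a hypothetical path; no real product layout is implied.

```python
import os
from urllib.parse import unquote

# Hypothetical web root for the examples; not a real product path.
WEB_ROOT = "/srv/hmi/www"


def resolve_vulnerable(web_root, requested):
    """Naive handler: joins the decoded request path onto the web root.
    '../' sequences in `requested` walk straight out of the web root."""
    return os.path.normpath(os.path.join(web_root, unquote(requested)))


def resolve_hardened(web_root, requested):
    """Decode exactly once, anchor inside the symlink-resolved root, then refuse
    any path whose canonical form is not under that root."""
    root = os.path.realpath(web_root)
    relative = unquote(requested).lstrip("/\\")   # no absolute paths from the client
    if "\x00" in relative:                        # NUL truncates C strings in some servers
        raise PermissionError("NUL byte in path")
    candidate = os.path.realpath(os.path.join(root, relative))  # collapses '..' and symlinks
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes web root: %r" % requested)
    return candidate


def check_request(web_root, requested):
    """('allowed', resolved_path) or ('denied', reason); handy for a log line per request."""
    try:
        return ("allowed", resolve_hardened(web_root, requested))
    except PermissionError as e:
        return ("denied", str(e))


if __name__ == "__main__":
    for req in ("img/logo.png", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", resolve_vulnerable(WEB_ROOT, req), "|", check_request(WEB_ROOT, req))
```

Two details carry the weight: the check runs on the decoded path (so `%2e%2e` is caught), and it runs after `realpath`, so a symlink inside the web root pointing elsewhere is rejected too. Decoding only once also means a double-encoded `%252e` stays a literal `%2e` in the filename rather than turning into a dot.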
![Page 61: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/61.jpg)
Can help to exploit server-side vulnerabilities*
Operator’s browser is proxy to SCADAnet!
Does anybody work with SCADA and the Internet using the same browser?
* http://www.slideshare.net/phdays/root-via-xss-10716726
![Page 62: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/62.jpg)
http://www.surfpatrol.ru/en/report
![Page 63: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/63.jpg)
A lot of “WinCCed” IE installs from various countries/companies/industries
Special prize to the guys from the US for WinCC 6.X in 2012
![Page 64: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/64.jpg)
![Page 65: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/65.jpg)
Lot of XSS and CSRF CVE-2012-3031 CVE-2012-3028
Lot of arbitrary file reading CVE-2012-3030
SQL injection over SOAP CVE-2012-3032
ActiveX abuse CVE-2012-3034
http://bit.ly/WW0TL2
![Page 66: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/66.jpg)
![Page 67: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/67.jpg)
…responsible disclosure
![Page 68: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/68.jpg)
![Page 69: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/69.jpg)
![Page 70: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/70.jpg)
![Page 71: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/71.jpg)
![Page 72: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/72.jpg)
![Page 73: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/73.jpg)
![Page 74: Scada Strangelove - 29c3](https://reader036.fdocuments.us/reader036/viewer/2022081721/554bda58b4c905ac708b52b5/html5/thumbnails/74.jpg)
All pictures are taken from Dr StrangeLove movie