*All pictures are taken from Dr StrangeLove movie and other Internets
http://scadasl.org
Sergey Gordeychik
Positive Hack Days Director and Scriptwriter, WASC board member
http://www.phdays.com
Gleb Gritsai
Principal Researcher, Network security and forensic researcher, member of PHDaysChallenges team
@repdet
Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster and to keep Purity Of Essence
Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Roman Ilin, Alexander Tlyapov, Evgeny Ermakov, Kirill Nesterov
Analytics “SCADA security in numbers”
ICS systems on the internets
Industrial Protocols
plcscan for S7 and modbus
Vulnerabilities
Siemens WinCC components and vulnerabilities
Lots of “We don’t know yet”
To find ICS systems
Get https://scans.io/ (~500 GB) = ~$60
Index with Elasticsearch (3 CPU-days) = $0
Grep it all!
To find vulnerable devices
It’s all vulnerable (for sure!) = $0
Put it in Excel (I hate it!) = $9000
CoV
($60 + $0 + $0 + $9000) / 68076 devices = $0.1330865503261061
Old, slow, boring
Google/Bing/Shodanhq/ERIPP
New, fast, easy to automate
ZMap, Masscan
Homebrew scans of industrial ports
Rapid7 Project Sonar
Internet Census (not so new)
+ fast full-text search engines
Country   Devices
US          31211
DE           3793
IT           2956
BR           2461
GB           2282
CA           2276
KR           1785
SE           1345
ES           1341
NL           1312
FR           1171
TW           1126
CN            891
JP            885
Vendor               Devices   Share
Tridium                19490     29%
NRG Systems            11715     17%
Lantronix               6988     10%
Moxa                    3949      6%
Beck IPC                3655      5%
Generic                 2794      4%
Schneider Electric      2458      4%
Rabbit                  1958      3%
SAP                     1639      2%
Westermo                1526      2%
Echelon                 1395      2%
Siemens                 1322      2%
TAC AB                  1321      2%
Digi                     988      1%
DATACOM                  945      1%
Other                   5933      9%
Product                         Devices   Share
WindCube                          11715     45%
IPC@CHIP                           3655     14%
Lantronix SLS                      2204      8%
PowerLogic ION                     1806      7%
NetWeaver Application Server       1639      6%
Lantronix XPort AR                 1413      5%
i.LON 600                          1395      5%
Lantronix UDS1100                  1310      5%
Westermo MRD-310                   1171      5%
Service       Devices   Share
ftp               604      1%
http            49989     73%
Industrial       1612      2%
snmp            15253     23%
telnet            671      1%
Industrial protocol   Devices   Share
dnp3                      155     10%
iec104                     44      3%
modbus                    532     34%
s7                        827     53%
http://scadastrangelove.blogspot.com/2013/12/internet-connected-icsscadaplc30c3.html
Kudos to http://www.scadaexposure.com/
What RDP/VNC/Radmin can hide?...
…we will never know
[Diagram: ERTMS/ETCS signalling architecture. Plain line and station; computer-based interlocking to peripherals (signals, point machines, etc.); RBC; fixed Eurobalises; MMI; GSM-R data link to the ETCS onboard unit.]
Lots of new information coming up
Modbus (502): http://nmap.org/nsedoc/scripts/modbus-discover.html, http://scadastrangelove.blogspot.com/2012/11/plcscan.html
DNP3 (20000): https://code.google.com/p/scadascan/, http://sourceforge.net/projects/dnp/
IEC104 (2404): http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
MMS (102): http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
S7 (102): http://scadastrangelove.blogspot.com/2012/11/plcscan.html
Profinet DCP: http://scadastrangelove.blogspot.com/2013/05/scada-strangelove-positive-hack-days.html
But some protocols are still not researched
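What the Modbus (502) discovery tools listed above actually send is a single Read Device Identification request (function 0x2B, MEI type 0x0E); the reply carries vendor name, product code and revision as length-prefixed objects. The following is an added example, not plcscan or the modbus-discover NSE script: it builds that request, parses the reply without trusting any of its length fields, and walks the "more follows" continuation over TCP. SAMPLE_RESPONSE and SAMPLE_EXCEPTION are constructed byte strings for illustration, not captures from a real device, and the vendor and product strings in them are invented.

```python
"""Modbus/TCP Read Device Identification (function 0x2B, MEI type 0x0E).

Added example for the Modbus (502) item above. It is not plcscan or the
modbus-discover NSE script; it sends the same request those tools send and
parses the reply. SAMPLE_RESPONSE below is constructed for illustration,
not captured from a real device.
"""
import socket
import struct

# Object ids from the Modbus application protocol spec (basic + regular set)
DEVICE_ID_OBJECTS = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_read_device_id(transaction_id=1, unit_id=0, read_code=0x01, object_id=0x00):
    """MBAP header + PDU [0x2B, 0x0E, read code, object id].

    read_code 0x01 = basic identification (objects 0x00..0x02), 0x02 = regular,
    0x03 = extended, 0x04 = a single specific object.
    """
    pdu = bytes([0x2B, 0x0E, read_code, object_id])
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_device_id(frame):
    """Parse one Modbus/TCP response frame into {object name: value}.

    Adds "_more_follows" (bool) and "_next_object_id" so a caller can walk a
    multi-frame answer. Raises ValueError on exception responses and on frames
    whose declared lengths do not match the bytes actually present: a scanner
    must never trust length fields coming from an unknown device.
    """
    if len(frame) < 7:
        raise ValueError("short MBAP header")
    _tid, protocol_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("not a Modbus protocol id: %d" % protocol_id)
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length %d does not match %d PDU bytes" % (length, len(pdu)))
    if len(pdu) < 2:
        raise ValueError("short PDU")
    if pdu[0] & 0x80:
        raise ValueError("Modbus exception 0x%02X for function 0x%02X" % (pdu[1], pdu[0] & 0x7F))
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    # pdu[2] read code, pdu[3] conformity level, pdu[4] more follows,
    # pdu[5] next object id, pdu[6] number of objects in this frame
    objects = {"_more_follows": pdu[4] == 0xFF, "_next_object_id": pdu[5]}
    pos = 7
    for _ in range(pdu[6]):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = DEVICE_ID_OBJECTS.get(obj_id, "Object0x%02X" % obj_id)
        objects[name] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return objects


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def query_device(host, port=502, unit_id=0, timeout=3.0):
    """Walk the basic identification objects over TCP, following 'more follows'."""
    result = {}
    next_obj = 0x00
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for tid in range(1, 17):  # hard cap: a sane device needs far fewer frames
            sock.sendall(build_read_device_id(tid, unit_id, 0x01, next_obj))
            header = _recv_exact(sock, 7)
            length = struct.unpack(">H", header[4:6])[0]
            frame = header + _recv_exact(sock, length - 1)
            objs = parse_read_device_id(frame)
            result.update((k, v) for k, v in objs.items() if not k.startswith("_"))
            if not objs["_more_follows"]:
                break
            next_obj = objs["_next_object_id"]
    return result


# Constructed reply: basic identification, three objects, no continuation.
_SAMPLE_PDU = (
    bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
    + bytes([0x00, 10]) + b"ACME Corp."
    + bytes([0x01, 8]) + b"PLC-1000"
    + bytes([0x02, 4]) + b"v1.4"
)
SAMPLE_RESPONSE = struct.pack(">HHHB", 1, 0, len(_SAMPLE_PDU) + 1, 0) + _SAMPLE_PDU
# Constructed exception reply: function 0x2B | 0x80, exception code 0x01 (illegal function)
SAMPLE_EXCEPTION = struct.pack(">HHHB", 1, 0, 3, 0) + bytes([0xAB, 0x01])

if __name__ == "__main__":
    print(build_read_device_id().hex())
    print(parse_read_device_id(SAMPLE_RESPONSE))
```

Devices that do not implement function 0x2B answer with an exception frame (function code with the high bit set), which the parser reports instead of silently returning an empty dictionary; that is the case to handle before pointing this at anything found on the Internet, since a fair share of the 532 Modbus hosts counted above are serial-to-Ethernet gateways rather than PLCs.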
[kudos to Alexander Timorin @atimorin]
Native broadcast to identify all components
Resource index = 0x82
Resource name = 0x5345???????????? (SE??????)
Packet counter = 0x3ba1
https://www.thc.org/thc-hydra/
…responsible disclosure
[Diagram: typical WinCC deployment. WinCC servers, SCADA clients, SCADA client + web server, web clients and DataMonitor on the LAN, reachable from the Internet, corporate LAN and VPNs; engineering station (TIA Portal/PCS7); PLC1, PLC2, PLC3 on PROFINET/PROFIBUS.]
http://www.youtube.com/watch?v=bE2r7r7VVic
This is my encryption key
Metasploit module for harvesting data from the WinCC project’s database and decrypting ciphertexts: http://scadastrangelove.blogspot.com/2013/08/wincc-harvester-metasploit-module-is.html
This is myencryptionkeyisAUHFPPCY PPCY POEKLWUBWMKKEKJWVOPPWLDZ HSLWEK
This is SHA
"0xC280" x len(password)
+ "0xC280" x len(password)
ActiveX components: communication and rendering of HMI
IIS extension SCSWebBridgex.dll: manages the SCS connection and converts data to PAL
CCEServer.exe: WinCC core, manages requests of components
WebNavigatorRT.exe: rendering HMI and command transmission
CCEServer.exe (yep-yep, again): another component of WinCC, for example forwarding commands to the PLC via the S7 protocol
[kudos to Alexander Tlyapov @rigros1]
[Diagram: CCEServer in the middle, connected to HMI, PLC communication, license server and other components]
To register a component in the CCEServer, call CAL_StartListen(component’s GUID, PID, required callbacks, etc.)
During initial communication an SCS packet is sent with the GUID describing the target component
Attacker → Server: XML
DTD parsing, SYSTEM entity reading
PROFIT!
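The three lines above are the whole XXE story: a server component parses attacker-supplied XML, the parser honours the DTD, and a SYSTEM entity turns into a file read. Below is an added example, not code from the talk or from the WinCC components it describes, showing the payload next to the check a practitioner wants in the server: a SAX lexical handler that aborts on the DOCTYPE declaration itself, before any entity can be declared, with external general entities switched off as a second line. The <request>/<component> schema and XXE_PAYLOAD are constructed for illustration.

```python
"""XXE in an XML-accepting server component: the payload beside a parser
that refuses any DOCTYPE before an entity can be declared.

Added example; not code from the talk or from Siemens WinCC. The <request>
schema is invented for illustration and XXE_PAYLOAD is constructed.
"""
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler

# What the attacker sends: an external general entity the parser would
# resolve to a local file, reflected through whatever element the server
# echoes back (error message, log line, response body).
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">
]>
<request><component>&xxe;</component></request>"""

BENIGN_REQUEST = b"""<?xml version="1.0"?>
<request><component>WebNavigatorRT</component></request>"""


class DoctypeRejected(ValueError):
    """Raised the moment the parser reaches a <!DOCTYPE ...> declaration."""


class _RejectDTD:
    """SAX lexical handler: startDTD aborts, everything else is a no-op."""
    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE %r rejected (SYSTEM %r)" % (name, system_id))
    def endDTD(self): pass
    def startEntity(self, name): pass
    def endEntity(self, name): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


class _ComponentText(ContentHandler):
    """Collects the text of <component>; stands in for the real request handler."""
    def __init__(self):
        super().__init__()
        self._inside = False
        self.component = ""
    def startElement(self, name, attrs):
        self._inside = name == "component"
    def endElement(self, name):
        if name == "component":
            self._inside = False
    def characters(self, content):
        if self._inside:
            self.component += content


def parse_request(xml_bytes):
    """Return the <component> text, or raise DoctypeRejected.

    Two independent controls: the lexical handler kills any document with a
    DTD, and external general entities are switched off so that even a parser
    configuration that lets a DTD through never fetches a SYSTEM id.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, _RejectDTD())
    handler = _ComponentText()
    parser.setContentHandler(handler)
    parser.feed(xml_bytes)
    parser.close()
    return handler.component


def is_rejected(xml_bytes):
    """True if the request was thrown out before any entity could be resolved."""
    try:
        parse_request(xml_bytes)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print(parse_request(BENIGN_REQUEST))
    print(is_rejected(XXE_PAYLOAD))
```

Rejecting the DOCTYPE outright is the right default for a machine-to-machine protocol that never legitimately needs one; a regex for "<!DOCTYPE" on the raw bytes is not equivalent, because it misses the same declaration in another encoding that the parser will happily decode.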
What is a Project?
Collection of ActiveX/COM/.NET objects
Event handlers and other code (C/VB)
Configuration files, XML and other
Can a Project be trusted?
Ways to spread malware with a Project?
NO!
The Project itself is dynamic code
It’s easy to patch it “on the fly”
Vulnerabilities in data handlers
How to abuse?
Simplest way – patch the event handlers
' Event handler patched into a WinCC project: on click, drop a file into
' the WinCC directory. "%WinCC%" and the payload string are placeholders.
Sub OnClick(Byval Item)
  Dim tagName, tagValue, tagFilename
  Dim strFilename, strLine
  Dim fso, objFile, objTag
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set objFile = fso.CreateTextFile("%WinCC%\1.exe", True)
  strLine = "malware code here"
  objFile.WriteLine strLine
  objFile.Close
End Sub
https://guardian.emersonprocess.com/Guardian/KbaArticleMail.aspx?artId=de1cdd60-0d56-47b4-b1cf-f6994d0b6fec&exp=164f16aa-ade7-4a64-8bf2-e32d80daa846
[Chart: vulnerabilities per vendor (ABB, Emerson, Other, Invensys, Siemens), total vs. fixed; y-axis 0 to 180]
Self-written HTTP server
Self-written “pseudo” DNS
diagrams from http://cvedetails.com for Apache HTTP Server and ISC BIND
[Chart: CVE counts per year, 1997 to 2013, for Apache HTTP Server and ISC BIND; y-axis 0 to 1000]
Understand the components roles
how they communicate (e.g. HMI-DCS-PLC)
how they store data (e.g. account/project data)
Define entry points (input)
User input, IPC communications, command protocols
Analyze code
Resurrect structures/classes used in entry points
Research initialization and processing
Regex
# grep recv <decompiled bin function>
ret = recv(s, buf, buf_len, flags)
# grep 'buf|buf_len' <decompiled bin function>
ret = recv(s, buf2, buf[42], flags)
This is not supposed to work in the real world!
7 verified RCE vulnerabilities
4 verified DoS vulnerabilities (all null-pointer dereferences)
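The grep-the-decompile approach above is a two-step taint question: which identifiers were filled by recv(), and which later recv() takes its length from one of them. The following is an added example of that triage automated over decompiler-style pseudo-C; it is not the authors' tooling. SAMPLE_DECOMPILED is constructed text in the shape a decompiler emits, containing the "cb is buffer size" pattern, a heap buffer correctly sized by cb, and a bounded min() copy that the check deliberately does not flag; the regexes are heuristics and a length expression containing a comma (a nested call) will not be split correctly.

```python
"""Regex triage of decompiler output: recv() calls whose length comes from
bytes an earlier recv() put on the wire.

Added example of the grep-the-decompile approach described above; it is not
the authors' tooling. SAMPLE_DECOMPILED is constructed pseudo-C in the shape
a decompiler emits, with a 'cb is buffer size' pattern in it.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "lineno length_expr tainted_ids line")

RECV_RE = re.compile(
    r"\brecv\s*\(\s*(?P<sock>[^,]+),\s*(?P<buf>[^,]+),\s*(?P<len>[^,]+),\s*(?P<flags>[^)]+)\)")
# simple C assignment, not a comparison (= not followed by another =)
ASSIGN_RE = re.compile(r"^\s*(?:[\w\s\*]+\s)?(?P<lhs>\*?\w+)\s*=(?!=)\s*(?P<rhs>[^;]+);")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
# crude 'this value was bounded' markers; anything else keeps the taint
BOUNDING = ("min(", "MIN(", "sizeof(")


def find_tainted_recv_lengths(code):
    """Forward pass over one function: track identifiers that hold received
    data and report recv() calls whose length argument uses one of them."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        m = RECV_RE.search(line)
        if m:
            len_ids = set(IDENT_RE.findall(m.group("len")))
            hit = sorted(len_ids & tainted)
            if hit:
                findings.append(Finding(lineno, m.group("len").strip(), hit, line.strip()))
            # whatever recv wrote into now holds attacker-controlled bytes;
            # take the last identifier so "(char *)payload" yields "payload"
            buf_ids = IDENT_RE.findall(m.group("buf"))
            if buf_ids:
                tainted.add(buf_ids[-1])
            continue
        a = ASSIGN_RE.match(line)
        if a:
            rhs = a.group("rhs")
            if set(IDENT_RE.findall(rhs)) & tainted and not any(b in rhs for b in BOUNDING):
                tainted.add(a.group("lhs").lstrip("*"))
    return findings


SAMPLE_DECOMPILED = """\
int handle_client(SOCKET s)
{
    char hdr[64];
    char body[256];
    char *payload;
    unsigned int cb;
    int n, ret;
    ret = recv(s, hdr, 64, 0);
    cb = *(unsigned int *)&hdr[42];
    payload = (char *)malloc(cb);
    ret = recv(s, payload, cb, 0);
    ret = recv(s, body, hdr[42], 0);
    n = min(cb, sizeof(body));
    ret = recv(s, body, n, 0);
    return process(payload, cb);
}
"""

if __name__ == "__main__":
    for f in find_tainted_recv_lengths(SAMPLE_DECOMPILED):
        print("line %d: recv length %r tainted via %s" % (f.lineno, f.length_expr, f.tainted_ids))
```

Both reported lines need a human: the recv into payload is only as safe as the malloc(cb) above it (cb of zero or near 4 GB are the cases to check), while the recv into the fixed 256-byte body with hdr[42] as the length is the stack overflow the slide is about.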
…responsible disclosure
“cb” is buffer size
scadasl@December 04, 2012#ping vendor.ics.jp
Request timed out.
scadasl@January 18, 2013#traceroute vendor.ics.jp
1 3 days S4.Conference
2 5 days jpcert.or.jp
3 * Request timed out.
scadasl@March 04, 2013#ping vendor.ics.jp
Reply from jpcert.or.jp: Destination host reachable!
scadasl@June 19, 2013#traceroute vendor.ics.jp
1 1 days jpcert.or.jp
Customer list complete!
scadasl#echo WTF?!