SCADA hacking industrial-scale fun

SCADA HackingSCADA Hacking
Industrial Scale FunIndustrial Scale Fun
Jan SeidlJan Seidl

$ whoami$ whoami
AboutAbout
Full Name: Jan SeidlFull Name: Jan Seidl
Origin: Rio de Janeiro, RJ – BrazilOrigin: Rio de Janeiro, RJ – Brazil
Work:Work:
●
CTO @ TI SafeCTO @ TI Safe
●
OpenSource contributor for: PEV, LogstashOpenSource contributor for: PEV, Logstash
●
Codes and snippets @ github.com/jseidlCodes and snippets @ github.com/jseidl
Features:Features:
●
UNIX Evangelist/Addict/Freak (but no fanboy!)UNIX Evangelist/Addict/Freak (but no fanboy!)
●
Python and C loverPython and C lover
●
Coffee dependentCoffee dependent
●
Hates printers and social networksHates printers and social networks
●
Proud DC Labs ResearcherProud DC Labs Researcher SCADA Hacking – Industrial Scale Fun. SEIDL, Jan
Hackers 2 Hackers Conference/2013 – São Paulo, Brazil

0x0 What is SCADA?0x0 What is SCADA?
0x1 Where is SCADA?0x1 Where is SCADA?
0x2 Why SCADA?0x2 Why SCADA?
0x3 Misconceptions and Reality0x3 Misconceptions and Reality
0x4 Industrial Protocols0x4 Industrial Protocols
0x5 Pentesting Scada systems0x5 Pentesting Scada systems
0x6 Industrial Malwares, the cyberweapons0x6 Industrial Malwares, the cyberweapons
0x7 Solutions for Industrial Control Systems Security0x7 Solutions for Industrial Control Systems Security
0x8 Researching SCADA0x8 Researching SCADA
0x9 Modbus Attacks Demonstration0x9 Modbus Attacks Demonstration
0xA Questions?0xA Questions?
SCADA Hacking – Industrial Scale Fun. SEIDL, Jan
AgendaAgenda

What is SCADA?What is SCADA?

What isWhat is NOTNOT SCADA?SCADA?
Programmable-Logic Controllers (PLCs)

Remote Terminal Units (RTUs)

Supervisory Control and Data Acquisition
Control devices, safety devices, electric/electronic devicesControl devices, safety devices, electric/electronic devices
Single-box solution/applicationSingle-box solution/application
Not just a user interfaceNot just a user interface

CollectsCollects data anddata and controlcontrol field equipmentfield equipment
SavesSaves historical datahistorical data
Forwards data to other devices or systemsForwards data to other devices or systems
ProvidesProvides seconds-precisionseconds-precision measurementsmeasurements

Where is SCADA?Where is SCADA?

Where is SCADA?Where is SCADA?
What kind of cool stuff do they control?

Why SCADA?Why SCADA?

Do we really need computers for this?
Equipments rely onEquipments rely on very quick response timesvery quick response times
Huge amount of dataHuge amount of data needs to be collectedneeds to be collected
Hundreds, thousands of devices need to be controlled at same timeHundreds, thousands of devices need to be controlled at same time
Operation is almostOperation is almost never interruptednever interrupted

Can you imagine if something goes... wrong?
Russian hydro plant accident kills 12

Chemical plant explosion leaves 5 missing,
15 injured in China

Hundreds of tons of toxic waste were dumped into one of the German rivers
after the serious accident at a local chemical plant.

Misconceptions and RealityMisconceptions and Reality

Do automation guys think they are in danger?

First, the misconceptions...
““SCADA networks are isolated andSCADA networks are isolated and cannot becannot be
accessedaccessed over the Internet”over the Internet”

““We use proprietary/custom systems, protocolsWe use proprietary/custom systems, protocols
and equipment, thus weand equipment, thus we cannot be hackedcannot be hacked””

““HMI/some-control-software has limitedHMI/some-control-software has limited
functionality and/or restrictions so it cannot befunctionality and/or restrictions so it cannot be
abused”abused”

And my opinion on this...

And now comes reality...
All industrial networks are connected somehowAll industrial networks are connected somehow
to the Internet or corporate networkto the Internet or corporate network
Integration software (ERP/MES), Phone/Modem/3G abuse,
Equipment misconfiguration (switches, routers, firewalls),
removable media abuse, remote access (VPN, RDP, VNC)

Most networks are operated by automation staffMost networks are operated by automation staff
with no or low IT knowlegdewith no or low IT knowlegde
Commit security abuses/incidents, unsafe computer
operation posture [games, internet browsing, downloading
stuff], careless about infosec, just want the job done

Most networks and servers areMost networks and servers are
managed by IT staffmanaged by IT staff
Low to no knowledge about industrial protocols, attack
impacts, software operation, overall ICS security, commit
several mistakes configuring equipment

99,9% of plants can be easily hacked99,9% of plants can be easily hacked
Common OS (Windows, Linux...)
Common/open protocols (HTTP, Telnet, Modbus)
All the same common bugs from IT: weak/hardcoded
passwords, silly application vulns, unpatched stuff

Industrial ProtocolsIndustrial Protocols

Current common market protocols
CIP – Common
Industrial Protocol,
Ethernet/IP
Profinet, S3/5/7
CC-Link Modbus

Modbus
Very simple plaintext protocolVery simple plaintext protocol
Created in the 70s by ModiconCreated in the 70s by Modicon
Used by many vendorsUsed by many vendors

Modbus
No authenticationNo authentication ++ No encryptionNo encryption ++ No validationNo validation
==
HA-HA security levelHA-HA security level

Modbus
Common architectureCommon architecture

Modbus
Protocol strucutureProtocol strucuture
Standard port tcp/502

Modbus
Protocol strucutureProtocol strucuture

Modbus
Function CodesFunction Codes

Modbus
Function Codes (the ones we care)Function Codes (the ones we care)
Read/Write Coils and Registers (Mess up stuff) [lots]
Read/Write File records [20, 21]
Device Fingerprinting & Diagnostics [43,17,8]
+ modbus supports user-defined functions!

Pentesting SCADA systemsPentesting SCADA systems

Important NoteImportant Note
When you run tests against an industrial control system
unexpected things may happen.
And they happen almost every time.

Important NoteImportant Note
Do not test LIVE systems.
Never. Ever.

Scanning / DiscoveryScanning / Discovery
Some tools available:
plcscan – Scans s7comm & modbus devices
https://code.google.com/p/plcscan/
modscan – Scans modbus devices
https://code.google.com/p/modscan/
Nmap – Famous network scanner
http://nmap.org/

Scanning / Discovery (cont.)Scanning / Discovery (cont.)
Metasploit Modules
auxiliary/scanner/modbus/modbus_findunitid
auxiliary/scanner/modbus/modbusdetect

PLCscan

Nmap – modbus-discover.nse

Modbus Diagnostic Function code (0x2B, 43)
VendorName, ProductName, ModelName, ProductCode,
MajorMinorRevision

Data ManipulationData Manipulation
Opensource ICS protocol libraries
Modlib – Scapy Extension [python]
https://www.scadaforce.com/modbus
Pymodbus – Module [python]
https://github.com/bashwork/pymodbus
Modbus-cli – Gem [ruby]
https://rubygems.org/gems/modbus-cli
S7comm – Library [C,C++,C#,Delphi,Pascal,Perl,VB(A)]
http://libnodave.sourceforge.net/
OpenDNP3 – Library [C++]
https://code.google.com/p/dnp3/

Data Manipulation (cont.)Data Manipulation (cont.)
Metasploit Modules
auxiliary/scanner/modbus/modbusclient
auxiliary/admin/scada/modicon_command
auxiliary/admin/scada/igss_exec_17
auxiliary/admin/scada/multi_cip_command

Reading and Writing data
modbus-cli
<https://rubygems.org/gems/modbus-cli>
R: modbus read <IP> <ADDR> <QTY>
W: modbus write <IP> <ADDR> [<VAL1>,<VAL2>,<VAL3>]
pymodclient
<https://github.com/jseidl/pymodbuscli>
R: pymodbuscli -f read_register -h <IP> <ADDR> <QTY>
W: pymodbuscli -f write_register -h <IP> <ADDR>
[<VAL1>,<VAL2>,<VAL3>]
Modbus

Metasploit Modules (not on official tree yet)
simatic_s7_300_command.rb / simatic_s7_300_memory_view.rb /
simatic_s7_1200_command.rb
S7Comm
https://github.com/d1n/s7-metasploit-modules

Sniffing TrafficSniffing Traffic
Native Wireshark dissector
Modbus

Sniffing TrafficSniffing Traffic
Opensource Wireshark dissector plugin
<http://sourceforge.net/projects/s7commwireshark/>
SIEMENS S7comm

Industrial MalwaresIndustrial Malwares

StuxnetStuxnet
Industrial SabotageIndustrial Sabotage

StuxnetStuxnet
Industrial Sabotage
Discovered July 2010
Targets Siemens WinCC systems
Targets specific PLC models
100KLOC (thousands of lines of code)

StuxnetStuxnet
Industrial Sabotage
Sabotages centrifuges causing malfunction or destruction
Allegedly a sabotage plan from USA and Israel against
Iran's nuclear program

StuxnetStuxnet
Industrial Sabotage
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-
wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=2

StuxnetStuxnet
Industrial Sabotage
http://www.cbsnews.com/8301-205_162-57592862/nsa-leaker-snowden-
claimed-u.s-and-israel-co-wrote-stuxnet-virus/

StuxnetStuxnet
Industrial Sabotage
http://www.symantec.com/connect/blogs/w32stuxnet-dossier

StuxnetStuxnet
Industrial Sabotage
Exploits five vulnerabilities (of which four are 0-day)...
LNK File Bug – Initial Infection via USB drives/removable media
http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx
Printer Spooler – Spreading
Server Service (SMB) – Spreading
Keyboard layout file – Privilege escalation
Task Scheduler – Privilege escalation
… and then installs a rootkit :)

StuxnetStuxnet
Industrial Sabotage
Which can only be installed because Stuxnet has stolen
valid digital certificates.
From Realtek and Jmicron.

StuxnetStuxnet
Industrial Sabotage
As if this weren't enough, it creates a peer-to-peer network
of infected hosts, steals intelligence, and rootkits the PLC
+ project files so engineers and operators won't notice.

DuQuDuQu
Industrial Espionage

DuQuDuQu
Discovered September 2011
Possibly derived from Stuxnet
Objective: backdooring and data collection
Targets ICS software and hardware vendors

DuQuDuQu
Uses one Microsoft vulnerability
Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code
Execution Vulnerability (BID 50462)
Does not replicate on its own
Has also stolen signed certificates

Flame / SkywiperFlame / Skywiper

FlameFlame
Discovered ~May 2012
Mostly seen in middle-east
About 20mb in size
Has LUA plugin support
Around 20 extension modules

FlameFlame
Fingerprints countermeasure software/adapts to evade it
Multiple encryption levels
SQLite databases for storing collected data
Propagates similar to Stuxnet (LNK+Spooler)

FlameFlame
Record Skype Conversations
Keylogging + Screenlogging
Network Sniffer
Bluetooth scanning and compromise
Most affected countries: Iran, Israel, Sudan, Syria, Lebanon,
Saudi Arabia and Egypt.

GaussGauss

GaussGauss
Discovered ~August 2012
Flame+Banking+Nasty Stuff
Same infection schemes as Stuxnet & Flame
Has encrypted payload that is only run under certain
circumstances

GaussGauss
Steals passwords and cookies from browser
Collects and reports system configuration
Infects other removable media
Enumerates files and directories

GaussGauss
Steals banking credentials from middle-east banking
systems
Steals information from social networks, instant messaging
and email accounts

Solutions for ICS SecuritySolutions for ICS Security

First of AllFirst of All
There is no single-box solution.
Sorry :(

Security is not only on your hosts but
also networks and personnel

You need the best solution for each area. Each vendor has
expertise in its own area and probably won't master all of
them at the same time.

Embrace good and old defense in depth model
so...so...
Photo credit: Sentrillion

Embrace good and old defense in depth model
so...so...
Photo credit: Sentrillion
Locks, cameras etc Firewalls, IDPS,
Data diodes
Segmentation, VLANs,
port-mirrored IDS
WAFs, strong
architechture
Encryption and access
control
Whitelisting
software, HIDPS,
central logging

Network SegmentationNetwork Segmentation
ISA/99 Zones and Conduits Model

Network SegmentationNetwork Segmentation
Proper DMZ Model

Industrial Control Systems Firewalls/IDSsIndustrial Control Systems Firewalls/IDSs
Commercial Solutions
Tofino Security Appliance SIEMENS Scalance S

Commercial Solutions
Firewall
Industrial Protocol Enforcer
VPN
Centralized Management

OpenSource Solutions

SNORT SCADA IDS RulesSNORT SCADA IDS Rules
http://www.digitalbond.com/tools/quickdraw/
http://blog.snort.org/2012/01/snort-292-scada-preprocessors.html
Initially compiled by Digital Bond
Many rules already on SNORT main repository
Additional rules are easy to write

ModbusModbus
Snort IDS rules

Ether/IPEther/IP
Snort IDS rules

DNP3DNP3
Snort IDS rules

Data DiodesData Diodes
Allow traffic to flow only in one direction
Enforced by hardware
Photo-resistor on one end, Photo-transmitter on other
As it depends on hardware, no open-source solution yet :(
Can be enforced via firewall but not with same efficiency

Data DiodesData Diodes
Commercial Solution

White-listing SoftwareWhite-listing Software
Anti-virus, seriously?
CEBIT 2013 Workshop: Anti-virus are an efficient solution for
industrial network protection? (short answer: no)
http://slidesha.re/17AwTEd

MonitoringMonitoring
ICS networks and hosts generally operate in regular and
predictable manners.
Simple monitoring and plotting can help detect anomalies
when they happen
[White paper] Detecting problems in industrial networks though
continuous monitoring
http://slidesha.re/17JyVSu

• $ nmap –sV 192.168.1.1
• Communications interception (ARP Poisoning)

• Denial of Service
•
• Malware infection

• Unauthorized Modbus traffic

Educate your usersEducate your users
Your users don't really know the impact of using a 3G
modem to check their personal email or Facebook wall
Even less that they can ruin plant's processes by clicking
on a link sent by that hot girl he's chatting with for weeks

Never forget what your usersNever forget what your users
mean to your securitymean to your security

Researching SCADAResearching SCADA

ALWAYS REMEMBER!!!!ALWAYS REMEMBER!!!!
Do not test LIVE systems.
Never. Ever.

Gather documentationGather documentation
Most protocols (even proprietary ones) have
documentation available on-line
Get it from manufacturer website or just freaking google it.

Gather documentationGather documentation
DNP3 Primer
http://www.dnp.org/AboutUs/DNP3%20Primer%20Rev%20A.pdf
Modbus Specification
http://www.modbus.org/specs.php

Sniff master-slave communication with WiresharkSniff master-slave communication with Wireshark

Get a test-bedGet a test-bed
Buy from manufacturer (expensive, sometimes impeditive)
Buy from e-bay (quite easy)
Real, hardware-based

http://www.ebay.com/sch/i.html?
_trksid=p2050601.m570.l1313.TR0.TRC0.Xs7-300&_nkw=s7-
300&_sacat=0&_from=R40

http://www.ebay.com/sch/i.html?_odkw=s7-
300&_osacat=0&_from=R40&_trksid=p2045573.m570.l1313.TR3.TRC1.A0.Xwago+
750&_nkw=wago+750&_sacat=0

Emulated, software-based
Fully programmable
Available in many programming languages
Self-contained solutions available

Pymodbus library
https://github.com/bashwork/pymodbus/blob/master/examples/common/synchro
nous-server.py
# initialize data
store = ModbusSlaveContext(
di = ModbusSequentialDataBlock(0, [17]*100),
co = ModbusSequentialDataBlock(0, [17]*100),
hr = ModbusSequentialDataBlock(0, [17]*100),
ir = ModbusSequentialDataBlock(0, [17]*100))
context = ModbusServerContext(slaves=store, single=True)
# initialize the server information
identity = ModbusDeviceIdentification()
identity.VendorName = 'Pymodbus'
identity.ProductCode = 'PM'
identity.VendorUrl = 'http://github.com/bashwork/pymodbus/'
identity.ProductName = 'Pymodbus Server'
identity.ModelName = 'Pymodbus Server'
identity.MajorMinorRevision = '1.0'
# run the server you want
StartTcpServer(context, identity=identity, address=("localhost", 5020))

ModSak (commercial with free trial)
http://wingpath.co.uk/modbus/modsak.php

Get some ICS software from vendorsGet some ICS software from vendors
Vendors often have trial versions on their sites
You might have to ask them for a copy
They might not like it what you'll be using it for
Be brave. Don't desist.

Scan the crap out of itScan the crap out of it
Use network and software vulnerabilities scanners heavily,
don't mind if sometimes devices go crazy
but do one at a time or you may DOS your device
For both equipment and software

Fuzz'em until smoke comes outFuzz'em until smoke comes out
Create fuzz model files based on documentation
See how they handle malformed data

Peach fuzzer
http://peachfuzzer.com/

Modbus PIT file for Peach Fuzzer (WIP)
https://github.com/jseidl/peach-pit/blob/master/modbus/modbus.xml

ROBUS & AEGIS Project
http://www.automatak.com/aegis/ & http://www.automatak.com/robus/

Set up a honeypotSet up a honeypot
Put it faced over to the internet and learn from other
attackers (caution! risky!)

Set up a honeypotSet up a honeypot
“The default configuration of Conpot simulates a basic
Siemens SIMATIC S7-200 PLC with an input/output module
and a CP 443-1 which would be needed in a real setup to
provide network connectivity.”
https://github.com/glastopf/conpot
Conpot – SCADA/ICS Honeypot

Attack DemonstrationAttack Demonstration

Questions?Questions?
Please, don't be shy!

Thanks for your time!Thanks for your time!
Hope you enjoyed it!
@jseidl
jseidl@wroot.org
http://wroot.org
https://github.com/jseidl
http://www.slideshare.net/jseidl
http://www.linkedin.com/in/janseidl

SCADA hacking industrial-scale fun

More Related Content

What's hot (20)

Similar to SCADA hacking industrial-scale fun (20)

More from Jan Seidl (6)

Recently uploaded (20)

SCADA hacking industrial-scale fun