![
Lot’s of new information coming up
Modbus (502)
DNP3 (20000)
http://scadastrangelove.blogspot.com/2012/11/plcscan.html
Profinet DCP
http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
S7 (102)
http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
MMS (102)
https://code.google.com/p/scadascan/
http://sourceforge.net/projects/dnp/
IEC104 (2404)
http://nmap.org/nsedoc/scripts/modbus-discover.html
http://scadastrangelove.blogspot.com/2012/11/plcscan.html
http://scadastrangelove.blogspot.com/2013/05/scada-strangelove-positive-hack-days.html
But some protocols still not researched
[kudos to Alexander Timorin @atimorin]](https://image.slidesharecdn.com/scadastrangelove-30c3-publish-140104170355-phpapp01/85/SCADA-StrangeLove-2-We-already-know-19-320.jpg)
![ActiveX components
for communication
and rendering of
HMI
Another component
of WinCC.
For example,
forwarding
commands to the
PLC via the S7
protocol
IIS extension
SCSWebBridgex.dll
Manages SCS
connection and
converts data to PAL
CCEServer.exe
Yep-Yep, again)
CCEServer.exe
WinCC core:
Manages requests of
components
WebNavigatorRT.exe
Rendering HMI and
command
transmission
[kudos to Alexander Tlyapov @rigros1]](https://image.slidesharecdn.com/scadastrangelove-30c3-publish-140104170355-phpapp01/85/SCADA-StrangeLove-2-We-already-know-36-320.jpg)
![Regex
# grep recv <decompiled bin function>
ret = recv(s, buf, buf_len, flags)
# grep ‘buf|buf_len’ <decompiled bin
function>
ret = recv(s, buf2, buf[42], flags)
This not supposed to work in real world!](https://image.slidesharecdn.com/scadastrangelove-30c3-publish-140104170355-phpapp01/85/SCADA-StrangeLove-2-We-already-know-54-320.jpg)
SCADA StrangeLove 2: We already know
- 1. http://scadasl.org *All pictures are taken from Dr StrangeLove movie and other Internets
- 2. Sergey Gordeychik Positive Hack Days Director and Scriptwriter, WASC board member http://www.phdays.com Gleb Gritsai Principal Researcher, Network security and forensic researcher, member of PHDays Challenges team @repdet
- 3. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Sergey Gordeychik Roman Ilin Artem Chaykin Dmitry Efanov Andrey Medov Alexander Zaitsev Dmitry Sklyarov Roman Ilin Kirill Nesterov Gleb Gritsai Ilya Karpov Yuriy Dyachenko Yuri Goltsev Sergey Scherbel Dmitry Serebryannikov Alexander Timorin Alexander Tlyapov Denis Baranov Sergey Bobrov Sergey Drozdov Vladimir Kochetkov Timur Yunusov Dmitry Nagibin Vyacheslav Egoshin Evgeny Ermakov
- 4. Analytics “SCADA security in numbers” Industrial Protocols ICS systems on the internets plcscan for S7 and modbus Vulnerabilities Siemens WinCC components and vulnerabilities Lot’s of “We don’t know yet”
- 6. To find ICS system To find vulnerable device Get https://scans.io/ (~500 GB) = ~$60 Index by Elastic Search (3 cpu days) = $0 Grep it all! It’s all vulnerable (for sure!) = $0 Put in Excel (I hate it!) = $9000 CoV ($60 + $0 +$0 + $9000)/68076 = $0.1330865503261061
- 7. Old, slow, boring Google/Bing/Shodanhq/ERIPP New, fast, easy to automate ZMap, Masscan Homebrew scans of industrial ports Rapid7 Project Sonar Internet Census (not so new) + fast full-text search engines
- 9. DATACOM, 945, 1% Digi, 988, 1% TAC AB, 1321, 2% Siemens, 1322, 2% Echelon, 1395, 2% Other, 5933, 9% Westermo, 1526, 2% SAP, 1639, 2% Tridium, 19490, 29% Rabbit, 1958, 3% Schneider Electric, 2458, 4% Generic, 2794, 4% NRG Systems, 11715, 17% Beck IPC, 3655, 5% Moxa, 3949, 6% Lantronix, 6988, 10% Vendor Devices Tridium NRG Systems Lantronix Moxa Beck IPC Generic Schneider Electric Rabbit SAP Westermo Echelon Siemens TAC AB Digi DATACOM Other 19490 11715 6988 3949 3655 2794 2458 1958 1639 1526 1395 1322 1321 988 945 5933
- 10. Lantronix UDS1100, 1310, 5% Westermo MRD-310, 1171, 5% i.LON 600, 1395, 5% Lantronix XPort AR, 1413, 5% NetWeaver Application Server, 1639, 6% WindCube, 11715, 45% PowerLogic ION, 1806, 7% Lantronix SLS, 2204, 8% IPC@CHIP, 3655, 14%
- 13. dnp3, 155, 10% iec104, 44, 3% s7, 827, 53% modbus, 532, 34%
- 16. What RDP/VNC/Radmin can hide?... …we will never know
- 17. Computer Based Interlocking RBC RBC MMI GSM-R Fixed Eurobalise to peripherals: signals, point machines, etc. Plain Line Data GSM-R ETCS Onboard GSM-R Fixed Eurobalise Station Onboard
- 18. Computer Based Interlocking RBC RBC MMI GSM-R Fixed Eurobalise to peripherals: signals, point machines, etc. Plain Line Data GSM-R ETCS Onboard GSM-R Fixed Eurobalise Station Onboard
- 19. Lot’s of new information coming up Modbus (502) DNP3 (20000) http://scadastrangelove.blogspot.com/2012/11/plcscan.html Profinet DCP http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html S7 (102) http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html MMS (102) https://code.google.com/p/scadascan/ http://sourceforge.net/projects/dnp/ IEC104 (2404) http://nmap.org/nsedoc/scripts/modbus-discover.html http://scadastrangelove.blogspot.com/2012/11/plcscan.html http://scadastrangelove.blogspot.com/2013/05/scada-strangelove-positive-hack-days.html But some protocols still not researched [kudos to Alexander Timorin @atimorin]
- 20. Native broadcast to identify all components
- 21. Resource index = 0x82 Resource name = 0x5345???????????? (SE??????) Packet counter = 0x3ba1
- 25. WinCC Web-Client Internet, corp lan, vpn’s WinCC DataMonitor Some networks WinCC SCADA-Clients LAN WinCC Web-Client WinCC SCADA-Client +Web-Server WinCC Servers Engineering station (TIA portal/PCS7) PROFINET PROFIBUS PLC1 PLC2 WinCC DataMonitor PLC3
- 30. WinCC Web-Client Internet, corp lan, vpn’s WinCC DataMonitor Some networks WinCC SCADA-Clients LAN WinCC Web-Client WinCC SCADA-Client +Web-Server WinCC Servers Engineering station (TIA portal/PCS7) PROFINET PROFIBUS PLC1 PLC2 WinCC DataMonitor PLC3
- 31. This is my encryptionkey Metasploit module for harvesting data from WinCC project’s database and decrypting ciphertexts http://scadastrangelove.blogspot.com/2013/08/wincc-harvester-metasploit-module-is.html
- 33. This is my encryptionkey is AUHFPPCY PPCY POEK LWUBWMKKEKJWVOPP WLDZ HSLWEK
- 34. This is SHA "0xC280" x len(password) + "0xC280" x len(password)
- 35. WinCC Web-Client Internet, corp lan, vpn’s WinCC DataMonitor Some networks WinCC SCADA-Clients LAN WinCC Web-Client WinCC SCADA-Client +Web-Server WinCC Servers Engineering station (TIA portal/PCS7) PROFINET PROFIBUS PLC1 PLC2 WinCC DataMonitor PLC3
- 36. ActiveX components for communication and rendering of HMI Another component of WinCC. For example, forwarding commands to the PLC via the S7 protocol IIS extension SCSWebBridgex.dll Manages SCS connection and converts data to PAL CCEServer.exe Yep-Yep, again) CCEServer.exe WinCC core: Manages requests of components WebNavigatorRT.exe Rendering HMI and command transmission [kudos to Alexander Tlyapov @rigros1]
- 37. HMI Other components CCEServer PLC Communication License server To register component in the CCEServer call CAL_StartListen(Component’s GUID, PID, Required callbacks, etc)
- 38. During initial communications SCS packet is sent with GUID describing target component
- 42. What is Project? Collection of ActiveX/COM/.NET objects Event Handlers and other code (C/VB) Configuration files, XML and other Can Project be trusted? Ways to spread malware with Project?
- 43. NO! Project itself is dynamic code It’s easy to patch it “on the fly” Vulnerabilities in data handlers How to abuse? Simplest handlers way – to patch event
- 44. Sub OnClick(Byval Item) Dim tagName, tagValue, tagFilename Dim strFilename, strLine Dim fso, objFile, objTag Set fso = CreateObject("Scripting.FileSystemObject") Set objFile = fso.CreateTextFile("%WinCC%1.exe",True) strLine = “malware code here" objFile.WriteLine strLine objFile.Close End Sub
- 50. Self-written HTTP server Self written “pseudo” DNS diagrams from http://cvedetails.com for Apache HTTP Server and ICS BIND
- 51. 1000 899 900 800 700 600 500 400 285 300 200 73 100 0 1 2 9 7 6 10 11 14 100 96 94 135 81 17 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
- 52. Understand the components roles Define entry points (input) how they communicate (i.e. HMI-DCS-PLC) how they store data (i.e. account/project data) User input, IPC communications, command protocols Analyze code Resurrect structures/classes used in entry points Research initialization and processing
- 54. Regex # grep recv <decompiled bin function> ret = recv(s, buf, buf_len, flags) # grep ‘buf|buf_len’ <decompiled bin function> ret = recv(s, buf2, buf[42], flags) This not supposed to work in real world!
- 55. 7 verified RCE vulnerabilities 4 verified DoS vulnerabilities (all NPD)
- 57. “cb” is buffer size
- 68. scadasl@December 04, 2012#ping vendor.ics.jp Request timed out. scadasl@January 18, 2013#traceroute vendor.ics.jp 1 2 3 3 days 5 days * S4.Conference jpcert.or.jp Request timed out. scadasl@March 04, 2013#ping vendor.ics.jp Reply from jpcert.or.jp: Destination host reachable! scadasl@June 19, 2013#traceroute vendor.ics.jp 1 1 days jpcert.or.jp Customer list complete! scadasl#echo WTF?!
- 80. http://scadasl.org *All pictures are taken from Dr StrangeLove movie and other Internets