SCADA hacking industrial-scale fun

Post on 08-May-2015


description

Slides for the presentation about SCADA hacking given at the Hackers 2 Hackers Conference 10th edition in São Paulo, Brazil.

Demo videos:
- Wago 0day DOS: https://www.youtube.com/watch?v=ACMJmXy4hSg
- Modbus Replay: https://www.youtube.com/watch?v=1pfZDiUUQHQ

Presentation Video (pt_BR): https://www.youtube.com/watch?v=R1snsQ_WS9Y

Transcript of SCADA hacking industrial-scale fun

SCADA Hacking: Industrial Scale Fun

Jan Seidl

$ whoami

About

Full Name: Jan Seidl

Origin: Rio de Janeiro, RJ – Brazil

Work:
● CTO @ TI Safe
● OpenSource contributor for: PEV, Logstash
● Codes and snippets @ github.com/jseidl

Features:
● UNIX Evangelist/Addict/Freak (but no fanboy!)
● Python and C lover
● Coffee dependent
● Hates printers and social networks
● Proud DC Labs Researcher

SCADA Hacking – Industrial Scale Fun. SEIDL, Jan
Hackers 2 Hackers Conference/2013 – São Paulo, Brazil

Agenda

0x0 What is SCADA?
0x1 Where is SCADA?
0x2 Why SCADA?
0x3 Misconceptions and Reality
0x4 Industrial Protocols
0x5 Pentesting SCADA systems
0x6 Industrial Malwares, the cyberweapons
0x7 Solutions for Industrial Control Systems Security
0x8 Researching SCADA
0x9 Modbus Attacks Demonstration
0xA Questions?

What is SCADA?

What is NOT SCADA?

Programmable-Logic Controllers (PLCs)

Remote Terminal Units (RTUs)

Supervisory Control and Data Acquisition

Control devices, safety devices, electric/electronic devices
Single-box solution/application
Not just a user interface

What is SCADA?

Supervisory Control and Data Acquisition

Collects data from and controls field equipment
Saves historical data
Forwards data to other devices or systems
Provides seconds-precision measurements

Where is SCADA?

What kind of cool stuff do they control?

Why SCADA?

Do we really need computers for this?

Equipment relies on very quick response times
Huge amounts of data need to be collected
Hundreds, thousands of devices need to be controlled at the same time
Operation is almost never interrupted

Can you imagine if something goes... wrong?

Russian hydro plant accident kills 12

Chemical plant explosion leaves 5 missing, 15 injured in China

Hundreds of tons of toxic waste were dumped into one of the German rivers after the serious accident at a local chemical plant.

Misconceptions and Reality

Do automation guys think they are in danger?

First, the misconceptions...

“SCADA networks are isolated and cannot be accessed over the Internet”

“We use proprietary/custom systems, protocols and equipment, thus we cannot be hacked”

“HMI/some-control-software has limited functionality and/or restrictions so it cannot be abused”

And my opinion on this...

And now comes reality...

All industrial networks are connected somehow to the Internet or corporate network
Integration software (ERP/MES), phone/modem/3G abuse, equipment misconfiguration (switches, routers, firewalls), removable media abuse, remote access (VPN, RDP, VNC)

Most networks are operated by automation staff with no or low IT knowledge
They commit security abuses/incidents, have an unsafe computer operation posture [games, internet browsing, downloading stuff], are careless about infosec and just want the job done

Most networks and servers are managed by IT staff
Low to no knowledge about industrial protocols, attack impacts, software operation or overall ICS security; they make several mistakes configuring equipment

99.9% of plants can be easily hacked
Common OS (Windows, Linux...)
Common/open protocols (HTTP, Telnet, Modbus)
All the same common bugs from IT: weak/hardcoded passwords, silly application vulns, unpatched stuff

Industrial Protocols

Current common market protocols

CIP – Common Industrial Protocol, Ethernet/IP
Profinet, S3/5/7
CC-Link
Modbus

Modbus

Very simple plaintext protocol
Created in the 70s by Modicon
Used by many vendors

No authentication + No encryption + No validation = HA-HA security level

Common architecture

Protocol structure

Standard port tcp/502

Function Codes

Function Codes (the ones we care about)

Read/Write Coils and Registers (mess up stuff) [lots]
Read/Write File records [20, 21]
Device Fingerprinting & Diagnostics [43, 17, 8]
+ Modbus supports user-defined functions!
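To make the "no authentication + no encryption + no validation" point concrete, here is an added example that builds and decodes Modbus/TCP frames by hand. It is written for this edit and is not code from the talk or from any library the talk mentions. It shows the MBAP header plus PDU for Read Holding Registers (FC 3) and Write Multiple Registers (FC 16), the exception-response form (function code with the high bit set), and why a captured write frame can be replayed as-is. The sample response bytes are constructed for the example; no device is contacted.

```python
import struct

# Modbus/TCP ADU = MBAP header (7 bytes) + PDU (function code + data).
# MBAP = transaction id (2) | protocol id (2, always 0) | length (2, bytes that
# follow) | unit id (1). Nothing in it identifies or authenticates the sender:
# whoever can open tcp/502 and emit a well-formed frame is the master.

MODBUS_TCP_PORT = 502
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_MULTIPLE_REGISTERS = 0x10
EXCEPTION_NAMES = {1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS",
                   3: "ILLEGAL DATA VALUE", 4: "SLAVE DEVICE FAILURE"}


def mbap(transaction_id, unit_id, pdu):
    """Prefix a PDU with the MBAP header; length counts unit id + PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers_request(transaction_id, unit_id, address, quantity):
    """FC 3: read `quantity` 16-bit holding registers starting at `address`."""
    return mbap(transaction_id, unit_id,
                struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, address, quantity))


def write_multiple_registers_request(transaction_id, unit_id, address, values):
    """FC 16: overwrite consecutive holding registers (setpoints, limits, ...)."""
    data = b"".join(struct.pack(">H", v) for v in values)
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_REGISTERS, address,
                      len(values), len(data)) + data
    return mbap(transaction_id, unit_id, pdu)


def retag(frame, transaction_id):
    """Replay helper: a captured frame is valid again after (at most) a new
    transaction id; most slaves do not even check that field."""
    return struct.pack(">H", transaction_id) + frame[2:]


def parse_response(frame):
    """Decode a response ADU into a dict; exceptions carry FC | 0x80."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if pid != 0 or len(pdu) != length - 1:
        raise ValueError("malformed MBAP header")
    fc = pdu[0]
    out = {"tid": tid, "unit": uid, "function": fc & 0x7F}
    if fc & 0x80:
        out["exception"] = EXCEPTION_NAMES.get(pdu[1], "code %d" % pdu[1])
    elif fc == FC_READ_HOLDING_REGISTERS:
        byte_count = pdu[1]
        out["registers"] = list(struct.unpack(">%dH" % (byte_count // 2),
                                              pdu[2:2 + byte_count]))
    elif fc == FC_WRITE_MULTIPLE_REGISTERS:
        out["address"], out["quantity"] = struct.unpack(">HH", pdu[1:5])
    else:
        out["raw"] = pdu[1:]
    return out


# Constructed sample responses (not captured from a real device):
# tid 1, unit 1, FC 3, 4 data bytes = registers 0x0011 and 0x0022
SAMPLE_READ_RESPONSE = bytes.fromhex("0001 0000 0007 01 03 04 0011 0022".replace(" ", ""))
# tid 2, unit 1, exception to FC 16: illegal data address
SAMPLE_EXCEPTION = bytes.fromhex("0002 0000 0003 01 90 02".replace(" ", ""))

if __name__ == "__main__":
    print(read_holding_registers_request(1, 1, 0, 2).hex())
    print(parse_response(SAMPLE_READ_RESPONSE))
    print(parse_response(SAMPLE_EXCEPTION))
```

Everything a slave needs to act on a write is in the frame itself, which is the whole basis of the Modbus replay demo: capture one FC 16 frame from the real master, resend it (optionally through retag), and the PLC obeys.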

Pentesting SCADA systems

Important Note

When you run tests against an industrial control system unexpected things may happen.
And they happen almost every time.

Important Note

Do not test LIVE systems.
Never. Ever.

Scanning / Discovery

Some tools available:

plcscan – Scans s7comm & modbus devices
https://code.google.com/p/plcscan/

modscan – Scans modbus devices
https://code.google.com/p/modscan/

Nmap – Famous network scanner
http://nmap.org/

Scanning / Discovery (cont.)

Metasploit Modules

auxiliary/scanner/modbus/modbus_findunitid
auxiliary/scanner/modbus/modbusdetect

PLCscan

Nmap – modbus-discover.nse

Modbus device identification: function code 43 (0x2B, Encapsulated Interface Transport) with MEI type 14 (Read Device Identification)
VendorName, ProductName, ModelName, ProductCode, MajorMinorRevision
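What plcscan, modbus-discover.nse and modbusdetect actually send is a single unauthenticated FC 43/14 request. The following is an added example, written for this edit rather than taken from the talk or from those tools, that builds the request and decodes the identification objects from a response, including the paging ("more follows") flag and the exception reply you get from devices that do not implement the function. The response bytes are constructed; the vendor strings are the ones the pymodbus sample server later on this page advertises, not values read from real hardware.

```python
import struct

# FC 43 (0x2B) "Encapsulated Interface Transport" with MEI type 14 is
# Read Device Identification: an unauthenticated request that returns the
# vendor, product code and firmware revision strings (what plcscan, Nmap's
# modbus-discover.nse and the Metasploit modbusdetect module key on).
FC_ENCAPSULATED_INTERFACE = 0x2B
MEI_READ_DEVICE_ID = 0x0E
READ_ID_BASIC, READ_ID_REGULAR, READ_ID_EXTENDED = 0x01, 0x02, 0x03
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision",
                3: "VendorUrl", 4: "ProductName", 5: "ModelName",
                6: "UserApplicationName"}


def read_device_id_request(transaction_id, unit_id, read_id_code=READ_ID_BASIC, object_id=0):
    """Build the FC 43/14 request ADU (MBAP header + 4-byte PDU)."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_id_code, object_id])
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_device_id_response(frame):
    """Decode the objects in one response; 'more_follows' tells the caller
    to re-request starting at 'next_object' for devices that page results."""
    pdu = frame[7:]
    if pdu[0] & 0x80:
        # Typical for devices that do not implement FC 43: exception 01 (illegal function)
        raise ValueError("Modbus exception %d: device identification unsupported" % pdu[1])
    fc, mei, _code, conformity, more, next_obj, count = struct.unpack(">7B", pdu[:7])
    if fc != FC_ENCAPSULATED_INTERFACE or mei != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    objects, pos = {}, 7
    for _ in range(count):
        obj_id, length = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + length].decode("ascii", "replace")
        objects[OBJECT_NAMES.get(obj_id, "Object%d" % obj_id)] = value
        pos += 2 + length
    return {"conformity": conformity, "more_follows": more == 0xFF,
            "next_object": next_obj, "objects": objects}


def fingerprint(responses):
    """Merge a sequence of (possibly paged) responses into one identity dict."""
    identity = {}
    for frame in responses:
        identity.update(parse_device_id_response(frame)["objects"])
    return identity


# Constructed response (not captured from hardware): basic identification,
# conformity level 0x01, no more objects, three objects.
SAMPLE_RESPONSE = (struct.pack(">HHHB", 1, 0, 27, 1)
                   + bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                            READ_ID_BASIC, 0x01, 0x00, 0x00, 0x03])
                   + bytes([0x00, 8]) + b"Pymodbus"
                   + bytes([0x01, 2]) + b"PM"
                   + bytes([0x02, 3]) + b"1.0")
# Constructed exception reply from a device without FC 43 support
SAMPLE_UNSUPPORTED = struct.pack(">HHHB", 2, 0, 3, 1) + bytes([0xAB, 0x01])

if __name__ == "__main__":
    print(read_device_id_request(1, 1).hex())
    print(fingerprint([SAMPLE_RESPONSE]))
```

When a device answers with more_follows set, send the same request again with object_id set to next_object and feed all responses to fingerprint(); when it answers with an exception, fall back to the other fingerprinting codes the slides list (FC 17 Report Slave ID on serial-style stacks, FC 8 diagnostics) or to the banners of the other services on the box.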

Data Manipulation

Opensource ICS protocol libraries

Modlib – Scapy extension [python]
https://www.scadaforce.com/modbus

Pymodbus – Module [python]
https://github.com/bashwork/pymodbus

Modbus-cli – Gem [ruby]
https://rubygems.org/gems/modbus-cli

S7comm – Library [C, C++, C#, Delphi, Pascal, Perl, VB(A)]
http://libnodave.sourceforge.net/

OpenDNP3 – Library [C++]
https://code.google.com/p/dnp3/

Data Manipulation (cont.)

Metasploit Modules

auxiliary/scanner/modbus/modbusclient
auxiliary/admin/scada/modicon_command
auxiliary/admin/scada/igss_exec_17
auxiliary/admin/scada/multi_cip_command

Modbus: Reading and Writing data

modbus-cli <https://rubygems.org/gems/modbus-cli>
R: modbus read <IP> <ADDR> <QTY>
W: modbus write <IP> <ADDR> [<VAL1>,<VAL2>,<VAL3>]

pymodclient <https://github.com/jseidl/pymodbuscli>
R: pymodbuscli -f read_register -h <IP> <ADDR> <QTY>
W: pymodbuscli -f write_register -h <IP> <ADDR> [<VAL1>,<VAL2>,<VAL3>]

S7Comm: Metasploit Modules (not on official tree yet)

simatic_s7_300_command.rb / simatic_s7_300_memory_view.rb / simatic_s7_1200_command.rb
https://github.com/d1n/s7-metasploit-modules

Sniffing Traffic

Modbus: native Wireshark dissector

SIEMENS S7comm: opensource Wireshark dissector plugin
http://sourceforge.net/projects/s7commwireshark/

Industrial Malwares

Stuxnet – Industrial Sabotage

Discovered July 2010
Targets Siemens WinCC systems
Targets specific PLC models
~100 KLOC (about a hundred thousand lines of code)

Sabotages centrifuges causing malfunction or destruction
Allegedly a sabotage plan from the USA and Israel against Iran's nuclear program

http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=2
http://www.cbsnews.com/8301-205_162-57592862/nsa-leaker-snowden-claimed-u.s-and-israel-co-wrote-stuxnet-virus/
http://www.symantec.com/connect/blogs/w32stuxnet-dossier

Exploits five vulnerabilities (of which four were 0-day)...

LNK File Bug – Initial infection via USB drives/removable media
http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx
Printer Spooler – Spreading
http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx
Server Service (SMB) – Spreading
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Keyboard layout file – Privilege escalation
Task Scheduler – Privilege escalation

… and then installs a rootkit :)

Which can only be installed because Stuxnet's drivers were signed with stolen valid digital certificates, from Realtek and JMicron.

As if this weren't enough, it creates a peer-to-peer network of infected hosts, steals intelligence, and rootkits the PLC + project files so engineers and operators won't notice.

DuQu – Industrial Espionage

Discovered September 2011
Possibly derived from Stuxnet
Objective: backdooring and data collection
Targets ICS software and hardware vendors

Uses one Microsoft vulnerability: Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (BID 50462)
Does not replicate on its own
Also used stolen signed certificates

Flame / Skywiper – Industrial Espionage

Discovered ~May 2012
Mostly seen in the Middle East
About 20 MB in size
Has Lua plugin support
Around 20 extension modules

Fingerprints countermeasure software and adapts to evade it
Multiple encryption levels
SQLite databases for storing collected data
Propagates similarly to Stuxnet (LNK + Spooler)

Records Skype conversations
Keylogging + screenlogging
Network sniffer
Bluetooth scanning and compromise

Most affected countries: Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

Gauss – Industrial Espionage

Discovered ~August 2012
Flame + banking + nasty stuff
Same infection schemes as Stuxnet & Flame
Has an encrypted payload that is only run under certain circumstances

Steals passwords and cookies from browsers
Collects and reports system configuration
Infects other removable media
Enumerates files and directories

Steals banking credentials from Middle East banking systems
Steals information from social networks, instant messaging and email accounts

Solutions for ICS Security

First of All

There is no single-box solution.
Sorry :(

Security is not only on your hosts but also on networks and personnel.

You need the best solution for each area. Each vendor has expertise in its own area and probably won't master all of them at the same time.

so... embrace the good old defense in depth model

Photo credit: Sentrillion

Locks, cameras etc.
Firewalls, IDPS, data diodes
Segmentation, VLANs, port-mirrored IDS
WAFs, strong architecture
Encryption and access control
Whitelisting software, HIDPS, central logging

Network Segmentation

ISA-99 Zones and Conduits Model

Proper DMZ Model

Industrial Control Systems Firewalls/IDSs

Commercial Solutions: Tofino Security Appliance, SIEMENS Scalance S

Firewall
Industrial Protocol Enforcer
VPN
Centralized Management

OpenSource Solutions

SNORT SCADA IDS Rules

http://www.digitalbond.com/tools/quickdraw/
http://blog.snort.org/2012/01/snort-292-scada-preprocessors.html

Initially compiled by Digital Bond
Many rules already in the SNORT main repository
Additional rules are easy to write

Modbus Snort IDS rules

EtherNet/IP Snort IDS rules

DNP3 Snort IDS rules

Data Diodes

Allow traffic to flow only in one direction
Enforced by hardware: an optical transmitter on one end and only a receiver on the other, so nothing can physically travel back
As it depends on hardware, no open-source solution yet :(
One-way flow can be approximated with a firewall, but not with the same assurance

Commercial Solution

White-listing Software

Anti-virus, seriously?

CEBIT 2013 Workshop: Is anti-virus an efficient solution for industrial network protection? (short answer: no)
http://slidesha.re/17AwTEd

Monitoring

ICS networks and hosts generally operate in regular and predictable manners.
Simple monitoring and plotting can help detect anomalies when they happen.

[White paper] Detecting problems in industrial networks through continuous monitoring
http://slidesha.re/17JyVSu

Anomalies that stand out in the monitoring plots:
• $ nmap -sV 192.168.1.1 (port scan / service fingerprinting)
• Communications interception (ARP Poisoning)
• Denial of Service
• Malware infection
• Unauthorized Modbus traffic
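"Unauthorized Modbus traffic" is the one anomaly on that list that a plain traffic plot does not name for you; it needs a model of who is allowed to do what. The following is an added example, written for this edit and not code from the talk, from Digital Bond or from Snort, that encodes the same checks the Quickdraw-style Modbus IDS rules mentioned earlier express (write from a host that is not the master, fingerprinting or diagnostic functions from a host that is not the engineering workstation, non-public function codes, unit-id sweeps as modbus_findunitid does) as allow-list logic over request records. The master and engineering addresses are assumed values for the example, and the traffic records are constructed, not a real capture; in practice they would come from a port-mirrored sensor or from a pcap.

```python
from collections import defaultdict

# Site-specific allow-lists (assumed values for this example).
AUTHORIZED_MASTERS = {"10.10.1.10"}     # SCADA/HMI servers allowed to poll and write
ENGINEERING_HOSTS = {"10.10.1.20"}      # allowed to use diagnostics / device identification
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}      # coil/register/file writes
DIAGNOSTIC_FUNCTIONS = {8, 17, 43}                # diagnostics, report ID, device identification
PUBLIC_FUNCTIONS = set(range(1, 25)) | {43}       # public codes; 65-72 and 100-110 are user-defined


def classify(record):
    """Return the alerts raised by one request record (src, dst, unit_id, function_code)."""
    src, dst, unit, fc = record
    alerts = []
    if fc in WRITE_FUNCTIONS and src not in AUTHORIZED_MASTERS:
        alerts.append(("HIGH", "write from unauthorized host", record))
    elif src not in AUTHORIZED_MASTERS and src not in ENGINEERING_HOSTS:
        alerts.append(("MEDIUM", "request from unknown host", record))
    if fc in DIAGNOSTIC_FUNCTIONS and src not in ENGINEERING_HOSTS:
        alerts.append(("MEDIUM", "fingerprint/diagnostic function from non-engineering host", record))
    if fc not in PUBLIC_FUNCTIONS:
        alerts.append(("MEDIUM", "non-public (user-defined/vendor) function code", record))
    return alerts


def detect_unit_sweep(records, threshold=3):
    """One source touching many unit ids on one target looks like modbus_findunitid."""
    units = defaultdict(set)
    for src, dst, unit, _fc in records:
        units[(src, dst)].add(unit)
    return [("MEDIUM", "unit id sweep across %d units" % len(u), pair)
            for pair, u in units.items() if len(u) >= threshold]


def detect(records):
    """Run the per-record checks and the cross-record sweep check."""
    alerts = []
    for record in records:
        alerts.extend(classify(record))
    alerts.extend(detect_unit_sweep(records))
    return alerts


# Constructed sample records (not a real capture): (src, dst, unit id, function code)
SAMPLE_TRAFFIC = [
    ("10.10.1.10", "10.10.2.5", 1, 3),    # master polls holding registers: normal
    ("10.10.1.10", "10.10.2.5", 1, 16),   # master writes setpoints: normal
    ("10.10.1.20", "10.10.2.5", 1, 43),   # engineering workstation reads device id: normal
    ("10.10.1.77", "10.10.2.5", 1, 3),    # unknown host reading
    ("10.10.1.77", "10.10.2.5", 1, 6),    # unknown host WRITING a register
    ("10.10.1.77", "10.10.2.5", 1, 43),   # unknown host fingerprinting
    ("10.10.1.10", "10.10.2.5", 1, 90),   # master using a user-defined function code
    ("10.10.1.77", "10.10.2.5", 2, 3),    # unknown host walking unit ids...
    ("10.10.1.77", "10.10.2.5", 3, 3),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_TRAFFIC):
        print(alert)
```

The allow-lists are the whole model: because an ICS network is as predictable as the slides say, anything not explicitly expected is worth an alert, and a single write from an address that is not the master is the highest-priority event on the list.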

Educate your users

Your users don't really know the impact of using a 3G modem to check their personal email or Facebook wall.
Even less that they can ruin the plant's processes by clicking on a link sent by that hot girl they've been chatting with for weeks.

Never forget what your users mean to your security

Researching SCADAResearching SCADA

SCADA Hacking – Industrial Scale Fun. SEIDL, JanHackers 2 Hackers Conference/2013 – São Paulo, Brazil

Researching SCADAResearching SCADA

SCADA Hacking – Industrial Scale Fun. SEIDL, JanHackers 2 Hackers Conference/2013 – São Paulo, Brazil

ALWAYS REMEMBER!!!!ALWAYS REMEMBER!!!!

Do not test LIVE systems.

Never. Ever.

Researching SCADAResearching SCADA

SCADA Hacking – Industrial Scale Fun. SEIDL, JanHackers 2 Hackers Conference/2013 – São Paulo, Brazil

Gather documentationGather documentation

Most protocols (even proprietary ones) have

documentation available on-line

Get it from manufacturer website or just freaking google it.

Researching SCADAResearching SCADA

SCADA Hacking – Industrial Scale Fun. SEIDL, JanHackers 2 Hackers Conference/2013 – São Paulo, Brazil

Gather documentationGather documentation

DNP3 Primer

http://www.dnp.org/AboutUs/DNP3%20Primer%20Rev%20A.pdf

Modbus Specification

http://www.modbus.org/specs.php

Researching SCADAResearching SCADA

SCADA Hacking – Industrial Scale Fun. SEIDL, JanHackers 2 Hackers Conference/2013 – São Paulo, Brazil

Sniff master-slave communication with WiresharkSniff master-slave communication with Wireshark

Researching SCADAResearching SCADA

SCADA Hacking – Industrial Scale Fun. SEIDL, JanHackers 2 Hackers Conference/2013 – São Paulo, Brazil

Get a test-bedGet a test-bed

Buy from manufacturer (expensive, sometimes impeditive)

Buy from e-bay (quite easy)

Real, hardware-based

Researching SCADAResearching SCADA

SCADA Hacking – Industrial Scale Fun. SEIDL, JanHackers 2 Hackers Conference/2013 – São Paulo, Brazil

Get a test-bedGet a test-bed

http://www.ebay.com/sch/i.html?_trksid=p2050601.m570.l1313.TR0.TRC0.Xs7-300&_nkw=s7-

300&_sacat=0&_from=R40

Real, hardware-based

Researching SCADA

Get a test-bed

Real, hardware-based: eBay search for WAGO 750 controllers

http://www.ebay.com/sch/i.html?_odkw=s7-300&_osacat=0&_from=R40&_trksid=p2045573.m570.l1313.TR3.TRC1.A0.Xwago+750&_nkw=wago+750&_sacat=0

Researching SCADA

Get a test-bed

Emulated, software-based

Fully programmable

Available in many programming languages

Self-contained solutions available

Researching SCADA

Get a test-bed: Emulated, software-based

Pymodbus library

https://github.com/bashwork/pymodbus/blob/master/examples/common/synchronous-server.py

```python
# Synchronous Modbus/TCP slave with pymodbus (import paths as in the 1.x/2.x
# example linked above; pymodbus 3.x moved StartTcpServer to pymodbus.server)
from pymodbus.server.sync import StartTcpServer
from pymodbus.device import ModbusDeviceIdentification
from pymodbus.datastore import ModbusSequentialDataBlock
from pymodbus.datastore import ModbusSlaveContext, ModbusServerContext

# initialize the data store: 100 discrete inputs, coils, holding and input
# registers, every one of them starting at value 17
store = ModbusSlaveContext(
    di=ModbusSequentialDataBlock(0, [17] * 100),
    co=ModbusSequentialDataBlock(0, [17] * 100),
    hr=ModbusSequentialDataBlock(0, [17] * 100),
    ir=ModbusSequentialDataBlock(0, [17] * 100))
# single=True: one slave context answers whatever unit id the master uses
context = ModbusServerContext(slaves=store, single=True)

# initialize the server information (what FC 43/14 "Read Device Identification" returns)
identity = ModbusDeviceIdentification()
identity.VendorName = 'Pymodbus'
identity.ProductCode = 'PM'
identity.VendorUrl = 'http://github.com/bashwork/pymodbus/'
identity.ProductName = 'Pymodbus Server'
identity.ModelName = 'Pymodbus Server'
identity.MajorMinorRevision = '1.0'

# run the server you want; port 5020 needs no root, real Modbus/TCP listens on 502
StartTcpServer(context, identity=identity, address=("localhost", 5020))
```

Researching SCADA

Get a test-bed: Emulated, software-based

ModSak (commercial with free trial)

http://wingpath.co.uk/modbus/modsak.php

Researching SCADA

Get some ICS software from vendors

Vendors often have trial versions on their sites.

You might have to ask them for a copy.

They might not like what you'll be using it for.

Be brave. Don't give up.

Researching SCADA

Scan the crap out of it

Use network and software vulnerability scanners heavily; don't mind if the devices sometimes go crazy.

But scan one device at a time, or you may DoS your own test-bed: many PLC network stacks fall over on a plain port sweep, and a wedged device usually needs a power cycle before it answers again.

For both equipment and software.

Researching SCADA

Fuzz'em until smoke comes out

Create fuzz model files based on documentation

See how they handle malformed data

For both equipment and software
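The fuzz model is derived from the specification: every rule the spec states (maximum 125 registers per read, length field equal to unit id plus PDU, assigned function codes, 260-byte maximum ADU) is a rule a sloppy implementation may not enforce. The block below is an added example, not the slides' Peach pit and not code from any cited project; it builds one malformed Modbus/TCP frame per spec violation and, after each one, sends a benign read to check that the target still answers, which is the "one at a time or you DoS it" caveat from the scanning slide turned into code. The host and port come from the command line; the cases and the 0xFFFF transaction id used by the liveness probe are choices made for this example.

```python
"""Spec-driven Modbus/TCP fuzz cases with a liveness probe between cases."""
import socket
import struct
import sys
import time

MAX_ADU = 260  # MBAP (7) + largest PDU (253) per the Modbus/TCP spec


def mbap(tid, pdu, uid=1, length=None):
    """Build MBAP + PDU; pass length to produce a header that lies about the size."""
    if length is None:
        length = len(pdu) + 1  # unit id + PDU, what a well-formed frame carries
    return struct.pack(">HHHB", tid, 0, length, uid) + pdu


def read_holding(tid, address, quantity):
    """Well-formed FC3 request; also used as the benign liveness probe."""
    return mbap(tid, struct.pack(">BHH", 3, address, quantity))


def fuzz_cases():
    """Yield (label, frame) pairs; each one violates exactly one rule from the spec."""
    yield "quantity above 125 registers", read_holding(1, 0, 0x07D0)
    yield "quantity zero", read_holding(2, 0, 0)
    yield "read past end of address space", read_holding(3, 0xFFFF, 2)
    yield "length field larger than frame", mbap(4, struct.pack(">BHH", 3, 0, 1), length=0xFFFF)
    yield "length field zero", mbap(5, struct.pack(">BHH", 3, 0, 1), length=0)
    yield "unassigned function code", mbap(6, struct.pack(">BHH", 0x64, 0, 1))
    yield "truncated PDU (function code only)", mbap(7, b"\x03")
    yield "FC16 byte count disagrees with quantity", mbap(8, struct.pack(">BHHB", 16, 0, 1, 200) + b"\x00\x00")
    yield "unit id 255", mbap(9, struct.pack(">BHH", 3, 0, 1), uid=255)
    yield "maximum-size ADU", mbap(10, b"\x10" + b"\xff" * (MAX_ADU - 8))


def send(host, port, frame, timeout=2.0):
    """One TCP connection per case, so a hung connection cannot poison the next case."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame)
        try:
            return s.recv(MAX_ADU)
        except socket.timeout:
            return None


def is_alive(host, port):
    """A sane target answers a benign FC3 read with FC3 data or an FC3 exception (0x83)."""
    try:
        reply = send(host, port, read_holding(0xFFFF, 0, 1))
    except OSError:
        return False
    return reply is not None and len(reply) >= 8 and reply[7] in (3, 0x83)


def run(host, port, pause=1.0):
    """Send each case, pause, probe; stop at the first case that leaves the target dead."""
    results = []
    for label, frame in fuzz_cases():
        try:
            reply = send(host, port, frame)
        except OSError:
            reply = None
        time.sleep(pause)
        alive = is_alive(host, port)
        results.append((label, reply, alive))
        if not alive:
            break  # the device is wedged; power-cycle it before trying the next case
    return results


if __name__ == "__main__":
    target, tcp_port = sys.argv[1], int(sys.argv[2])
    for label, reply, alive in run(target, tcp_port):
        print("%-42s reply=%s alive=%s" % (label, reply.hex() if reply else None, alive))
```

Run it against the pymodbus server from the test-bed slide first (`python fuzz.py localhost 5020`): a pure-software slave that survives all ten cases gives you a baseline, and any case that kills real hardware is then a finding about the hardware, not about your frames.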

Researching SCADA

Fuzz'em until smoke comes out

Peach fuzzer

http://peachfuzzer.com/

Researching SCADA

Fuzz'em until smoke comes out: Modbus PIT file for Peach Fuzzer (WIP)

https://github.com/jseidl/peach-pit/blob/master/modbus/modbus.xml

Researching SCADA

Fuzz'em until smoke comes out: ROBUS & AEGIS Project

http://www.automatak.com/aegis/ & http://www.automatak.com/robus/

Researching SCADA

Set up a honeypot

Put it facing the internet and learn from other attackers (caution! risky!): the honeypot box itself must be isolated from any real network, because whoever finds it will use it as a foothold.

Researching SCADA

Set up a honeypot

Conpot – SCADA/ICS Honeypot

“The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module and a CP 443-1 which would be needed in a real setup to provide network connectivity.”

https://github.com/glastopf/conpot

Attack Demonstration

Questions?

Please, don't be shy!

Thanks for your time!

Hope you enjoyed it!

@jseidl

jseidl@wroot.org

http://wroot.org

https://github.com/jseidl

http://www.slideshare.net/jseidl

http://www.linkedin.com/in/janseidl