SCADA hacking industrial-scale fun

SCADA HackingSCADA HackingIndustrial Scale FunIndustrial Scale Fun

Jan SeidlJan Seidl

$ whoami$ whoamiAboutAbout

Full Name: Jan SeidlFull Name: Jan Seidl

Origin: Rio de Janeiro, RJ – BrazilOrigin: Rio de Janeiro, RJ – Brazil

Work:Work:● CTO @ TI SafeCTO @ TI Safe● OpenSource contributor for: PEV, LogstashOpenSource contributor for: PEV, Logstash● Codes and snippets @ github.com/jseidlCodes and snippets @ github.com/jseidl

Features:Features:● UNIX Evangelist/Addict/Freak (but no fanboy!)UNIX Evangelist/Addict/Freak (but no fanboy!)● Python and C loverPython and C lover● Coffee dependentCoffee dependent● Hates printers and social networksHates printers and social networks● Proud DC Labs ResearcherProud DC Labs Researcher SCADA Hacking – Industrial Scale Fun. SEIDL, Jan

Hackers 2 Hackers Conference/2013 – São Paulo, Brazil

0x0 What is SCADA?0x0 What is SCADA?

0x1 Where is SCADA?0x1 Where is SCADA?

0x2 Why SCADA?0x2 Why SCADA?

0x3 Misconceptions and Reality0x3 Misconceptions and Reality

0x4 Industrial Protocols0x4 Industrial Protocols

0x5 Pentesting Scada systems0x5 Pentesting Scada systems

0x6 Industrial Malwares, the cyberweapons0x6 Industrial Malwares, the cyberweapons

0x7 Solutions for Industrial Control Systems Security0x7 Solutions for Industrial Control Systems Security

0x8 Researching SCADA0x8 Researching SCADA

0x9 Modbus Attacks Demonstration0x9 Modbus Attacks Demonstration

0xA Questions?0xA Questions?

SCADA Hacking – Industrial Scale Fun. SEIDL, JanHackers 2 Hackers Conference/2013 – São Paulo, Brazil

AgendaAgenda

What is SCADA?What is SCADA?


What is What is NOTNOT SCADA? SCADA?


Programmable-Logic Controllers (PLCs)



Remote Terminal Units (RTUs)



Supervisory Control and Data Acquisition

Control devices, safety devices, electric/electronic devicesControl devices, safety devices, electric/electronic devices

Single-box solution/applicationSingle-box solution/application

Not just a user interfaceNot just a user interface




CollectsCollects data and data and controlcontrol field equipment field equipment

Saves Saves historical datahistorical data

Forwards data to other devices or systemsForwards data to other devices or systems

Provides Provides seconds-precisionseconds-precision measurements measurements

Where is SCADA?Where is SCADA?


Where is SCADA?Where is SCADA?


What kind of cool stuff do they control?

Why SCADA?Why SCADA?




Do we really need computers for this?

Equipments rely on Equipments rely on very quick response timesvery quick response times

Huge amount of dataHuge amount of data needs to be collected needs to be collected

Hundreds, thousands of devices need to be controlled at same timeHundreds, thousands of devices need to be controlled at same time

Operation is almost Operation is almost never interruptednever interrupted



Can you imagine if something goes... wrong?

Russian hydro plant accident kills 12




Chemical plant explosion leaves 5 missing, 15 injured in China




Hundreds of tons of toxic waste were dumped into one of the German rivers after the serious accident at a local chemical plant.

Misconceptions and RealityMisconceptions and Reality




Do automation guys think they are in danger?



First, the misconceptions...

““SCADA networks are isolated and SCADA networks are isolated and cannot be cannot be

accessedaccessed over the Internet” over the Internet”




““We use proprietary/custom systems, protocols We use proprietary/custom systems, protocols

and equipment, thus we and equipment, thus we cannot be hackedcannot be hacked””




““HMI/some-control-software has limited HMI/some-control-software has limited

functionality and/or restrictions so it cannot be functionality and/or restrictions so it cannot be

abused”abused”



And my opinion on this...



And now comes reality...

All industrial networks are connected somehow All industrial networks are connected somehow

to the Internet or corporate networkto the Internet or corporate network

Integration software (ERP/MES), Phone/Modem/3G abuse,

Equipment misconfiguration (switches, routers, firewalls),

removable media abuse, remote access (VPN, RDP, VNC)




Most networks are operated by automation staff Most networks are operated by automation staff

with no or low IT knowlegdewith no or low IT knowlegde

Commit security abuses/incidents, unsafe computer

operation posture [games, internet browsing, downloading

stuff], careless about infosec, just want the job done




Most networks and servers areMost networks and servers are

managed by IT staffmanaged by IT staff

Low to no knowledge about industrial protocols, attack

impacts, software operation, overall ICS security, commit

several mistakes configuring equipment




99,9% of plants can be easily hacked99,9% of plants can be easily hacked

Common OS (Windows, Linux...)

Common/open protocols (HTTP, Telnet, Modbus)

All the same common bugs from IT: weak/hardcoded

passwords, silly application vulns, unpatched stuff

Industrial ProtocolsIndustrial Protocols




Current common market protocols

CIP – Common Industrial Protocol,

Ethernet/IP

Profinet, S3/5/7

CC-Link Modbus



Modbus

Very simple plaintext protocolVery simple plaintext protocol

Created in the 70s by ModiconCreated in the 70s by Modicon

Used by many vendorsUsed by many vendors



Modbus

No authentication No authentication ++ No encryption No encryption ++ No validation No validation ==

HA-HA security levelHA-HA security level



Modbus

Common architectureCommon architecture



Modbus

Protocol strucutureProtocol strucuture

Standard port tcp/502



Modbus

Protocol strucutureProtocol strucuture



Modbus

Function CodesFunction Codes



Modbus

Function Codes (the ones we care)Function Codes (the ones we care)

Read/Write Coils and Registers (Mess up stuff) [lots]

Read/Write File records [20, 21]

Device Fingerprinting & Diagnostics [43,17,8]

+ modbus supports user-defined functions!

Pentesting SCADA systemsPentesting SCADA systems




Important NoteImportant Note

When you run tests against an industrial control system

unexpected things may happen.

And they happen almost every time.



Important NoteImportant Note

Do not test LIVE systems.

Never. Ever.



Scanning / DiscoveryScanning / Discovery

Some tools available:

plcscan – Scans s7comm & modbus deviceshttps://code.google.com/p/plcscan/

modscan – Scans modbus deviceshttps://code.google.com/p/modscan/

Nmap – Famous network scannerhttp://nmap.org/

https://code.google.com/p/plcscan/

https://code.google.com/p/modscan/



Scanning / Discovery (cont.)Scanning / Discovery (cont.)

Metasploit Modules

auxiliary/scanner/modbus/modbus_findunitid

auxiliary/scanner/modbus/modbusdetect




PLCscan




Nmap – modbus-discover.nse




Modbus Diagnostic Function code (0x2B, 43)

VendorName, ProductName, ModelName, ProductCode, MajorMinorRevision



Data ManipulationData Manipulation

Opensource ICS protocol libraries

Modlib – Scapy Extension [python]https://www.scadaforce.com/modbus

Pymodbus – Module [python]https://github.com/bashwork/pymodbus

Modbus-cli – Gem [ruby]https://rubygems.org/gems/modbus-cli

S7comm – Library [C,C++,C#,Delphi,Pascal,Perl,VB(A)]http://libnodave.sourceforge.net/

OpenDNP3 – Library [C++]https://code.google.com/p/dnp3/

https://www.scadaforce.com/modbus

https://github.com/bashwork/pymodbus

http://libnodave.sourceforge.net/



Data Manipulation (cont.)Data Manipulation (cont.)

Metasploit Modules

auxiliary/scanner/modbus/modbusclient

auxiliary/admin/scada/modicon_command

auxiliary/admin/scada/igss_exec_17

auxiliary/admin/scada/multi_cip_command




Reading and Writing data

modbus-cli<https://rubygems.org/gems/modbus-cli>

R: modbus read <IP> <ADDR> <QTY>W: modbus write <IP> <ADDR> [<VAL1>,<VAL2>,<VAL3>]

pymodclient<https://github.com/jseidl/pymodbuscli>

R: pymodbuscli -f read_register -h <IP> <ADDR> <QTY>W: pymodbuscli -f write_register -h <IP> <ADDR>

[<VAL1>,<VAL2>,<VAL3>]

Modbus




Metasploit Modules (not on official tree yet)

simatic_s7_300_command.rb / simatic_s7_300_memory_view.rb / simatic_s7_1200_command.rb

S7Comm

https://github.com/d1n/s7-metasploit-modules



Sniffing TrafficSniffing Traffic

Native Wireshark dissector

Modbus



Sniffing TrafficSniffing Traffic

Opensource Wireshark dissector plugin<http://sourceforge.net/projects/s7commwireshark/>

SIEMENS S7comm

Industrial MalwaresIndustrial Malwares




StuxnetStuxnetIndustrial SabotageIndustrial Sabotage



StuxnetStuxnet

Industrial Sabotage

Discovered July 2010

Targets Siemens WinCC systems

Targets specific PLC models

100KLOC (thousands of lines of code)



StuxnetStuxnet

Industrial Sabotage

Sabotages centrifuges causing malfunction or destruction

Allegedly a sabotage plan from USA and Israel against

Iran's nuclear program



StuxnetStuxnetIndustrial Sabotage

http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=2




http://www.cbsnews.com/8301-205_162-57592862/nsa-leaker-snowden-claimed-u.s-and-israel-co-wrote-stuxnet-virus/




http://www.symantec.com/connect/blogs/w32stuxnet-dossier



StuxnetStuxnet

Industrial Sabotage

Exploits five vulnerabilities (of which four are 0-day)...

LNK File Bug – Initial Infection via USB drives/removable mediahttp://www.microsoft.com/technet/security/bulletin/ms10-046.mspx

Printer Spooler – Spreadinghttp://www.microsoft.com/technet/security/bulletin/ms10-061.mspx

Server Service (SMB) – Spreadinghttp://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

Keyboard layout file – Privilege escalation

Task Scheduler – Privilege escalation

… and then installs a rootkit :)

http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx





StuxnetStuxnet

Industrial Sabotage

Which can only be installed because Stuxnet has stolen

valid digital certificates.

From Realtek and Jmicron.



StuxnetStuxnet

Industrial Sabotage

As if this weren't enough, it creates a peer-to-peer network

of infected hosts, steals intelligence, and rootkits the PLC

+ project files so engineers and operators won't notice.



DuQuDuQuIndustrial Espionage



DuQuDuQu

Industrial Espionage

Discovered September 2011

Possibly derived from Stuxnet

Objective: backdooring and data collection

Targets ICS software and hardware vendors



DuQuDuQu


Uses one Microsoft vulnerabilityMicrosoft Windows 'Win32k.sys' TrueType Font Handling Remote Code

Execution Vulnerability (BID 50462)

Does not replicate on its own

Has also stolen signed certificates



Flame / SkywiperFlame / SkywiperIndustrial Espionage



FlameFlame


Discovered ~May 2012

Mostly seen in middle-east

About 20mb in size

Has LUA plugin support

Around 20 extension modules



FlameFlame


Fingerprints countermeasure software/adapts to evade it

Multiple encryption levels

SQLite databases for storing collected data

Propagates similar to Stuxnet (LNK+Spooler)



FlameFlame


Record Skype Conversations

Keylogging + Screenlogging

Network Sniffer

Bluetooth scanning and compromise

Most affected countries: Iran, Israel, Sudan, Syria, Lebanon,

Saudi Arabia and Egypt.



GaussGaussIndustrial Espionage



GaussGauss


Discovered ~August 2012

Flame+Banking+Nasty Stuff

Same infection schemes as Stuxnet & Flame

Has encrypted payload that is only run under certain

circumstances



GaussGauss


Steals passwords and cookies from browser

Collects and reports system configuration

Infects other removable media

Enumerates files and directories



GaussGauss


Steals banking credentials from middle-east banking systems

Steals information from social networks, instant messaging

and email accounts

Solutions for ICS SecuritySolutions for ICS Security




First of AllFirst of All

There is no single-box solution.

Sorry :(



Security is not only on your hosts but

also networks and personnel




You need the best solution for each area. Each vendor has

expertise in its own area and probably won't master all of

them at the same time.




Embrace good and old defense in depth model

so...so...

Photo credit: Sentrillion



Embrace good and old defense in depth model

so...so...

Photo credit: Sentrillion

Locks, cameras etc Firewalls, IDPS, Data diodes

Segmentation, VLANs, port-mirrored IDS

WAFs, strong architechture

Encryption and access control

Whitelisting software, HIDPS, central logging



Network SegmentationNetwork Segmentation

ISA/99 Zones and Conduits Model



Network SegmentationNetwork Segmentation

Proper DMZ Model



Industrial Control Systems Firewalls/IDSsIndustrial Control Systems Firewalls/IDSs

Commercial Solutions

Tofino Security Appliance SIEMENS Scalance S




Commercial Solutions

Firewall

Industrial Protocol Enforcer

VPN

Centralized Management




OpenSource Solutions



SNORT SCADA IDS RulesSNORT SCADA IDS Rules

http://www.digitalbond.com/tools/quickdraw/

http://blog.snort.org/2012/01/snort-292-scada-preprocessors.html

Initially compiled by Digital Bond

Many rules already on SNORT main repository

Additional rules are easy to write

http://www.digitalbond.com/tools/quickdraw/

http://blog.snort.org/2012/01/snort-292-scada-preprocessors.html



ModbusModbusSnort IDS rules



Ether/IPEther/IPSnort IDS rules



DNP3DNP3Snort IDS rules



Data DiodesData Diodes

Allow traffic to flow only in one direction

Enforced by hardware

Photo-resistor on one end, Photo-transmitter on other

As it depends on hardware, no open-source solution yet :(

Can be enforced via firewall but not with same efficiency



Data DiodesData Diodes

Commercial Solution



White-listing SoftwareWhite-listing Software

Anti-virus, seriously?

CEBIT 2013 Workshop: Anti-virus are an efficient solution for industrial network protection? (short answer: no)

http://slidesha.re/17AwTEd



MonitoringMonitoring

ICS networks and hosts generally operate in regular and

predictable manners.

Simple monitoring and plotting can help detect anomalies

when they happen

[White paper] Detecting problems in industrial networks though continuous monitoring

http://slidesha.re/17JyVSu



MonitoringMonitoring

• $ nmap –sV 192.168.1.1

• Communications interception (ARP Poisoning)



MonitoringMonitoring• Denial of Service

•

• Malware infection



MonitoringMonitoring• Unauthorized Modbus traffic



Educate your usersEducate your users

Your users don't really know the impact of using a 3G

modem to check their personal email or Facebook wall

Even less that they can ruin plant's processes by clicking

on a link sent by that hot girl he's chatting with for weeks



Never forget what your users Never forget what your users mean to your securitymean to your security

Researching SCADAResearching SCADA




ALWAYS REMEMBER!!!!ALWAYS REMEMBER!!!!

Do not test LIVE systems.

Never. Ever.



Gather documentationGather documentation

Most protocols (even proprietary ones) have

documentation available on-line

Get it from manufacturer website or just freaking google it.



Gather documentationGather documentation

DNP3 Primer

http://www.dnp.org/AboutUs/DNP3%20Primer%20Rev%20A.pdf

Modbus Specification

http://www.modbus.org/specs.php



Sniff master-slave communication with WiresharkSniff master-slave communication with Wireshark



Get a test-bedGet a test-bed

Buy from manufacturer (expensive, sometimes impeditive)

Buy from e-bay (quite easy)

Real, hardware-based




http://www.ebay.com/sch/i.html?_trksid=p2050601.m570.l1313.TR0.TRC0.Xs7-300&_nkw=s7-

300&_sacat=0&_from=R40





http://www.ebay.com/sch/i.html?_odkw=s7-300&_osacat=0&_from=R40&_trksid=p2045573.m570.l1313.TR3.TRC1.A0.Xwago+

750&_nkw=wago+750&_sacat=0





Emulated, software-based

Fully programmable

Available in many programming languages

Self-contained solutions available



Get a test-bedGet a test-bedEmulated, software-based

Pymodbus library

https://github.com/bashwork/pymodbus/blob/master/examples/common/synchronous-server.py

# initialize datastore = ModbusSlaveContext( di = ModbusSequentialDataBlock(0, [17]*100), co = ModbusSequentialDataBlock(0, [17]*100), hr = ModbusSequentialDataBlock(0, [17]*100), ir = ModbusSequentialDataBlock(0, [17]*100))context = ModbusServerContext(slaves=store, single=True)

# initialize the server informationidentity = ModbusDeviceIdentification()identity.VendorName = 'Pymodbus'identity.ProductCode = 'PM'identity.VendorUrl = 'http://github.com/bashwork/pymodbus/'identity.ProductName = 'Pymodbus Server'identity.ModelName = 'Pymodbus Server'identity.MajorMinorRevision = '1.0'

# run the server you wantStartTcpServer(context, identity=identity, address=("localhost", 5020))



Get a test-bedGet a test-bedEmulated, software-based

ModSak (commercial with free trial)

http://wingpath.co.uk/modbus/modsak.php



Get some ICS software from vendorsGet some ICS software from vendors

Vendors often have trial versions on their sites

You might have to ask them for a copy

They might not like it what you'll be using it for

Be brave. Don't desist.



Scan the crap out of itScan the crap out of it

Use network and software vulnerabilities scanners heavily, don't mind if sometimes devices go crazy

but do one at a time or you may DOS your device

For both equipment and software



Fuzz'em until smoke comes outFuzz'em until smoke comes out

Create fuzz model files based on documentation

See how they handle malformed data




Fuzz'em until smoke comes outFuzz'em until smoke comes out

Peach fuzzer


http://peachfuzzer.com/



Fuzz'em until smoke comes outFuzz'em until smoke comes outModbus PIT file for Peach Fuzzer (WIP)


https://github.com/jseidl/peach-pit/blob/master/modbus/modbus.xml



Fuzz'em until smoke comes outFuzz'em until smoke comes outROBUS & AEGIS Project


http://www.automatak.com/aegis/ & http://www.automatak.com/robus/

http://www.automatak.com/aegis/

http://www.automatak.com/robus/



Set up a honeypotSet up a honeypot

Put it faced over to the internet and learn from other

attackers (caution! risky!)



Set up a honeypotSet up a honeypot

“The default configuration of Conpot simulates a basic

Siemens SIMATIC S7-200 PLC with an input/output module

and a CP 443-1 which would be needed in a real setup to

provide network connectivity.”

https://github.com/glastopf/conpot

Conpot – SCADA/ICS Honeypot

Attack DemonstrationAttack Demonstration


Questions?Questions?


Please, don't be shy!

Thanks for your time!Thanks for your time!


Hope you enjoyed it!

@jseidl

[email protected]

http://wroot.org

https://github.com/jseidl

http://www.slideshare.net/jseidl

http://www.linkedin.com/in/janseidl

mailto:[email protected]

http://wroot.org/

https://github.com/jseidl

http://www.slideshare.net/jseidl

SCADA hacking industrial-scale fun

Technology

Transcript of SCADA hacking industrial-scale fun