SCADA StrangeLove 2: We already know
- 2.
Sergey Gordeychik
Positive Hack Days Director and Scriptwriter, WASC board member
http://www.phdays.com
Gleb Gritsai
Principal Researcher, Network security and forensic researcher, member of PHDays Challenges team
@repdet
- 3.
Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence
Sergey Gordeychik
Roman Ilin
Artem Chaykin
Dmitry Efanov
Andrey Medov
Alexander Zaitsev
Dmitry Sklyarov
Kirill Nesterov
Gleb Gritsai
Ilya Karpov
Yuriy Dyachenko
Yuri Goltsev
Sergey Scherbel
Dmitry Serebryannikov
Alexander Timorin
Alexander Tlyapov
Denis Baranov
Sergey Bobrov
Sergey Drozdov
Vladimir Kochetkov
Timur Yunusov
Dmitry Nagibin
Vyacheslav Egoshin
Evgeny Ermakov
- 4.
Analytics “SCADA security in numbers”
Industrial Protocols
ICS systems on the internets
plcscan for S7 and modbus
Vulnerabilities
Siemens WinCC components and vulnerabilities
Lots of “We don’t know yet”
- 6.
To find ICS system
To find vulnerable device
Get https://scans.io/ (~500 GB) = ~$60
Index by Elastic Search (3 cpu days) = $0
Grep it all!
It’s all vulnerable (for sure!) = $0
Put in Excel (I hate it!) = $9000
CoV
($60 + $0 +$0 + $9000)/68076 = $0.1330865503261061
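The “grep it all” step above, and the vendor table it produces, as an added example that is not the authors' tooling: a banner classifier over a handful of constructed scan records (the banner strings and the vendor patterns are assumptions for illustration; real scans.io data needs indexing first, as the slide says), bucketed by vendor and followed by the deck's own cost-per-finding arithmetic.

```python
"""Bucket banner-grab records by ICS vendor and compute cost per finding.
Added example for this page: records and patterns below are constructed,
not taken from scans.io or from the SCADA StrangeLove tools."""
import re
from collections import Counter

# Constructed records in the shape of a banner-grab result: (ip, port, banner).
SAMPLE_RECORDS = [
    ("192.0.2.10", 80, "HTTP/1.1 200 OK\r\nServer: Niagara Web Server/3.5\r\n"),
    ("192.0.2.11", 80, "HTTP/1.0 200 OK\r\nServer: IPC@CHIP\r\n"),
    ("192.0.2.12", 80, "HTTP/1.1 200 OK\r\nServer: Lantronix Embedded Web\r\n"),
    ("192.0.2.13", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2\r\n"),
    ("192.0.2.14", 80, "HTTP/1.1 200 OK\r\nServer: Niagara Web Server/3.6\r\n"),
    ("192.0.2.15", 80, "HTTP/1.1 200 OK\r\nServer: MoxaHttp/1.0\r\n"),
    ("192.0.2.16", 80, "HTTP/1.1 200 OK\r\nServer: WindCube\r\n"),
]

# Illustrative banner patterns (assumption: verify against your own captures
# before trusting them; vendors change banners between firmware versions).
VENDOR_PATTERNS = [
    ("Tridium", re.compile(r"Niagara Web Server", re.I)),
    ("Beck IPC", re.compile(r"IPC@CHIP", re.I)),
    ("Lantronix", re.compile(r"Lantronix", re.I)),
    ("Moxa", re.compile(r"Moxa", re.I)),
    ("NRG Systems", re.compile(r"WindCube", re.I)),
]


def classify(banner):
    """Return the vendor whose pattern matches the banner, or None."""
    for vendor, pattern in VENDOR_PATTERNS:
        if pattern.search(banner):
            return vendor
    return None  # plain web servers and unknown gear fall through here


def count_by_vendor(records):
    """{vendor: devices} over the records that match an ICS pattern."""
    counts = Counter()
    for _ip, _port, banner in records:
        vendor = classify(banner)
        if vendor:
            counts[vendor] += 1
    return dict(counts)


def vendor_table(counts):
    """Rows (vendor, devices, percent) sorted by count, the shape of slide 9."""
    total = sum(counts.values())
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(v, n, round(100.0 * n / total, 1)) for v, n in rows]


def cost_per_finding(costs, findings):
    """Total spend divided by the number of findings (the CoV line above)."""
    return sum(costs) / findings


if __name__ == "__main__":
    counts = count_by_vendor(SAMPLE_RECORDS)
    for vendor, n, pct in vendor_table(counts):
        print(f"{vendor:<12} {n:>6} {pct:>5}%")
    # The deck's own figures: $60 data, $0 indexing, $0 grep, $9000 Excel, 68076 devices.
    print(f"CoV = ${cost_per_finding([60, 0, 0, 9000], 68076):.4f}")
```

The classifier is first-match, so order the patterns from most to least specific; a banner that matches nothing is deliberately dropped rather than counted as “Other”, because on a bulk scan the unmatched set is mostly ordinary web servers, not ICS.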
- 9. Vendor, Devices, Share
Tridium, 19490, 29%
NRG Systems, 11715, 17%
Lantronix, 6988, 10%
Moxa, 3949, 6%
Beck IPC, 3655, 5%
Generic, 2794, 4%
Schneider Electric, 2458, 4%
Rabbit, 1958, 3%
SAP, 1639, 2%
Westermo, 1526, 2%
Echelon, 1395, 2%
Siemens, 1322, 2%
TAC AB, 1321, 2%
Digi, 988, 1%
DATACOM, 945, 1%
Other, 5933, 9%
- 10. Product, Devices, Share
WindCube, 11715, 45%
IPC@CHIP, 3655, 14%
Lantronix SLS, 2204, 8%
PowerLogic ION, 1806, 7%
NetWeaver Application Server, 1639, 6%
Lantronix XPort AR, 1413, 5%
i.LON 600, 1395, 5%
Lantronix UDS1100, 1310, 5%
Westermo MRD-310, 1171, 5%
- 19.
Lots of new information coming up
Modbus (502)
DNP3 (20000)
http://scadastrangelove.blogspot.com/2012/11/plcscan.html
Profinet DCP
http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
S7 (102)
http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
MMS (102)
https://code.google.com/p/scadascan/
http://sourceforge.net/projects/dnp/
IEC104 (2404)
http://nmap.org/nsedoc/scripts/modbus-discover.html
http://scadastrangelove.blogspot.com/2012/11/plcscan.html
http://scadastrangelove.blogspot.com/2013/05/scada-strangelove-positive-hack-days.html
But some protocols are still not researched
[kudos to Alexander Timorin @atimorin]
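What the Modbus scanners listed above actually parse, as an added example that is not plcscan or the nmap script: a decoder for Modbus/TCP frames that validates the MBAP header, extracts the Read Device Identification response (function 0x2B, MEI type 0x0E) that gives a scanner its vendor and product strings, and flags state-changing function codes for monitoring. The sample frames are constructed by hand; the set of “write” function codes is an assumption about what a monitoring rule would watch.

```python
"""Decode Modbus/TCP frames: MBAP header, function code, and the Read Device
Identification response used by plcscan-style inventory tools.
Added example for this page, not the authors' scanner; the frames below are
constructed, not captured from real equipment."""
import struct
from dataclasses import dataclass, field

# Function codes that alter process state. Alerting on them when they arrive
# from outside the control network is a common monitoring rule (assumption).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

# Basic/regular identification object ids from the Modbus application spec.
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision",
                3: "VendorUrl", 4: "ProductName", 5: "ModelName",
                6: "UserApplicationName"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int            # function code with the exception bit cleared
    exception: bool          # True when the device answered with an error
    pdu: bytes
    identification: dict = field(default_factory=dict)


def parse_frame(data: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(data) - 6:      # length field covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = data[7]
    frame = ModbusFrame(tid, unit, fc & 0x7F, bool(fc & 0x80), data[7:])
    if frame.function == 0x2B and not frame.exception:
        frame.identification = parse_device_identification(frame.pdu)
    return frame


def parse_device_identification(pdu: bytes) -> dict:
    """Decode a Read Device Identification response into {object: text}."""
    # PDU layout: fc, MEI type, read-dev-id code, conformity level,
    # more-follows, next object id, object count, then (id, len, value)*
    if len(pdu) < 7 or pdu[1] != 0x0E:
        return {}
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu):
            break                    # truncated object list: keep what decoded
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        name = OBJECT_NAMES.get(obj_id, f"Object{obj_id}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


def flag_writes(frames) -> list:
    """Transaction ids of frames carrying a state-changing function code."""
    return [f.transaction_id for f in frames if f.function in WRITE_FUNCTIONS]


# Constructed sample traffic (bytes.fromhex ignores the spaces):
SAMPLE_FRAMES = [
    # identification response: vendor "ACME", product "PLC-1", revision "V2.1"
    bytes.fromhex("0001 0000 001b 01 2b0e 01 01 00 00 03"
                  "00 04 41434d45"
                  "01 05 504c432d31"
                  "02 04 56322e31"),
    # write single register 0x0010 := 0x00ff on unit 1
    bytes.fromhex("0002 0000 0006 01 06 0010 00ff"),
    # exception reply to read holding registers: illegal data address (0x02)
    bytes.fromhex("0003 0000 0003 01 83 02"),
]


def decode_samples():
    return [parse_frame(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    frames = decode_samples()
    for f in frames:
        print(f"tid={f.transaction_id} unit={f.unit_id} fc=0x{f.function:02x}"
              f" exception={f.exception} ident={f.identification}")
    print("write transactions:", flag_writes(frames))
```

The length check against the MBAP header matters in both directions: an inventory tool that trusts the header will misparse a device that pads its reply, and a monitor that ignores it will miss a frame whose PDU was truncated.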
- 31. This is my encryptionkey
Metasploit module for harvesting data from WinCC project’s database and decrypting ciphertexts
http://scadastrangelove.blogspot.com/2013/08/wincc-harvester-metasploit-module-is.html
- 36. ActiveX components for communication and rendering of HMI
Another component of WinCC. For example, forwarding commands to the PLC via the S7 protocol
IIS extension SCSWebBridgex.dll
Manages SCS connection and converts data to PAL
CCEServer.exe
Yep-Yep, again)
CCEServer.exe
WinCC core: Manages requests of components
WebNavigatorRT.exe
Rendering HMI and command transmission
[kudos to Alexander Tlyapov @rigros1]
- 42.
What is Project?
Collection of ActiveX/COM/.NET objects
Event Handlers and other code (C/VB)
Configuration files, XML and other
Can Project be trusted?
Ways to spread malware with Project?
- 43.
NO!
Project itself is dynamic code
It’s easy to patch it “on the fly”
Vulnerabilities in data handlers
How to abuse?
Simplest way – to patch event handlers
- 44.
Sub OnClick(ByVal Item)
    Dim tagName, tagValue, tagFilename
    Dim strFilename, strLine
    Dim fso, objFile, objTag
    ' Patched event handler: on click, drop a file into the WinCC directory
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objFile = fso.CreateTextFile("%WinCC%1.exe", True)
    strLine = "malware code here"
    objFile.WriteLine strLine
    objFile.Close
End Sub
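One way to catch a handler patched like the one above, as an added defensive example that is not part of the deck: a project-script audit that compares each VBScript event handler against a recorded baseline hash and flags handlers that instantiate file-system, shell or HTTP COM objects or write executable files. The handler bodies and the baseline hashes are constructed; the list of suspicious ProgIDs is an assumption to be tuned to what a given project legitimately uses.

```python
"""Audit WinCC project VBScript event handlers for integrity and for
file/process/network capability they should not need.
Added example for this page; handler texts and baseline are constructed."""
import hashlib
import re

# COM objects a graphics event handler rarely needs (assumption: adjust to
# whatever your own project legitimately uses).
SUSPICIOUS_OBJECTS = {
    "scripting.filesystemobject": "file-system access",
    "wscript.shell": "process execution / registry access",
    "shell.application": "shell operations",
    "msxml2.xmlhttp": "outbound HTTP",
    "microsoft.xmlhttp": "outbound HTTP",
}
CREATE_OBJECT = re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.I)
# A handler writing an executable or script file is the pattern shown above.
EXE_WRITE = re.compile(r'CreateTextFile\s*\(\s*"[^"]*\.(exe|dll|vbs|bat)"', re.I)


def audit_handler(name, source):
    """Findings (handler, reason) for one script body."""
    findings = []
    for match in CREATE_OBJECT.finditer(source):
        progid = match.group(1).lower()
        if progid in SUSPICIOUS_OBJECTS:
            findings.append((name, f"CreateObject({progid}): {SUSPICIOUS_OBJECTS[progid]}"))
    if EXE_WRITE.search(source):
        findings.append((name, "handler writes an executable/script file"))
    return findings


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def changed_handlers(handlers, baseline):
    """Names whose content hash differs from the baseline, or are new."""
    return sorted(n for n, src in handlers.items() if baseline.get(n) != sha256(src))


# Constructed handler bodies: one benign tag write, one mirroring the patched
# OnClick on the slide above.
HANDLERS = {
    "Button1.OnClick": 'Sub OnClick(ByVal Item)\n'
                       '  HMIRuntime.Tags("SetPoint").Write 42\n'
                       'End Sub\n',
    "Button2.OnClick": 'Sub OnClick(ByVal Item)\n'
                       '  Set fso = CreateObject("Scripting.FileSystemObject")\n'
                       '  Set f = fso.CreateTextFile("%WinCC%1.exe", True)\n'
                       '  f.WriteLine "..."\n'
                       '  f.Close\n'
                       'End Sub\n',
}
# Baseline recorded from the known-good project copy (constructed: Button2 has
# been modified since, so its stored hash no longer matches).
BASELINE = {
    "Button1.OnClick": sha256(HANDLERS["Button1.OnClick"]),
    "Button2.OnClick": "0" * 64,
}


def audit_project(handlers=HANDLERS, baseline=BASELINE):
    """Integrity findings first, then capability findings per handler."""
    findings = [(n, "content differs from baseline") for n in changed_handlers(handlers, baseline)]
    for name, src in handlers.items():
        findings.extend(audit_handler(name, src))
    return findings


if __name__ == "__main__":
    for handler, reason in audit_project():
        print(f"{handler}: {reason}")
```

The baseline comparison is the part that scales: capability patterns catch the obvious drop-and-execute edit, but a handler that only changes a setpoint is invisible to them, and only a hash taken from the engineering-station copy shows that it was altered.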
- 52.
Understand the components roles
Define entry points (input)
how they communicate (i.e. HMI-DCS-PLC)
how they store data (i.e. account/project data)
User input, IPC communications, command
protocols
Analyze code
Resurrect structures/classes used in entry points
Research initialization and processing
- 54. Regex
# grep recv <decompiled bin function>
ret = recv(s, buf, buf_len, flags)
# grep ‘buf|buf_len’ <decompiled bin function>
ret = recv(s, buf2, buf[42], flags)
This is not supposed to work in the real world!
- 68. scadasl@December 04, 2012#ping vendor.ics.jp
Request timed out.
scadasl@January 18, 2013#traceroute vendor.ics.jp
1
2
3
3 days
5 days
*
S4.Conference
jpcert.or.jp
Request timed out.
scadasl@March 04, 2013#ping vendor.ics.jp
Reply from jpcert.or.jp: Destination host reachable!
scadasl@June 19, 2013#traceroute vendor.ics.jp
1
1 days jpcert.or.jp
Customer list complete!
scadasl#echo WTF?!