SCADA Hacking: Industrial-Scale Fun
Posted on 08-May-2015

SCADA Hacking – Industrial Scale Fun
Jan Seidl

$ whoami
About
Full Name: Jan Seidl
Origin: Rio de Janeiro, RJ – Brazil
Work:
● CTO @ TI Safe
● OpenSource contributor for: PEV, Logstash
● Codes and snippets @ github.com/jseidl
Features:
● UNIX Evangelist/Addict/Freak (but no fanboy!)
● Python and C lover
● Coffee dependent
● Hates printers and social networks
● Proud DC Labs Researcher
SCADA Hacking – Industrial Scale Fun. SEIDL, Jan
Hackers 2 Hackers Conference/2013 – São Paulo, Brazil

Agenda
0x0 What is SCADA?
0x1 Where is SCADA?
0x2 Why SCADA?
0x3 Misconceptions and Reality
0x4 Industrial Protocols
0x5 Pentesting SCADA systems
0x6 Industrial Malwares, the cyberweapons
0x7 Solutions for Industrial Control Systems Security
0x8 Researching SCADA
0x9 Modbus Attacks Demonstration
0xA Questions?

What is SCADA?

What is NOT SCADA?
Programmable-Logic Controllers (PLCs)

What is NOT SCADA?
Remote Terminal Units (RTUs)

What is NOT SCADA?
Supervisory Control and Data Acquisition
Control devices, safety devices, electric/electronic devices
Single-box solution/application
Not just a user interface

What is SCADA?
Supervisory Control and Data Acquisition

What is SCADA?
Supervisory Control and Data Acquisition
Collects data from and controls field equipment
Saves historical data
Forwards data to other devices or systems
Provides seconds-precision measurements

Where is SCADA?

Where is SCADA?
What kind of cool stuff do they control?

Why SCADA?

Why SCADA?
Do we really need computers for this?
Equipment relies on very quick response times
Huge amounts of data need to be collected
Hundreds, thousands of devices need to be controlled at the same time
Operation is almost never interrupted

Why SCADA?
Can you imagine if something goes... wrong?
Russian hydro plant accident kills 12

Why SCADA?
Can you imagine if something goes... wrong?
Chemical plant explosion leaves 5 missing, 15 injured in China

Why SCADA?
Can you imagine if something goes... wrong?
Hundreds of tons of toxic waste were dumped into one of the German rivers after the serious accident at a local chemical plant.

Misconceptions and Reality

Misconceptions and Reality
Do automation guys think they are in danger?

Misconceptions and Reality
First, the misconceptions...
“SCADA networks are isolated and cannot be accessed over the Internet”

Misconceptions and Reality
First, the misconceptions...
“We use proprietary/custom systems, protocols and equipment, thus we cannot be hacked”

Misconceptions and Reality
First, the misconceptions...
“HMI/some-control-software has limited functionality and/or restrictions so it cannot be abused”

Misconceptions and Reality
And my opinion on this...

Misconceptions and Reality
And now comes reality...
All industrial networks are connected somehow to the Internet or the corporate network
Integration software (ERP/MES), phone/modem/3G abuse, equipment misconfiguration (switches, routers, firewalls), removable media abuse, remote access (VPN, RDP, VNC)

Misconceptions and Reality
And now comes reality...
Most networks are operated by automation staff with no or low IT knowledge
They commit security abuses/incidents, have an unsafe computer operation posture [games, internet browsing, downloading stuff], are careless about infosec, and just want the job done

Misconceptions and Reality
And now comes reality...
Most networks and servers are managed by IT staff
Low to no knowledge about industrial protocols, attack impacts, software operation and overall ICS security; they commit several mistakes configuring equipment

Misconceptions and Reality
And now comes reality...
99,9% of plants can be easily hacked
Common OS (Windows, Linux...)
Common/open protocols (HTTP, Telnet, Modbus)
All the same common bugs from IT: weak/hardcoded passwords, silly application vulns, unpatched stuff

Misconceptions and Reality
And now comes reality...

Industrial Protocols

Industrial Protocols
Current common market protocols
CIP – Common Industrial Protocol, Ethernet/IP
Profinet, S3/5/7
CC-Link
Modbus

Industrial Protocols
Modbus
Very simple plaintext protocol
Created in the 70s by Modicon
Used by many vendors

Industrial Protocols
Modbus
No authentication + No encryption + No validation = HA-HA security level

Industrial Protocols
Modbus
Common architecture

Industrial Protocols
Modbus
Protocol structure
Standard port tcp/502

Industrial Protocols
Modbus
Protocol structure

Industrial Protocols
Modbus
Function Codes

Industrial Protocols
Modbus
Function Codes (the ones we care about)
Read/Write Coils and Registers (mess up stuff) [lots]
Read/Write File Records [20, 21]
Device Fingerprinting & Diagnostics [43, 17, 8]
+ Modbus supports user-defined functions!
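The protocol-structure and function-code slides above carry no text in this transcript. As an added example that is not part of Jan Seidl's deck, the Python below decodes a Modbus/TCP frame (the 7-byte MBAP header followed by the PDU), rejects the malformed cases that the "no validation" slide is about and that a passive monitor would otherwise trip over, and sorts the function code into the read / write / diagnostic / user-defined groups listed above. The sample frames are constructed inline, not captured from any device; the user-defined ranges 65-72 and 100-110 are the ones reserved by the Modbus application protocol specification.

```python
import struct

MODBUS_TCP_PORT = 502  # standard port, as on the slide

# Public function codes grouped the way a monitor cares about them.
# 23 (Read/Write Multiple Registers) changes state, so it counts as a write.
WRITE_FCS = {5, 6, 15, 16, 21, 22, 23}
READ_FCS = {1, 2, 3, 4, 20, 24}
DIAG_FCS = {7, 8, 11, 12, 17, 43}
# The specification reserves 65-72 and 100-110 for user-defined functions.
USER_DEFINED_FCS = set(range(65, 73)) | set(range(100, 111))


class ModbusFrameError(ValueError):
    """Raised when the MBAP header does not describe the bytes that follow it."""


def parse_modbus_tcp(frame):
    """Decode one Modbus/TCP frame.

    MBAP header: transaction id (2 bytes), protocol id (2, always 0),
    length (2, counts unit id + PDU), unit id (1).  PDU: function code (1)
    followed by data.  Bit 7 of the function code marks an exception response.
    """
    if len(frame) < 8:
        raise ModbusFrameError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ModbusFrameError("protocol id %d is not Modbus (expected 0)" % proto)
    if length != len(frame) - 6:
        raise ModbusFrameError("MBAP length field says %d but %d bytes follow it"
                               % (length, len(frame) - 6))
    pdu = frame[7:]
    fc = pdu[0] & 0x7F
    if fc in USER_DEFINED_FCS:
        kind = "user-defined"
    elif fc in WRITE_FCS:
        kind = "write"
    elif fc in READ_FCS:
        kind = "read"
    elif fc in DIAG_FCS:
        kind = "diagnostic"
    else:
        kind = "other"
    return {"transaction_id": tid, "unit_id": unit, "function_code": fc,
            "exception": bool(pdu[0] & 0x80), "kind": kind, "data": pdu[1:]}


def build_modbus_tcp(tid, unit, fc, data):
    """Encode a frame; used here only to construct the sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample frames (not from a real capture).
SAMPLE_FRAMES = {
    "read_hr":   build_modbus_tcp(1, 1, 3, b"\x00\x00\x00\x0a"),      # read 10 holding registers
    "write_reg": build_modbus_tcp(2, 1, 6, b"\x00\x05\xff\xff"),      # write single register 5
    "write_exc": b"\x00\x02\x00\x00\x00\x03\x01\x86\x02",             # exception response to FC 6
    "user_fc":   build_modbus_tcp(3, 1, 100, b"\x01\x02"),            # user-defined function 100
    "bad_proto": b"\x00\x04\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a", # protocol id 1, not Modbus
}


def decode_all(frames):
    """Decode every frame; malformed ones are reported instead of crashing the monitor."""
    result = {}
    for name, raw in frames.items():
        try:
            d = parse_modbus_tcp(raw)
            result[name] = (d["function_code"], d["kind"], d["exception"])
        except ModbusFrameError as err:
            result[name] = ("malformed", str(err))
    return result


if __name__ == "__main__":
    for name, info in decode_all(SAMPLE_FRAMES).items():
        print(name, info)
```

The length and protocol-id checks are the ones worth keeping in any tool that reads Modbus/TCP off the wire: a header that lies about its length desynchronises a naive reader for the rest of the TCP stream.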

Pentesting SCADA systems

Pentesting SCADA systems
Important Note
When you run tests against an industrial control system unexpected things may happen.
And they happen almost every time.

Pentesting SCADA systems
Important Note
Do not test LIVE systems.
Never. Ever.

Pentesting SCADA systems
Scanning / Discovery
Some tools available:
plcscan – Scans s7comm & modbus devices – https://code.google.com/p/plcscan/
modscan – Scans modbus devices – https://code.google.com/p/modscan/
Nmap – Famous network scanner – http://nmap.org/

Pentesting SCADA systems
Scanning / Discovery (cont.)
Metasploit Modules
auxiliary/scanner/modbus/modbus_findunitid
auxiliary/scanner/modbus/modbusdetect

Pentesting SCADA systems
Scanning / Discovery
PLCscan

Pentesting SCADA systems
Scanning / Discovery
Nmap – modbus-discover.nse

Pentesting SCADA systems
Scanning / Discovery
Modbus Diagnostic Function code (0x2B, 43)
VendorName, ProductName, ModelName, ProductCode, MajorMinorRevision
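Added example, not code from the deck: the Read Device Identification exchange behind the slide above, in Python. The request builder produces the 4-byte PDU (function 43, MEI type 14); the parser turns a response PDU into the named identification objects, which is the decoding an asset-inventory script applies to FC 43 responses seen in a capture or to a query against your own test bed. The sample response is constructed here from the identity strings of the Pymodbus test bed shown later in the deck; it is not a real device's reply.

```python
FC_ENCAPSULATED_INTERFACE = 0x2B   # 43 on the slide
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14

# Object ids from the Modbus specification; the slide names five of them.
DEVICE_ID_OBJECTS = {
    0x00: "VendorName",
    0x01: "ProductCode",
    0x02: "MajorMinorRevision",
    0x03: "VendorUrl",
    0x04: "ProductName",
    0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_read_device_id_pdu(read_code=0x01, object_id=0x00):
    """Request PDU: function code, MEI type, read device id code, first object id.

    read_code 1 = basic objects (0-2), 2 = regular (3-6), 3 = extended,
    4 = one specific object.
    """
    return bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id])


def parse_read_device_id_pdu(pdu):
    """Decode a response PDU into its identification objects.

    Layout: fc, MEI type, read code, conformity level, more-follows,
    next object id, object count, then (id, length, value) triplets.
    A device that does not support the function answers fc | 0x80 plus an
    exception code, which is reported instead of being parsed as objects.
    """
    if len(pdu) >= 2 and pdu[0] == (FC_ENCAPSULATED_INTERFACE | 0x80):
        raise ValueError("device returned Modbus exception code %d" % pdu[1])
    if (len(pdu) < 7 or pdu[0] != FC_ENCAPSULATED_INTERFACE
            or pdu[1] != MEI_READ_DEVICE_ID):
        raise ValueError("not a Read Device Identification response")
    count = pdu[6]
    objects = {}
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("object list truncated")
        obj_id, length = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("object value truncated")
        name = DEVICE_ID_OBJECTS.get(obj_id, "Object0x%02X" % obj_id)
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + length
    return {"conformity": pdu[3], "more_follows": pdu[4] != 0,
            "next_object_id": pdu[5], "objects": objects}


def _obj(obj_id, text):
    """Build one (id, length, value) object for the constructed sample response."""
    raw = text.encode("ascii")
    return bytes([obj_id, len(raw)]) + raw


# Constructed sample response: basic identification (conformity 1), three objects,
# nothing more to follow.  Values mirror the Pymodbus test-bed identity block.
SAMPLE_RESPONSE_PDU = (bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                              0x01, 0x01, 0x00, 0x00, 0x03])
                       + _obj(0x00, "Pymodbus") + _obj(0x01, "PM") + _obj(0x02, "1.0"))


def describe_device(pdu):
    """One inventory line per device: vendor, product code, firmware revision."""
    objs = parse_read_device_id_pdu(pdu)["objects"]
    return " ".join(objs.get(k, "?")
                    for k in ("VendorName", "ProductCode", "MajorMinorRevision"))


if __name__ == "__main__":
    print("request :", build_read_device_id_pdu().hex())
    print("response:", describe_device(SAMPLE_RESPONSE_PDU))
```

Keeping the inventory line per device lets you diff it against the engineering documentation: a controller that answers with a vendor or revision nobody expects is worth a look long before anyone writes a register.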

Pentesting SCADA systems
Data Manipulation
Opensource ICS protocol libraries
Modlib – Scapy Extension [python] – https://www.scadaforce.com/modbus
Pymodbus – Module [python] – https://github.com/bashwork/pymodbus
Modbus-cli – Gem [ruby] – https://rubygems.org/gems/modbus-cli
S7comm – Library [C, C++, C#, Delphi, Pascal, Perl, VB(A)] – http://libnodave.sourceforge.net/
OpenDNP3 – Library [C++] – https://code.google.com/p/dnp3/

Pentesting SCADA systems
Data Manipulation (cont.)
Metasploit Modules
auxiliary/scanner/modbus/modbusclient
auxiliary/admin/scada/modicon_command
auxiliary/admin/scada/igss_exec_17
auxiliary/admin/scada/multi_cip_command

Pentesting SCADA systems
Data Manipulation
Modbus
Reading and Writing data
modbus-cli <https://rubygems.org/gems/modbus-cli>
R: modbus read <IP> <ADDR> <QTY>
W: modbus write <IP> <ADDR> [<VAL1>,<VAL2>,<VAL3>]
pymodclient <https://github.com/jseidl/pymodbuscli>
R: pymodbuscli -f read_register -h <IP> <ADDR> <QTY>
W: pymodbuscli -f write_register -h <IP> <ADDR> [<VAL1>,<VAL2>,<VAL3>]

Pentesting SCADA systems
Data Manipulation
S7Comm
Metasploit Modules (not on official tree yet)
simatic_s7_300_command.rb / simatic_s7_300_memory_view.rb / simatic_s7_1200_command.rb
https://github.com/d1n/s7-metasploit-modules

Pentesting SCADA systems
Sniffing Traffic
Modbus
Native Wireshark dissector

Pentesting SCADA systems
Sniffing Traffic
SIEMENS S7comm
Opensource Wireshark dissector plugin <http://sourceforge.net/projects/s7commwireshark/>

Industrial Malwares

Industrial Malwares
Stuxnet
Industrial Sabotage

Industrial Malwares
Stuxnet
Industrial Sabotage
Discovered July 2010
Targets Siemens WinCC systems
Targets specific PLC models
100KLOC (thousands of lines of code)

Industrial Malwares
Stuxnet
Industrial Sabotage
Sabotages centrifuges, causing malfunction or destruction
Allegedly a sabotage plan from the USA and Israel against Iran's nuclear program

Industrial Malwares
Stuxnet
Industrial Sabotage
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=2

Industrial Malwares
Stuxnet
Industrial Sabotage
http://www.cbsnews.com/8301-205_162-57592862/nsa-leaker-snowden-claimed-u.s-and-israel-co-wrote-stuxnet-virus/

Industrial Malwares
Stuxnet
Industrial Sabotage
http://www.symantec.com/connect/blogs/w32stuxnet-dossier

Industrial Malwares
Stuxnet
Industrial Sabotage
Exploits five vulnerabilities (of which four are 0-day)...
LNK File Bug – Initial infection via USB drives/removable media – http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx
Printer Spooler – Spreading – http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx
Server Service (SMB) – Spreading – http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Keyboard layout file – Privilege escalation
Task Scheduler – Privilege escalation
… and then installs a rootkit :)

Industrial Malwares
Stuxnet
Industrial Sabotage
Which can only be installed because Stuxnet has stolen valid digital certificates.
From Realtek and JMicron.

Industrial Malwares
Stuxnet
Industrial Sabotage
As if this weren't enough, it creates a peer-to-peer network of infected hosts, steals intelligence, and rootkits the PLC + project files so engineers and operators won't notice.

Industrial Malwares
DuQu
Industrial Espionage

Industrial Malwares
DuQu
Industrial Espionage
Discovered September 2011
Possibly derived from Stuxnet
Objective: backdooring and data collection
Targets ICS software and hardware vendors

Industrial Malwares
DuQu
Industrial Espionage
Uses one Microsoft vulnerability: Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (BID 50462)
Does not replicate on its own
Has also stolen signed certificates

Industrial Malwares
Flame / Skywiper
Industrial Espionage

Industrial Malwares
Flame
Industrial Espionage
Discovered ~May 2012
Mostly seen in the Middle East
About 20 MB in size
Has Lua plugin support
Around 20 extension modules

Industrial Malwares
Flame
Industrial Espionage
Fingerprints countermeasure software and adapts to evade it
Multiple encryption levels
SQLite databases for storing collected data
Propagates similarly to Stuxnet (LNK+Spooler)

Industrial Malwares
Flame
Industrial Espionage
Records Skype conversations
Keylogging + Screenlogging
Network sniffer
Bluetooth scanning and compromise
Most affected countries: Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

Industrial Malwares
Gauss
Industrial Espionage

Industrial Malwares
Gauss
Industrial Espionage
Discovered ~August 2012
Flame + Banking + Nasty Stuff
Same infection schemes as Stuxnet & Flame
Has an encrypted payload that is only run under certain circumstances

Industrial Malwares
Gauss
Industrial Espionage
Steals passwords and cookies from the browser
Collects and reports system configuration
Infects other removable media
Enumerates files and directories

Industrial Malwares
Gauss
Industrial Espionage
Steals banking credentials from Middle East banking systems
Steals information from social networks, instant messaging and email accounts

Solutions for ICS Security

Solutions for ICS Security
First of All
There is no single-box solution.
Sorry :(

Solutions for ICS Security
First of All
Security is not only on your hosts but also on networks and personnel

Solutions for ICS Security
First of All
You need the best solution for each area. Each vendor has expertise in its own area and probably won't master all of them at the same time.

Solutions for ICS Security
so...
Embrace the good old defense-in-depth model
Photo credit: Sentrillion

Solutions for ICS Security
so...
Embrace the good old defense-in-depth model
Photo credit: Sentrillion
Locks, cameras etc.
Firewalls, IDPS, data diodes
Segmentation, VLANs, port-mirrored IDS
WAFs, strong architecture
Encryption and access control
Whitelisting software, HIDPS, central logging

Solutions for ICS Security
Network Segmentation
ISA/99 Zones and Conduits Model

Solutions for ICS Security
Network Segmentation
Proper DMZ Model

Solutions for ICS Security
Industrial Control Systems Firewalls/IDSs
Commercial Solutions
Tofino Security Appliance
SIEMENS Scalance S

Solutions for ICS Security
Industrial Control Systems Firewalls/IDSs
Commercial Solutions
Firewall
Industrial Protocol Enforcer
VPN
Centralized Management

Solutions for ICS Security
Industrial Control Systems Firewalls/IDSs
OpenSource Solutions

Solutions for ICS Security
SNORT SCADA IDS Rules
http://www.digitalbond.com/tools/quickdraw/
http://blog.snort.org/2012/01/snort-292-scada-preprocessors.html
Initially compiled by Digital Bond
Many rules already on the SNORT main repository
Additional rules are easy to write

Solutions for ICS Security
Modbus
Snort IDS rules

Solutions for ICS Security
Ether/IP
Snort IDS rules

Solutions for ICS Security
DNP3
Snort IDS rules

Solutions for ICS Security
Data Diodes
Allow traffic to flow only in one direction
Enforced by hardware
Photo-resistor on one end, photo-transmitter on the other
As it depends on hardware, no open-source solution yet :(
Can be enforced via firewall but not with the same efficiency

Solutions for ICS Security
Data Diodes
Commercial Solution

Solutions for ICS Security
White-listing Software
Anti-virus, seriously?
CEBIT 2013 Workshop: Is anti-virus an efficient solution for industrial network protection? (short answer: no)
http://slidesha.re/17AwTEd

Solutions for ICS Security
Monitoring
ICS networks and hosts generally operate in regular and predictable manners.
Simple monitoring and plotting can help detect anomalies when they happen
[White paper] Detecting problems in industrial networks through continuous monitoring
http://slidesha.re/17JyVSu

Solutions for ICS Security
Monitoring
• $ nmap -sV 192.168.1.1
• Communications interception (ARP Poisoning)

Solutions for ICS Security
Monitoring
• Denial of Service
• Malware infection

Solutions for ICS Security
Monitoring
• Unauthorized Modbus traffic
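As an added example that is not from the talk, the Python below implements the monitoring idea of these slides and the "unauthorized Modbus traffic" case, and is also the logic the Snort SCADA rules slide says is easy to write, expressed as code: because ICS traffic is regular, a baseline of who talks to which unit with which function code, plus each source's normal polling rate, is enough to flag a new talker, a write from a host that only ever read, or a burst far above the usual rate (the scan and DoS cases on the plots). The flow records are constructed inline with invented addresses and timings, not taken from a real plant; in production the same (src, dst, unit, function code) tuples would come from the Wireshark or Snort Modbus dissectors.

```python
from collections import Counter, defaultdict

# Function codes that change process state (Modbus public function codes).
WRITE_FCS = {5, 6, 15, 16, 21, 22, 23}


def constructed_records():
    """Constructed flow records: (second, src, dst, unit_id, function_code).

    An HMI at 10.0.0.10 polls PLC 10.0.0.50 once a second with Read Holding
    Registers (FC 3) for two minutes.  After the 60 s baseline window two
    anomalies are planted: a host never seen before writes a register (FC 6),
    and the HMI's polling rate jumps to 201 messages within one second.
    """
    records = [(t, "10.0.0.10", "10.0.0.50", 1, 3) for t in range(120)]
    records.append((70, "10.0.0.99", "10.0.0.50", 1, 6))
    records += [(90, "10.0.0.10", "10.0.0.50", 1, 3)] * 200
    return sorted(records)


def learn_baseline(records, window_end):
    """Learn what 'normal' looks like from the first window_end seconds.

    Returns every (src, dst, unit, fc) conversation seen and, per source,
    the peak number of messages observed in any single second.
    """
    tuples = set()
    per_second = Counter()
    for t, src, dst, unit, fc in records:
        if t < window_end:
            tuples.add((src, dst, unit, fc))
            per_second[(src, t)] += 1
    peak = defaultdict(int)
    for (src, _), n in per_second.items():
        peak[src] = max(peak[src], n)
    return {"tuples": tuples, "peak_rate": dict(peak)}


def detect(records, baseline, window_end, rate_factor=10):
    """Compare traffic after the baseline window against the baseline.

    Alerts are ("new-conversation", t, src, dst, unit, fc, "read"/"write")
    for a tuple never seen during the baseline, and ("rate-spike", t, src,
    count, limit) when a source exceeds rate_factor times its own peak.
    """
    alerts = []
    after = [r for r in records if r[0] >= window_end]
    for t, src, dst, unit, fc in after:
        if (src, dst, unit, fc) not in baseline["tuples"]:
            alerts.append(("new-conversation", t, src, dst, unit, fc,
                           "write" if fc in WRITE_FCS else "read"))
    per_second = Counter((src, t) for t, src, _, _, _ in after)
    for (src, t), n in sorted(per_second.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        limit = max(baseline["peak_rate"].get(src, 0), 1) * rate_factor
        if n > limit:
            alerts.append(("rate-spike", t, src, n, limit))
    return alerts


def run_demo(window_end=60):
    """Learn from the first minute of the constructed traffic, then alert on the rest."""
    records = constructed_records()
    return detect(records, learn_baseline(records, window_end), window_end)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The "write from an unknown host" alert is the same condition a Snort rule on the Modbus function code and a source allow-list expresses; the rate check is what the plotting on these slides makes visible to a human, turned into a threshold.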

Solutions for ICS Security
Educate your users
Your users don't really know the impact of using a 3G modem to check their personal email or Facebook wall
Even less that they can ruin the plant's processes by clicking on a link sent by that hot girl they've been chatting with for weeks

Solutions for ICS Security
Never forget what your users mean to your security

Researching SCADA

Researching SCADA
ALWAYS REMEMBER!!!!
Do not test LIVE systems.
Never. Ever.

Researching SCADA
Gather documentation
Most protocols (even proprietary ones) have documentation available on-line
Get it from the manufacturer's website or just freaking google it.

Researching SCADA
Gather documentation
DNP3 Primer
http://www.dnp.org/AboutUs/DNP3%20Primer%20Rev%20A.pdf
Modbus Specification
http://www.modbus.org/specs.php

Researching SCADA
Sniff master-slave communication with Wireshark

Researching SCADA
Get a test-bed
Real, hardware-based
Buy from the manufacturer (expensive, sometimes prohibitive)
Buy from eBay (quite easy)

Researching SCADA
Get a test-bed
Real, hardware-based
http://www.ebay.com/sch/i.html?_trksid=p2050601.m570.l1313.TR0.TRC0.Xs7-300&_nkw=s7-300&_sacat=0&_from=R40

Researching SCADA
Get a test-bed
Real, hardware-based
http://www.ebay.com/sch/i.html?_odkw=s7-300&_osacat=0&_from=R40&_trksid=p2045573.m570.l1313.TR3.TRC1.A0.Xwago+750&_nkw=wago+750&_sacat=0

Researching SCADA
Get a test-bed
Emulated, software-based
Fully programmable
Available in many programming languages
Self-contained solutions available

Researching SCADA
Get a test-bed
Emulated, software-based
Pymodbus library
https://github.com/bashwork/pymodbus/blob/master/examples/common/synchronous-server.py

# imports (pymodbus 1.x module paths; the slide omits them)
from pymodbus.server.sync import StartTcpServer
from pymodbus.device import ModbusDeviceIdentification
from pymodbus.datastore import ModbusSequentialDataBlock
from pymodbus.datastore import ModbusSlaveContext, ModbusServerContext

# initialize data store: 100 discrete inputs, coils, holding registers and
# input registers, each preset to the value 17
store = ModbusSlaveContext(
    di=ModbusSequentialDataBlock(0, [17]*100),
    co=ModbusSequentialDataBlock(0, [17]*100),
    hr=ModbusSequentialDataBlock(0, [17]*100),
    ir=ModbusSequentialDataBlock(0, [17]*100))
context = ModbusServerContext(slaves=store, single=True)

# initialize the server information (what a Read Device Identification request gets back)
identity = ModbusDeviceIdentification()
identity.VendorName = 'Pymodbus'
identity.ProductCode = 'PM'
identity.VendorUrl = 'http://github.com/bashwork/pymodbus/'
identity.ProductName = 'Pymodbus Server'
identity.ModelName = 'Pymodbus Server'
identity.MajorMinorRevision = '1.0'

# run the server you want (Modbus/TCP on localhost, port 5020 instead of 502 so no root is needed)
StartTcpServer(context, identity=identity, address=("localhost", 5020))

Researching SCADA
Get a test-bed
Emulated, software-based
ModSak (commercial with free trial)
http://wingpath.co.uk/modbus/modsak.php

Researching SCADA
Get some ICS software from vendors
Vendors often have trial versions on their sites
You might have to ask them for a copy
They might not like what you'll be using it for
Be brave. Don't give up.

Researching SCADA
Scan the crap out of it
For both equipment and software
Use network and software vulnerability scanners heavily; don't mind if sometimes devices go crazy, but do one at a time or you may DoS your device

Researching SCADA
Fuzz'em until smoke comes out
For both equipment and software
Create fuzz model files based on documentation
See how they handle malformed data

Researching SCADA
Fuzz'em until smoke comes out
For both equipment and software
Peach fuzzer
http://peachfuzzer.com/

Researching SCADA
Fuzz'em until smoke comes out
For both equipment and software
Modbus PIT file for Peach Fuzzer (WIP)
https://github.com/jseidl/peach-pit/blob/master/modbus/modbus.xml

Researching SCADA
Fuzz'em until smoke comes out
For both equipment and software
ROBUS & AEGIS Project
http://www.automatak.com/aegis/ & http://www.automatak.com/robus/

Researching SCADA
Set up a honeypot
Put it facing the internet and learn from other attackers (caution! risky!)

Researching SCADA
Set up a honeypot
Conpot – SCADA/ICS Honeypot
“The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module and a CP 443-1 which would be needed in a real setup to provide network connectivity.”
https://github.com/glastopf/conpot

Attack Demonstration

Questions?
Please, don't be shy!

Thanks for your time!
Hope you enjoyed it!
@jseidl
jseidl@wroot.org
http://wroot.org
https://github.com/jseidl
http://www.slideshare.net/jseidl
http://www.linkedin.com/in/janseidl