Post on 02-Dec-2018


1 Copyright 2012, 2013 Justin Searle! www.utilisec.com!

SamuraiSTFU: Security Testing Framework for Utilities

Justin Searle, Managing Partner – UtiliSec

[email protected]  //  [email protected]  //  @meeas

Who is UtiliSec

•  A security services company specializing in helping electric utilities and energy sector vendors

•  Managing Partners
  –  Darren Highfill  ([email protected])
  –  Justin Searle  ([email protected])

•  List of services
  –  Critical Functionality in Industry Collaboration
  –  Security Architecture Guidance and Review
  –  Penetration Testing and Security Assessments
  –  On the Job and Classroom Training
  –  Policy Composition

Previous Presentations

•  Several at Black Hat, DEFCON, Nullcon, OWASP, etc...

Source: http://www.sgiclearinghouse.org/ConceptualModel

[Text from an embedded document image; the figure numbers did not survive extraction:]

[...] cost benefit ratio.

Figure [?] demonstrates how the following sections of this document interrelate to each other and when they are initiated in a typical penetration test. This diagram shows the overall process flow of a typical penetration test as described in this document. Each box represents a major section in this document and shows which sections need to be performed in serial and which sections can be performed in parallel.

Figure [?]a: Typical Penetration Testing Process

All penetration tests should start with proper planning and scoping of the engagement. Once that is complete, the penetration testing tasks can be broken into the four distinct categories displayed in Figure [?]a. Each of these task categories also requires different skill sets from the testing team. If there is sufficient staff, these four penetration task categories can be performed in parallel. Once these tasks are completed, the team should perform a gap analysis to verify all desired tests have been performed and all goals met. Finally, the team should generate a report documenting their findings, interpret these findings in the context of the utility's deployment, and develop recommendations to resolve or mitigate these vulnerabilities.

Overview of Utilities Architectures

Overview of Pentesting Methodology

Largest Obstacles to ICS Pentesting

•  Not enough people in the energy sector with the necessary knowledge or experience

•  Many security firms with highly technical staff have the knowledge for 80% of the work, but don't realize it
  –  Wired and Wireless Network Testing
  –  Web and Traditional Application Testing
  –  Embedded Hardware Testing

•  Utilities are hesitant to bring in security firms with little Smart Grid specific experience

•  Few utilities have the in-house expertise

•  Very few security tools exist to work with Smart Grid protocols beyond packet capture and decode

Goals of SamuraiSTFU

•  Leverage the last 5 years of experience developing and managing the SamuraiWTF (Web Testing Framework) project

•  Live DVD / VM for Smart Grid penetration testing
  –  Primary audience is electric utility security teams
  –  Secondary audience is security contractors and independent researchers

•  Include "cream of the crop" free and open source tools for all aspects of SG Pentesting
  –  Best web pentesting tools  (small subset of SamuraiWTF)
  –  Best network pentesting tools  (small subset of Backtrack)
  –  Best hardware pentesting tools  (not currently included on any distribution)

•  Include documentation on tools, architecture, methodology, and protocols

•  Include simulated Smart Grid systems for educational purposes

•  Include sample packet captures and data dumps for exercises

Tools Included in Public Release

•  Network Pentest Tools
  –  nmap
  –  Nessus / NeXpose
  –  Metasploit
  –  Wireshark

•  Web Pentesting Tools
  –  Zed Attack Proxy
  –  Burp Suite
  –  w3af
  –  sqlmap
  –  BeEF

•  Wireless Pentest Tools
  –  Kismet
  –  Aircrack-ng
  –  KillerBee
  –  Ubertooth
  –  RfCat
  –  GNU Radio / GRC

•  Hardware Pentest Tools
  –  GoodFET
  –  Bus Pirate
  –  Total Phase Aardvark
  –  Total Phase Beagle
  –  entropy_graph
  –  bindiff

Energy Theft

Generic Control System Architecture

[Diagram: a Master Server, two RTUs (Remote Terminal Unit), two PLCs (Programmable Logic Controller), two HMIs (Human Machine Interface), and the Monitor Points and Control Points attached to each RTU and PLC. Annotations: "Usually running Windows or Linux with control software" (Master Server); "Often running embedded Linux" (RTUs and PLCs); "Often a web interface now" and "Usually with field tech interface" (HMIs).]

Smart Meter Circuit Breakdown

1.  240v Connections
2.  Microcontroller (Teridian 71M6531F SOC)
3.  Dual Operational Amplifier (LM2904)
4.  ISM Band RF Amplifier (RFMD RF2172)
5.  ISM Band RF (TI CC1110F32)
6.  EEPROM

Source - http://www.edn.com/design/power-management/4368353/What-s-inside-a-smart-meter-iFixit-tears-it-down

Bus Pirate's I2C Protocol

•  Writing to I2C based EEPROMs:
  I2C Write Command:  0xA0  0x00  0xBE
  –  0xA0 = Chip Address (1010), Memory Block (000), Write = 0 / Read = 1 bit (0)
  –  0x00 = Memory Location
  –  0xBE = Data to Write

•  Reading from I2C based EEPROMs:
  Write Address to Read:  0xA0  0xEF
  –  0xA0 = Chip Address (1010), Memory Block (000), write bit (0)
  –  0xEF = Memory Location
  I2C Read Command:  0xA1  r  r  r  r  r  r
  –  0xA1 = Chip Address (1010), Memory Block (000), read bit (1)
  –  Each "r" = read 1 byte
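The address-byte layout and the write/read sequences from this slide, as an added Python example (not from the SamuraiSTFU distribution or the slides) that builds the Bus Pirate command strings and parses a snooped write frame back into its fields. It assumes a 24Cxx-style part with one 8-bit memory-location byte, as the slide's 0x00 / 0xEF examples use; the `[` start, `]` stop and `r` read-one-byte tokens are Bus Pirate's own syntax.

```python
# Added example (not from the SamuraiSTFU slides): build and parse the byte
# sequences the Bus Pirate I2C slide shows for 24Cxx-style serial EEPROMs.
# Address byte layout from the slide: chip address 1010, three memory-block
# bits, then the R/W bit (Write = 0, Read = 1). Assumption (mine): the part
# uses one 8-bit memory-location byte, as the slide's 0x00 / 0xEF examples do.

CHIP_ADDRESS = 0b1010   # fixed upper nibble of the EEPROM address byte
WRITE, READ = 0, 1


def address_byte(block: int, rw: int) -> int:
    """Pack chip address, memory block (0-7) and R/W bit into one byte."""
    if not 0 <= block <= 7 or rw not in (WRITE, READ):
        raise ValueError("block must be 0-7 and rw must be 0 or 1")
    return (CHIP_ADDRESS << 4) | (block << 1) | rw


def decode_address_byte(byte: int) -> dict:
    """Split a captured address byte back into its three fields."""
    return {
        "chip_address": byte >> 4,
        "block": (byte >> 1) & 0b111,
        "rw": "read" if byte & 1 else "write",
    }


def write_command(block: int, location: int, data: int) -> str:
    """Bus Pirate write: '[' = start, address byte, location, data, ']' = stop."""
    return "[0x%02X 0x%02X 0x%02X]" % (address_byte(block, WRITE), location, data)


def read_command(block: int, location: int, count: int) -> str:
    """Bus Pirate read: a dummy write sets the location, a second '[' restarts
    with the read address, and each 'r' reads one byte (as on the slide)."""
    reads = " ".join(["r"] * count)
    return "[0x%02X 0x%02X [0x%02X %s]" % (
        address_byte(block, WRITE), location, address_byte(block, READ), reads)


def parse_write_frame(frame: bytes) -> dict:
    """Interpret a snooped write frame (address byte, location, data bytes),
    e.g. one captured while watching the bus between the meter MCU and EEPROM."""
    if len(frame) < 3 or frame[0] & 1 != WRITE:
        raise ValueError("not an EEPROM write frame")
    fields = decode_address_byte(frame[0])
    fields.update(location=frame[1], data=list(frame[2:]))
    return fields
```

`write_command(0, 0x00, 0xBE)` and `read_command(0, 0xEF, 6)` reproduce the two sequences on the slide; `parse_write_frame(bytes([0xA0, 0x00, 0xBE]))` (a constructed sample frame) recovers the block, location and data from the same bytes.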

Task: Bus Snooping Data in Motion

Disassembled Code

RF Capture and Demodulate

ICS Network Protocol Ports

•  Common ICS Ports
  –  BACnet/IP  -  UDP/47808
  –  DNP3  -  TCP/20000, UDP/20000
  –  EtherCAT  -  UDP/34980
  –  Ethernet/IP  -  TCP/44818, UDP/2222, UDP/44818
  –  FL-net  -  UDP/55000 to 55003
  –  Foundation Fieldbus HSE  -  TCP/1089 to 1091, UDP/1089 to 1091
  –  ICCP  -  TCP/102
  –  Modbus TCP  -  TCP/502
  –  OPC UA Binary  -  Vendor Application Specific
  –  OPC UA Discovery Server  -  TCP/4840
  –  OPC UA XML  -  TCP/80, TCP/443
  –  PROFINET  -  TCP/34962 to 34964, UDP/34962 to 34964
  –  ROC Plus  -  TCP/UDP 4000

•  For more detailed lists of ICS protocol ports see: https://www.digitalbond.com/tools/the-rack/control-system-port-list/

Dangers of Port Scanning

•  Port scanning can crash systems if not careful!
  –  OS fingerprinting is usually the most likely culprit
    •  Don't use the -O or -A flags in nmap
    •  Most problematic on embedded devices not running Windows or Linux
    •  Can do ARP scans locally on each subnet and use the MAC to ID devices
  –  Scanning too fast is another problem
    •  Use nmap's -T2 setting, which sets the delay between probes to 0.4 seconds
    •  Or use nmap's --scan-delay to scan 1 port at a time per host
  –  Scanning UDP ports with null payloads also causes problems
    •  Don't use the -sU option in nmap
  –  Service fingerprinting is usually safe, but can occasionally cause problems
    •  Use nmap's -sV selectively on new subnets

•  Most vulnerability scanners don't give you this control
  –  Do authenticated vuln scans and only port scan for those needed ports
  –  Use Digital Bond's Nessus scan policy from their Bandolier project
    •  https://www.digitalbond.com/tools/bandolier/nerc-cip-scan-policies/

•  When in doubt, do packet capture and analysis instead

Dangers of Automated Tools

•  Remember that on control systems with web interfaces, it is usually simple GET and POST requests that cause actions to happen!
  –  Disconnect function on smart meters
  –  Operating feeder switches
  –  Pushing firmware updates to field devices

•  Many web pentesting tools automatically send every GET and POST request they find
  –  Attempting to Spider/Crawl a web application
  –  Fuzzing requests for vulnerabilities

•  Do everything manually and only turn on automation on select pages that are safe to run it on

SamuraiSTFU Availability

•  Distribution is available at www.SamuraiSTFU.org
  –  Freely available under an open source license
  –  Does not require user registration or personal information

•  UtiliSec will provide optional commercial support for interested entities, including:
  –  Distribution customization
  –  Public and Private training courses on its use

•  Upcoming Public Courses:
  –  5 days at SANS ICS Summit in Singapore  (December 4-7)
  –  4 days at Black Hat West Coast Trainings in Seattle, WA  (December 9-12)
  –  2 days at Nullcon in Goa, India  (February 12-13, 2014)
  –  5 days at SANS ICS Summit in Orlando, FL  (March 12-16, 2014)

Contact Information

Justin Searle
personal:  [email protected]
work:  [email protected]
cell:  801-784-2052
twitter:  @meeas

www.utilisec.com  [email protected]

Open Unpaid Internships:
  –  Django app for Smart Grid visualization
  –  custom msp430 chronos firmware
  –  python scripts for buspirate
  –  Debian packages for Samurai projects