Scada strange love.
All pictures are taken from Dr StrangeLove movie
• Group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity Of Essence

Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Roman Ilin, Alexander Tlyapov
• Goals
  - to automate security assessment of ICS platforms and environment
• Objectives
  - to understand system
  - to assess built-in security features
  - to create security audit/hardening guides
  - to automate process
Vulnerabilities – waste production
• Goal
  - to create PoC of Stuxnet-style attack
• Initial conditions
  - common ICS components and configuration
  - common ICS security tools
  - only ICS components weakness
  - vulnerabilities by SCADA StrangeLove team
• Engineering tools
  - STEP 7
  - PCS7
  - TIA PORTAL
• SCADA/HMI
  - WinCC (Windows)
  - WinCC Flexible/Advanced (Windows/Win CE)
• S7 family PLC
  - Old line (200, 300, 400)
  - New line (1200, 1500)

• WinCC Server: Windows/MSSQL based SCADA
• WinCC Client (HMI): WinCC runtime + Project + OPC
• WinCC Web Server (WebNavigator): IIS/MSSQL/ASP/ASP.NET/SOAP
• WinCC WebClient (HMI): ActiveX/HTML/JS
[Chart: vulnerabilities per year, 1997–2013; y-axis 0–1000]
• Cyber Weapon
• Tactics, Techniques, and Procedures (TTP's)
• APT1
• APT 2.0
• Cyber Kill Chain
• ChinJa (R) (tm)
• Breaking through
• Harvesting
• Creeping death
• Chaos
That is a question!
http://bit.ly/RI6FtQ
http://bit.ly/UXn7d1
http://www.surfpatrol.ru/en/report
• A lot of “WinCCed” IE from countries/companies/industries
• Special prize to guys from US for WinCC 6.X at 2012
• XPath Injection (CVE-2012-2596)
• Path Traversal (CVE-2012-2597)
• XSS ~ 20 Instances (CVE-2012-2595)
Fixed in Update 2 for WinCC V7.0 SP3
http://support.automation.siemens.com/WW/view/en/60984587
• Lot of XSS and CSRF
  CVE-2012-3031
  CVE-2012-3028
• Lot of arbitrary file reading
  CVE-2012-3030
• SQL injection over SOAP
  CVE-2012-3032
• Username and password disclosure via ActiveX abuse
  CVE-2012-3034
Fixed in Update 3 for WinCC V7.0 SP3
http://support.automation.siemens.com/WW/view/en/63472422
• Path Traversal
  CVE-2013-0679
• Buffer overflow in ActiveX
  CVE-2013-0674
• XXE OOB
  CVE-2013-0677
• Missing encryption of sensitive data
  CVE-2013-0678
• Improper authorization
  CVE-2013-0676
Fixed in WinCC 7.2/SIMATIC PCS7 V8.0 SP 1
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-714398.pdf
• Network-level
  - Active scan
    S7, Modbus, MSSQL (WinCC Instance), HTTP(S)
    SNMP (public/private hardcoded for PLC and HMI Panels)
  - Passive scan
    Profinet
• Host-level
  - WinCC forensic

Dmitry Efanov
http://scadastrangelove.blogspot.ru/2012/11/plcscan.html
Alexander Timorin
PHDays III release
• PdlRt.exe – graphic runtime
• CCRtsLoader.EXE – loader
• s7otbxsx.exe – network
• Inter process communication:
  - RPC
  - Sections (memory mapped files)
  - \BaseNamedObjects\TCPSharedMm and other interesting stuff
• Detecting active project:
  HKCU\Software\SIEMENS\WINCC\Control Center\Default Settings
  - LastOpenPath
  - LastProject
• Detecting MS SQL database name (timestamp)
  ArchiveManager\AlarmLogging
  ArchiveManager\TagLogging*
Obtaining information from database and system objects
• {Hostname}_{Project}_TLG*
  - TAG data
• CC_{Project}_{Timestamp}*
  - Project data and configuration
  - Users, PLCs, Privileges
    • Managed by UM app
    • Stored in dbo.PW_USER
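The WinCC forensic step above boils down to recognising the project and archive databases on the MS SQL instance from their names. The following is an added example (not code from the slides or from the team's WinCC Harvester tool) that applies the two naming conventions the slides give, `{Hostname}_{Project}_TLG*` and `CC_{Project}_{Timestamp}*`, to a database listing and picks out the most recently activated project database. The timestamp layout `YY-MM-DD_HH_MM_SS` with an optional trailing suffix, and every host, project and database name in the sample, are my assumptions and constructed values, not taken from the slides.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Naming conventions the slides give for WinCC databases on the MS SQL instance:
#   {Hostname}_{Project}_TLG*      tag-logging archives
#   CC_{Project}_{Timestamp}*      project data, configuration, users, PLCs
# ASSUMPTION (not stated on the slides): the timestamp is laid out as
# YY-MM-DD_HH_MM_SS and may be followed by a short suffix such as "R".
TLG_RE = re.compile(r"^(?P<host>[^_]+)_(?P<project>.+)_TLG(?P<suffix>.*)$")
CC_RE = re.compile(
    r"^CC_(?P<project>.+?)_(?P<ts>\d{2}-\d{2}-\d{2}_\d{2}_\d{2}_\d{2})(?P<suffix>.*)$"
)


@dataclass
class WinCCDatabase:
    name: str
    kind: str                           # "project" or "taglog"
    project: str
    host: Optional[str] = None          # only known for taglog databases
    created: Optional[datetime] = None  # only known for project databases
    suffix: str = ""


def classify(name: str) -> Optional[WinCCDatabase]:
    """Map one database name to a WinCC role, or None for system / unrelated DBs."""
    m = CC_RE.match(name)
    if m:
        created = datetime.strptime(m["ts"], "%y-%m-%d_%H_%M_%S")
        return WinCCDatabase(name, "project", m["project"], None, created, m["suffix"])
    m = TLG_RE.match(name)
    if m:
        return WinCCDatabase(name, "taglog", m["project"], m["host"], None, m["suffix"])
    return None


def triage(db_names: Iterable[str]) -> List[WinCCDatabase]:
    """Keep only the databases that look like WinCC project or archive databases."""
    found = []
    for n in db_names:
        d = classify(n)
        if d is not None:
            found.append(d)
    return found


def projects(dbs: Iterable[WinCCDatabase]) -> List[str]:
    """Distinct project names seen in either kind of database."""
    return sorted({d.project for d in dbs})


def newest_project_db(dbs: Iterable[WinCCDatabase], project: str) -> Optional[WinCCDatabase]:
    """Several CC_* databases can exist for one project (one per activation);
    the one with the latest timestamp is the one to look at first."""
    cands = [d for d in dbs if d.kind == "project" and d.project == project]
    return max(cands, key=lambda d: d.created) if cands else None


# Constructed sample listing, shaped like the output of
# `SELECT name FROM sys.databases`; hosts and projects are invented.
SAMPLE_DATABASES = [
    "master", "tempdb", "model", "msdb",
    "CC_PlantA_13-05-21_10_22_03R",
    "CC_PlantA_12-11-02_09_00_15R",
    "WINCCSRV01_PlantA_TLG",
    "CC_Demo_13-01-09_14_30_00R",
    "WINCCSRV01_Demo_TLG",
    "CC_ExternalBrowser",   # CC_ prefix but no timestamp: not a project database
]

if __name__ == "__main__":
    found = triage(SAMPLE_DATABASES)
    for d in found:
        print(f"{d.kind:8} {d.project:8} {d.name}")
    for p in projects(found):
        print(p, "->", newest_project_db(found, p).name)
```

On a live host the listing would come from the WinCC SQL instance; the user table the slides name (`dbo.PW_USER`) lives inside the `CC_*` database that `newest_project_db` returns, which is why the timestamp matters when more than one copy of a project exists.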
CVE-2013-0676
• Administrator:ADMINISTRATOR
• Avgur2 > Avgur
This is my encryptionkey
• Select from MS SQL via COM objects
• “Special” Windows Account
• Shortcuts*
*we don’t know yet, you know
Authentication via SQL-stored accounts
ServerID magic to get WebBridge password
Magic is used for SCSWebBridgeX
Too hard for me…
Oh! En/c(r)ypt[10]n!
ServerID = Base64(RC2(pass, key)), where key = MD5(dll hardcode)
Not my department password!
• All other connections use WNUSR for authentication
• For authorization the ID parameter is used
Not yet…
• «Magic» password = MD5(WNUSR_DC92D7179E29.Password)
• WNUSR_DC92D7179E29.Password generated during installation
• Stored in registry via DPAPI
• Good length and charset but…
• WinCC clients use hardcoded account to communicate with OPC Web bridge
• Password for WNUSR_DC92D7179E29 generated during installation and probably strong
• MD5(WNUSR_.Password) stored with DPAPI protection
• “Encrypted” password for WNUSR_DC* can be obtained by request to WinCCWebBridge.dll
• WNUSR_DC92D7179E29 is only account used for work with Windows/Database
…responsible disclosure
• What is Project?
  - Collection of ActiveX/COM/.NET objects
  - Event Handlers and other code (C/VB)
  - Configuration files, XML and other
• Can Project be trusted?
• Ways to spread malware with Project?
• NO!
  - Project itself is dynamic code
  - It’s easy to patch it “on the fly”
  - Vulnerabilities in data handlers (CVE-2013-0677)
• How to abuse?
  - Simplest way – to patch event handlers
• Hardcoded SNMP community string (unfixed)
• Hardcoded S7 PLC CA certificate (Dmitry Sklyarov)
http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html
• Multiple vulnerabilities in S7 1200 PLC Web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov)
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
• Can be protected by password
• Authentication – simple challenge-response
  - Password hashed (SHA1) on client (TIA Portal)
  - Server (PLC) provides 20 byte challenge
  - Client calculates HMAC-SHA1(challenge, SHA1(password)) as response
• SHA-1 stored in PLC project files
  - It can be intercepted during firmware update/project upload
  - It can be extracted from project file

SHA-1(pass)
VS
HMAC-SHA1(challenge, SHA1(pass))
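The "SHA-1(pass) VS HMAC-SHA1(challenge, SHA1(pass))" comparison is the whole security argument of this slide, so here it is carried through in code. This is an added example in Python's standard library, not code from the slides, from TIA Portal or from the PLC; it models the exchange exactly as the slide states it and nothing more (no S7 framing). The slide does not say which operand is the HMAC key, so treating SHA1(password) as the key and the 20-byte challenge as the message is my assumption; the sample password is constructed. What the example shows is that the PLC only ever verifies against the stored SHA-1, so a party holding that digest (the value the slide says sits in project files and crosses the wire on upload) passes authentication exactly like the password holder, while the random challenge defeats only replay of an earlier response. For a defender that means project files and engineering-station uploads must be protected as if they contained the plaintext password.

```python
import hashlib
import hmac
import os

CHALLENGE_LEN = 20  # the slide: the PLC provides a 20 byte challenge


def password_hash(password: str) -> bytes:
    """Client side (TIA Portal): SHA-1 of the password. Per the slide this digest
    is also what ends up in the PLC project files."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def new_challenge() -> bytes:
    """Server side (PLC): a fresh random 20-byte challenge per attempt."""
    return os.urandom(CHALLENGE_LEN)


def compute_response(challenge: bytes, pw_hash: bytes) -> bytes:
    """response = HMAC-SHA1(challenge, SHA1(password)).
    ASSUMPTION: SHA1(password) is the HMAC key and the challenge the message;
    the slide does not state which is which. Note the input is the digest,
    not the password."""
    return hmac.new(pw_hash, challenge, hashlib.sha1).digest()


def verify_response(challenge: bytes, stored_pw_hash: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored SHA-1 and compare in constant time."""
    expected = hmac.new(stored_pw_hash, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(password: str, stored_pw_hash: bytes) -> bool:
    """A full client/server round trip where the client knows the password."""
    challenge = new_challenge()
    response = compute_response(challenge, password_hash(password))
    return verify_response(challenge, stored_pw_hash, response)


def what_the_protocol_proves(password: str):
    """Returns (password_ok, digest_ok, replay_ok):
      password_ok  the legitimate client authenticates
      digest_ok    a client holding only SHA1(password) authenticates just as well,
                   so the digest in the project file is credential-equivalent
      replay_ok    a response captured for one challenge does not verify against
                   a new one: the challenge stops replay, nothing more
    """
    stored = password_hash(password)
    password_ok = run_exchange(password, stored)

    c = new_challenge()
    digest_ok = verify_response(c, stored, compute_response(c, stored))

    old_c = new_challenge()
    old_r = compute_response(old_c, stored)
    replay_ok = verify_response(new_challenge(), stored, old_r)
    return password_ok, digest_ok, replay_ok


if __name__ == "__main__":
    # constructed sample password; prints (True, True, False)
    print(what_the_protocol_proves("demo-password"))
```

The design point is that nothing in `verify_response` ever needs the password, only `stored_pw_hash`; a per-device salt or a key-agreement step would be needed to make the stored value useless on its own, and neither is present in the scheme the slide describes.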
• Buffer overflow
  CVE-2013-0669
• Cross-Site Scripting
  CVE-2013-0672/CVE-2013-0670/CVE-2013-0668
• Directory traversal/Response splitting
  CVE-2013-0671
• Server-side script injection
  CVE-2012-3032
Fixed in WinCC (TIA Portal) V12
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf
• Profinet scanner
• WinCC Harvester 2.0
http://scadastrangelove.blogspot.com/search/label/Releases
• TIA portal Security Hardening Guide
• S7 protocol password brute force tool and JtR
• Simatic WinCC Security Hardening Guide
• PLCScan tool
• ICS/SCADA/PLC Google/Shodan Cheat Sheet
• SCADA Safety in Numbers
http://scadastrangelove.blogspot.com/search/label/Releases
Scada strange love.

  • 1. All pictures are taken from Dr StrangeLove movie
  • 2. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence: Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Roman Ilin, Alexander Tlyapov
  • 3.
  • 4. Goals: to automate security assessment of ICS platforms and environment. Objectives: to understand the system, to assess built-in security features, to create security audit/hardening guides, to automate the process. Vulnerabilities – waste production
  • 5. Goal: to create a PoC of a Stuxnet-style attack. Initial conditions: common ICS components and configuration, common ICS security tools, only weaknesses of ICS components, vulnerabilities found by the SCADA StrangeLove team
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12. Engineering tools: STEP 7, PCS7, TIA Portal. SCADA/HMI: WinCC (Windows), WinCC Flexible/Advanced (Windows/Win CE). S7 family PLC: old line (200, 300, 400), new line (1200, 1500)
  • 13. WinCC Server: Windows/MSSQL-based SCADA. WinCC Client (HMI): WinCC runtime + Project + OPC. WinCC Web Server (WebNavigator): IIS/MSSQL/ASP/ASP.NET/SOAP. WinCC WebClient (HMI): ActiveX/HTML/JS
  • 14.
  • 15.
  • 16. [Bar chart; only the axes survived extraction: x-axis years 1997–2013, y-axis 0–1000; bar values in year order: 1, 2, 9, 7, 6, 10, 11, 14, 17, 73, 100, 96, 899, 94, 135, 285, 81]
  • 17.
  • 18. Cyber Weapon; Tactics, Techniques, and Procedures (TTPs); APT1; APT 2.0; Cyber Kill Chain
  • 19. ChinJa (R) (tm): Breaking through; Harvesting; Creeping death; Chaos
  • 20.
  • 21. That is a question!
  • 24. A lot of “WinCCed” IE from various countries/companies/industries. Special prize to the guys from the US for running WinCC 6.X in 2012
  • 25.
  • 26.
  • 27. XPath Injection (CVE-2012-2596); Path Traversal (CVE-2012-2597); XSS, ~20 instances (CVE-2012-2595). Fixed in Update 2 for WinCC V7.0 SP3: http://support.automation.siemens.com/WW/view/en/60984587
  • 28. Lots of XSS and CSRF (CVE-2012-3031, CVE-2012-3028); lots of arbitrary file reading (CVE-2012-3030); SQL injection over SOAP (CVE-2012-3032); username and password disclosure via ActiveX abuse (CVE-2012-3034). Fixed in Update 3 for WinCC V7.0 SP3: http://support.automation.siemens.com/WW/view/en/63472422
  • 29. Path Traversal (CVE-2013-0679); buffer overflow in ActiveX (CVE-2013-0674); XXE OOB (CVE-2013-0677); missing encryption of sensitive data (CVE-2013-0678); improper authorization (CVE-2013-0676). Fixed in WinCC 7.2/SIMATIC PCS7 V8.0 SP1: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-714398.pdf
  • 30.
  • 31.
  • 32. Network-level: active scan – S7, Modbus, MSSQL (WinCC instance), HTTP(S), SNMP (public/private hardcoded for PLCs and HMI panels); passive scan – Profinet. Host-level: WinCC forensics
  • 35.
  • 36. PdlRt.exe – graphic runtime; CCRtsLoader.EXE – loader; s7otbxsx.exe – network. Inter-process communication: RPC; sections (memory-mapped files); \BaseNamedObjects\TCPSharedMm and other interesting stuff
  • 37. Detecting the active project: HKCU\Software\SIEMENS\WINCC\Control Center\Default Settings (values LastOpenPath, LastProject). Detecting the MS SQL database name (timestamp): ArchiveManager\AlarmLogging, ArchiveManager\TagLogging*. Obtaining information from database and system objects
  • 38. {Hostname}_{Project}_TLG* – TAG data; CC_{Project}_{Timestamp}* – project data and configuration: users, PLCs, privileges
  • 39. Managed by the UM app; stored in dbo.PW_USER
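The host-level triage described on slides 37–38 (read the active project from the registry key, then pick out that project's databases by their naming convention), as an added example written for this page, not the authors' WinCC Harvester. The .reg export and database names are constructed; that LastProject holds the path of the project file and that the CC_ timestamp is six two-digit fields are assumptions.

```python
import re
from pathlib import PureWindowsPath

WINCC_KEY = r"HKEY_CURRENT_USER\Software\SIEMENS\WINCC\Control Center\Default Settings"

# Constructed .reg export of that key (paths are made up).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SIEMENS\WINCC\Control Center\Default Settings]
"LastOpenPath"="C:\\WinCCProjects\\Plant1"
"LastProject"="C:\\WinCCProjects\\Plant1\\Plant1.mcp"
'''

# Constructed database list, as SELECT name FROM sys.databases might return it.
DB_NAMES = ["master", "tempdb", "CC_Plant1_13_02_05_10_11_22",
            "WINCCSRV1_Plant1_TLG_F_201302051011", "WINCCSRV1_Plant1_TLG_S_201302051011",
            "CC_OldProj_12_11_01_08_00_00", "CC_ExternalBrowser"]

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
TLG_RE = re.compile(r"^(?P<host>[^_]+)_(?P<project>.+?)_TLG(?P<rest>.*)$")  # {Hostname}_{Project}_TLG*
CC_RE = re.compile(r"^CC_(?P<project>.+?)_(?P<ts>\d{2}(?:_\d{2}){5})$")     # CC_{Project}_{Timestamp}, assumed layout

def parse_reg_values(export: str, key: str) -> dict:
    """Return the name->value pairs stored under `key` in a .reg export."""
    values, in_key = {}, False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key and (m := REG_VALUE_RE.match(line)):
            values[m["name"]] = m["value"].replace("\\\\", "\\")  # undo .reg backslash escaping
    return values

def active_project(reg_values: dict) -> str:
    """Project name = file stem of LastProject (assumed to point at the project file)."""
    return PureWindowsPath(reg_values["LastProject"]).stem

def wincc_databases(db_names, project: str) -> dict:
    """Split the server's databases into this project's config and tag-logging sets."""
    found = {"config": [], "tag_logging": []}
    for name in db_names:
        if (m := CC_RE.match(name)) and m["project"] == project:
            found["config"].append(name)
        elif (m := TLG_RE.match(name)) and m["project"] == project:
            found["tag_logging"].append(name)
    return found

def triage(export: str, db_names) -> dict:
    """Registry -> active project -> its databases, in one call."""
    project = active_project(parse_reg_values(export, WINCC_KEY))
    return {"project": project, **wincc_databases(db_names, project)}
```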
  • 41.
  • 43.
  • 44.
  • 45.
  • 47.
  • 48.
  • 49.
  • 50. Select from MS SQL via COM objects; “special” Windows account; shortcuts* (*we don’t know yet, you know)
  • 51.
  • 52. Authentication via SQL-stored accounts ServerID magic to get WebBridge password Magic is used for SCSWebBridgeX
  • 53. Too hard for me…
  • 54. Oh! En/c(r)ypt[10]n! ServerID = Base64(RC2(pass, key)), where key = MD5(hardcoded value in the DLL)
  • 55. Not my department password!
  • 56. All other connections use WNUSR for authentication; for authorization the ID parameter is used
  • 58. «Magic» password = MD5(WNUSR_DC92D7179E29.Password); WNUSR_DC92D7179E29.Password is generated during installation; stored in the registry via DPAPI; good length and charset but…
  • 59.
  • 60. WinCC clients use a hardcoded account to communicate with the OPC Web bridge; the password for WNUSR_DC92D7179E29 is generated during installation and is probably strong; MD5(WNUSR_.Password) is stored with DPAPI protection; the “encrypted” password for WNUSR_DC* can be obtained by a request to WinCCWebBridge.dll; WNUSR_DC92D7179E29 is the only account used for work with Windows/Database
  • 61.
  • 63. What is a Project? A collection of ActiveX/COM/.NET objects; event handlers and other code (C/VB); configuration files, XML and other. Can a Project be trusted? Ways to spread malware with a Project?
  • 64. NO! The Project itself is dynamic code; it’s easy to patch it “on the fly”; vulnerabilities in data handlers (CVE-2013-0677). How to abuse? Simplest way – to patch event handlers
  • 65.
  • 66. Hardcoded SNMP community string (unfixed); hardcoded S7 PLC CA certificate (Dmitry Sklyarov): http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html; multiple vulnerabilities in the S7 1200 PLC web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov): http://www.siemens.com/corporatetechnology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
  • 67. Can be protected by password; authentication – simple challenge-response; password hashed (SHA1) on the client (TIA Portal); server (PLC) provides a 20-byte challenge; client calculates HMAC-SHA1(challenge, SHA1(password)) as the response
  • 68.
  • 69.
  • 70. Can be protected by password; authentication – simple challenge-response; password hashed (SHA1) on the client (TIA Portal); server (PLC) provides a 20-byte challenge; client calculates HMAC-SHA1(challenge, SHA1(password)) as the response
  • 71. SHA-1 stored in PLC project files; it can be intercepted during firmware update/project upload; it can be extracted from the project file. SHA-1(pass) vs HMAC-SHA1(challenge, SHA1(pass))
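Slides 67–71 in code, as an added example (not the speakers' tool and not Siemens' implementation): both ends of the challenge-response, showing why the PLC cannot distinguish an engineer who typed the password from anyone who merely holds SHA-1(password) from a project file, so that hash has to be protected like the password itself. The HMAC key/message order (key = SHA-1(password), message = challenge) and the sample password are assumptions.

```python
import hashlib
import hmac
import os

def password_hash(password: str) -> bytes:
    """Engineering-station side: the PLC password is reduced to SHA-1 before use."""
    return hashlib.sha1(password.encode("utf-8")).digest()

def plc_challenge() -> bytes:
    """PLC side: a fresh 20-byte challenge for every authentication attempt."""
    return os.urandom(20)

def client_response(challenge: bytes, pw_hash: bytes) -> bytes:
    """Client side. Assumed layout: HMAC key = SHA-1(password), message = challenge."""
    if len(challenge) != 20:
        raise ValueError("expected a 20-byte challenge")
    return hmac.new(pw_hash, challenge, hashlib.sha1).digest()

def plc_verify(challenge: bytes, response: bytes, stored_pw_hash: bytes) -> bool:
    """PLC side: recompute the expected response from the stored SHA-1 and compare."""
    expected = client_response(challenge, stored_pw_hash)
    return hmac.compare_digest(expected, response)

def run_exchange(stored_pw_hash: bytes, prover_secret: bytes) -> bool:
    """One full exchange. prover_secret is whatever the client holds: SHA-1 of a
    password typed by an engineer, or a SHA-1 lifted from a project file."""
    challenge = plc_challenge()
    return plc_verify(challenge, client_response(challenge, prover_secret), stored_pw_hash)

def demo() -> dict:
    # Constructed password; the PLC keeps only its SHA-1.
    stored = password_hash("plc-pass-2013")
    return {
        "engineer_with_password": run_exchange(stored, password_hash("plc-pass-2013")),
        "holder_of_hash_only": run_exchange(stored, stored),  # identical outcome
        "wrong_password": run_exchange(stored, password_hash("guess")),
    }
```

A replay of a captured response fails because the challenge changes, but the stored SHA-1 is a static credential: rotating the password invalidates every copy of it in old project files and upload captures.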
  • 72.
  • 73.
  • 74.
  • 75.
  • 76. Buffer overflow (CVE-2013-0669); Cross-Site Scripting (CVE-2013-0672/CVE-2013-0670/CVE-2013-0668); directory traversal/response splitting (CVE-2013-0671); server-side script injection (CVE-2012-3032). Fixed in WinCC (TIA Portal) V12: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf
  • 77.
  • 78.
  • 79.
  • 80. Profinet scanner; WinCC Harvester 2.0: http://scadastrangelove.blogspot.com/search/label/Releases
  • 81. TIA Portal Security Hardening Guide; S7 protocol password brute force tool and JtR; SIMATIC WinCC Security Hardening Guide; PLCScan tool; ICS/SCADA/PLC Google/Shodan Cheat Sheet; SCADA Safety in Numbers: http://scadastrangelove.blogspot.com/search/label/Releases
  • 82. All pictures are taken from Dr StrangeLove movie