SCADA Deep Inside Protocols and Security Mechanisms
Aleksandr Timorin
Budapest, 10 - 11 October 2014
# whoami
Absolutely unbreakable ICS network???
➡ typical network devices with default/crappy settings
➡ unpatched, old as dirt, full of junk software [malware] engineering workstations
➡ wireless AP with WEP (at best)
➡ low physical security
➡ … and
➡ industrial protocols
Modbus
functions:
• data access: read/write coils, registers, file records
• diagnostics: device identification
• user defined functions
tools:
• wireshark dissector
• plcscan (https://code.google.com/p/plcscan/)
• modbus-discover nse (by Alexander Rudakov)
• modbus simulators ()
security ?
• no authentication
• no encryption
• no security
transaction id: 2 bytes
protocol id: 2 bytes (always 0)
length: 2 bytes
unit id: 1 byte
function code: 1 byte
data …
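A decoder for the MBAP header layout listed above, written as a small monitoring check (added example, not from the slides): it rejects frames whose protocol id or length field is inconsistent and flags the function codes that write to coils or registers. The write function codes come from the Modbus spec, not from the slide; the sample frames are constructed.

```python
import struct
from dataclasses import dataclass

# Function codes that change process state (from the Modbus spec, not the slide)
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes

def parse_mbap(frame: bytes) -> ModbusFrame:
    """Split a Modbus/TCP frame into the MBAP header fields and the PDU data."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:                      # protocol id is always 0 for Modbus/TCP
        raise ValueError(f"protocol id must be 0, got {pid}")
    # 'length' counts unit id + function code + data, i.e. everything after byte 6
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame) - 6}")
    return ModbusFrame(tid, pid, length, uid, fc, frame[8:8 + length - 2])

def classify(frame: bytes) -> str:
    """One-line verdict a network monitor could log for this frame."""
    try:
        f = parse_mbap(frame)
    except ValueError as e:
        return f"MALFORMED: {e}"
    if f.function_code in WRITE_FUNCTIONS:
        return f"WRITE unit={f.unit_id} fc=0x{f.function_code:02x} ({WRITE_FUNCTIONS[f.function_code]})"
    return f"READ/OTHER unit={f.unit_id} fc=0x{f.function_code:02x}"

# Constructed sample frames (not captured from any device)
READ_COILS = bytes.fromhex("0001 0000 0006 01 01 0000 0010".replace(" ", ""))
WRITE_REG  = bytes.fromhex("0002 0000 0006 01 06 0003 1234".replace(" ", ""))
BAD_PID    = bytes.fromhex("0003 0001 0006 01 03 0000 0001".replace(" ", ""))

if __name__ == "__main__":
    for f in (READ_COILS, WRITE_REG, BAD_PID):
        print(classify(f))
```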
PROFINET family
• Profinet CBA/IO/PTCP/DCP
• IEC 61158, IEC 61784 (2003)
• Ethernet type 0x8892
• exchange data in real-time cycles
• multicast discovery devices and stations
security ?
• no encryption
• no authentication
• no security
frame types:
• request 0xfefe
• response 0xfeff
• get/set 0xfefd
multicast identify (scapy code, Python 2; smac is the sender's MAC address):
from scapy.all import Ether, srp
payload = 'fefe05000401000200800004ffff'.decode('hex')
srp(Ether(type=0x8892, src=smac, dst='01:0e:cf:00:00:00')/payload)
fefe request
05 service id: identify
00 service type: request
04010002 xid (request id)
0080 delay
0004 data len
ff option: all
ff suboption: all
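The field breakdown above, turned into a decoder for the fixed DCP header and the first option block (added example, not from the slides). It recognises the frame ids and the identify service id given on the slide; the get/set service ids (0x03/0x04) and the response service type (0x01) are taken from the PN-DCP specification and are not on the slide. A DCP "set" rewrites a device's network parameters, so the helper flags it as a configuration-change event worth alerting on.

```python
import struct

# Values given on the slide
FRAME_TYPES = {0xFEFE: "request", 0xFEFF: "response", 0xFEFD: "get/set"}
SERVICE_IDS = {0x05: "identify"}
SERVICE_TYPES = {0x00: "request"}
# Added from the PN-DCP specification (not on the slide)
SERVICE_IDS.update({0x03: "get", 0x04: "set"})
SERVICE_TYPES[0x01] = "response"

def decode_dcp(payload: bytes) -> dict:
    """Decode the DCP header that follows Ethertype 0x8892, plus option/suboption of block 1."""
    if len(payload) < 12:
        raise ValueError("payload shorter than DCP header")
    frame_id, service_id, service_type, xid, delay, data_len = struct.unpack(">HBBIHH", payload[:12])
    # Ethernet pads short frames with zeros; do the same, so the slide's 14-byte payload,
    # which declares 4 data bytes but carries only 2 (ff ff), still decodes
    data = payload[12:12 + data_len].ljust(data_len, b"\x00")
    option = suboption = None
    if len(data) >= 2:
        option, suboption = data[0], data[1]
    name = lambda v: "all" if v == 0xFF else v
    return {
        "frame_type": FRAME_TYPES.get(frame_id, f"unknown 0x{frame_id:04x}"),
        "service": SERVICE_IDS.get(service_id, f"unknown 0x{service_id:02x}"),
        "service_type": SERVICE_TYPES.get(service_type, f"unknown 0x{service_type:02x}"),
        "xid": xid, "delay": delay, "data_len": data_len,
        "option": name(option), "suboption": name(suboption),
    }

def is_config_change(payload: bytes) -> bool:
    """True for a DCP 'set' request: on a plant network this should only ever
    come from the engineering station, so it is worth an alert."""
    d = decode_dcp(payload)
    return d["service"] == "set" and d["service_type"] == "request"

# The identify-all payload from the slide, and a constructed set-request header
# (frame id fefd, service 0x04, xid 1, no data blocks)
IDENTIFY_ALL = bytes.fromhex("fefe05000401000200800004ffff")
SET_REQ_HDR = bytes.fromhex("fefd0400000000010000" "0000")

if __name__ == "__main__":
    for p in (IDENTIFY_ALL, SET_REQ_HDR):
        print(decode_dcp(p), "config change:", is_config_change(p))
```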
PROFINET fuzzer: fuzz options and suboptions on a Siemens S7-1200 PLC
CVE-2014-2252
“An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system.”
What are “specially crafted PROFINET packets”?
Just a “set” request: set network info with all-zero values.
ip 0.0.0.0
mask 0.0.0.0
gw 0.0.0.0
DEMO: CVE-2014-2252
GSE (Generic Substation Events): a fast and reliable mechanism for transferring event data across the entire substation network:
• IEC 61850
• multicast, broadcast mechanism
GSE:
• GOOSE: Generic Object Oriented Substations Events
• GSSE: Generic Substation State Events
Attack scenarios:
• easy to receive multicast or broadcast packets
• easy to analyse, modify and replay packets
• DDoS
• by manipulating the state number in the packet we can control the data set transmitted over the entire network (hijacking of the communication channel)
• VLAN hopping
Tools:
• wireshark dissector
• easy to create your own scanner or injection tool
• scapy based tool https://github.com/mdehus/goose-IEC61850-scapy
IEC 60870-5-101/104
standard TCP port 2404
tools:
• simulators: sim104, mrts-ng etc.
• wireshark dissector
• python and nmap identify scripts
attack vectors:
• flood udp ports
• send multicast packets with fake routing table
multicast packet —>
headers:
0x01000810
0x01a01001
sent each second
0x433330302023303335: node name (C300 #5)
0x32312032: part of firmware version; full: EXP3 10.1-65.57 Sat Dec 06 20:22:33 2008 (Fri Nov 21 20:22:57 2008)
SCADA deep inside: protocols and security mechanisms Hacktivity
# Siemens
TIA Portal (Totally Integrated Automation Portal)
TIA is the intellectual kernel of more than 100,000 products created in the last 15 years.
What about users, passwords and permissions?
TIA Portal V12 UPD 3
User rights: 2 bytes after the second MD5 hash: 0x8001 -> 0xFFFF
PRE-DEMO: plc-ownage
• CVE-2014-2250, CVE-2014-2251
• SSA-654382, SSA-456423
• Affected devices:
  • Siemens S7-1200 PLC
  • Siemens S7-1500 PLC
• CVSS Base Score: 8.3
uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM=
Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM=
tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM=

3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
b8b8875d9513cb618c823af52a682670d37fa1c30001000200028ad70a00aac800000000000000008ad72143
32efef822220b6bc6ad0b569dba9e432d37fa1c30001000300028ad70a00aac800000000000000008ad72143
b631fabed35609f6be4191cf0ed0a729d37fa1c30002000300028ad70a00aac800000000000000008ad72143
3e6cd1f7bdf743cac6dcba708c21994f | d37fa1c30001000100028ad70a00aac800000000000000008ad72143

3e6cd1f7bdf743cac6dcba708c21994f - ?
d37fa1c3 - ?
0001 - ?
0001 - ?
00028ad7 - ?
0a00aac8 - ?
00000000000000008ad72143 - ?
So, what about 3e6cd1f7bdf743cac6dcba708c21994f???
3e6cd1f7bdf743cac6dcba708c21994f d37fa1c30001000100028ad70a00aac800000000000000008ad72143
3e6cd1f7bdf743cac6dcba708c21994f = MD5( NEXT 26 BYTES OF COOKIE + 16 BYTES OF SECRET + 2 NULL BYTES )
What is the SECRET?
The PRNG is a little bit harder than the standard C PRNG.
SEED in {0x0000 , 0xFFFF}
It’s too much for brute force (the PLC is so tender >_<)
SEED = PLC START TIME + 320
320 found empirically: the secret is generated ~3-4 seconds after PLC start, using the current time
How to obtain the PLC START TIME?
PLC START TIME = CURRENT TIME – UPTIME
Uptime via SNMP with hardcoded read
* 100 - calculation lapse
To generate the cookie we should brute force:
Still too many values to brute force …
But if the user (admin) did not log out properly, then after 7 logins it is not possible to log in again
We should restart the PLC or wait 30 minutes (cookie expiry time)
We can limit the logout and issued-cookie counters to 7
Exploitation dependencies:
• >= 1 successful login to the PLC after the last restart
• SNMP enabled
BUT IT DOES NOT NEED A LOGIN AND PASSWORD!!!
CVE Timeline:
• End of July 2013 – vulnerability discovered
Materials:
• “Exploiting Siemens Simatic S7 PLCs” by Dillon Beresford
• wireshark dissector
• libnodave - free communication library
• snap7 - open source communication suite
• plcscan
History of S7:
• S5 Communication (FETCH/WRITE, Sinec H1)
• S7 Communication
• “Another” S7 Communication
Simply put, “another” S7 looks like:
TCP: HEADER | ISO TCP
ISO TCP: TPKT | COTP | S7 PDU
“Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns”
Simple UDP packet that sets the “speed” of the turbine to 57 (min=0, max=100)
# real case
SCADASTRANGELOVE