29C3 - Version 1.9
Speakers: Denis Baranov, Gleb Gritsai, Sergey Gordeychik

| Schedule | |
|---|---|
| Day | Day 1 - 2012-12-27 |
| Room | Saal 6 |
| Start time | 23:00 |
| Duration | 01:00 |

| Info | |
|---|---|
| ID | 5059 |
| Event type | Lecture |
| Language used for presentation | English |
SCADA Strangelove
or: How I Learned to Start Worrying and Love Nuclear Plants
Modern civilization depends unconditionally on information systems. It is paradoxical but true that ICS/SCADA systems are the most insecure systems in the world. From the network to the application layer, SCADA is full of configuration issues and vulnerabilities.
During our talk, we will demonstrate how to obtain full access to a plant via:
- a sniffer and a packet generator
- FTP and Telnet
- Metasploit and osql
- a web server and a browser
About 20 new vulnerabilities in common SCADA systems, including Simatic WinCC, will be revealed.
Releases:
- modbuspatrol (mbpatrol) – free tool to discover and fingerprint PLCs
- Simatic WinCC security checklist
- Simatic WinCC forensic checklist and tools
A close-to-real-life attack scenario against a Simatic WinCC-based plant:
1. Intro
 - 1.1 Who we are
 - 1.2 History of research
2. Overview of ICS/SCADA architecture
3. SCADA network puzzle
 - 3.1 Overview of protocols used in SCADA networks
 - 3.2 Modbus overview
 - 3.3 S7 overview
 - 3.4 Modbus/S7 SCADA/PLC fingerprinting (release of mbpatrol, a free tool for PLC fingerprinting)
4. Who is Mister PLC?
 - 4.1 Typical PLC architecture
 - 4.2 Security and configuration issues
 - 4.3 Coordinated disclosure of vulnerabilities in several PLCs
5. DEMO: Owning a plant with FTP and Telnet. During the demo, I will demonstrate how several vulnerabilities and configuration issues in a PLC can be used to get root access to the device, install a rootkit and manipulate something in the real world.
6. Miss SCADA
 - 6.1 The place of the OS and DB in the security of the SCADA infrastructure
 - 6.2 Simatic WinCC default configuration issues
 - 6.3 Ways to abuse OS and DB vulnerabilities
 - 6.4 Coordinated disclosure of several OS/DB WinCC vulnerabilities
 - 6.5 Simatic WinCC security checklist
 - 6.6 Simatic WinCC post-exploitation/forensics
7. Heavy weapon
 - 7.1 SCADA/HMI application architecture (based on Simatic WinCC)
 - 7.2 Client side in the SCADA network? (release of a client-side fingerprint tool for HMI software)
 - 7.3 Coordinated disclosure of vulnerabilities in Siemens Simatic WinCC 7.0 used in the exploit
8. Architecture of the exploit
9. DEMO: Owning a plant with a browser. Exploit scenario: several 0-day (but responsibly disclosed) vulnerabilities in Siemens Simatic WinCC 7.0 are used to:
 - fingerprint the presence of WinCC client software
 - obtain the access password to the WinCC WebNavigator interface
 - read the registry and files on the WinCC box
 - view and manage the HMI/PLC/technological process from the Internet via the operator's browser
10. PS: Why physical separation is not enough
Will we talk about 0-day vulnerabilities? Yes, but we will coordinate with the vendor, so the list of vulnerabilities depends on how quickly Siemens patches.
Will tools be released? Yes: modbuspatrol (mbpatrol), the Simatic WinCC security checklist, and the Simatic WinCC forensic checklist and tools (see Releases above).