Date posted: 19-Jan-2015 | Category: Technology | Uploaded by: positive-hack-days
SCADA security
Positive Hack Days.
Industrial systems. Threats
GLEG Ltd., developer of the SCADA+ Pack for CANVAS
http://www.gleg.net
Plan
Attacks against SCADA: what could they look like?
Intro: are SCADA systems accessible from the Internet?
Exploration: searching for vulnerable systems reachable from the web
Exploitation
Post-exploitation
Summary
SCADA: events timeline
Before June 2010: there seem to have been NO (?) real-world examples of targeted attacks on SCADA (just worm infections...)
June 2010: Stuxnet! The milestone in SCADA security...
After June 2010: hackers realized that there are accessible SCADA systems with vulnerabilities...
– Dozens of new vulnerabilities uncovered
– The potential risk has greatly increased
SCADA ON THE WEB
THERE ARE HUNDREDS OF SCADA SYSTEMS ALREADY EXPOSED TO THE INTERNET!
Let us show the banners of two SCADA systems,
and the SHODAN search results for them...
e.g. SCX SCADA:
SCX ADVANCED INDUSTRIAL AUTOMATION SOFTWARE
...the integrated SCX Web server is a standard component of the SCX product. Web clients have access to all SCADA system functions...
In other words, whoever can reach the web server can reach every SCADA function behind it.
SCX SCADA banner
1) "SCXWebServer"

    HTTP/1.1 200 OK
    Content-Encoding: deflate
    Date: Tue, 14 Dec 2010 19:09:52 GMT
    Expires: Tue, 14 Dec 2010 19:09:52 GMT
    Cache-Control: no-cache
    Server: SCXWebServer/6.0        <- here is the banner
    Content-Type: text/xml
    Content-Length: 1504

Search results for this banner:
CoDeSys ENI server exploit
CoDeSys ENI server:
In this case the banner looks like: «ENIServer»
(though there are many servers of the same kind from different SCADA vendors... all of them seem to be based on CoDeSys...?)
Again, let's search for it on the web... and show how it could be exploited using the SCADA+ Pack 0-day exploit for the CoDeSys ENI server.
Video of exploitation:
http://pentesting.ru/eniserver.rar
Post-exploitation:
Typical post-exploitation:
– Trojan
– Keylogger
– Hiding activities... and waiting for a login + password...
SCADA vulns
Of course there could be other vulnerability types... other exploration and exploitation tools and techniques...
Example 2:
A common situation for SCADA is that local access is granted without authentication by default.
e.g. in IGSS SCADA we have the following default project settings... ("Disable access control" is checked!)
SCADA attack
This could be helpful for a hacker: exploit some buffer overflow, enable Remote Desktop and have fun with the SCADA devices.
Current tools have limited functionality for SCADA... e.g. Shodan searches only ports 80, 21, 22, 161 and 5060...
But, e.g., RealWin has vulnerable services on ports 910 and 912.
In that case you will need to search yourself... but since there are dozens of scanners, this is not a problem. You could also write your own.
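Here is what "write your own" could look like: an added example written for this page, not code from the talk or from the SCADA+ Pack. It grabs a banner from host:port, parses it as an HTTP response when it is one, and matches it against the two banners the slides name (SCXWebServer and ENIServer). The port list (80/8080 for the SCX web server, 910/912 for RealWin) and the exact layout of the ENI banner are assumptions; the SCX sample response is reconstructed from the slide, not a live capture.

```python
"""Banner-based search for exposed SCADA services (added example).

Shodan only indexes a handful of ports, while e.g. RealWin listens on
910/912, so one has to probe and fingerprint such services oneself.
Illustrative code written for this page, not GLEG's SCADA+ Pack.
"""
import socket
import sys
from typing import Optional

# Banner fragment -> product label.  Matched as a substring of the HTTP
# Server header, or of the raw banner for non-HTTP services.
SIGNATURES = {
    b"SCXWebServer": "SCX SCADA web server",   # from the slide: SCXWebServer/6.0
    b"ENIServer": "CoDeSys ENI server",        # from the slide: «ENIServer»
}

# Assumed starting port list: SCX web server on 80/8080, RealWin on 910/912.
SCADA_PORTS = (80, 8080, 910, 912)


def parse_http_response(raw: bytes) -> dict:
    """Return {'status': ..., 'server': ...} for an HTTP response, {} otherwise."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"HTTP/"):
        return {}
    info = {"status": lines[0].decode(errors="replace")}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            info["server"] = value.strip().decode(errors="replace")
    return info


def fingerprint(raw: bytes) -> Optional[str]:
    """Return a product label if the banner matches a known SCADA service."""
    hdr = parse_http_response(raw)
    # For HTTP look only at the Server header; otherwise at the whole banner.
    haystack = hdr.get("server", "").encode() if hdr else raw
    for needle, label in SIGNATURES.items():
        if needle in haystack:
            return f"{label} ({needle.decode()})"
    return None


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Read whatever the service says first; if it stays silent, send an
    HTTP GET and read the reply.  ICS listeners can be fragile, so only
    probe hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(1.0)
        try:
            data = s.recv(4096)        # services such as ENI may speak first
            if data:
                return data
        except socket.timeout:
            pass
        s.settimeout(timeout)
        try:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return s.recv(4096)
        except socket.timeout:
            return b""


def scan(hosts, ports=SCADA_PORTS):
    """Yield (host, port, label) for every host:port whose banner matches."""
    for host in hosts:
        for port in ports:
            try:
                banner = grab_banner(host, port)
            except OSError:
                continue                # closed port, refused, unreachable
            label = fingerprint(banner)
            if label:
                yield host, port, label


# Constructed sample: the SCX banner as printed on the slide (not a capture).
SAMPLE_SCX = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Encoding: deflate\r\n"
    b"Date: Tue, 14 Dec 2010 19:09:52 GMT\r\n"
    b"Expires: Tue, 14 Dec 2010 19:09:52 GMT\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Server: SCXWebServer/6.0\r\n"
    b"Content-Type: text/xml\r\n"
    b"Content-Length: 1504\r\n\r\n"
)
# Constructed: the slide only says the ENI banner "looks like ENIServer".
SAMPLE_ENI = b"ENIServer\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_SCX, SAMPLE_ENI, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"):
        print(fingerprint(sample))
    for hit in scan(sys.argv[1:]):     # hosts given on the command line
        print("%s:%d -> %s" % hit)
```

Run it with no arguments to see the offline fingerprint results; pass hosts on the command line to probe them. The substring match is deliberately loose (a version string such as SCXWebServer/6.0 still matches), so treat a hit as a lead to verify by hand, not as proof of a vulnerable version.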
Measures:
What you should know and do: SCADA systems are already on the Internet... One should be ready for the situation when a SCADA system «suddenly» becomes accessible (e.g. it is very convenient for engineers to have remote access).
Minimize internal threats: end-point security + IDS.
Keep an eye on the news for SCADA vulnerabilities, especially those leading to possible remote access to SCADA functions (e.g. login/password theft)!
For SCADA it is not good to rely on local authentication or database authentication, or to allow unauthenticated local access!
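One concrete way to notice that a SCADA system has «suddenly» become reachable is to watch the firewall or flow log for connections to SCADA ports from anywhere outside the control network. The following is an added example for this page (not from the talk): it reads a constructed, simplified log (timestamp, action, src:port, dst:port; real firewalls use their own formats), and reports accepted connections from untrusted sources to the ports of the products named in the slides, while still surfacing dropped probes. The network ranges, the allow-listed engineer jump host and the port-to-product mapping are assumptions.

```python
"""Detect SCADA services reachable from outside the plant network
(added example for the Measures slide, not code from the talk).
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts action src sport dst dport")

# Ports of the products named in the talk (SCX web server on 80,
# RealWin on 910/912).  Assumed; extend from your own asset inventory.
SCADA_PORTS = {80: "SCX web", 910: "RealWin", 912: "RealWin"}

# Assumed site layout: control network and the engineering VPN pool.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16"),
                ipaddress.ip_network("192.168.50.0/24")]
# Assumed: the one external jump host engineers may use for remote access.
ALLOWED_REMOTE = {ipaddress.ip_address("203.0.113.7")}


def parse_line(line: str) -> Flow:
    """Parse '2010-12-14T19:09:52 ACCEPT 198.51.100.23:51234 10.10.1.5:910'."""
    ts, action, src, dst = line.split()
    shost, sport = src.rsplit(":", 1)
    dhost, dport = dst.rsplit(":", 1)
    return Flow(ts, action, ipaddress.ip_address(shost), int(sport),
                ipaddress.ip_address(dhost), int(dport))


def is_trusted(addr) -> bool:
    """True for addresses inside the plant/VPN ranges or on the allow list."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in TRUSTED_NETS) or addr in ALLOWED_REMOTE


def find_exposures(lines):
    """Return alert strings for untrusted sources hitting SCADA ports.

    ACCEPT from an untrusted source is an exposure; a DROP is reported as a
    probe so that a scan that bounced off the firewall is still visible.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        f = parse_line(line)
        if f.dport not in SCADA_PORTS or is_trusted(f.src):
            continue
        kind = "EXPOSED" if f.action == "ACCEPT" else "probe"
        alerts.append(f"{kind}: {f.src} -> {f.dst}:{f.dport} "
                      f"({SCADA_PORTS[f.dport]}) at {f.ts}")
    return alerts


# Constructed sample log: one internal access, one allow-listed engineer,
# one dropped external probe, one accepted external hit, one non-SCADA port.
SAMPLE_LOG = """\
2010-12-14T19:09:52 ACCEPT 10.10.1.20:40001 10.10.1.5:910
2010-12-14T19:10:03 ACCEPT 203.0.113.7:50123 10.10.1.5:80
2010-12-14T19:11:45 DROP 198.51.100.23:51234 10.10.1.5:912
2010-12-14T19:12:01 ACCEPT 198.51.100.23:51240 10.10.1.5:910
2010-12-14T19:12:30 ACCEPT 198.51.100.23:51241 10.10.1.9:22
"""

if __name__ == "__main__":
    for alert in find_exposures(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this yields two alerts: a probe against RealWin on 912 that the firewall dropped, and an accepted connection from the same external address to 910, which is exactly the «suddenly accessible» case the slide warns about. Feeding the live log of the perimeter firewall into the same logic (with the real subnets filled in) turns the slide's advice into a standing check rather than a one-off audit.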
Countermeasures:
Of course SCADA should be properly designed (we hope it is so :) with redundancy, possibly involving equipment from different manufacturers, etc...
Some typical measures could also be helpful:
– Security policies and a security culture among personnel (resistance to social engineering),
– good passwords,
– penetration tests.
Summary:
We have shown that SCADA systems ARE ALREADY AVAILABLE FROM THE INTERNET... and some of them could be exploited right now...