Thursday, December 27, 2012

ICS/SCADA/PLC Google/Shodan Cheat Sheet

Trying to find SCADA/PLC/HMI on the Internet?
No luck?

SCADAStrangeLove strike forces to the rescue!

With our Pretty Shiny Sparkly™ ICS/SCADA/PLC Google/Shodanhq Cheat Sheet you will become a real SCADAHacker and search for SCADA with Shodan for free!
Forget about "effective" CVSS scores: only Google, only hardcore! Get Siemens S7 PLCs, Scalance S, WinCC, Emerson DeltaV and Schneider Electric PowerLogic in one click!
Special #29C3 release by Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin.

Enjoy: http://www.slideshare.net/qqlan/icsscadaplc-googleshodanhq-cheat-sheet

SIEMENS SIMATIC WINCC 7.X SECURITY HARDENING GUIDE

Special release for 29C3.

Contents.

OPERATING SYSTEM CONFIGURATION
SYSTEM NETWORK PARAMETERS CONFIGURATION
DBMS CONFIGURATION
ADDITIONAL SECURITY TOOLS
SIMATIC WINCC (SYSTEM PARAMETERS)
SIMATIC WINCC (SIMATIC LOGON CONFIGURATIONS)
SIMATIC WINCC (ACCESS CONFIGURATIONS)
SIMATIC WINCC (EVENTS LOGGING)
SIMATIC WINCC (PROJECT CONTROL)
SIMATIC WINCC (WEBNAVIGATOR — SCREEN PUBLISHING)

Hope you'll find it useful.  Any feedback is highly appreciated.

Download link: http://www.slideshare.net/qqlan/positive-technologies-wincc-security-hardening-guide

Special thanks to: Roman Ilin, Sergey Gordeychik, Ilya Karpov


Happy New Year!

Sunday, December 9, 2012

SCADA and Chaos

Our team will participate in the 29th Chaos Communication Congress. Sergey Gordeychik, Gleb Gritsai and Denis Baranov will talk about our new research in ICS security and vulnerabilities in SCADA and PLC systems.

Please find the talk description and schedule here:

 http://events.ccc.de/congress/2012/Fahrplan/events/5059.en.html

Yuri Goltsev and Sergey Scherbel will run the 29C3 $natch (Snatch) competition, a real-time Internet banking hacking contest. Please join and show your skills: http://events.ccc.de/congress/2012/wiki/$natch.

See you in Hamburg!

PS. Full 29C3 agenda and the 29C3 workshop schedule:
http://events.ccc.de/congress/2012/Fahrplan/

http://events.ccc.de/congress/2012/wiki/Workshops

Wednesday, November 28, 2012

Security of the morning calm

In early November 2012, the SCADAStrangeLove strike force was thoughtless enough to accept an offer to speak at the Power of Community (POC) conference held in Seoul, South Korea. While the impressions are still fresh, I want to tell you how they do security in the Land of the Morning Freshness.
Many photos are under the cut.


Wednesday, November 7, 2012

WinCC Harvester

Metasploit module for Siemens SIMATIC WinCC forensics/post-exploitation.

It uses WinCC MS SQL access to harvest sensitive information (users, roles, PLCs) from the database.

Copy this file to: /opt/metasploit/msf3/modules/auxiliary/admin/scada/
Use: use auxiliary/admin/scada/wincc_harvester

Thanks to Vyacheslav Egoshin, Dmitry Nagibin, Gleb Gritsai.

Link: https://github.com/nxnrt/wincc_harvester

PLCScan the Internet

Special release for Power of Community 2012 by Dmitry Efanov: PLCScan. Feel free to contribute!

A tool for scanning PLC devices over the s7comm or Modbus protocols.

Usage examples
plcscan.py 192.168.0.1
plcscan.py --timeout 2 192.168.0.1:102 10.0.0.0/24
plcscan.py --hosts-list hosts.txt

Link: https://code.google.com/p/plcscan/
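To show what a scanner like this actually puts on the wire, here is an added example (our own illustration, not PLCScan's code): it builds the COTP connection request that opens an S7comm session on TCP/102 (TPKT framing per RFC 1006, CPU addressed by rack/slot in the destination TSAP, the same convention snap7-style clients use) and the Modbus/TCP "Read Device Identification" request for TCP/502, and parses the replies. Both sample replies are constructed, not captured from hardware; `send_probe` is a plain socket helper and is not exercised offline. A full scanner goes on to read the S7 module identification after the handshake; that step is not shown here.

```python
"""On-the-wire probes a PLC scanner sends, with parsers for the replies.
S7comm runs over ISO-on-TCP (RFC 1006, TCP/102): TPKT header, then a COTP
connection request that names the CPU by rack/slot in the destination TSAP.
Modbus/TCP (TCP/502): MBAP header, then 'Read Device Identification'
(function 0x2B, MEI type 0x0E). Sample replies below are constructed."""
import socket
import struct

# ---- S7comm transport: TPKT + COTP ------------------------------------------

def tpkt(payload: bytes) -> bytes:
    """TPKT: version 3, reserved 0, 16-bit length of header plus payload."""
    return struct.pack(">BBH", 3, 0, 4 + len(payload)) + payload

def s7_destination_tsap(rack: int, slot: int) -> bytes:
    """TSAP convention used by S7 clients: 0x01 (PG), then rack<<5 | slot."""
    return bytes([0x01, (rack << 5) | slot])

def cotp_connect_request(rack: int = 0, slot: int = 2) -> bytes:
    """COTP CR (PDU type 0xE0): refs, class 0, then TPDU-size and TSAP parameters."""
    params = (bytes([0xC0, 0x01, 0x0A])                    # TPDU size 2^10
              + bytes([0xC1, 0x02, 0x01, 0x00])            # source TSAP
              + bytes([0xC2, 0x02]) + s7_destination_tsap(rack, slot))
    body = bytes([0xE0]) + struct.pack(">HHB", 0x0000, 0x0001, 0x00) + params
    return tpkt(bytes([len(body)]) + body)                 # length indicator first

def parse_cotp_connect_confirm(data: bytes) -> dict:
    """Return refs from a TPKT-framed COTP CC (0xD0); {} for anything else."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        return {}
    if data[5] != 0xD0:            # not a Connect Confirm (e.g. 0x80 Disconnect Request)
        return {}
    dst_ref, src_ref = struct.unpack(">HH", data[6:10])
    return {"dst_ref": dst_ref, "src_ref": src_ref, "class": data[10]}

# ---- Modbus/TCP: Read Device Identification ---------------------------------

MODBUS_OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision",
                       3: "VendorUrl", 4: "ProductName", 5: "ModelName",
                       6: "UserApplicationName"}

def modbus_read_device_id(transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """MBAP (tid, proto 0, length incl. unit id, unit id) + PDU 2B 0E 01 00 (basic objects)."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    return struct.pack(">HHHB", transaction_id, 0, 1 + len(pdu), unit_id) + pdu

def parse_modbus_device_id(data: bytes) -> dict:
    """Decode the object list; {} on short frames, exceptions (0xAB) or bad lengths."""
    if len(data) < 7:
        return {}
    _tid, proto, length, _unit = struct.unpack(">HHHB", data[:7])
    pdu = data[7:]
    if proto != 0 or length != 1 + len(pdu) or len(pdu) < 7 or pdu[:2] != b"\x2B\x0E":
        return {}
    objects, pos = {}, 7             # byte 6 = number of objects, list starts at 7
    for _ in range(pdu[6]):
        if pos + 2 > len(pdu):
            break
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            break
        name = MODBUS_OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects

# ---- Constructed replies (not captured from real hardware) -------------------

SAMPLE_COTP_CC = bytes.fromhex(
    "03000016"            # TPKT, 22 bytes
    "11 d0 0001 0007 00"  # COTP CC: dst ref = our src ref 1, src ref 7, class 0
    "c0010a c1020100 c2020102")
SAMPLE_MODBUS_ID = bytes.fromhex(
    "0001 0000 001a 01"   # MBAP: tid 1, proto 0, length 26, unit 1
    "2b0e 01 01 00 00 03" # fn 0x2B, MEI 0x0E, basic, conformity 1, no more, 3 objects
    "00 04 41434d45"      # VendorName  = "ACME"
    "01 05 504c432d31"    # ProductCode = "PLC-1"
    "02 03 312e30")       # MajorMinorRevision = "1.0"

def send_probe(host: str, port: int, probe: bytes, timeout: float = 2.0) -> bytes:
    """Network helper (not exercised offline): one request, one reply, up to 4 KiB."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe)
        return s.recv(4096)
```

Against a live target, `parse_cotp_connect_confirm(send_probe(ip, 102, cotp_connect_request(0, 2)))` returning refs means an S7 CPU answered at rack 0, slot 2 (S7-1200 CPUs sit in slot 1, so try both), and `parse_modbus_device_id(send_probe(ip, 502, modbus_read_device_id()))` yields vendor and product strings when the device implements function 0x2B. Keep the timeouts short: PLC network stacks are slow and a scan is itself a risk on a production network.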

Tuesday, November 6, 2012

SCADA Safety in numbers

The number of detected vulnerabilities has increased 20-fold since 2010.
One in five vulnerabilities takes more than a month to fix.
50% of vulnerabilities allow an attacker to execute code.
Exploits exist for 35% of vulnerabilities.
41% of vulnerabilities are critical.
More than 40% of systems reachable from the Internet can be hacked by unskilled users.
A third of the systems reachable from the Internet are located in the USA.
A quarter of vulnerabilities are due to missing security updates.
54% and 39% of Internet-reachable systems in Europe and North America respectively are vulnerable.

Enjoy.

Thursday, September 13, 2012

All your PLC are belong to us



Siemens has published advisory "SSA-240718: Insecure storage of HTTPS CA certificate in S7-1200 V2.x" about a bug discovered by our team. A very funny one: the PLC has a built-in CA and generates valid certificates based on its IP address, so you can trust the CA certificate and have secure SSL sessions with all PLCs. But, as you understand, all PLCs share the same CA private/public key pair, and the private key is hardcoded into the firmware. Anyone who extracts it from the firmware can issue a certificate for any PLC's IP address, and every client that trusts the CA will accept it.
 
Not an easy bug to fix, but we hope Siemens will do it.
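An added illustration of why the shared key is fatal (our own toy, not Siemens code and not from the advisory): textbook RSA over SHA-256 stands in for X.509 and TLS, the IP addresses are constructed, and "dumping the key from the firmware" is modelled by handing the attacker the very same CA key pair. The per-device CA half goes beyond the post and shows what the fix buys: a certificate minted with one device's CA key no longer validates against another device's CA.

```python
"""Why a CA private key shared by every device is worthless: anyone holding one
copy of it (here, dumped from firmware) can issue a certificate for any other
device's IP address, and clients that trust the CA accept it.
Toy crypto: textbook RSA over SHA-256, 512-bit keys; never use in production."""
import hashlib
import json
import math
import random

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). Small keys keep the toy fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data)

def issue_certificate(ca_priv, ip: str, device_pub) -> dict:
    """Minimal 'certificate': a CA-signed binding of an IP address to a public key."""
    tbs = json.dumps({"ip": ip, "n": device_pub[0], "e": device_pub[1]},
                     sort_keys=True).encode()
    return {"tbs": tbs, "sig": sign(ca_priv, tbs)}

def certificate_is_valid(ca_pub, cert: dict, expected_ip: str) -> bool:
    """What a client does: check the CA signature, then that the cert names the host."""
    if not verify(ca_pub, cert["tbs"], cert["sig"]):
        return False
    return json.loads(cert["tbs"])["ip"] == expected_ip

def demo() -> dict:
    """Shared CA (one key pair in every firmware image) versus a per-device CA."""
    victim_ip = "192.0.2.20"            # constructed address of the victim PLC
    attacker_pub, _ = generate_keypair()

    # Shared CA: the attacker's firmware dump contains the same key every PLC uses.
    shared_ca_pub, shared_ca_priv = generate_keypair()
    forged = issue_certificate(shared_ca_priv, victim_ip, attacker_pub)
    shared_accepts = certificate_is_valid(shared_ca_pub, forged, victim_ip)

    # Per-device CA: the attacker only holds PLC A's CA key; PLC B's is different.
    _plc_a_ca_pub, plc_a_ca_priv = generate_keypair()
    plc_b_ca_pub, _ = generate_keypair()
    forged = issue_certificate(plc_a_ca_priv, victim_ip, attacker_pub)
    per_device_accepts = certificate_is_valid(plc_b_ca_pub, forged, victim_ip)

    return {"shared_ca_accepts_forgery": shared_accepts,
            "per_device_ca_accepts_forgery": per_device_accepts}
```

`demo()` returns `shared_ca_accepts_forgery=True` and `per_device_ca_accepts_forgery=False`: the client's checks are correct in both cases, it is the trust anchor that is broken. In practice the check is simpler still: pull the CA certificate from several PLCs and compare fingerprints; if they match across devices, the key is shared and the CA proves nothing about which PLC you are talking to.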

Tuesday, September 11, 2012

New vulnerabilities in Siemens SIMATIC WinCC



Siemens has fixed vulnerabilities in SIMATIC WinCC 7.0 and SIMATIC PCS 7 V8 discovered by the SCADAStrangeLove team. They are very different ones, from trivial XSS and CSRF (the latter still unfixed) to arbitrary file reading and an awesome username and password disclosure.
Short list of bugs addressed in SSA-864051:

  • Lots of XSS and CSRF (CVE-2012-3031, CVE-2012-3028)
  • Lots of arbitrary file reads (CVE-2012-3030)
  • SQL injection over SOAP (CVE-2012-3032)
  • Username and password disclosure via ActiveX abuse (CVE-2012-3034)

Thanks to Denis Baranov, Sergey Bobrov, Artem Chaykin, Vladimir Kochetkov, Timur Yunusov.

Now we have more material for our talk at Power of Community. The world has become safer! Hurray!

Wednesday, July 25, 2012

WinCC default password: 7 years long story

Siemens recently published an advisory about a vulnerability in WinCC. The default hardcoded MS SQL passwords ('WinCCConnect/2WSXcder', 'WinCCAdmin/2WSXcde.') were used by the Stuxnet worm for infection. This vulnerability was fixed a long time ago in SIMATIC WinCC V7.0 SP2 Update 1 (V7.0.2.1). The current patch level for WinCC is V7.0 SP3 Update 2. Looks like this is a kind reminder.
JFYI, this vulnerability has been widely known for 7 years, since May 2005. It was first published on the Siemens forum and publicly disclosed in April 2008.
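The defensive side of both this post and the WinCC Harvester module above, as an added example (our own, not part of the advisory or the module): the same hardcoded accounts that Stuxnet, or a harvester run from an attacker's box, use to open the WinCC database leave a trace in the SQL Server ERRORLOG. The log lines below are constructed in the shape SQL Server writes when login auditing is set to record both failed and successful logins; the allowed client network is an assumption to be replaced by the site's inventory of WinCC servers and clients.

```python
"""Detection, not exploitation: flag use of the hardcoded WinCC MS SQL accounts.
Constructed lines follow the shape SQL Server writes to its ERRORLOG once
login auditing covers successful logins as well as failed ones."""
import re
from ipaddress import ip_address, ip_network

WINCC_DEFAULT_LOGINS = {"WinCCConnect", "WinCCAdmin"}   # accounts named in the advisory

# Hosts that legitimately open the WinCC database (constructed; replace with the
# real list of WinCC servers and clients, which all use WinCCConnect).
ALLOWED_CLIENTS = [ip_network("10.10.1.0/28")]

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample: one good login, one from a foreign host, one failed guess,
# one local login, one unrelated account.
SAMPLE_ERRORLOG = """\
2012-07-25 09:58:01.13 Server      Starting up database 'tempdb'.
2012-07-25 09:58:40.22 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 10.10.1.5]
2012-07-25 09:59:12.90 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 10.10.7.33]
2012-07-25 09:59:13.41 Logon       Login failed for user 'WinCCAdmin'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.7.33]
2012-07-25 10:01:05.02 Logon       Login succeeded for user 'WinCCAdmin'. Connection made using SQL Server authentication. [CLIENT: <local machine>]
2012-07-25 10:02:44.77 Logon       Login succeeded for user 'opsreport'. Connection made using SQL Server authentication. [CLIENT: 10.10.7.33]
"""

def _client_allowed(client: str) -> bool:
    """'<local machine>' (shared memory / named pipes) is the WinCC server itself."""
    if client == "<local machine>":
        return True
    try:
        addr = ip_address(client)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_CLIENTS)

def find_default_account_abuse(errorlog: str) -> list:
    """One finding per suspicious event: a failed login against a default account
    (password guessing) or a successful one from an unexpected client
    (Stuxnet-style lateral movement, or a harvester run from an attacker's box)."""
    findings = []
    for line in errorlog.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m["user"] not in WINCC_DEFAULT_LOGINS:
            continue
        if m["result"] == "failed":
            reason = "failed login with default WinCC account"
        elif not _client_allowed(m["client"]):
            reason = "default WinCC account used from unexpected client"
        else:
            continue
        findings.append({"time": m["ts"], "user": m["user"],
                         "client": m["client"], "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_default_account_abuse(SAMPLE_ERRORLOG):
        print(f"{f['time']} {f['user']:<13} {f['client']:<15} {f['reason']}")
```

The allowlist is the important part: WinCC clients use WinCCConnect by design, so the signal is not the account name but an account that only WinCC should use appearing from a host that is not a WinCC station. Feed the function the live ERRORLOG (or the same events forwarded to a SIEM) rather than the sample.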

Link and screenshot for the record: http://iadt.siemens.ru/forum/viewtopic.php?p=2974



So the correct credits for the advisory: Max Prilepsky & Cyber.

PS. Mikko - a perfect Cyrillic screenshot for your slides!

PPS. AC/DC? No way!

Tuesday, July 24, 2012

How to pwn a nuclear plant with Metasploit?

Mikko Hypponen wrote:

"...I received a series of emails from Iran. ... Atomic Energy Organization of Iran (AEOI)....

He wrote:

I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.

According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down...I believe it was playing 'Thunderstruck' by AC/DC...
"

Looks like somebody knows our secret and can pwn a nuclear plant with Metasploit.

To Mikko:

Mikko, we know you like Russian guys, but this is a totally different case. It's not our fault. Really.
Proof.

Q: AC/DC?
A: No way!

Sunday, July 8, 2012

XSS in HMI? So what?

Sometimes XSS (and other client-side bugs) are very useful! They can help to exploit server-side vulnerabilities. The operator's browser is a proxy into the SCADA net!
 

Question: Does anybody work with SCADA and the Internet using the same browser?
Correct answer: Yes!




Tuesday, June 5, 2012

SSA-223158 : Multiple Security Vulnerabilities in WinCC 7.0 SP3


Our first release:

- XPath Injection in WinCC DiagAgent and WebNavigator
- Directory Traversal in WinCC DiagAgent and WebNavigator
- Buffer overflow in WinCC DiagAgent web server
- Reflected Cross-Site Scripting in  WinCC DiagAgent and WebNavigator


(CVE-2012-2596)  (CVE-2012-2597) (CVE-2012-2598) (CVE-2012-2595)  (CVE-2012-3003)




Enjoy.

Thursday, May 31, 2012