Thursday, January 31, 2013

SCADA (in)security in pictures #1

How to find an HMI in the Internet



How to hack WinCC 



How to find a PLC in (your) network



How to recover S7 PLC/TIA portal password



Don’t try this at home.

And don't panic. ICS (in)security so young...

Sunday, January 27, 2013

Not by SCADA alone: SCADA StrangeLove @BlackHat

Alexey Osipov and Timur Yunusov from Positive Technologies and the SCADA StrangeLove team will present a new attack technique at BlackHat Europe 2013: XML out-of-band data retrieval. Cool stuff.

During their research the guys have found a way to use this attack against browsers, IDEs, security products and, of course, SCADA. Several useful 0-1-2-3-days will be presented.

The magic "XXE OOB Exploitation Toolkit for Automation" is to be released.
Don't miss your chance to become an XML hacker. XML and SCADA… Tastier together.

http://www.blackhat.com/eu-13/briefings.html#Osipov

Saturday, January 26, 2013

Comments on ICS CERT ICS-ALERT-13-016-02

There is a flame war in the media about our S7 bruteforce tool.

Just for instance:  "...and have unfortunately made the code available before the Siemens had the opportunity patch the flaw or offer mitigations..." (src = http://www.net-security.org/secworld.php?id=14303).
C'mon, guys, are you serious? Mitigation against offline bruteforce in password-based authentication? Maybe you should take a lesson or two on information security?

1. No security vulnerability is disclosed by the released tool. According to our analysis, the SHA-1 and HMAC-SHA-1 crypto implementation in S7 is strong enough. No salt? Maybe...
2. The issue with S7 passwords has been known for a while and is documented on the Siemens site. Proof link: http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&objid=51401544&nodeid0=10805148&switchLang;51401544;2.x=34&switchLang;51401544;2.y=4&lang=en&siteid=cseus&aktprim=0&objaction=csopen&extranet=standard&viewreg=WW
3. The published tool (and the JtR plug-in) require valid challenge-response packets, so the risk of abuse is very low, because the attacker needs to intercept communications first.
4. It's hard to use rainbow tables: because of the challenge-response scheme, an attacker would need to spoof the challenge, e.g. by mounting a MITM attack in an adjacent network.

Thus we agree with Siemens: they don't need to release a patch (src = http://www.darkreading.com/vulnerability-management/167901026/security/news/240146748/scada-password-cracking-tool-for-siemens-s7-plcs-released.html).

PS. Yes, we know a bit about SSL. Proof link: http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html

PPS. Yes, there are situations where you don't need to brute-force HMAC-SHA-1 to get the S7 password. But...






Thursday, January 24, 2013

Only 3 days left!



On 27 January 2013 the first wave of the PHDays III CFP will close.

mind = noosphere .connect()
paper = mind.generate(something genius, true)


Siemens S7 @ JtR

The John the Ripper password cracker (JtR-jumbo) now supports the S7 challenge-response. A tool for parsing .pcap files into JtR-compatible hashes is also included.

Thanks to Dhiru Kholia and Narendra Kangralkar.

Enjoy.

https://github.com/magnumripper/JohnTheRipper/pull/193

Wednesday, January 16, 2013

S4x13 Releases: S7 password offline bruteforce tool

As you know, the S7 protocol, used for communication between Engineering Stations, SCADA, HMI and PLC, can be protected by a password.




On-line authentication is a simple challenge-response protocol.
  • The password is hashed (SHA1) on the client (TIA Portal)
  • The server (PLC) provides a 20-byte challenge
  • The client calculates HMAC-SHA1(challenge, SHA1(password)) as the response
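As an added example (not code from the original post, and not the S4x13 release or the JtR plug-in), the Python script below simulates both sides of the exchange described above and the offline check discussed in the comments on ICS-ALERT-13-016-02 (points 3 and 4). It assumes the HMAC key is SHA1(password) and the message is the 20-byte challenge, since the notation HMAC-SHA1(challenge, SHA1(password)) does not fix the argument order; the password, challenges and wordlist are constructed values.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

CHALLENGE_LEN = 20  # the PLC challenge described in the post is 20 bytes


def hash_password(password: str) -> bytes:
    """Client side (TIA Portal): the password is reduced to SHA-1 before use."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def compute_response(challenge: bytes, password: str) -> bytes:
    """Client side: HMAC-SHA1 keyed with SHA1(password) over the challenge.

    Assumption (not stated by the post): key = SHA1(password), message = challenge.
    """
    if len(challenge) != CHALLENGE_LEN:
        raise ValueError("S7 challenge must be %d bytes" % CHALLENGE_LEN)
    return hmac.new(hash_password(password), challenge, hashlib.sha1).digest()


def plc_issue_challenge() -> bytes:
    """Server side (PLC): a fresh random challenge for every authentication attempt."""
    return os.urandom(CHALLENGE_LEN)


def plc_verify(challenge: bytes, response: bytes, configured_password: str) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = compute_response(challenge, configured_password)
    return hmac.compare_digest(expected, response)


def candidate_from_capture(challenge: bytes, response: bytes,
                           candidates: Iterable[str]) -> Optional[str]:
    """The same computation the PLC performs, run by whoever holds a captured
    challenge/response pair. No further contact with the PLC is needed, so a
    lockout or rate limit on the PLC cannot help; only password strength does.
    Returns the matching candidate, or None."""
    for cand in candidates:
        if hmac.compare_digest(compute_response(challenge, cand), response):
            return cand
    return None


def challenge_binds_response(password: str) -> bool:
    """Why precomputed (rainbow) tables do not apply: the same password gives a
    different response for every challenge, so a table would be valid for one
    challenge only, i.e. the attacker would have to control (spoof) the challenge."""
    c1, c2 = plc_issue_challenge(), plc_issue_challenge()
    return compute_response(c1, password) != compute_response(c2, password)


def demo() -> dict:
    """One full exchange with constructed values, returned for inspection."""
    configured = "s7demo"                               # constructed PLC password
    challenge = plc_issue_challenge()                   # PLC -> client
    response = compute_response(challenge, configured)  # client -> PLC
    wordlist = ["admin", "1234", "siemens", "s7demo"]   # constructed wordlist
    return {
        "plc_accepts": plc_verify(challenge, response, configured),
        "plc_rejects_wrong": plc_verify(challenge, response, "s7demo!"),
        "recovered_from_capture": candidate_from_capture(challenge, response, wordlist),
        "challenge_binds_response": challenge_binds_response(configured),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The post's release reads the exchange out of a .pcap; here the exchange is produced in memory so the script runs offline. The two things worth taking away are in the last two functions: once a capture exists the PLC is out of the loop, so the configured password has to survive a dictionary on its own, and the per-attempt random challenge is what makes a precomputed table useless without a MITM.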

Enjoy our special S4x13 release by Alexander Timorin and Dmitry Sklyarov.
Parameters are hardcoded, sorry.
 
cfg_pcap_file = 'path to .pcap file'
cfg_dictionary_file = 'path to dictionary file'

Feel free to contribute.

S4x13 Releases: WinCC Flexible Security Hardening Guide


Special release for the SCADA Security Scientific Symposium (http://www.digitalbond.com/s4/)

WinCC Flexible (TIA Portal) Security Hardening Guide

Table of contents

OS CONFIGURATION
DBMS CONFIGURATION
ADDITIONAL MEANS OF PROTECTION
RUNTIME SECURITY SETTINGS
SIMATIC SIEMENS WINCC FLEXIBLE ACCESS SETTINGS
SM@RTSERVER SECURITY SETTINGS
MINIWEB (HTTP) SECURITY SETTINGS
OPC SERVER SECURITY SETTINGS
WEB SERVICE (SOAP) SECURITY SETTINGS
SMTP SECURITY SETTINGS
LOGGING
PROJECT MANAGEMENT
WEB SERVER: HTML PAGES

Download link

PS. *-Rays and Engineer Garin is our new hero. Enjoy.

Thursday, January 3, 2013

SCADA in the Cloud

There was a question about Cloud Computing for SCADA during our talk at the Chaos Communication Congress. Maybe our answer was not very clear, but we said everything on this topic after the FSB secret data leak in 2011. Please check out Record #103404-09.



PS. PHDays III CFP