SCADA StrangeLove: Hacking in the Name of
SCADASTRANGELOVE.ORG
1. *All pictures are taken from the Dr. Strangelove movie and other Internets

2. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence: Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Alexander Tlyapov, Evgeny Ermakov, Alexey Osipov, Kirill Nesterov

3. Body Count's In the House: http://bit.ly/M6kS68

4. "... communication network protocols used for process or industrial automation, building automation, substation automation, automatic meter reading and vehicle automation applications" (c) wiki, http://en.wikipedia.org/wiki/List_of_automation_protocols

5. Let's google it a little bit!

6. Old, slow, boring: Google / Bing / Shodanhq / ERIPP.
   New, fast, easy to automate: ZMap, Masscan, 30C3 bandwidth, homebrew scans of industrial ports, Rapid7 Project Sonar, Internet Census (not so new) + fast full-text search engines (Elastic Search).

7. Lots of new information coming up:
   - Modbus (502): http://nmap.org/nsedoc/scripts/modbus-discover.html, http://scadastrangelove.blogspot.com/2012/11/plcscan.html
   - DNP3 (20000): https://code.google.com/p/scadascan/, http://sourceforge.net/projects/dnp/
   - IEC104 (2404): http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
   - MMS (102): http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
   - S7 (102): http://scadastrangelove.blogspot.com/2012/11/plcscan.html
   - Profinet DCP: http://scadastrangelove.blogspot.com/2013/05/scada-strangelove-positive-hack-days.html
   But some protocols are still not researched [kudos to Alexander Timorin @atimorin]

8. Devices by country: US 31211, DE 3793, IT 2956, BR 2461, GB 2282, CA 2276, KR 1785, SE 1345, ES 1341, NL 1312, FR 1171, TW 1126, CN 891, JP 885

9. Services found: ftp 604 (1%), http 49989 (73%), industrial 1612 (2%), snmp 15253 (23%), telnet 671 (1%).
   Industrial protocols: dnp3 155 (10%), iec104 44 (3%), modbus 532 (34%), s7 827 (53%).

10. Devices by vendor: Tridium 19490 (29%), NRG Systems 11715 (17%), Lantronix 6988 (10%), Moxa 3949 (6%), Beck IPC 3655 (5%), Generic 2794 (4%), Schneider Electric 2458 (4%), Rabbit 1958 (3%), SAP 1639 (2%), Westermo 1526 (2%), Echelon 1395 (2%), Siemens 1322 (2%), TAC AB 1321 (2%), Digi 988 (1%), DATACOM 945 (1%), Other 5933 (9%)

11. Google dorks: configurations, scripts, FS structure, etc.

12. Configuration backup

13. Configuration backup: 94 94 94 9c 9c 9c 9c 94 94 9e = 1234567890

14-17. (built up over four slides) a:CHIP.INI, a:AUTOEXEC.bat, b:http -- SolarLog homedir -> etc.

18. --snip-- Comment to PT-SOL-2014001: The upload path has been changed. It is still possible to upload files, but they can't overwrite system critical parts any more. Comment to PT-SOL-2014002: The system backup is created in a randomly chosen path and deleted afterwards. Therefore an unauthorized access is made much more difficult and very unlikely. Second comment to PT-SOL-2014002: In order to compensate the weak encryption in the configuration file, the whole configuration file is now encrypted via the new HTTP transmission. --snip--

19. The Prodigy - One Love: http://bit.ly/1dEkKR8

20. (network diagram) PLC1, PLC2, PLC3; some networks; WinCC Web-Client; WinCC SCADA-Clients; WinCC SCADA-Client + Web-Server; WinCC DataMonitor; WinCC Servers; LAN, PROFINET, PROFIBUS; Internet, corp LAN, VPNs; Engineering station (TIA Portal / PCS7)

21. WinCCExplorer.exe / PdlRt.exe

22. This is my encryptionkey

23. Spot the Similarities

24. Popular HMI. Relatively new system. Platform independent. Custom webserver. Blind Guardian - Nightfall: http://bit.ly/LRDbLs

25. http://cvedetails.com for Apache HTTP Server

26. strtok returns NULL if line = "GET nn". No check for the return value.

27. No path filtration for fopen()

28. Trust in input data: this time it is Content-Length. Mix-up of the size used for memory allocation and the size used for the copy.

29. Controlling the size of allocated memory. Size of the overflowed buffer is limited to 0x19000 (with default settings). Single thread. Some modules without ASLR, enough to build ROP. Demo.

30. Please read the RFC before GET / my webserver!

31. SSA-654382, SSA-456423. Affected devices: Siemens S7-1200 PLC, Siemens S7-1500 PLC. CVSS Base Score: 8.3

32. Tested on S7-1200 CPU 1212C AC/DC/Rly, 6ES7 212-1BD30-0XB0, firmware V 2.2.0

33. Session cookies (base64, then the same values in hex):
   PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM=
   uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM=
   Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM=
   tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM=
   3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
   b8b8875d9513cb618c823af52a682670d37fa1c30001000200028ad70a00aac800000000000000008ad72143
   32efef822220b6bc6ad0b569dba9e432d37fa1c30001000300028ad70a00aac800000000000000008ad72143
   b631fabed35609f6be4191cf0ed0a729d37fa1c30002000300028ad70a00aac800000000000000008ad72143

34. 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
   = 3e6cd1f7bdf743cac6dcba708c21994f + d37fa1c30001000100028ad70a00aac800000000000000008ad72143
   3e6cd1f7bdf743cac6dcba708c21994f - ?
   d37fa1c3 - ?
   0001 - ?
   0001 - ?
   00028ad7 - ?
   0a00aac8 - ?
   00000000000000008ad72143 - ?

35. 3e6cd1f7bdf743cac6dcba708c21994f - MD5 of ? (16 bytes)
   d37fa1c3 - CONST (4 bytes)
   0001 - user logout counter (2 bytes)
   0001 - counter of issued cookies for this user (2 bytes)
   00028ad7 - value that doesn't matter (4 bytes)
   0a00aac8 - user IP address (10.0.170.200) (4 bytes)
   00000000000000008ad72143 - value that doesn't matter (12 bytes)
   So, what about 3e6cd1f7bdf743cac6dcba708c21994f ???

36. 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
   3e6cd1f7bdf743cac6dcba708c21994f = MD5( NEXT 26 BYTES OF COOKIE + 16 BYTES OF SECRET + 2 NULL BYTES )
   What is SECRET ?

37. SECRET is generated after PLC start by a PRNG. The PRNG is a little bit harder than the standard C PRNG. SEED in {0x0000, 0xFFFF}. It's too much for bruteforce (PLC so tender >_
   [...] = 1 successful login to the PLC after the last restart; SNMP enabled and known read community string (but by default it's public). BUT IT DOES NOT NEED LOGIN AND PASSWORD !!!

44. CVE Timeline: end of July 2013, vulnerability discovered; 5 August 2013, vendor notified; 20 March 2014, patch released, first public advisory.
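The three web server defects on slides 26-29 (unchecked strtok() result, unfiltered path passed to fopen(), Content-Length trusted for the allocation while a different size governs the copy) beside the checks that close them, as an added example that is not code from the talk or from any vendor's product; the mini handler, BODY_MAX and every function name here are hypothetical.

```c
/* Added example (not from the talk or any vendor): a hypothetical mini
 * HTTP handler reconstructing the bug classes of slides 26-29 next to
 * the hardened variants a reviewer would ask for. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define BODY_MAX 0x19000  /* largest body the handler is willing to buffer */

/* Slide 26: strtok() yields NULL when "GET\n" carries no path token. */
int parse_request_line_unsafe(char *line, char **path) {
    (void)strtok(line, " ");
    *path = strtok(NULL, " ");
    return (int)strlen(*path);        /* NULL dereference on "GET\n" */
}

/* Hardened: every strtok() result is checked before use, and the path
 * is refused when it contains a traversal sequence (slide 27). */
int parse_request_line_safe(char *line, char **path) {
    char *method = strtok(line, " \r\n");
    if (method == NULL || strcmp(method, "GET") != 0) return -1;
    *path = strtok(NULL, " \r\n");
    if (*path == NULL || **path != '/') return -1;
    if (strstr(*path, "..") != NULL) return -1;
    return (int)strlen(*path);
}

/* Slide 28: buffer sized from the Content-Length header, copy sized
 * from the bytes actually received; the two are never compared. */
char *read_body_unsafe(const char *hdr_len, const char *data, size_t got) {
    size_t want = (size_t)strtoul(hdr_len, NULL, 10);
    char *buf = malloc(want);         /* size taken from the header ... */
    if (buf == NULL) return NULL;
    memcpy(buf, data, got);           /* ... copy uses a different size */
    return buf;
}

/* Hardened: one validated, bounded length governs allocation and copy. */
char *read_body_safe(const char *hdr_len, const char *data, size_t got) {
    char *end;
    errno = 0;
    unsigned long want = strtoul(hdr_len, &end, 10);
    if (errno != 0 || end == hdr_len || *end != '\0') return NULL;
    if (want > BODY_MAX || want != got) return NULL;  /* mismatch rejected */
    char *buf = malloc(want + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, data, want);
    buf[want] = '\0';
    return buf;
}
```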
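A decoder for the 44-byte cookie layout on slides 34-36, added here as an example and not code from the talk; the field names follow the slides, while the struct, the function names and COOKIE_LEN are this example's own.

```c
/* Added example (not from the talk): parses the S7-1200 web session
 * cookie exactly as slides 34-36 lay it out, so the fields that make
 * the token predictable can be inspected. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 44  /* 16 MD5 + 4 const + 2 + 2 + 4 + 4 IP + 12 */

typedef struct {
    uint8_t  md5[16];        /* MD5(next 26 bytes + 16-byte secret + 2 NULs) */
    uint32_t magic;          /* constant d37fa1c3 in every sample */
    uint16_t logout_counter; /* user logout counter */
    uint16_t cookie_counter; /* cookies issued for this user */
    uint32_t ip;             /* client IPv4 address, big-endian */
} s7_cookie;

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Decodes the hex form of a cookie; returns 0 on success, -1 on bad input. */
int parse_s7_cookie(const char *hex, s7_cookie *out) {
    uint8_t raw[COOKIE_LEN];
    if (strlen(hex) != COOKIE_LEN * 2) return -1;
    for (size_t i = 0; i < COOKIE_LEN; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        raw[i] = (uint8_t)(hi << 4 | lo);
    }
    memcpy(out->md5, raw, 16);
    out->magic = be32(raw + 16);
    out->logout_counter = (uint16_t)(raw[20] << 8 | raw[21]);
    out->cookie_counter = (uint16_t)(raw[22] << 8 | raw[23]);
    /* raw[24..27] and raw[32..43]: bytes the talk found do not matter */
    out->ip = be32(raw + 28);
    return 0;
}

/* Renders the embedded client address in dotted form, e.g. 10.0.170.200. */
void s7_cookie_ip(const s7_cookie *c, char out[16]) {
    snprintf(out, 16, "%u.%u.%u.%u", (unsigned)(c->ip >> 24),
             (unsigned)(c->ip >> 16) & 0xffu, (unsigned)(c->ip >> 8) & 0xffu,
             (unsigned)c->ip & 0xffu);
}
```

Run over the four samples from slide 33, the decoder shows that everything outside the MD5 is a constant, a small counter or the client address, so the token's unpredictability rests entirely on the 16-byte secret.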