OT Security Presentation

1. MMXX
JOSE RAMON PALANCO
OT Security
ElevenPaths (Telefónica)

2. Who am I
• José Ramón Palanco
• VT Threat Intelligence ElevenPaths
• Member of: MLW.re, YARA EXCHANGE, etc…
• Skills:
• Pentester
• Reverser
• Vulnerability Researcher
• Programmer (C, Python, Java, Go, …)
• Entrepreneur (drainware, dinoflux, …)
2

3. Agenda
• Intro
• OT Protocols
• OT Lab
• Malware
• Projects
3

4. INTRO

5. What is it?
5

6. What is it?
6
Operational Technology (OT) refers to computing systems
that are used to manage industrial operations as opposed to
administrative operations. Operational systems include
production line management, mining operations control,
oil & gas monitoring etc.
Industrial control systems (ICS) is a major segment within the
operational technology sector. It comprises systems that are
used to monitor and control industrial processes. This could
be mine site conveyor belts, oil refinery cracking towers, power
consumption on electricity grids or alarms from building
information systems. ICSs are typically mission-critical
applications with a high-availability requirement.

7. DISCLAIRME
7
Attacks against critical
infrastructures (even
sending an ICMP packet)
can cause material or
personal damages.

8. Where can you find it?
8

9. Applications
•Monitor process
•Manage remote services
•Store historical data
9

10. Origins
•Parallel architecture for industry
•Availability oriented
•10 years behind IT Security
10

11. Diagram
11

12. PLC
•Network device
•Embedded system
•Proprietary communication stack
•Applications
•Firmware updates can be reversed
(credentials, backdoors..)
12

13. HMI
•Network device
•Embedded system
•Proprietary communication stack
•Applications
•Firmware updates can be reversed
(credentials, backdoors..)
13

14. End Devices
•Several kind:
•Sensor
•Valve
•Pump
•Report to PLC
14

15. Communications
•Ethernet
•Mobile phone based (GSM, GPRS, …)
•RS232/485
•WiFi
•ZigBee
•6lowpan
•Proprietary
15

16. Protocols
•Modbus
•DNP3
•OPC
•IEC 60870
•BACnet
•LonWorks
•EPICS
•FINS
•MTConnect
•MCConnect
•SLMP
•FOX
16

17. Procol attack
•Sniff
•Mostly plain, so its possible to
capture credentials, services,
systems, …
•Spoof
•Fuzz
17

18. Common problems
•Connected to internet (shodan)
•Obsolete but stable operating systems
•Defaults credentials
•Not updated. Not patched
•Easy to exploit
•Weak protocol stack implementations
18

19. Attack Vectors
•We will find a Homer always
•Pendrive
•Not working programs installed
•Insecure radio communications
•Ignorance of real network topology
19

20. Tools
• PLC Scan: https://github.com/yanlinlin82/plcscan
• Smod: https://github.com/enddo/smod
• MBGet: https://github.com/sourceperl/mbtget
• PLCInject: https://github.com/SCADACS/PLCinject
• Nmap SCADA: https://github.com/jpalanco/nmap-scada
• Sulley: https://github.com/OpenRCE/sulley
20

22. Simatic S7 300
22

23. Simatic S7 300
22

24. Simatic S7 300
22

25. Simatic S7 300
22

26. PCL Programming
23
Cont (Similar to Ladder)
List (Similar to
Assembler)
Log (Similar to
Graphset)

27. PLC Block Oriented Functions
24

28. PLC Communication protocols
• Listening on 102/tcp
• ISO-TSAP protocol
25
Profibus
R485 Serial
Profinet
Ethernet

29. Hands on attack:
Dinamic code injection
26
Atacker
host
Step 7 cli
Get OB
Modify OB
Push OB

30. Hands on attack:Security
27
Password protected access
Funny SCADA tools composed by five
Python scripts
• s7_password_hash_extractor()
Extract the password hash from the
PEData.plf file. You will find the *.plf file
into the PLC configuration.
• s7_brute_offline()
The number of connections attempts is
unlimited. We need only 5 minutes to
find the right password.
Code source protected
Thus, the code source of block is
“normally” protected (i.e unreadable).
But in fact, we can easily bypassing
this protection just by modifying from
the 16th bytes to 22nd bytes in binary
MC7 code.
It is the same hexadecimal value for all
unprotected block.

31. Hands on code: Dinamic code injection
28
Get OB Push OB

32. Easier…
29
..if we compromise a machine with TIA Portal

33. Most PLC are vulnerable
• SIL Certification (IEC 61508) doesn’t evaluate security
• Modern PLCs are micro-processor-based, programmable
systems that are configured with a basic Windows PC
• Major PLC integrate control and safety system using Ethernet
communication with open insecure protocols (Profinet, Modbus
TCP, OPC.),
• Many PLC communication interface modules run embedded
Operating System and Ethernet stack that have known
vulnerabilities and default configurations.
30

34. OT LAB

35. Lab
• Damn Vulnerable ARM Router (DVAR)
32

36. Radio Hacking with SDR
• Software
• GNU Radio
• Gqrx
• Hardware
• RTL (Receive only)
• HackRF (1 channel)
• BladeRF
• LimeSDR
33

37. Radio Hacking: Gqrx
34

38. Radio Hacking: GNU RADIO + BLADERF = 6LowPAN
35

39. Hardware hacking: UART ACCESS
• UART PINOUT
36

40. Hardware hacking: Bus Pirate
37

41. Hardware hacking: BUS PIRATE
• Serial connection to BP
38

42. Hardware hacking: BUS PIRATE
39

43. Hardware hacking: JTAG Debug
• stlink (for STM32 boards)
• Connect the CLK pad on the pcb
to SWCLK on the st-link.
• Connect DAT pad to SWDIO.
• Connect grounds GND and ST-link
GND together.
40

44. Hardware hacking: JTAG Debug
• openocd to:
• GDB: arm-none-eabi-gdb -tui /path/to/file.elf
• >target remote localhost:4444
• R2: r2 -a arm -b 32 -D gdb gdb://127.0.0.1:4444
41

45. Hardware hacking: JTAG Debug
• Dump flash
• st-flash read /tmp/output.bin 0x8000000 0x8000
• Reverse with IDA Pro
42

46. Hardware hacking: JTAGULATOR
• Bruteforce JTAG pinout
43

47. Example firmware reversing
• Siemens S7 SCALANCE X200
• Download firmware X200V2_V4321_Firmware.exe
• Strings: WinZip Self-Extractor-Dateikopf ung
44

48. Example firmware reversing
$ unzip X200V2_V4321_Firmware.exe
Archive: X200V2_V4321_Firmware.exe
inflating: X200V2_V4.3.21_Firmware.fwl
45

49. Example firmware reversing
$ binwalk X200V2_V4.3.21_Firmware.fwl
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
116 0x74 ELF 32-bit LSB executable, ARM, version 1 (ARM)
33684 0x8394 LZMA compressed data, properties: 0x5D, dictionary size: 2097152
bytes, uncompressed size: 11015760 bytes
46

50. Example firmware reversing
Extraction:
$ binwalk -eM -f binwalk.log X200V2_V4.3.21_Firmware.fwl
• Private RSA Keys
• Private SSH Key
• HTML Files
• Images
• …
47

51. Example firmware reversing
Usage: %s %s
User name | Password
-----------+-------------
%10s | %4s
debug
%10s | ****
User account was not found.
Password is to long, max %d symbols.
Password for %s is set.
admin
Null lenght password is set.
48

52. Example firmware reversing
SIMATIC-NET FW-Loader
Scalance X200RT
6GK5206-1BB00-2AA3
Flash S29GL
vxWorks.LAD
VxWorks
5.5.1
VxWorks5.5.1
Jun 29 2011, 14:27:49
...
49

53. Example firmware reversing
$ dd if=X200V2_V4.3.21_Firmware.fwl bs=1 skip=116 count=33568 of=arm.bin
File (magic)
arm.bin: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
IDA PRO
50

54. MALWARE

55. STUXNET
• WinCC: Hardcoded passwords
• STEP 7 hooked
• Centrifuges PLC trojanized
• Replicable thru pendrives
52

70. PROJECTS

71. Yara IDSIndustrial Protocol Intrusion Detection System

72. The problem
HAVEX
STUXNET
DUQU
RED OCTOBER
FLAME
SHAMOON
TRITON/TRISIS
58

73. Malware Hunting?
rule Shamoon_2_0
{
meta:
author = "Jose Ramon Palanco"
date = "2017-03-06"
description = "Shamoon 2.0"
OriginalFilename = "ntertmgr32.exe"
ref = https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf
strings:
$magic = { 4d 5a }
$s0 = { 39 33 39 39 39 45 39 4b 39 54 39 5a 39 63 39 6f 39 75 39 0d 0a }
$s1 = { 44 49 48 4b 4b 4b }
$s2 = { 32 45 32 4b 32 52 32 59 32 79 32 66 33 73 33 }
$s3 = { 33 64 33 68 33 6c 33 70 33 74 33 78 33 }
condition:
$magic at 0 and all of ($s*) and filesize > 1590KB
}
59

74. 60

75. 60

76. 61
Where to perform malware hunting?
Memory
None
Network
File System

77. 62

78. 63

79. 64
Where to perform malware hunting?
Memory
None File System
Network

80. Snort to the rescue
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
( msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound
connection"; flow:to_server,established; http_header;
content:"User-Agent|3A|
WinHttpClient",fast_pattern,nocase; http_raw_uri;
content:"//Home/"; metadata:impact_flag red,policy
balanced-ips drop,policy security-ips drop,ruleset
community; service:http;
reference:url,blog.vectranetworks.com/blog/an-analysis-
of-the-shamoon-2-malware-attack; classtype:trojan-
activity; sid:42128; rev:1; )
65

81. Now with Yara….
66

82. 67

83. RECIPE
• python
• dpkt
• yara
68

84. 1. Read packets
pcap_file = open('file.pcap')
pcap = dpkt.pcap.Reader(pcap_file)
for ts, buf in pcap:
process(buf)
69

85. 2. Process packets
def process(buf):
eth = dpkt.ethernet.Ethernet(buf)
ip = eth.data
tcp = ip.data
data = tcp.data
signature = check_yara(data)
if signature:
print(signature)
70

86. 3. Check yara
def check_yara(buf):
rules =
yara.compile(filepath='file.yar')
matches = rules.match(data=buf)
if matches:
return matches
71

87. SCADA/ICS Rule Collection (222)
• Modbus (19)
• DNP3 (10)
• EIP (7)
• FINS (37)
• MCCONNECT (46)
• MTCONNECT (8)
• OPC-DA (3)
• OPC-UA (8)
• SLMP (38)
• Siemens S7 (13)
• MQTT (5)
• Exploits (28)
72

88. DEMO
DEMO TIME
73

89. Teaser
• MOLE IDS
• Implemented in GO
• Support PF_RING
• Multithread
• Telco Roaming and
Signaling attacks
74

90. NMAP FOR SCADADiscover SCADA/ICS Devices in the network

91. NMAP SCADA
• Discovery: Siemens S7 Family devices
• WINCC (netbios)
• CommunicationsProcessor (http)
• SIMATIC (http)
• HMI (http)
• Generic S7 device(http)
• SCALANCE (snmp)
76

92. DEMO
DEMO TIME
77

93. NMAP SCADA
78

94. NMAP SCADA
79

95. NMAP SCADA
80