
SCADA Hacking Clear and Present Danger ITAC 2014 02 Oct 2014 - PowerPoint PPT Presentation



  1. SCADA Hacking: Clear and Present Danger, ITAC 2014 – 02 Oct 2014. Presented by: Francis Brown, Bishop Fox, LLC, www.bishopfox.com

  2. Agenda - OVERVIEW
    • Introduction/Background
    • Targeting SCADA Systems
      • Google/Bing/SHODAN Hacking
      • Port, SNMP, and Other Active Scanning
      • Metasploit SCADA Scanning Modules
      • Internet Census 2012 – data mining (NEW, Mar 2013)
    • Attacking SCADA Systems
      • Attacking admin interfaces: telnet, SSH, web, etc.
      • Metasploit and SCADA exploitation
      • Password attacks against SCADA
      • Wireless and Bluetooth attacks
      • Physical attacks on SCADA networks (EXCLUSIVE FIRST LOOK)
    • Defenses

  3. Introduction/Background - GETTING UP TO SPEED

  4. Stuxnet Virus, Jun 2010 - BORN IN THE U.S.A.

  5. SCADA Vulnerabilities, Jan 2012 - EXPLOIT RELEASES

  6. SCADA Vulnerabilities, Jan 2012 - MAJOR SCADA VENDORS

  7. SCADA Vulnerabilities, Jan 2012 - EXPLOIT RELEASES

  8. Project Basecamp, Jan 2012 - SCADA VULNERABILITIES

  9. SCADA Vulnerabilities, Jan 2012 - MASS TARGETING
    PhD student connects 29 SHODAN queries to Google Maps

  10. San Diego Blackout - PHYSICAL SAFEGUARDS FAIL
    “Once this line went out, it cascaded and overloaded other lines,” Cordaro said. “It’s not supposed to happen.”

  11. Electric Grid Blues, May 2013 - WHEN THE LIGHTS GO OUT

  12. Electric Grid Blues, May 2013 - WHEN THE LIGHTS GO OUT

  13. Iran Hacker Threat, May 2013 - RETURN FIRE

  14. Targeting SCADA Systems - TRY NOT TO TRIP OVER ALL THE SYSTEMS

  15. Diggity Tools - SEARCH ENGINE HACKING

  16. Google Diggity - DIGGITY CORE TOOLS

  17. SCADA and Google - GOOGLE HACKING
    • Targeting SCADA systems via Google, Bing, etc.

  18. SCADA and Google - GOOGLE HACKING
    • Targeting SCADA systems via Google, Bing, etc.

  19. Bing Diggity - DIGGITY CORE TOOLS

  20. SCADA and Bing - BING HACKING
    • Targeting SCADA systems via Google, Bing, etc.

  21. SHODAN Diggity - NEW GOOGLE HACKING TOOLS

  22. SHODAN Popularity - MASS TARGETING OF SCADA

  23. SHODAN - HACKER SEARCH ENGINE
    • Indexes service banners across the whole Internet for HTTP (port 80), as well as some FTP (21), SSH (22) and Telnet (23) services

  24. SHODAN - FINDING SCADA SYSTEMS

  25. SHODAN Diggity - FINDING SCADA SYSTEMS

  26. Target SCADA - CRITICAL INFRASTRUCTURE SECURITY
    • Supervisory control and data acquisition

  27. Target SCADA - CRITICAL INFRASTRUCTURE SECURITY
    • SHODAN: Target Acquired!

  28. SHODAN Alerts - ADVANCED DEFENSE TOOLS

  29. SHODAN Alerts - SHODAN RSS FEEDS

  30. Internet Census 2012 - NMAP OF ENTIRE INTERNET
    • ~420k-node botnet used to run Nmap against the entire IPv4 address space
    • ICMP sweeps, SYN scans, reverse DNS, and service probes of 662 ports
    • Free torrent of 568 GB of Nmap results (9 TB decompressed)

  31. HD’s Serial Offenders - DATA MINING CENSUS

  32. HD’s Serial Offenders - DATA MINING CENSUS

  33. SNMP Scan for SCADA - SCANNING FOR SCADA
    Serial Port Device Exposure: SNMP
    • SNMP “public” System Description
    • Over 114,000 Digi and Lantronix devices expose SNMP
    • Over 95,000 Digi devices connected via GPRS, EDGE, & 3G
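The SNMP check on this slide is easy to reproduce without any SNMP library. The script below is an added example (mine, not from the deck or from Bishop Fox): it hand-encodes an SNMPv1 GetRequest for sysDescr.0 with community "public", sends it to UDP/161, parses the GetResponse and flags banners that mention the gateway families the deck names. The GATEWAY_MARKERS list and the build_sample_response() fixture are constructed for this example; the encoder and parser follow RFC 1157 BER, which is what the offline round trip through the fixture exercises.

```python
"""SNMP sysDescr sweep for serial-to-Ethernet gateways (Digi, Lantronix).
SNMPv1 GetRequest/GetResponse (RFC 1157) are BER-encoded by hand, so only the
standard library is needed. build_sample_response() is a CONSTRUCTED fixture."""
import socket
import sys

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0
GATEWAY_MARKERS = ("digi", "portserver", "connectport", "lantronix", "xport")  # assumed list

def ber_len(n):                                   # BER length: short form < 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def encode_int(n):
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def encode_oid(oid):                              # first two arcs share an octet, rest base-128
    out = bytes([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = bytes([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
            arc >>= 7
        out += chunk
    return tlv(0x06, out)

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)

def read_tlv(buf, pos):                           # -> (tag, value, next_pos); raises on junk
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def build_get_request(community, oid, request_id=1):   # one OID, value slot is NULL
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)

def parse_get_response(data):                     # -> (request_id, error_status, {oid: value})
    tag, msg, _ = read_tlv(data, 0)
    _, _, pos = read_tlv(msg, 0)                  # version
    _, _, pos = read_tlv(msg, pos)                # community
    ptag, pdu, _ = read_tlv(msg, pos)
    if tag != 0x30 or ptag != 0xA2:
        raise ValueError("not an SNMPv1 GetResponse")
    _, rid, pos = read_tlv(pdu, 0)
    _, err, pos = read_tlv(pdu, pos)
    _, _, pos = read_tlv(pdu, pos)                # error-index
    _, vbl, _ = read_tlv(pdu, pos)
    results, p = {}, 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid_raw, q = read_tlv(vb, 0)
        vtag, value, _ = read_tlv(vb, q)
        results[decode_oid(oid_raw)] = value if vtag == 0x04 else None   # OCTET STRING only
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), results)

def classify(sysdescr):                           # markers present; [] = not a known gateway
    low = sysdescr.lower()
    return [m for m in GATEWAY_MARKERS if m in low]

def query_sysdescr(host, community="public", timeout=2.0):
    """One UDP/161 round trip; None on timeout, SNMP error or unparsable reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, SYS_DESCR_OID), (host, 161))
        data, _ = sock.recvfrom(4096)
        _, err, varbinds = parse_get_response(data)
    except (OSError, ValueError, IndexError):
        return None
    finally:
        sock.close()
    value = varbinds.get(SYS_DESCR_OID)
    return None if err or value is None else value.decode("utf-8", "replace")

def build_sample_response(sysdescr, request_id=1):   # CONSTRUCTED reply, for offline parser tests
    vb = tlv(0x30, encode_oid(SYS_DESCR_OID) + tlv(0x04, sysdescr))
    pdu = tlv(0xA2, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vb))
    return tlv(0x30, encode_int(0) + tlv(0x04, b"public") + pdu)

if __name__ == "__main__":                        # usage: python snmp_sweep.py host [host ...]
    for host in sys.argv[1:]:                     # only hosts you are authorised to test
        descr = query_sysdescr(host)
        if descr:
            print(host, repr(descr), classify(descr) or "-")
```

A real sweep of the Census data would fan this out with a thread pool and rate limit per /24; the single-shot query_sysdescr() is deliberately minimal so the wire format stays visible. Note the request goes out with a NULL value slot and the reply comes back in the same varbind shape with the OCTET STRING filled in, which is why one parser serves both directions.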

  34. Internet Census 2012 - SNMP RESULTS

  35. Internet Census 2012 - SNMP RESULTS

  36. Internet Census 2012 - SNMP RESULTS

  37. Port Scanning for SCADA - SCANNING FOR SCADA
    • Port range depends on the vendor
    • Lantronix uses 2001-2032 and 3001-3032
    • Digi uses 2001-2099
    • Connect and you immediately have the serial port
    • Linux root shells sitting on ports 2001/3001

  38. Port Scanning for SCADA - SCANNING FOR SCADA
    • Digi uses the RealPort protocol on port 771
    • The encrypted (SSL) version is on port 1027
    • 9,043 unique IPs expose RealPort (IC2012)
    • Digi can expose up to 64 ports this way
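Sweeping those ranges is a plain TCP connect plus a read of whatever greets you. The script below is an added example (not the deck's or Bishop Fox's code) that builds the Lantronix and Digi port lists from slides 37 and 38, connects to each, nudges silent ports with a newline, and labels the greeting as an unauthenticated shell, a login prompt, a CLI prompt or unknown. The prompt heuristics in classify_banner() and the vendor/port table are this example's assumptions; RealPort (771/1027) is a binary protocol, so it is reported as open but not banner-classified.

```python
"""Probe the serial-to-TCP port ranges the deck lists for Lantronix and Digi
device servers and classify whatever greets you on connect."""
import socket
import sys

# Port ranges from the deck (slides 37/38). RealPort is binary, so it is listed but not classified.
VENDOR_PORTS = {
    "lantronix": list(range(2001, 2033)) + list(range(3001, 3033)),
    "digi": list(range(2001, 2100)),
}
REALPORT_PORTS = {771: "realport", 1027: "realport-ssl"}


def classify_banner(banner):
    """Label what a freshly connected TCP serial port handed us (heuristics assumed here).

    'shell'        -> prompt ending in # or $ with no login step (the root shells on slide 37)
    'login-prompt' -> something at least asks for credentials
    'cli-prompt'   -> vendor/console CLI prompt ending in >
    'unknown'      -> data that matched none of the above
    None           -> nothing at all (silent port, or no connection)
    """
    if banner is None:
        return None
    lines = [ln.strip() for ln in banner.decode("latin-1").splitlines() if ln.strip()]
    if not lines:
        return None
    last = lines[-1]
    if last.endswith(("#", "$")):
        return "shell"
    if "login" in last.lower() or "password" in last.lower():
        return "login-prompt"
    if last.endswith(">"):
        return "cli-prompt"
    return "unknown"


def _recv_quiet(sock, size=1024):
    try:
        return sock.recv(size)
    except socket.timeout:
        return b""


def probe(host, port, timeout=3.0, nudge=b"\r\n"):
    """Connect and read the greeting; if silent, send a newline (consoles often print a
    prompt only after a keypress) and read again. None if closed or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = _recv_quiet(s)
            if not banner.strip():
                s.sendall(nudge)
                banner += _recv_quiet(s)
            return banner
    except OSError:
        return None


def scan(host, vendor, timeout=3.0):
    """Yield (port, label, banner_prefix) for every open port in the vendor range plus RealPort."""
    for port in list(REALPORT_PORTS) + VENDOR_PORTS[vendor]:
        banner = probe(host, port, timeout)
        if banner is None:
            continue
        label = REALPORT_PORTS.get(port) or classify_banner(banner) or "silent"
        yield port, label, banner[:80]


if __name__ == "__main__":
    # usage: python serial_ports.py <host> <lantronix|digi>   (only hosts you are authorised to test)
    host, vendor = sys.argv[1], sys.argv[2]
    for port, label, banner in scan(host, vendor):
        print(f"{host}:{port}\t{label}\t{banner!r}")
```

The "shell" label is the one that matters: a port that answers a bare connect with a `#` prompt is the unauthenticated root console the slide describes, and nothing in that session will show up as a failed login anywhere. The newline nudge is worth keeping; many serial consoles print nothing until they see input, so a scanner that only listens will under-report.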

  39. Metasploit’n SCADA - POINT N CLICK SCARY
    Serial Port TCP Multiplexed Services
    • Scanning for RealPort services via Metasploit

  40. Metasploit’n SCADA - POINT N CLICK SCARY
    Serial Port TCP Multiplexed Services
    • Scanning for RealPort shells via Metasploit

  41. Metasploit’n SCADA - POINT N CLICK SCARY

  42. Metasploit’n SCADA - POINT N CLICK SCARY
    Serial Port Device Exposure: ADDP
    • ADDP: Advanced Device Discovery Protocol
    • Obtain the IP settings of a remote Digi device
    • Metasploit scanner module implemented

  43. Metasploit’n SCADA - POINT N CLICK SCARY
    Serial Port Device Exposure: ADDP (continued)
    • Third-party products are often hardcoded for ADDP
    • No configuration interface to disable the ADDP protocol
    • Often no way to change the “dbps” password
    • Metasploit includes an ADDP reboot module

  44. Metasploit’n SCADA - POINT N CLICK SCARY

  45. Metasploit’n SCADA - POINT N CLICK SCARY

  46. Metasploit’n SCADA - POINT N CLICK SCARY

  47. Default Passwords - SCADA PASSWORD ATTACKS
    • Digi equipment defaults to root:dbps for authentication
    • Digi-based products often have their own defaults (“faster”)
    • Lantronix varies based on hardware model and access
    • root:root, root:PASS, root:lantronix, access:system
    • Passwords seen were “dbps”, “digi”, & “faster”

  48. Hard-Coded Passwords - SCADA PASSWORD ATTACKS

  49. Password Bruteforcing - SCADA PASSWORD ATTACKS

  50. Password Bruteforcing - SCADA PASSWORD ATTACKS

  51. Password Cracking - SCADA PASSWORD ATTACKS

  52. Password Cracking - SCADA PASSWORD ATTACKS

  53. Wireless Attacks - SCADA WIRELESS ATTACKS

  54. RFID Hacking Tools - TOOLS

  55. Badge Basics
    Name                        Frequency               Distance
    Low Frequency (LF)          120 kHz – 140 kHz       <3 ft (commonly under 1.5 ft)
    High Frequency (HF)         13.56 MHz               3-10 ft
    Ultra-High Frequency (UHF)  860-960 MHz (regional)  ~30 ft

  56. Typical Attack - A$$ GRABBING METHOD
    Existing RFID hacking tools only work within a few centimeters of the badge

  57. Programmable Cards - Cloning to T55x7 card using Proxmark 3
    • HID Prox cloning – example:
    • Indala Prox cloning – example:

  58. Pwn Plug - MAINTAINING ACCESS

  59. Defenses - PROTECT YO NECK

  60. Defenses - SCADA PROTECTION
    From HD Moore’s “Serial Offenders” recommendations:

  61. Defenses - SCADA PROTECTION
    Snort and SCADA
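The point of pairing Snort with SCADA is that this traffic is easy to alert on once you know the ports. The Python below is an added example, not material from the deck: it applies the same rules you would write for Snort to constructed, Zeek-style connection records, flagging any source outside a trusted management range that talks to the serial-server ports from slides 37/38 (771, 1027, 2001-2099, 3001-3032) or to SNMP (slide 33), then picks out sources that sweep several of those ports. UDP/2362 for ADDP and the 10.20.0.0/16 trusted range are assumptions of this example rather than figures from the deck, and the log lines are constructed, not captured.

```python
"""Flag traffic to the serial-server ports named in the deck from outside trusted ranges.
The conn records below are CONSTRUCTED for this example (Zeek-style, tab-separated)."""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "ts src dst proto dport")

# Detection rules: (name, protocol, destination ports). 771/1027, 2001-2099/3001-3032 and
# SNMP 161 come from the deck; UDP 2362 for ADDP is an ASSUMPTION of this example.
RULES = (
    ("realport", "tcp", frozenset({771, 1027})),
    ("serial-tcp-port", "tcp", frozenset(range(2001, 2100)) | frozenset(range(3001, 3033))),
    ("snmp", "udp", frozenset({161})),
    ("addp-discovery", "udp", frozenset({2362})),
)

TRUSTED_NETS = ("10.20.0.0/16",)   # assumed OT management range allowed to reach these devices

SAMPLE_LOG = """\
#ts\tsrc\tdst\tproto\tdport   (constructed sample, not real traffic)
1380000000.1\t10.20.0.5\t10.30.0.11\ttcp\t2001
1380000001.2\t203.0.113.9\t10.30.0.11\ttcp\t2001
1380000002.3\t203.0.113.9\t10.30.0.11\ttcp\t771
1380000003.4\t203.0.113.9\t10.30.0.11\ttcp\t2002
1380000004.5\t203.0.113.9\t10.30.0.11\ttcp\t2003
1380000005.6\t198.51.100.4\t10.30.0.12\tudp\t161
1380000006.7\t198.51.100.4\t10.30.0.12\ttcp\t443
1380000007.8\t10.20.0.7\t224.0.5.128\tudp\t2362
"""


def parse_conn_log(text):
    """Tab-separated 'ts src dst proto dport' lines; '#' lines are comments/headers."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split("\t")[:5]
        conns.append(Conn(float(ts), src, dst, proto.lower(), int(dport)))
    return conns


def find_exposures(conns, trusted_nets=TRUSTED_NETS):
    """(ts, rule, src, dst, dport) for each record from an untrusted source to a watched port."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for c in conns:
        if any(ipaddress.ip_address(c.src) in n for n in nets):
            continue
        for name, proto, ports in RULES:
            if c.proto == proto and c.dport in ports:
                alerts.append((c.ts, name, c.src, c.dst, c.dport))
    return alerts


def sweeps(alerts, min_ports=3):
    """Sources hitting >= min_ports distinct watched ports: a sweep of serial channels,
    not a single stray connection."""
    seen = {}
    for _, _, src, _, dport in alerts:
        seen.setdefault(src, set()).add(dport)
    return sorted(s for s, ports in seen.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    found = find_exposures(parse_conn_log(SAMPLE_LOG))
    for ts, rule, src, dst, dport in found:
        print(f"{ts:.1f}\t{rule:16}\t{src} -> {dst}:{dport}")
    print("sweeping sources:", sweeps(found))
```

The trusted-range exclusion is the part to get right: if the management jump host is not in TRUSTED_NETS, every legitimate console session becomes an alert and the rule gets disabled within a week. The sweep aggregation is what separates an Internet Census-style scanner from one stray connection and is worth a higher severity.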

  62. Defenses - SCADA PROTECTION

  63. Defenses - SCADA PROTECTION
    NIST and other guidance docs:

  64. Thank You - Bishop Fox, www.bishopfox.com
