
SCADA Hacking Clear and Present Danger ITAC 2014 02 Oct 2014 - PowerPoint PPT Presentation



  1. SCADA Hacking: Clear and Present Danger. ITAC 2014 – 02 Oct 2014. Presented by: Francis Brown, Bishop Fox, LLC, www.bishopfox.com

  2. Agenda – OVERVIEW • Introduction/Background • Targeting SCADA Systems • Google/Bing/SHODAN Hacking • Port, SNMP, and Other Active Scanning • Metasploit SCADA Scanning Modules • Internet Census 2012 – data mining (NEW, Mar 2013) • Attacking SCADA Systems • Attacking admin interfaces: telnet, SSH, web, etc. • Metasploit and SCADA exploitation • Password attacks against SCADA • Wireless and Bluetooth attacks • Physical attacks on SCADA networks (EXCLUSIVE FIRST LOOK) • Defenses

  3. Introduction/Background – GETTING UP TO SPEED

  4. Stuxnet Virus, Jun 2010 – BORN IN THE U.S.A.

  5. SCADA Vulnerabilities, Jan 2012 – EXPLOIT RELEASES

  6. SCADA Vulnerabilities, Jan 2012 – MAJOR SCADA VENDORS

  7. SCADA Vulnerabilities, Jan 2012 – EXPLOIT RELEASES

  8. Project Basecamp – SCADA VULNERABILITIES, Jan 2012

  9. SCADA Vulnerabilities, Jan 2012 – MASS TARGETING • PhD student connects 29 SHODAN queries to Google Maps

  10. San Diego Blackout – PHYSICAL SAFEGUARDS FAIL • “Once this line went out, it cascaded and overloaded other lines,” Cordaro said. “It’s not supposed to happen.”

  11. Electric Grid Blues, May 2013 – WHEN THE LIGHTS GO OUT

  12. Electric Grid Blues, May 2013 – WHEN THE LIGHTS GO OUT

  13. Iran Hacker Threat, May 2013 – RETURN FIRE

  14. Targeting SCADA Systems – TRY NOT TO TRIP OVER ALL THE SYSTEMS

  15. Diggity Tools – SEARCH ENGINE HACKING

  16. Google Diggity – DIGGITY CORE TOOLS

  17. SCADA and Google – GOOGLE HACKING • Targeting SCADA systems via Google, Bing, etc.

  18. SCADA and Google – GOOGLE HACKING • Targeting SCADA systems via Google, Bing, etc.

  19. Bing Diggity – DIGGITY CORE TOOLS

  20. SCADA and Bing – BING HACKING • Targeting SCADA systems via Google, Bing, etc.

  21. SHODAN Diggity – NEW GOOGLE HACKING TOOLS

  22. SHODAN Popularity – MASS TARGETING OF SCADA

  23. SHODAN – HACKER SEARCH ENGINE • Indexes service banners across the whole Internet for HTTP (port 80), as well as some FTP (21), SSH (22) and Telnet (23) services

  24. SHODAN – FINDING SCADA SYSTEMS

  25. SHODAN Diggity – FINDING SCADA SYSTEMS

  26. Target SCADA – CRITICAL INFRASTRUCTURE SECURITY • Supervisory Control and Data Acquisition

  27. Target SCADA – CRITICAL INFRASTRUCTURE SECURITY • SHODAN: Target Acquired!

  28. SHODAN Alerts – ADVANCED DEFENSE TOOLS

  29. SHODAN Alerts – SHODAN RSS FEEDS

  30. Internet Census 2012 – NMAP OF ENTIRE INTERNET • ~420k-node botnet used to run Nmap against the entire IPv4 address space • ICMP sweeps, SYN scans, reverse DNS, and service probes of 662 ports • Free torrent of 568 GB of Nmap results (9 TB decompressed)

  31. HD’s Serial Offenders – DATA MINING CENSUS

  32. HD’s Serial Offenders – DATA MINING CENSUS

  33. SNMP Scan for SCADA – SCANNING FOR SCADA • Serial Port Device Exposure: SNMP • SNMP “public” community, System Description (sysDescr) • Over 114,000 Digi and Lantronix devices expose SNMP • Over 95,000 Digi devices connected via GPRS, EDGE, and 3G

  34. Internet Census 2012 – SNMP RESULTS

  35. Internet Census 2012 – SNMP RESULTS

  36. Internet Census 2012 – SNMP RESULTS
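The SNMP slides above come down to one request: a GET for sysDescr (1.3.6.1.2.1.1.1.0) with the community string "public", and then a look at whether the answer names Digi or Lantronix. The block below is an added example, not code from the talk or from Bishop Fox. It hand-builds the SNMPv1 GetRequest in BER (so you can see exactly what goes on the wire), parses the GetResponse, and tags the vendor. The BER and SNMPv1 layout are standard; the vendor regexes and the sample device strings are assumptions and constructed test data, not Census results.

```python
"""SNMP sysDescr probe (added example, not from the talk). BER/SNMPv1 framing is
standard; VENDOR_PATTERNS and any sample device strings are assumptions."""
import re
import socket

SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"        # MIB-II system.sysDescr.0
VENDOR_PATTERNS = {                        # word-bounded so "Digital ..." is not tagged as Digi
    "Digi": re.compile(r"\bdigi\b", re.I),
    "Lantronix": re.compile(r"\blantronix\b", re.I),
}

def ber_len(n):
    """BER length: short form below 128, long form (0x80|count, then big-endian bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value):
    """INTEGER, two's-complement, minimal length (fine for request-id and error fields)."""
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)   # continuation bit on all but the last byte
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def build_get_request(community="public", oid=SYSDESCR_OID, request_id=1):
    """SNMPv1 GetRequest (PDU tag 0xA0) for a single OID with a NULL value."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def build_get_response(community, oid, value, request_id=1):
    """SNMPv1 GetResponse (PDU tag 0xA2); used here only to construct offline test data."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x04, value)))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def parse_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, bytes(buf[pos:pos + length]), pos + length

def parse_sysdescr_response(packet):
    """Walk a GetResponse and return (community, sysDescr); raise on a non-zero error-status."""
    tag, msg, _ = parse_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = parse_tlv(msg)
    _, community, p = parse_tlv(msg, p)
    pdu_tag, pdu, _ = parse_tlv(msg, p)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, _req_id, p = parse_tlv(pdu)
    _, err_status, p = parse_tlv(pdu, p)
    _, _err_index, p = parse_tlv(pdu, p)
    if int.from_bytes(err_status, "big"):
        raise ValueError(f"SNMP error-status {int.from_bytes(err_status, 'big')}")
    _, varbind_list, _ = parse_tlv(pdu, p)
    _, varbind, _ = parse_tlv(varbind_list)
    _, _oid, p = parse_tlv(varbind)
    vtag, value, _ = parse_tlv(varbind, p)
    if vtag != 0x04:
        raise ValueError("sysDescr value is not an OCTET STRING")
    return community.decode("latin-1"), value.decode("latin-1")

def classify_sysdescr(text):
    for vendor, pattern in VENDOR_PATTERNS.items():
        if pattern.search(text):
            return vendor
    return "other"

def query_sysdescr(host, community="public", timeout=2.0):
    """Live probe over UDP/161; only against systems you are authorised to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community), (host, 161))
        data, _ = sock.recvfrom(4096)
    return parse_sysdescr_response(data)
```

Offline, `parse_sysdescr_response(build_get_response("public", SYSDESCR_OID, b"..."))` exercises the whole encode/decode path; on a network, `query_sysdescr(host)` sends the 40-byte request that `build_get_request("public")` produces. The word-bounded vendor match is deliberate: a substring match on "digi" tags every "Digital ..." device as a Digi serial server.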

  37. Port Scanning for SCADA – SCANNING FOR SCADA • Port range depends on the vendor • Lantronix uses 2001-2032 and 3001-3032 • Digi uses 2001-2099 • Connect and you immediately get access to the port • Linux root shells sitting on ports 2001/3001

  38. Port Scanning for SCADA – SCANNING FOR SCADA • Digi uses the RealPort protocol on port 771 • The encrypted (SSL) version is on port 1027 • 9,043 unique IPs expose RealPort (IC2012) • Digi can expose up to 64 serial ports this way
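Slides 37 and 38 give the port ranges; the block below turns them into a small triage scanner. It is an added example, not a tool from the talk or from Bishop Fox. The vendor port ranges and the RealPort ports are taken from the slides; the banner heuristics (a trailing `#` means an unauthenticated root prompt, a silent open port is treated as a raw serial tunnel) and the sample responses used for the offline run are assumptions and constructed data.

```python
"""Serial-server port triage (added example, not from the talk). Port ranges come
from the slides; the prompt heuristics and SAMPLE_RESPONSES are assumptions."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Per-vendor TCP port ranges quoted on the slides (RealPort 771/1027 are Digi-specific).
VENDOR_PORTS = {
    "lantronix": list(range(2001, 2033)) + list(range(3001, 3033)),
    "digi": list(range(2001, 2100)) + [771, 1027],
}
# Ports whose mere presence identifies the service, whatever the banner says.
WELL_KNOWN = {771: "Digi RealPort (cleartext)", 1027: "Digi RealPort (SSL)"}

def candidate_ports(*vendors):
    """Sorted union of the port ranges for the named vendors (default: every vendor)."""
    chosen = vendors or tuple(VENDOR_PORTS)
    return sorted({p for v in chosen for p in VENDOR_PORTS[v]})

def classify(port, data):
    """Heuristic label for what an open serial-server port handed back."""
    if port in WELL_KNOWN:
        return WELL_KNOWN[port]
    text = data.decode("latin-1", "replace")
    tail = text.rstrip()
    if tail.endswith("#"):
        return "unauthenticated root shell prompt (#)"
    if tail.endswith("$"):
        return "unauthenticated user shell prompt ($)"
    if "login:" in text.lower():
        return "login prompt (try vendor defaults)"
    if "password:" in text.lower():
        return "password prompt"
    if not text.strip():
        return "open, silent (likely raw serial tunnel)"
    return f"banner: {text.strip()[:60]!r}"

def tcp_probe(host, port, timeout=2.0):
    """Connect and wait briefly for a banner: bytes (b'' if silent) or None if closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None

def scan_host(host, ports, probe=tcp_probe, workers=32):
    """Probe every port in parallel; return {port: label} for the open ones only."""
    findings = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for port, data in pool.map(lambda p: (p, probe(host, p)), ports):
            if data is not None:
                findings[port] = classify(port, data)
    return findings

# Constructed sample responses so the example runs offline (not captured from any device).
SAMPLE_RESPONSES = {
    771: b"",
    2001: b"\r\nBusyBox v1.00 (constructed sample) built-in shell\r\n# ",
    2002: b"\r\nlogin: ",
    3001: b"",
}

def sample_probe(host, port, timeout=2.0):
    return SAMPLE_RESPONSES.get(port)

if __name__ == "__main__":
    # Swap sample_probe for tcp_probe (the default) to scan a host you are authorised to test.
    for port, label in sorted(scan_host("192.0.2.10", candidate_ports(), probe=sample_probe).items()):
        print(f"{port:5d}  {label}")
```

The `probe` parameter is what makes the scanner testable without a network: `scan_host(host, ports, probe=sample_probe)` replays the constructed responses, while the default `tcp_probe` does real connects. Note that a silent open port in the 2001-2099 range is not proof of a root shell; the slide's point is that on these devices the shell often announces itself with a bare `#` prompt the moment you connect, which is what the `classify` heuristic looks for.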

  39. Metasploit’n Scada – POINT N CLICK SCARY • Serial Port TCP Multiplexed Services • Scanning for RealPort services via Metasploit

  40. Metasploit’n Scada – POINT N CLICK SCARY • Serial Port TCP Multiplexed Services • Scanning for RealPort shells via Metasploit

  41. Metasploit’n Scada – POINT N CLICK SCARY

  42. Metasploit’n Scada – POINT N CLICK SCARY • Serial Port Device Exposure: ADDP • ADDP: Advanced Device Discovery Protocol • Obtain the IP settings of a remote Digi device • Metasploit scanner module implemented

  43. Metasploit’n Scada – POINT N CLICK SCARY • Serial Port Device Exposure: ADDP (continued) • Third-party products are often hardcoded for ADDP • No configuration interface to disable the ADDP protocol • Often no way to change the “dbps” password • Metasploit includes an ADDP reboot module

  44. Metasploit’n Scada – POINT N CLICK SCARY

  45. Metasploit’n Scada – POINT N CLICK SCARY

  46. Metasploit’n Scada – POINT N CLICK SCARY

  47. Default Passwords – SCADA PASSWORD ATTACKS • Digi equipment defaults to root:dbps for authentication • Digi-based products often have their own defaults (e.g. “faster”) • Lantronix defaults vary by hardware model and access method • root:root, root:PASS, root:lantronix, access:system • Passwords seen were “dbps”, “digi”, and “faster”

  48. Hard-Coded Passwords – SCADA PASSWORD ATTACKS

  49. Password Bruteforcing – SCADA PASSWORD ATTACKS

  50. Password Bruteforcing – SCADA PASSWORD ATTACKS

  51. Password Cracking – SCADA PASSWORD ATTACKS

  52. Password Cracking – SCADA PASSWORD ATTACKS

  53. Wireless Attacks – SCADA WIRELESS ATTACKS

  54. RFID Hacking Tools – TOOLS

  55. Badge Basics
      Name                          Frequency                Distance
      Low Frequency (LF)            120 kHz – 140 kHz        <3 ft (commonly under 1.5 ft)
      High Frequency (HF)           13.56 MHz                3-10 ft
      Ultra-High Frequency (UHF)    860-960 MHz (regional)   ~30 ft

  56. Typical Attack – A$$ GRABBING METHOD • Existing RFID hacking tools only work when a few centimeters away from the badge

  57. Programmable Cards – Cloning to a T55x7 card using Proxmark 3 • HID Prox cloning – example: • Indala Prox cloning – example:

  58. Pwn Plug – MAINTAINING ACCESS

  59. Defenses – PROTECT YO NECK

  60. Defenses – SCADA PROTECTION • From HD Moore’s “Serial Offenders” recommendations:

  61. Defenses – SCADA PROTECTION • Snort and SCADA
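The slide only names Snort; as an added example (not rules from the talk, from Bishop Fox or from any Snort ruleset), the rules below watch for exactly the exposure the scanning slides describe: outside connections to the Digi RealPort ports (771, 1027), to the Lantronix/Digi serial-server TCP ranges (2001-2099, 3001-3032), and SNMP requests that carry the community string "public". They assume `$HOME_NET` is the segment holding the serial servers; the sid values are local (1000000 and up) and the message texts are my own.

```snort
# Added example rules (not from the slides). $HOME_NET is assumed to be the
# serial-server segment; sids 1000001-1000005 are local, not vendor-assigned.
alert tcp $EXTERNAL_NET any -> $HOME_NET 771 (msg:"ICS Digi RealPort (cleartext) reached from outside"; flow:to_server,established; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1027 (msg:"ICS Digi RealPort (SSL) reached from outside"; flow:to_server,established; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2001:2099 (msg:"ICS serial-server TCP port (Lantronix/Digi 2001-2099) reached from outside"; flow:to_server,established; classtype:attempted-recon; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3001:3032 (msg:"ICS serial-server TCP port (Lantronix 3001-3032) reached from outside"; flow:to_server,established; classtype:attempted-recon; sid:1000004; rev:1;)
# |04 06| is the BER OCTET STRING header for a 6-byte community, so this only fires on the community field.
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ICS SNMP request with community public"; content:"|04 06|public"; classtype:attempted-recon; sid:1000005; rev:1;)
```

The two port-range rules are noisy by design: any established inbound connection to those ranges fires. That is the intended behaviour on a serial-server segment that should never be reachable from `$EXTERNAL_NET` at all; on a mixed network, narrow `$HOME_NET` to the device addresses first.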

  62. Defenses – SCADA PROTECTION

  63. Defenses – SCADA PROTECTION • NIST and other guidance docs:

  64. Thank You – Bishop Fox, www.bishopfox.com
