SlideShare une entreprise Scribd logo
1  sur  47
Télécharger pour lire hors ligne
Siemens	
  Sima)c	
  S7	
  PLC	
  Exploita)on	
  	
  
          S7-­‐Fu	
  (功夫)	
  with	
  Rapid7	
  Metasploit	
  
                       Black	
  Hat	
  USA+2011	
  




                     Dillon	
  Beresford	
  
                       d1n@nsslabs.com	
  
 
           	
  
Dillon	
  Beresford	
  
      狄龙 	
  
  Security	
  Researcher	
  	
  
              at	
  
With	
  assistance	
  from…	
  

      NSS	
  Labs,	
  Project	
  Funding	
  
Brian	
  Meixell,	
  Engineering	
  Support.	
  
   Ian	
  Parker,	
  Lab	
  Setup	
  and	
  QA.	
  
Tim	
  OMo,	
  Hardware	
  Procurement.	
  
  Dale	
  Peterson	
  (DigitalBond)	
  Blog	
  
 Bob	
  Radvanovsky	
  (SCADASEC)	
  List	
  
 INL/ICS-­‐CERT,	
  Disclosure	
  Process	
  
   PLCTrainer.NET	
  (PLC	
  Trainers)	
  
 IntroducVon	
  
	
  
	
  
	
  



       •  PLCs	
  are	
  computers	
  used	
  to	
  automate	
  mechanical	
  device	
  processes.	
  
       •  PLCs	
  are	
  used	
  in	
  the	
  nuclear,	
  oil	
  and	
  gas	
  refineries,	
  coal,	
  water	
  and	
  waste	
  treatment,	
  transportaVon,	
  
           aerospace,	
  defense	
  and	
  commercial	
  factories,	
  among	
  many	
  other	
  things…	
  
       •  The	
  S7-­‐300,	
  and	
  S7-­‐400	
  are	
  currently	
  the	
  most	
  common	
  PLCs	
  in	
  use,	
  however	
  the	
  S7-­‐1200	
  is	
  gaining	
  
           more	
  tracVon	
  .	
  
       •  SimaVc	
  S7	
  PLCs	
  offer	
  state	
  of	
  the	
  art	
  PROFIBUS	
  and	
  PROFINET	
  communicaVon	
  protocols.	
  	
  
       •  From	
  an	
  aMacker	
  perspecVve,	
  	
  each	
  of	
  the	
  S7	
  PLCs	
  have	
  one	
  thing	
  in	
  common.	
  They	
  communicate	
  
           over	
  ISO-­‐TSAP	
  (RFC-­‐1006)	
  on	
  TCP	
  port	
  102.	
  	
  
       •  When	
  TSAP	
  was	
  layered	
  on	
  Top	
  of	
  TCP,	
  security	
  wasn’t	
  factored	
  in.	
  	
  
       •  The	
  SimaVc	
  S7	
  PLCs	
  run	
  on	
  a	
  32-­‐bit	
  Linux	
  operaVng	
  system.	
  
       •  S7	
  PLC	
  Firmware	
  images	
  are	
  encrypted	
  and	
  hex	
  encoded,	
  some	
  are	
  using	
  simple	
  rotaVng	
  shia	
  
           sequences	
  to	
  obfuscate	
  the	
  strings	
  in	
  the	
  firmware.	
  
       •  The	
  S7-­‐300	
  we	
  are	
  going	
  to	
  exploit	
  has	
  a	
  TELNET	
  daemon	
  and	
  HTTP	
  server	
  running	
  as	
  background	
  
           process	
  which	
  are	
  used	
  by	
  the	
  Siemens	
  developers	
  for	
  debugging.	
  
       •  The	
  S7-­‐1200	
  also	
  has	
  a	
  web	
  server	
  included	
  in	
  it	
  for	
  diagnosVcs	
  and	
  HMI.	
  
TesVng	
  
Devices	
  Under	
  Test:	
  	
  
	
  	
  
          §     PLC1	
  6ES7	
  212-­‐1BD30-­‐0XB0	
  AC/DC	
  	
        	
  =>	
  Siemens	
  SimaVc	
  S7-­‐1200	
  
          §     PLC2	
  6ES7	
  212-­‐1BD30-­‐0XB0	
  AC/DC 	
           	
  =>	
  Siemens	
  SimaVc	
  S7-­‐1200	
  
          §     PLC3	
  317-­‐2EJ10-­‐0AB0 	
                  	
        	
  =>	
  Siemens	
  SimaVc	
  S7-­‐300	
  
          §     PLC4	
  317-­‐2EJ10-­‐0AB0 	
                  	
        	
  =>	
  Siemens	
  SimaVc	
  S7-­‐300	
  

          	
  
PLC	
  Firmware	
  Versions:	
  	
  
	
  
          §     Version	
  2.2	
                	
                	
     	
  =>	
  Siemens	
  SimaVc	
  S7-­‐1200	
  
          §     Version	
  2.3.4	
              	
                	
                                               	
  
                                                                          	
  =>	
  Siemens	
  SimaVc	
  	
  S7-­‐300
SimaVc	
  S7-­‐1200	
  
SimaVc	
  S7-­‐300	
  




    “The	
  Big	
  Boys”	
  
Step	
  7	
  Basic	
  
 
                                 	
  
                                 	
  
What	
  do	
  those	
  panels	
  aMached	
  to	
  the	
  PLCs	
  do	
  
          and	
  how	
  are	
  they	
  controlled?	
  
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
PLC	
  Trainer	
  LAD	
  Network	
  
PLC	
  Trainer	
  LAD	
  Network	
  
PLC	
  Trainer	
  LAD	
  Network	
  
The	
  Siemens	
  SimaVc	
  S7-­‐300,	
  S7-­‐400	
  and	
  S7-­‐1200	
  rely	
  
on	
  the	
  PROFINET	
  IEEE	
  802.3	
  Ethernet	
  standard,	
  for	
  
industrial	
  grade	
  connecVvity	
  in	
  environments	
  where	
  
Manufacturing	
  ExecuVon	
  Systems	
  (MES)	
  are	
  criVcal.	
  
	
  
	
  
	
  


	
  
	
  
PROFINET/ETHERNET	
  

Today	
  there	
  are	
  over	
  3.5	
  million	
  PROFINET	
  enabled	
  devices	
  acVvely	
  deployed.	
  


                                          PROFINET	
  Nodes	
  In	
  Use	
  By	
  2013	
  
4,500,000	
  

4,000,000	
  

3,500,000	
  

3,000,000	
  

2,500,000	
  

2,000,000	
  

1,500,000	
  

1,000,000	
  

  500,000	
  

          0	
  
                  2006	
       2007	
           2008	
       2009	
       2010	
       2011	
     2012	
     2013	
  
ISO-­‐TSAP	
  and	
  SimaVc	
  PLCs	
  
•  S7	
  PLC	
  listens	
  on	
  TCP	
  Port	
  102	
  for	
  connecVons.	
  
•  Communicates	
  w/Step	
  7	
  soaware	
  over	
  ISO-­‐TSAP.	
  
•  ISO-­‐TSAP	
  is	
  layered	
  on	
  Top	
  of	
  TCP	
  connecVons.	
  
•  S7	
  PLC	
  also	
  accepts	
  remote	
  commands	
  over	
  102.	
  
•  ISO-­‐TSAP	
  was	
  designed	
  with	
  special-­‐purpose	
  
    interfaces	
  in	
  mind	
  to	
  be	
  useful	
  in	
  the	
  short	
  term.	
  	
  
•  Expedites	
  the	
  process	
  for	
  development	
  of	
  TSAP	
  
    based	
  applicaVons	
  that	
  need	
  TCP.	
  
ISO-­‐TSAP	
  Problems	
  
•  Security	
  was	
  never	
  factored	
  into	
  the	
  equaVon.	
  
•  Packets	
  transmiMed	
  o/ISO-­‐TSAP	
  are	
  sent	
  in	
  plain-­‐
   text.	
  	
  
•  The	
  protocol	
  was	
  intended	
  to	
  be	
  open	
  and	
  
   reliable.	
  
•  Uses	
  a	
  ‘layering	
  principle’	
  which	
  means	
  that	
  even	
  
   if	
  an	
  encrypted	
  bridge	
  between	
  the	
  client	
  and	
  
   server	
  on	
  top	
  of	
  the	
  TCP	
  is	
  implemented	
  it	
  can	
  
   sVll	
  be	
  MITM	
  
•  The	
  protocol	
  hasn’t	
  been	
  revised	
  or	
  even	
  looked	
  
   at	
  since	
  the	
  late	
  80s.	
  
Don’t	
  trust	
  SimaVc	
  ‘ServerSession’	
  based	
  connecVons.	
  
An	
  aMacker,	
  can	
  disable	
  or	
  enable	
  the	
  CPU	
  protecVon	
  of	
  a	
  PLC	
  by	
  sending	
  craaed	
  packets	
  over	
  port	
  102.	
  The	
  
aMacker	
  can	
  also	
  control	
  the	
  CPU’s	
  internal	
  operaVonal	
  state,	
  change	
  logical	
  operaVons	
  in	
  the	
  PLC’s	
  OB1	
  
porVon	
  of	
  memory	
  and	
  or	
  shutdown	
  processes	
  connected	
  to	
  the	
  PLC.	
  	
  
          	
  
                     	
  	
  
          	
  
          	
  
          	
  
          	
  
          	
  
          	
  
          	
  
	
  
	
  
	
  
	
  
The	
  packets	
  in	
  the	
  red	
  are	
  being	
  generated	
  and	
  sent	
  from	
  the	
  Siemens	
  Step	
  7	
  Basic	
  so7ware.	
  The	
  packets	
  in	
  the	
  blue	
  are	
  being	
  
sent	
  by	
  the	
  PLC.	
  The	
  en@re	
  TCP	
  stream	
  is	
  11384	
  bytes.	
  Pay	
  close	
  aEen@on	
  to	
  the	
  ServerSession_ID	
  in	
  the	
  red	
  box,	
  that	
  liEle	
  ID	
  will	
  
play	
  an	
  important	
  role	
  later	
  on.  	
  
Siemens	
  claimed	
  that	
  they	
  had	
  a	
  miVgaVon	
  strategy	
  in	
  
        place,	
  and	
  they	
  did,	
  but	
  it	
  was	
  flawed.	
  
                                         	
  
    They	
  call	
  it	
  their	
  ‘password	
  protecVon’	
  feature.	
  
                                         	
  
    They	
  also	
  claim	
  that	
  its	
  not	
  possible,	
  under	
  any	
  
circumstances	
  whatsoever,	
  to	
  read	
  or	
  write	
  to	
  memory	
  
                   when	
  the	
  feature	
  is	
  enabled.	
  
S7	
  Memory	
  ProtecVon	
  
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
We	
  don’t	
  need	
  the	
  ‘password’	
  
Packet2Hex	
  	
  
Memory	
  ProtecVon?	
  
S7	
  Packet-­‐Fu	
  over	
  ISO-­‐TSAP	
  
S7-­‐1200	
  PLC	
  Memory	
  ProtecVon	
  Delta	
  
	
  
root@bt:~/cmp#	
  diff	
  1234.txt	
  4321.txt	
  
9,10c9,10	
  
<	
  "x5fx33x30x36x46x38x32x41"+	
  (x41	
  =	
  'A')	
  
<	
  "x46xa3x82x21x00x15x00xa3"+	
  
-­‐-­‐-­‐	
  
>	
  "x5fx35x30x36x43x35x36x42"+	
  (x42	
  =	
  'B')	
  
>	
  "x37xa3x82x21x00x15x00xa3"+	
  
	
  
root@bt:~/cmp#	
  
	
  
HEX	
  to	
  ASCII	
  
	
  
Server	
  Session	
  
5f	
  33	
  30	
  36	
  46	
  38	
  32	
  41	
  46	
  	
     	
  =>	
  _306F82AF	
  '1234'	
  0o‚¯ˉ	
  	
  Password	
  =>	
  ‘1234’	
  
5f	
  35	
  30	
  36	
  43	
  35	
  36	
  42	
  37	
  	
     	
  =>	
  _506C56B7	
  '4321'	
  PlV·∙	
  	
  Password	
  =>	
  ‘4321’	
  
Flawed	
  S7-­‐PLC	
  AuthenVcaVon	
  	
  
                    Take-­‐a-­‐ways	
  
If	
  an	
  aMacker	
  has	
  captured	
  packets	
  containing	
  the	
  
authenVcated	
  server	
  session,	
  from	
  the	
  automaVon	
  
network	
  they	
  can	
  re-­‐authenVcate	
  using	
  the	
  same	
  
packet	
  and	
  bypass	
  that	
  level	
  of	
  protecVon	
  without	
  ever	
  
needing	
  any	
  physical	
  access	
  to	
  the	
  engineering	
  
workstaVon	
  or	
  the	
  PLC.	
  
	
  
It	
  is	
  also	
  possible	
  to	
  generate	
  our	
  own	
  library	
  of	
  
packets	
  based	
  on	
  a	
  pre-­‐exisVng	
  packet	
  capture	
  and	
  
either	
  crack	
  the	
  password,	
  or	
  brute	
  force	
  our	
  way	
  in	
  
and	
  since	
  Siemens	
  didn’t	
  enforce	
  expired	
  sessions	
  we	
  
can	
  simply	
  use	
  any	
  ServerSession	
  ID	
  we	
  like,	
  against	
  
any	
  S7	
  PLC.	
  
Memory	
  ProtecVon	
  Take-­‐a-­‐ways	
  
•  It	
  is	
  possible	
  to	
  read	
  and	
  write	
  data	
  to	
  the	
  
    PLC’s	
  memory	
  even	
  when	
  the	
  password	
  
    protecVon	
  is	
  enabled.	
  
•  It	
  is	
  possible	
  to	
  retrieve	
  sensiVve	
  informaVon	
  
    from	
  the	
  PLC	
  through	
  memory	
  dumping.	
  
•  Its	
  is	
  also	
  possible	
  to	
  disable	
  the	
  password	
  
    protecVon	
  feature	
  on	
  the	
  PLC	
  by	
  flipping	
  the	
  
    security	
  bit	
  back	
  to	
  an	
  OFF	
  state.	
  	
  
AMack	
  Vector	
  
1.  We	
  capture	
  traffic	
  going	
  to	
  and	
  from	
  the	
  
      engineering	
  workstaVon	
  and	
  the	
  PLC.	
  
2.  We	
  dissect	
  the	
  client	
  porVon	
  of	
  the	
  TCP	
  
      Stream.	
  
3.  	
  We	
  build	
  our	
  own	
  packets	
  based	
  on	
  the	
  
      client	
  porVon.	
  
4.  We	
  can	
  replay	
  those	
  packets	
  back	
  to	
  the	
  PLC.	
  
Process	
  
§  Scrape	
  device	
  informaVon	
  from	
  memory.	
  
§  Change	
  the	
  results	
  of	
  ladder	
  logical	
  operaVons	
  on	
  the	
  PLC,	
  
    manipulate	
  the	
  logic	
  to	
  report	
  false	
  data	
  to	
  the	
  operator.	
  
    Devices	
  in	
  the	
  field	
  could	
  explode	
  or	
  spin	
  out	
  of	
  control!	
  
§  Put	
  the	
  CPU	
  in	
  START/STOP	
  mode	
  which	
  could	
  destroy	
  
    process	
  environments	
  and	
  damage	
  producVvity.	
  
§  Edit	
  PLC	
  device	
  configuraVon,	
  change	
  MAC,	
  IP	
  address,	
  device	
  
    name,	
  	
  Time	
  of	
  Day,	
  and	
  even	
  lock	
  the	
  operator	
  out	
  of	
  their	
  
    own	
  PLC.	
  
§  Frag	
  the	
  PLC	
  by	
  triggering	
  memory	
  leaks	
  in	
  bugs.	
  
§  Execute	
  arbitrary	
  commands	
  via	
  command	
  shell	
  using	
  the	
  
    hardcoded	
  credenVals.	
  
Stuxnet	
  
Metasploit	
  
Worm	
  
PropagaVon	
  
 
	
  
	
  
       We	
  can	
  own	
  everything	
  on	
  the	
  automaVon	
  network…	
  
S7	
  Recon	
  

Metasploit	
  S7-­‐1200	
  PLC	
  Auxiliary	
  Scanner	
  Module	
  
	
  
By	
  sending	
  a	
  series	
  of	
  forged	
  probe	
  packet	
  requests	
  an	
  aMacker	
  can	
  fingerprint	
  the	
  S7-­‐1200	
  
across	
  a	
  network.	
  This	
  would	
  enable	
  the	
  retrieval	
  of	
  sensiVve	
  informaVon.	
  You	
  can	
  grab	
  
informaVon	
  such	
  as	
  the	
  serial	
  number,	
  firmware	
  version,	
  model	
  number	
  and	
  PLC	
  name.	
  	
  
        	
  	
  
	
  
	
  
	
  
	
  
	
  
	
  
	
  
	
  
	
  
	
  
	
  
	
  
S7-­‐1200	
  PLC	
  Memory	
  Read/Write	
  

•  Read	
  device	
  logic	
  about	
  the	
  process	
  connected	
  
     to	
  the	
  PLC	
  and	
  create	
  targeted	
  aMacks	
  based	
  
     on	
  the	
  informaVon	
  we	
  receive.	
  
•  Read/Write	
  boolean	
  operaVons.	
  
•  Read/Write	
  tag	
  names	
  from	
  datablocks	
  
•  Disable	
  protecVon,	
  CPU	
  operaVons,	
  etc..	
  
•  Put	
  the	
  CPU	
  into	
  a	
  perpetual	
  STOP	
  state.	
  
	
  
S7-­‐1200	
  PLC	
  Binary	
  Data	
  from	
  PLC	
  Memory	
  
PLC	
  Memory	
  from	
  Data_Block_1	
  
WEWT!	
  
	
  	
  
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
S7	
  Memory	
  Dump	
  
Metasploit	
  Module	
  
Remote	
  Memory	
  Dump	
  
   S7-­‐300	
  Norflash	
  
What	
  can	
  we	
  find	
  in	
  dumps?	
  
                                 •  Code	
  paths	
  
                                 •  Source	
  code	
  
                                 •  New	
  Bugs	
  
                                 	
  
S7-­‐300	
  Hardcoded	
  CredenVals	
  
Cracking	
  the	
  S7	
  Password	
  
                             User:	
  basisk	
  
                             Pass:	
  basisk	
  

                             •      Scan	
  thru	
  firmware	
  
                             •      12	
  lines	
  of	
  code	
  
                             •      Swap	
  odd	
  chars	
  
                             •      Login	
  via	
  Telnet	
  
                             •      Login	
  via	
  HTTP	
  
                             •      Dump	
  Memory	
  
                             •      Delete	
  Files	
  
                             •      Execute	
  Commands	
  
                             	
  
Owned	
  
Decoding	
  the	
  S7	
  password	
  
•  Took	
  1-­‐2	
  hours	
  to	
  locate	
  the	
  actual	
  password	
  
•  The	
  result	
  was	
  command	
  shell.	
  
	
  
s	
  =	
  'sUreS/RTP	
  sawsro/dWP.Dabisks'	
  
def	
  decode_s7_str(st):	
  
	
  	
  	
  	
  s	
  =	
  list(st)	
  
	
  	
  	
  	
  for	
  c	
  in	
  range(0,len(s),2):	
  
	
  	
  	
  	
  	
  	
  	
  	
  t=s[c]	
  
	
  	
  	
  	
  	
  	
  	
  	
  s[c]=s[c+1]	
  
	
  	
  	
  	
  	
  	
  	
  	
  s[c+1]=t	
  
	
  	
  	
  	
  return	
  "".join(s)	
  
print	
  decode_s7_str(s)	
  
	
  
	
  
Metasploit	
  Modules	
  
•      simaVc_s7_1200_cpu_cmd.rb	
  
•      simaVc_s7_300_cpu_cmd.rb	
  
•      simaVc_s7_mem_dump.rb	
  
•      simaVc_s7_1200_cpu_mem_write.rb	
  
•      simaVc_s7_disable_mem_protect.rb	
  
•      simaVc_s7_cpu_cmd_protect_bypass.rb	
  
	
  
	
  
	
  
Demo	
  

Contenu connexe

Tendances

Unit 2 - Single Purpose Processors
Unit 2 - Single Purpose ProcessorsUnit 2 - Single Purpose Processors
Unit 2 - Single Purpose ProcessorsButtaRajasekhar2
 
Data Communication Assignment
Data Communication AssignmentData Communication Assignment
Data Communication Assignmentashikul akash
 
Structural and functional testing
Structural and functional testingStructural and functional testing
Structural and functional testingHimanshu
 
Networking devices(siddique)
Networking devices(siddique)Networking devices(siddique)
Networking devices(siddique)Siddique Ibrahim
 
CAM ladder logic diagram
CAM ladder logic diagramCAM ladder logic diagram
CAM ladder logic diagramMaharshi Soni
 
Popular network devices
Popular network devicesPopular network devices
Popular network devicesMahesh_Naidu
 
verification and validation
verification and validationverification and validation
verification and validationDinesh Pasi
 
UNIT-III CASE STUDIES -FPGA & CPGA ARCHITECTURES APPLICATIONS
UNIT-III CASE STUDIES -FPGA & CPGA ARCHITECTURES APPLICATIONSUNIT-III CASE STUDIES -FPGA & CPGA ARCHITECTURES APPLICATIONS
UNIT-III CASE STUDIES -FPGA & CPGA ARCHITECTURES APPLICATIONSDr.YNM
 
Direct Memory Access(DMA)
Direct Memory Access(DMA)Direct Memory Access(DMA)
Direct Memory Access(DMA)Page Maker
 
Monitoring and Control System
Monitoring and Control SystemMonitoring and Control System
Monitoring and Control Systemmahmoud anwar
 
Modbus TCP/IP implementation in Siemens S7-300 PLC
Modbus TCP/IP implementation in Siemens S7-300 PLC Modbus TCP/IP implementation in Siemens S7-300 PLC
Modbus TCP/IP implementation in Siemens S7-300 PLC ITER-India, IPR
 
Serial Communication
Serial CommunicationSerial Communication
Serial CommunicationUshaRani289
 

Tendances (20)

Plc
PlcPlc
Plc
 
Unit 2 - Single Purpose Processors
Unit 2 - Single Purpose ProcessorsUnit 2 - Single Purpose Processors
Unit 2 - Single Purpose Processors
 
ADDRESSING MODES
ADDRESSING MODESADDRESSING MODES
ADDRESSING MODES
 
Data Communication Assignment
Data Communication AssignmentData Communication Assignment
Data Communication Assignment
 
Structural and functional testing
Structural and functional testingStructural and functional testing
Structural and functional testing
 
Bus aribration
Bus aribrationBus aribration
Bus aribration
 
Channel Allocation.pptx
Channel Allocation.pptxChannel Allocation.pptx
Channel Allocation.pptx
 
Networking devices(siddique)
Networking devices(siddique)Networking devices(siddique)
Networking devices(siddique)
 
HDLC
HDLCHDLC
HDLC
 
CAM ladder logic diagram
CAM ladder logic diagramCAM ladder logic diagram
CAM ladder logic diagram
 
Popular network devices
Popular network devicesPopular network devices
Popular network devices
 
verification and validation
verification and validationverification and validation
verification and validation
 
UNIT-III CASE STUDIES -FPGA & CPGA ARCHITECTURES APPLICATIONS
UNIT-III CASE STUDIES -FPGA & CPGA ARCHITECTURES APPLICATIONSUNIT-III CASE STUDIES -FPGA & CPGA ARCHITECTURES APPLICATIONS
UNIT-III CASE STUDIES -FPGA & CPGA ARCHITECTURES APPLICATIONS
 
Direct Memory Access(DMA)
Direct Memory Access(DMA)Direct Memory Access(DMA)
Direct Memory Access(DMA)
 
Monitoring and Control System
Monitoring and Control SystemMonitoring and Control System
Monitoring and Control System
 
Basics of plc_programming1
Basics of plc_programming1Basics of plc_programming1
Basics of plc_programming1
 
E.s unit 4 and 5
E.s unit 4 and 5E.s unit 4 and 5
E.s unit 4 and 5
 
Modbus TCP/IP implementation in Siemens S7-300 PLC
Modbus TCP/IP implementation in Siemens S7-300 PLC Modbus TCP/IP implementation in Siemens S7-300 PLC
Modbus TCP/IP implementation in Siemens S7-300 PLC
 
Serial Communication
Serial CommunicationSerial Communication
Serial Communication
 
Spice
SpiceSpice
Spice
 

En vedette

BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)Michael Smith
 
Top Ten Siemens S7 Tips and Tricks
Top Ten Siemens S7 Tips and TricksTop Ten Siemens S7 Tips and Tricks
Top Ten Siemens S7 Tips and TricksDMC, Inc.
 
Ir guns building instructions
Ir guns building instructionsIr guns building instructions
Ir guns building instructionsLenn Tilley
 
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...Michael Smith
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
 
DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityMichael Smith
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Build Your Own 3D Scanner: 3D Scanning with Structured Lighting
Build Your Own 3D Scanner: 3D Scanning with Structured LightingBuild Your Own 3D Scanner: 3D Scanning with Structured Lighting
Build Your Own 3D Scanner: 3D Scanning with Structured LightingDouglas Lanman
 

En vedette (8)

BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
 
Top Ten Siemens S7 Tips and Tricks
Top Ten Siemens S7 Tips and TricksTop Ten Siemens S7 Tips and Tricks
Top Ten Siemens S7 Tips and Tricks
 
Ir guns building instructions
Ir guns building instructionsIr guns building instructions
Ir guns building instructions
 
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)
 
DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency Security
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Build Your Own 3D Scanner: 3D Scanning with Structured Lighting
Build Your Own 3D Scanner: 3D Scanning with Structured LightingBuild Your Own 3D Scanner: 3D Scanning with Structured Lighting
Build Your Own 3D Scanner: 3D Scanning with Structured Lighting
 

Similaire à BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)

Cisco data center support
Cisco data center supportCisco data center support
Cisco data center supportKrunal Shah
 
Edge-Core - экономия без потери качества | Семинар для интеграторов 15.06.17
Edge-Core - экономия без потери качества | Семинар для интеграторов 15.06.17Edge-Core - экономия без потери качества | Семинар для интеграторов 15.06.17
Edge-Core - экономия без потери качества | Семинар для интеграторов 15.06.17ROMSAT
 
Deploying Carrier Ethernet Features on Cisco ASR 9000
Deploying Carrier Ethernet Features on Cisco ASR 9000Deploying Carrier Ethernet Features on Cisco ASR 9000
Deploying Carrier Ethernet Features on Cisco ASR 9000Vinod Kumar Balasubramanyam
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheetqqlan
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayEnergySec
 
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure -  from Hyperv...PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure -  from Hyperv...
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...PROIDEA
 
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power Panel
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power PanelLayerZero Series 70: eRPP-FS Front/Side Access Remote Power Panel
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power PanelLayerZero Power Systems, Inc.
 
#network_engineer_CV_abw (1-326)
#network_engineer_CV_abw (1-326)#network_engineer_CV_abw (1-326)
#network_engineer_CV_abw (1-326)aim dubs
 
Presentation dc design for small and mid-size data center
Presentation   dc design for small and mid-size data centerPresentation   dc design for small and mid-size data center
Presentation dc design for small and mid-size data centerxKinAnx
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUES
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUESAdvanced PLC Programming Course EMERSON EDUARDO RODRIGUES
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUES
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUESAdvanced PLC Programming Course EMERSON EDUARDO RODRIGUES
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
SIMATIC manager سيماتك منجر سيمنز
SIMATIC manager سيماتك منجر سيمنزSIMATIC manager سيماتك منجر سيمنز
SIMATIC manager سيماتك منجر سيمنزEssosElectronic
 

Similaire à BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides) (20)

Cisco data center support
Cisco data center supportCisco data center support
Cisco data center support
 
Zxdsl 9210 guide
Zxdsl 9210 guideZxdsl 9210 guide
Zxdsl 9210 guide
 
Edge-Core - экономия без потери качества | Семинар для интеграторов 15.06.17
Edge-Core - экономия без потери качества | Семинар для интеграторов 15.06.17Edge-Core - экономия без потери качества | Семинар для интеграторов 15.06.17
Edge-Core - экономия без потери качества | Семинар для интеграторов 15.06.17
 
Deploying Carrier Ethernet features on ASR 9000
Deploying Carrier Ethernet features on ASR 9000Deploying Carrier Ethernet features on ASR 9000
Deploying Carrier Ethernet features on ASR 9000
 
Deploying Carrier Ethernet Features on Cisco ASR 9000
Deploying Carrier Ethernet Features on Cisco ASR 9000Deploying Carrier Ethernet Features on Cisco ASR 9000
Deploying Carrier Ethernet Features on Cisco ASR 9000
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles Away
 
Ccnas v11 ch02_eb
Ccnas v11 ch02_ebCcnas v11 ch02_eb
Ccnas v11 ch02_eb
 
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure -  from Hyperv...PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure -  from Hyperv...
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...
 
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power Panel
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power PanelLayerZero Series 70: eRPP-FS Front/Side Access Remote Power Panel
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power Panel
 
BRKARC-3146_PoE_C3k.pdf
BRKARC-3146_PoE_C3k.pdfBRKARC-3146_PoE_C3k.pdf
BRKARC-3146_PoE_C3k.pdf
 
#network_engineer_CV_abw (1-326)
#network_engineer_CV_abw (1-326)#network_engineer_CV_abw (1-326)
#network_engineer_CV_abw (1-326)
 
Presentation dc design for small and mid-size data center
Presentation   dc design for small and mid-size data centerPresentation   dc design for small and mid-size data center
Presentation dc design for small and mid-size data center
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUES
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUESAdvanced PLC Programming Course EMERSON EDUARDO RODRIGUES
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUES
 
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUES
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUESAdvanced PLC Programming Course EMERSON EDUARDO RODRIGUES
Advanced PLC Programming Course EMERSON EDUARDO RODRIGUES
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rules
 
SIMATIC manager سيماتك منجر سيمنز
SIMATIC manager سيماتك منجر سيمنزSIMATIC manager سيماتك منجر سيمنز
SIMATIC manager سيماتك منجر سيمنز
 

Plus de Michael Smith

DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsDHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsMichael Smith
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)Michael Smith
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerDefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerMichael Smith
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeDefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeMichael Smith
 
DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)Michael Smith
 
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKDefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKMichael Smith
 
DefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersDefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersMichael Smith
 
Defcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesDefcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesMichael Smith
 
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsDefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsMichael Smith
 
DefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksDefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksMichael Smith
 
DefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYDefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYMichael Smith
 
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingDefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingMichael Smith
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersMichael Smith
 
DefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesDefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesMichael Smith
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataMichael Smith
 
DefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingDefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingMichael Smith
 

Plus de Michael Smith (16)

DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsDHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerDefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeDefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
 
DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)
 
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKDefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
 
DefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersDefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water Meters
 
Defcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesDefcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over Powerlines
 
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsDefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
 
DefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksDefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM Attacks
 
DefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYDefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPY
 
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingDefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO Routers
 
DefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesDefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware Vulnerabilities
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
 
DefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingDefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter Hacking
 

Dernier

UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and businessFrancesco Corti
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingFrancesco Corti
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxNeo4j
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FESTBillieHyde
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Libraryshyamraj55
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applicationsnooralam814309
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updateadam112203
 

Dernier (20)

UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and business
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 

BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)

  • 1. Siemens  Sima)c  S7  PLC  Exploita)on     S7-­‐Fu  (功夫)  with  Rapid7  Metasploit   Black  Hat  USA+2011   Dillon  Beresford   d1n@nsslabs.com  
  • 2.     Dillon  Beresford   狄龙   Security  Researcher     at  
  • 3. With  assistance  from…   NSS  Labs,  Project  Funding   Brian  Meixell,  Engineering  Support.   Ian  Parker,  Lab  Setup  and  QA.   Tim  OMo,  Hardware  Procurement.   Dale  Peterson  (DigitalBond)  Blog   Bob  Radvanovsky  (SCADASEC)  List   INL/ICS-­‐CERT,  Disclosure  Process   PLCTrainer.NET  (PLC  Trainers)  
  • 4.  IntroducVon         •  PLCs  are  computers  used  to  automate  mechanical  device  processes.   •  PLCs  are  used  in  the  nuclear,  oil  and  gas  refineries,  coal,  water  and  waste  treatment,  transportaVon,   aerospace,  defense  and  commercial  factories,  among  many  other  things…   •  The  S7-­‐300,  and  S7-­‐400  are  currently  the  most  common  PLCs  in  use,  however  the  S7-­‐1200  is  gaining   more  tracVon  .   •  SimaVc  S7  PLCs  offer  state  of  the  art  PROFIBUS  and  PROFINET  communicaVon  protocols.     •  From  an  aMacker  perspecVve,    each  of  the  S7  PLCs  have  one  thing  in  common.  They  communicate   over  ISO-­‐TSAP  (RFC-­‐1006)  on  TCP  port  102.     •  When  TSAP  was  layered  on  Top  of  TCP,  security  wasn’t  factored  in.     •  The  SimaVc  S7  PLCs  run  on  a  32-­‐bit  Linux  operaVng  system.   •  S7  PLC  Firmware  images  are  encrypted  and  hex  encoded,  some  are  using  simple  rotaVng  shia   sequences  to  obfuscate  the  strings  in  the  firmware.   •  The  S7-­‐300  we  are  going  to  exploit  has  a  TELNET  daemon  and  HTTP  server  running  as  background   process  which  are  used  by  the  Siemens  developers  for  debugging.   •  The  S7-­‐1200  also  has  a  web  server  included  in  it  for  diagnosVcs  and  HMI.  
  • 5. TesVng   Devices  Under  Test:         §  PLC1  6ES7  212-­‐1BD30-­‐0XB0  AC/DC      =>  Siemens  SimaVc  S7-­‐1200   §  PLC2  6ES7  212-­‐1BD30-­‐0XB0  AC/DC    =>  Siemens  SimaVc  S7-­‐1200   §  PLC3  317-­‐2EJ10-­‐0AB0      =>  Siemens  SimaVc  S7-­‐300   §  PLC4  317-­‐2EJ10-­‐0AB0      =>  Siemens  SimaVc  S7-­‐300     PLC  Firmware  Versions:       §  Version  2.2        =>  Siemens  SimaVc  S7-­‐1200   §  Version  2.3.4          =>  Siemens  SimaVc    S7-­‐300
  • 7. SimaVc  S7-­‐300   “The  Big  Boys”  
  • 9.       What  do  those  panels  aMached  to  the  PLCs  do   and  how  are  they  controlled?  
  • 11. PLC  Trainer  LAD  Network  
  • 12. PLC  Trainer  LAD  Network  
  • 13. PLC  Trainer  LAD  Network  
  • 14. The  Siemens  SimaVc  S7-­‐300,  S7-­‐400  and  S7-­‐1200  rely   on  the  PROFINET  IEEE  802.3  Ethernet  standard,  for   industrial  grade  connecVvity  in  environments  where   Manufacturing  ExecuVon  Systems  (MES)  are  criVcal.            
  • 15. PROFINET/ETHERNET   Today  there  are  over  3.5  million  PROFINET  enabled  devices  acVvely  deployed.   PROFINET  Nodes  In  Use  By  2013   4,500,000   4,000,000   3,500,000   3,000,000   2,500,000   2,000,000   1,500,000   1,000,000   500,000   0   2006   2007   2008   2009   2010   2011   2012   2013  
  • 16. ISO-­‐TSAP  and  SimaVc  PLCs   •  S7  PLC  listens  on  TCP  Port  102  for  connecVons.   •  Communicates  w/Step  7  soaware  over  ISO-­‐TSAP.   •  ISO-­‐TSAP  is  layered  on  Top  of  TCP  connecVons.   •  S7  PLC  also  accepts  remote  commands  over  102.   •  ISO-­‐TSAP  was  designed  with  special-­‐purpose   interfaces  in  mind  to  be  useful  in  the  short  term.     •  Expedites  the  process  for  development  of  TSAP   based  applicaVons  that  need  TCP.  
  • 17. ISO-­‐TSAP  Problems   •  Security  was  never  factored  into  the  equaVon.   •  Packets  transmiMed  o/ISO-­‐TSAP  are  sent  in  plain-­‐ text.     •  The  protocol  was  intended  to  be  open  and   reliable.   •  Uses  a  ‘layering  principle’  which  means  that  even   if  an  encrypted  bridge  between  the  client  and   server  on  top  of  the  TCP  is  implemented  it  can   sVll  be  MITM   •  The  protocol  hasn’t  been  revised  or  even  looked   at  since  the  late  80s.  
  • 18. Don’t  trust  SimaVc  ‘ServerSession’  based  connecVons.   An  aMacker,  can  disable  or  enable  the  CPU  protecVon  of  a  PLC  by  sending  craaed  packets  over  port  102.  The   aMacker  can  also  control  the  CPU’s  internal  operaVonal  state,  change  logical  operaVons  in  the  PLC’s  OB1   porVon  of  memory  and  or  shutdown  processes  connected  to  the  PLC.                                 The  packets  in  the  red  are  being  generated  and  sent  from  the  Siemens  Step  7  Basic  so7ware.  The  packets  in  the  blue  are  being   sent  by  the  PLC.  The  en@re  TCP  stream  is  11384  bytes.  Pay  close  aEen@on  to  the  ServerSession_ID  in  the  red  box,  that  liEle  ID  will   play  an  important  role  later  on.  
  • 19. Siemens  claimed  that  they  had  a  miVgaVon  strategy  in   place,  and  they  did,  but  it  was  flawed.     They  call  it  their  ‘password  protecVon’  feature.     They  also  claim  that  its  not  possible,  under  any   circumstances  whatsoever,  to  read  or  write  to  memory   when  the  feature  is  enabled.  
  • 22. We  don’t  need  the  ‘password’   Packet2Hex    
  • 24. S7  Packet-­‐Fu  over  ISO-­‐TSAP   S7-­‐1200  PLC  Memory  ProtecVon  Delta     root@bt:~/cmp#  diff  1234.txt  4321.txt   9,10c9,10   <  "x5fx33x30x36x46x38x32x41"+  (x41  =  'A')   <  "x46xa3x82x21x00x15x00xa3"+   -­‐-­‐-­‐   >  "x5fx35x30x36x43x35x36x42"+  (x42  =  'B')   >  "x37xa3x82x21x00x15x00xa3"+     root@bt:~/cmp#     HEX  to  ASCII     Server  Session   5f  33  30  36  46  38  32  41  46      =>  _306F82AF  '1234'  0o‚¯ˉ    Password  =>  ‘1234’   5f  35  30  36  43  35  36  42  37      =>  _506C56B7  '4321'  PlV·∙    Password  =>  ‘4321’  
  • 25. Flawed  S7-­‐PLC  AuthenVcaVon     Take-­‐a-­‐ways   If  an  aMacker  has  captured  packets  containing  the   authenVcated  server  session,  from  the  automaVon   network  they  can  re-­‐authenVcate  using  the  same   packet  and  bypass  that  level  of  protecVon  without  ever   needing  any  physical  access  to  the  engineering   workstaVon  or  the  PLC.     It  is  also  possible  to  generate  our  own  library  of   packets  based  on  a  pre-­‐exisVng  packet  capture  and   either  crack  the  password,  or  brute  force  our  way  in   and  since  Siemens  didn’t  enforce  expired  sessions  we   can  simply  use  any  ServerSession  ID  we  like,  against   any  S7  PLC.  
  • 26. Memory  ProtecVon  Take-­‐a-­‐ways   •  It  is  possible  to  read  and  write  data  to  the   PLC’s  memory  even  when  the  password   protecVon  is  enabled.   •  It  is  possible  to  retrieve  sensiVve  informaVon   from  the  PLC  through  memory  dumping.   •  Its  is  also  possible  to  disable  the  password   protecVon  feature  on  the  PLC  by  flipping  the   security  bit  back  to  an  OFF  state.    
  • 27. AMack  Vector   1.  We  capture  traffic  going  to  and  from  the   engineering  workstaVon  and  the  PLC.   2.  We  dissect  the  client  porVon  of  the  TCP   Stream.   3.   We  build  our  own  packets  based  on  the   client  porVon.   4.  We  can  replay  those  packets  back  to  the  PLC.  
  • 28. Process   §  Scrape  device  informaVon  from  memory.   §  Change  the  results  of  ladder  logical  operaVons  on  the  PLC,   manipulate  the  logic  to  report  false  data  to  the  operator.   Devices  in  the  field  could  explode  or  spin  out  of  control!   §  Put  the  CPU  in  START/STOP  mode  which  could  destroy   process  environments  and  damage  producVvity.   §  Edit  PLC  device  configuraVon,  change  MAC,  IP  address,  device   name,    Time  of  Day,  and  even  lock  the  operator  out  of  their   own  PLC.   §  Frag  the  PLC  by  triggering  memory  leaks  in  bugs.   §  Execute  arbitrary  commands  via  command  shell  using  the   hardcoded  credenVals.  
  • 33.       We  can  own  everything  on  the  automaVon  network…  
  • 34. S7  Recon   Metasploit  S7-­‐1200  PLC  Auxiliary  Scanner  Module     By  sending  a  series  of  forged  probe  packet  requests  an  aMacker  can  fingerprint  the  S7-­‐1200   across  a  network.  This  would  enable  the  retrieval  of  sensiVve  informaVon.  You  can  grab   informaVon  such  as  the  serial  number,  firmware  version,  model  number  and  PLC  name.                                
  • 35. S7-­‐1200  PLC  Memory  Read/Write   •  Read  device  logic  about  the  process  connected   to  the  PLC  and  create  targeted  aMacks  based   on  the  informaVon  we  receive.   •  Read/Write  boolean  operaVons.   •  Read/Write  tag  names  from  datablocks   •  Disable  protecVon,  CPU  operaVons,  etc..   •  Put  the  CPU  into  a  perpetual  STOP  state.    
  • 36. S7-­‐1200  PLC  Binary  Data  from  PLC  Memory  
  • 37. PLC  Memory  from  Data_Block_1   WEWT!      
  • 39. S7  Memory  Dump   Metasploit  Module  
  • 40. Remote  Memory  Dump   S7-­‐300  Norflash  
  • 41. What  can  we  find  in  dumps?   •  Code  paths   •  Source  code   •  New  Bugs    
  • 43. Cracking  the  S7  Password   User:  basisk   Pass:  basisk   •  Scan  thru  firmware   •  12  lines  of  code   •  Swap  odd  chars   •  Login  via  Telnet   •  Login  via  HTTP   •  Dump  Memory   •  Delete  Files   •  Execute  Commands    
  • 45. Decoding  the  S7  password   •  Took  1-­‐2  hours  to  locate  the  actual  password   •  The  result  was  command  shell.     s  =  'sUreS/RTP  sawsro/dWP.Dabisks'   def  decode_s7_str(st):          s  =  list(st)          for  c  in  range(0,len(s),2):                  t=s[c]                  s[c]=s[c+1]                  s[c+1]=t          return  "".join(s)   print  decode_s7_str(s)      
  • 46. Metasploit  Modules   •  simaVc_s7_1200_cpu_cmd.rb   •  simaVc_s7_300_cpu_cmd.rb   •  simaVc_s7_mem_dump.rb   •  simaVc_s7_1200_cpu_mem_write.rb   •  simaVc_s7_disable_mem_protect.rb   •  simaVc_s7_cpu_cmd_protect_bypass.rb