OT Security - h-c0n 2020
OT Security Presentation
  1. MMXX. José Ramón Palanco: OT Security. ElevenPaths (Telefónica)
  2. Who am I
     • José Ramón Palanco
     • VT Threat Intelligence, ElevenPaths
     • Member of: MLW.re, YARA EXCHANGE, etc.
     • Skills: Pentester, Reverser, Vulnerability Researcher, Programmer (C, Python, Java, Go, …)
     • Entrepreneur (drainware, dinoflux, …)
  3. Agenda
     • Intro
     • OT Protocols
     • OT Lab
     • Malware
     • Projects
  4. INTRO
  5. What is it?
  6. What is it? Operational Technology (OT) refers to computing systems that are used to manage industrial operations as opposed to administrative operations. Operational systems include production line management, mining operations control, oil & gas monitoring, etc. Industrial control systems (ICS) are a major segment within the operational technology sector. They comprise systems that are used to monitor and control industrial processes. This could be mine site conveyor belts, oil refinery cracking towers, power consumption on electricity grids or alarms from building information systems. ICSs are typically mission-critical applications with a high-availability requirement.
  7. DISCLAIMER: Attacks against critical infrastructures (even sending an ICMP packet) can cause material or personal damage.
  8. Where can you find it?
  9. Applications
     • Monitor processes
     • Manage remote services
     • Store historical data
  10. Origins
     • Parallel architecture for industry
     • Availability oriented
     • 10 years behind IT security
  11. Diagram
  12. PLC
     • Network device
     • Embedded system
     • Proprietary communication stack
     • Applications
     • Firmware updates can be reversed (credentials, backdoors, …)
  13. HMI
     • Network device
     • Embedded system
     • Proprietary communication stack
     • Applications
     • Firmware updates can be reversed (credentials, backdoors, …)
  14. End Devices
     • Several kinds: sensor, valve, pump
     • Report to the PLC
  15. Communications
     • Ethernet
     • Mobile phone based (GSM, GPRS, …)
     • RS232/485
     • WiFi
     • ZigBee
     • 6LoWPAN
     • Proprietary
  16. Protocols
     • Modbus
     • DNP3
     • OPC
     • IEC 60870
     • BACnet
     • LonWorks
     • EPICS
     • FINS
     • MTConnect
     • MCConnect
     • SLMP
     • FOX
  17. Protocol attack
     • Sniff: mostly plaintext, so it is possible to capture credentials, services, systems, …
     • Spoof
     • Fuzz
  18. Common problems
     • Connected to the Internet (Shodan)
     • Obsolete but stable operating systems
     • Default credentials
     • Not updated, not patched
     • Easy to exploit
     • Weak protocol stack implementations
  19. Attack Vectors
     • We will always find a Homer
     • Pendrive
     • Non-working programs installed
     • Insecure radio communications
     • Ignorance of the real network topology
  20. Tools
     • PLC Scan: https://github.com/yanlinlin82/plcscan
     • Smod: https://github.com/enddo/smod
     • MBGet: https://github.com/sourceperl/mbtget
     • PLCInject: https://github.com/SCADACS/PLCinject
     • Nmap SCADA: https://github.com/jpalanco/nmap-scada
     • Sulley: https://github.com/OpenRCE/sulley
  21. Simatic S7 300
  25. PLC Programming
     • Cont (similar to Ladder)
     • List (similar to Assembler)
     • Log (similar to Graphset)
  26. PLC: Block Oriented Functions
  27. PLC Communication protocols
     • Profibus: RS485 serial
     • Profinet: Ethernet
     • Listening on 102/tcp
     • ISO-TSAP protocol
  28. Hands on attack: Dynamic code injection
     • Attacker host running the Step 7 CLI: Get OB, Modify OB, Push OB
  29. Hands on attack: Security
     • Password protected access. "Funny SCADA tools", composed of five Python scripts:
       • s7_password_hash_extractor(): extracts the password hash from the PEData.plf file. You will find the *.plf file in the PLC configuration.
       • s7_brute_offline(): the number of connection attempts is unlimited; only 5 minutes are needed to find the right password.
     • Source code protected. The source code of a block is "normally" protected (i.e. unreadable). In fact, this protection can be bypassed simply by modifying bytes 16 to 22 of the binary MC7 code; it is the same hexadecimal value for all unprotected blocks.
  30. Hands on code: Dynamic code injection
     • Get OB
     • Push OB
  31. Easier… if we compromise a machine with TIA Portal
  32. Most PLCs are vulnerable
     • SIL certification (IEC 61508) does not evaluate security
     • Modern PLCs are microprocessor-based, programmable systems that are configured from a basic Windows PC
     • Major PLCs integrate control and safety systems using Ethernet communication with open, insecure protocols (Profinet, Modbus TCP, OPC, …)
     • Many PLC communication interface modules run an embedded operating system and Ethernet stack with known vulnerabilities and default configurations
  33. OT LAB
  34. Lab
     • Damn Vulnerable ARM Router (DVAR)
  35. Radio Hacking with SDR
     • Software: GNU Radio, Gqrx
     • Hardware: RTL (receive only), HackRF (1 channel), BladeRF, LimeSDR
  36. Radio Hacking: Gqrx
  37. Radio Hacking: GNU RADIO + BLADERF = 6LowPAN
  38. Hardware hacking: UART ACCESS
     • UART pinout
  39. Hardware hacking: Bus Pirate
  40. Hardware hacking: BUS PIRATE
     • Serial connection to the BP
  41. Hardware hacking: BUS PIRATE
  42. Hardware hacking: JTAG Debug
     • stlink (for STM32 boards)
     • Connect the CLK pad on the PCB to SWCLK on the ST-Link
     • Connect the DAT pad to SWDIO
     • Connect the grounds: board GND and ST-Link GND together
  43. Hardware hacking: JTAG Debug
     • openocd to:
       • GDB: arm-none-eabi-gdb -tui /path/to/file.elf
         > target remote localhost:4444
       • R2: r2 -a arm -b 32 -D gdb gdb://127.0.0.1:4444
  44. Hardware hacking: JTAG Debug
     • Dump flash: st-flash read /tmp/output.bin 0x8000000 0x8000
     • Reverse with IDA Pro
  45. Hardware hacking: JTAGULATOR
     • Bruteforce the JTAG pinout
  46. Example firmware reversing
     • Siemens S7 SCALANCE X200
     • Download firmware X200V2_V4321_Firmware.exe
     • Strings: WinZip Self-Extractor-Dateikopf ung
  47. Example firmware reversing
       $ unzip X200V2_V4321_Firmware.exe
       Archive:  X200V2_V4321_Firmware.exe
         inflating: X200V2_V4.3.21_Firmware.fwl
  48. Example firmware reversing
       $ binwalk X200V2_V4.3.21_Firmware.fwl
       DECIMAL   HEX      DESCRIPTION
       ----------------------------------------------------------------------------
       116       0x74     ELF 32-bit LSB executable, ARM, version 1 (ARM)
       33684     0x8394   LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, uncompressed size: 11015760 bytes
  49. Example firmware reversing
       Extraction: $ binwalk -eM -f binwalk.log X200V2_V4.3.21_Firmware.fwl
     • Private RSA keys
     • Private SSH key
     • HTML files
     • Images
     • …
  50. Example firmware reversing (strings from the extracted binary)
       Usage: %s %s
       User name  | Password
       -----------+-------------
       %10s       | %4s
       debug
       %10s       | ****
       User account was not found.
       Password is to long, max %d symbols.
       Password for %s is set.
       admin
       Null lenght password is set.
  51. Example firmware reversing (strings from the extracted binary)
       SIMATIC-NET FW-Loader Scalance X200RT
       6GK5206-1BB00-2AA3
       Flash S29GL
       vxWorks.LAD
       VxWorks 5.5.1
       VxWorks5.5.1
       Jun 29 2011, 14:27:49
       ...
  52. Example firmware reversing
       $ dd if=X200V2_V4.3.21_Firmware.fwl bs=1 skip=116 count=33568 of=arm.bin
       File (magic): arm.bin: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
     • IDA Pro
  53. MALWARE
  54. STUXNET
     • WinCC: hardcoded passwords
     • STEP 7 hooked
     • Centrifuge PLCs trojanized
     • Replicates through pendrives
  55. PROJECTS
  56. Yara IDS: Industrial Protocol Intrusion Detection System
  57. The problem: HAVEX, STUXNET, DUQU, RED OCTOBER, FLAME, SHAMOON, TRITON/TRISIS
  58. Malware Hunting?
       rule Shamoon_2_0 {
           meta:
               author = "Jose Ramon Palanco"
               date = "2017-03-06"
               description = "Shamoon 2.0"
               OriginalFilename = "ntertmgr32.exe"
               ref = "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf"
           strings:
               $magic = { 4d 5a }
               $s0 = { 39 33 39 39 39 45 39 4b 39 54 39 5a 39 63 39 6f 39 75 39 0d 0a }
               $s1 = { 44 49 48 4b 4b 4b }
               $s2 = { 32 45 32 4b 32 52 32 59 32 79 32 66 33 73 33 }
               $s3 = { 33 64 33 68 33 6c 33 70 33 74 33 78 33 }
           condition:
               $magic at 0 and all of ($s*) and filesize > 1590KB
       }
  61. Where to perform malware hunting?
     • Memory
     • Network
     • File System
     • None
  65. Snort to the rescue
       alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
           msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection";
           flow:to_server,established;
           http_header; content:"User-Agent|3A| WinHttpClient",fast_pattern,nocase;
           http_raw_uri; content:"//Home/";
           metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community;
           service:http;
           reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack;
           classtype:trojan-activity; sid:42128; rev:1;
       )
  66. Now with Yara…
  68. RECIPE
     • python
     • dpkt
     • yara
  69. 1. Read packets
       import dpkt

       pcap_file = open('file.pcap', 'rb')      # pcap is binary: open in 'rb' mode
       pcap = dpkt.pcap.Reader(pcap_file)
       for ts, buf in pcap:
           process(buf)
  70. 2. Process packets
       def process(buf):
           eth = dpkt.ethernet.Ethernet(buf)
           ip = eth.data
           if not isinstance(ip, dpkt.ip.IP):
               return                            # skip non-IP frames (ARP, ...)
           tcp = ip.data
           if not isinstance(tcp, dpkt.tcp.TCP) or not tcp.data:
               return                            # skip non-TCP and empty segments
           signature = check_yara(tcp.data)
           if signature:
               print(signature)
  71. 3. Check yara
       import yara

       rules = yara.compile(filepath='file.yar')  # compile once, not once per packet

       def check_yara(buf):
           matches = rules.match(data=buf)
           if matches:
               return matches
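An added example, not part of the talk or of the speaker's tools: the recipe above runs the rules on every TCP segment on its own, so an indicator that straddles two segments is never seen whole. This standard-library script parses Ethernet/IPv4/TCP by hand in place of dpkt, reassembles each flow in sequence order before matching, and uses the two content checks from the Snort rule on slide 65 in place of the yara rules; every frame is constructed for the example.

```python
import struct
from collections import defaultdict

def tcp_payload(frame):
    """Return (flow_key, seq, payload) for an IPv4/TCP Ethernet frame, else None."""
    if len(frame) < 54 or frame[12:14] != b'\x08\x00':
        return None                                   # not IPv4
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack('!H', ip[2:4])[0]
    if ip[9] != 6:
        return None                                   # not TCP
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack('!HHI', tcp[:8])
    doff = (tcp[12] >> 4) * 4                         # header length incl. options
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[doff:]

def ismdoor_match(payload):
    """The two content checks of the Snort rule (UA nocase + raw URI) as Python."""
    return b'user-agent: winhttpclient' in payload.lower() and b'//Home/' in payload

def scan_segments(frames):
    """The recipe's approach: test each segment on its own."""
    hits = [r[0] for r in map(tcp_payload, frames) if r and ismdoor_match(r[2])]
    return set(hits)

def scan_flows(frames):
    """Reassemble each flow in sequence order, then test the whole stream."""
    flows = defaultdict(list)
    for f in frames:
        r = tcp_payload(f)
        if r and r[2]:
            flows[r[0]].append((r[1], r[2]))
    return {k for k, segs in flows.items()
            if ismdoor_match(b''.join(p for _, p in sorted(segs)))}

def build_frame(sport, seq, payload):
    """Constructed IPv4/TCP frame (checksums left zero; fine for this parser)."""
    tcp = struct.pack('!HHIIBBHHH', sport, 80, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 9])) + tcp
    return b'\x00' * 12 + b'\x08\x00' + ip

# Constructed request whose two indicators fall into two different segments.
REQ = (b'GET //Home/index.php HTTP/1.1\r\nHost: c2.example\r\n'
       b'User-Agent: WinHttpClient\r\n\r\n')
SPLIT = 40
FRAMES = [
    build_frame(40001, 1000 + SPLIT, REQ[SPLIT:]),    # second half arrives first
    build_frame(40001, 1000, REQ[:SPLIT]),
    build_frame(40002, 5000, b'GET /index.html HTTP/1.1\r\nUser-Agent: curl\r\n\r\n'),
]
```

scan_segments(FRAMES) finds nothing because neither half of the request carries both indicators, while scan_flows(FRAMES) flags the reassembled 40001 -> 80 flow.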
  72. SCADA/ICS Rule Collection (222)
     • Modbus (19)
     • DNP3 (10)
     • EIP (7)
     • FINS (37)
     • MCCONNECT (46)
     • MTCONNECT (8)
     • OPC-DA (3)
     • OPC-UA (8)
     • SLMP (38)
     • Siemens S7 (13)
     • MQTT (5)
     • Exploits (28)
  73. DEMO TIME
  74. Teaser
     • MOLE IDS
     • Implemented in Go
     • Supports PF_RING
     • Multithreaded
     • Telco roaming and signaling attacks
  75. NMAP FOR SCADA: Discover SCADA/ICS devices in the network
  76. NMAP SCADA
     • Discovery of Siemens S7 family devices:
       • WINCC (netbios)
       • Communications Processor (http)
       • SIMATIC (http)
       • HMI (http)
       • Generic S7 device (http)
       • SCALANCE (snmp)
  77. DEMO TIME
  78. NMAP SCADA
Uploaded by AhmadMAlShangiti, Feb. 19, 2020