Nytro

Scada Strangelove


Description: SCADA STRANGELOVE

or: How I Learned to Start Worrying and Love Nuclear Plants

Modern civilization unconditionally depends on information systems. It is paradoxical but true that ICS/SCADA systems are the most insecure systems in the world. From network to application, SCADA is full of configuration issues and vulnerabilities.

During our report, we will demonstrate how to obtain full access to a plant via:

- a sniffer and a packet generator
- FTP and Telnet
- Metasploit and osql
- a webserver and a browser

About 20 new vulnerabilities in common SCADA systems including Simatic WinCC will be revealed.

Releases:

- modbuspatrol (mbpatrol): a free tool to discover and fingerprint PLCs
- Simatic WinCC security checklist
- Simatic WinCC forensic checklist and tools
- a close-to-real-life attack scenario for a Simatic WinCC based plant

1. Intro
   1.1 Who are we?
   1.2 History of research

2. Overview of ICS/SCADA architecture

3. SCADA network puzzle
   3.1 Overview of protocols used in SCADA networks
   3.2 Modbus overview
   3.3 S7 overview
   3.4 Modbus/S7 SCADA/PLC fingerprint (release of mbpatrol, a free tool for PLC fingerprinting)

4. Who is Mister PLC?
   4.1 Typical PLC architecture
   4.2 Security and configuration issues
   4.3 Coordinated disclosure of vulnerabilities in several PLCs

5. DEMO. Owning a plant with FTP and Telnet. During the demo, I will demonstrate how several vulnerabilities and configuration issues of a PLC can be used to get root access to the device, install a rootkit and manipulate something in the real world.

6. Miss SCADA
   6.1 Place of the OS and DB in the security of the SCADA infrastructure
   6.2 Simatic WinCC default configuration issues
   6.3 Ways to abuse OS and DB vulnerabilities
   6.4 Coordinated disclosure of several OS/DB WinCC vulnerabilities
   6.5 Simatic WinCC security checklist
   6.6 Simatic WinCC post-exploitation/forensics

7. Heavy weapon
   7.1 SCADA/HMI application architecture (based on Simatic WinCC)
   7.2 Client side in the SCADA network? (release of a client-side fingerprint tool for HMI software)
   7.3 Coordinated disclosure of vulnerabilities in Siemens Simatic WinCC 7.0 used in the exploit

8. Architecture of the exploit

9. DEMO. Owning a plant with a browser. Exploit scenario. Several 0-day (but responsibly disclosed) vulnerabilities in Siemens Simatic WinCC 7.0 are used to:
   - fingerprint the presence of WinCC client software
   - obtain the access password to the WinCC WebNavigator interface
   - read the registry and files on the WinCC box
   - view and manage the HMI/PLC/technological process from the internet via the operator's browser

10. PS. Why physical separation is not enough
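Items 3.2 and 3.4 of the agenda cover the Modbus protocol and PLC fingerprinting; the talk's mbpatrol tool is not shown on this page, so the following is an added example written for this post, not code from the speakers or from mbpatrol. It encodes the public Modbus/TCP "Read Device Identification" request (function code 43, MEI type 14) that asset-inventory tools send, decodes the MBAP header and the identification objects of the reply, and labels each frame the way a passive network monitor would, flagging write function codes that can change process state. All frames below are constructed sample bytes, not captures from any real device.

```python
import struct
from dataclasses import dataclass, field

# Function codes that write coils/registers, i.e. requests that can change
# process state and deserve the closest scrutiny on a SCADA network.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Basic-category object ids of the "Read Device Identification" service
# (function code 43, MEI type 14) that inventory tools use to fingerprint a PLC.
DEVICE_ID_OBJECTS = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    pdu: bytes
    device_id: dict = field(default_factory=dict)

    @property
    def is_exception(self) -> bool:
        # Exception responses echo the function code with the high bit set.
        return bool(self.function_code & 0x80)


def build_device_id_request(transaction_id: int, unit_id: int) -> bytes:
    """Encode a Modbus/TCP Read Device Identification request (basic category, object 0)."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])  # FC 43, MEI 14, ReadDevId code 1, object id 0
    # MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(frame: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP frame and, for device-identification responses, its objects."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with {len(frame) - 6} bytes on the wire")
    pdu = frame[7:]
    parsed = ModbusFrame(tid, unit, pdu[0], pdu)
    if pdu[0] == 0x2B and len(pdu) >= 7 and pdu[1] == 0x0E:
        # Response layout: FC, MEI, ReadDevId code, conformity level, more-follows,
        # next object id, object count, then (id, length, value) triples.
        offset, remaining = 7, pdu[6]
        while remaining and offset + 2 <= len(pdu):
            obj_id, obj_len = pdu[offset], pdu[offset + 1]
            value = pdu[offset + 2 : offset + 2 + obj_len]
            if len(value) != obj_len:
                raise ValueError("device identification object truncated")
            name = DEVICE_ID_OBJECTS.get(obj_id, f"object_{obj_id}")
            parsed.device_id[name] = value.decode("ascii", "replace")
            offset += 2 + obj_len
            remaining -= 1
    return parsed


def classify(frame: ModbusFrame) -> str:
    """Label a frame the way a passive SCADA network monitor would."""
    if frame.is_exception:
        return "exception"
    if frame.function_code == 0x2B:
        return "device-id-response" if len(frame.pdu) >= 7 else "device-id-request"
    if frame.function_code in WRITE_FUNCTION_CODES:
        return "write"
    return "read"


# Constructed sample traffic (hypothetical vendor strings, not captured from any real PLC).
SAMPLE_DEVICE_ID_RESPONSE = (
    bytes.fromhex("0001 0000 001B 01")       # MBAP: tid 1, proto 0, length 27, unit 1
    + bytes.fromhex("2B0E 01 01 00 00 03")   # FC 43, MEI 14, code 1, conformity 1, no more, next 0, 3 objects
    + b"\x00\x04ACME" + b"\x01\x05PLC-1" + b"\x02\x04v1.2"
)
SAMPLE_WRITE_REQUEST = bytes.fromhex("0002 0000 0006 01 06 0010 00FF")  # FC 6: write register 0x10
SAMPLE_READ_REQUEST = bytes.fromhex("0003 0000 0006 01 03 0000 000A")   # FC 3: read 10 registers
SAMPLE_EXCEPTION = bytes.fromhex("0004 0000 0003 01 83 02")              # FC 3 exception, code 2


def summarize(frames) -> list:
    """Return one label per frame, with decoded identification where present."""
    out = []
    for raw in frames:
        f = parse_frame(raw)
        label = classify(f)
        if f.device_id:
            label += " " + " ".join(f"{k}={v}" for k, v in f.device_id.items())
        out.append(label)
    return out


if __name__ == "__main__":
    for line in summarize([build_device_id_request(1, 1), SAMPLE_DEVICE_ID_RESPONSE,
                           SAMPLE_WRITE_REQUEST, SAMPLE_READ_REQUEST, SAMPLE_EXCEPTION]):
        print(line)
```

The MBAP length check is the first thing a monitor should verify, since a frame whose header disagrees with its byte count is either corrupt or crafted; the identification objects then give the vendor, product and firmware revision that an inventory needs to match a PLC against vendor advisories such as the ones the talk announces.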

Will we talk about 0-day vulnerabilities? Yes, but we will coordinate with the vendor, so the list of vulnerabilities depends on the patching speed of Siemens.

Will instruments be presented?

29C3: SCADA Strangelove

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Scada Strangelove
