SlideShare una empresa de Scribd logo

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters

Positive Hack Days
Positive Hack Days

This document summarizes an presentation on industrial protocols for pentesters. It discusses several common industrial protocols including Modbus, Siemens S7, PROFINET, and provides information on analyzing them such as looking for patterns in hex dumps. Specific exploitation techniques are mentioned such as extracting password hashes from TIA Portal project files or intercepting S7 authentication challenges and responses. The presenters provide resources for further information on industrial control systems and security.

TecnologíaEmpresariales
1 de 44
Industrial protocols for pentesters Timorin Alexander Efanov Dmitry Positive Technologies PHDays III
Who We Are Timorin Alexander • Lead specialist of penetration testing team at Positive Technologies • Main interests: penetration testing, SCADA systems, industrial protocols, password cracking • atimorin@ptsecurity.ru
Who We Are Efanov Dmitry • Lead specialist of security development team at Positive Technologies • Main interests: penetration testing, network protocols and hex-numbers • defanov@ptsecurity.ru
ICS Industrial Control System
ICS in the World
ICS in the World
ICS in the World
What we will talk about ? • Modbus • Mystical S7 • Authentication and protection • Profinet
Industrial protocols • CIP • BACnet • CC-Link • Ethernet/IP • Modbus • Profinet • S3 / S5 / S7 • DNP3
Old Modbus • Published by Modicon (now Schneider Electric) in 1979. • Widely used for connecting industrial electronic devices • Schneider Electric • Advanced Micro Controls • ABB • Emerson • Chinese NONAME • and all other vendors
Modbus in XX
Modbus in XXI
Modbus TCP Standard port – 502/tcp Modbus Request packet: • No authentication • No encryption • No security
Modbus Functions • Data access • Read/Write Coils and Registers • Read/Write File Records • Diagnostics • Device Identification • … • + User Defined Functions
Modbus Device Identification Standard Function (opcode 0x2B, subcode 0x0E) • VendorName • ProductCode • MajorMinorRevision • VendorUrl • ProductName • ModelName • UserApplicationName
Modbus Device Identification
Modbus Tools • Emulators: • http://www.modbustools.com/download.asp • Device Discovery: • https://code.google.com/p/plcscan/ • https://code.google.com/p/modscan/ • … • Wireshark • python
Modbus Demo
Mystic S7 Standard port – 102/tcp In Siemens docs - iso-on-tcp, rfc 1006
S7 materials • Exploiting Siemens Simatic S7 PLCs (by Dillon Beresford) http://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf • Wireshark dissector http://sourceforge.net/projects/s7commwireshark/ • Libnodave – free communication library http://sourceforge.net/projects/libnodave/
ISO-on-TCP (RFC 1006) • Transport layer only • Require source and destination TSAP (Transport Service Access Point) for connection • TSAP (2 bytes) • Connection type (PG – 0x01, OP– 0x02) • Rack/Slot Id
What is under ISO-on-TCP?
What is under ISO-on-TCP? S5 Communication aka FETCH / WRITE aka Sinec H1 S7 Communication Another S7 Communication
S7 communication S7 packet: PDU-types: • 0x01 – Request • 0x02 – Acknowledgement • 0x03 – Response • 0x07– User Data
What we can do • Read / Write data • Start / Stop CPU • Upload / Download Blocks • List blocks • Get blocks info • Read SZL (System Status List) • Module Identification • Component Identification • LED’s status
Device Identification • PLC scan (https://code.google.com/p/plcscan/) • For s7-300: Module : 6ES7 151-8AB01-0AB0 v.2 Basic Hardware : 6ES7 151-8AB01-0AB0 v.2 Basic Firmware : v.3.2.6 PLC Name : SIMATIC 300(Bla_bla_name) Module Name : IM151-8 PN/DP CPU Plant ID : Copyright : Original Siemens Equipment Module Serial number : S C-BOUV49xxxxx1 Module type name : IM151-8 PN/DP CPU Memory card Serial number : MMC 6CAxxxx0 Module OEM ID : Module Location : • For s7-1200: Module : 6ES7 212-1BD30-0XB0 v.2 Basic Hardware : 6ES7 212-1BD30-0XB0 v.2 Basic Firmware : 6ES7 212-1BD30-0XB0 v.2.2.0
S7-300 password protection Password (8 bytes) «Encryption»:
S7comm on S7-1200 S7-300 S7-1200 Read/Write Vars + + Device Identification + +/- Start/Stop CPU + - Upload/Download Blocks + - Blocks Info + - LED’s status + -
«Another S7 communication» Simple S7 packet ( connection establishment) 72 01 – S7 data delimiter
TIA Portal read/write protection PLC read/write password protection for main operations: CPU start/stop/data change, project upload, firmware update, etc.
TIA Portal PEData.plf passwords history Simple SHA-1 passwords: 456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40} redbox value: password_length * 2 + 1
S7 password hashes extractor source: http://code.google.com/p/scada-tools/source/browse/s7_password_hashes_extractor.py extracting all password sha1 hashes from TIA Portal project file and simple bruteforce. Also possible to intercept password hash when uploading new project to PLC. It’s easy. Know-how protection: • prevent code blocks (OB, FB, FC, DB) from unauthorized access • base64( sha1(password-in-unicode) )
SCADA <-> PLC S7 authentication 1. SCADA-> PLC : auth request 2. SCADA <- PLC : challenge 3. SCADA-> PLC : response = HMAC( SHA1(password), challenge ) 4. SCADA <- PLC : auth result sending authentication challenge from PLC to SCADA workstation
SCADA <-> PLC S7 authentication sending authentication response from SCADA workstation to PLC
SCADA <-> PLC S7 authentication • ICS-CERT alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-016-02 • John the Ripper Jumbo patch: https://github.com/magnumripper/JohnTheRipper/pull/193 • http://www.digitalbond.com/blog/2013/05/10/john-the-ripper-s7-password- cracking/
S7 challenge-response extractor source: http://code.google.com/p/scada-tools/source/browse/s7_brute_offline.py extracting challenge-response values from pcap file and simple bruteforce. pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32‘ -> auth ok pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732‘ -> auth bad Other researches/materials: • Dillon Beresford: http://scadahacker.com/exploits/exploits-dillonbh2011.html
PROFINET family 2003: IEC 61158, IEC 61784 • PROFINET CBA (Component Based Automation) • PROFINET IO
PROFINET IO • master – slave communications • RT (~ 10 ms), IRT (~ 1 ms) • PROFINET PTCP (Precision Time Control Protocol) • PROFINET DCP (Discovery and Basic Configuration Protocol) profinet dcp identify response
PROFINET DCP scanner source: http://code.google.com/p/scada-tools/source/browse/profinet_scanner.py discovering all SCADA devices (PC, HMI, PLC) in subnet
PROFINET DCP scanner payload = 'fefe05000401000200800004ffff0000' pp = Ether(type=0x8892, src=src_mac, dst=01:0e:cf:00:00:00)/payload.decode('hex') fefe 2b: DCP multicast header 05 1b: Identify service 00 1b: Request type 04010002 4b: Xid (request identificator) 0080 2b: Response delay 0004 2b: DCP data length ffff0000 4b: dcp dataOption(All), Suboption(All) Also we can: • change name of station • change ip, gateway • request network info • LED flashing: PLC, HMI (something wrong with PLC or devices ?? ) • and much more … profinet video demo
How to analyze protocols ? • search-analyze-search-analyze-search … • Rob Savoye: “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns” • Rob Savoye: FOSDEM 2009 Reverse Engineering of Proprietary Protocols, Tools and Techniques : http://youtu.be/t3s-mG5yUjY • Netzob: http://www.netzob.org • Fuzzing • wireshark tcpdump python scapy hex viewer
Outro • Positive Technologies SCADA analytics: http://www.ptsecurity.com/download/SCADA_analytics_english.pdf • Findings • Recommendations: • http://scadastrangelove.org • http://www.scadahacker.com • http://www.digitalbond.com • http://ics-cert.us-cert.gov • Releases: https://code.google.com/p/scada-tools/ https://code.google.com/p/plcscan/ • Greetz to: SCADASTRANGELOVE TEAM • QA • And now …
S7-300. Live Demo
Thanks to all … to be continued Timorin Alexander atimorin@ptsecurity.ru Efanov Dmitry defanov@ptsecurity.ru Stay in touch and feel free …

Recomendados

Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control SystemHemanth M
 
02 pcs 7 documentation and support v1.00 en
02 pcs 7 documentation and support v1.00 en02 pcs 7 documentation and support v1.00 en
02 pcs 7 documentation and support v1.00 enconfidencial
 
Ch8 v70 os_en
Ch8 v70 os_enCh8 v70 os_en
Ch8 v70 os_enconfidencial
 
Allenbradley Micro logix 1400 Plc Hardware information Guide
Allenbradley Micro logix 1400 Plc Hardware information GuideAllenbradley Micro logix 1400 Plc Hardware information Guide
Allenbradley Micro logix 1400 Plc Hardware information GuideDEEPAK GORAI
 

Recomendados

Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control SystemHemanth M
 
02 pcs 7 documentation and support v1.00 en
02 pcs 7 documentation and support v1.00 en02 pcs 7 documentation and support v1.00 en
02 pcs 7 documentation and support v1.00 enconfidencial
 
Ch8 v70 os_en
Ch8 v70 os_enCh8 v70 os_en
Ch8 v70 os_enconfidencial
 
Allenbradley Micro logix 1400 Plc Hardware information Guide
Allenbradley Micro logix 1400 Plc Hardware information GuideAllenbradley Micro logix 1400 Plc Hardware information Guide
Allenbradley Micro logix 1400 Plc Hardware information GuideDEEPAK GORAI
 
Protecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environmentProtecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environmentItai Grady
 
Simatic getting-started-pcs7
Simatic getting-started-pcs7Simatic getting-started-pcs7
Simatic getting-started-pcs7ionut grozav
 
Building careers in embedded
Building careers in embeddedBuilding careers in embedded
Building careers in embeddedEmertxe Information Technologies Pvt Ltd
 
Allen bradley
Allen bradleyAllen bradley
Allen bradleyAKANSHA GURELE
 
E1000 is faster than VMXNET3
E1000 is faster than VMXNET3E1000 is faster than VMXNET3
E1000 is faster than VMXNET3Eric Sloof
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitPaula Januszkiewicz
 
OpenSplice DDS Tutorial -- Part II
OpenSplice DDS Tutorial -- Part IIOpenSplice DDS Tutorial -- Part II
OpenSplice DDS Tutorial -- Part IIAngelo Corsaro
 
Differences of the Cisco Operating Systems
Differences of the Cisco Operating SystemsDifferences of the Cisco Operating Systems
Differences of the Cisco Operating Systems美兰 曾
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco Canada
 
ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020
ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020
ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020Joe Speed
 
10 basics automatic mode control v1.00_en
10 basics automatic mode control v1.00_en10 basics automatic mode control v1.00_en
10 basics automatic mode control v1.00_enconfidencial
 
Zenoh Tutorial
Zenoh TutorialZenoh Tutorial
Zenoh TutorialAngelo Corsaro
 
SIEMENS S7-300c.ppt
SIEMENS S7-300c.pptSIEMENS S7-300c.ppt
SIEMENS S7-300c.pptSidharth Mohapatra
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 
DDS Tutorial -- Part I
DDS Tutorial -- Part IDDS Tutorial -- Part I
DDS Tutorial -- Part IAngelo Corsaro
 
Firmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using VerilatorFirmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using VerilatorSeyed Amir Alavi
 
06 station and network configuration v1.00_en
06 station and network configuration v1.00_en06 station and network configuration v1.00_en
06 station and network configuration v1.00_enconfidencial
 
Siemens s7 300 programming
Siemens s7 300 programming Siemens s7 300 programming
Siemens s7 300 programming satyajit patra
 
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)Jakub Botwicz
 
【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪
【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪
【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪MAKERPRO.cc
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 

Más contenido relacionado

La actualidad más candente

Protecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environmentProtecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environmentItai Grady
 
Simatic getting-started-pcs7
Simatic getting-started-pcs7Simatic getting-started-pcs7
Simatic getting-started-pcs7ionut grozav
 
E1000 is faster than VMXNET3
E1000 is faster than VMXNET3E1000 is faster than VMXNET3
E1000 is faster than VMXNET3Eric Sloof
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitPaula Januszkiewicz
 
OpenSplice DDS Tutorial -- Part II
OpenSplice DDS Tutorial -- Part IIOpenSplice DDS Tutorial -- Part II
OpenSplice DDS Tutorial -- Part IIAngelo Corsaro
 
Differences of the Cisco Operating Systems
Differences of the Cisco Operating SystemsDifferences of the Cisco Operating Systems
Differences of the Cisco Operating Systems美兰 曾
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco Canada
 
ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020
ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020
ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020Joe Speed
 
10 basics automatic mode control v1.00_en
10 basics automatic mode control v1.00_en10 basics automatic mode control v1.00_en
10 basics automatic mode control v1.00_enconfidencial
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 
DDS Tutorial -- Part I
DDS Tutorial -- Part IDDS Tutorial -- Part I
DDS Tutorial -- Part IAngelo Corsaro
 
Firmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using VerilatorFirmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using VerilatorSeyed Amir Alavi
 
06 station and network configuration v1.00_en
06 station and network configuration v1.00_en06 station and network configuration v1.00_en
06 station and network configuration v1.00_enconfidencial
 
Siemens s7 300 programming
Siemens s7 300 programming Siemens s7 300 programming
Siemens s7 300 programming satyajit patra
 
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)Jakub Botwicz
 
【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪
【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪
【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪MAKERPRO.cc
 

La actualidad más candente (20)

Protecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environmentProtecting browsers’ secrets in a domain environment
Protecting browsers’ secrets in a domain environment
 
Simatic getting-started-pcs7
Simatic getting-started-pcs7Simatic getting-started-pcs7
Simatic getting-started-pcs7
 
Building careers in embedded
Building careers in embeddedBuilding careers in embedded
Building careers in embedded
 
Allen bradley
Allen bradleyAllen bradley
Allen bradley
 
E1000 is faster than VMXNET3
E1000 is faster than VMXNET3E1000 is faster than VMXNET3
E1000 is faster than VMXNET3
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
 
OpenSplice DDS Tutorial -- Part II
OpenSplice DDS Tutorial -- Part IIOpenSplice DDS Tutorial -- Part II
OpenSplice DDS Tutorial -- Part II
 
Differences of the Cisco Operating Systems
Differences of the Cisco Operating SystemsDifferences of the Cisco Operating Systems
Differences of the Cisco Operating Systems
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
 
ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020
ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020
ROS 2 Foxy with Eclipse Cyclone DDS | Philly ROS Meetup July 20th 2020
 
10 basics automatic mode control v1.00_en
10 basics automatic mode control v1.00_en10 basics automatic mode control v1.00_en
10 basics automatic mode control v1.00_en
 
Zenoh Tutorial
Zenoh TutorialZenoh Tutorial
Zenoh Tutorial
 
SIEMENS S7-300c.ppt
SIEMENS S7-300c.pptSIEMENS S7-300c.ppt
SIEMENS S7-300c.ppt
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
DDS Tutorial -- Part I
DDS Tutorial -- Part IDDS Tutorial -- Part I
DDS Tutorial -- Part I
 
Firmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using VerilatorFirmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
Firmware Co-Design & Development for IP Cores in C++/SystemC using Verilator
 
06 station and network configuration v1.00_en
06 station and network configuration v1.00_en06 station and network configuration v1.00_en
06 station and network configuration v1.00_en
 
Siemens s7 300 programming
Siemens s7 300 programming Siemens s7 300 programming
Siemens s7 300 programming
 
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
 
【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪
【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪
【1110ROS社群開講】ROS 2與DDS應用於工業領域_王健豪
 

Similar a Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...OptimalPlus
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3qqlan
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]qqlan
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...PROIDEA
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessS4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessNathan Wallace, PhD, PE
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...PROIDEA
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptxssuserb4d806
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 

Similar a Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters (20)

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessS4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptx
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 

Más de Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Más de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Último

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters

  • 1. Industrial protocols for pentesters Timorin Alexander Efanov Dmitry Positive Technologies PHDays III
  • 2. Who We Are Timorin Alexander • Lead specialist of penetration testing team at Positive Technologies • Main interests: penetration testing, SCADA systems, industrial protocols, password cracking • atimorin@ptsecurity.ru
  • 3. Who We Are Efanov Dmitry • Lead specialist of security development team at Positive Technologies • Main interests: penetration testing, network protocols and hex-numbers • defanov@ptsecurity.ru
  • 5. ICS in the World
  • 6. ICS in the World
  • 7. ICS in the World
  • 8. What we will talk about ? • Modbus • Mystical S7 • Authentication and protection • Profinet
  • 9. Industrial protocols • CIP • BACnet • CC-Link • Ethernet/IP • Modbus • Profinet • S3 / S5 / S7 • DNP3
  • 10. Old Modbus • Published by Modicon (now Schneider Electric) in 1979. • Widely used for connecting industrial electronic devices • Schneider Electric • Advanced Micro Controls • ABB • Emerson • Chinese NONAME • and all other vendors
  • 13. Modbus TCP Standard port – 502/tcp Modbus Request packet: • No authentication • No encryption • No security
  • 14. Modbus Functions • Data access • Read/Write Coils and Registers • Read/Write File Records • Diagnostics • Device Identification • … • + User Defined Functions
  • 15. Modbus Device Identification Standard Function (opcode 0x2B, subcode 0x0E) • VendorName • ProductCode • MajorMinorRevision • VendorUrl • ProductName • ModelName • UserApplicationName
  • 17. Modbus Tools • Emulators: • http://www.modbustools.com/download.asp • Device Discovery: • https://code.google.com/p/plcscan/ • https://code.google.com/p/modscan/ • … • Wireshark • python
  • 19. Mystic S7 Standard port – 102/tcp In Siemens docs - iso-on-tcp, rfc 1006
  • 20. S7 materials • Exploiting Siemens Simatic S7 PLCs (by Dillon Beresford) http://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf • Wireshark dissector http://sourceforge.net/projects/s7commwireshark/ • Libnodave – free communication library http://sourceforge.net/projects/libnodave/
  • 21. ISO-on-TCP (RFC 1006) • Transport layer only • Require source and destination TSAP (Transport Service Access Point) for connection • TSAP (2 bytes) • Connection type (PG – 0x01, OP– 0x02) • Rack/Slot Id
  • 22. What is under ISO-on-TCP?
  • 23. What is under ISO-on-TCP? S5 Communication aka FETCH / WRITE aka Sinec H1 S7 Communication Another S7 Communication
  • 24. S7 communication S7 packet: PDU-types: • 0x01 – Request • 0x02 – Acknowledgement • 0x03 – Response • 0x07– User Data
  • 25. What we can do • Read / Write data • Start / Stop CPU • Upload / Download Blocks • List blocks • Get blocks info • Read SZL (System Status List) • Module Identification • Component Identification • LED’s status
  • 26. Device Identification • PLC scan (https://code.google.com/p/plcscan/) • For s7-300: Module : 6ES7 151-8AB01-0AB0 v.2 Basic Hardware : 6ES7 151-8AB01-0AB0 v.2 Basic Firmware : v.3.2.6 PLC Name : SIMATIC 300(Bla_bla_name) Module Name : IM151-8 PN/DP CPU Plant ID : Copyright : Original Siemens Equipment Module Serial number : S C-BOUV49xxxxx1 Module type name : IM151-8 PN/DP CPU Memory card Serial number : MMC 6CAxxxx0 Module OEM ID : Module Location : • For s7-1200: Module : 6ES7 212-1BD30-0XB0 v.2 Basic Hardware : 6ES7 212-1BD30-0XB0 v.2 Basic Firmware : 6ES7 212-1BD30-0XB0 v.2.2.0
  • 27. S7-300 password protection Password (8 bytes) «Encryption»:
  • 28. S7comm on S7-1200 S7-300 S7-1200 Read/Write Vars + + Device Identification + +/- Start/Stop CPU + - Upload/Download Blocks + - Blocks Info + - LED’s status + -
  • 29. «Another S7 communication» Simple S7 packet ( connection establishment) 72 01 – S7 data delimiter
  • 30. TIA Portal read/write protection PLC read/write password protection for main operations: CPU start/stop/data change, project upload, firmware update, etc.
  • 31. TIA Portal PEData.plf passwords history Simple SHA-1 passwords: 456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40} redbox value: password_length * 2 + 1
  • 32. S7 password hashes extractor source: http://code.google.com/p/scada-tools/source/browse/s7_password_hashes_extractor.py extracting all password sha1 hashes from TIA Portal project file and simple bruteforce. Also possible to intercept password hash when uploading new project to PLC. It’s easy. Know-how protection: • prevent code blocks (OB, FB, FC, DB) from unauthorized access • base64( sha1(password-in-unicode) )
  • 33. SCADA <-> PLC S7 authentication 1. SCADA-> PLC : auth request 2. SCADA <- PLC : challenge 3. SCADA-> PLC : response = HMAC( SHA1(password), challenge ) 4. SCADA <- PLC : auth result sending authentication challenge from PLC to SCADA workstation
  • 34. SCADA <-> PLC S7 authentication sending authentication response from SCADA workstation to PLC
  • 35. SCADA <-> PLC S7 authentication • ICS-CERT alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-016-02 • John the Ripper Jumbo patch: https://github.com/magnumripper/JohnTheRipper/pull/193 • http://www.digitalbond.com/blog/2013/05/10/john-the-ripper-s7-password- cracking/
  • 36. S7 challenge-response extractor source: http://code.google.com/p/scada-tools/source/browse/s7_brute_offline.py extracting challenge-response values from pcap file and simple bruteforce. pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32‘ -> auth ok pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732‘ -> auth bad Other researches/materials: • Dillon Beresford: http://scadahacker.com/exploits/exploits-dillonbh2011.html
  • 37. PROFINET family 2003: IEC 61158, IEC 61784 • PROFINET CBA (Component Based Automation) • PROFINET IO
  • 38. PROFINET IO • master – slave communications • RT (~ 10 ms), IRT (~ 1 ms) • PROFINET PTCP (Precision Time Control Protocol) • PROFINET DCP (Discovery and Basic Configuration Protocol) profinet dcp identify response
  • 39. PROFINET DCP scanner source: http://code.google.com/p/scada-tools/source/browse/profinet_scanner.py discovering all SCADA devices (PC, HMI, PLC) in subnet
  • 40. PROFINET DCP scanner payload = 'fefe05000401000200800004ffff0000' pp = Ether(type=0x8892, src=src_mac, dst=01:0e:cf:00:00:00)/payload.decode('hex') fefe 2b: DCP multicast header 05 1b: Identify service 00 1b: Request type 04010002 4b: Xid (request identificator) 0080 2b: Response delay 0004 2b: DCP data length ffff0000 4b: dcp dataOption(All), Suboption(All) Also we can: • change name of station • change ip, gateway • request network info • LED flashing: PLC, HMI (something wrong with PLC or devices ?? ) • and much more … profinet video demo
  • 41. How to analyze protocols ? • search-analyze-search-analyze-search … • Rob Savoye: “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns” • Rob Savoye: FOSDEM 2009 Reverse Engineering of Proprietary Protocols, Tools and Techniques : http://youtu.be/t3s-mG5yUjY • Netzob: http://www.netzob.org • Fuzzing • wireshark tcpdump python scapy hex viewer
  • 42. Outro • Positive Technologies SCADA analytics: http://www.ptsecurity.com/download/SCADA_analytics_english.pdf • Findings • Recommendations: • http://scadastrangelove.org • http://www.scadahacker.com • http://www.digitalbond.com • http://ics-cert.us-cert.gov • Releases: https://code.google.com/p/scada-tools/ https://code.google.com/p/plcscan/ • Greetz to: SCADASTRANGELOVE TEAM • QA • And now …
  • 44. Thanks to all … to be continued Timorin Alexander atimorin@ptsecurity.ru Efanov Dmitry defanov@ptsecurity.ru Stay in touch and feel free …