SlideShare una empresa de Scribd logo

Industrial protocols for pentesters

Positive Hack Days
Positive Hack Days
TecnologíaEmpresariales
1 de 46
Industrial protocols for pentesters Timorin Alexander Efanov Dmitry Positive Technologies PHDays III
Who We Are Timorin Alexander • Lead specialist of penetration testing team at Positive Technologies • Main interests: penetration testing, SCADA systems, industrial protocols, password cracking • atimorin@ptsecurity.ru
Who We Are Efanov Dmitry • Lead specialist of security development team at Positive Technologies • Main interests: penetration testing, network protocols and hex-numbers • defanov@ptsecurity.ru
ICS Industrial Control System
ICS in the World
ICS in the World
ICS in the World
What we will talk about ? • Modbus • Mystical S7 • Authentication and protection • Profinet
Industrial protocols • CIP • BACnet • CC-Link • Ethernet/IP • Modbus • Profinet • S3 / S5 / S7 • DNP3
Old Modbus • Published by Modicon (now Schneider Electric) in 1979. • Widely used for connecting industrial electronic devices • Schneider Electric • Advanced Micro Controls • ABB • Emerson • Chinese NONAME • and all other vendors
Modbus in XX
Modbus in XXI
Modbus TCP Standard port – 502/tcp Modbus Request packet: • No authentication • No encryption • No security
Modbus Functions • Data access • Read/Write Coils and Registers • Read/Write File Records • Diagnostics • Device Identification • … • + User Defined Functions
Modbus Device Identification Standard Function (opcode 0x2B, subcode 0x0E) • VendorName • ProductCode • MajorMinorRevision • VendorUrl • ProductName • ModelName • UserApplicationName
Modbus Device Identification
Modbus Tools • Emulators: • http://www.modbustools.com/download.asp • Device Discovery: • https://code.google.com/p/plcscan/ • https://code.google.com/p/modscan/ • … • Wireshark • python
Modbus Demo
Mystic S7 Standard port – 102/tcp In Siemens docs - iso-on-tcp, rfc 1006
S7 materials • Exploiting Siemens Simatic S7 PLCs (by Dillon Beresford) http://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf • Wireshark dissector http://sourceforge.net/projects/s7commwireshark/ • Libnodave – free communication library http://sourceforge.net/projects/libnodave/
ISO-on-TCP (RFC 1006) • Transport layer only • Require source and destination TSAP (Transport Service Access Point) for connection • TSAP (2 bytes) • Connection type (PG – 0x01, OP– 0x02) • Rack/Slot Id
What is under ISO-on-TCP?
What is under ISO-on-TCP? S5 Communication aka FETCH / WRITE aka Sinec H1 S7 Communication Another S7 Communication
S7 communication S7 packet: PDU-types: • 0x01 – Request • 0x02 – Acknowledgement • 0x03 – Response • 0x07– User Data
What we can do • Read / Write data • Start / Stop CPU • Upload / Download Blocks • List blocks • Get blocks info • Read SZL (System Status List) • Module Identification • Component Identification • LED’s status
Device Identification • PLC scan (https://code.google.com/p/plcscan/) • For s7-300: Module : 6ES7 151-8AB01-0AB0 v.2 Basic Hardware : 6ES7 151-8AB01-0AB0 v.2 Basic Firmware : v.3.2.6 PLC Name : SIMATIC 300(Bla_bla_name) Module Name : IM151-8 PN/DP CPU Plant ID : Copyright : Original Siemens Equipment Module Serial number : S C-BOUV49xxxxx1 Module type name : IM151-8 PN/DP CPU Memory card Serial number : MMC 6CAxxxx0 Module OEM ID : Module Location : • For s7-1200: Module : 6ES7 212-1BD30-0XB0 v.2 Basic Hardware : 6ES7 212-1BD30-0XB0 v.2 Basic Firmware : 6ES7 212-1BD30-0XB0 v.2.2.0
S7-300 password protection Password (8 bytes) «Encryption»:
S7comm on S7-1200 S7-300 S7-1200 Read/Write Vars + + Device Identification + +/- Start/Stop CPU + - Upload/Download Blocks + - Blocks Info + - LED’s status + -
«Another S7 communication» Simple S7 packet ( connection establishment) 72 01 – S7 data delimiter
TIA Portal read/write protection PLC read/write password protection for main operations: CPU start/stop/data change, project upload, firmware update, etc.
TIA Portal PEData.plf passwords history Simple SHA-1 passwords: 456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40} redbox value: password_length * 2 + 1
S7 password hashes extractor source: http://code.google.com/p/scada-tools/source/browse/s7_password_hashes_extractor.py extracting all password sha1 hashes from TIA Portal project file and simple bruteforce. Also possible to intercept password hash when uploading new project to PLC. It’s easy. Know-how protection: • prevent code blocks (OB, FB, FC, DB) from unauthorized access • base64( sha1(password-in-unicode) )
SCADA <-> PLC S7 authentication 1. SCADA-> PLC : auth request 2. SCADA <- PLC : challenge 3. SCADA-> PLC : response = HMAC( SHA1(password), challenge ) 4. SCADA <- PLC : auth result sending authentication challenge from PLC to SCADA workstation
SCADA <-> PLC S7 authentication sending authentication response from SCADA workstation to PLC
SCADA <-> PLC S7 authentication • ICS-CERT alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-016-02 • John the Ripper Jumbo patch: https://github.com/magnumripper/JohnTheRipper/pull/193 • http://www.digitalbond.com/blog/2013/05/10/john-the-ripper-s7-password- cracking/
S7 challenge-response extractor source: http://code.google.com/p/scada-tools/source/browse/s7_brute_offline.py extracting challenge-response values from pcap file and simple bruteforce. pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32‘ -> auth ok pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732‘ -> auth bad Other researches/materials: • Dillon Beresford: http://scadahacker.com/exploits/exploits-dillonbh2011.html
PROFINET family 2003: IEC 61158, IEC 61784 • PROFINET CBA (Component Based Automation) • PROFINET IO
PROFINET IO • master – slave communications • RT (~ 10 ms), IRT (~ 1 ms) • PROFINET PTCP (Precision Time Control Protocol) • PROFINET DCP (Discovery and Basic Configuration Protocol) profinet dcp identify response
PROFINET DCP scanner source: http://code.google.com/p/scada-tools/source/browse/profinet_scanner.py discovering all SCADA devices (PC, HMI, PLC) in subnet
PROFINET DCP scanner payload = 'fefe05000401000200800004ffff0000' pp = Ether(type=0x8892, src=src_mac, dst=01:0e:cf:00:00:00)/payload.decode('hex') fefe 2b: DCP multicast header 05 1b: Identify service 00 1b: Request type 04010002 4b: Xid (request identificator) 0080 2b: Response delay 0004 2b: DCP data length ffff0000 4b: dcp dataOption(All), Suboption(All) Also we can: • change name of station • change ip, gateway • request network info • LED flashing: PLC, HMI (something wrong with PLC or devices ?? ) • and much more … profinet video demo
How to analyze protocols ? • search-analyze-search-analyze-search … • Rob Savoye: “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns” • Rob Savoye: FOSDEM 2009 Reverse Engineering of Proprietary Protocols, Tools and Techniques : http://youtu.be/t3s-mG5yUjY • Netzob: http://www.netzob.org • Fuzzing • wireshark tcpdump python scapy hex viewer
Outro • Positive Technologies SCADA analytics: http://www.ptsecurity.com/download/SCADA_analytics_english.pdf • Findings • Recommendations: • http://scadastrangelove.org • http://www.scadahacker.com • http://www.digitalbond.com • http://ics-cert.us-cert.gov • Releases: https://code.google.com/p/scada-tools/ https://code.google.com/p/plcscan/ • Greetz to: SCADASTRANGELOVE TEAM • QA • And now …
S7-300. Live Demo
Thanks to all … to be continued Timorin Alexander atimorin@ptsecurity.ru Efanov Dmitry defanov@ptsecurity.ru Stay in touch and feel free …
Industrial protocols for pentesters

Recomendados

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Scada strange love uwn-stuxnet
Scada strange love uwn-stuxnetScada strange love uwn-stuxnet
Scada strange love uwn-stuxnetPositive Hack Days
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systemsPeter Wood
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
Kaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the CloudKaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the Cloudqqlan
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3qqlan
 

Recomendados

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Scada strange love uwn-stuxnet
Scada strange love uwn-stuxnetScada strange love uwn-stuxnet
Scada strange love uwn-stuxnetPositive Hack Days
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systemsPeter Wood
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
Kaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the CloudKaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the Cloudqqlan
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3qqlan
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowSCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowqqlan
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA SecurityNarinrit Prem-apiwathanokul
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageChris Sistrunk
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionRiscure
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareRiscure
 
Esp32 datasheet
Esp32 datasheetEsp32 datasheet
Esp32 datasheetMoises .
 
16f88
16f8816f88
16f88Alfredo Santillan
 
High availability deep dive high-end srx series
High availability deep dive high-end srx seriesHigh availability deep dive high-end srx series
High availability deep dive high-end srx seriesMuhammad Denis Iqbal
 
Datasheet PIC16f887
Datasheet PIC16f887Datasheet PIC16f887
Datasheet PIC16f887whendygarcia
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
Cyclone II FPGA Overview
Cyclone II FPGA OverviewCyclone II FPGA Overview
Cyclone II FPGA OverviewPremier Farnell
 
E.E Smith Resume 2016
E.E Smith Resume 2016E.E Smith Resume 2016
E.E Smith Resume 2016Etiwan Smith
 
Non-abrasive
Non-abrasiveNon-abrasive
Non-abrasiveHeskins LLC
 

Más contenido relacionado

La actualidad más candente

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowSCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowqqlan
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageChris Sistrunk
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionRiscure
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareRiscure
 
Esp32 datasheet
Esp32 datasheetEsp32 datasheet
Esp32 datasheetMoises .
 
High availability deep dive high-end srx series
High availability deep dive high-end srx seriesHigh availability deep dive high-end srx series
High availability deep dive high-end srx seriesMuhammad Denis Iqbal
 
Datasheet PIC16f887
Datasheet PIC16f887Datasheet PIC16f887
Datasheet PIC16f887whendygarcia
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
Cyclone II FPGA Overview
Cyclone II FPGA OverviewCyclone II FPGA Overview
Cyclone II FPGA OverviewPremier Farnell
 

La actualidad más candente (20)

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowSCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already know
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA Security
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault Injection
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive Firmware
 
Esp32 datasheet
Esp32 datasheetEsp32 datasheet
Esp32 datasheet
 
16f88
16f8816f88
16f88
 
High availability deep dive high-end srx series
High availability deep dive high-end srx seriesHigh availability deep dive high-end srx series
High availability deep dive high-end srx series
 
Datasheet PIC16f887
Datasheet PIC16f887Datasheet PIC16f887
Datasheet PIC16f887
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
Cyclone II FPGA Overview
Cyclone II FPGA OverviewCyclone II FPGA Overview
Cyclone II FPGA Overview
 

Destacado

E.E Smith Resume 2016
E.E Smith Resume 2016E.E Smith Resume 2016
E.E Smith Resume 2016Etiwan Smith
 
Agile Design and Development
Agile Design and DevelopmentAgile Design and Development
Agile Design and DevelopmentMax Cameron
 
A Spectral Domain Dominant Feature Extraction Algorithm for Palm-print Recogn...
A Spectral Domain Dominant Feature Extraction Algorithm for Palm-print Recogn...A Spectral Domain Dominant Feature Extraction Algorithm for Palm-print Recogn...
A Spectral Domain Dominant Feature Extraction Algorithm for Palm-print Recogn...CSCJournals
 
Variable Thinning Using Historical Stand Structure Data to Create Fire-Resili...
Variable Thinning Using Historical Stand Structure Data to Create Fire-Resili...Variable Thinning Using Historical Stand Structure Data to Create Fire-Resili...
Variable Thinning Using Historical Stand Structure Data to Create Fire-Resili...National Institute of Food and Agriculture
 
02 sexual reproduction in flowering plants
02 sexual reproduction in flowering plants02 sexual reproduction in flowering plants
02 sexual reproduction in flowering plantsAditya Srivastava
 
PV2 Tools & Technology for Permaculture Homesteads
PV2 Tools & Technology for Permaculture HomesteadsPV2 Tools & Technology for Permaculture Homesteads
PV2 Tools & Technology for Permaculture HomesteadsGrant Schultz
 
Система мониторинга Zabbix в процессах разработки и тестирования | Алексей Буров
Система мониторинга Zabbix в процессах разработки и тестирования | Алексей БуровСистема мониторинга Zabbix в процессах разработки и тестирования | Алексей Буров
Система мониторинга Zabbix в процессах разработки и тестирования | Алексей БуровPositive Hack Days
 
Introduction to Google BigQuery
Introduction to Google BigQueryIntroduction to Google BigQuery
Introduction to Google BigQueryCsaba Toth
 
Dairy Farm Business Planning
Dairy Farm Business Planning Dairy Farm Business Planning
Dairy Farm Business Planning Dr. Tom Armstrong
 

Destacado (11)

E.E Smith Resume 2016
E.E Smith Resume 2016E.E Smith Resume 2016
E.E Smith Resume 2016
 
Non-abrasive
Non-abrasiveNon-abrasive
Non-abrasive
 
Agile Design and Development
Agile Design and DevelopmentAgile Design and Development
Agile Design and Development
 
A Spectral Domain Dominant Feature Extraction Algorithm for Palm-print Recogn...
A Spectral Domain Dominant Feature Extraction Algorithm for Palm-print Recogn...A Spectral Domain Dominant Feature Extraction Algorithm for Palm-print Recogn...
A Spectral Domain Dominant Feature Extraction Algorithm for Palm-print Recogn...
 
Variable Thinning Using Historical Stand Structure Data to Create Fire-Resili...
Variable Thinning Using Historical Stand Structure Data to Create Fire-Resili...Variable Thinning Using Historical Stand Structure Data to Create Fire-Resili...
Variable Thinning Using Historical Stand Structure Data to Create Fire-Resili...
 
02 sexual reproduction in flowering plants
02 sexual reproduction in flowering plants02 sexual reproduction in flowering plants
02 sexual reproduction in flowering plants
 
PV2 Tools & Technology for Permaculture Homesteads
PV2 Tools & Technology for Permaculture HomesteadsPV2 Tools & Technology for Permaculture Homesteads
PV2 Tools & Technology for Permaculture Homesteads
 
Devops episodio 1. devOpsTnf
Devops episodio 1. devOpsTnf Devops episodio 1. devOpsTnf
Devops episodio 1. devOpsTnf
 
Система мониторинга Zabbix в процессах разработки и тестирования | Алексей Буров
Система мониторинга Zabbix в процессах разработки и тестирования | Алексей БуровСистема мониторинга Zabbix в процессах разработки и тестирования | Алексей Буров
Система мониторинга Zabbix в процессах разработки и тестирования | Алексей Буров
 
Introduction to Google BigQuery
Introduction to Google BigQueryIntroduction to Google BigQuery
Introduction to Google BigQuery
 
Dairy Farm Business Planning
Dairy Farm Business Planning Dairy Farm Business Planning
Dairy Farm Business Planning
 

Similar a Industrial protocols for pentesters

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 
Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...OptimalPlus
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]qqlan
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...PROIDEA
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessS4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessNathan Wallace, PhD, PE
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...PROIDEA
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptxssuserb4d806
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...aaajjj4
 
Case Study At91RM9200 Data Hub Controller
Case Study At91RM9200 Data Hub ControllerCase Study At91RM9200 Data Hub Controller
Case Study At91RM9200 Data Hub ControllerPromwad
 

Similar a Industrial protocols for pentesters (20)

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...Securing your supply chain from counterfeit parts through real time electroni...
Securing your supply chain from counterfeit parts through real time electroni...
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering ProcessS4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
S4x19 Stage 2 Making Power System Cybersecurity Part of the Engineering Process
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptx
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
 
Case Study At91RM9200 Data Hub Controller
Case Study At91RM9200 Data Hub ControllerCase Study At91RM9200 Data Hub Controller
Case Study At91RM9200 Data Hub Controller
 
M7vcm10
M7vcm10M7vcm10
M7vcm10
 

Más de Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Más de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Último

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 

Último (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

Industrial protocols for pentesters

  • 1.
  • 2. Industrial protocols for pentesters Timorin Alexander Efanov Dmitry Positive Technologies PHDays III
  • 3. Who We Are Timorin Alexander • Lead specialist of penetration testing team at Positive Technologies • Main interests: penetration testing, SCADA systems, industrial protocols, password cracking • atimorin@ptsecurity.ru
  • 4. Who We Are Efanov Dmitry • Lead specialist of security development team at Positive Technologies • Main interests: penetration testing, network protocols and hex-numbers • defanov@ptsecurity.ru
  • 6. ICS in the World
  • 7. ICS in the World
  • 8. ICS in the World
  • 9. What we will talk about ? • Modbus • Mystical S7 • Authentication and protection • Profinet
  • 10. Industrial protocols • CIP • BACnet • CC-Link • Ethernet/IP • Modbus • Profinet • S3 / S5 / S7 • DNP3
  • 11. Old Modbus • Published by Modicon (now Schneider Electric) in 1979. • Widely used for connecting industrial electronic devices • Schneider Electric • Advanced Micro Controls • ABB • Emerson • Chinese NONAME • and all other vendors
  • 14. Modbus TCP Standard port – 502/tcp Modbus Request packet: • No authentication • No encryption • No security
  • 15. Modbus Functions • Data access • Read/Write Coils and Registers • Read/Write File Records • Diagnostics • Device Identification • … • + User Defined Functions
  • 16. Modbus Device Identification Standard Function (opcode 0x2B, subcode 0x0E) • VendorName • ProductCode • MajorMinorRevision • VendorUrl • ProductName • ModelName • UserApplicationName
  • 18. Modbus Tools • Emulators: • http://www.modbustools.com/download.asp • Device Discovery: • https://code.google.com/p/plcscan/ • https://code.google.com/p/modscan/ • … • Wireshark • python
  • 20. Mystic S7 Standard port – 102/tcp In Siemens docs - iso-on-tcp, rfc 1006
  • 21. S7 materials • Exploiting Siemens Simatic S7 PLCs (by Dillon Beresford) http://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf • Wireshark dissector http://sourceforge.net/projects/s7commwireshark/ • Libnodave – free communication library http://sourceforge.net/projects/libnodave/
  • 22. ISO-on-TCP (RFC 1006) • Transport layer only • Require source and destination TSAP (Transport Service Access Point) for connection • TSAP (2 bytes) • Connection type (PG – 0x01, OP– 0x02) • Rack/Slot Id
  • 23. What is under ISO-on-TCP?
  • 24. What is under ISO-on-TCP? S5 Communication aka FETCH / WRITE aka Sinec H1 S7 Communication Another S7 Communication
  • 25. S7 communication S7 packet: PDU-types: • 0x01 – Request • 0x02 – Acknowledgement • 0x03 – Response • 0x07– User Data
  • 26. What we can do • Read / Write data • Start / Stop CPU • Upload / Download Blocks • List blocks • Get blocks info • Read SZL (System Status List) • Module Identification • Component Identification • LED’s status
  • 27. Device Identification • PLC scan (https://code.google.com/p/plcscan/) • For s7-300: Module : 6ES7 151-8AB01-0AB0 v.2 Basic Hardware : 6ES7 151-8AB01-0AB0 v.2 Basic Firmware : v.3.2.6 PLC Name : SIMATIC 300(Bla_bla_name) Module Name : IM151-8 PN/DP CPU Plant ID : Copyright : Original Siemens Equipment Module Serial number : S C-BOUV49xxxxx1 Module type name : IM151-8 PN/DP CPU Memory card Serial number : MMC 6CAxxxx0 Module OEM ID : Module Location : • For s7-1200: Module : 6ES7 212-1BD30-0XB0 v.2 Basic Hardware : 6ES7 212-1BD30-0XB0 v.2 Basic Firmware : 6ES7 212-1BD30-0XB0 v.2.2.0
  • 28. S7-300 password protection Password (8 bytes) «Encryption»:
  • 29. S7comm on S7-1200 S7-300 S7-1200 Read/Write Vars + + Device Identification + +/- Start/Stop CPU + - Upload/Download Blocks + - Blocks Info + - LED’s status + -
  • 30. «Another S7 communication» Simple S7 packet ( connection establishment) 72 01 – S7 data delimiter
  • 31. TIA Portal read/write protection PLC read/write password protection for main operations: CPU start/stop/data change, project upload, firmware update, etc.
  • 32. TIA Portal PEData.plf passwords history Simple SHA-1 passwords: 456e6372797074656450617373776f72[a-f0-9]{240,360}000101000000[a-f0-9]{40} redbox value: password_length * 2 + 1
  • 33. S7 password hashes extractor source: http://code.google.com/p/scada-tools/source/browse/s7_password_hashes_extractor.py extracting all password sha1 hashes from TIA Portal project file and simple bruteforce. Also possible to intercept password hash when uploading new project to PLC. It’s easy. Know-how protection: • prevent code blocks (OB, FB, FC, DB) from unauthorized access • base64( sha1(password-in-unicode) )
  • 34. SCADA <-> PLC S7 authentication 1. SCADA-> PLC : auth request 2. SCADA <- PLC : challenge 3. SCADA-> PLC : response = HMAC( SHA1(password), challenge ) 4. SCADA <- PLC : auth result sending authentication challenge from PLC to SCADA workstation
  • 35. SCADA <-> PLC S7 authentication sending authentication response from SCADA workstation to PLC
  • 36. SCADA <-> PLC S7 authentication • ICS-CERT alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-016-02 • John the Ripper Jumbo patch: https://github.com/magnumripper/JohnTheRipper/pull/193 • http://www.digitalbond.com/blog/2013/05/10/john-the-ripper-s7-password- cracking/
  • 37. S7 challenge-response extractor source: http://code.google.com/p/scada-tools/source/browse/s7_brute_offline.py extracting challenge-response values from pcap file and simple bruteforce. pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32‘ -> auth ok pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732‘ -> auth bad Other researches/materials: • Dillon Beresford: http://scadahacker.com/exploits/exploits-dillonbh2011.html
  • 38. PROFINET family 2003: IEC 61158, IEC 61784 • PROFINET CBA (Component Based Automation) • PROFINET IO
  • 39. PROFINET IO • master – slave communications • RT (~ 10 ms), IRT (~ 1 ms) • PROFINET PTCP (Precision Time Control Protocol) • PROFINET DCP (Discovery and Basic Configuration Protocol) profinet dcp identify response
  • 40. PROFINET DCP scanner source: http://code.google.com/p/scada-tools/source/browse/profinet_scanner.py discovering all SCADA devices (PC, HMI, PLC) in subnet
  • 41. PROFINET DCP scanner payload = 'fefe05000401000200800004ffff0000' pp = Ether(type=0x8892, src=src_mac, dst=01:0e:cf:00:00:00)/payload.decode('hex') fefe 2b: DCP multicast header 05 1b: Identify service 00 1b: Request type 04010002 4b: Xid (request identificator) 0080 2b: Response delay 0004 2b: DCP data length ffff0000 4b: dcp dataOption(All), Suboption(All) Also we can: • change name of station • change ip, gateway • request network info • LED flashing: PLC, HMI (something wrong with PLC or devices ?? ) • and much more … profinet video demo
  • 42. How to analyze protocols ? • search-analyze-search-analyze-search … • Rob Savoye: “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns” • Rob Savoye: FOSDEM 2009 Reverse Engineering of Proprietary Protocols, Tools and Techniques : http://youtu.be/t3s-mG5yUjY • Netzob: http://www.netzob.org • Fuzzing • wireshark tcpdump python scapy hex viewer
  • 43. Outro • Positive Technologies SCADA analytics: http://www.ptsecurity.com/download/SCADA_analytics_english.pdf • Findings • Recommendations: • http://scadastrangelove.org • http://www.scadahacker.com • http://www.digitalbond.com • http://ics-cert.us-cert.gov • Releases: https://code.google.com/p/scada-tools/ https://code.google.com/p/plcscan/ • Greetz to: SCADASTRANGELOVE TEAM • QA • And now …
  • 45. Thanks to all … to be continued Timorin Alexander atimorin@ptsecurity.ru Efanov Dmitry defanov@ptsecurity.ru Stay in touch and feel free …