Speakers: Alexander Timorin, Alexander Tlyapov, Gleb Gritsai This talk will feature a technical description and a detailed analysis of such popular industrial protocols as Profinet DCP, IEC 61850-8-1 (MMS), IEC 61870-5-101/104, based on case studies. We will disclose potential opportunities that those protocols provide to attackers, as well as the authentication mechanism of the Siemens proprietary protocol called S7. Besides protocols, the results of the research called Siemens Simatic WinCC will be presented. The overall component interaction architecture, HTTP protocols and interaction mechanisms, authorization and internal logic vulnerabilities will be shown. The talk will be concluded with a methodological approach to network protocol analysis, recommendation, and script release.

1. All pictures are taken from
Dr StrangeLove movie
by Gleb Gritsai (as Alexander Timorin)
and Alexander Tlyapov

2. 
Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster and to
keep Purity Of Essence
Sergey Gordeychik
Roman Ilin
Artem Chaykin
Dmitry Efanov
Andrey Medov
Alexander Zaitsev
Dmitry Sklyarov
Roman Ilin
Kirill Nesterov
Gleb Gritsai
Ilya Karpov
Yuriy Dyachenko
Yuri Goltsev
Sergey Scherbel
Dmitry Serebryannikov
Alexander Timorin
Alexander Tlyapov
Denis Baranov
Sergey Bobrov
Sergey Drozdov
Vladimir Kochetkov
Timur Yunusov
Dmitry Nagibin
Vyacheslav Egoshin
Evgeny Ermakov

3. 
Gleb Gritsai




Penetration tester @ptsecurity
ICS researcher and expert
Member of @scadasl
Alexander Tlyapov
Reverse engineer @ptsecurity
 ICS researcher
 Member of @scadasl


4. 
ICS 101


Industrial protocols (Gleb Gritsai)



This 101 is useless
Functions and weakness of protocols
Penetration tester’s view
WinCC architecture (Alexander Tlyapov)



Internal protocols
Authorization process
And how no to pay attention and get to serious stuff

6. 
HMI


PLC


Programmable Logic Controller
RTU


Human Machine Interface
Remote Telemetry Unit
IED, SCADA,
DSC, Sensor,
Actuator, …

7. 
Movinged from Serial to Ethernet


Actually five senses of ICS by




Sometimes to Radio (GSM, ZigBee, WiFi, etc)
Controlling physical processes
Delivering feedback
Available starting from OSI/ISO layer 3
Industry and application specific
Delivering real time data from sensor or configuring
network settings of PLC or reflashing RTU
 Operating in one subnet or providing remote telemetry
and supervisory


Developed without security in mind and in coders

“Times they are a changin‘”, but slowly

8. 
Manufacturing Message Specification
 A protocol, but more a specification for messaging


Originally developed at 1980
“Heavy”
 See MODBUS packet: [gw_unit; function; register; value]

Applications
 IED, PLC, SCADA, RTU

Vendors
 GE, Siemens, Schneider, Daimler, ABB

9. 
Domains
 Named memory regions for managing data/code blobs
 Abstraction for devices





Program invocations
Journals
Files (Yes, files)
Named variables and lists (groups of vars)
Events
 State machines for alarms and events


Operators station (HMI)
Init semaphores
 Concurrent access

10. 
IEC 62351-4 is security for IEC 61850-8-1
 IEC 61850-8-1 is MMS

Application level
 ACSE AARQ and AARE PDUs



Transport level – TLS (62351-3)
Access Control Lists
Original port 102 to 3782 if secured

11. 

Application security is in ACSE layer (i.e. Association
Control Service Element) which is rarely implemented
No password requirements defined for software


Welcome to the “123”
Application security is plain password

Bruteforce
 Just try to keep port alive as no locking exist

Interception
 Simple ARP spoofing is still a kill switch for ICS networks (do
this in labs or disconnected SCADAs if you care)

12. 
Access must be defined to every object
(according to standard)



Kind of: read, write, delete
Optional
TLS, srsly?


No options to set it up seen in products
Not supported (not even with stubs in code)

13. 
Discovery & Fingerprint
 Port 102 is also S7 and … - COTP (Connection Oriented
Transport Protocol) & TPKT (Transport packet)
 “Identify” request for Vendor, Model and Version

Enumeration of objects
 Enumerate everything: Domains, Variables, Files, etc
 Good thing – named variables (no need for db with
tags/registers/etc description) for understanding logic
 Domains: IEDInverter, IEDBattery, IEDPhysical_Measurements
 Variables for IEDBattery: ZBAT1$MX$Vol, ZBAT1$MX$Amp,
ZBAT1$ST$Health
 Better than WriteCoil(coil=X, value=Y)

14. 
Open source libs - easy to extract API for better
code coverage while fuzzing PLCs, IEDs, RTUs, …


Ain’t it fun fuzzing embedded devices
Lot’s of open source libs, single DLL APIs and
simulators

libiec61850 is C and free
 http://libiec61850.com

openmuc is java and free
 http://openmuc.org/

Smartgridware and others non free, but trial
 http://www.smartgridware.com/
 http://nettedautomation.com/iec61850li/dll/index.html

15. 


Is actually IEC 61870-5-104
Master, Slave, Master-Slave
No security mechanisms in standard and in
implementations


Extensible and vice versa by design


Vendors publish checklists with supported functions
Mainly for gathering telemetry in electricity
distribution and power system automation


Except the IP addresses of Masters defined on Slaves
interrogations
Can feature control functions

write, command, execute

16. 
Discovery


TCP port 2404
Application level ASDU broadcast address
 As soon as RTU receives broadcast to enumerate IEC
104 endpoints it sends broadcast itself
 If there is an RTU nearby you’ll get infinite broadcast
 BCR (Binary Counter Reading) hack with frozen binary
counter can mitigate this
 Do it at home unless … don’t do it

17. 
Reading data


Writing data


Done by interrogations which provides set of
controlled data
Inspect vendor document on supported protocol
features
Simulators, libraries and fingerprint tool
 https://github.com/atimorin/PoC2013/blob/master/i
ec-60870-5-104/iec-60870-5-104.py
 https://code.google.com/p/mrts-ng/
 https://code.google.com/p/sim104/

18. IEC 104 travels
over dedicated
network
Remote Control
IEC 104

Power plant 1
Power plant 2
Power Plant N

19. 

IEC 104 flows through
RTU to SCADA Server
SCADA Server
reads/writes data
as requested
Power plant 1
FW: IEC 104 port opened
RTU
FW: IEC 104 port opened
SCADA Server
Open/Close
the Door
PLC

20. Remote Control
IEC 104, SMB,
HTTP, etc
corp.company.loc
Power plant 1
Power plant 2
Power Plant N
office.pp1.company.loc
office.pp2.company.loc
office.ppN.company.loc

21. 
corp.company.loc
Now this does
look like
typical pentest
Remote Control
IEC 104, SMB,
HTTP, etc
Internets
E-mail
Sharepoint
Remote applications
Web sites
Power plant 1
Power plant 2
Power Plant N
office.pp1.company.loc
office.pp2.company.loc
office.ppN.company.loc

22. 
corp.company.loc
Now this does
look like one of the
pentest attack
vectors
Remote Control
IEC 104, SMB,
HTTP, etc
Internets
E-mail
Sharepoint
Remote applications
Web sites
Power plant 1
Power plant 2
Power Plant N
office.pp1.company.loc
office.pp2.company.loc
office.ppN.company.loc

23. 


Internal protocols
Authorization process
And how no to pay attention and get to serious
stuff

24. WinCC
Web-Client
Internet,
corp lan,
vpn’s
WinCC
DataMonitor
Some
networks
WinCC
SCADA-Clients
LAN
WinCC
Web-Client
WinCC
SCADA-Client
+Web-Server
WinCC
Servers
Engineering station
(TIA portal/PCS7)
PROFINET
PROFIBUS
PLC1
PLC2
WinCC
DataMonitor
PLC3

25. ActiveX components
for communication
and rendering of
HMI
Another component
of WinCC.
For example,
forwarding
commands to the
PLC via the S7
protocol
IIS extension
SCSWebBridgex.dll
Manages SCS
connection and
converts data to PAL
CCEServer.exe
Yep-Yep, again)
CCEServer.exe
WinCC core:
Manages requests of
components
WebNavigatorRT.exe
Rendering HMI and
command
transmission

26. •
•
•
•
The POST requests from the client contains the binary data of SCS
protocol
Basic-authorization
Authorization is “two-stage” (we’ll cover this later)
For the real identification of client a specially “generated” ID is
used

27. 


SQL query to database (using COM objects)
Verification "special" Windows User
The "hardcode" and etc.
For successful authentication any path will do

29. Authentication of
user in the database
through the COM
object on the server
Getting ServerID
and the “magic”
activity for the
password to
WebBridge
Using received
"magic" password to
work with
SCSWebBridgeX

30. Oh! En/c(r)ypt[10]n!
ServerID = Base64(RC2(pass, key)), where key
= MD5(dll hardcode)

31. And forget that before
we entered a another
password...
Not my department password!

32. Sql injection in Basic-authorization.
It is too hard for me.

33. Passwords in database is
not plaintext…
CVE-2013-0676

34. But, it’s just XOR with very secret string.
CVE-2013-0678

35. This is my
encryptionkey

36. So, we have another way to get ServerID and later access
SCSWebBridgex.dll

37. Still not quite ...

38. 



"Magic" password = MD5(WNUSR_DC92D7179E29.WinPassword)
Stored in the registry and encrypted with DPAPI. But with no luck.
Wrong flag allows any users (including Guest) on this host to get
password for special Siemens user. BTW, this user is local admin.
Password generation features very good charset, but chars used
uniquely and length is 12 to 14 chars which is not making cracking
MD5 harder

39. 

All further communications authorized with
this password
For dispatching requests a special ID is used
that is generated ... in some weird and funny
way

40. Offset
Description
Size
0
AlwaysNULL
4
4
dwCode
4
8
Unknown
4
12
DataLen
4
16
ID
4
20
DataChunkNum
4
24
CRC
4
28
ChuckLen
4
32
DataChunkStart
…

41. Transmitted ID represents index and identifier in
the pool of objects which is responsible for storing
the data and dispatching requests
Offset
Description
Size
0
PoolID
2
2
PoolIndex
2

43. HMI
Other
components
CCEServer
PLC
Communication
License
server
To start communication components must call CAL_StartListen in the service
CCEServer. This function is passing all the necessary information about the
component. Such as:
• Component’s GUID
• His PID
• Required callbacks
• Etc

44. 
During initial communications SCS packet is transmitted with GUID
describing target component

45. 


According to received identifier component's object is looked up
Further communication occurs in the context of an established
connection, through a protocol called CAL
The mechanism of data transmission in the CAL protocol is
based on a global MappedSections

47. For sending data:
Section = ("GlobalSCS%08X%04X%04X%04XSAM", PID, SomeW, MapKey, Null);
ReadyEvent = ("GlobalSCS%08X%04X%04X%04XSAN", PID, SomeW, MapKey, Null);
SendEvent = ("GlobalSCS%08X%04X%04X%04XSAF", PID, SomeW, MapKey, Null);
For receiving data:
Section = ("GlobalSCS%08X%04X%04X%04XASM", PID, SomeW, MapKey, Null);
ReadyEvent = ("GlobalSCS%08X%04X%04X%04XASN", PID, SomeW, MapKey, Null);
ReciveEvent = ("GlobalSCS%08X%04X%04X%04XASF", PID, SomeW, MapKey, Null);

48. 
SQLi for retrieving HMI user passwords from db
 And XOR decryption tool





Hardcoded credentials for retrieving ServerID
Crack ServerID for Siemens windows user
Use ServerID for communication WebBridge
Session hijacking for privilege escalation on HMI
Exploiting architecture weakness to use arbitrary
components of WinCC (like PLC comms)

49. Contact despair:
Gleb Gritsai
ggritsai@ptsecurity.com
@repdet
Alexander Tlyapov
atlyapov@ptsecurity.com
@Rigros1