6. What is it?
Operational Technology (OT) refers to computing systems that are used to manage industrial operations, as opposed to administrative operations. Operational systems include production line management, mining operations control, oil and gas monitoring, etc.

Industrial control systems (ICS) are a major segment within the operational technology sector. They comprise the systems used to monitor and control industrial processes: mine site conveyor belts, oil refinery cracking towers, power consumption on electricity grids, or alarms from building information systems. ICSs are typically mission-critical applications with a high-availability requirement.
18. Common problems
• Connected to the internet (discoverable via Shodan)
• Obsolete but stable operating systems
• Default credentials
• Not updated, not patched
• Easy to exploit
• Weak protocol stack implementations
19. Attack Vectors
• We will always find a Homer
• USB pen drives
• Installed programs that do not work
• Insecure radio communications
• Ignorance of the real network topology
30. Hands on attack: Security
Password protected access
A set of SCADA tools made up of five Python scripts:
• s7_password_hash_extractor()
Extracts the password hash from the PEData.plf file. The *.plf file is found in the PLC configuration.
• s7_brute_offline()
The number of connection attempts is unlimited. Only 5 minutes are needed to find the right password.
Source code protection
The source code of a block is "normally" protected (i.e. unreadable). In fact, this protection can be bypassed easily just by modifying bytes 16 to 22 of the binary MC7 code. It is the same hexadecimal value for all unprotected blocks.
33. Most PLCs are vulnerable
• SIL certification (IEC 61508) does not evaluate security
• Modern PLCs are microprocessor-based, programmable systems that are configured from a basic Windows PC
• Major PLCs integrate control and safety systems using Ethernet communication with open, insecure protocols (Profinet, Modbus TCP, OPC)
• Many PLC communication interface modules run an embedded operating system and Ethernet stack that have known vulnerabilities and default configurations
43. Hardware hacking: JTAG Debug
• ST-Link (for STM32 boards)
  • Connect the CLK pad on the PCB to SWCLK on the ST-Link.
  • Connect the DAT pad to SWDIO.
  • Connect the board GND and the ST-Link GND together.
44. Hardware hacking: JTAG Debug
• openocd, then attach with:
  • GDB: arm-none-eabi-gdb -tui /path/to/file.elf
    (gdb) target remote localhost:4444
  • r2: r2 -a arm -b 32 -D gdb gdb://127.0.0.1:4444
45. Hardware hacking: JTAG Debug
• Dump the flash:
  • st-flash read /tmp/output.bin 0x8000000 0x8000
• Reverse with IDA Pro
51. Example firmware reversing
Usage: %s %s
User name | Password
-----------+-------------
%10s | %4s
debug
%10s | ****
User account was not found.
Password is to long, max %d symbols.
Password for %s is set.
admin
Null lenght password is set.
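The slide above lists format strings recovered from a firmware image. As an added example (not code from the deck), the following stand-alone Python script does the first step of that audit without external tools: it extracts printable ASCII runs the way `strings` does and flags the ones a reviewer would look at first, i.e. credential-related words and printf-style table rows. The blob it scans is constructed inline from non-printable filler and the strings shown on the slide; the hint list and the `%`/`|` heuristic are assumptions, not a rule from the presentation.

```python
import re

MIN_LEN = 4                                   # same default minimum as `strings`
# Assumed review heuristic: words that usually sit next to hard-coded accounts.
CREDENTIAL_HINTS = ("password", "user", "login", "admin", "debug", "account")


def extract_strings(blob, min_len=MIN_LEN):
    """Return printable ASCII runs of at least min_len bytes, like `strings` would print."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def flag_credential_strings(strings):
    """Pick out strings that hint at credential handling: hint words, or printf rows of a user/password table."""
    flagged = []
    for s in strings:
        lowered = s.lower()
        looks_like_table_row = "%" in s and "|" in s      # e.g. "%10s | %4s"
        if any(hint in lowered for hint in CREDENTIAL_HINTS) or looks_like_table_row:
            flagged.append(s)
    return flagged


def build_sample_blob():
    """Constructed firmware-like blob: non-printable filler around the strings shown on the slide."""
    filler = b"\x00\xff\x7f\x80\x01\x10" * 6           # nothing here is printable ASCII
    slide_strings = [
        b"Usage: %s %s",
        b"User name | Password",
        b"%10s | %4s",
        b"debug",
        b"User account was not found.",
        b"Password is to long, max %d symbols.",   # firmware's own spelling, kept verbatim
        b"admin",
        b"v1.2",                                    # constructed version tag: extracted but not flagged
    ]
    return filler + b"\x00".join(s + filler for s in slide_strings)


if __name__ == "__main__":
    found = extract_strings(build_sample_blob())
    print("%d strings extracted" % len(found))
    for s in flag_credential_strings(found):
        print("REVIEW:", s)
```

Running it on a real image is `extract_strings(open("firmware.bin", "rb").read())`; the flagged list is a starting point for reviewing how those accounts are provisioned and whether the password can be changed, not a finding by itself.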
84. 1. Read packets
import dpkt

pcap_file = open('file.pcap', 'rb')        # pcap must be opened in binary mode
pcap = dpkt.pcap.Reader(pcap_file)
for ts, buf in pcap:                        # ts: capture timestamp, buf: raw frame bytes
    process(buf)
85. 2. Process packets
import dpkt

def process(buf):
    eth = dpkt.ethernet.Ethernet(buf)
    # Skip frames that are not IPv4/TCP (ARP, UDP, ...): they have no TCP payload to match
    if not isinstance(eth.data, dpkt.ip.IP) or not isinstance(eth.data.data, dpkt.tcp.TCP):
        return
    ip = eth.data
    tcp = ip.data
    data = tcp.data                          # TCP payload handed to the YARA matcher
    signature = check_yara(data)             # check_yara: the deck's matcher, defined elsewhere
    if signature:
        print(signature)
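The two slides above describe a read, dissect, match pipeline over a capture. As an added example (not the deck's code), the script below implements that pipeline with the standard library only, so it runs without dpkt or yara: a classic-pcap reader standing in for `dpkt.pcap.Reader`, an Ethernet/IPv4/TCP dissector standing in for the `eth.data.data.data` chain, and `check_signatures()` standing in for `check_yara()`. The two signatures are protocol facts rather than anything from the slides: a Modbus/TCP request whose MBAP header carries a write function code (05, 06, 0F, 10), and an S7comm session setup, which rides on TPKT/COTP to port 102. The capture it scans is constructed inline (checksums left at zero), not real traffic; addresses and ports are made up.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                      # classic pcap, written little-endian below
LINKTYPE_ETHERNET = 1
MODBUS_WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}  # write coil(s) / register(s) function codes


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame around payload (checksums left 0: test data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex("001122334455 66778899aabb 0800")   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic pcap file: 24-byte global header + 16-byte per-record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_packets(pcap_bytes):
    """Yield (timestamp, frame) like the dpkt.pcap.Reader loop on the slide, without dpkt."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian classic pcap with Ethernet frames is handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap_bytes[off:off + incl_len]
        off += incl_len


def dissect_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def sig_modbus_write(sport, dport, payload):
    """Modbus/TCP request carrying a write function code: MBAP protocol id 0 at bytes 2-3, code at byte 7."""
    return (dport == 502 and len(payload) >= 8 and payload[2:4] == b"\x00\x00"
            and payload[7] in MODBUS_WRITE_CODES)


def sig_s7_tpkt(sport, dport, payload):
    """S7comm rides on COTP over TPKT (RFC 1006): version 3, reserved 0, 16-bit total length."""
    return (dport == 102 and len(payload) >= 4 and payload[:2] == b"\x03\x00"
            and struct.unpack("!H", payload[2:4])[0] == len(payload))


SIGNATURES = [("modbus_write_request", sig_modbus_write), ("s7comm_tpkt_session", sig_s7_tpkt)]


def check_signatures(sport, dport, payload):
    """Stand-in for the slide's check_yara(): names of every signature matching this segment."""
    return [name for name, match in SIGNATURES if match(sport, dport, payload)]


def scan_pcap(pcap_bytes):
    """Run read -> dissect -> match and return (src, dst, dport, signature) hits in capture order."""
    hits = []
    for _ts, frame in read_packets(pcap_bytes):
        parsed = dissect_tcp(frame)
        if parsed is None:                   # ARP, UDP, truncated frames: nothing to match
            continue
        src, dst, sport, dport, payload = parsed
        hits.extend((src, dst, dport, name) for name in check_signatures(sport, dport, payload))
    return hits


def build_sample_pcap():
    """Constructed traffic (not a real capture): Modbus write and read requests, a COTP connect, HTTP."""
    modbus_write = bytes.fromhex("0001 0000 0006 01 06 0001 1234")  # FC 06 write single register
    modbus_read = bytes.fromhex("0002 0000 0006 01 03 0000 000a")   # FC 03 read holding registers
    cotp_connect = bytes.fromhex("0300 0016 11 e0 0000 0001 00 c1 02 0100 c2 02 0102 c0 01 0a")
    return build_pcap([
        build_frame("10.0.0.5", "10.0.0.20", 40000, 502, modbus_write),
        build_frame("10.0.0.5", "10.0.0.20", 40001, 502, modbus_read),
        build_frame("10.0.0.5", "10.0.0.21", 40002, 102, cotp_connect),
        build_frame("10.0.0.5", "10.0.0.22", 40003, 80, b"GET / HTTP/1.0\r\n\r\n"),
    ])


if __name__ == "__main__":
    for hit in scan_pcap(build_sample_pcap()):
        print(hit)
```

Only the write request and the S7 session setup produce hits; the Modbus read and the HTTP request pass through silently. For a real file, replace `build_sample_pcap()` with `open("file.pcap", "rb").read()`; on a plant network, a `modbus_write_request` from a host that is not the engineering workstation or HMI is the event worth alerting on.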