Friday, December 28, 2012

Thursday, December 27, 2012

ICS/SCADA/PLC Google/Shodan Cheat Sheet

Trying to find SCADA/PLC/HMI in Internet?
No success?

SCADAStrangeLove strike forces to the rescue!

With our Pretty Shiny Sparkly™ ICS/SCADA/PLC Google/Shodanhq Cheat Sheet you will become real SCADAHacker and search for  SCADA with Shodan for free!
Forget about "effective" CVSS score - only Google, only hardcore! Get Siemens S7 PLCs, Scalance S, WinCC, Emerson DeltaV and Schneider Electric PowerLogic in one click!
Special #29C3 release by Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin.



Special release for 29C3.



Hope you'll find it useful.  Any feedback is highly appreciated.

Download link:

Special thanks to: Roman Ilin, Sergey Gordeychik, Ilya Karpov

Happy New Year!

Sunday, December 9, 2012

SCADA and Chaos

Our team will participate 29th Chaos Communication Congress. Sergey Gordeychik, Gleb Gritsai and  Denis Baranov will talk about our new researches in  ICS security and vulnerabilities in SCADA and PLC systems. 

Please find speech description and schedule here:

Yuri Goltsev and Segey Scherbel will drive on 29C3 $natch (Snatch) competition, real-time internet banking hacking contest. Please join and show your skills:$natch.

See you in Hambur!

PS. Full 29C3 agenda and 29C3 schedule for workshops:

Wednesday, November 28, 2012

Security of the morning calm

In early November 2012, the SCADAStrangeLove striking force was thoughtless enough to accept an offer to speak at the Power of Community (POC) conference held in Seoul, South Korea. While I am still under the impression, I want to tell you how they do security in the Land of the Morning Freshness.
Many photos are under the cut.

Wednesday, November 7, 2012

WinCC Harvester

Metasploit module for Siemens SIMATIC WinCC forensic/postexploitation.

Use WinCC MS SQL access to harvest sensitive information (users, roles, PLCs) from the database.

Copy this file to: /opt/metasploit/msf3/modules/auxiliary/admin/scada/
Use: use auxiliary/admin/scada/wincc_harvester

Thanks to Vyacheslav Egoshin, Dmitry Nagibin, Gleb Gritsai.


PLCScan the Internet

Special release for Power of Community 2012 by Dmitry Efanov: PLCScan. Feel free to contribute!

Tool for scan PLC devices over s7comm or modbus protocols.

Usage examples --timeout 2 --hosts-list hosts.txt

Link again:

Tuesday, November 6, 2012

SCADA Safety in numbers

The number of detected vulnerabilities has increased by 20 times since 2010. 
It takes more than a month to fix each fifth vulnerability.
50% of vulnerabilities allow a hacker to execute code.
There are exploits for 35% of vulnerabilities.
41% of vulnerabilities are critical.
More than 40% of systems available from the Internet can be hacked by unprofessional users.
The third part of systems available from the Internet is located in the USA.
The fourth part of vulnerabilities is related to the lack of necessary security updates.
54% and 39% of systems available from the Internet in Europe and North America respectively are vulnerable.


Thursday, September 13, 2012

All your PLC are belong to us

Siemens has published advisory “SSA-240718: Insecure storage of HTTPS CA certificate inS7-1200 V2.x”  about bug, discovered by our team. Very funny one, because PLC have built-in CA and generates valid certificates based on IP. So you can trust to CA certificate and you will have security SSL sessions with all PLCs. But as you understand all PLC have same private/public key pair for CA and private key hardcoded into firmware.
Not easy bug to fix, but we hope Siemens will do it.

Tuesday, September 11, 2012

New vulnerabilities in Siemens SIMATIC WinCC

Siemens has fixed vulnerabilities in SIMATIC WinCC 7.0 and SIMATIC PCS7 V8 discovered by SCADAStrangeLove team. There are very different one, from trivial XSS and CSRF (last one still unfixed) to arbitrary file reading and awesome username and password disclosure.
ShortList of bugs addresed in SSA-864051:

  • Lot of XSS and CSRF (CVE-2012-3031, CVE-2012-3028)
  • Lot of to arbitrary file reading (CVE-2012-3030)
  • SQL injection over SOAP (CVE-2012-3032)
  • Username and password disclosure via ActiveX abuse (CVE-2012-3034)

Thanks to Denis Baranov Sergey Bobrov, Artem Chaykin, Vladimir Kochetkov, Timur Yunusov.

Now we had more info for our speech at power of community. The world has become safer! Hurray!

Monday, July 30, 2012

Wednesday, July 25, 2012

WinCC default password: 7 years long story

Siemens recently published advisory about vulnerability in WinCC. Default hardcoded MS SQL passwords ('WinCCConnect/2WSXcder', 'WinCCAdmin/2WSXcde.')was used by StuxNet worm for infection. This vulnerability was fixed long time ago in SIMATIC WinCC V7.0 SP2 Update 1 (V Current patchlevel for WinCC is V7.0 SP3 Update 2. Looks like this is kindly reminder.
JFYI, this vulnerability wide known for 7 years from May 2005. First time it published on Siemens forum and publicly disclosed in April 2008.

Link and screenshot for history:

So correct credits for advisory: Max Prilepsky & Cyber.

PS. Mikko - perfect Cyrillic screen for you slides!

PPS. AC/DC? No way!

Tuesday, July 24, 2012

How to pwn nuclear plant with metasploit?

Mikko Hypponen wrote:

"...I received a series of emails from Iran. ... Atomic Energy Organization of Iran (AEOI)....

He wrote:

I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.

According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down...I believe it was playing 'Thunderstruck' by AC/DC...

Looks like somebody know our secret and can pwn nuclear plant with metasploit.

2 Mikko:

Mikko, we know, you likes Russian guys, but this totally different case. It's not our fault. Really.

A: No way!

Sunday, July 8, 2012

XSS in HMI? So what?

Sometimes XSS  (and other client-side) very useful! Can help to exploit server-side vulnerabilities. Operator’s browser is proxy to SCADAnet!

Question: Anybody works with SCADA and Internet using same browser?
Correct answer: Yes!

Monday, June 18, 2012

Tuesday, June 5, 2012

SSA-223158 : Multiple Security Vulnerabilities in WinCC 7.0 SP3

Our first release:

- X-Path Injection in WinCC DiagAgent and WebNavigator
- Directory Traversal in WinCC DiagAgent and WebNavigator
- Buffer overflow ain WinCC DiagAgent web server
- Reflected Cross-Site Scripting in  WinCC DiagAgent and WebNavigator

(CVE-2012-2596)  (CVE-2012-2597) (CVE-2012-2598) (CVE-2012-2595)  (CVE-2012-3003)


Monday, June 4, 2012

Thursday, May 31, 2012