GradeZero Music Band

Monday, November 11, 2013

What hack may come

Last week four members of the SCADA StrangeLove team took part in the Power of Community (POC2013) conference in Seoul, South Korea.
Alexander Timorin, Yuri Goltsev and Ilya Karpov ran the Choo Choo PWN challenge and workshop, and Sergey Gordeychik spoke on automatic exploit generation.

The Choo Choo PWN challenge was built for PHDays III, and this was the first time it was presented in Korea.

The team arrived on different planes. Sergey, who arrived earlier, spent the time teaching hacking on the street near Hacking Academia in Seoul.

Choo Choo PWN is a model of a real-world SCADA system, and we spent a lot of time preparing it for the trip. We even managed to get an awesome wooden case for the base of the model, which weighs as much as all the other parts of the testbed together. We had to do some physical exercise during the trip, but in the end the fragile ICS equipment was transported safe and sound.

We spent more than a day before the event mounting it, but it was worth it.
On the first day, Vangelis kindly gave us a timeslot to speak at POC2013 and present an overview of the ICS penetration testing and security research process.

This talk shares the SCADA StrangeLove team's experience in penetration testing in ICS environments: from the network level to applications, and from 0-day hunting to project management. Toolkit, tips and tricks, real-world examples. What you should do and what you should never do. SCADA StrangeLove hopes this talk will help you win the Choo Choo PWN prize.

During the talk we released new tools for S7, Profinet, IEC 60870-5-104 and IEC 61850-8-1, including an offline brute-force tool for S7-1500 PLC passwords.

After the talk, the challenge began. We were surprised by the large number of participants.

More than 30 people tried to hack the Choo Choo PWN testbed. At POC2013, the testbed was built on the following platforms:

•    Wonderware InTouch 10 HMI + Rockwell Allen-Bradley MicroLogix 1400 series PLC to manage the barrier and cars over the DNP3 protocol
•    WinCC Flexible 2008 + ICP DAS RTU to operate the cargo crane over Modbus TCP/UDP
•    Siemens WinCC 7 + S7-1200 PLC + Siemens SIMATIC Touch Panel KTP600 to manage the trains' speed and direction (S7 and Profinet)

Some participants learned Modbus from scratch and started to fight for control of the cargo crane. Meanwhile, Jonas Zaddach used a 0-day for the S7 PLC (found by Lucian Cojocar) to switch it into CPU Stop state, so we had a hard time recovering it.
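Modbus TCP was the easy way into the crane because the protocol carries no authentication or integrity protection: any host that can reach TCP port 502 on the RTU can read and write coils and registers with a few bytes. The following encoder/decoder is an added example, not a tool from the SCADA StrangeLove team or from this post; it builds the request frames for Write Single Coil, Write Single Register and Read Holding Registers, and decodes normal and exception replies. The sample reply bytes are constructed for illustration, and the host, unit ID and addresses in the usage are placeholders, not values from the POC2013 testbed.

```python
"""Minimal Modbus TCP frame encoder/decoder (added example, not from the original post)."""
import socket
import struct

MODBUS_TCP_PORT = 502

# Function codes handled below (Modbus application protocol spec v1.1b)
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06

EXCEPTION_NAMES = {
    0x01: "Illegal function",
    0x02: "Illegal data address",
    0x03: "Illegal data value",
    0x04: "Slave device failure",
}


def build_frame(transaction_id, unit_id, pdu):
    """Prepend the MBAP header: transaction id, protocol id (always 0), length, unit id.
    Length counts the unit id byte plus the PDU. Note there is no authentication,
    session or integrity field anywhere in the frame."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def write_single_coil(transaction_id, unit_id, address, on):
    # A coil write encodes ON as 0xFF00 and OFF as 0x0000; other values are illegal.
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, address, 0xFF00 if on else 0x0000)
    return build_frame(transaction_id, unit_id, pdu)


def write_single_register(transaction_id, unit_id, address, value):
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value & 0xFFFF)
    return build_frame(transaction_id, unit_id, pdu)


def read_holding_registers(transaction_id, unit_id, address, count):
    if not 1 <= count <= 125:
        raise ValueError("Modbus allows 1..125 registers per read")
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, address, count)
    return build_frame(transaction_id, unit_id, pdu)


def parse_response(frame):
    """Decode one Modbus TCP response into a dict. Exception replies set bit 0x80
    in the function code and carry a one-byte exception code."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("not Modbus (protocol id %d)" % protocol_id)
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length %d does not match %d PDU bytes" % (length, len(pdu)))
    function = pdu[0]
    result = {"transaction_id": transaction_id, "unit_id": unit_id}
    if function & 0x80:
        code = pdu[1]
        result.update(function=function & 0x7F, exception=code,
                      exception_name=EXCEPTION_NAMES.get(code, "Unknown"))
        return result
    result["function"] = function
    if function == FC_READ_HOLDING_REGISTERS:
        byte_count = pdu[1]
        if byte_count % 2 or len(pdu) != 2 + byte_count:
            raise ValueError("bad byte count in read reply")
        result["registers"] = list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:]))
    elif function in (FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER):
        # Write replies echo the address and value that were written.
        result["address"], result["value"] = struct.unpack(">HH", pdu[1:5])
    else:
        result["data"] = pdu[1:]
    return result


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def exchange(host, frame, port=MODBUS_TCP_PORT, timeout=3.0):
    """Send one request and parse the reply. Only for use against a testbed you own."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame)
        header = _recv_exact(sock, 7)
        length = struct.unpack(">H", header[4:6])[0]
        return parse_response(header + _recv_exact(sock, length - 1))


# Constructed sample replies (not captured from the POC2013 testbed):
SAMPLE_READ_REPLY = bytes.fromhex("0001 0000 0007 01 03 04 0000 0010")  # two registers: 0, 16
SAMPLE_EXCEPTION_REPLY = bytes.fromhex("0002 0000 0003 01 86 02")       # fc 0x06 refused: illegal address

if __name__ == "__main__":
    # Placeholder host/unit/address; the crane RTU in the post is not at this address.
    print(write_single_coil(1, 1, 0, True).hex())
    print(parse_response(SAMPLE_READ_REPLY))
    print(parse_response(SAMPLE_EXCEPTION_REPLY))
    # exchange("192.0.2.10", write_single_register(2, 1, 0x0010, 0x1234))
```

The point the frames make is that the whole "attack" is 12 bytes on the wire with nothing to forge: whoever is on the segment is an operator. Detecting this in practice means baselining which hosts issue write function codes (0x05, 0x06, 0x0F, 0x10) to each unit ID and alerting on any new writer, since the protocol itself cannot tell them apart.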

During the challenge we had some language problems until Paul Kwon joined us to help with Korean.

Paul helped us give an interview to DailySecu, a Korean security media outlet.

Alex and Sergey also shared with DailySecu readers how they got into the security industry.

On the second day, our participants switched from piece-of-cake Modbus to S7 and WinCC. Jenny Kim from Japan and Chin Bin In dissected the S7 protocol structure and prepared a kind of blind fuzzer for tags. Jenny also managed to get shell access on the WinCC box.

In the end we had 6 winners of Choo Choo PWN at #POC2013:

1.    Lim Jung Won (Modbus)
2.    Hee-chan Lee and Eun-chang Lee  (Modbus)
3.    Jenny Kim (S7 protocol and WinCC SCADA)
4.    Chin Bin In (S7 protocol and WinCC SCADA)
5.    Grace Kim (S7 protocol)
6.    Special prize: Jonas Zaddach and Co (S7-1200 PLC DoS)

On the second day, Sergey and Alexey Moskvin spoke about automatic exploit generation for application source code analysis. It sounds like magic, and it actually is magic!

The algorithm is full of hardcore mathematics, so Sergey had to wear a tie to look like a professor.

During POC2013, the Power of XX CTF challenge was held. Power of XX is a hacking contest for WOMEN ONLY, hosted by SISS (Sookmyung Information Security Study) and Hackerschool as an event at POC2013. Power of XX is an event where women interested in hacking and information security gather, share knowledge on information security, and showcase defense strategies against hacking.
Team SecurityFirst won the challenge and got the prize. The team will proceed to the PHDays IV CTF without a qualification round.

After the event we joined Drinking Hell, and it looked like Yury and Alexander shared the victory with Hugo Fortier (@hugofortier) from the Recon conference.

The conference was awesome and very well organized, but because we had to operate Choo Choo PWN we were not able to attend all the good talks. We hope the organizers will share the slides and videos.

Thanks everybody and see you!

PS. POC 2012 review

1 comment:

  1. Really, it was good news for ICS SCADA security. I am a bit relaxed after reading your post. Thanks for sharing.