Professional Documents
Culture Documents
SCADA Hacking (PDFDrive)
SCADA Hacking (PDFDrive)
Presented by:
Francis Brown
Bishop Fox, LLC
www.bishopfox.com
Agenda
OVERVIEW
• Introduction/Background
• Defenses
2
Introduction/Background
G E T T I N G UP T O S P E E D
3
Stuxnet Virus
BORN IN THE U.S.A. Jun 2010
4
SCADA Vulnerabilities
EXPLOIT RELEASES Jan 2012
5
SCADA Vulnerabilities
MAJOR SCADA VENDORS Jan 2012
6
SCADA Vulnerabilities
EXPLOIT RELEASES Jan 2012
7
Project Basecamp
SCADA VULNERABILITIES
Jan 2012
8
SCADA Vulnerabilities
MASS TARGETING Jan 2012
9
San Diego Blackout
PHYSICAL SAFEGUARDS FAIL
10
Electric Grid Blues
WHEN THE LIGHTS GO OUT May 2013
11
Electric Grid Blues
WHEN THE LIGHTS GO OUT May 2013
12
Iran Hacker Threat
RETURN FIRE May 2013
13
Targeting SCADA Systems
T RY N O T T O T RI P O V E R A L L T H E S Y S T E M S
14
Diggity Tools
SEARCH ENGINE HACKING
15
Google Diggity
DIGGITY CORE TOOLS
16
SCADA and Google
GOOGLE HACKING
17
SCADA and Google
GOOGLE HACKING
18
Bing Diggity
DIGGITY CORE TOOLS
19
SCADA and Bing
BING HACKING
20
NEW GOOGLE HACKING TOOLS
SHODAN Diggity
21
SHODAN Popularity
MASS TARGETING OF SCADA
22
SHODAN
HACKER SEARCH ENGINE
• Indexed service banners for whole Internet for HTTP (Port 80), as well
as some FTP (21), SSH (22) and Telnet (23) services
23
SHODAN
FINDING SCADA SYSTEMS
24
SHODAN Diggity
FINDING SCADA SYSTEMS
25
Target SCADA
CRITICAL INFRASTRUCTURE SECURITY
26
Target SCADA
CRITICAL INFRASTRUCTURE SECURITY
27
ADVANCED DEFENSE TOOLS
SHODAN Alerts
28
SHODAN Alerts
SHODAN RSS FEEDS
29
Internet Census 2012
NMAP OF ENTIRE INTERNET
• ~420k botnet used to perform NMAP against entire IPv4 addr space!
• ICMP sweeps, SYN scans, Reverse DNS, and Service probes of 662 ports
• Free torrent of 568GB of NMAP results (9TB decompressed NMAP results)
30
HD’s Serial Offenders
DATA MINING CENSUS
31
HD’s Serial Offenders
DATA MINING CENSUS
32
SNMP Scan for SCADA
SCANNING FOR SCADA
33
Internet Census 2012
SNMP RESULTS
34
Internet Census 2012
SNMP RESULTS
35
Internet Census 2012
SNMP RESULTS
36
Port Scanning for SCADA
SCANNING FOR SCADA
37
Port Scanning for SCADA
SCANNING FOR SCADA
38
Metasploit’n Scada
POINT N CLICK SCARY
39
Metasploit’n Scada
POINT N CLICK SCARY
40
Metasploit’n Scada
POINT N CLICK SCARY
41
Metasploit’n Scada
POINT N CLICK SCARY
42
Metasploit’n Scada
POINT N CLICK SCARY
43
Metasploit’n Scada
POINT N CLICK SCARY
44
Metasploit’n Scada
POINT N CLICK SCARY
45
Metasploit’n Scada
POINT N CLICK SCARY
46
Default Passwords
SCADA PASSWORD ATTACKS
47
Hard Coded Passwds
SCADA PASSWORD ATTACKS
48
Passwd Bruteforcing
SCADA PASSWORD ATTACKS
49
Passwd Bruteforcing
SCADA PASSWORD ATTACKS
50
Password Cracking
SCADA PASSWORD ATTACKS
51
Password Cracking
SCADA PASSWORD ATTACKS
52
Wireless Attacks
SCADA WIRELESS ATTACKS
53
TOOLS
54
Badge Basics
Name Frequency Distance
Low Fequency (LF) 120kHz – 140kHz <3ft (Commonly under 1.5ft)
High Frequency (HF) 13.56MHz 3-10 ft
Ultra-High-Frequency (UHF) 860-960MHz (Regional) ~30ft
55
Typical Attack
A$$ GRABBING METHOD
56
Programmable Cards
Cloning to T55x7 Card using Proxmark 3
• HID Prox Cloning – example:
57
Pwn Plug
MAINTAINING ACCESS
Defenses
P RO T E CT YO N E CK
59
Defenses
SCADA PROTECTION
60
Defenses
SCADA PROTECTION
Snort and SCADA
61
Defenses
SCADA PROTECTION
62
Defenses
SCADA PROTECTION
NIST and other guidance docs:
63
Thank You
Bishop Fox
www.bishopfox.com
64