PLC's / Control Networks Info


SamoletMaj

Newbie

Posts: 8

Joined: Sun Jun 03, 2012 11:02 am

Post Mon Jun 25, 2012 2:24 pm

PLC's / Control Networks Info

Hello there Gents...

I am new to the business and I am looking to gain some knowledge specifically about exploiting PLCs and industrial control networks. I am a PLC programmer in the control systems industry and I have been tasked with identifying/exploiting vulnerabilities in our control systems.

I have already discovered several problems mainly dealing with UDP communication protocols.

I want to dig deeper and focus on two things: buffer overflows on PLCs and exploits regarding crafting EIP/CIP (EtherNet/IP) messages.

What books/reading in general would you recommend? Any suggestions are welcome.

Thanks!

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Jun 25, 2012 4:03 pm

Re: PLC's / Control Networks Info

In my experience you don't even need to go after the PLCs. The operating systems are typically so out of date and missing patches that exploitation is usually pretty trivial. Also, if you can pop the box that manages the PLCs, you own everything.

Also, about 5 years ago when PLC manufacturers started adding web servers and SNMP to their devices, they almost never password protected them or used hardcoded passwords/SNMP strings.

Finally, simple ARP spoofing will usually yield tons of clear text passwords since most comm protocols are still Modbus over TCP or Telnet. As far as crafting CIP messages, I've never needed to do that. Total domination on ICS is usually less than a day's work.

I have this book, and it is OK, not great: http://www.amazon.com/Industrial-Networ ... k+security

SamoletMaj

Newbie

Posts: 8

Joined: Sun Jun 03, 2012 11:02 am

Post Tue Jun 26, 2012 8:05 am

Re: PLC's / Control Networks Info

I completely agree. Part of my testing is with the SCADA, which includes the PCs, and yes, it was ridiculously easy, so I am drafting some action plans to patch those up.

And you are correct on the clear text also; I found some via UDP.

All that being said, I want to push the envelope a bit more and I want to learn, or at least educate myself, on attacking the PLCs directly. Apart from the comms protocol, FTP is the only thing open on the controllers, no SNMP, and Ethernet/IP (CIP) is the protocol of choice.

I will look at the book you recommended. Thanks!

Any ideas on what would be good reading in terms of the controller hardware side? I can't find anything online.

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Jun 26, 2012 8:19 am

Re: PLC's / Control Networks Info

Aside from an Allen-Bradley manual, not really sure what to read from the hardware side. However, you might want to search on Embedded Device Hacking or Firmware Hacking.

Just reading some of the spec on CIP (couldn't find an RFC; looks to be a manufacturer-created protocol?), two things jump out:

- Transfer of basic I/O data via User Datagram Protocol (UDP)-based implicit messaging
- Uploading and downloading of parameters, setpoints, programs and recipes via TCP (i.e., explicit messaging)

Obvious UDP security issues with the first bullet: spoofing, etc.

The second bullet is very interesting. I suspect if you fiddled with the values in those packets you might be able to get the PLCs to crash, which might mean exploitation is possible. I doubt they have much bounds checking implemented, especially if they are old. It would seem the most malicious of intent would want to exploit this, because success equals changing values or device compromise. I'm totally speculating on this attack vector, but it might be worth a look.

The hardest part would be debugging the crash. It's not like you could just open Immunity and debug the crashes. This part is out of my league.

Looks like there has already been some work done here:
http://www.digitalbond.com/tools/baseca ... t-modules/
http://www.digitalbond.com/tools/baseca ... trollogix/
Last edited by cd1zz on Tue Jun 26, 2012 8:24 am, edited 1 time in total.
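An added example, not code from this thread, from Digital Bond or from any PLC vendor: the bounds check cd1zz suspects is missing, written as a defensive Python decoder for the 24-byte EtherNet/IP encapsulation header (the framing that carries explicit messaging on TCP/44818). It validates the length field against the bytes actually received before slicing the data, which is also the check a passive monitoring sensor would apply to flag malformed packets. The command codes and the fixed data sizes of RegisterSession/UnRegisterSession are taken from the EtherNet/IP specification as I recall it; `parse_encapsulation`, `classify` and `build` are names chosen here, and the sample packets are constructed inline.

```python
import struct
from dataclasses import dataclass

# EtherNet/IP encapsulation header (24 bytes, little-endian):
# command, length, session handle, status, sender context (8 bytes), options
ENCAP_HEADER = struct.Struct("<HHII8sI")
HEADER_LEN = ENCAP_HEADER.size  # 24

# Encapsulation command codes from the EtherNet/IP specification.
COMMAND_NAMES = {
    0x0000: "NOP", 0x0004: "ListServices", 0x0063: "ListIdentity",
    0x0064: "ListInterfaces", 0x0065: "RegisterSession",
    0x0066: "UnRegisterSession", 0x006F: "SendRRData", 0x0070: "SendUnitData",
}
# Commands whose command-specific data has a fixed size (assumed from the spec:
# RegisterSession = protocol version + option flags, UnRegisterSession = none).
FIXED_DATA_LEN = {0x0065: 4, 0x0066: 0}

@dataclass
class Encapsulation:
    command: int
    session: int
    status: int
    options: int
    data: bytes

def parse_encapsulation(packet: bytes) -> Encapsulation:
    """Decode one encapsulation packet without trusting its length field."""
    if len(packet) < HEADER_LEN:
        raise ValueError(f"truncated header: {len(packet)} < {HEADER_LEN} bytes")
    command, length, session, status, _context, options = ENCAP_HEADER.unpack_from(packet)
    available = len(packet) - HEADER_LEN
    # The bounds check: a length field larger than what actually arrived must never
    # be used to size a copy or a read; reject the packet instead.
    if length > available:
        raise ValueError(f"length field {length} exceeds {available} bytes received")
    if command not in COMMAND_NAMES:
        raise ValueError(f"unknown command 0x{command:04x}")
    if command in FIXED_DATA_LEN and length != FIXED_DATA_LEN[command]:
        raise ValueError(f"{COMMAND_NAMES[command]} expects "
                         f"{FIXED_DATA_LEN[command]} data bytes, got {length}")
    return Encapsulation(command, session, status, options,
                         packet[HEADER_LEN:HEADER_LEN + length])

def classify(packet: bytes) -> str:
    """Sensor-style verdict: 'ok <command>' or 'reject: <reason>'."""
    try:
        return "ok " + COMMAND_NAMES[parse_encapsulation(packet).command]
    except ValueError as exc:
        return f"reject: {exc}"

def build(command: int, data: bytes, session: int = 0) -> bytes:
    """Construct a well-formed packet (used only for the samples below)."""
    return ENCAP_HEADER.pack(command, len(data), session, 0, b"\0" * 8, 0) + data

# Constructed samples: a valid RegisterSession request (protocol version 1,
# option flags 0) and the same packet with its length field forged to 0xFFFF.
GOOD_REGISTER = build(0x0065, struct.pack("<HH", 1, 0))
BAD_LENGTH = GOOD_REGISTER[:2] + struct.pack("<H", 0xFFFF) + GOOD_REGISTER[4:]
```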

SamoletMaj

Newbie

Posts: 8

Joined: Sun Jun 03, 2012 11:02 am

Post Fri Jul 13, 2012 9:11 am

Re: PLC's / Control Networks Info

Well, I went the UDP route and wow... let's just say I have my work cut out trying to secure the control system against fairly simple attacks.

And I'm also proud to say I wrote my first Metasploit module in Ruby :D

The only built-in security options on the controller are basically to write-protect the entire thing, which turns into an admin nightmare in order to do software updates remotely, or to restrict rights based on IPs. However, a simple sniff and spoof would defeat that.
