Enumerating and Validating ICS Devices SCADA and Control Systems Security Group (SCADASEC) Findings 2010 Applied Control Systems (ACS) Conference September 20-23, 2010 Bob Radvanovsky, CIFI, CISM, CIPS Jacob Brodsky, PE Creative Commons License v3.0. 1
Jun 14, 2015

Page 1: ACS-2010

Enumerating and Validating ICS Devices

SCADA and Control Systems Security Group (SCADASEC) Findings 2010 Applied Control Systems (ACS) Conference September 20-23, 2010

Bob Radvanovsky, CIFI, CISM, CIPS Jacob Brodsky, PE

Creative Commons License v3.0.

Page 2: ACS-2010

Who and what is “Infracritical”?

• Leading industry and business in Critical Infrastructure Protection (CIP).

– Provides guidance and direction to both public and private sectors through information sharing and ‘best practices’.

– Established open public discussion forums on current and relevant topics and affairs.

– Defines strategic vision of ‘future thought’ in infrastructure development and support.

• Liaises between government and industry strategies.

• Sponsor and founder of the SCADASEC e-mail list.


Page 3: ACS-2010

Presentation Agenda

• Outline results from ‘The Gathering’ (May 2010).

• Reasons for having ‘The Gathering’.

• Latest projects:

– Enumerate and validate industrial automation/control systems devices (fingerprint).

– Catalog based on genus, manufacturing type, make, model, and results found into a centralized data repository.

– Allow for variances of information found ‘in the wild’.

– Enumeration is performed using ‘open source’ security tools.

– Currently performing validation tests against the Hirschmann ICS firewall (Hirschmann EAGLE TX/TX).

Page 4: ACS-2010

Outline Results from ‘The Gathering’ (May 2010)

• Established in May 2010, ‘The Gathering’ provided a common ground for representation from commercial interests, academia and law enforcement.

• Discussed security concepts, issues and vulnerabilities with ICS equipment that was brought and shared.

• Discussed and shared engineering methods to improve performance of said equipment, both operationally and securely.


Page 5: ACS-2010

Reasons for Having ‘The Gathering’

• Need based on a “show ‘n tell” principle.

• Allows participants to see, work with and handle ICS equipment they would otherwise have no access to.

• Allows participants to share ideas, concepts and ideologies.

• Discuss methods of improving the performance of the shared ICS equipment.

• Write recommendations for manufacturers.


Page 6: ACS-2010

Other Discoveries

• We are limiting public discussion on these discoveries.

• Schweitzer SEL-3620:

– SSL interface survived the overnight assault from the Mu Dynamics fuzzer device.

– No problems found.

• Another popular industrial switch TELNET interface:

– 158 problems found.

• Write recommendations for manufacturers.


Page 7: ACS-2010

Project ‘Enlightenment’

• Validate CSET/CS2SAT network maps.

• Develop and exercise controlled methods of enumerating ICS equipment and appliances.

• Acquire intelligence from ICS equipment supplied from ICS owner-operators and private donators.

• Enumerate through several methods:

– IT protocols: HTTP/HTTPS, SSH, SSL certificates, SNMP, etc.

– control system protocols: Modbus, Profibus, DNP, EthernetIP, etc.

Page 8: ACS-2010

Project ‘NINJA’ (Network INtelligence Joint Analysis)

• Catalog intelligence acquired from ‘The Gatherings’ and from ‘Enlightenment’.

• Centralize data repository for public viewing (vetted).

• Provide sensitive intelligence for dissemination through encrypted methods.

– encrypted email (automatic)

– encrypted web portal(s)

• Website: www.thinklikeninja.com


Page 9: ACS-2010

Current Enumeration: Hirschmann EAGLE TX/TX


• One of the more recognized industrial automation firewalls.

• Hirschmann Automation and Control (HAC) GmbH acquired by Belden Inc. (formerly Belden Wire & Cable, Inc.) in 2007.

• Hirschmann EAGLE and EAGLE mGuard firewalls’ software written by Innominate Security Technologies.

• Innominate Security Technologies acquired by Phoenix Contacts, Inc. in 2008.

(Image: the actual model of the device tested.)

Page 10: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall


• Actual software from Hirschmann ICS firewall was written by Innominate Security Technologies.

• Software from Innominate can interchangeably be used between Hirschmann and Innominate versions.

• Software and firmware would be synchronized.

• Software after v4.2.3 required a ‘license upgrade’ (even though we had updates up to v7.0.1).

• Firmware after v4.2.3 had similar requirements.

Page 11: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall


(Image: actual ICS screenshot.)

• Tests were performed against two (2) firewalls.

• Firewall #1: Innominate

• Firewall #2: Hirschmann

Page 12: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall


• F/W v3.0.1 (and including v3.1.1) caused ARP tables to be dropped during ‘normal’ port scans, requiring multiple attempts to connect to the firewall.

• F/W v4.0.4 (and higher) did not drop ARP tables.

• However, F/W v4.0.4, when subjected to a vulnerability scan, produced inconsistent fingerprinting results; in most cases, no fingerprint at all.

• NMAP (as of v5.35DC1) thinks Hirschmann is a wireless access point / wireless router.

Page 13: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall


Partial output is from the following syntax: nmap -sS -v -O 1.1.1.1 -T3 -PN -v

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-16 19:15 CDT
Device type: WAP|specialized|print server|storage-misc|general purpose|broadband router|firewall
Running (JUST GUESSING) : Linux 2.4.X|2.6.X (98%), HP embedded (94%), Netgear RAIDiator 4.X (94%), MontaVista Linux 2.4.X (94%), Actiontec embedded (93%), Fortinet embedded (91%), Google embedded (91%)
OS fingerprint not ideal because: Timing level 3 (Normal) used
Aggressive OS guesses: DD-WRT v23 (Linux 2.4.36) (98%), Linux 2.4.21 (embedded) (95%), DD-WRT v23 (Linux 2.4.34) (95%), HP 4200 PSA (Print Server Appliance) model J4117A (94%), Netgear ReadyNAS Duo NAS device (RAIDiator 4.1.4) (94%), MontaVista embedded Linux 2.4.17 (94%), Actiontec GT701 DSL modem (93%), Linux 2.4.20 (92%), Fortinet FortiGate-60B or -100A firewall (91%), Google Mini search appliance (91%)
No exact OS matches for host (test conditions non-ideal).

Page 14: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall


• Ports open on INTERNAL network interface include:

– 22 (SSH), 53 (DNS), 443 (HTTPS) and 1720 (H.323)

• Enumeration utilized for the device included testing from:

– SNMP and HTTPS connections

– Enumeration method utilizes an ‘open source’ tool.

– One tool that will be heavily utilized is NMAP v5 (and newer).

– NMAP (as of Version 4) allows integration of a scripting language.

– The NMAP Scripting Engine (NSE) uses the Lua language (www.lua.org) and tailors the code (www.nmap.org/nsedoc).

– Over 150 (and growing) common scripts available from Insecure.

Page 15: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall


• During one vulnerability scan, NMAP had difficulties fingerprinting its operating system (it is running an embedded Linux v2.4.36).

• Device is currently available for evaluation for the general public.

• Access has been granted to the INTERNAL network interface.

• Use the command-line (CLI) version of NMAP; the Mac and UNIX/Linux versions appear to work better with NSE scripts.

• Script written specifically for enumerating the Hirschmann.

• Script is currently in ‘draft mode’, and is being finalized.

• Current version of enumeration script is ‘mguard-10091201.nse’.

Page 16: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall


If the Hirschmann EAGLE mGuard TX/TX enumeration script is utilized, output will look something like this:

# nmap --script=./mguard-10091201.nse 1.1.1.1 -PN

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 12:48 CDT
Nmap scan report for xxx (1.1.1.1)
Host is up (0.0096s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
443/tcp open https
| mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
| ** IF YOU REQUIRE MORE INFO, USE THE "-v" OPTION
| ............Flash ID : 420401db459c83e7
|_............Manufacturer of device : Hirschmann
1720/tcp filtered H.323/Q.931

Nmap done: 1 IP address (1 host up) scanned in 2.62 seconds

NOTE the Flash ID number; the ID is obtained from the SSL certificate.

Page 17: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall


If the verbose feature of the Hirschmann EAGLE mGuard TX/TX enumeration script is utilized:

# nmap --script=./mguard-10091201.nse 1.1.1.1 -PN -v

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 10:24 PDT
NSE: Loaded 1 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 10:24
Completed Parallel DNS resolution of 1 host. at 10:24, 0.06s elapsed
Initiating Connect Scan at 10:24
Scanning xxxx (1.1.1.1) [1000 ports]
Discovered open port 53/tcp on 1.1.1.1
Discovered open port 22/tcp on 1.1.1.1
Discovered open port 443/tcp on 1.1.1.1
Completed Connect Scan at 10:24, 5.62s elapsed (1000 total ports)
NSE: Script scanning 1.1.1.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:24
Completed NSE at 10:25, 6.06s elapsed
...

Page 18: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall


(continued from p.17)

Nmap scan report for xxx (1.1.1.1)
Host is up (0.096s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open https
| mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
| ** PHASE 1: TLS/SSL certificate verification
| ....Step 1: SSL certificate info : CONFIRMED
| ....Step 2: SSL certificate MD5 hash information
| ............Flash ID : 420401db459c83e7
| ............Organization name : Hirschmann Automation and Control GmbH
| ............SSL certificate MD5 : c93063872150383b879a69f65ab6d7e5
| ............SSL certificate version: 4.2.1 or newer

Page 19: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall


(continued from p.18)

| ** PHASE 2: File presence verification
| ....Step 1: Existence of "/favicon.ico"
| ............File favicon.ico MD5 : 7449c1f67008cc3bfabbc8f885712207
| ............Server type/version : 4.2.1 or newer
| ....Step 2: Existence of "/gai.js"
| ............File gai.js MD5 : e7696a86648dcdb6efb2e497e5a8616b
| ............Server type/version : 4.2.1
| ....Step 3: Existence of "/style.css"
| ............File style.css MD5 : d71581409253d54902bea82107a1abb2
| ............Server type/version : 4.2.1
| ** PHASE 3: HTML pattern matching verification
| ....Step 1: Confirmation of HTML code per version
| ............HTML code verified : CONFIRMED
| ............HTML code variant : Hirschmann
| ....Step 2: Confirmation web server verification
| ............Web server verified : CONFIRMED
| ............Web server name/type : fnord
| ............Web server version : 1.6

Page 20: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall


(continued from p.19)

| ** PHASE 4: Documentation
| ....Step 1: Documentation exist? : YES
|.............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_BAT54_SW_Rel754_en.pdf
|_............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_EAGLE_401_EN.pdf

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds
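The per-host output shown on pages 18 to 20 is regular enough to be consumed by a program, which is what turns a one-off enumeration into the inventory validation Project ‘Enlightenment’ describes (checking a CSET/CS2SAT network map against what the devices actually are). The Python below is an added example, not the SCADASEC NSE script and not part of the presentation: it parses the ‘|’ lines of the script output into phases, certificate fields and per-file hashes, then compares them with an inventory record. The sample output is a constructed copy of the slides’ own values; the InventoryRecord structure, its field names and the expected values are assumptions made for this example.

```python
# Added example: parse 'mguard-10091201' NSE output (format as on slides 18-20)
# and check the fingerprint against an asset-inventory record. Not the
# SCADASEC script; InventoryRecord is this example's own structure.
import re
from dataclasses import dataclass

# Constructed copy of the script's per-host output, using the slides' values.
SAMPLE_NSE_OUTPUT = """\
| mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
| ** PHASE 1: TLS/SSL certificate verification
| ....Step 1: SSL certificate info : CONFIRMED
| ....Step 2: SSL certificate MD5 hash information
| ............Flash ID : 420401db459c83e7
| ............Organization name : Hirschmann Automation and Control GmbH
| ............SSL certificate MD5 : c93063872150383b879a69f65ab6d7e5
| ............SSL certificate version: 4.2.1 or newer
| ** PHASE 2: File presence verification
| ....Step 1: Existence of "/favicon.ico"
| ............File favicon.ico MD5 : 7449c1f67008cc3bfabbc8f885712207
| ............Server type/version : 4.2.1 or newer
| ....Step 2: Existence of "/gai.js"
| ............File gai.js MD5 : e7696a86648dcdb6efb2e497e5a8616b
| ............Server type/version : 4.2.1
| ....Step 3: Existence of "/style.css"
| ............File style.css MD5 : d71581409253d54902bea82107a1abb2
| ............Server type/version : 4.2.1
| ** PHASE 3: HTML pattern matching verification
| ....Step 1: Confirmation of HTML code per version
| ............HTML code verified : CONFIRMED
| ............HTML code variant : Hirschmann
| ....Step 2: Confirmation web server verification
| ............Web server verified : CONFIRMED
| ............Web server name/type : fnord
|_............Web server version : 1.6
"""

PHASE_RE = re.compile(r"\*\*\s*PHASE\s+(\d+):\s*(.+)")
STEP_RE = re.compile(r"Step\s+\d+:\s*(.*)")
EXISTS_RE = re.compile(r'Existence of "/(.+)"')


def parse_nse_output(text):
    """Return {'phases': [(n, title)], 'fields': {key: value},
    'files': {name: {'md5': ..., 'version': ...}}} from the '|' lines."""
    fp = {"phases": [], "fields": {}, "files": {}}
    current_file = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue                      # port table, Nmap banner, etc.
        body = line.lstrip("|_").strip()
        phase = PHASE_RE.match(body)
        if phase:
            fp["phases"].append((int(phase.group(1)), phase.group(2).strip()))
            current_file = None           # a file block never spans phases
            continue
        body = body.lstrip(".").strip()   # drop the dotted indentation
        step = STEP_RE.match(body)
        if step:
            body = step.group(1).strip()
        exists = EXISTS_RE.match(body)
        if exists:                        # 'Existence of "/x"' opens a file block
            current_file = exists.group(1)
            fp["files"].setdefault(current_file, {})
            continue
        if ":" not in body:
            continue                      # informational line, no value
        key, _, val = body.rpartition(":")
        key, val = key.strip(), val.strip()
        if current_file is not None:      # per-file hash and version
            if key.startswith("File ") and key.endswith(" MD5"):
                fp["files"][current_file]["md5"] = val
            elif key == "Server type/version":
                fp["files"][current_file]["version"] = val
            continue
        fp["fields"][key] = val
    return fp


@dataclass(frozen=True)
class InventoryRecord:
    """What the asset map says the host should be (example's own structure)."""
    host: str
    vendor: str            # expected organization in the TLS certificate
    flash_id: str          # expected per-unit Flash ID
    software_version: str  # expected running version, e.g. "4.2.1"


def validate_against_inventory(fp, record):
    """Return the list of discrepancies between fingerprint and record."""
    findings = []
    fields = fp["fields"]
    if fields.get("SSL certificate info") != "CONFIRMED":
        findings.append("certificate phase did not confirm the device")
    org = fields.get("Organization name", "")
    if record.vendor.lower() not in org.lower():
        findings.append(f"vendor mismatch: map {record.vendor!r}, certificate {org!r}")
    seen = fields.get("Flash ID")
    if seen != record.flash_id:
        findings.append(f"Flash ID mismatch: map {record.flash_id}, device {seen}")
    for name, info in fp["files"].items():
        ver = info.get("version")
        if ver is not None and not ver.startswith(record.software_version):
            findings.append(f"{name}: fingerprint {ver!r}, map {record.software_version!r}")
    return findings
```

Run over the sample with a record that matches the slides (vendor Hirschmann, the Flash ID above, version 4.2.1) the validator returns no findings; a record carrying a different Flash ID or an older expected version produces one finding per mismatched attribute, which is the list an operator would review against the network map.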

Page 21: ACS-2010

Hirschmann Enumeration: Discoveries Found with Firewall

The following is a sample taken from the startup log while connected to the console:

...
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/i2c/i2c-adap-ixp425.o
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/max6625.o
Warning: loading max6625 will taint the kernel: non-GPL license - Proprietary
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/power.o
Warning: loading power will taint the kernel: non-GPL license - Proprietary
Eagle: PHY sysctl directory registered.
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
...

Thoughts about this?

Page 22: ACS-2010

Hirschmann Enumeration: Summary of the Unit


• This unit allows the secured side to configure the firewall.

– Vulnerable to cross-site scripting (XSS) and session hijacking.

– Malware that gets inside secured networks can still cause damage.

– Other propagation methods for malware include USB, VLAN attacks/mistakes, operator errors, crossed cables, etc.

– Out-of-band command of the firewall is needed.

• Licensing problems could make unit a deliberate target.

• ARP table ought to have a hard-wired option.

• Not a stateful firewall; not aware of industrial protocols.

Page 23: ACS-2010

One More Thing… Interesting Coincidence?


• At the time of writing this presentation, the firewall was probed from several IP addresses from China; one of them is shown below:

2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast address from master interface
2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.

• Here’s the WHOIS information for this IP address:

inetnum: 202.116.160.0 - 202.116.175.255
netname: SCAU-CN
descr: ~{;*DOE)R54sQ'~}
descr: South China Agricultural University
descr: Guangzhou, Guangdong 510642, China
country: CN
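The probe above was spotted by reading the console log by hand; the same evidence can be pulled out mechanically. The Python below is an added example, not part of the presentation: it parses syslog lines in the exact format printed on this slide, reports SSH connections that opened without the client ever sending its banner (OpenSSH logs this as “Did not receive identification string”, which is what a port scan or banner grab leaves behind) from sources outside an allow-list, and counts lines whose timestamp shows the unit’s clock was never set (the 2000-01-01 dates above), since such timestamps cannot be correlated with other evidence until the clock offset is established. The log sample is a constructed copy of the slide’s lines; the allow-list networks are assumptions.

```python
# Added example: triage mGuard console/syslog lines (format as on slide 23)
# for bannerless SSH connections from unexpected sources. Not from the
# presentation; the allow-list networks are constructed for the demo.
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed copy of the slide's log excerpt, with wrapped lines re-joined.
SAMPLE_LOG = """\
2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast address from master interface
2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
"""

# <high-res timestamp> <facility>.<severity>: <BSD syslog date> <prog>[pid]: <msg>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+):\s+"
    r"[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
# OpenSSH logs this when a TCP client connects and never sends its banner.
NO_BANNER_RE = re.compile(
    r"Did not receive identification string from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line):
    """Parse one syslog line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d_%H:%M:%S.%f")
    return {
        "ts": ts,
        "facility": m["facility"],
        "severity": m["severity"],
        "prog": m["prog"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
        # A unit whose real-time clock was never set boots into 2000-01-01;
        # such timestamps need an offset before they can be correlated.
        "clock_suspect": ts.year <= 2000,
    }


def ssh_probe_report(log_text, allowed_networks):
    """Count bannerless SSH connections per source outside the allow-list."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    report = {"parsed": 0, "clock_suspect_lines": 0, "unexpected_sources": Counter()}
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        report["parsed"] += 1
        if event["clock_suspect"]:
            report["clock_suspect_lines"] += 1
        if event["prog"] != "sshd":
            continue
        m = NO_BANNER_RE.search(event["msg"])
        if m is None:
            continue
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in allowed):
            report["unexpected_sources"][str(src)] += 1
    return report


if __name__ == "__main__":
    rep = ssh_probe_report(SAMPLE_LOG, ["10.0.0.0/8", "192.168.0.0/16"])
    print(f"{rep['parsed']} lines parsed, {rep['clock_suspect_lines']} with unset clock")
    for ip, n in rep["unexpected_sources"].most_common():
        print(f"bannerless SSH connection(s) from {ip}: {n}")
```

With an allow-list of private ranges, the sample yields one unexpected source (202.116.160.75) and flags all four lines as carrying an unset-clock timestamp; widening the allow-list to the WHOIS range shown on the slide suppresses the source, which is how an operator would distinguish a known management network from outside probing.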

Page 24: ACS-2010

Next Gathering:


• Mu Dynamics has been very supportive.

• Location and time:

– SCADA CYBER SECURITY WORKSHOP, November 3-4, 2010, Southern Methodist University, Dallas, TX

– http://www.nacmast.com/scada-workshop-registration

• Continue “Enlightenment” and “NINJA” programs.

• Introduce and educate next generation of SCADA security specialists.

• Gather data on other user-provided devices.

• Work on CSET validation software.

• Discuss theoretical and practical issues with devices we test.

Page 25: ACS-2010

Conclusion


• Combining ‘The Gatherings’ with the intelligence gathered through enumeration and validation tests, we feel that there is more to come … much more.

• So far, we have a small suite of scripts for the following:

– Hirschmann Automation Control GmbH (HAC)

– Allen-Bradley (aka Rockwell)

– Rockwell Automation

– Siemens

– Electro Industries / Gaugetech (EIG)

Page 26: ACS-2010

Questions?

Bob Radvanovsky, (630) 673-7740
[email protected]

Jacob Brodsky, (443) 285-3514
[email protected]

Creative Commons License v3.0.