Information Gathering

Information gathering is one of the most important stages of an attack on a network system. It is about collecting as much basic information about the target system as possible: the more information you gather, the higher the probability of a successful attack.

more information => higher probability of a successful attack

One way to gather information about a target system or network is open service information gathering: querying the services a host exposes and recording what they disclose about themselves. In the following I introduce an HTTP fingerprinting technique that identifies SCADA/ICS devices from the information their open web services disclose.

HTTP Fingerprinting

Knowing the type or version of a running open service is crucial information for an attacker or penetration tester, because it allows known vulnerabilities and available exploits to be looked up. For that reason, fingerprinting exposed industrial devices by their front-ends and server-side components through application-level protocols is one of the most popular remote attack vectors on SCADA/ICS systems.

One fingerprinting technique is sending HTTP requests to the target web server and examining the response. This technique is referred to as HTTP fingerprinting. Many industrial devices have a web server onboard, so they can be fingerprinted from the server's HTTP response.

In order to send an HTTP request you can use the netcat (or nc) Unix utility. Netcat establishes a TCP connection to a server listening on the passed address and port, forwards whatever it reads on standard input, and prints what the server sends back. In our example, the GET request is piped into netcat, which connects to the server in our local network listening on 192.168.170.35, port 80. The request is terminated by an empty line; HTTP specifies CRLF line endings, although most servers also accept bare LF.

$ printf 'GET / HTTP/1.0\r\n\r\n' | nc 192.168.170.35 80

An example HTTP response message looks like this:

HTTP/1.1 200 OK
Server: CIMPLICITY-HttpSvr/1.0
Date: Sat, 14 Feb 2015 17:47:58 GMT
Cache-Control: no-cache, max-age=0, must-revalidate
Content-Type: text/html
Content-Length: 779
Location: /Default.aspx

As you can see, information about an industrial device is revealed in the signature Server: CIMPLICITY-HttpSvr/1.0. To show how important this little piece of text can be, let's follow the example further.

The next step is to find out more about the signature Server: CIMPLICITY-HttpSvr/1.0. Basic information such as the vendor and the product name is easy to find, and search engines are a perfect resource for that.

Signature                  Product Vendor             Product Name
CIMPLICITY-HttpSvr/1.0     GE Intelligent Platforms   Proficy HMI/SCADA CIMPLICITY

With the product name and the vendor it is possible to search for security vulnerabilities of the product. The CVE Details database is a reliable data source for vulnerabilities of specific products; in our case it reveals a long list of vulnerabilities. The following screenshot gives some details.

Screenshot: GE Proficy HMI/SCADA CIMPLICITY, CVE Details

The CVE IDs from the screenshot (e.g. CVE-2014-0750) can be used to query The Exploit Database (EDB), an exploit database maintained by Offensive Security. For CVE-2014-0750 the search returns a remote code execution exploit, which allows remote attackers to execute arbitrary code via a crafted HTTP request, written as a module for the Metasploit Framework (a tool for executing exploit code), as shown below.

Screenshot: Exploit Database search for CVE-2014-0750

Conclusion

If this were a real attack, the next step would be executing the exploit. The preceding example shows how important the simple technique of HTTP fingerprinting is for information gathering, and what serious consequences a single leaked header can have.

A cheat sheet provided by the Open Web Application Security Project (OWASP) lists the signatures of the most popular SCADA/RTU/PLC products of known vendors. A few signatures from this cheat sheet are shown in the following table:

Signature                                   Vendor                     Product
Server: ISC SCADA Service HTTPserv:00001    Clorius Controls           ISC SCADA System
Server: ClearSCADA/6.72.4644.1              ClearSCADA                 ClearSCADA/6.72.4644.1
Server: INDAS WEB SCADA                     INDAS                      INDAS WEB SCADA
Server: CIMPLICITY-HttpSvr/1.0              GE Intelligent Platforms   Proficy HMI/SCADA CIMPLICITY
Location: /Scada/Default.aspx               Socate                     SCADA - Vielha
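The netcat one-liner and the signature table above can be combined into a small scanner. The following script is an added example and is not part of the original page or of the OWASP cheat sheet: it sends the same minimal HTTP/1.0 request with a raw socket, parses the status line and headers (tolerating embedded servers that send bare LF), and matches the Server and Location headers against the table. The signature list, the sample response (constructed from the CIMPLICITY reply shown earlier, not a live capture) and all function names are this example's own.

```python
import socket

# Signature table: (header, value prefix, vendor, product). The entries are
# the ones reproduced from the OWASP cheat sheet above; extend as needed.
SIGNATURES = [
    ("server", "ISC SCADA Service HTTPserv:00001", "Clorius Controls", "ISC SCADA System"),
    ("server", "ClearSCADA/", "ClearSCADA", "ClearSCADA"),
    ("server", "INDAS WEB SCADA", "INDAS", "INDAS WEB SCADA"),
    ("server", "CIMPLICITY-HttpSvr/", "GE Intelligent Platforms", "Proficy HMI/SCADA CIMPLICITY"),
    ("location", "/Scada/Default.aspx", "Socate", "SCADA - Vielha"),
]

# Constructed sample, copied from the response shown earlier on this page
# (not a live capture); used when the script is run without a target.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: CIMPLICITY-HttpSvr/1.0\r\n"
    b"Date: Sat, 14 Feb 2015 17:47:58 GMT\r\n"
    b"Cache-Control: no-cache, max-age=0, must-revalidate\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 779\r\n"
    b"Location: /Default.aspx\r\n"
    b"\r\n"
    b"<html>...</html>"
)


def fetch_head(host, port=80, timeout=5.0):
    """Send one minimal HTTP/1.0 GET (CRLF line endings, as HTTP requires)
    and return the raw reply, the same thing the netcat one-liner does."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        # Stop as soon as the header block is complete; the body is not needed.
        while b"\r\n\r\n" not in buf and b"\n\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:          # server closed before finishing the headers
                break
            buf += chunk
    return buf


def parse_headers(raw):
    """Split a raw response into (status line, {lowercase name: value}).
    Tolerates servers (common on embedded devices) that send bare LF."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue               # skip malformed lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def fingerprint(headers):
    """Return {'signature', 'vendor', 'product'} for the first matching
    signature, or None when nothing in the table matches."""
    for header, prefix, vendor, product in SIGNATURES:
        value = headers.get(header, "")
        if value.startswith(prefix):
            return {
                "signature": f"{header.capitalize()}: {value}",
                "vendor": vendor,
                "product": product,
            }
    return None


def fingerprint_host(host, port=80):
    """One request, one fingerprint: do not hammer fragile ICS stacks."""
    status, headers = parse_headers(fetch_head(host, port))
    return status, fingerprint(headers)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(fingerprint_host(sys.argv[1]))
    else:
        print(fingerprint(parse_headers(SAMPLE_RESPONSE)[1]))
```

Run it with a host as the only argument to probe a device you are authorized to test, or without arguments to see the match on the embedded sample. Two caveats apply: a banner is only a hint, since the mitigation section below shows how easily it is stripped or replaced, and ICS web stacks are often fragile, so the script deliberately sends a single request per host.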

Mitigation

To prevent HTTP fingerprinting, administrators should analyze what information their web servers leak and consider the following steps:

Limit the information the web server sends by adding directives to its configuration. Examples: ServerTokens ProductOnly (or Prod) and ServerSignature Off for the Apache web server; server_tokens off for the nginx web server. Note that these only strip the version: Apache still sends Server: Apache and nginx still sends Server: nginx, which is enough to identify the product family.

Change the HTTP web server banner string (obfuscation). This can be done by patching the web server binary or by recompiling from source (if available). A fake banner only holds up if the other fingerprintable behaviour (header order, error pages) is consistent with it.

Customize error pages (e.g. 404, 500); default error pages identify the server as reliably as the banner does.

Re-order HTTP header fields.

Change default cookie names (a session cookie name identifies the application framework).

Use tools such as IIS Lockdown or ServerMask. Both were written for older IIS versions, so check that they apply to the release in use.
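The weak and the hardened settings side by side for nginx, as an added example that is not part of the original page. The last two directives assume the third-party headers-more-nginx-module is compiled in (their names come from that module, not from nginx core):

```nginx
http {
    # Weak (the default): product and version in every response,
    # e.g. "Server: nginx/1.24.0".
    # server_tokens on;

    # Better: drop the version. The header becomes "Server: nginx",
    # which still identifies the product family to a scanner.
    server_tokens off;

    # Best: remove or replace the header. nginx core offers no directive
    # for this; the lines below assume the headers-more module is built in.
    more_clear_headers "Server";
    # more_set_headers "Server: Device-Gateway";   # decoy instead of removal
}
```

The Apache equivalent has the same limitation: ServerTokens Prod plus ServerSignature Off still yields Server: Apache, and Apache core offers no directive to remove that header; ModSecurity's SecServerSignature directive can rewrite it, but only works when ServerTokens is set to Full. After any change, verify the result with the same netcat request used for fingerprinting above, and remember that the remaining items in the list (error pages, header order, cookie names) still need attention, since fingerprinting tools do not rely on the banner alone.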

Further Reading