Process Control Through Counterfeit Comms - Using and Abusing Built-In Functionality to Own a PLC
Offered By: 0xdade via YouTube
Syllabus
Intro
INTRODUCTION
PROJECT ORIGIN
PROJECT GOALS
PLC - MICROLOGIX 1400
PLC - KEYSWITCH STATES
PLC - COMMUNICATION PROTOCOLS
PLC - PCCC STRUCTURE
PLC - PROTOCOL RESOURCES
PLC - DEVICE CONFIGURATION
ENABLING SNMP - REASONS & REQUIREMENTS
ENABLING SNMP - RSLOGIX
ENABLING SNMP - GET CURRENT CONFIG
ENABLING SNMP - PROTOCOL BITFIELD
ENABLING SNMP - CRC ERRORS
ENABLING SNMP - REBUILD CONFIG
ENABLING SNMP - WRITE CONFIG
ENABLING SNMP - SUCCESS INDICATOR
REBOOTING THE PLC - REASONS & REQUIREMENTS
REBOOTING THE PLC - BASIC FUZZING
REBOOTING THE PLC - E8FF CRASH
REBOOTING THE PLC - CRASH RECOVERY
MEMORY MODULE - REASONS & REQUIREMENTS
MEMORY MODULE - LOAD ON ERROR PCCC Protected Typed Logical Write with Three Address Fields
MEMORY MODULE - WRITE NEW CONFIG
MEMORY MODULE - CONFIG VERIFICATION
MEMORY MODULE - STORE PROGRAM
ATTACK SO FAR
MODIFIED FIRMWARE - CREATION
FLASHING FIRMWARE - SNMP BACKDOOR
FLASHING FIRMWARE - SNMP REBOOT
FLASHING FIRMWARE - TFTP
FLASHING FIRMWARE - UPDATE PROCESS
FLASHING FIRMWARE - SUCCESS
IMPACT
MITIGATION - RECOMMENDATIONS
MITIGATION - SPECIAL RECOMMENDATIONS
ADDITIONAL RESOURCES
Taught by
0xdade