Re: Pen-testing Simatic Data Acquisition Periphery e.g. PLC S5 or S7

From: Nasir Farhat Khan (nasirat_private)
Date: Thu Sep 27 2001 - 22:52:18 PDT


    If the PLC is on TCP/IP you can check whether it supports SNMP. Some of the
    PLCs use SNMP for management. We have seen Allen Bradley
    devices popping up with SNMP management turned on in one of our pentests.
    
    One more possibility is that you can get hold of the PC programs that are
    used to program the PLCs, i.e. the Loader or Ladder Logic/Graphic programming.
    Since most of the PLCs have little or no authentication barriers in terms of
    login names and passwords, you can get hold of the running configuration etc.
    
    IMPORTANT:
    
    DO NOT TRY this in a production environment. PLCs are used to control
    production equipment (machinery) and consequences can be very dangerous and
    life threatening.
    
    Nasir Farhat Khan
    nasirat_private
    Instec Digital Systems - PAKISTAN
    
    www.instecdigital.com
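
    A defender-side check suggested by the SNMP point above, added here as an example that is not part of the original message: given a constructed list of PLC addresses and constructed firewall log lines, it flags SNMP (UDP/161) flows that reach a PLC from outside an assumed management subnet. The asset list, subnet and log format are all assumptions for illustration.

```python
# Added example (not from the original thread): flag SNMP traffic that reaches
# PLC addresses from hosts outside the engineering/management subnet.
# Log format, asset list and addresses are all constructed for illustration.
import ipaddress
import re

# Constructed inventory of PLC addresses on the TCP/IP side of the plant network.
PLC_ASSETS = {"10.10.5.11": "S7-line-1", "10.10.5.12": "S7-line-2"}

# Only the engineering workstation subnet is expected to manage PLCs over SNMP.
MANAGEMENT_NET = ipaddress.ip_network("10.10.1.0/24")

# Constructed firewall-style log lines: "PROTO src:port -> dst:port ACTION".
LOG_LINE = re.compile(
    r"(?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)"
)

SAMPLE_LOGS = """\
UDP 10.10.1.20:50123 -> 10.10.5.11:161 ALLOW
UDP 10.10.7.44:50200 -> 10.10.5.11:161 ALLOW
TCP 10.10.7.44:50201 -> 10.10.5.12:80 ALLOW
UDP 10.10.7.44:50202 -> 10.10.5.12:161 DENY
UDP 10.10.1.21:50300 -> 10.10.9.1:161 ALLOW
"""

def suspicious_snmp(log_text):
    """Return (src, dst, plc_name, action) for SNMP (UDP/161) flows that reach a
    known PLC from outside the management subnet. Denied flows are kept too:
    a blocked probe against a PLC is still worth an alert on a plant network."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # unparseable line, skip it
        if m["proto"] != "UDP" or m["dport"] != "161":
            continue                      # not SNMP
        if m["dst"] not in PLC_ASSETS:
            continue                      # destination is not a PLC
        if ipaddress.ip_address(m["src"]) in MANAGEMENT_NET:
            continue                      # expected management traffic
        hits.append((m["src"], m["dst"], PLC_ASSETS[m["dst"]], m["action"]))
    return hits

if __name__ == "__main__":
    for src, dst, name, action in suspicious_snmp(SAMPLE_LOGS):
        print(f"SNMP to PLC {name} ({dst}) from non-management host {src}: {action}")
```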
    
    
    ----- Original Message -----
    From: "Patrick Coomans" <Patrick.Coomansat_private>
    To: <pen-testat_private>
    Sent: Tuesday, September 25, 2001 11:14 PM
    Subject: Pen-testing Simatic Data Acquisition Periphery e.g. PLC S5 or S7
    
    
    I have a project for which I will have to pen-test Siemens PLCs that drive
    production processes and do data acquisition.
    
    Is there anyone who has literature on this or done this before?
    
    The PLCs use TCP/IP so that will be the first thing I will go for, but most
    of the PLCs are simply connected to a proprietary bus system (e.g. Interbus)
    which in turn is connected to a PC. So attacking the "Data Acquisition and
    Visualisation PC" as a backdoor to the PLC would be my second option.
    
    Thanks,
    Patrick
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 09:01:15 PDT