Introduce two industrial Ethernet switches used in ICS deployments: the GE Multilink ML800 and the Siemens Scalance X200. I will bring these switches to the venue and wire them up. I can bring a few other ICS switches if desired, but I have vulns for these two so far.
Hand out a pcap file of a Multilink ML800 firmware upload. It comprises a mix of HTTPS and FTP traffic. We use tcptrace to pull the firmware out of the FTP session and then begin some light firmware analysis. Running strings over the image shows that part of the firmware is a DEFLATE-compressed blob. We carve the compressed blob out with dd and then extract it by prepending the gzip magic bytes. Once we have the unpacked firmware we extract some hardcoded RSA private keys. One of those keys can be used to decrypt the HTTPS session and recover the switch username and password from the very same pcap file. We discuss key management in ICS devices, plus any other vulnerabilities found along the way. This key has been reported to GE Energy, but no fix is available yet (exclusive vuln for 44Con). It affects not only this switch but 7 of the 9 models in the switch family, and since the hardware is made by GarrettCom, it impacts their switches too.
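As an added illustration of the carving and key-extraction step above (this is not code from the workshop; it runs over a constructed stand-in image with dummy PEM blocks, not a real Multilink firmware), here is the check a vendor or asset owner can run over a firmware image before release or deployment: locate a headerless DEFLATE blob programmatically instead of with dd and the gzip magic, inflate it, and report any embedded PEM private keys and whether they are passphrase-protected.

```python
import re
import zlib
from typing import List, Optional, Tuple
# Constructed stand-in for a firmware image: a raw DEFLATE stream (no gzip/zlib
# header) between vendor padding bytes. The PEM blocks are dummy text, not real keys.
SAMPLE_ROOTFS = (
    b"#!/bin/sh\n# constructed root filesystem fragment\n"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIDUMMYKEYMATERIAL+NOT+A+REAL+KEY\n"
    b"-----END RSA PRIVATE KEY-----\n"
    b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIDUMMYENCRYPTEDKEY+NOT+REAL\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
def _raw_deflate(data: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no header
    return c.compress(data) + c.flush()

SAMPLE_FIRMWARE = b"\xff" * 64 + _raw_deflate(SAMPLE_ROOTFS) + b"\x00" * 32

def find_deflate_blob(image: bytes, min_len: int = 64) -> Optional[Tuple[int, bytes]]:
    """Try each offset as the start of a headerless DEFLATE stream and keep the one
    that inflates to the longest complete output (the 'carve with dd, then inflate' step)."""
    best = None
    for off in range(len(image)):
        d = zlib.decompressobj(wbits=-15)
        try:
            out = d.decompress(image[off:])
        except zlib.error:
            continue  # not a valid stream start at this offset
        if d.eof and len(out) >= min_len and (best is None or len(out) > len(best[1])):
            best = (off, out)
    return best
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?P<kind>[A-Z ]*PRIVATE KEY)-----(?P<body>.*?)-----END (?P=kind)-----",
    re.DOTALL)

def find_private_keys(blob: bytes) -> List[dict]:
    """List PEM private keys; a passphrase-protected one is still a shipped secret."""
    return [{"offset": m.start(), "kind": m.group("kind").decode(),
             "encrypted": b"Proc-Type: 4,ENCRYPTED" in m.group("body")}
            for m in PEM_KEY_RE.finditer(blob)]

def audit_firmware(image: bytes) -> dict:
    """Carve the compressed filesystem out of an image and report embedded keys."""
    hit = find_deflate_blob(image)
    if hit is None:
        return {"blob_offset": None, "inflated_len": 0, "keys": []}
    off, fs = hit
    return {"blob_offset": off, "inflated_len": len(fs), "keys": find_private_keys(fs)}
```

The offset scan is quadratic, so on a real image seed it from the `strings` or magic-byte hits rather than every byte.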
There is a second RSA Private key with a password I have currently been brute-forcing. I expect to have more to say about that by the workshop date. (Exclusive vuln for 44Con)
We present three older vulnerabilities in the Siemens Scalance X200 family: session hijacking, brute-forcing of the MD5+nonce authentication, and last but not least an authentication bypass for firmware, configuration and log file upload/download. These vulns are hilariously bad, but they show the audience the art of session ID analysis, cracking, and light firmware analysis in embedded/ICS devices. Lastly, while these vulns are old, they will be present in the wild for another 2-5 years because of ICS lifecycles. We finish with a brand new vulnerability in Siemens' newest firmware: a hardcoded private key once again (exclusive vuln for 44Con).
We finish with a discussion of key management in industrial Ethernet switches, and of why MITM is effective in ICS because of poor protocol security. We also explain how MITM is sometimes hindered by the real-time constraints of an ICS system.