Wednesday, February 24, 2016

Laika BOSS

Last summer Lockheed Martin open-sourced one of their tools for intrusion detection, Laika BOSS. The whitepaper can be found here.

The tool approaches detection of malicious activity differently from, say, Snort or Suricata. Instead of looking at the entire traffic stream, it looks at the elements within the traffic: individual files and programs. For instance, if an email is received, it will look at the body of the email, then the attachment, break out the sub-components of the attachment and analyze each of them separately.

Laika BOSS has been internally tested at Lockheed for several years now and most of the bugs should be worked out. They have open sourced it in the same spirit that they released the now famous kill chain paper, hoping to promote more advances in network defense.

A copy can be found at their github: https://github.com/lmco/laikaboss.

The install instructions are pretty straightforward; there is a fair number of dependencies to install first:

apt-get install yara python-yara python-progressbar
pip install interruptingcow
apt-get install libzmq3 python-zmq python-gevent python-pexpect

apt-get install python-ipy python-m2crypto python-pyclamd liblzma5 libimage-exiftool-perl python-msgpack libfuzzy-dev python-cffi python-dev unrar
pip install fluent-logger olefile ssdeep py-unrar2 pylzma
wget https://github.com/smarnach/pyexiftool/archive/master.zip
unzip master.zip
cd pyexiftool-master
python setup.py build
python setup.py install
wget http://pefile.googlecode.com/files/pefile-1.2.10-139.tar.gz
tar vxzf pefile-1.2.10-139.tar.gz
cd pefile-1.2.10-139
python setup.py build
python setup.py install


I had no trouble installing any of this on a fully updated Debian box; on an older CentOS machine (5.7) I had to search Google for a lot of things and install them from source.

Next, grab a copy of the laika source from github:

wget https://github.com/lmco/laikaboss/archive/master.zip
unzip master.zip
cd laikaboss-master

Laika has several parts: a standalone scanner, a distributed client-server framework, and an integration with MTAs. Usage of the standalone instance is fairly simple:
Just point it at a file and go. It returns a wealth of information in JSON format, so it can easily be parsed by other applications or sent to a SIEM.
I haven't played around with the networked instances yet, but I probably will in the near future. Someone also pointed me to REbus, which looks like a similar application that I'm going to have to take a look at in the future.
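To make the "break out the sub-components and analyze them separately" idea concrete, here is a small added example of my own (not code from Laika BOSS, and not its object model or output format). It recursively explodes a container, runs a per-type check on every child, and emits a JSON tree, which is the shape of result a SIEM can consume. The ZIP archive, the magic-byte table and the two check functions are all constructed for the example; real scanners use YARA rules and cap the size of extracted children, which is why a hypothetical MAX_CHILD limit is included.

```python
import io
import json
import zipfile

MAX_CHILD = 1 * 1024 * 1024  # hypothetical cap on extracted child size (zip-bomb guard)

# Constructed sample input: a ZIP with a text note and a fake PE, built in memory.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly numbers attached")
        zf.writestr("tool.exe", b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode")
    return buf.getvalue()

# Hypothetical type table keyed on leading bytes (a stand-in for real file-typing).
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf"}

def identify(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    printable = all(32 <= b < 127 or b in b"\r\n\t" for b in data[:512])
    return "text" if printable else "unknown"

# Hypothetical per-type checks; each returns a list of flag strings.
def check_pe(data: bytes):
    return ["executable-attachment"]

def check_text(data: bytes):
    return ["suspicious-wording"] if b"attached" in data.lower() else []

CHECKS = {"pe": check_pe, "text": check_text}

def scan(data: bytes, name: str = "root", depth: int = 0, max_depth: int = 5) -> dict:
    """Identify the object, run its checks, then recurse into any container children."""
    ftype = identify(data)
    result = {"name": name, "type": ftype, "size": len(data),
              "flags": CHECKS.get(ftype, lambda d: [])(data), "children": []}
    if ftype == "zip" and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_CHILD:
                        result["flags"].append(f"oversized-child:{info.filename}")
                        continue
                    child = zf.read(info)
                    result["children"].append(scan(child, info.filename, depth + 1, max_depth))
        except zipfile.BadZipFile:
            result["flags"].append("corrupt-zip")
    return result

def all_flags(tree: dict) -> set:
    """Collect the flags raised anywhere in the scan tree."""
    flags = set(tree["flags"])
    for child in tree["children"]:
        flags |= all_flags(child)
    return flags

if __name__ == "__main__":
    print(json.dumps(scan(build_sample_zip(), "message.zip"), indent=2))
```

The point of the tree layout is that a flag on an inner object keeps its path (message.zip -> tool.exe), so an analyst can tell which sub-component tripped a rule rather than just that "the email" did.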

f3n3s7ra

Wednesday, February 17, 2016

ICS Challenge part 3

Apologies for the long delay between posts; between getting my wisdom teeth taken out and classes starting up again, I was busier than I expected.

The third part of the challenge starts out by giving us this hash:  392afaed9e68dd857d15072d8646c51a

  • What type of file is this, what campaign was using this malware, what 0-day was used in this campaign, what is another hash associated with this campaign, what are at least C2 addresses observed as part of this campaign. 
The obvious place to start researching is VirusTotal. Putting the hash in, we get that it's a Windows executable, specifically a WinCC SCADA file for Siemens AG. The file's name is CCProjectMgr. Is this starting to sound familiar? Siemens, SCADA, CCProjectMgr... it should. It's part of Stuxnet. Stuxnet used multiple 0-days to spread, but one of the more famous ones was the .lnk vulnerability, which it used to spread through USB drives. One of the hashes also associated with Stuxnet is 0x758240613C362BB1FD13E07D19F357B7F8A6DA, from the malicious driver. Some of the IPs used in the Stuxnet campaign are 69.195.129.72 and 211.24.237.226.

Next we are asked to conduct another analysis of the pcap.


  • There is an obvious ICS protocol being used, what are the status codes it is using. At one point this protocol communicates about tags set on the system, what are these tags? There is an indication of an ICS protocol in use on another segment of this network. What is this protocol?
Opening up the pcap in Wireshark, we can immediately see that Modbus is being used.
Looking farther down at the actual content of one of the packets, we can see one of the status codes the question asks about.
Now we can go and look for the rest of these status codes. In total they are: Read Holding Registers (3), Read Input Registers (4), Read Coils (1), Unknown Function (103), Unknown Function (104), Unknown Function (105), Unknown Function (120), Unknown Function (121), and Unknown Function (122).

Now we need to find the tags. Most of the Modbus packets are either Read Holding Registers or Read Input Registers, neither of which carries much in the way of data that we'd be interested in. However, the Unknown Function packets have a large blob of data, so let's start looking through those. And bingo!
We see the status codes GREEN and RED. Upon more digging we see the codes OPEN and CLOSE as well.
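The two steps above (tally the Modbus function codes, then pull readable strings out of the non-standard ones) are easy to script once you know the Modbus/TCP framing, so here is an added example of mine that does both. It is not from the challenge or from Wireshark; the frames are constructed in the block and stand in for what a pcap would carry. Note that what the question calls status codes are the Modbus function codes, the byte right after the 7-byte MBAP header (transaction id, protocol id, length, unit id).

```python
import struct

# Public function codes a defender expects to see on a Modbus network.
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def build_frame(txid: int, unit: int, function: int, payload: bytes) -> bytes:
    # MBAP header: transaction id, protocol id (0 = Modbus), length = unit id + fc + payload.
    return struct.pack("!HHHB", txid, 0, 2 + len(payload), unit) + bytes([function]) + payload

# Constructed frames (not from the challenge capture): three standard reads and two
# vendor-specific function codes carrying ASCII tag names in their data blob.
FRAMES = [
    build_frame(1, 1, 3, struct.pack("!HH", 0, 10)),
    build_frame(2, 1, 4, struct.pack("!HH", 0, 4)),
    build_frame(3, 1, 1, struct.pack("!HH", 0, 8)),
    build_frame(4, 1, 103, b"\x00\x01GREEN\x00\x02OPEN\x00"),
    build_frame(5, 1, 120, b"\x00\x03RED\x00\xffCLOSE\x00"),
]

def parse_modbus_tcp(frame: bytes) -> dict:
    """Split one Modbus/TCP frame into header fields, function code and data."""
    if len(frame) < 8:
        raise ValueError("short frame")
    txid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError("not Modbus protocol id")
    if length != len(frame) - 6:
        raise ValueError("MBAP length mismatch")
    fc = frame[7]
    return {"txid": txid, "unit": unit, "function": fc,
            "name": FUNCTION_NAMES.get(fc, f"Unknown Function ({fc})"),
            "exception": bool(fc & 0x80),  # high bit marks an exception response
            "data": frame[8:]}

def function_code_summary(frames) -> dict:
    """Count frames per function-code name, the way Wireshark's summary would."""
    counts = {}
    for f in frames:
        name = parse_modbus_tcp(f)["name"]
        counts[name] = counts.get(name, 0) + 1
    return counts

def extract_strings(data: bytes, min_len: int = 3) -> list:
    """Printable ASCII runs of at least min_len bytes, like the strings utility."""
    out, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode())
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode())
    return out

def tags_in_unknown_functions(frames) -> set:
    """Strings found only inside non-standard (vendor) function codes."""
    tags = set()
    for f in frames:
        p = parse_modbus_tcp(f)
        if p["function"] not in FUNCTION_NAMES and not p["exception"]:
            tags.update(extract_strings(p["data"]))
    return tags

if __name__ == "__main__":
    print(function_code_summary(FRAMES))
    print(sorted(tags_in_unknown_functions(FRAMES)))
```

Run over a real capture you would feed parse_modbus_tcp the TCP payloads on port 502; the length check matters there because a mismatched MBAP length is the first sign of a malformed or non-Modbus packet on the port.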

As I was going through the packet capture, some NBNS requests stood out to me.
These are NetBIOS Name Service lookups for sites like Netflix and Amazon. Leaving aside the issue of employees trying to visit those sites, this points to another interesting fact. NBNS is used to try to resolve a name AFTER a DNS lookup fails. I didn't see any DNS packets in the capture, meaning DNS is probably not running in the environment. However, this provides an opportunity for malicious attackers on the network to employ NBNS spoofing, without even having to go through the trouble of exhausting the UDP ports to block DNS first.
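Because an ICS segment has a small, stable set of host names, NBNS queries for anything outside that set are a cheap detection signal for exactly the situation described above (names falling through to NBNS and becoming spoofable). Here is an added example of mine, not from the challenge, that decodes the NetBIOS first-level name encoding from a raw NBNS query and flags lookups that are not in a known-host baseline. The packets and the KNOWN_HOSTS list are constructed for the example.

```python
import struct

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """NetBIOS first-level encoding: 15-char padded name + suffix, each nibble -> 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(ch for b in raw for ch in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))

def decode_nb_name(encoded: bytes):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((a - 0x41) << 4) | (b - 0x41) for a, b in zip(encoded[0::2], encoded[1::2]))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_nbns_query(name: str, txid: int = 0x1234) -> bytes:
    # Constructed packet: standard query, recursion desired + broadcast flags (0x0110),
    # one question of type NB (0x0020), class IN.
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_nb_name(name) + b"\x00" + struct.pack("!HH", 0x0020, 0x0001)
    return header + question

def parse_nbns_query(pkt: bytes):
    """Return the question of an NBNS name query, or None if the packet is a response."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        return None
    off = 12
    if pkt[off] != 0x20:
        raise ValueError("unexpected NetBIOS name length")
    off += 1
    name, suffix = decode_nb_name(pkt[off:off + 32])
    off += 32
    if pkt[off] != 0x00:
        raise ValueError("name not terminated")
    off += 1
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "suffix": suffix, "qtype": qtype,
            "qclass": qclass, "broadcast": bool(flags & 0x0010)}

# Constructed baseline of hosts that legitimately exist on the segment.
KNOWN_HOSTS = {"PLC01", "HMI-STATION", "HISTORIAN"}

def unknown_nbns_lookups(packets, known=KNOWN_HOSTS) -> list:
    """Names queried over NBNS that are not in the baseline; each is a spoofable lookup."""
    hits = []
    for pkt in packets:
        q = parse_nbns_query(pkt)
        if q is not None and q["name"] not in known:
            hits.append(q["name"])
    return hits

# Constructed sample traffic: one expected lookup and two that have no business here.
SAMPLE = [build_nbns_query("NETFLIX"), build_nbns_query("PLC01"), build_nbns_query("AMAZON")]

if __name__ == "__main__":
    print(unknown_nbns_lookups(SAMPLE))
```

The baseline approach works precisely because the ICS network is static; on an office LAN the same rule would be noisy.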

I do not know enough about ICS protocols to try to discern what the other protocol being used on a different network segment is. 

The next set of questions is about internet connected ICS. 
  • How many modbus devices are currently connected to the internet in North America. How many BACNet clients are currently connected to the internet in the US. How many IEC-104 devices are online currently. Document a feature of Shodan that you find interesting. 
The premier search engine for ICS devices is Shodan. I am already familiar with this service, so it's a simple matter to head to the site and query for Modbus devices. It shows 2,152 internet-connected Modbus devices in the US.
Now we do the same thing for BACnet:
And we see that there are 4,663 BACnet devices connected to the internet. Then we do this once more for IEC-104:
Which returns 109 currently connected devices. Lastly, we are to document a feature of Shodan that we find interesting. To me, that would be the Shodan API, which lets you use the power of Shodan in your own applications.

That was the final 300 level question. 

f3n3s7ra

Thursday, January 28, 2016

VMware Workstation and the layoffs

This news came out yesterday about VMware. The company is laying off 800 people, and this includes the entirety of the Workstation and Fusion teams. This is disconcerting news, to say the least. Much of the networking and security community uses Fusion/Workstation on a regular basis for testing.

I use Workstation personally to virtualize various operating systems almost daily. I do all my development inside of VMs, so if something happens I can just restore from a snapshot and don't have to worry about my laptop's actual hard drive being trashed. If I read about a new vulnerability and want to test it out, I can just spin up the relevant operating system and go for it.

I will keep using Workstation as long as it is viable for my needs, but I will have to start shopping around for alternatives, probably either VirtualBox or QEMU.

Thanks, VMware.

f3n3s7ra

Monday, January 25, 2016

CybatiWorks ICS pi image on windows

As part of my research concerning ICS, I stumbled across CybatiWorks, which is an ICS simulator. From their website:

The CybatiWorks™ scalable academic and professional control system cybersecurity platform enables educational institutions, industrial asset owners / operators, researchers and supporting entities to understand control system environments and cybersecurity risks.   The portable and complete training platform has been validated by hundreds of industry practitioners and educators.  The educational platform engages the participant in understanding, enumerating, penetrating and mitigating the engineering workstation, HMI, OPC, Historian, PLC/PAC/IED/R(M)TU/DCS and protocol communications.

Actually getting a kit will cost you money; however, they provide the VM and Raspberry Pi image on their Google+ page (you will have to be approved to join the group to download it). I don't have a Raspberry Pi at the moment, and I decided I would like to test this out before spending the money on a Pi.

Unfortunately, the Pi is ARM based, and my favorite virtualization tool, VMware Workstation, doesn't support ARM, so we'll have to find another option. I settled on QEMU. QEMU runs natively on Linux, but I don't want the overhead of running a VM inside of a VM. So first you need to install QEMU for Windows, which you can grab a copy of here (or you can grab a copy from the QEMU website and build from source). I used version 2.4.0, as it's a standalone executable; no install needed.

Next, we will need an ARM kernel, which can be downloaded from here. I used the 'kernel-qemu-3.10.25-wheezy' image. Download that and put it in the same folder as QEMU.

Now we need the CybatiWorksPI.img file from their Google Drive. Download this and put it in the folder where you installed QEMU. Warning: it's a rather large file, at 7 GB.

Now we can boot the VM. Open up a command prompt, navigate to the folder where you installed QEMU and type:

qemu-system-arm.exe -M versatilepb -m 256 -cpu arm1176 -no-reboot -serial stdio -kernel kernel-qemu-3.10.25-wheezy -hda CybatiWorksPI.img -append "root=/dev/sda2 panic=1 rootfstype=ext4 rw init=/bin/bash"

This will boot the Pi image and, because of init=/bin/bash in the kernel arguments, drop us straight into a bash shell instead of the normal init:


f3n3s7ra

Sunday, January 24, 2016

ICS Challenge part 2

These are my attempts at the level 200 questions of the SANS ICS Challenge.

The first question is about ICS Security models.

  • In the Purdue Enterprise Reference Architecture, what level is an Operations network or manufacturing zone found at, and what level are sensors and actuators found at. 

The Purdue reference model looks like the image above. The Operations network exists at level 3, and the actual sensors and actuators are on level 0. 

  • For the Defense in Depth model, what zone should always exist at a minimum between control systems and the internet, and unauthenticated internet accessible control systems are what?
Defense in Depth is a traditional approach to security, although there is an argument to be made that it is a flawed model. At a minimum there should always be a firewall between the control systems and the internet; even better would be a full-fledged DMZ with IDS and IPS systems. Unauthenticated internet-accessible control systems are a terrible idea and should be considered compromised.
  • What are the 4 phases of the Active Cyber Defense Cycle (ACDC), and what phase has been noted to excel in ICS networks. 
The ACDC model consists of 4 stages:
The first stage, Asset Identification and Network Security Monitoring, is easy for ICS networks. Unlike a standard enterprise IT environment with hundreds of users on the web going out to thousands of websites, ICS networks are very static and stable, so identifying assets and monitoring for changes is easier.
  • In stage 1 of the ICS Cyber Kill Chain, what category would "Delivery, Exploit, and Install" fall into, and what is the second step in stage 2. 
The ICS kill chain is an application of Lockheed Martin's widely known threat model to control systems. The first stage looks like this:
As we can see, "Delivery, Exploit, and Install" falls into the Cyber Intrusion category. However, with an ICS compromise, landing malware on a target is often only part of the end goal, which is why there is a second stage to the kill chain.
The second step of stage 2 is the test stage.

  • In the provided pcap, how many non broadcast and non multicast devices are on the network? Give MAC and IP addresses. What ICS protocol is being used, and what TCP and UDP ports are being used. 
So we fire up Wireshark and take a look.
We can look at the protocol hierarchy to get a better idea of what's going on in the network.
We can see multiple protocols in use (NBNS, NBDS, SMB), but the only ICS protocol being used is Modbus. Going further, we can look at the list of conversations and endpoints to come up with the MAC and IP addresses: 00:C0:82:01:0C:C2/192.168.1.3, 00:0F:73:00:76:FC/192.168.1.200, 00:0D:9D:8D:F5:DA/192.168.1.20, 00:A0:45:C0:56:70/192.168.1.1.

The TCP ports used in the pcap are: 80, 443, 502, 1059, 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090, 1091, 1092, 1093, 1094, 1095, 1096, 1097, 1098, 1100, 1101, 1102, 1103, 1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1113, 1114, 1115, 1116, 1117, 1118, 20562, 21811, 52340. And on UDP: 137, 138, 502, 1048, 1947, 52339.
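The endpoint and port inventory above is something worth automating, because "non-broadcast and non-multicast" is the same filter you apply when baselining a static ICS segment. This is an added example of my own, not from the challenge: it takes flow records, drops group (multicast/broadcast) MACs by the I/G bit of the first octet and multicast/broadcast IPs via the ipaddress module, and then lists ports per transport and the Modbus/TCP servers. The flow tuples and the 10.0.0.0/24 subnet are constructed for the example and are not the challenge pcap's addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (src_mac, src_ip, dst_mac, dst_ip, proto, dst_port).
FLOWS = [
    ("00:11:22:33:44:01", "10.0.0.3",   "00:11:22:33:44:02", "10.0.0.200",  "tcp", 502),
    ("00:11:22:33:44:02", "10.0.0.200", "00:11:22:33:44:01", "10.0.0.3",    "tcp", 1083),
    ("00:11:22:33:44:03", "10.0.0.20",  "ff:ff:ff:ff:ff:ff", "10.0.0.255",  "udp", 137),
    ("00:11:22:33:44:03", "10.0.0.20",  "01:00:5e:00:00:fb", "224.0.0.251", "udp", 5353),
    ("00:11:22:33:44:04", "10.0.0.1",   "00:11:22:33:44:02", "10.0.0.200",  "udp", 502),
]

# Assumed local subnet, needed to recognise the directed broadcast address.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")

def is_group_mac(mac: str) -> bool:
    """True for multicast and broadcast MACs (I/G bit set in the first octet)."""
    return bool(int(mac.split(":")[0], 16) & 0x01)

def is_group_ip(ip: str, network=LOCAL_NET) -> bool:
    """True for multicast, limited broadcast and the subnet's directed broadcast."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_multicast
            or addr == ipaddress.ip_address("255.255.255.255")
            or addr == network.broadcast_address)

def unicast_endpoints(flows) -> list:
    """Sorted (mac, ip) pairs for every host seen sending or receiving unicast."""
    seen = set()
    for smac, sip, dmac, dip, _proto, _port in flows:
        for mac, ip in ((smac, sip), (dmac, dip)):
            if not is_group_mac(mac) and not is_group_ip(ip):
                seen.add((mac, ip))
    return sorted(seen)

def ports_by_proto(flows) -> dict:
    """Destination ports observed per transport protocol."""
    out = defaultdict(set)
    for *_, proto, port in flows:
        out[proto].add(port)
    return {proto: sorted(ports) for proto, ports in out.items()}

def modbus_servers(flows, port: int = 502) -> list:
    """Hosts that receive Modbus/TCP on the standard port (the likely PLCs/RTUs)."""
    return sorted({(dmac, dip) for _, _, dmac, dip, proto, p in flows
                   if proto == "tcp" and p == port})

if __name__ == "__main__":
    for mac, ip in unicast_endpoints(FLOWS):
        print(f"{mac}/{ip}")
    print(ports_by_proto(FLOWS))
    print(modbus_servers(FLOWS))
```

A device that shows up as a Modbus server in one capture and as a new, unlisted endpoint in the next is exactly the kind of change the static-network argument in the ACDC answer says should be easy to spot.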

The next set of questions revolves around the Federal Energy Regulatory Commission. 
  • What action granted the FERC the authority to impose mandatory regulations on the electric system owners and operators as well as assess penalties. Which organization did the FERC designate as the Electric Reliability Organization. Which FERC order created the ERO CIPR standards. 
The Federal Energy Policy Act of 2005 gave the FERC the authority to impose regulations. The North American Electric Reliability Corporation was designated as the ERO. The Critical Infrastructure Protection Reliability standards were established with FERC order 706.

We are then asked about more specifics of ICS operation.
  • A control room operator interfaces with an ICS through what? Which of the following would probably make use of large scale SCADA systems: chemical plant, electric grid operation, manufacturing, warehouse distribution facility. What's the difference between SCADA and DCS. What's the difference between PLC and RTU. What's the difference between discrete, continuous, and batch processing. 
An operator would interface with an ICS through a Human-Machine Interface (HMI), and the electric grid would most likely use a large SCADA system.

The differences between SCADA and DCS arose back when bandwidth and network capacity were scarce. SCADA implied data acquisition, while DCS just implied control. Now, with high-speed networking, the line is very blurred.

An RTU uses wireless to communicate and can be spread out across a large area. RTUs do not support control loops and algorithms. PLCs use physical media to communicate.

Continuous processing runs without interruption, typically making things like fuel, chemicals, etc. Batch processing makes a batch of something at once, typically in small to medium amounts; it could conceivably be used for drinks, medicine, or food. Discrete processing makes components of a product, like parts for cars or robots.

The next questions talk about the NERC regulations.

  • What is the report filing requirement for notifying E-ISAC in the event of a reportable computer security incident. How often does the incident response plan need to be tested. How often does the identification of a bulk electric system asset need to be reviewed. How often must transmission owners perform a risk assessment. 
According to CIP-800-5-Incident Response and Report Planning, the E-ISAC has to be notified within 1 hour. The same CIP also defines that the incident response plan for medium and high impact business systems has to be tested every fifteen calendar months. 800-5 also states that the identification of a bulk electric system needs to be reviewed every fifteen calendar months. CIP-014-1 states that risk assessments have to be performed every 30 months.

The last question is about what to bring for an incident response:
  • What should an incident response jump kit contain?
Contact information for other members of the incident response team is a must. Team members must also have a way of communicating out of band from the on-site network, as it may be compromised, so both walkie-talkies and cell phones would be good. A flashlight is a must, as is a pad and pen for taking notes. Various cables (Ethernet, serial, USB, FireWire, anything you could be expected to run into). Clean USB and hard drives. A network tap, bootable CDs/USBs, and spare networking cables, both crossover and straight-through, should also be included.

This concludes the level 200 questions for the ICS challenge. 

f3n3s7ra

Saturday, January 23, 2016

ICS Holiday Challenge

I was a bit late to the party for the SANS ICS Challenge, I found out about it on the last day before it closed. SANS will be posting on their ICS blog about questions people had a lot of trouble with, but this is my attempt at the challenge. Bear in mind that since I came late to the challenge, these are not officially verified as correct.

The first question was to list 5 kinds of ICS besides SCADA. I am not an ICS expert, although I am learning, so I had to research it. Although SCADA (Supervisory Control And Data Acquisition) is often used as an umbrella term for all industrial control systems, it is only one subset. The other kinds most often mentioned are Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC). However, SANS themselves have a document on ICS which describes several other types of control systems: Building Management Systems (BMS), Instrumentation and Control (I&C), and Safety Instrumented Systems (SIS). The differences between all of these categories are a little vague to me, but my best guess for question one is:

  • BMS
  • I&C
  • DCS
  • PLC/PCS
  • SIS
The next question asks us for 10 protocols used by ICS; one has to be Ethernet, one has to be wireless, and one has to be serial. I could name Modbus and DNP3 off the top of my head, as they are the most well known protocols. Shodan is an excellent resource for ICS and has a list of several common protocols. EtherNet/IP is listed as an Ethernet protocol, and Modbus/TCP can communicate over Ethernet also; the original Modbus was a serial protocol. Siemens S7, BACnet, Tridium, HART-IP, and ISO-TSAP are several more ICS protocols, but we need a wireless one. It turns out HART has a wireless implementation called WirelessHART. This covers all ten protocols. My answers to question 2 are:

  • Modbus
  • DNP3
  • EtherNet/IP
  • ISO-TSAP
  • HART-IP
  • Modbus/TCP
  • WirelessHART
  • Tridium
  • S7
  • BACNet
The third question asks about a secure version of a common ICS protocol, and the common attack scenarios it attempted to address with the added features. I was having a little trouble coming up with an answer for this. I found out that DNP3 has modifications for Secure Authentication, so I'm going to assume that is the correct answer. The secure version of DNP3 was designed to handle spoofing, modification, and replay attacks.

The next is about the stages of testing conducted between ICS vendors and customers. These would be the Factory Assessment Test (FAT) and Site Assessment Test (SAT). A FAT is conducted by the vendor prior to shipping the product, to make sure it meets the customer's specifications. A SAT is conducted on site to make sure everything is working properly and in accordance with the specifications.

Then we are asked about the first presidential directive addressing critical infrastructure protection, and when it came out. That would be the Presidential Directive PDD-63, from May 1998.

Next we are asked to identify the information sharing organization established, how many members there are, and two of the members. The Information Sharing and Analysis Center (ISAC) is the organization, there are 24, and they include the Electricity Sector ISAC and the Emergency Management and Response ISAC.

The seventh question is to identify 4 standards or regulations. These would be:

  1. Nuclear Sector Regulation/NSR 5.71
  2. United States Nuclear Regulatory Commission/10 CFR US 73 and 73.54
  3. NERC CIP Standards/CIP 001-009
  4. NEI 13-10


Another question asks for three examples of ICS targeted malware. The obvious one is Stuxnet, the malware which caused the destruction of Iran's nuclear centrifuges. A second example is the BlackEnergy2 malware which was used in the attacks on Ukraine's power grids. A third piece of malware would be HAVEX, which I read about in F-Secure's report.


That concludes all of the 100 point questions in the challenge.

f3n3s7ra

Tuesday, January 19, 2016

UDP exhaustion

While I was reading through this excellent article on Windows privesc, I noticed that the exploit relied on exhausting all the ports to block a DNS request. As this is something I have had to do myself on occasion, I wrote up a quick script for binding to all the ports and dropped it on my GitHub.

F3n3s7ra