Today while reading ITSEC news (we publish only a fine selection of them on www.metasploit.it) an article caught our interest: it was a television reportage about a live-hacking session performed by a security company called Compass Security AG (http://www.csnc.ch/en/) for one of their SCADA customers. This type of marketing material is always entertainment but this was more entertainment than the average! The video is available at the URL http://media.hacking-lab.com/movies/10-vor-10-hacking-wasserkraftwerk/ and has already been broadcasted. Take a look at the following frame.
Noticed nothing? Err.. Is that public address space?
Well, it’s clearly not a wise move to publish a routable IP address, belonging to a customer infrastructure and probably the command center for their SCADA gears, together with it’s open port information (5900/tcp open VNC)! It seems a clear call to army for the random cracker who wants to burn some bits over his internet pipe! For the most careful watchers: surely you noticed the Siemens logo in a background browser window and below a “Servlet login” link.
The nmap terminal is a journalism classic, as seen in movies, unreadable green characters on a dark background, is able to make the ITSEC illiterate’s fantasies run wild. But a security company leaking data? In it’s own marketing video? Leaking data is a customer role!
$ whois 46.14.XXX.XX % Information related to '220.127.116.11 - 18.104.22.168' % Abuse contact for '22.214.171.124 - 126.96.36.199' is 'email@example.com' inetnum: 188.8.131.52 - 184.108.40.206 netname: CH-CYBERNET-20100928 descr: Swisscom (Schweiz) AG country: CH org: ORG-CA5-RIPE admin-c: SG7777-RIPE admin-c: CHCN1-RIPE tech-c: CHCN1-RIPE status: ALLOCATED PA mnt-by: RIPE-NCC-HM-MNT mnt-lower: SUNWEB-MNT mnt-routes: SUNWEB-MNT mnt-domains: SUNWEB-MNT source: RIPE # Filtered
The IP belongs to a /16 netblock managed by Swisscom AG and a reverse tell us that they are static IP customers (perhaps single IP ADSLs?).
$ nmap 46.14.XXX.XX -p 5900-6000 -PN Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-03 14:25 CEST Nmap scan report for cust.static.46-14-XXX-XX.swisscomdata.ch (46.14.XXX.XX) Host is up (0.091s latency). Not shown: 100 filtered ports PORT STATE SERVICE 5900/tcp open vnc Nmap done: 1 IP address (1 host up) scanned in 3.60 seconds
The VNC service is still there, so now we have a better idea about the technique used to penetrate that SCADA dashboard.
$ vncviewer 46.14.XXX.XX Connected to RFB server, using protocol version 3.3 Performing standard VNC authentication Password:
Better to stop here :)
Thanks for leaking our data!
We have no idea if that IP is of an actual customer or belongs to an honeypot.. In the first case the Penetration Test was not very successful as the customer did not follow the remediation plan by fixing it’s vulnerability correctly; exposing administrative interfaces, especially VNC services to the Internet is a really bad idea. In the second case we are happy to throw more data to the analyst!