Thursday, November 28, 2013

BacNET - I watched a ShmooCon video and here are my notes

Brad Bowers [BradBowers@digitalintercept.com]

  • Also has a good youtube channel for Arduino and Zigbee security stuff: https://www.youtube.com/user/warezjoe5


BacNET Attack Framework

  • About BacNET networks and how to attack them
  • ShmooCon Video: http://www.youtube.com/watch?v=c4LMrKEO_t0
  • Code should be hosted here, but isn't: http://www.digitalintercept.com/bacnet
    • quips about someone helping him set up a github in ihs talk (what issues could he be having?)
    • also couldn't find code on google or github
    • sent him and email to: BradBowers@digitalintercept.com asking about if the code is public, but the email bounced, but I'll find an email.

BacNET

  • All over UDP (47808)
  • No MAC address for BacNET, just IP + port
    • so holy crap spoofable (in addition to it being UDP)
  • no authentication
  • universal moreso than many proprietary SCADA devices which run behind BacNET devices
  • Used in building temperature networks, elevators, SCADA systems, HVAC, others

What's the attack surface? - He found at least 62 internet exposed devices
-this number is growing
-Let's adapt his stuff for ZMAP or another one of the "whole internet scanning" tools.
-Maybe search the Internet Census 2012 if that port was scanned (unlikely - wasn't it just the top X ports?)

BacNET Attack Framework:

  • all in python
  • lots of scapy involved
  • BacNET_arpsweep.py
    • id all devices on a network (not just BacNET)
  • BacNET_scanner.py
    • id listeners listening on UDP/47808
    • this is the BacNET port
  • BacNET_Sniff.py - will only pull in BacNET IP packets
    • throws it in scapy which lets you pick it apart
    • lots of different settings possible with that
  • BacNET_Search.py - id BacNET based on a popular search engine
  • BacNET_IAMRouter.py
    • sends BVLL packet - send me everything you have current primary BacNET gateway device
    • can act as same router
    • can act as different router
  • BacNET_Confirmed_alarm.py
    • highpriority packet
    • ignores all other traffic and does whatever this packet wants
    • sometimes causes device to crap out
  • BacNET_Spoof.py
    • allows a form of fuzzing
    • lots of stuff falls over or has unintended consequences
  • BacNET_Flood.py
    • DoS a unique device (gateway, or sensor)
    • (My addition) Attack scenario: "This temperature sensor is gone, I'm that device, you only see my traffic because I'm flooding you with my data" It's 'cool'
  • BacNET devices can be CRUSHED by the packet production capabilities of a normal laptop, gotta scale it down sometimes or accidental DoS.
Posted by at 2 comments:
Subscribe to: Posts (Atom)