# C-SCAD: Assessing Security Flaws in C-SCAD WebX Client

Introducing C-SCAD!

• Overview
  C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. WebX client is hosted on the embedded web server which is shipped as a part of complete ClearSCADA architecture. Primarily, the WebX client is restricted to perform any configuration changes but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of WebX client can reveal potential information about the various functions such as alarm pages, SQL lists, and diagnostic checks including various reports.

Release

• C-SCAD is released at BlackHat USA Arsenal 2014, Las Vegas.
• https://www.blackhat.com/us-14/arsenal.html#Sood.
• This tool has been as an effort to serve the security community and enhancing the sphere of open-source support for penetration testers and security researchers!
• Special thanks to ToolsWatch
• Event details: ToolsWatch Commentary!

Presentation !

Version 0.1 - Functionality !

• Enumerates active users configured for the WebX access!
• Enumerates configured databases and SQL lists for the ClearSCADA!
• Performs complete configuration check for exposed components!
• Verifies access to diagnostic page and dumps required information!
• Executes dictionary attacks for checking weak credentials!
• Triggers Shodan search queries for exposed ClearSCADA WebX client on the Internet!

Documentation - Usage Examples:

• Detailed examples have been shown here: C-SCAD Usage.

Download !

• [Git Hub]https://github.com/adityaks/c-scad

Bugs !

• Send all bugs and queries to : contact [no spam] secniche.org