
Nessus OPC Checks

Similar to my 2nd blog on Nessus ICCP Checks, here are some screenshots from the OPC checks we’ve been developing with Tenable for Nessus 3.

The first shows the output of the base OPC Detection plugin, which identifies OPC applications and CLSIDs installed on the host. The security note would show up alongside any RPC vulnerabilities (for example) found on an unpatched system on TCP/135. This is the sort of crude correlation between “IT” vulnerabilities and “SCADA” vulnerabilities that is now possible.

This next one shows the output of two plugins: one that determines whether an OPC DA server is present on the host, and a second that looks for the OPC Server Browser (OPCEnum.exe).

All of the OPC checks are “local” Nessus Windows checks: they require Windows host/domain credentials to be entered into Nessus and use the formidable SMB API built into NASL3, which allows us to query the Windows filesystem and registry to gather information about installed applications.
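As an added illustration of what such a registry-based check looks for (this is not the Nessus plugin code, which is not reproduced here), the Python below parses a constructed `reg export HKCR\CLSID` fragment and flags COM classes registered under the OPC DA component categories, plus the OPC Server Browser. The category GUIDs are assumed from the OPC DA specifications and should be verified against them; identifying the browser by its OpcEnum.exe binary name is also an assumption.

```python
import re
# Assumed OPC DA component category GUIDs (verify against the OPC DA specifications).
OPC_DA_CATEGORIES = {
    "{63D5F430-CFE4-11D1-B2C8-0060083BA1FB}": "OPC DA 1.0",
    "{63D5F432-CFE4-11D1-B2C8-0060083BA1FB}": "OPC DA 2.0",
    "{CC603642-66D7-48F1-B69A-B625E73652D7}": "OPC DA 3.0",
}
# Constructed 'reg export HKCR\CLSID' fragment (not taken from a real host).
SAMPLE_REG = r"""[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Vendor OPC DA Server"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{63D5F432-CFE4-11d1-B2C8-0060083BA1FB}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32]
@="C:\\Vendor\\OpcDaServer.exe"
[HKEY_CLASSES_ROOT\CLSID\{99999999-8888-7777-6666-555555555555}]
@="OPC Server Browser"
[HKEY_CLASSES_ROOT\CLSID\{99999999-8888-7777-6666-555555555555}\LocalServer32]
@="C:\\Windows\\System32\\OpcEnum.exe"
[HKEY_CLASSES_ROOT\CLSID\{22222222-3333-4444-5555-666666666666}\InprocServer32]
@="C:\\Windows\\System32\\unrelated.dll"
"""
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(.*)\]$")
CAT_RE = re.compile(r"^\\Implemented Categories\\(\{[0-9A-Fa-f-]{36}\})$", re.IGNORECASE)

def parse_clsid_export(text):
    """Map each CLSID in a .reg dump to its name, implemented categories and server binary."""
    servers, clsid, sub = {}, None, ""
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            clsid, sub = m.group(1).upper(), m.group(2)
            entry = servers.setdefault(clsid, {"name": "", "categories": set(), "binary": None})
            if c := CAT_RE.match(sub):
                entry["categories"].add(c.group(1).upper())
        elif clsid and line.startswith('@="'):        # default value of the current key
            value = line[3:-1].replace("\\\\", "\\")   # un-escape .reg backslashes
            if sub == "":
                servers[clsid]["name"] = value
            elif sub.lower() == r"\localserver32":
                servers[clsid]["binary"] = value
    return servers

def find_opc_servers(text):
    """List CLSIDs that are OPC DA servers (by category) or the OPC Server Browser (by binary)."""
    findings = []
    for clsid, e in parse_clsid_export(text).items():
        versions = sorted(OPC_DA_CATEGORIES[c] for c in e["categories"] if c in OPC_DA_CATEGORIES)
        exe = e["binary"].rsplit("\\", 1)[-1].lower() if e["binary"] else ""
        if versions or exe == "opcenum.exe":          # assumption: browser identified by binary name
            findings.append({"clsid": clsid, "name": e["name"], "da_versions": versions,
                             "binary": e["binary"], "server_browser": exe == "opcenum.exe"})
    return findings
```

On a real host the same logic runs over the output of `reg export HKCR\CLSID`, and a CLSID with no OPC category and no OPC binary (the third entry in the sample) is left out of the inventory.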

We can (and did) use the same techniques to look for Windows applications associated with ICCP servers (such as Osill2d.exe, used by the Sisco OSI stack), in addition to sending valid ICCP protocol messages.

But back to OPC: given the difficulty of locking down OPC/DCOM servers, there is obviously a lot more that can be done with the potential issues in OPC and the APIs at our disposal within NASL.

Comments

Comment from Seidl Johannes
Time: November 24, 2006, 5:36 am

Hello Matt Franz,

I have read your blog for a long time. I’m very interested in the OPC plug-ins. Is it possible to get these plugins?
I’m also creating a test field for automation systems. At the moment I am testing an ABB AC800 F system because I know this system very well. Do you know Mr. Stefan Lüders? He wrote an article in “The Industrial Ethernet Book”, November 2006, Issue 35. He also tested different PLCs with NETWOX and also with NESSUS. A very interesting output was that 18% of the PLCs lost the communication completely. Nessus found serious vulnerabilities in the remaining 16% of the PLCs.
I’m testing the Nessus scan on the Operating and Engineering Stations. The very interesting, but for me normal, effect was that the systems are open. I attacked these systems (in my office only) with the freeware “Metasploit” and found some exploits that work on these systems. With some exploits I get admin rights.
Is it possible to get an account on digitalbond?
Johannes Seidl

Comment from Dale Peterson
Time: November 24, 2006, 10:32 am

The Nessus Plugins will be released in Tenable’s Direct Feed. We will have additional information and tips as part of our Subscriber Only content.

I do know Stefan, and he is also doing some good work on SCADA Honeynets. The results you mention are not surprising given the TCP/IP stacks the vendors are using.
