Understanding how SCADA systems work

How do SCADA systems work? How do hackers hack them and get access to a country's dangerous assets?

There is public malware available on GitHub that specifically targets SCADA systems. I'm not directly sure how they work, but I'm assuming that if you can get said malware to execute on a SCADA system, then the malware mentioned above will do all the hard work for you and provide you with a UI to control it.

Not what I was referring to, but similar: https://github.com/hslatman/awesome-industrial-control-system-security

But this requires a hacker to hack into a SCADA system prior to uploading malware onto the system. I want to know that way, as hacking SCADA is not an easy task.

Oh, that can be done in a multitude of ways; spear phishing would be the easiest way to go about it.

Any other method than phishing? What if the person doesn't fall for a phishing attack? I think a person handling a SCADA system would not fall for this.

Of course, if you have information on the system you can use public CVEs. But even the dop email leak a few years ago was because they got spear phished.


Shodan is the best way to find SCADA systems.
And sometimes they use default passwords like admin and admin.
So Shodan is the best choice.

I am using Shodan only to find SCADA systems. I tried default passwords but they seem to have been changed. I will now go for vulnerability assessment.

Hi, I am studying SCADA and ICS for my bachelor's degree. The best way to infiltrate or abuse one is by creating a testbed and playing around to get to know the different industrial protocols (MODBUS, OPC-UA ...) and how they work; then you can start vulnerability assessment.

You mean exploiting an existing protocol?

Sorry, but I didn't understand what you mean by your question.
To reiterate: what kind of SCADA are you willing to exploit (power grids, nuclear plants or transport systems ...)? What kind of protocols work in Ethernet and TCP/IP, such as Ethernet/IP, Ethernet POWERLINK, fieldbus protocols (e.g. HART, WirelessHART, EtherCAT, IO-Link), CANopen, PROFINET, Modbus/TCP or HART/IP? In addition to these, there are others designed for the management and control of all industrial equipment, such as the CIP, OPC UA, and MTConnect protocols, without forgetting existing open source alternatives such as Woopsa or REST-PCA.
In addition to this, what are the defence mechanics implemented: IDS, honeypots ...?
All these points that I explained briefly should be considered in your vulnerability assessment.

Power grids, and it's using the Modbus protocol. I need to do more recon for it. Can you suggest any script for automated tasks, if available?

Well, this is the issue I am finding with industrial protocols (especially OPC-UA: there aren't many scripts out there for it, you have to write your own), but for Modbus I think there is a script for nmap to use in recon (nmap --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' -p 502). I am not sure of the name of the script, you can look it up, but the rest is pretty obvious.
For exploitation you will need modpoll to do some command injections or DoS.
I advise you to use SamuraiSTFU (like Kali Linux, but it is a SCADA-oriented attack toolkit, and it contains several classic SCADA attack tools including ModScan).

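Since the thread settles on Modbus/TCP over port 502 and on nmap's modbus-discover probes, here is an added defender-side example (my own code, not from any poster or tool named above) that parses the Modbus/TCP MBAP header and flags two things a grid operator would want to see in network logs: device-identification probes (the Report Slave ID / Encapsulated Interface Transport function codes that discovery sweeps rely on) and write requests from hosts that are not the allow-listed HMI. The sample frames and IP addresses are constructed for the example.

```python
import struct

# Public Modbus function codes relevant to monitoring (subset of the spec).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    17: "Report Slave ID", 43: "Encapsulated Interface Transport",
}
WRITE_CODES = {5, 6, 15, 16}
ENUM_CODES = {17, 43}   # used by device-identification sweeps (e.g. nmap modbus-discover)


def parse_modbus_tcp(frame):
    """Parse the 7-byte MBAP header and the function code of one Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus (expected 0)" % proto)
    if length != len(frame) - 6:          # length counts unit id + PDU, not the first 6 bytes
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "pdu": frame[8:]}


def classify(src_ip, frame, allowed_writers):
    """Return an alert string for suspicious traffic, or None for expected polling."""
    msg = parse_modbus_tcp(frame)
    name = FUNCTION_NAMES.get(msg["fc"], "fc %d" % msg["fc"])
    if msg["fc"] in ENUM_CODES:
        return "device enumeration probe (%s) from %s" % (name, src_ip)
    if msg["fc"] in WRITE_CODES and src_ip not in allowed_writers:
        return "write (%s) to unit %d from non-allowlisted host %s" % (name, msg["unit"], src_ip)
    return None


def scan(samples, allowed_writers):
    """Run classify over (src_ip, frame) pairs and collect the alerts."""
    return [a for src, f in samples if (a := classify(src, f, allowed_writers))]


# Constructed sample frames (hex), not captured from any real system.
SAMPLES = [
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),   # HMI reads 10 holding registers
    ("10.0.0.99", bytes.fromhex("000200000006010600011234")),  # unknown host writes register 1
    ("10.0.0.99", bytes.fromhex("0003000000020111")),          # unknown host sends Report Slave ID
]

if __name__ == "__main__":
    for alert in scan(SAMPLES, allowed_writers={"10.0.0.5"}):
        print("ALERT:", alert)
```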

@Rootsec Hi, yes, ring0 already gave the Holy Grail of ICS + SCADA when he posted this.

Tons of fantastic information/tools/labs.


@cavaN @MoNsTeR This feels so "GRAND". I will surely have a look at it. Hope they accept my list of vulns when I give them :wink: