Going Deeper Into Schneider Modicon PAC Security

Hack In The Box Security Conference via YouTube

Overview

This course delves into the security aspects of Schneider Modicon PAC controllers, focusing on the private communication protocol and password protection mechanisms. Participants will learn about the security vulnerabilities in the UMAS protocol, how to develop fuzzing tools to discover zero-day vulnerabilities, and methods to bypass password protection to gain unauthorized access. The teaching method includes detailed demonstrations of attacks and defensive strategies. This course is designed for industrial control system security professionals and individuals interested in PLC and SCADA vulnerability exploitation and security enhancement.

Syllabus

Intro
About GEWU Lab
About Modicon PAC
Scenarios and Network PAC concept Top to bottom standard Ethernet network & Open architecture with direct Ethernet connection on backplane
Architecture & Functions
Enhanced cyber security: Cybersecure-ready
Attack surface of PAC
What we focus on: Weak private protocols are often the best way to breaking
Research setup
What is UMAS?
UMAS message format
UMAS function code
FUZZ UMAS Protocol
Select FUZZ samples
How to build FUZZ
UMAS FUZZ demo
Modicon PAC Application Password
How to bypass application passwor
How the password is stored: Reverse UnityEncrypter.dll, the password hash algorithm is SHA-256
Authorization algorithm analysis
Leaked password hash in traffic
UMAS security function code 0x38
0x38 integrity check
0x38 message format
Summary the Authentication Bypas
Replay attack bypassing authorizat
Ransomware attack targeting level 1
Ransomware attack for M580?
Bypass authorization to replace ap
0x29 function code RCE
0x29 RCE attack demo
How to protect

Taught by

Hack In The Box Security Conference
