Full Disclosure mailing list archives

Re: Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED
From: Benji <me () b3nji com>
Date: Sun, 17 Apr 2011 14:28:16 +0100

Interesting, as @reversemode on Twitter has pointed out

74.50.135.51 is the IP for the SCADA system as pointed out, and found by
SHODAN

http://www.shodanhq.com/?q=Ft.+Sumner+SCADA

Not the 160.x.x.x IP as indicated in the original email.

On Sun, Apr 17, 2011 at 12:41 PM, Benji <me () b3nji com> wrote:

so wait? Let me humor you..


SSH was running and publicly accessible so it was actually legal for me
to log in to <something>.gov, as if they didn't want me to connect it wouldn't
be a publicly accessible service?


On Sun, Apr 17, 2011 at 12:39 PM, Jeffrey Walton <noloader () gmail com> wrote:

so how long do you give yourself before you're in prison?
lol....

To play devil's advocate here: FPL placed those hosts on a public internet.
In addition, FPL also configured the hosts to advertise services. If FPL did
not want the services accessed, the company would have removed the hosts
from the public internet, shut down the services, or used leased [private]
lines. Where's the leap to a criminal offense?

Jeff

On Sun, Apr 17, 2011 at 6:29 AM, Benji <me () b3nji com> wrote:

so how long do you give yourself before you're in prison?

On Sat, Apr 16, 2011 at 4:22 PM, Bgr R <bgr_24423 () yahoo com> wrote:

Here comes my revenge for illegitimate firing from Florida Power & Light
Company (FPL)
   ... ain't nothing you can do with it, since your electricity is
turned off !!!

Secure your SCADA better! Leaked files are attached ...

1) http://img838.imageshack.us/i/49986845.png/
2) http://img718.imageshack.us/i/24380855.png/
3) http://img24.imageshack.us/i/58868342.png/
4) http://img228.imageshack.us/i/85258364.png/
5) http://img163.imageshack.us/i/90736853.png/
6) http://img217.imageshack.us/i/55439027.png/
7) http://img40.imageshack.us/i/87526089.png/
8) http://img864.imageshack.us/i/94061747.png/
------------------------------------------------------------

161.154.232.65

HTTP/1.0 401 Unauthorized
Date: Sat, 05 Feb 2011 23:43:13 GMT
Server: VTS 9.0.05
Content-Type: text/html
Content-Length: 622
Cache-Control: no-cache
WWW-Authenticate: Basic realm="Ft. Sumner SCADA"
Cache-control: no-cache="set-cookie"
Cache-control: private
Set-Cookie: VTS=9.0005;Version=1;Path=/
Set-Cookie: SessionID=0;Version=1;Path=/Ft. Sumner SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c3576a
Set-Cookie: SessionID=0;Version=1;Path=/Ft%2e%20Sumner%20SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c..

NetRange:       161.154.0.0 - 161.154.255.255
CIDR:           161.154.0.0/16
OriginAS:
NetName:        FPL2
NetHandle:      NET-161-154-0-0-1
Parent:         NET-161-0-0-0-0
NetType:        Direct Assignment
RegDate:        1992-12-17
Updated:        2008-10-10
Ref:            http://whois.arin.net/rest/net/NET-161-154-0-0-1

OrgName:        Florida Power & Light Company
OrgId:          FFPL-1
Address:        700 Universe Blvd
Address:        P.O. Box 14000
City:           Juno Beach
StateProv:      FL
PostalCode:     33408-0420
Country:        US
RegDate:        1997-06-03
Updated:        2007-06-29
Ref:            http://whois.arin.net/rest/org/FFPL-1

OrgAbuseHandle: INFOR40-ARIN
OrgAbuseName:   Information Security
OrgAbusePhone:  +1-305-552-3727
OrgAbuseEmail:  information_security () fpl com
OrgAbuseRef:    http://whois.arin.net/rest/poc/INFOR40-ARIN

OrgTechHandle: DHE37-ARIN
OrgTechName:   Hertzog, Dean
OrgTechPhone:  +1-305-552-4080
OrgTechEmail:  FPLNOC () fpl com
OrgTechRef:    http://whois.arin.net/rest/poc/DHE37-ARIN

OrgNOCHandle: DHE37-ARIN
OrgNOCName:   Hertzog, Dean
OrgNOCPhone:  +1-305-552-4080
OrgNOCEmail:  FPLNOC () fpl com
OrgNOCRef:    http://whois.arin.net/rest/poc/DHE37-ARIN


-------------------------------------------------------------------------------
Configuration file from the central Cisco Router and Security Device
Manager: 161.154.232.2 (FPL - FFPL-1)

Building configuration...

Current configuration : 8467 bytes
!
! Last configuration change at 18:01:57 UTC Mon Oct 25 2010 by ro5810
! NVRAM config last updated at 18:01:59 UTC Mon Oct 25 2010 by ro5810
!
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname cpr622i00bct
!
logging buffered 65000 debugging
logging rate-limit all 10 except critical
enable secret 5 $1$7uN5$Ok9fYku/HC/KNqWQkHoWP.
!
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
ip subnet-zero
no ip source-route
ip routing
!
no ip domain-lookup
ip host cs00noc 172.16.0.132
ip host cs01noc 172.16.0.133
ip host cs00noc-pub 209.215.34.12
ip host cs01noc-pub 209.215.34.11
ip name-server 205.152.132.23
ip name-server 205.152.144.23
vtp domain Core
vtp mode transparent
!
mls qos
no mpls traffic-eng auto-bw timers frequency 0
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
vlan internal allocation policy ascending
!
vlan 1578
 name FPL
!
policy-map SHAPER1
  class class-default
   shape average 250000000
!
!
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/1/1
 switchport trunk allowed vlan 1578
 switchport mode trunk
 switchport nonegotiate
 ip access-group 112 in
 service-policy output SHAPER1
 load-interval 30
 speed nonegotiate
!
interface GigabitEthernet1/1/2
 no switchport
 ip address 161.154.232.2 255.255.255.0
 ip access-group 115 in
 load-interval 30
 keepalive 10
 speed nonegotiate
 mls qos trust dscp
 no cdp enable
 no clns route-cache
 hold-queue 100 in
 hold-queue 100 out
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan1578
 ip address 65.14.117.30 255.255.255.252
 load-interval 30
 no clns route-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 65.14.117.29
ip route 155.109.5.0 255.255.255.0 161.154.232.1
ip route 155.109.19.0 255.255.255.0 161.154.232.1
ip route 155.109.29.0 255.255.255.0 161.154.232.1
ip route 155.109.29.204 255.255.255.255 65.14.117.29
ip route 155.109.29.214 255.255.255.255 65.14.117.29
ip route 155.109.66.0 255.255.255.0 161.154.232.1
ip route 155.109.88.0 255.255.255.0 161.154.232.1
ip route 155.109.95.0 255.255.255.0 161.154.232.1
ip route 161.154.0.0 255.255.0.0 161.154.232.1
ip route 170.55.0.0 255.255.0.0 161.154.232.1
ip route 204.238.236.0 255.255.255.0 161.154.232.1
no ip http server
ip http secure-server
!
!
!
access-list 98 permit 205.152.144.226
access-list 98 permit 205.152.132.250
access-list 98 permit 205.152.132.226
access-list 98 permit 205.152.144.250
access-list 98 permit 205.152.144.165
access-list 98 permit 205.152.37.19
access-list 98 permit 205.152.37.20
access-list 98 permit 205.152.144.163
access-list 98 permit 205.152.37.26
access-list 98 permit 205.152.37.27
access-list 98 permit 205.152.132.163
access-list 98 permit 205.152.132.165
access-list 98 permit 205.152.37.250
access-list 98 permit 205.152.37.226
access-list 98 permit 205.152.132.27
access-list 98 permit 205.152.132.26
access-list 98 permit 205.152.144.20
access-list 98 permit 205.152.37.163
access-list 98 permit 205.152.37.165
access-list 98 permit 205.152.144.19
access-list 98 permit 205.152.144.27
access-list 98 permit 205.152.144.26
access-list 98 permit 139.76.53.0 0.0.0.255
access-list 98 permit 139.76.68.0 0.0.3.255
access-list 98 permit 139.76.88.0 0.0.1.255
access-list 98 permit 139.76.228.0 0.0.3.255
access-list 98 permit 139.76.240.0 0.0.1.255
access-list 98 permit 172.16.0.0 0.0.1.255
access-list 98 permit 205.152.6.0 0.0.0.255
access-list 98 permit 205.152.66.0 0.0.0.255
access-list 98 permit 205.152.204.0 0.0.0.255
access-list 99 permit 68.153.6.0 0.0.1.255
access-list 99 permit 172.16.0.0 0.0.1.255
access-list 99 permit 139.76.53.0 0.0.0.255
access-list 99 permit 139.76.68.0 0.0.3.255
access-list 99 permit 139.76.88.0 0.0.1.255
access-list 99 permit 139.76.228.0 0.0.3.255
access-list 99 permit 139.76.240.0 0.0.1.255
access-list 99 permit 205.152.6.0 0.0.0.255
access-list 111 permit ip 65.14.117.28 0.0.0.3 any
access-list 111 permit ip 74.175.105.64 0.0.0.31 any
access-list 111 permit ip 205.152.17.0 0.0.0.255 any
access-list 111 permit ip 155.109.0.0 0.0.255.255 any
access-list 111 permit ip 161.154.0.0 0.0.255.255 any
access-list 111 permit ip 205.152.161.0 0.0.0.255 any
access-list 111 permit ip 204.238.236.0 0.0.0.255 any
access-list 111 permit ip 170.55.0.0 0.0.255.255 any
access-list 112 deny   ip 204.0.0.0 0.0.255.255 any
access-list 112 deny   ip 204.1.0.0 0.0.255.255 any
access-list 112 deny   ip 204.3.0.0 0.0.255.255 any
access-list 112 deny   ip 69.22.0.0 0.0.192.255 any
access-list 112 permit ip any any
access-list 115 deny   53 any any
access-list 115 deny   55 any any
access-list 115 deny   77 any any
access-list 115 deny   pim any any
access-list 115 permit ip any any
no cdp run
snmp-server community Ty#Qr53b RO 98
snmp-server community R5t3bF5c RW 98
tacacs-server host 172.16.0.132
tacacs-server host 209.215.34.12
tacacs-server host 172.16.0.133
tacacs-server host 209.215.34.11
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key 7 010703174F
!
radius-server source-ports 1645-1646
!
control-plane
!
banner motd ^CC
######################################################################
#                                                                    #
#                    ***PRIVATE/PROPRIETARY***                       #
#                                                                    #
#       ANY UNAUTHORIZED ACCESS TO, OR MISUSE OF BELLSOUTH           #
#       SYSTEMS OR DATA MAY RESULT IN CIVIL AND/OR CRIMINAL          #
#       PROSECUTION, EMPLOYEE DISCIPLINE UP TO AND INCLUDING         #
#       DISCHARGE, OR THE TERMINATION OF VENDOR/SERVICE CONTRACTS.   #
#                                                                    #
#       BELLSOUTH MAY PERIODICALLY MONITOR AND/OR AUDIT SYSTEM       #
#       ACCESS/USAGE.                                                #
#                                                                    #
#                                                                    #
######################################################################
#                                                                    #
#             <VERSION TEMPLATE DATE () TIME>                           #
######################################################################
^C
privilege exec level 1 traceroute
privilege exec level 1 ping
privilege exec level 1 terminal monitor
privilege exec level 1 terminal
privilege exec level 1 show line
privilege exec level 1 show snmp
privilege exec level 1 show arp
privilege exec level 1 show accounting
privilege exec level 1 show service-module
privilege exec level 1 show version
privilege exec level 1 show reload
privilege exec level 1 show debugging
privilege exec level 1 show controllers
privilege exec level 1 show users
privilege exec level 1 show sessions
privilege exec level 1 show access-lists
privilege exec level 1 show privilege
privilege exec level 1 show interfaces
privilege exec level 1 show startup-config
privilege exec level 1 show
privilege exec level 1 clear line
privilege exec level 1 clear counters
privilege exec level 1 clear
!
line con 0
 exec-timeout 5 30
 password 7 070C285F4D06
line vty 0 4
 access-class 99 in
 exec-timeout 30 0
 password 7 03075218050061
line vty 5 15
 access-class 99 in
 exec-timeout 30 0
 password 7 03075218050061
!
end

----------------------------------------------------
Fort Sumner wind turbines:
http://www.flickr.com/photos/30325073 () N02/4113855086/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


