Welcome back, my aspiring cyber warriors!
Previously, I wrote a tutorial on using Shodan--the world's most dangerous search engine--to find unprotected web cams. As you know, Shodan simply scans the world's IP addresses and pulls the banner and then indexes those banners. We can then search through Shodan for the parameters revealed in those banners to find IP addresses of a particular type of device.
In this tutorial, we will be looking for SCADA devices. SCADA or Supervisory Control and Data Acquisition are systems that are used for such things as electrical transmission systems, nuclear power plants, chemical plants, water treatment plants, HVAC systems, home heating, etc. All of these systems have digital controls which are all vulnerable to attack. SCADA systems are a huge concern for national defense agencies as a nation that has its SCADA systems disabled or compromised would likely have a hard time waging a successful war. This is why organizations such as the U.S. Homeland Security are SO concerned about SCADA security. Most cyber war experts expect that all future wars will have a SCADA cyber attack element.
Just this year, the security researchers at Fire Eye found a piece of malware that specifically targets these Industrial Control Systems (ICS). That named it Irongate. It has many features similar to the infamous Stuxnet that NSA sent against the Iranian uranium-enrichment facility.
SCADA Communication Protocols
There are multiple communication protocols used in SCADA or Industrial Control Systems (ICS). Unlike Ethernet or Internet Protocols (IP), the industrial control industry uses multiple protocols, often unique to the manufacturer of the programmable logic controllers (PLC). Although there are many protocols, some of the more popular communication protocols within these systems are;
modbus port 502
dnp port 19999
dnp3 port 20000
fieldbus port 1089-91
ethernet/IP port 2222
etherCAT port 34980
profinet port 34962-64
Knowing the ports these systems operate on, may help us identify these vulnerable SCADA systems.
Although we will look at other protocols in future tutorials, here we will focus upon finding modbus enabled SCADA systems that are Internet-facing. Modbus is one of the most common protocols in ICS and SCADA systems. Since we know that modbus uses port 502, this should not be hard to find.
Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). Modbus has become a de facto standard communication protocol in SCADA/ICS systems. Modbus has become the standard because it was;
developed with industrial applications in mind
openly published and royalty-free
easy to deploy and maintain
moves raw bits or words without placing many restrictions on vendors
Modbus enables communication among many devices connected to the same network, for example a system that measures temperature and humidity and communicates the results to a computer. Modbus is often used to connect a supervisory computer with a remote terminal unit (RTU) in supervisory control and data acquisition (SCADA) systems. Many of the data types are named from its use in driving relays: a single-bit physical output is called a coil, and a single-bit physical input is called a discrete input or a contact.
Without going to additional technical details of the modbus protocol, it will suffice to say that many SCADA systems still use this popular protocol.
Shodan enables us to search the banners and the information or parameters they reveal. Since we know that modbus runs over port 502, we could simply search Shodan for any IP's that have that port open to the Internet. If they do, they likely are running modbus and are part of some company's SCADA infrastructure.
Let's open Shodan and search for IP's with port 502 open. In the Shodan search window, type;
Note that in Shodan, we first type the parameter we are searching for (port), followed by the colon (:) and finally the value (502). When we do so, we find over 13,000 results! Although there is no guarantee that all these IP's are running modbus, it is likely most are, as port 502 is not a popular port.
We can see the first page of results from our Shodan search below.
Note the very first result has an IP address 126.96.36.199. Beneath the IP we can see that it is based in France and is connected through the Orange (formerly France Telecom) telecommunication system. When we click on the IP, it takes us directly to the admin interface of this device using modbus.
With a little Internet research, we can that this PLC is manufactured by SAIA-Burgess, a Swiss-based company. They primarily manufacture field programmable PLC's for the heating and cooling markets.
When we click on the login, we come to a PCD Web-Server Login. If we can login in here, we will have access to the controls of this PLC and control the temperature and energy efficiency of this facility. Although the consequences of such a breach might seem minor, Elliot Alderson (the main character in the Mr. Robot TV series) and f/society would have loved this access when they were trying to render useless E Corp's backup tapes at the Steel Mountain facility.
After several attempted logins, I continued to receive this login page, indicating that there is no lockout of this page, making it susceptible to brute force attempts on its password.
In addition, since we know that this device is using port 502 for modbus communication, it is likely susceptible to modbus spoofing and/or DoS attack on that port (look for coming tutorials on both of those attacks on SCADA systems).
This is a good example of how SCADA systems can be identified by Shodan. Often their defenses are weak and limited and simple attacks such as brute force password cracking and DoS attacks are easily executed against them. Although this system was simple and relatively inconsequential, I have identified the GUI admin interface of nuclear power plants and hydroelectric plants via Shodan. These security engineers had better get up to speed before they become the victims of the next cyber attack.
You should be able to find other SCADA devices by searching for ports 19999, 20000, 1089-1091, 2222, 34980, and 34962-34964.
Finding SCADA Systems by PLC Name
Sometimes, you can find SCADA systems by the manufacturer or PLC name and version number number. Remember, with Shodan we are looking for the content of the systems web banner. In most cases, these systems display and banner detailing the manufacturer name, the PLC and the version. let's look at one example.
Schneider Electric of Paris , France, is now the parent of the company that first developed the modbus protocol, Modicon. They produce a wide variety of ICS systems most of which use the modbus protocol.
Let's begin looking for those systems by simply entering the company name "Schneider Electric" into Shodan's search engine enclosed in double quotes. This should find all the systems that have that name in their banner.
As you can see, Shodan identified almost 3000 systems around the world with the name "Schneider Electric" in their banner. This strongly implies, of course, that the system is among the family of Schneider Electric products.
We may want to be even more specific. Schneider Electric builds an automated building system they call SAS or Schneider Automated Server. It is used to automate the heating, colling and security of high-tech buildings. If we include that additional term into our Shodan search, we should get a subset of our original search
A you can see above, our search has been narrowed to just 176 IP addresses on the planet.
In a following article, I'll introduce to some Google dorks to find other SCADA and ICS devices, so keep coming back my rookie hackers!