Welcome back, my tenderfoot hackers!
Google Hacking and Dorks
As most of you know, Google crawls the globe and stores and indexes the information it finds on nearly every web site and page. Saying this involves a lot of information is an significant understatement. Few people, though, understand that Google has a proprietary language to extract that information beyond looking for keywords.
For a full explanation of Google hacking, please read my article on Google hacking here.
This capability of searching through all the pages that Google has indexed is a great convenience, but with a little knowledge of Google's keywords, you can find more information than you ever imagined.
Developing Google Dorks for SCADA
In this article, we will use this knowledge to find SCADA systems with web interfaces. There is no single Google dork that will reveal each and every SCADA interface, instead we need to know a bit about the manufacturer and the products being used. Each company creates their own embedded systems to do things such as manage water systems, manufacturing systems, heating and cooling systems, chemical process systems, nuclear power plants, etc. They share common protocols and procedures, but in general, they are unique.
Some of the major manufacturers in this industry are;
Seimens
Rockwell Automation
Schneider Electric
General Electric
and many more.
In addition, each of these companies makes multiple products. To find these products being used in the SCADA industry with Google, we will need to develop separate Google dorks for each.
Here is a short list of some Google dorks by company and specific product.
Using The Google Dorks
Now that we have a few sample Google dorks to find specific SCADA systems, let's try some out and see what we can find. Let's start with the first one on the list, the dork for the Siemens S7 series of PLC controllers.These are almost the exactly same controllers that were the target of the infamous Stuxnet attack against the Iranian uranium-enrichment facility in 2010, probably THE most sophisticated SCADA attack at the time and a milestone in cyber war fare.
The Google dork for that controller is:
inurl:/Portal/Portal.mwsl
When we use it in a Google search, we get the results displayed below.
If we click on the first result above (Station S7-1200_1), it opens web portal as seen below.
This appears to be an admin portal to this Siemens S7 PLC controller somewhere on Earth. If we put the IP address into Shodan, we can see that it is located at Champ-is-Luc in France.
When we click on the identification tab to the left, the PLC identifies itself as a Station S7-1200_1/PLC_1. It addition, it gives us its serial number and version of the firmware.
Finally, if we click on the Communications tab to the left, this portal gives us its MAC address (useful for spoofing), IP address, netmask, default router and physical properties all without logging in!
SCADA system security is still in its infancy, relying primarily on security by obscurity. These simple Google dorks though, can change those systems from obscure to easy visible to anyone on the planet. Even a hacker with rudimentary skills can now find these systems and if they have malicious intent, access these control systems and wreak havoc.
Keep coming back my tenderfoot hackers as we explore the scary world of SCADA and the most valuable skills of the 21st century--hacking!