ICS
🦾 ICS/SCADA Enumeration Techniques for Effective Scanning, Network Reconnaissance, and Tactical Host Probing:
General Enumeration:
Siemens S7
Enumerates Siemens S7 PLC devices and collects their device information. This script is based on PLCScan, developed by Positive Research and Scadastrangelove (https://code.google.com/p/plcscan/), and is meant to provide the same functionality as PLCScan inside Nmap. Some of the information collected by PLCScan was not ported over; it can still be parsed out of the packets that are received.
Usage:
Output:
For scalable scanning and reconnaissance, use masscan for faster enumeration:
Stopping S7 CPUs with Python:
Modbus Scanning
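The Modbus/TCP enumeration that matters most for fingerprinting is the Read Device Identification request (function 0x2B, MEI type 0x0E), which returns vendor name, product code and revision without any authentication. The following is an added example, not code from the original page and not the nmap modbus-discover script: it frames the request, parses the response (including the exception response a non-compliant device sends back), and walks the "more follows" pages a device may split the object list across. SAMPLE_RESPONSE and SAMPLE_EXCEPTION are constructed frames, not captures from a real device; the live `query_device_id` assumes a standard Modbus/TCP endpoint on TCP/502.

```python
"""Modbus/TCP Read Device Identification (function 0x2B, MEI type 0x0E) enumeration.

Added example, not code from the original page and not the nmap modbus-discover
script. Assumes a standard Modbus/TCP endpoint on TCP/502; SAMPLE_RESPONSE and
SAMPLE_EXCEPTION are constructed frames, not captures from a real device.
"""
import socket
import struct

MODBUS_PORT = 502
FUNC_ENCAP_IFACE = 0x2B          # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E        # MEI type: Read Device Identification
READ_DEVICE_ID_BASIC = 0x01      # basic stream: VendorName, ProductCode, MajorMinorRevision

OBJECT_NAMES = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_read_device_id(unit_id=1, transaction_id=1,
                         read_code=READ_DEVICE_ID_BASIC, object_id=0x00):
    """Return an MBAP-framed Read Device Identification request."""
    pdu = struct.pack(">BBBB", FUNC_ENCAP_IFACE, MEI_READ_DEVICE_ID, read_code, object_id)
    # MBAP header: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_device_id(frame):
    """Parse an MBAP-framed response into a dict. Raises ValueError on malformed
    frames and on Modbus exception responses (function code with bit 0x80 set)."""
    if len(frame) < 7:
        raise ValueError("short MBAP header")
    _tid, _pid, length, unit_id = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if not pdu:
        raise ValueError("empty PDU")
    func = pdu[0]
    if func & 0x80:
        code = pdu[1] if len(pdu) > 1 else None
        raise ValueError(f"Modbus exception {code!r} for function 0x{func & 0x7F:02x}")
    if len(pdu) < 7 or func != FUNC_ENCAP_IFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # pdu[2] echoes the read code; then conformity level, more-follows, next object id, object count
    conformity, more_follows, next_object, count = pdu[3], pdu[4], pdu[5], pdu[6]
    objects = {}
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        objects[OBJECT_NAMES.get(obj_id, f"Object{obj_id:#04x}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"unit_id": unit_id, "conformity": conformity,
            "more_follows": more_follows, "next_object": next_object,
            "objects": objects}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-frame")
        buf += chunk
    return buf


def query_device_id(host, port=MODBUS_PORT, unit_id=1, timeout=3.0):
    """Live query against a target. Follows 'more follows' pages so devices that
    split the basic stream across responses are still read completely."""
    objects, next_object, transaction_id = {}, 0x00, 1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            sock.sendall(build_read_device_id(unit_id, transaction_id, object_id=next_object))
            header = _recv_exact(sock, 7)
            length = struct.unpack(">H", header[4:6])[0]
            info = parse_read_device_id(header + _recv_exact(sock, length - 1))
            objects.update(info["objects"])
            if not info["more_follows"]:
                info["objects"] = objects
                return info
            next_object = info["next_object"]
            transaction_id += 1


# Constructed sample frames (unit 1): a basic-stream response carrying three
# objects, and an "illegal function" exception as a non-compliant device answers.
def _sample_response():
    body = (bytes([FUNC_ENCAP_IFACE, MEI_READ_DEVICE_ID, READ_DEVICE_ID_BASIC, 0x01, 0x00, 0x00, 0x03])
            + bytes([0x00, 15]) + b"ACME Automation"
            + bytes([0x01, 6]) + b"MB-100"
            + bytes([0x02, 4]) + b"v1.2")
    return struct.pack(">HHHB", 1, 0, len(body) + 1, 1) + body


SAMPLE_RESPONSE = _sample_response()
SAMPLE_EXCEPTION = struct.pack(">HHHB", 1, 0, 3, 1) + bytes([FUNC_ENCAP_IFACE | 0x80, 0x01])

if __name__ == "__main__":
    print(parse_read_device_id(SAMPLE_RESPONSE))
```

Many gateways answer only on a specific unit id, so when a target returns an exception for unit 1, loop `unit_id` over a small range before concluding the device does not implement 0x2B; the exception code (0x01 illegal function versus 0x0B gateway target failed to respond) tells you which case you are in.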
BACnet
EtherNet/IP (ENIP)
nmap -Pn -sU -p44818 --script enip-info <target>
Niagara Fox
nmap -Pn -sT -p1911,4911 --script fox-info <target>
Omron
nmap -Pn -sU -p9600 --script omron-info <target>
PCWorx Devices
PCWorx devices allow unauthenticated requests that query for system information.
nmap -Pn -sT -p1962 --script pcworx-info <target>
Shodan.io Queries
PLCs
Shodan one-liner for enumerating Siemens PLCs, SCADA software, and HMI web pages
HMI Screenshots
Siemens S7-1200 PLC
Siemens APOGEE Building Systems
Siemens Desigo CC Building System Workstations
Omron CJ2 PLCs
Schneider Electric PLCs
Schneider Electric PowerLogic Series 800 Power Meter
Schweitzer Engineering Laboratories Power Quality and Revenue Meter
Maritime
Subsea Mission Control Panels
K4 Edge Routers and Maritime VSAT
KVH Commbox Terminals
Cobham Sailor VSAT
Pepwave Cellular Routers
Miscellaneous
Nordex Wind Turbine Farms
DICOM Medical X-Ray Machines
TeamViewer
Yealink T49G VOIP Phones
Search for devices vulnerable to CVE-2022-22954:
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
Exposed DICOM Servers
Count patient names on exposed, unauthenticated DICOM medical servers in the US
Zyxel Firewall Unauthenticated Remote Command Injection
Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device.
SDT-CW3B1 1.1.0 - OS Command Injection (CVE-2021-46422)
Setting Up Shodan for Target Monitoring
Determine your home IP or target of interest's IP address
Create network alert
Confirm that alert is generated
Turn on notifications
ICS Common File Extensions
Python script to search for common ICS file extensions
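As an added example (not the page's own script), the following walks a directory tree, or any list of paths, and flags files whose extensions belong to common ICS engineering-project formats, which is what a search like this is for on a file share or a recovered workstation image. The extension table is my own compilation of vendor project formats; the two entries flagged ambiguous (`.pro`, `.project`) are also used by non-ICS software and should be triaged, not trusted.

```python
"""Search a directory tree for files with ICS/SCADA engineering-project extensions.

Added example, not the page's own script. The extension table is my own
compilation of vendor project formats; entries flagged ambiguous are also
used by non-ICS software.
"""
import os

# extension -> (description, ambiguous with non-ICS software)
ICS_EXTENSIONS = {
    ".s7p": ("Siemens SIMATIC STEP 7 project", False),
    ".mcp": ("Siemens WinCC project", False),
    ".rss": ("Rockwell RSLogix 500 project", False),
    ".acd": ("Rockwell RSLogix/Studio 5000 project", False),
    ".l5k": ("Rockwell Logix text export", False),
    ".l5x": ("Rockwell Logix XML export", False),
    ".mer": ("Rockwell FactoryTalk View ME runtime", False),
    ".apa": ("Rockwell FactoryTalk View application archive", False),
    ".stu": ("Schneider Unity Pro / Control Expert project", False),
    ".sta": ("Schneider Unity Pro / Control Expert archive", False),
    ".xef": ("Schneider Unity Pro export", False),
    ".cxp": ("Omron CX-Programmer project", False),
    ".gxw": ("Mitsubishi GX Works2 project", False),
    ".aapkg": ("AVEVA/Wonderware ArchestrA package", False),
    ".pro": ("CODESYS v2 project (also used by non-ICS tools)", True),
    ".project": ("CODESYS v3 project (also used by IDEs)", True),
}
# Siemens TIA Portal projects and archives carry the major version in the extension.
for _v in range(11, 21):
    ICS_EXTENSIONS[f".ap{_v}"] = (f"Siemens TIA Portal V{_v} project", False)
    ICS_EXTENSIONS[f".zap{_v}"] = (f"Siemens TIA Portal V{_v} project archive", False)


def classify_paths(paths):
    """Return a hit record for every path whose extension is in the table.
    Matching is case-insensitive because Windows shares mix case freely."""
    hits = []
    for path in paths:
        ext = os.path.splitext(path)[1].lower()
        if ext in ICS_EXTENSIONS:
            description, ambiguous = ICS_EXTENSIONS[ext]
            hits.append({"path": path, "extension": ext,
                         "description": description, "ambiguous": ambiguous})
    return hits


def scan_tree(root):
    """Walk root recursively and classify every regular file found."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return classify_paths(paths)


def summarize(hits):
    """Count hits per description so a large share can be triaged quickly."""
    counts = {}
    for h in hits:
        counts[h["description"]] = counts.get(h["description"], 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in found:
        flag = " (ambiguous)" if hit["ambiguous"] else ""
        print(f'{hit["path"]}: {hit["description"]}{flag}')
    print(summarize(found))
```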
Automated Tank Gauge (ATG) Remote Configuration Disclosure:
In 2015, HD Moore, the creator of Metasploit, published an article disclosing over 5,800 gas station Automated Tank Gauges (ATGs) that were publicly accessible. Besides monitoring for leaks, these systems gauge fluid levels and tank temperature, and can alert operators when tank volumes are too high or have reached a critical low. ATGs are used by nearly every fueling station in the United States and by tens of thousands of systems internationally. They are most commonly manufactured by Veeder-Root, a supplier of fuel dispensers, payment systems, and forecourt merchandising. For remote monitoring of these fuel systems, operators commonly expose the ATG serial interface on an internet-facing TCP port (generally TCP 10001). This script reads the Get In-Tank Inventory Report from TCP/10001 as a proof of concept to demonstrate the arbitrary access.
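The exchange described above, as an added example that is not the page's script: it sends the In-Tank Inventory Report request to TCP/10001 and parses the tank rows of the reply into structured records, then derives a fill percentage per tank. Assumptions: the gauge speaks the Veeder-Root TLS-350 serial command set over the TCP bridge (a command is SOH 0x01 followed by the function code `I20100`, and the reply is terminated by ETX 0x03); `SAMPLE_REPORT` is constructed in that report layout and is not a capture from a real site.

```python
"""Request and parse an ATG 'In-Tank Inventory Report' (TLS-350 function I20100).

Added example, not the page's own script. Assumes the TLS-350 serial command
set over TCP/10001: command = SOH (0x01) + function code, reply ends with
ETX (0x03). SAMPLE_REPORT is constructed sample data in that layout.
"""
import re
import socket

ATG_PORT = 10001
SOH, ETX = b"\x01", b"\x03"
IN_TANK_INVENTORY = b"I20100"

# Constructed sample in the TLS-350 report layout (not captured from a real site).
SAMPLE_REPORT = (
    "\x01I20100\n"
    "JAN 30, 2015  1:35 PM\n\n"
    "EXAMPLE FUEL STOP\n"
    "123 MAIN ST\n\n"
    "IN-TANK INVENTORY\n\n"
    "TANK PRODUCT             VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP\n"
    "  1  REGULAR               4932       4902     7068    35.33     0.00    60.96\n"
    "  2  SUPER UNLEADED        2715       2700     9285    22.10     0.00    61.20\n"
    "  3  DIESEL                6010       5985     3990    41.05     0.25    59.80\n"
    "\x03"
)

# Tank number, product name (may contain spaces), three integer gallon columns,
# then height, water and temperature as decimals. The station address block and
# the column header never start with a bare tank number, so they do not match.
TANK_LINE = re.compile(
    r"^\s*(?P<tank>\d+)\s+(?P<product>.+?)\s+(?P<volume>\d+)\s+(?P<tc_volume>\d+)"
    r"\s+(?P<ullage>\d+)\s+(?P<height>[\d.]+)\s+(?P<water>[\d.]+)\s+(?P<temp>-?[\d.]+)\s*$"
)


def parse_inventory_report(text):
    """Return one dict per tank row of an I20100 report."""
    tanks = []
    for line in text.strip("\x01\x03\r\n ").splitlines():
        m = TANK_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        tanks.append({
            "tank": int(d["tank"]),
            "product": d["product"].strip(),
            "volume": int(d["volume"]),
            "tc_volume": int(d["tc_volume"]),
            "ullage": int(d["ullage"]),
            "height": float(d["height"]),
            "water": float(d["water"]),
            "temp": float(d["temp"]),
        })
    return tanks


def fill_percent(tank):
    """Percent of capacity in use, taking capacity as volume + ullage."""
    capacity = tank["volume"] + tank["ullage"]
    return round(100.0 * tank["volume"] / capacity, 1) if capacity else 0.0


def fetch_inventory_report(host, port=ATG_PORT, timeout=5.0):
    """Live use: send SOH + I20100 and read until ETX, a closed socket, or timeout."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SOH + IN_TANK_INVENTORY)
        try:
            while ETX not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # return whatever arrived; the parser tolerates a missing ETX
    return buf.decode("ascii", "replace")


if __name__ == "__main__":
    for t in parse_inventory_report(SAMPLE_REPORT):
        print(f'Tank {t["tank"]} {t["product"]}: {fill_percent(t)}% full, water {t["water"]}')
```

The water column is worth keeping in the output: a non-zero reading on a tank that otherwise looks normal is the kind of detail that distinguishes a real gauge from a honeypot replaying a fixed report.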
Video PoC:
https://www.youtube.com/watch?v=HkO4cs95erU&t=818s