Reconnaissance
Supervisory Control and Data Acquisition (SCADA) is a system for remote monitoring and control of industrial processes. Industrial Control Systems (ICS) refer to various types of control systems used in industrial settings, including SCADA systems. They are used to automate and optimize industrial processes.
There are many communication protocols in use in SCADA and Industrial Control System (ICS) environments. Where corporate IT networks converge on Ethernet and IP, the industrial control industry uses a large number of protocols, some of them unique to the manufacturer of the programmable logic controller (PLC). Of the many that exist, some of the more common ones, and the ports they typically listen on, are:
Protocol | Ports |
--- | --- |
BACnet/IP | UDP/47808 |
DNP3 | TCP/20000, UDP/20000 |
EtherCAT | UDP/34980 |
EtherNet/IP | TCP/44818, UDP/2222, UDP/44818 |
FL-net | UDP/55000 to 55003 |
Foundation Fieldbus HSE | TCP/1089 to 1091, UDP/1089 to 1091 |
ICCP | TCP/102 |
Modbus TCP | TCP/502 |
OPC UA Binary | Vendor Application Specific |
OPC UA Discovery Server | TCP/4840 |
OPC UA XML | TCP/80, TCP/443 |
PROFINET | TCP/34962 to 34964, UDP/34962 to 34964 |
ROC Plus | TCP/4000, UDP/4000 |

An open port is a hint, not proof that the protocol is in use: confirm with a protocol-aware probe (for example the nmap scripts in section 4) before drawing conclusions. Note also that TCP/102 is shared by ICCP and the Siemens S7comm protocol, so a hit on that port needs a follow-up probe to tell the two apart.
1. Google Hacking
Some of the major manufacturers in this industry are Siemens, Rockwell Automation, Schneider Electric, General Electric, and many more.
Here is a short list of search strings by vendor and product. Most are used as Google dorks (usually with the inurl: or intitle: operator), but many of them are server banners or page titles that work equally well as Shodan or Censys queries:
Vendor | Product | Product Version | Search string (Google dork, typically inurl: or intitle:) |
--- | --- | --- | --- |
ABB | RTU500 | RTU560 | ABB RTU560 |
ABB | Generic | Generic | ABB Webmodule |
AKCP | Generic | Generic | AKCP Embedded Web Server |
Adcon Telemetry | A850 Telemetry Gateway | Generic | A850 Telemetry Gateway |
Adcon Telemetry | addUPI-OPC Server | Generic | addUP Server |
Adcon Telemetry | Generic | Generic | title:adcon |
Allen-Bradley | Generic | Generic | Allen-Bradley |
Allen-Bradley | Generic | Generic | Series C Revision |
Beck IPC | IPC@CHIP | Generic | IPC@CHIP |
BroadWeb | Generic | Generic | BroadWeb |
Schneider Electric | Modicon Quantum | Generic | Quantum BACnet |
Cimetrics | Eplus B/IP to B/WS Gateway Firewall | Generic | Cimetrics Eplus Web Server |
Clorius Controls | Generic | Generic | ISC SCADA Service HTTPserv:00001 |
Codesys | WebVisu | Generic | Webvisu |
Delta Controls | enteliTOUCH | Generic | DELTA enteliTOUCH |
Echelon | i.LON 600 | Generic | i.LON |
Electro Industries GaugeTech | Generic | Shark 200/200T | MicroRTU |
Electro Industries GaugeTech | Generic | Generic | EIG Embedded Web Server |
Elster EnergyICT | Generic | Generic | EnergyICT |
Elster EnergyICT | RTU | Generic | EnergyICT RTU |
Elster EnergyICT | eiPortal | Generic | eiPortal |
Fujitsu | ServerView | Generic | serverview |
General Electric | Cimplicity | Generic | CIMPLICITY-HttpSvr |
General Electric | Cimplicity | Generic | CIMPLICITY WebView |
General Electric | Proficy | Generic | ProficyPortal |
Generic | Generic | Generic | "Server: VTS" -Apache -nginx 401 -Sitewatch -Apple -httpd -cpsrvd Ubicom -DCS-6620 |
Generic | Generic | Generic | --All-- |
Generic | Generic | Generic | GoAhead-Webs InitialPage.asp |
Generic | Generic | Generic | Jetty 3.1.8 (Windows 2000 5.0 x86) |
Generic | Generic | Generic | NET ARM Web Server/1.00 |
Generic | Generic | Generic | Modbus Bridge |
Generic | Generic | Generic | ModbusGW |
Generic | Generic | Generic | PLC |
Generic | Generic | Generic | Powerlink |
Generic | Generic | Generic | SCADA |
Generic | Generic | Generic | SLC-5 |
Generic | Generic | Generic | openerp server: CherryPy |
Generic | Generic | Generic | webSCADA-Modbus |
HMS | EtherNet/IP / Modbus-TCP Interface | Generic | HMS AnyBus-S WebServer |
Moxa | Generic | Generic | MoxaHttp |
Moxa | ioLogik | Generic | ioLogik Web Server |
Novatech | Generic | Generic | NovaTech HTTPD |
NRG Systems | WindCube | Generic | WindWeb |
Rabbit | Generic | Generic | Z-World Rabbit |
Rabbit | Generic | Generic | title:phasefale Z-World Rabbit |
Reliance | Reliance 4 SCADA/HMI system | Generic | Reliance 4 Control Server |
Rockwell Automation | Micrologix | Generic | Micrologix |
Rockwell Automation | Generic | Generic | Rockwell Automation |
RTS Services | Generic | Generic | RTS SCADA Server |
SAP | NetWeaver Application Server | Generic | SAP NetWeaver Application Server |
Schleifenbauer | SPbus gateway | Generic | Schleifenbauer SPbus gateway |
Schneider Electric | CitectSCADA | Generic | CitectSCADA |
Schneider Electric | Generic | Generic | ClearSCADA |
Siemens | Simatic HMI | XP277 | HMI, XP277 |
Schneider Electric | Modicon | M340 | Modicon M340 |
Schneider Electric | Modicon | M340 | Modicon M340 CPU |
Schneider Electric | Generic | Generic | Power Measurement Ltd |
Schneider Electric | PowerLogic ION | ION8650 | Power Measurement Ltd ION8650 |
Schneider Electric | PowerLogic PM | PM800 | PowerLogic PM800 |
Siemens | Simatic S7 | S7-200 | S7-200 |
Siemens | Simatic S7 | S7-300 | S7-300 |
Schneider Electric | PowerLogic ECC | ECC21 | Schneider Electric ECC21 |
Schneider Electric | PowerLogic EGX | EGX100MG | Schneider Electric EGX100MG |
Schneider Electric | PowerLogic PM | PM820SD | Schneider Electric PM820SD |
Schneider Electric | PowerLogic PM | PM870SD | Schneider Electric PM870SD |
Schneider Electric | Generic | Generic | Schneider-WEB |
Siemens | Simatic S7 | Generic | Portal0000.htm |
Siemens | Simatic S7 | Generic | Portal0000 |
Siemens | Scalance S | Generic | Scalance S |
Siemens | Scalance W | Generic | Scalance W |
Siemens | Scalance X | Generic | Scalance X |
Siemens | Simatic HMI | Generic | SIMATIC HMI |
Siemens | Simatic NET | Generic | SIMATIC NET |
Siemens | Generic | Generic | Siemens |
Siemens | Simatic HMI | Generic | Simatic |
Siemens | Generic | Station 7-1200_1 | Portal/Portal.mwsl |
Siemens | Simatic S7 | Generic | Simatic S7 |
Siemens | Simatic HMI | Generic | Simatic -S7 HMI |
Siemens | Simatic HMI | Miniweb | Miniweb Start Page |
Siemens | Simatic HMI | Miniweb | Miniweb |
Siemens | Simatic HMI | Generic | Welcome to the Windows CE Telnet Service on HMI_Panel |
SoftPLC | Generic | Generic | SoftPLC |
Somfy | Generic | Generic | title:Somfy |
SpiderControl | Generic | Generic | SpiderControl |
Stulz | Generic | Generic | Stulz GmbH Klimatechnik |
THUS | Generic | Generic | THUS plc FTP server |
Trend | IQ3xcite | Generic | server: iq3 |
Tridium | Generic | Generic | Niagara Web Server |
Tridium | Generic | Generic | niagara_audit |
Tridium | Generic | Generic | niagara_audit-login |
Wago | Generic | Generic | WAGO |
Wind River | Generic | Generic | VxWorks |
Wind River | Generic | Generic | WindRiver-WebServer |
Example (the web portal page of a Siemens SIMATIC S7 PLC):
inurl:/Portal/Portal.mwsl
2. Shodan
Find SCADA systems by port, for example: port:502
Find SCADA systems by PLC vendor name, for example: "Schneider Electric"
Combining the two narrows the result set considerably, for example: port:502 "Schneider Electric"
3. Censys
Examples:
If we were looking for SCADA systems whose PLCs were manufactured by the German industrial giant Siemens (their PLCs were the target of the Stuxnet attack on Iran), we could create a search such as:
tags:scada AND metadata.manufacturer:siemens
tags:scada AND metadata.manufacturer:siemens AND location.country_code:DE
If we were looking for systems speaking the Modbus protocol that also carry the "scada" tag, we would probably want to place more weight on the Modbus protocol and less on Censys's SCADA tag. We can convey this weighting to Censys by appending "^" plus a number giving the boost we want for that field:
tags:scada AND protocols:"502/modbus"^3
Note that these field names (tags, metadata.manufacturer, protocols) belong to the legacy Censys search syntax; the current Censys hosts search uses service-oriented fields such as services.port and services.service_name, so adapt the queries to whichever interface you are using.
4. Nmap and nmap scripts
nmap -sT {IP} -p {PORT}
nmap -sU {IP} -p {PORT}
nmap --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' -p {PORT} {IP}
The script argument is modbus-discover.aggressive (two g's); with it set, the script also enumerates slave IDs. Be conservative when scanning ICS equipment: PLCs and RTUs can lock up or reboot on unexpected traffic, so use a full TCP connect scan (-sT) rather than SYN scans, a slow timing template (-T2 or lower), avoid version detection (-sV) and broad UDP sweeps against production devices, and test any scan against a spare device or lab network first.
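The nmap modbus-discover script identifies a Modbus/TCP device by sending a Read Device Identification request (function 0x2B, MEI type 0x0E) and decoding the vendor, product code and revision objects in the reply. The following is an added example, not the nmap script's code and not from the original page, that performs the same exchange with a plain socket so the frame format is visible: it builds the MBAP-framed request, parses a reply, and follows the "more follows" flag when a device splits its objects over several responses. The reply bytes and the vendor, product and revision strings in SAMPLE_RESPONSE are constructed for offline use, not captured from a real PLC; the probe() function is the one you would point at a real host.

```python
"""Modbus/TCP Read Device Identification probe (added example, not from the page)."""
import socket
import struct

MODBUS_PORT = 502
FC_ENCAPSULATED_INTERFACE = 0x2B   # Modbus Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E          # MEI type: Read Device Identification
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision",
                3: "VendorUrl", 4: "ProductName", 5: "ModelName",
                6: "UserApplicationName"}


def build_read_device_id(transaction_id=1, unit_id=0, read_code=1, object_id=0):
    """Build an MBAP-framed Read Device Identification request.

    MBAP header: transaction id, protocol id (0 = Modbus), length of the bytes
    that follow the length field (unit id + PDU), unit id.
    PDU: function 0x2B, MEI type 0x0E, read code (1 = basic objects, streamed)
    and the object id to start from.
    """
    pdu = struct.pack("!BBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                      read_code, object_id)
    mbap = struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id(frame):
    """Parse a Read Device Identification response.

    Returns (objects, next_object_id): objects maps object name -> string,
    next_object_id is the id to continue from when the device set the
    "more follows" flag, or None when the listing is complete.
    Raises ValueError for a Modbus exception response or a malformed frame.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, pid, length, _unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id is not Modbus (0)")
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc & 0x80:                      # exception responses set the high bit
        raise ValueError("Modbus exception code 0x%02x" % pdu[1])
    if fc != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("unexpected function code or MEI type")
    # pdu[2] read code, pdu[3] conformity level, pdu[4] more follows,
    # pdu[5] next object id, pdu[6] number of objects in this response
    more_follows, next_id, num_objects = pdu[4], pdu[5], pdu[6]
    pos, objects = 7, {}
    for _ in range(num_objects):
        if pos + 2 > len(pdu):
            raise ValueError("object header runs past end of PDU")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object value runs past end of PDU")
        name = OBJECT_NAMES.get(obj_id, "Object%d" % obj_id)
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects, (next_id if more_follows == 0xFF else None)


def _recv_exact(sock, n):
    """Read exactly n bytes; Modbus/TCP frames may arrive in several segments."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def probe(host, port=MODBUS_PORT, unit_id=0, timeout=3.0):
    """One TCP connection, one request per response: gentle enough for a PLC."""
    objects, next_id, tid = {}, 0, 1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while next_id is not None:
            sock.sendall(build_read_device_id(tid, unit_id, 1, next_id))
            header = _recv_exact(sock, 6)                 # up to the length field
            length = struct.unpack("!H", header[4:6])[0]
            frame = header + _recv_exact(sock, length)
            found, next_id = parse_read_device_id(frame)
            objects.update(found)
            tid += 1
    return objects


# Constructed sample reply (not from a real device): three basic objects.
SAMPLE_RESPONSE = (
    struct.pack("!HHHB", 1, 0, 32, 0)
    + bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
    + bytes([0x00, 9]) + b"ExampleCo"
    + bytes([0x01, 5]) + b"PLC-1"
    + bytes([0x02, 4]) + b"V1.2"
)
# Constructed exception reply: function 0x2B with the error bit, code 0x01.
SAMPLE_EXCEPTION = struct.pack("!HHHB", 1, 0, 3, 0) + bytes([0xAB, 0x01])

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A device that implements Modbus but not function 0x2B answers with an exception response (function code 0xAB, commonly exception code 0x01 "illegal function"); that is still a positive confirmation that a Modbus stack is listening, which is why the parser reports the exception code rather than silently returning nothing.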