I have been using Shodan, “the world’s first search engine for Internet-connected devices”, since a long time. Recently I switched my free account to a membership account. A membership account allows you to do API queries with additional query filters (for example restricting search results to specific countries).
In this post I describe the results of querying the Shodan API for ICS (or related) devices in Belgium. These results are entirely based on what is available via Shodan without touching any of the affected devices.
Searching for IoT, SCADA and other stuff.
The developer API allows you to query the dataset and then parse the results offline with your own tools. I wrote a Python script that queried Shodan for a number of interesting ICS/SCADA/IoT strings, parsed the results and then stored them in a sqlite database. These are the queries that I ran with Shodan
Building Operation Automation Server Schneider Electric moxa eWON Sauter scada 3S - Smart Honeywell rockwell title:'xzeres wind' html:'PIPS Technology ALPR Processors' port:502 port:102 port:20000 source address port:789 product:'Red Lion Controls' port:1962 PLC port:5094 hart-ip port:18245,18246 product:'general electric' port:1911,4911 product:Niagara port:47808 port:44818 port:9600 response code port:5006,5007 product mitsubishi port:2455 operating system port:20547 PLC port:2404 asdu address port:161 simatic port:3011 port:1911 mitsubishi siemens
Because I was only interested in the results from Belgium I limited the search to country:BE.
The logic of the script was
- Perform the search query with api.search(expr);
- For every host, retrieve the details (hostname, open ports) with api.host(ip_str, history=False);
- If the host was not previously seen in the database, insert it in a host table and keep track of the associated domain and hostname;
- Parse the details of the host
- Add every open port to the database, but only if the combination of host+port+transport isn’t already there;
- Extract useful product and device information;
- Do this with the information available via Shodan or by simple banner parsing.
In total there were 654 unique hostnames.
This is not a “state of ICS in Belgium” but a snapshot of the ICS/SCADA/IoT information for Belgium that is available in Shodan. This is publicly available information.
Most popular domains
The majority of the hosts were located on the networks of Belgacom, Mobistar, Telenet and Proximus. This is to be expected as these are the largest ISPs in Belgium. Belgacom and Proximus are the same provider and Mobistar is now Orange. Also note the domain ‘telenet-ops’, which is the “OPS”-network of Telenet, and the results for Infrax, a utility company for gas, electricity and cable television.
Open ports per host
The majority of the hosts only had one or two open ports. Note that there are a lot of hosts that have 35 or more open ports.
Top 10 open ports
It is not a surprise to see that the most popular open ports are
- tcp/80 (http)
- tcp/8080 (most often http)
- tcp/443 (https)
Other ports that are returned as “open” are
- ModBus (tcp/502)
- Rockwell (tcp/44818)
- Moxa (tcp/4800)
- Niagara (tcp/1911)
Rockwell Automation, Moxa and Niagara provide ICS or IoT automation control systems. Typically these are the type of systems you do not want to be publicly available to the whole world.
The majority of the ports did not return a device type according to Shodan.
Similar to the device type, the majority of the ports did not return a vendor ID according to Shodan.
I had to do some extra parsing for extracting the product names.
- Try the product name provided by Shodan
- If still empty, if it’s http, return the HTTP banner
- Or extract the first string that’s returned in the data object from Shodan
Despite extra parsing efforts a lot of the open ports did not return a product name. Nevertheless there are some interesting product names to observe like the devices from Siemens, Moxa (automation) and eWON (Industrial VPN Routers: Remote Access & Data Services).
I also made use of the Shodan feature to retrieve the screenshots captured by Shodan. Only one screenshot was found in the result set. I did not made use of the ‘history’ feature of Shodan to retrieve older screenshots.
Retrieving the result set for ICS/SCADA/IoT related queries in Belgium returned some interesting results
- A lot of Rockwell, Moxa and Niagara ICS devices are publicly available. A lot of these devices had their fair share of problems, as reported by ICS-CERT; Based on the network port (this isn’t conclusive but still a good indicator) and product name there are
- 109 ModBus devices
- 97 Rockwell automation devices
- 95 Moxa embedded devices
- 88 eWON ICS remote access devices
- 87 Niagara ICS control systems
- 72 Siemens S7 devices (the overview by product name revealed 116 Siemens devices)
- 54 3S remote management ICS devices
- It seems none of these devices had proper filtering rules (ACLs) in front of them, otherwise Shodan would not be able to track them; There might be other protection measures involved but having these devices wide open makes them vulnerable for further vulnerability testing.
Interesting post. Could you please share the script code?
You can use the code at Github