
Finding ICS/OT (Industrial Control Systems/Operational Technology) Assets with Shodan

BSides Greenville · 2023 · 54:04 · 920 views · Published 2023-06
Tags: Category: Technical · Team: Red · Style: Talk
About this talk
This talk explores how to identify and locate industrial control systems and operational technology assets exposed to the internet using Shodan. It covers common attack vectors into ICS/OT environments, search techniques for finding SCADA systems and control devices, and real-world examples of exposed critical infrastructure including power plants, water treatment facilities, and transportation systems.
Original YouTube description:
This video talks about the risks associated with ICS/OT (Industrial Control Systems/Operational Technology) assets that are exposed directly to the Internet and how to find them using the Shodan search engine.
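The asset-owner side of what the talk describes is checking that your own address space has no ICS/OT services indexed by Shodan, and the talk stresses that a port-502 hit or an `ics` tag is strong evidence while a bare "ICS" or "SCADA" string in a banner is not. The following Python script is an added example, not code from the talk or its quick start guide: it triages Shodan banner records exported as JSON lines (one object per line, with the commonly present fields `ip_str`, `port`, `transport`, `tags`, `product`, `data`), keeps only hosts inside the netblocks you own, and ranks each hit by how strong the evidence is. The sample records, the hostnames in them and the `192.0.2.0/24` and `198.51.100.0/24` netblocks are constructed from documentation ranges.

```python
"""Triage Shodan export records for ICS/OT exposure inside your own netblocks.

Added example; assumes JSON-lines export with fields ip_str, port, transport,
tags, product and data. Nothing here contacts the network.
"""
import ipaddress
import json

# Default ports of the ICS protocols listed on Shodan's Explore page (assumed defaults).
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "Siemens S7 (ISO-TSAP)",
    20000: "DNP3",
    1911: "Tridium Niagara Fox",
    4911: "Tridium Niagara Fox (TLS)",
    47808: "BACnet",
    44818: "EtherNet/IP",
}

# Vendor and device words worth a manual look when they appear in a banner.
VENDOR_STRINGS = ("schneider", "modicon", "rockwell", "allen-bradley", "siemens", "scada", "plc")

# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.10", "port": 502, "transport": "tcp", "tags": ["ics"],
     "product": "Schneider Electric Modicon", "data": "Unit ID: 0\nDevice Identification: Modicon M340"},
    {"ip_str": "192.0.2.11", "port": 8887, "transport": "tcp", "tags": [],
     "product": "", "data": "OverByte ICS TCP server"},
    {"ip_str": "192.0.2.12", "port": 161, "transport": "udp", "tags": [],
     "product": "", "data": "sysName: ke-dha-scada\nsysContact: ops@example.invalid"},
    {"ip_str": "198.51.100.7", "port": 502, "transport": "tcp", "tags": ["ics", "honeypot"],
     "product": "", "data": "Unit ID: 1"},
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def classify(record):
    """Return (severity, reason) for one banner record, or None if nothing ICS-like.

    Evidence strength follows the talk: an ICS protocol port or Shodan's own
    'ics' tag is strong; a vendor/device word is medium; a bare 'ICS'/'OT'
    substring is weak because unrelated software uses the same acronyms.
    """
    port = record.get("port")
    tags = {t.lower() for t in (record.get("tags") or [])}
    text = ((record.get("product") or "") + " " + (record.get("data") or "")).lower()
    if "honeypot" in tags:
        return ("info", "tagged honeypot; likely a decoy, not a production asset")
    if "ics" in tags or port in ICS_PORTS:
        what = ICS_PORTS.get(port, "tagged ics")
        return ("high", f"{what} on {record.get('transport', 'tcp')}/{port}")
    hits = [v for v in VENDOR_STRINGS if v in text]
    if hits:
        return ("medium", "vendor/device string in banner: " + ", ".join(hits))
    if "ics" in text or " ot " in text:  # deliberately loose; needs manual review
        return ("low", "generic acronym in banner text; verify manually")
    return None


def triage(records, own_networks):
    """Keep records whose IP falls inside own_networks and rank them by evidence."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    findings = []
    for rec in records:
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in n for n in nets):
            continue  # somebody else's asset: not ours to act on
        result = classify(rec)
        if result is None:
            continue
        severity, reason = result
        findings.append({"ip": str(ip), "port": rec.get("port"),
                         "severity": severity, "reason": reason})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["ip"]))
    return findings


def load_jsonl(path):
    """Read a JSON-lines export (one banner object per line)."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, ["192.0.2.0/24"]):
        print(f"{f['severity']:6} {f['ip']}:{f['port']}  {f['reason']}")
```

Run against a real export with `triage(load_jsonl("export.json"), ["<your netblocks>"])`; anything ranked `high` is the case the talk warns about, a control-system service reachable from the internet, and `low` hits are the "OverByte ICS" kind of false positive that only a manual look resolves.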
Transcript [en]:

Hi everybody, and welcome to this video on finding industrial control systems with Shodan. This is a subject that I'm very passionate about: anything around industrial control systems and operational technology, or when we talk about ICS/OT or control systems, I'm very passionate about. You can see here a couple of examples of the environments that run these specialized different types of systems, so whether it's a power plant or a railroad, like here we have light commuter rail, a subway in the city, you can see a water treatment facility or a type of refinery, or here there's an open pit mine. The idea is that all of these different environments have specialized

systems or control systems that are used to make things move in the real world: to generate power, to move a train to get people to work in the morning and get them home at the end of the day, to make sure we have clean water to drink, to make sure we have different chemicals that make our life better in every way, shape or form, and the mines that bring us different materials. So I've actually been very fortunate to work in all these environments except for water treatment; it's not something that I do in my day job, but definitely in refineries and power plants and

commuter rail and even in open pit mining, which is really interesting. So why I wanted to put this video together was, I think it's very important to understand that these environments are very special; they're very special in their own unique ways. And if by chance one of them gets connected to the internet by having one of its internal systems exposed, an attacker could use that to take advantage of, you know, perhaps a vulnerability in that system, take control over that host or that asset, and then use that as a foothold on the network to then gain further control over that power plant or that subway or the water treatment facility, and so on and so forth.

And so when we start talking about industrial control systems, we're really talking about physical safety, making sure everybody on site is safe, and imagine, you know, what if somebody could potentially poison the water. Or we look at the safety of the environment around these facilities; we want to make sure that nothing happens to the facility to where it's going to have an impact on the environment. And then we also want to make sure those environments stay up and running. If I have a power plant, we want to make sure it's up and running 24/7/365 generating power, right? We want to make sure the subway is up and running, and so on and so forth,

because we can live without power for, let's say, half an hour, and we could probably live without power for three, four, five, six hours, but as a blackout gets extended, what if that power plant is down for 24 hours, or multiple days, or multiple weeks, or multiple months? You start to get the idea. So when these different types of environments are impacted, right, there's a real-world consequence that comes with it, and that's why, for me, industrial control system security is important. So let's go ahead and jump into the rest of the presentation. The idea is we're going to take a real quick look at the more common ways that attackers get into

these different types of environments, and then for the rest of the section we're just going to look at how we can find these different types of systems that are connected or exposed to the internet using the Shodan search engine. So there's a couple of main different ways that attackers can get into control system environments, and one of the more common ways, like we saw in the Colonial Pipeline breach about two years ago now, is the attackers, which was a common ransomware group, got an employee in the back office to click on a link or open up a malicious attachment, infected their system, and then that infection probably was starting to spread into the control

systems that were at Colonial Pipeline. I think the only people that really know what happened are those that work at Colonial Pipeline, or if you're, you know, the FBI or the NSA or whichever incident response team was helping the Colonial Pipeline folks recover, right? But that's a very common way for attackers to get in: to start on the IT network and then use the connections from the IT network to move into the OT network. It's also common to see that things like malware are brought into the environment by what they call in the ICS world transitory cyber assets, or really these are USB drives and laptops. So it's a fancy way of saying, yes, somebody can

bring in a USB drive that's infected and plug it into one of your systems on the OT network, or also look at bringing in a laptop, like you have a vendor coming in to do maintenance on one of your systems, so they bring in their laptop. What if that laptop is infected, right? And then they plug that into the OT network, and then that infection is able to spread, potentially another way to give an attacker a foothold. On that note, of course, we talk about why we're really here: control systems can actually get exposed directly to the internet, whether somebody does this on purpose, which is really concerning, or if it was by

accident, but it does happen, and we can see that by using a search engine like Shodan, which again is why we're here. And there's other ways worth mentioning, like remote access, because a lot of OT environments give remote vendors access to their environment so they don't have to come on site and work in a dangerous environment; they can do operations and maintenance, like upgrades to systems, remotely. And then we also have malicious insiders, which we can see in these specialized types of environments as well, where somebody wants to do harm to the company, and maybe they sell access, or they are going to infect a system and then use that for their own nefarious purposes.

So those are some of the more common ways attackers, you know, get into the environment. Again, we're really here to talk about when control systems get exposed directly to the internet. So we have Shodan, and if you're not familiar with Shodan, it acts as a search engine very much like how Google's a search engine, where it indexes web pages on different websites all over the internet. The idea is Shodan also scans the entire internet, but it's not looking just for web pages like Google is; it actually is looking for things that are connected to the internet. It was really started as a tool by John

Matherly, who was starting to build Shodan to scan the entire internet to find not just computers that are connected to the internet but interesting things that were exposed to the internet and that you could see. So they scan the entire internet. Now, they don't scan for all 65,535 TCP ports and all 65,535 UDP ports; that would take way too long when you talk about scanning the entire internet. But they do scan the entire internet for a few dozen popular ports, right, common ports that different systems use, and we can look at the common ports that are used by industrial control protocols as one way to find different industrial control systems that are exposed to the internet, and

they are there, even though a lot of these environments don't think their systems are exposed, but they are. And so you can find Shodan at shodan.io; it's not .com. I think .com got registered by a malicious group. I'm not sure if it's still malicious or not, but if you're trying to visit shodan.com from a lot of, especially, Windows systems, Windows will actually automatically block you from going there. It'll stop you, give you one of those nice big red warning banners. So go to shodan.io and you'll get an interface that looks like this. And so you can see we're in Shodan, and again it's very similar to Google as far as acting like a search engine. Now, what

we do with the search engine, that's a little bit different, and that's a big part of what we're going to focus on in this video. All right, and so you can see, I did put together a quick start guide if you want; you can download it from my GitHub. You can see github.com/utilsek, and then in the repositories there you can find the quick start guide for ICS/OT. There's also one for general IT as well, and then a quick start guide for another similar search engine called Censys. But you can see here's the one for ICS/OT; this is really what we're going to walk through during the rest of the video, going through and looking at the

different ways that we can find industrial control systems that are exposed to the internet, especially if you are doing a pen test for an organization, or what if you work on the cyber security team for an organization: you want to make sure that you're doing this type of reconnaissance to make sure that your client or your own company don't have systems exposed to the internet. And it works great for all types of systems, not just industrial control systems or operational technologies, even though that's what we're talking about here, right? So you have the quick start guide as a little cheat sheet to help you, and if you want to go back and

you don't have to listen to the video again; you can just pull out the cheat sheet and use these different search terms. And so we start looking at using Shodan. Okay, when I first really started getting into industrial control security, Shodan was one of the first places I had come across, and I was already a little bit familiar with it doing penetration tests and oceans, right, and doing reconnaissance on different client environments and the main companies that I worked for. So I was already aware of Shodan. But if you go to the Shodan page, you can actually get a free account. The free account is a little limited, so it does limit you to two

pages of results. So I do have a slightly better account, like this one that I'm using for this, so we can see more results, but you can still use a free account and still get a lot of great use out of it, so you don't have to pay. But anyways, so if you go to Shodan, and this is the same interface as it was 10 years ago when I started looking at it from an industrial control security perspective, where I click on the Explore option, the first thing you see from there is Industrial Control Systems, which, you know, you can see there's a picture of a mine, right? You can see

there's a mine and some other types of facilities that are crammed in there. And what we're actually seeing here is, they talk about, yeah, there's some terms; there's a lot of new acronyms in ICS/OT to learn if you're new to that world. So things like SCADA and PLC and DCS, and all things like ICS and OT could even be new terms to you, but the idea is they're different types of systems within that world. You can still think of them as computers; engineers hate it when I say that, but they're devices with memory and processors and network connectivity. And so if they get connected to the

internet with a publicly exposed IP address, or exposed somehow behind something like that, right, we can see them through Shodan, and we're not doing the scanning ourselves; Shodan is. But what we can see here on this page is they're actually showing us a number of common protocols and services that are used by industrial control systems. So the most popular control system protocol you'll see is called Modbus, and the really interesting thing with Modbus is there's old-school Modbus, which was its own protocol, just like TCP is its own protocol, and now there's a version of Modbus that runs on top of TCP/IP, which is where the danger is, because if you had old Modbus that

wasn't communicating over TCP/IP, someone had to be local to that network to be able to communicate with that device, but that's just at a high level. Now, in this case, though, we see Modbus running over TCP, which of course is the main protocol that we use on the internet, and so we can see these different types of devices. Same thing with S7, which you can see is Siemens, right? Siemens is one of the largest vendors in the ICS/OT space, especially if you're in the western hemisphere of the world, and so S7 is the protocol that they use. You can see DNP3, Tridium; I don't really come across Tridium a lot, but

BACnet, which is for building automation control systems; we talk about EtherNet/IP, and the list goes on and on. So it's a great resource if you're just even starting to look into industrial control security, because you can start to look at some of these different protocols and then you can go and research them. And so you can go through and look through the list of what's there, which is really what we're starting to see here. It's a great way to start learning, at least; it worked great for me. And so when we want to look at, well, how do I find these systems in Shodan, now if you have a paid-for Enterprise

account, an Enterprise account now is, I think, like 1,100 or 1,200 a month, so I don't know necessarily that there are that many people that have those accounts readily available. You can use the option of what you can see here, a tag, and so what the tag is, is as Shodan finds different systems it can label them; it can tag them as different types of systems. So what we'll do is we're just going to go ahead and jump into one of these first. So if I click on Explore Modbus, what we'll actually end up seeing is a list of all of the Modbus systems that Shodan has found exposed to the internet. You can see there's 388,424;

you can see right in the upper left-hand corner, and you can see the vast majority of those are in the United States based off of the IP address, and then you can see there's 22,000 in China, Canada and Korea and France, and the list goes on and on and on. And so we can look at these are the different systems that are running, or appear to be running, Modbus. Now, we won't say they all are, and really what it's seeing is there's a system that has port TCP 502 open, which is the port we use by default associated with Modbus. I'm trying to find a good example in here, because what I'm

looking for is a system that's legitimately running Modbus and that's exposed, and here's actually one. So this system at 192.150.249.250, right, and you can see it's located in Thailand and you can see it's tagged as ICS. So Shodan found the system exposed to the internet; it found the Modbus port was open; it also connected to that port and tried to gain additional pieces of information. It tried to do some basic communication to get it just to talk back, to then understand, well, what's running on that port? Is it really Modbus running on TCP 502? And in this case it looks like it does, because we can start to see this ID, or you can see the unit ID response, so

unit ID 0, unit ID 1, unit ID ..., and then going up all the way to 255. And so we see that there's this Modbus service that's actually running there, and that it retrieved at least a basic piece of information. We'll see some more examples of this, but for now I wanted to look at how we use the tag. So if I have one of those fancy paid-for Enterprise accounts, I could say tag:ics, and it would show me all of the systems that Shodan has found that have been tagged as industrial control systems, and there's going to be a lot more than just these 388 thousand; remember, these are just

those systems that appear to be running Modbus, which is a protocol and service that's associated with control systems, right? But there's also all those other protocols and services that we started to look at, like S7 and DNP3 and BACnet, right? So that's one way you can find things in Shodan, but again, most of us probably don't have a fancy paid-for Enterprise account, and that's okay, because there's some workarounds that we have. But again, it's a great way also just to learn those protocols like Modbus and start to get an idea of how it communicates. And when we look at, in this case, you can see how it updated the search in Shodan to port 502, which is

what we were mentioning earlier; so that's the port that Modbus commonly runs on, TCP 502. So that's tags. So again, they're great if you have an Enterprise account, but if you don't have them, that's okay, right? So we don't have to necessarily; it would be nice if we did, right? Here's an example of another Modbus system that you can see is from Schneider Electric, and it's funny because I actually recognized this one, because I actually have this one set up in my home lab, which was pretty funny. So it's actually called a Modicon PLC, or programmable logic controller, and this is so we can see, as Shodan found the device running on TCP/IP

on TCP 502, it found the service exposed, it ran some additional communication to see if it could get the device to respond and determine, is this really a PLC running Modbus or not? In this case it looks like it really is, so it got labeled as ICS, and then we can also see the vendor, Schneider Electric, which is one of the most common vendors in the ICS world, and then you can also see the model of that PLC, so we can actually Google for that to see what it actually is, and then we can even see the version of firmware that it's running. So if there's known vulnerabilities with that firmware, we could use those potentially to

exploit the system and gain a foothold on that network, because that system is exposed directly to the internet. But if you're curious to see what this thing, this PLC, actually looks like, this is actually it. So again, it was actually interesting when I found this one; it was one of the first results that had come up, and it was like, oh, that looks very familiar, because this is actually what it looks like sitting in my house. So that's what this PLC looks like. If you want to see a lot more interesting PLCs, obviously you can Google, or if you're a big Reddit fan, you can look at the Reddit forum /r/PLC, and there's

a lot of engineers out there that post a lot of the pictures of their PLC installs in the field, which I find really fascinating, so you'll have to definitely check that out if you're interested in more. But that's, again, the idea of the tag, is that Shodan, when it finds different systems connected to the internet, it tries to enumerate them, right? It tries to do additional tests to figure out, hey, what is really there? What, in this case, is really sitting at 218.62.117.154? And in this case, right, it found Modbus open on TCP 502, it did the additional queries and found out it really is Modbus, and it's a Schneider Electric

Modicon, and it's even running this specific version of firmware, so, yeah, we're going to label it ICS. And so if you have that corporate Enterprise account, you can just look up those tags. But moving on from the tags, okay, so before we do that, I did want to mention there is a really interesting tag as well for honeypots. And so if you're not familiar with honeypots, honeypots are systems that are set up to be hacked. The idea is that you create these systems, you expose them to the internet, or you use them internally, which they're great from an intrusion detection perspective, but the idea is you can expose them to

the internet and then you can sit and you can watch as attackers find the system and try to access it, right? They try to attack it, and then you can learn about the attacker methodology. You're going to start to see what attackers are doing when they find your system, right? And then you can start to also, especially in the industrial control world, you can start to realize, is it a generic attacker that has no idea of what they're doing with an industrial control system, or is it a more advanced type of attacker? And that's typically going to be either nation-state attackers or what I like to talk about as like top-tier hackers, you know,

or attackers that have a sense and an understanding of control systems and how they work, and they're seeking out these systems that are directly exposed to the internet. So honeypots are really fascinating, and that could be its entire class in and of itself, right? But I love deploying them to the internet when I can, from time to time, just to sit there and watch when people find them, you know, from scanning on the internet, which is almost instantaneous these days, and then as they start poking and prodding, just, you know, to get an idea of what's actually there. Maybe it's just Shodan doing a scan and trying to figure out what's there,

but, and then also, I mentioned that it's great from an intrusion detection perspective if you deploy them internally, because if you have somebody hit your internal honeypot, then it's what we call a very high-fidelity alert, which means it's an attacker, right? If you've set it up correctly, the only reason somebody would hit that is if they're trying to attack your network, so it's one of those great methods you can use from an intrusion detection perspective to find an attacker on the network, right? You get a hit, boom, there's an attacker on the network, period, the end. All right, so it's a great defensive mechanism, right? But so that's one of the other

tags that I find really fascinating that pops up from time to time, so you'll see them from time to time. So it's, you know, this idea where they fingerprinted, right? They figured out that there's a honeypot sitting there, and here's an example of a honeypot that you can see that's sitting in Warsaw in Poland, and it has a very distinct fingerprint. There were a lot of these in Shodan, but Shodan realized, based off of this one signature, yeah, it's a fake system that was designed to be attacked, to watch what the attacker does with it. Of course, Shodan is tipping off the attackers at this point, which I'm sure

the advanced attackers, or top-tier, or even probably maybe the middle-tier attackers, they're already probably going to realize it's a honeypot and move on to bigger and better things, but you'll definitely see some script kiddies and new attackers, you know, sitting there and trying to hack away at these boxes. That's always still kind of funny to watch. So, all right, so for the rest of the presentation, again, let's move past tags and Enterprise accounts, and what can we do with a free account, or, you know, the lower-cost tier if you do want to get a paid-for account, so you

can get more than just two pages of results. So one of the things we can do is we can run searches for common ICS/OT terms, and you can search for ICS and OT and they will actually return results. ICS is much more specific than OT, so, you know, what you get with OT, you can take it or leave it probably; it's a little bit more generic, but ICS is still a very valid string to look for. SCADA also is one of those ICS-related terms, so SCADA and ICS and OT are basically three terms for all the same thing. But I remember Rob Lee, who's considered these days the kind of the godfather of industrial control security in the world,

taking his class at SANS, he had mentioned the only difference between SCADA and ICS/OT is SCADA is like a WAN and ICS/OT is like a LAN, right? In ICS/OT all of your systems are on the local network, whereas in SCADA, right, those devices are communicating over a WAN. So if I have a power company and, let's say, I'm monitoring hundreds of power stations, or let's say just dozens of power stations that are spread out across the region, all right, I have some systems; think of the main operations center, and then it goes out over some type of WAN connection to check in with the control systems

right at those remote sites and pull that information back, what they call supervisory control and data acquisition, and so we can do that over the WAN. So that's what SCADA is; that's the difference between SCADA and ICS/OT. And so when we look at running a search, right, if I go back to Shodan and just run a search for SCADA, still a little slow, might be my internet connection today, I'm not sure. I should have done these searches ahead of time, apparently. Drum roll, please; there it goes. So you can see there's 1,584 systems that have SCADA in the text that's communicated back from the system, meaning when Shodan finds this system

connected to the internet and it sends out those additional requests, right, it tries to talk more and interrogate, essentially, or enumerate the system, right? It's sending additional commands trying to get responses back, like Nmap enumerates systems, if you're familiar with Nmap. And so in this case the idea is that some of the text came back and it had the word SCADA in it, so it doesn't necessarily mean it's a SCADA system, but it has SCADA in the information that's been returned. And so you can see, and here's a couple of honeypot tags, right, so we know those are probably systems that were created to be hacked. Now here's an interesting one, you can see at

110.93.215.54. It actually looks like it has SNMP exposed on this system, and then the name on it, actually you can see, is ke-DHA-scada, so there could be some type of SCADA system that is actually sitting there, and then they even give us this contact email address, so if we want to reach out and let them know, hey, you have a control system connected to the internet, you might not want that exposed. So that's one way you can look for these different types of systems, right? So if we look for SCADA, or again you can do ICS; ICS actually does come up with some really interesting results. Oops, I guess it won't say credit card,

apparently, interesting. Let's run that search again. There you go. So now we run ICS, and then you can see it comes back with a number of different interesting findings, not a ton, you're going to say 2,800 and change, but you can see in this case it looks like, oh, maybe there's a web page and it says OverByte ICS TCP server. I could Google that to see, you know, is this really some type of ICS system, or maybe it's some type of application that just happens to have the acronym ICS. And if we're doing the lookups by these names, right, Shodan is just looking for where it sees these acronyms returned in strings; it doesn't

necessarily mean these are always industrial control systems; it just means that there's a service there that responds back and it has ICS in the text somewhere. So you do have to do some filtering through, but you do find some interesting ICS systems for sure. Now, the great thing about Shodan is, if I want to get additional information about these, I can just click on the IP address. It's not taking me out to the system; it's taking me to the details that Shodan has about that system. And so you can see it found port 6887, port 9000 and port 9002 were open on that system, and then you can see that where it found

that OverByte ICS TCP server, right, it was running on port 8887. And if I want to find out what that is, right, we can just go to Google; I know I can just type it in the browser there, but there's reasons why we don't like to do that, but that's a whole forensics conversation. And then we can look to see, and it says, oh yeah, here's OverByte; it says ICS is a free internet component library, and it's like, oh, okay, well, is it still really related to industrial control security, or does ICS stand for something else? And in this case it stands for Internet Component Suite, right? So it's not industrial control

systems like we're looking for, right? But if we go back and we look at some of these other pages, right, if we go to these actual different websites that are pulled up, then there could be some type of industrial control system there. And so we're gonna kind of put a pause on that for just a second, because we're going to come back and look at some of those examples from a different method. But I did want to highlight that, because again, I think it stresses the point: in this case we're doing a lookup for just the term ICS. It's not a tag; it's not Shodan saying this is an industrial control system. It's just

we saw the text ICS in a response from the machine, and it got picked up in our search, right, in our Shodan search. So again, those are some common search terms that we can look for. Now, we talked about SCADA; we also can look at IIoT, which actually can turn up some interesting results. So IIoT is the industrial internet of things, so we're actually purposely taking industrial control systems and connecting them to the power of the cloud, right, or to the internet. So you can think of an example, let's say, a very popular example with GE: GE makes these locomotives, you know, for trains, and they want to be able to

take sensor data from that locomotive, so they wrap the entire locomotive in sensors so they can take all that data and then they can look at it over time, so that way they can proactively address issues. So they can see that a part is going to wear down, using predictive analysis; they can go ahead and replace that part ahead of time before it breaks and then causes, you know, downtime with the locomotive, or potentially even causes a physical issue, which could also lead to somebody getting hurt, or passengers could be killed. Either way, there's real-world consequences that could happen. The problem is you can't have a computer large enough or powerful

enough sitting on the train to take in all that data and process it, but if I take the data, send it out over the internet, maybe from a train on a satellite connection, send it out to the internet, then I can use the power of the cloud, where I have the large systems that can bring in the data and they can crunch the numbers and do the predictive analytics. So that's the idea of IIoT. So we actually do see the control systems exposed, or connected, to the internet, but they shouldn't be exposed to the internet, right? So we shouldn't see these systems pop up in Shodan, but you can still find them. So I mentioned you can see ICS, OT; again,

ICS and OT can be very generic, like the example that we were looking at earlier. Now you can also look at vendor names, so Schneider Electric's an example that we looked at earlier when we looked at that Modicon; it was just that programmable logic controller that I have in my home lab. You can see, you know, Rockwell Automation is also another popular vendor of control systems and PLCs. I used to work in San Diego right next door to Rockwell, so, yeah, I've always been a big fan, and Siemens was actually right down the street as well. But you can start to see, if I do

Rockwell Automation, which is also related to an older company called Allen-Bradley, you can see, oh yeah, this system right here at 166.136.164.22, right, it actually found a connection, right? It did the additional query and got the response back from the system, and said, hey, I am a Rockwell Automation Allen-Bradley PLC, and here's my serial number, here's my internal IP address, so we know their internal network is using a 192.168.100 numbering scheme, and then it also gives us the product name, right? So we could Google this, right, to actually see, well, what type of system is this, and then you can see I always like to just jump to images real quick, and

you can see that's what we're looking at. So this PLC, that looks just like this, which is sitting in some type of environment, has two IP addresses more than likely, or at least it has an internal IP address of 192.168.100.2, and then somehow it gets out to the internet as 166.136.164.22, and Shodan found it and indexed it for us to find. And so that's one way, right? Another way you can find things like PLCs connected to the internet is by looking at these common vendor names, which is what we're looking at there. So you also have to see Allen-Bradley was also there; Allen-Bradley got bought by Rockwell, so we saw in that

case both of them, right? Siemens, we mentioned, is also another large industrial control provider. So those are some great ways to find some really interesting systems, and you can see how they're very talkative, right? Because it's oh yeah, hi, I'm a PLC, here's my serial number, here's my internal IP address, here's my product type. I mean, it just goes on and on and on. So if you're an attacker, they give you everything you're looking for, essentially, to be able to target that system, including the version of the operating system or the firmware that's running on that PLC, so you would know potentially if it has the

vulnerabilities or not. Now we can also look for things like device type names. So in the example we were just looking at, remember it actually said programmable logic controller, so you can spell it out just like that, or you can try PLC, and, kind of like using ICS, you can find some things; it might take you a little bit to dig through. There's HMI, or human management interface. If you're not familiar, an HMI is basically like a little screen that you can use to interact with a control system. It's like if you've ever seen a digital thermostat like Nest, and it has a little video screen and you

can see what they call a set point, right, where your temperature is set, and then if the temperature gets too cold it's able to turn on the heater; if the temperature gets too warm it can turn off the heater, or if it needs to it can turn on the air conditioner. So that's an idea of a human management interface. We're actually going to look at some real-world examples in just a minute. There's also the idea of DCS, right, which we see in larger environments, that are used to control multiple industrial control systems. We can also look at the brand type. So we mentioned earlier that PLC that we saw a

screenshot of; that's called a Modicon, from Schneider. Siemens has SIMATIC, not "semantic" but SIMATIC, and so on and so forth. So there's a lot of different brand types. You can look for specific models as well, so those are some of the examples that we were seeing earlier. So you can look up those models; of course there you have to be very specific, but it is a way to find those industrial control systems beyond just using the tags if you don't have that expensive account. One of the other really interesting things I find really fascinating with Shodan is Shodan also indexes services that are exposed that they like to take screenshots of,

meaning, I'll just show you because it probably will help. If you go to, and I'll just type in, images.shodan, oops, .io, remember, not .com,

you can see it actually takes a screenshot anytime it finds a service of interest. So you can see in this case it actually takes screenshots of, you can see, camera feeds, so webcams essentially, and then remote desktop instances, right, and neither of these are necessarily good. We definitely don't want remote desktop sessions exposed to the internet, because somebody could use those to gain access to your system, and you probably don't even think or aren't aware of that camera being exposed to the internet. Or sometimes people do set up a camera at home; they want to see it from work, right, so they knowingly expose it to the internet, but they don't think anybody is going to be able

to find it, and yet Shodan does, and Shodan will let you go through and find all these. If I want to narrow it down especially to just those web servers, I can just type in http, so it takes out all the remote desktop sessions and then it'll limit to just the webcams that are available over web services, so over HTTP. So you can see there's an airport, there's somebody's junk room, there's a garage, there's, it almost looks like a solar farm right down there. So that would be an example of an industrial control environment, because there are systems that control those panels and the electricity that's generated and how it

flows and how it's pushed out to the grid. So that's interesting, because what if this camera is connected to the control system? Now if it's an asset on the control system network and it's exposed to the internet, and if it's a webcam, it's probably a really easy system to break into, and if I take control over that and it's on the control system network, I have a foothold into that control system network and I can then use that to take further control of that network. But I find the images fascinating; I can sit there and just flip through pages all day long just to see what's actually there.

You see some really neat things; it's kind of a trip around the world in five or ten minutes. And so we can see those different aspects. Again, we looked at the remote desktop sessions, right? Those are dangerous because not only is that system exposed, it's not behind some type of device like a VPN appliance, right? It's exposed directly to the internet. In this case we can also see they didn't rename the default administrator account, and then we can also see there's three users on the account, or the system. So we see alicio, dukia, probably butchering the pronunciation, and Ricardo. All right, so all we need is a password

for any of those four accounts and boom, we're in. Or what if the system hasn't been updated and it's vulnerable? There's been several well-known vulnerabilities that are very easy to exploit through Metasploit to allow you to gain access to that system, and whether it's on the IT or the OT network, once you have that foothold you can use that to spread to those different types of networks. So having remote desktop exposed to the internet is very dangerous, especially if that machine is on the control system network. Right, we mentioned web cameras; I found these really quick. I always find it really interesting when you find a dashboard with lots of cameras in it, so you can see there's

multiple rows with all these different cameras; it looks like they're just watching over different aspects of a freeway somewhere. I didn't get into it too much. And then I thought this was interesting as well, because here's a water treatment facility that's exposed; it has a webcam exposed to the internet. It's an example just like the solar farm: maybe this camera is standalone, it's connected to the internet, it's not connected to the water treatment plant network, and so, you know what, that's okay. But what if it is exposed and it is connected to the water treatment network? In that case, if I take over that camera, which is typically just a Windows machine or a Linux machine, if I take

control over that camera, then I have that foothold into that control system network and then I can spread control, right? I can move laterally and take further control over that water treatment facility. All right, so that's a real-world concern, and so that's why organizations, or if we're pen testing for our clients, we need to make sure they don't have exposed systems, whether it's remote desktop, whether it's webcams, whether it's anything. If it's exposed we need to understand: oh yeah, it's a web server and it's meant to be, but what about all those other systems and services and industrial control systems that are exposed that aren't supposed to be, right? That's the beauty

of Shodan: it allows us to find those. And here's an example of one of those human management interfaces, or those HMIs that I was talking about, that's available over a web page. A lot of these can be exposed just as read-only, so it allows you to look and not, you see buttons but you can try and click them and nothing happens, but what if you find the ones that are interactive? And so it's interesting when you find, like in this case, oh, we have this tank and it stores some type of liquid, and there's, oh, there's a blower, and then you can see the different pumps, right, to be able to move liquid

right out of the tank, and all the different valves. I mean, we don't want anybody sitting here, especially to see chemical drum, right? I don't want anybody sitting there able to make changes. I always find it fascinating when you find control systems through Shodan and you find these interfaces and basically it's a big error message like fault, and it makes you wonder if somebody actually was screwing around with it from the internet, right? And like in this case you can see, potentially, it looks like, well, the system's off I guess at the moment. But I think it's fascinating

when you find these, and you can see them just by going to that images page, limited to http, and then you can flip through, and it doesn't usually take more than maybe nine or ten pages at the most to be able to start finding HMIs for industrial control systems. But again, it's another way to find these systems connected and exposed to the internet that they're not supposed to be. Even if they're just for read-only access, put them at least behind a VPN so you're not giving attackers a potential foothold on the network. And then the last thing to look at, one of the generic uses of Shodan, is let's go ahead and run a search for

an IP range. So if I know my company has, let's say, this network range of 153.156.22, right, a Class C address, or what if that's my client I'm doing a penetration test for? The idea is I can go ahead and do a lookup, and this was just one that I picked at random based off of one of the systems I found. But if I go back to the search, I can just do net, well, let's go back to the normal page, so we can do net and then go back and look at that number, so 153.156.222.0/24. So we use the CIDR notation for that Class C, and it's going to,

Shodan is going to come back and it's going to give us a list of any of the IP addresses in that range that it found active, right? It can have up to 254, and you can see I actually found 79 different systems in that one range. So let's say this was my client I was doing a pen test for, or a company I was working for. Again, I want to use Shodan to go back through, find all the systems and exposed services, and make sure: are these really expected and supposed to be exposed to the internet or not? And if they're not, we want to shut them off, we want to firewall them off, or

at least put them behind a VPN so that attackers that are out on the internet can't get directly to that, because remember, every service, every application that's exposed to the internet is a potential route for an attacker to get into the network. It's just like the attackers, you know, they're driving through your neighborhood looking to see if the garage door is open, or how many doors do you have, how many windows, and then they might go up to the door and see if it's locked or not, or try to see if the window is open or not. So we want to make sure we close all those off, or, you know, if we

don't have a door to the house, the attackers can't get in, at least that way, right? If there's no windows they can't get in through a window, right? Disable, turn off all those services and don't have them directly exposed to the internet. So that's a great thing to do when you can, doing a search against your own range or against your client's if you're doing a pen test. But anyways, I just wanted to wrap up with that, and you could use that to potentially find, if you had, let's say, you worked in a control system environment like a power plant or one of those water treatment facilities that we're talking about, you can work

with your network services team, with IT or telecom, to ask them, hey, what public IP ranges do we have? Hopefully they have a complete list, but you can take that list and go to Shodan and run a search and see what services are exposed, and hopefully, at least for the purposes of this conversation, make sure that you don't actually have control systems that are exposed to the internet. Because that's one way, again, that attackers find that system, they take control over it, and then they now have that foothold on the control system network and they can use that to spread further control and take over that facility. They can take over that

power plant, that water treatment facility, that subway, that refinery, the open pit mine, and any other industrial control environment. There's serious consequences if they do, right? So that in a nutshell is using Shodan to find industrial control systems, and hopefully you found that helpful and worth the time. So I appreciate you taking the time to check out the video. If you have any questions, comments, concerns that come up down the road, if you want to reach out and connect on LinkedIn, here's the information where you can find me, or my email address: you can reach me at Michael utilsac.com. It's one of my side email addresses away from my day

job, and then you can find me on LinkedIn at Mike Holcomb. So I will talk to you then, thanks again and take care, thank you.
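The range audit the talk ends on (run a net: search over your own public ranges, then work out which exposed services are expected) can be made a repeatable triage step. This is an added example, not code from the talk or from Shodan: it takes banners in Shodan's JSON field layout (ip_str, port, product, data), flags ICS, remote-access and unapproved web exposures first, and reports any internal address a banner leaks, as the PLC in the talk did. The port and vendor lists are general knowledge and the sample banners are constructed.

```python
"""Triage Shodan banners for a range you own or are authorized to assess (added example,
not from the talk). Banner fields follow Shodan's JSON (ip_str, port, product, data);
the sample banners at the bottom are constructed."""
import ipaddress
import re

# Well-known ICS/OT ports, vendor strings and RFC 1918 ranges (general knowledge, not from the talk)
ICS_PORTS = {102: "Siemens S7comm", 502: "Modbus/TCP", 44818: "EtherNet/IP", 20000: "DNP3"}
ICS_WORDS = ("rockwell", "allen-bradley", "siemens", "simatic", "schneider", "modicon",
             "programmable logic controller")
REMOTE_PORTS = {3389: "RDP", 5900: "VNC", 23: "Telnet"}
PRIVATE_IP = re.compile(r"\b(?:10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+)\b")

def classify(banner):
    port = banner.get("port")
    text = f"{banner.get('product', '')} {banner.get('data', '')}".lower()
    if port in ICS_PORTS:  # ICS evidence outranks everything else
        return "ics", ICS_PORTS[port]
    for w in ICS_WORDS:
        if w in text:
            return "ics", f"vendor string '{w}'"
    if port in REMOTE_PORTS:
        return "remote_access", REMOTE_PORTS[port]
    if port in (80, 443) or "http" in text:
        return "web", "HTTP service"
    return "other", f"port {port}"

def triage(banners, owned_cidr, approved_web=frozenset()):
    """Flag every banner inside owned_cidr except approved web servers, worst first."""
    net = ipaddress.ip_network(owned_cidr)
    findings = []
    for b in banners:
        if ipaddress.ip_address(b["ip_str"]) not in net:
            continue  # a net: search should not return these, but never trust the input
        category, reason = classify(b)
        if category == "web" and b["ip_str"] in approved_web:
            continue  # known, intended web server
        leaked = sorted(set(PRIVATE_IP.findall(b.get("data", ""))))  # internal IPs in the banner
        findings.append({"ip": b["ip_str"], "port": b["port"], "category": category,
                         "reason": reason, "leaked_internal_ips": leaked})
    rank = {"ics": 0, "remote_access": 1, "other": 2, "web": 3}
    return sorted(findings, key=lambda f: (rank[f["category"]], f["ip"]))

SAMPLE_BANNERS = [  # constructed; documentation ranges, not the addresses from the talk
    {"ip_str": "203.0.113.10", "port": 44818, "product": "Rockwell Automation/Allen-Bradley",
     "data": "Product name: PLACEHOLDER-PLC-MODEL\nDevice IP: 192.168.100.2"},
    {"ip_str": "203.0.113.11", "port": 3389, "product": "Remote Desktop Protocol", "data": ""},
    {"ip_str": "203.0.113.12", "port": 80, "product": "nginx", "data": "HTTP/1.1 200 OK"},
    {"ip_str": "203.0.113.13", "port": 80, "product": "", "data": "HTTP/1.1 200 OK\nServer: IP Camera"},
]
```

Calling `triage(SAMPLE_BANNERS, "203.0.113.0/24", approved_web={"203.0.113.12"})` lists the PLC (with its leaked 192.168.100.2 address), then the RDP host, then the unapproved camera web server; the approved nginx host is omitted.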