
In our bid to take over the world we hunt ICS devices using Maltego.

Continuing the discussion of our Defcon talk (see the previous post [here]), in this section we look at ICS devices and what we can do with them in Maltego.

[Shodan] is a mass Internet scanner – much like [Censys]. The core idea is – find all the machines that are alive on the Internet, extract as much data as we can from them, put it all in a database and make that available to the world to query. Pretty neat actually.

We’ve had transforms that query Shodan for a while – you can read about them [here]. When we started looking at ICS devices we saw that Shodan actually has a page devoted to them. It looks like [this]:

Every ‘Explore’ button on that page translates to a Shodan query string. For instance, to find PCWorx devices the query is “port:1962 PLC”. In other words – look for devices that have the word ‘PLC’ somewhere in the response and also have port 1962 open. This search term will find all such devices that Shodan has seen on the Internet… much like searching Google for ‘intitle:index of’ finds indexable directories. This combination of search terms on Shodan is thus close to ‘Google hacking’ search terms – only it runs on Shodan rather than Google, and the result is devices, not websites.

Our next step was naturally to build a transform that searched Shodan for all the ICS search terms and combined them with whatever the user wanted to add to the query. We wanted to keep the ICS terms dynamic so that the user can update or change them at any time – therefore we made the terms a transform setting. The format we use is Shodan_query_1#Description_1|Shodan_query_2#Description_2 and so on. Adding all the queries we ended up with a transform setting like this:

This transform could now be used with any of the other Shodan search parameters – and the ICS search terms would be appended to it. To get a list of Shodan search terms you can click [here]:

This means we can start doing some cool stuff – like finding all ICS devices in a city – say Amsterdam:

Shodan finds 98 devices that match any of the ICS search terms and with city set to Amsterdam.

One of the Shodan search parameters that caught our eye was the ‘geo’ parameter. It meant we could give a longitude/latitude to Shodan and find ICS devices around that precise point. A BIG caveat here is that we’re relying on Shodan to do this accurately – and they rely on other databases (like MaxMind etc.). IP-to-geolocation is a bit finicky – and a discussion for another time. The bottom line is that it can be pretty good in densely populated areas and pretty bad in remote areas.

We spent the next few hours browsing Google Maps, trying to find places that would likely have ICS devices but that were remote enough not to include too many false positives. For this we’d go to Wikipedia and find the location of (for instance) power stations in various countries. We would then take the coordinates from Google Maps, enter them in Maltego, set a radius of around 2 or 3 kilometres and see if anything showed up:

This resulted in the following queries to Shodan:

In this case – no ICS devices found open on the Internet in a 3 km radius around the Unimar Marmara Ereğlisi Power Plant in Turkey. Which is a good thing!
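As an added example (not the transform code from the post), here is how the transform-setting format described above could be parsed, combined with a user filter such as the city or geo parameter, and how per-term hits would be merged so a device matching several ICS terms is counted once. The geo filter syntax (lat,lon,radius) is assumed from Shodan’s documentation; the second setting entry and the IP addresses used in the comments are constructed placeholders.

```python
from dataclasses import dataclass

# Transform setting format from the post:
#   Shodan_query_1#Description_1|Shodan_query_2#Description_2
# The PCWorx entry is the one the post quotes; the second entry is a
# constructed placeholder, not a real Shodan ICS search term.
ICS_SETTING = "port:1962 PLC#PCWorx| EXAMPLE_QUERY#Constructed example |"


@dataclass(frozen=True)
class IcsTerm:
    query: str
    description: str


def parse_ics_setting(setting: str) -> list[IcsTerm]:
    """Split the '|'-separated setting into (query, description) pairs.

    Blank entries and stray whitespace are tolerated so a hand-edited
    setting does not break every query; an entry without a description
    falls back to the query text itself.
    """
    terms = []
    for entry in setting.split("|"):
        entry = entry.strip()
        if not entry:
            continue
        query, _sep, desc = entry.partition("#")
        query = query.strip()
        terms.append(IcsTerm(query, desc.strip() or query))
    return terms


def geo_filter(lat: float, lon: float, radius_km: float) -> str:
    """Shodan 'geo' filter for a point and radius in km (syntax assumed)."""
    return f"geo:{lat},{lon},{radius_km:g}"


def build_queries(terms: list[IcsTerm], user_filter: str) -> dict[str, str]:
    """One Shodan query per ICS term, with the user's filter appended."""
    return {t.description: f"{t.query} {user_filter}".strip() for t in terms}


def merge_results(hits_per_term: dict[str, list[str]]) -> dict[str, set[str]]:
    """Collapse per-term hits (description -> IPs, e.g. constructed
    192.0.2.x addresses) to one entry per IP with the set of matching
    terms, so a device matching two ICS terms is counted once."""
    by_ip: dict[str, set[str]] = {}
    for desc, ips in hits_per_term.items():
        for ip in ips:
            by_ip.setdefault(ip, set()).add(desc)
    return by_ip
```

The merged per-IP map is what an asset owner would reconcile against their own inventory when checking whether a site of theirs exposes anything Shodan has indexed.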

We spent a while doing this and it quickly became clear that it was going to be time consuming. Surely there was a way to automate it? There was. Geonames is:

Better still – they have a friendly API. You could ask Geonames things like ‘what are the GPS coordinates of all power stations in Japan?’. In Maltego it looks like this:

The country is passed as a transform parameter. We send the country code ‘jp’ – and get back the GPS coordinates of 51 power stations in Japan:

I think you can see where we’re going with this? Right?... RIGHT? 😉

No? OK – let’s do this step by step. Let’s assume we have a 0day for some ICS device, we’re a nation state and we want to attack a country’s power infrastructure. We cannot do proper attribution on the devices as they are not located on the power companies’ networks and they don’t have forward or reverse DNS names that point to the company. So unless we have boots on the ground we simply don’t know what to hit. So we decide to target IPs that match ICS device characteristics, are open on the Internet and are physically located close to these power stations. We know we’re going to have collateral damage (e.g. devices that are within the physical range of the target power stations but do not actually belong to the station), but that’s OK because those might be secondary targets anyhow.

Here’s the process in pictures. As a country we chose Poland. It’s not because we don’t like people from Poland. It’s because they’re understanding people. They understand this is not about them. We actually really like Polish people – that’s why we blurred out the IP addresses.

Baby seals,

PS: currently the ICS Shodan transforms are not publicly available but with the right motivation we'll release them!