Xanda's Blog !~!

Default SCADA Ports

Jun
14

Just a re-mirror of http://pastebin.com/EwCibKgc

# Default Scada Ports
 
- xflix
 
+-------+---------------------------------------+
| Port  | Description                           |
+-------+---------------------------------------+
| 502   | Modbus                                |
| 1089  | Foundation Fieldbus HSE               |
| 1090  | Foundation Fieldbus HSE               |
| 1091  | Foundation Fieldbus HSE               |
| 1541  | Foxboro/Invensys Foxboro DCS Informix |
| 1883  | MQ Telemetry Transport                |
| 2222  | EtherNet/IP                           |
| 3480  | OPC UA Discovery Server               |
| 4000  | Emerson/Fisher ROC Plus               |
| 4592  | Project/SCADA Node Primary Port       |
| 5050  | Telvent OASyS DNA                     |
| 5052  | Telvent OASyS DNA                     |
| 5065  | Telvent OASyS DNA                     |
| 5450  | OSIsoft PI Server                     |
| 10307 | ABB Ranger 2003                       |
| 10311 | ABB Ranger 2003                       |
| 10364 | ABB Ranger 2003                       |
| 10407 | ABB Ranger 2003                       |
| 10409 | ABB Ranger 2003                       |
| 10412 | ABB Ranger 2003                       |
| 10414 | ABB Ranger 2003                       |
| 10428 | ABB Ranger 2003                       |
| 10431 | ABB Ranger 2003                       |
| 10447 | ABB Ranger 2003                       |
| 10449 | ABB Ranger 2003                       |
| 12316 | ABB Ranger 2003                       |
| 12645 | ABB Ranger 2003                       |
| 12647 | ABB Ranger 2003                       |
| 13722 | ABB Ranger 2003                       |
| 11001 | Johnson Controls Metasys N1           |
| 12135 | Telvent OASyS DNA                     |
| 13724 | ABB Ranger 2003                       |
| 13782 | ABB Ranger 2003                       |
| 14592 | SCADA Node Secondary Port             |
| 18000 | Iconics Genesis32 GenBroker (TCP)     |
| 19999 | DNP                                   |
| 20000 | DNP3                                  |
| 34962 | PROFINET                              |
| 34963 | PROFINET                              |
| 34964 | PROFINET                              |
| 34980 | EtherCAT                              |
| 38589 | ABB Ranger 2003                       |
| 38593 | ABB Ranger 2003                       |
| 38000 | SNC GENe                              |
| 38011 | SNC GENe                              |
| 38014 | SNC GENe                              |
| 38200 | SNC GENe                              |
| 38210 | SNC GENe                              |
| 38301 | SNC GENe                              |
| 38400 | SNC GENe                              |
| 38600 | ABB Ranger 2003                       |
| 38700 | SNC GENe                              |
| 38971 | ABB Ranger 2003                       |
| 39129 | ABB Ranger 2003                       |
| 39278 | ABB Ranger 2003                       |
| 44818 | EtherNet/IP                           |
| 45678 | Foxboro/Invensys Foxboro DCS AIMAPI   |
| 47808 | BACnet/IP                             |
| 50001 | Siemens Spectrum Power TG             |
| 50018 | Siemens Spectrum Power TG             |
| 50020 | Siemens Spectrum Power TG             |
| 50025 | Siemens Spectrum Power TG             |
| 50110 | Siemens Spectrum Power TG             |
| 55000 | FL-net Reception                      |
| 55003 | FL-net Transmission                   |
| 55550 | Foxboro/Invensys Foxboro DCS FoxAPI   |
| 56001 | Telvent OASyS DNA                     |
| 62900 | SNC GENe                              |
| 62911 | SNC GENe                              |
| 62924 | SNC GENe                              |
| 62930 | SNC GENe                              |
| 62938 | SNC GENe                              |
| 62956 | SNC GENe                              |
| 62963 | SNC GENe                              |
| 62981 | SNC GENe                              |
| 62985 | SNC GENe                              |
| 62992 | SNC GENe                              |
| 63012 | SNC GENe                              |
| 63027 | SNC GENe                              |
| 63041 | SNC GENe                              |
| 63075 | SNC GENe                              |
| 63079 | SNC GENe                              |
| 63082 | SNC GENe                              |
| 63088 | SNC GENe                              |
| 63094 | SNC GENe                              |
| 65443 | SNC GENe                              |
+-------+---------------------------------------+
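A defender-side use of the list above, as an added example that is not part of the mirrored paste: it runs over constructed firewall log lines and flags any connection to a known ICS port that does not originate from an assumed OT engineering subnet. The key=value log format, the 10.20.0.0/16 allow-list and the sample lines are all assumptions; the port-to-service mapping is a subset of the table.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Subset of the port table above, used to label destination ports.
ICS_PORTS: Dict[int, str] = {
    502: "Modbus",
    1883: "MQ Telemetry Transport",
    2222: "EtherNet/IP",
    5450: "OSIsoft PI Server",
    20000: "DNP3",
    34962: "PROFINET",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Assumption: only this (constructed) engineering subnet may talk to ICS ports.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]


class Finding(NamedTuple):
    src: str
    dst: str
    port: int
    service: str


def flag_ics_connections(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that hits an ICS port from a non-allowed source."""
    findings: List[Finding] = []
    for line in lines:
        try:
            # Assumed format: "src=A dst=B dport=N proto=P"; dict() raises on tokens without "=".
            fields = dict(tok.split("=", 1) for tok in line.split())
            port = int(fields["dport"])
            src = ipaddress.ip_address(fields["src"])
        except (ValueError, KeyError):
            continue  # malformed line: skip it rather than abort the whole run
        service = ICS_PORTS.get(port)
        if service is None or any(src in net for net in ALLOWED_SOURCES):
            continue  # not an ICS port, or an allow-listed engineering host
        findings.append(Finding(str(src), fields.get("dst", "?"), port, service))
    return findings


# Constructed sample log: one allowed host, two internal strays, one external source, one bad line.
SAMPLE_LOG = [
    "src=10.20.1.5 dst=10.30.0.7 dport=502 proto=tcp",
    "src=192.0.2.44 dst=10.30.0.7 dport=502 proto=tcp",
    "src=172.16.9.9 dst=10.30.0.9 dport=20000 proto=tcp",
    "src=172.16.9.9 dst=10.30.0.9 dport=443 proto=tcp",
    "garbage line",
    "src=198.51.100.3 dst=10.30.0.12 dport=47808 proto=udp",
]

if __name__ == "__main__":
    for f in flag_ics_connections(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.port} ({f.service})")
```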

Find Vulnerable SCADA Systems with Shodan

Nov
10

Here are some useful queries:

  • http://www.shodanhq.com/?q=port:161+country:US+simatic
  • http://www.shodanhq.com/?q=PLC
  • http://www.shodanhq.com/?q=allen+bradley
  • http://www.shodanhq.com/?q=fanuc
  • http://www.shodanhq.com/?q=Rockwell
  • http://www.shodanhq.com/?q=Cimplicity
  • http://www.shodanhq.com/?q=Omron
  • http://www.shodanhq.com/?q=Novatech
  • http://www.shodanhq.com/?q=Citect
  • http://www.shodanhq.com/?q=RTU
  • http://www.shodanhq.com/?q=Modbus+Bridge
  • http://www.shodanhq.com/?q=modicon
  • http://www.shodanhq.com/?q=bacnet
  • http://www.shodanhq.com/?q=telemetry+gateway
  • http://www.shodanhq.com/?q=SIMATIC
  • http://www.shodanhq.com/?q=hmi
  • http://www.shodanhq.com/?q=siemens+-…er+-Subscriber
  • http://www.shodanhq.com/?q=scada+RTS
  • http://www.shodanhq.com/?q=SCHNEIDER
  • http://www.shodanhq.com/?q=port%3A161+simatic
  • http://www.shodanhq.com/?q=telemetry+gateway
  • http://www.shodanhq.com/?q=%22cisco-ios%22%20%22last-modified%22

Erk... How to exploit?

  1. Default password (uhukk uhukk WinCC)
  2. http://reversemode.com/index.php?option=com_content&task=view&id=65&Itemid=1
  3. http://www.elladodelmal.com/2010/05/shodan-y-sistemas-scada.html
  4. [..]

What else to exploit?