Class 8 Lab 1 ‐ Searching Shodan - Justin-Boyd/CIT-Class GitHub Wiki

Task: Working with Shodan

Step 1

Step 2

  • Click Register and fill in the necessary details. After completing the account information, click CREATE.

Step 3

  • Open your email, look for a message from Shodan, and click the link to activate the account.

Step 4

  • After clicking the link, you will be automatically logged in to Shodan. Click SHODAN in the top left corner to go to the homepage.

Step 5

  • In Shodan, search for plc city:"shanghai" to find a PLC in Shanghai, China.

Step 6

  • Select a device to inspect it further and click its IP. You should notice the open ports, CVEs, protocols, module type, services, and versions. You can gather a lot of information here.

Step 7

  • What are the possible risks to a factory if a PLC becomes compromised?
Answer
A compromised PLC can lead to actual damage if targeted by a cyberattack. The first case of this was the Stuxnet worm, which was designed to damage an Iranian uranium-enrichment facility. Another case was the 2015 German steel mill attack, which resulted in an unresponsive blast furnace that could not be shut down, causing massive damage.

Step 8

  • In Shodan, search for rte country:"DE" to find a remote terminal unit in Germany.

Step 9

  • Select one of the IP addresses for further inspection. You should notice the open ports, CVEs, protocols, module type, services, and versions. You can gather a lot of information here to exploit the device.

Step 10

  • What are the potential risks to a factory if an RTU is compromised?
Answer
An RTU is often used to monitor and control equipment at remote locations and locations with extreme environmental conditions. If an RTU is compromised, it may lead to extensive damage since it may take a lot of time for someone to arrive and mitigate the attack.

Step 11

  • In Shodan, search for port 8883, which is used by Message Queuing Telemetry Transport (MQTT). MQTT is used for communication with IIoT devices and human-machine interfaces (HMIs).

Step 12

  • Select an IP to further inspect the device. (This may differ from the image shown.) Again, note the information that can be seen here, such as open ports, ISP, and services.
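
An asset owner can review the same fields noted in Steps 6, 9, and 12 (open ports, CVEs, services, versions) for their own addresses. The following is an added example, not part of the original lab, that triages one host record and lists industrial protocols first. The record is constructed; its field names (ip_str, data, vulns, _shodan.module) are assumptions modeled on Shodan's host JSON, and triage() and report() are hypothetical helper names.

```python
# Added example: triage a Shodan-style host record for an address you own.
# Field names are assumptions modeled on Shodan's host JSON.

# Default ports of common industrial protocols, including MQTT from Step 11.
ICS_PORTS = {
    102: "Siemens S7", 502: "Modbus/TCP", 1883: "MQTT (plaintext)",
    8883: "MQTT over TLS", 20000: "DNP3", 44818: "EtherNet/IP", 47808: "BACnet",
}

# Constructed record: TEST-NET address and a placeholder CVE id.
SAMPLE_HOST = {
    "ip_str": "192.0.2.10",
    "vulns": ["CVE-0000-00000"],
    "data": [
        {"port": 443, "transport": "tcp", "product": "nginx",
         "_shodan": {"module": "https"}},
        {"port": 8883, "transport": "tcp", "_shodan": {"module": "mqtt"}},
        {"port": 502, "transport": "tcp", "product": "Example PLC",
         "version": "1.0", "_shodan": {"module": "modbus"}},
    ],
}

def triage(host):
    """Classify each banner; ICS protocols sort ahead of everything else."""
    findings = []
    for banner in host.get("data", []):
        port = banner.get("port")
        proto = ICS_PORTS.get(port)
        name = [banner.get("product"), banner.get("version")]
        findings.append({
            "port": port,
            "transport": banner.get("transport", "tcp"),
            "module": banner.get("_shodan", {}).get("module", "unknown"),
            "service": " ".join(p for p in name if p) or "unidentified",
            "ics_protocol": proto,
            "severity": "high" if proto else "review",
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["port"]))
    return {"ip": host.get("ip_str"), "cves": sorted(host.get("vulns", [])),
            "findings": findings}

def report(result):
    """Render the triage result as plain text for a ticket or change request."""
    lines = [f"{result['ip']}: CVE ids listed: {', '.join(result['cves']) or 'none'}"]
    for f in result["findings"]:
        lines.append(f"  [{f['severity']}] {f['port']}/{f['transport']} "
                     f"{f['ics_protocol'] or 'non-ICS'} ({f['service']}, module={f['module']})")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(triage(SAMPLE_HOST)))
```

Any "high" line is a control protocol reachable from the internet and is the first candidate for removal from public exposure.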

Deep Thought

What are the possible risks to a factory if an HMI becomes compromised?

Answer
Attackers target HMI components because they serve as the main hubs for managing critical infrastructure. If an HMI is compromised, the entire SCADA environment may be compromised as well, and all the information that passes through it can be sniffed.