0x00 前言
- 下面的数据是根据Shodan搜索引擎总结出来的,做要用于识别工控设备和摄像头。如果要将摄像头分为一类,则根据product、server字段的值进行正则匹配,匹配到的IP即可认为是摄像头。
- 另一项比较全面的总结是工控协议的总结,每一项工控协议都有Shodan对其的介绍,介绍完之后,第一行数据是通过Shodan搜索引擎进行搜索所使用的搜索语句;第二行数据是数据库中module字段的值,在数据库中搜索即可发现使用工控协议的IP,进而将这些IP打上工控协议/工控设备等这种样子的IP。
- 至于如何获取这些数据,这些数据是通过Shodan API获取的,API中的host函数可以返回传入的IP的信息,对返回信息进行解析,保存我们需要的信息即可。
0x01 这些数据需要通过正则进行匹配
product 摄像头
DVR
D-Link
Avtech
Netwave
GeoVision
Vivotek
Axis 207W Network Camera ftpd
product字段 路由器
DD-WRT
Cisco
Linksys
server字段 摄像头
NVR Webserver
Hikvision-Webs
SQ-WEBCAM
Avtech
IPCamera_Logo
U S Software Web Server
yawcam
Yawcam
MJPG-Streamer/0.2
go1984
UBNT Streaming Server v1.2
Pan/Tilt
BlueIris-HTTP/1.1
IP Webcam Server
i-Catcher Console
GeoHttpServer
Android Webcam Server
GoAhead-Webs
ADH-Web
VB100
Linux/2.x UPnP/1.0 Avtech/1.0
Camera Web Server
Cam
webcamXP
server字段 scada系统
Scada
scada
SCADA
0x02 这些可以直接查找准确的module名称进行匹配
工控协议
The following protocols are some of the languages that the industrial control systems use to communicate across the Internet. Many of them were developed before the Internet became widely used, which is why Internet-accessible ICS devices dont always require authentication - it isnt part of the protocol!
- Modbus
Modbus协议是应用于电子控制器上的一种协议。通过此协议设备间可以通信。它已成为一通用工业标准。
Modbus is a popular protocol for industrial control systems (ICS). It provides easy, raw access to the control system without requiring any authentication.- port:502
- module modbus
- Siemens S7
s7协议是SIEMENS s7协议族的标准通信协议,使用s7-应用接口的通信不依赖特定的总线系统。
S7 (S7 Communication) is a Siemens proprietary protocol that runs between programmable logic controllers (PLCs) of the Siemens S7 family.- port:102
- module: s7
- DNP3
DNP(Distributed Network Protocol,分布式网络规约)是一种应用于自动化组件之间的通讯协议,常见于电力、水处理等行业。SCADA可> 以使用DNP协议与主站、RTU、及IED进行通讯。
DNP3 (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems. Its main use is in utilities such as electric and water companies.- port:20000 source address
- module: dnp3
- Niagara Fox
Fox协议是Tridium公司开发的Niagara框架的一部分,广泛应用于楼宇自动化控制系统。
The Fox protocol, developed as part of the Niagara framework from Tridium, is most commonly seen in building automation systems (offices, libraries, Universities, etc.)- port:1911,4911 product:Niagara
- module: fox
- BACnet
楼宇自动控制网络数据通讯协议(BACnet)是针对采暖、通风、空调、制冷控制设备所设计,同时也为其他楼宇控制系统(例如照明、安保、消防等系统)的集成提供一个基本原则。
BACnet is a communications protocol for building automation and control networks. It was designed to allow communication of building automation and control systems for applications such as heating, air-conditioning, lighting, and fire detection systems.- port:47808
- module: bacnet
- EtherNet/IP
Ethernet/IP是一个面向工业自动化应用的工业应用层协议。它建立在标准UDP/IP与TCP/IP协议之上,利用固定的以太网硬件和软件,为配置、访问和控制工业自动化设备定义了一个应用层协议。
EtherNet/IP was introduced in 2001 and is an industrial Ethernet network solution available for manufacturing automation.- port 44818
- module: ethernetip, ethernetip-udp
- GE-SRTP
GE-SRTP协议由美国通用电气公司开发,GE PLC可以通过GE-SRTP进行数据通信和数据传输。
Service Request Transport Protocol (GE-SRTP) protocol is developed by GE Intelligent Platforms (earlier GE Fanuc) for transfer of data from PLCs.- port:18245,18246 product:"general electric"
- module: general-electric-srtp
- HART-IP
HART协议是美国Rosement公司于1985年推出的一种用于现场智能仪表和控制室设备之间的通信协议。现已成为全球智能仪表的工业标准 。
The HART Communications Protocol (Highway Addressable Remote Transducer Protocol) is an early implementation of Fieldbus, a digital industrial automation protocol. Its most notable advantage is that it can communicate over legacy wiring.- port:5094 hart-ip
- module: hart-ip-udp
- PCWorx
PCWorx协议由菲尼克斯电气公司开发,目前广泛使用于工控系统。PCWORX3.11是菲尼克斯电气公司的专用协议。
PCWorx is a protocol and program by Phoenix Contact used by a wide range of industries.- port:1962 PLC
- module: pcworx
- MELSEC-Q
MELSEC-Q系列设备使用专用的网络协议进行通讯,该系列设备可以提供高速、大容量的数据处理和机器控制。
MELSEC-Q Series use a proprietary network protocol for communication. The devices are used by equipment and manufacturing facilities to provide high-speed, large volume data processing and machine control.- port:5006,5007 product:mitsubishi
- module: melsec-q-tcp
- OMRON FINS
欧姆龙PLC使用网络协议FINS进行通信,可通过多种不同的物理网络,如以太网、控制器连接等。
FINS, Factory Interface Network Service, is a network protocol used by Omron PLCs, over different physical networks like Ethernet, Controller Link, DeviceNet and RS-232C.- port:9600 response code
- module: omron-tcp
- Crimson v3
协议被Crimson桌面软件用于与Red Lion G306工控系统的HMI人机接口。
The protocol the Crimson v3.0 desktop software uses when communicating with the Red Lion Controls G306a human machine interface (HMI).- port:789 product:"Red Lion Controls"
- redlion-crimson3
- Codesys
CoDeSys编程接口在全球范围内使用广泛,全球上百个设备制造商的自动化设备中都是用了该编程接口。
Over 250 device manufacturers from different industrial sectors offer automation devices with a CODESYS programming interface. Consequently, thousands of users such as machine or plant builders around the world employ CODESYS for automation tasks.- port:2455 operating system
- module: codesys
- IEC 60870-5-104
IEC 60870-5-104是国际电工委员会制定的一个规范,用于适应和引导电力系统调度自动化的发展,规范调度自动化及远动设备的技术性能。
IEC 60870 part 5 is one of the IEC 60870 set of standards which define systems used for SCADA in electrical engineering and power system automation applications.- port:2404 asdu address
- module: iec-104
- ProConOS
ProConOS是德国科维公司(KW-Software GmbH)开发的用于PLC的实时操作系统,它是一个高性能的PLC运行时引擎,目前广泛使用于基于嵌入式和PC的工控系统。
ProConOS is a high performance PLC run time engine designed for both embedded and PC based control applications.- port:20547 PLC
- module: proconos
- moxa-nport
Moxa 串口服务器专为工业应用而设计。不通配置组合的串口服务器更能符合不同工业现场的需求。NPort系列串口服务器让传统 RS-232/422/485设备立即联网,提供您基于IP的串口联网解决方案。- port:4800
- moxa-nport
附上Mongdb中存储的Shodan数据结构以供参考
{
"_id" : ObjectId("5a40aee51f7920c866d75f84"),
"ip_str" : "58.152.101.254",
"region_code" : "00",
"ip" : 983066110,
"postal_code" : null,
"country_code" : "HK",
"city" : "North Point",
"dma_code" : null,
"last_update" : "2017-12-24T23:00:12.582766",
"vulns" : [
"!CVE-2014-0160"
],
"latitude" : 22.3,
"status" : "200",
"tags" : [],
"timestamp" : "2017-12-25 15:55:16",
"area_code" : null,
"country_name" : "Hong Kong",
"hostnames" : [
"n058152101254.netvigator.com"
],
"org" : "Netvigator",
"banner" : [
{
"product" : "nginx",
"devicetype" : null,
"module" : "http-simple-new",
"tags" : null,
"timestamp" : "2017-12-24T23:00:12.582766",
"port" : 5000,
"transport" : "tcp",
"server" : "nginx"
},
{
"product" : null,
"devicetype" : null,
"module" : "http",
"tags" : null,
"timestamp" : "2017-12-21T04:50:11.716715",
"port" : 80,
"transport" : "tcp",
"server" : null
},
{
"product" : "OpenSSH",
"devicetype" : null,
"module" : "ssh",
"tags" : null,
"timestamp" : "2017-12-20T14:48:02.597978",
"port" : 22,
"transport" : "tcp",
"server" : null
},
{
"product" : "nginx",
"devicetype" : null,
"module" : "https",
"tags" : null,
"timestamp" : "2017-12-19T17:23:49.953396",
"port" : 443,
"transport" : "tcp",
"server" : "nginx"
},
{
"product" : null,
"devicetype" : null,
"module" : "https-simple-new",
"tags" : null,
"timestamp" : "2017-12-08T19:51:10.994940",
"port" : 5001,
"transport" : "tcp",
"server" : "nginx"
}
],
"asn" : "AS4760",
"isp" : "Netvigator",
"longitude" : 114.2,
"country_code3" : "HKG",
"os" : null,
"ports" : [
5000,
80,
22,
443,
5001
]
}
