How Google Can Be Used in ICS/OT OSINT

Welcome to the second installment of our series “ICS/OT OSINT” where we delve into the use of Open Source Intelligence (OSINT) to boost cybersecurity within Industrial Control Systems (ICS) and Operational Technology (OT). This series offers insights into practical strategies, highlights unique challenges, and shares breakthroughs that shape how OSINT is utilized in these crucial sectors. As a personal and experimental endeavor, I acknowledge the potential for errors or oversights in my analysis.

In my previous topic “OT Hunt: Moxa Nport” I demonstrated how to locate Moxa Nport devices using Shodan. This time, I’ll show you how to access their web interface via Google and extract various types of OSINT-related information on ICS devices. This technique can be applied to any ICS/OT device, provided you know what you’re looking for. My project, ICSRank, aims to guide you in initiating OSINT activities related to ICS/OT and discovering them on the internet. This feature will be available in future releases.

Today’s case study focuses on the Moxa Nport web console. Moxa Nport has numerous models, such as 5150, 5210, 5387, 5250, 5110, and 5130. To find a specific model, like 5130, simply append “A” after the digits. Thus, the Google dork would be:

intitle:"Nport Web Console" intext:"5130A"

If you’re searching by local IP address, the dork becomes:

intitle:"Nport Web Console" intext:192.168.0.250

This can also reveal its public IP, which might expose internal details about the ICS network.

Finding an ICS device by its MAC address is another crucial piece of information:

intitle:"Nport Web Console" intext:00:90:E8:58:DB:7B

You can also list existing Nport devices with specific firmware versions:

intitle:"Nport Web Console" intext:"1.2 Build 15041515"

This is particularly important because many attackers look for vulnerable devices based on their firmware. Hence, this dork can be very useful, and I encourage you to use your creativity to build on this information.

As you can see, you can target specific hosts like MAC address or local IP, or scan the internet to find information such as model name and build version. This OSINT technique is crucial in OT cybersecurity. We’re not just determining if a device is online; we’re accessing a login portal and gathering detailed device information (IP, Model, Firmware, MAC address). If these details are crafted and researched well, the targeted device can be compromised. This technique should also be seriously considered by defenders to secure and take appropriate steps towards protecting their devices if they are exposed.

In closing, I invite you to explore our project, ICSRank — a unique tool tailored for the ICS/OT domain, exemplifying our commitment to enhancing ICS/OT cybersecurity. With its capabilities to Discover, Assess, and Secure, ICSRank stands as a vital resource in fortifying ICS/OT environments against cyber threats.