OT Hunt: Finding ICS/OT with FOFA

Sulaiman Alhasawi
5 min read · Feb 15, 2024


Welcome to the 11th topic of “OT Hunt,” a series dedicated to exposing ICS/OT devices connected to the internet, aimed at building awareness within the ICS community. This research serves as a warning to asset owners and ICS/OT vendors, urging them to secure their assets’ attack surfaces. In this installment, we delve into a comparative analysis of FOFA and Shodan, two pivotal tools in the cybersecurity landscape. Developed by Beijing Huashun Xin’an Technology Co., Ltd., FOFA is tailored for penetration testers and security researchers, offering advanced functionality to search for assets, identify vulnerabilities, detect Indicators of Compromise (IOCs), and perform open-source intelligence (OSINT) gathering. This article not only highlights FOFA’s features but also contrasts them with Shodan, providing insight into their respective strengths and applications in ICS/OT cybersecurity research.

Supported ICS/OT Protocols

What sets FOFA apart from similar platforms like Shodan is its extensive support for a broad spectrum of protocols and products, such as Vertx Edge and Lantronix UDP. This wide-ranging support renders FOFA an invaluable asset for professionals engaged with ICS/OT, enabling precise searches via specific parameters like protocol, application, or product.

Data presentation

Something noteworthy in the comparison between FOFA and Shodan is how they handle and display data from tools like Nmap, particularly scripts targeting ICS devices. Shodan presents detailed outputs from Nmap ICS scripts, offering extensive information about the device’s vendor, product, and firmware. On the other hand, FOFA takes a different approach by filtering and summarizing the information, making it more digestible. This approach is particularly beneficial for beginners, as it simplifies the complexity of the data and saves time for users who need quick insights rather than exhaustive details.

Subscription

It’s noteworthy, however, that FOFA operates on a monthly subscription basis, a factor that might influence user preference over Shodan, which offers a variety of free features.

Search capabilities

Despite this, the unique search capabilities of FOFA, including operators like “||”, “&&”, “body=”, “title=”, and “icon_hash=”, offer a level of specificity that can justify the investment for many.

Navigation

FOFA simplifies the navigation and identification of relevant ICS assets by categorizing them, akin to Shodan. This categorization can be explored at FOFA’s subject categories page.

User Interface

A particularly user-friendly feature of FOFA is its interface, which offers autocomplete suggestions for search queries. This is a significant advantage over Shodan, as it not only expedites the search process but also aids in uncovering potential search terms that might not have been initially considered.

[Figure: FOFA auto-completion]
[Figure: FOFA product suggestions]

ICS/OT Tags

Shodan restricts its “ics” tag for ICS/OT device searches to enterprise users, often making it a costly option. Conversely, FOFA offers a similar capability through its product="Industrial-Control-Products" filter, accessible to all users.

Here’s an example showcasing FOFA’s capability to provide detailed information on a device, including IP address, product name, protocol information, etc. For a complete and updated list of filters for FOFA, check out my ICS-OT-iIoT dorks project at GitHub.

Web Interface

In addition to the aforementioned features, it’s worth highlighting a unique feature of FOFA that is not available in Shodan: the ability to search specifically for web interfaces. This functionality is not just a technical advantage; it’s a critical component of cybersecurity hygiene. The presence of web interfaces on ICS/OT devices can pose significant risks, often stemming from misconfigurations that leave systems vulnerable to unauthorized access and exploitation. Below is an example of how to find a WAGO web interface.

Case Study 1: Identifying ICS/OT Protocols

A practical demonstration of FOFA’s capabilities can be seen in how it facilitates the discovery of specific ICS/OT protocols. By employing the search parameter protocol=, users can efficiently find the protocols they are interested in, such as:

protocol="s7"
  • modbus
  • moxa
  • lantronix
  • vertx
  • HART-IP
  • codesys
  • gesrtp
  • s7
  • omron
  • fox
  • ethernetip
  • dnp3
  • bacnet
  • melsecq
  • pcworx
  • proconos
  • redlion
  • iec
  • smux
  • secure-fox
  • lantronix_config

Case Study 2: Discovering ICS/OT Products

Further research within FOFA allows for the compilation of a list of supported protocols and OT products essential for cybersecurity professionals in the ICS/OT sector. Utilizing the product= and app= filters facilitates searches for specific products or software names, including:

product="MOXA-NP5110A"
app="Schneider-CitectSCADA"
  • Honeywell-XL-Web-Controller
  • RA-Allen-Bradley-1766-L32BWA
  • RA-MicroLogix-1400
  • RA-SCADA-PLC
  • RA-1766-L32BXB
  • Yokogawa-Device-CA
  • Yokogawa-Electric-DX1000/2000
  • PHOENIX_CONTACT-PLC
  • WAGO-Web-Based-Management
  • SIEMENS-SIMATIC-PCS7
  • Schneider-CitectSCADA
  • Schneider-TM221CE16R
  • Industrial-Control-Products
  • 3S_Smart_Software-Products
  • Automated_Logic-Company-Products
  • MOXA-Nport-Devices
  • SIEMENS-SIMATIC series
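The search operators in the “Search capabilities” section and the protocol= / product= / app= filters in the two case studies compose into a single query language. The following Python is an added example (not code from the post, from FOFA, or from the ICS-OT-iIoT dorks project) showing how an asset owner can build those queries programmatically and then triage a result set against their own address ranges, so that an exposed Modbus, S7 or WAGO web interface on their own network is flagged rather than buried in a global listing. The result records, the TEST-NET address ranges, and the field names ip/port/protocol/product are constructed for the example; the ip= filter and the base64-encoded query parameter are assumptions about FOFA’s syntax and HTTP API, not facts from the post.

```python
"""Compose FOFA queries from the post's ICS/OT filters and triage results
against an asset owner's own ranges (added example; not FOFA's own code)."""
import base64
import ipaddress
from typing import Dict, Iterable, List

# Filter values taken from the post's protocol and product lists.
ICS_PROTOCOLS = ["modbus", "s7", "dnp3", "bacnet", "ethernetip"]
ICS_TAG = "Industrial-Control-Products"


def fofa_term(key: str, value: str) -> str:
    """Render one key="value" term. FOFA values are double-quoted, so an
    embedded quote is escaped to keep the term well-formed."""
    escaped = value.replace('"', '\\"')
    return f'{key}="{escaped}"'


def any_of(key: str, values: Iterable[str]) -> str:
    """OR several values of one filter with ||, parenthesised so the clause
    can be combined with && without ambiguity."""
    return "(" + " || ".join(fofa_term(key, v) for v in values) + ")"


def all_of(*clauses: str) -> str:
    """AND clauses together with &&."""
    return " && ".join(clauses)


def scoped_query(own_ranges: Iterable[ipaddress.IPv4Network]) -> str:
    """Query for ICS protocols or the ICS product tag, limited to the owner's
    own CIDR ranges. ASSUMPTION: FOFA accepts ip="a.b.c.d/len" as a filter."""
    return all_of(
        any_of("ip", (str(n) for n in own_ranges)),
        "(" + all_of(any_of("protocol", ICS_PROTOCOLS)) + " || " + fofa_term("product", ICS_TAG) + ")",
    )


def encode_query(query: str) -> str:
    """ASSUMPTION: FOFA's HTTP API takes the query base64-encoded (qbase64)."""
    return base64.b64encode(query.encode("utf-8")).decode("ascii")


def decode_query(encoded: str) -> str:
    """Inverse of encode_query, useful when auditing what a script sends."""
    return base64.b64decode(encoded).decode("utf-8")


# Constructed asset-owner ranges (RFC 5737 TEST-NET blocks, not real assets).
OWN_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]

# Constructed result records in the shape a search hit might take; not real FOFA output.
SAMPLE_RESULTS: List[Dict] = [
    {"ip": "203.0.113.17", "port": 502, "protocol": "modbus", "product": ICS_TAG},
    {"ip": "192.0.2.44", "port": 102, "protocol": "s7", "product": "SIEMENS-SIMATIC series"},
    {"ip": "198.51.100.9", "port": 80, "protocol": "http", "product": "WAGO-Web-Based-Management"},
    {"ip": "203.0.113.200", "port": 20000, "protocol": "dnp3", "product": ""},
]


def own_exposures(results: Iterable[Dict], own_ranges: Iterable[ipaddress.IPv4Network]) -> List[Dict]:
    """Keep only hits whose IP lies inside the owner's ranges, ordered by IP
    then port, so the output is a stable exposure list for remediation."""
    nets = list(own_ranges)
    hits = [r for r in results if any(ipaddress.ip_address(r["ip"]) in n for n in nets)]
    return sorted(hits, key=lambda r: (ipaddress.ip_address(r["ip"]), r["port"]))


if __name__ == "__main__":
    q = scoped_query(OWN_RANGES)
    print("query:", q)
    print("encoded:", encode_query(q))
    for hit in own_exposures(SAMPLE_RESULTS, OWN_RANGES):
        print(f'{hit["ip"]}:{hit["port"]} {hit["protocol"]} {hit["product"] or "(no product tag)"}')
```

The 192.0.2.44 S7 hit is dropped because it is outside the owner's ranges; the three remaining hits are the ones an asset owner would take to the network team, with the WAGO web-management interface on port 80 being exactly the kind of exposure the “Web Interface” section warns about.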

Conclusion

In conclusion, after years of researching and gathering OSINT for ICS/OT using various search engines like Shodan, Censys, and Google, I’m thrilled to have discovered FOFA. Its comprehensive features and user-friendly interface make FOFA a valuable addition to my arsenal of tools for conducting ICS/OT OSINT. As a final note, I invite you to check out ICSrank, my own OSINT tool designed specifically for finding ICS/OT devices. Stay tuned, as integration with more OSINT resources is on the horizon, promising to enhance ICSrank’s capabilities and provide even more value to those in the field of cybersecurity.
