OT Hunt: Finding ICS/OT with ZoomEye

Sulaiman Alhasawi
5 min read · Feb 26, 2024


Welcome to the 12th installment of “OT Hunt,” a series dedicated to uncovering Industrial Control Systems/Operational Technology (ICS/OT) devices connected to the internet. The series aims to raise awareness within the ICS/OT community of how much of this equipment is reachable from the internet and why securing it matters; through this research I issue a cautionary message to asset owners and ICS/OT vendors about the need to reduce the attack surface of their assets. Today I look at ZoomEye, a search engine developed by Beijing Zhichuangyu Information Technology Co., Ltd., better known as Knownsec, to show how many ICS/OT devices it exposes and the risks that exposure implies.

ZoomEye: A Gateway to Discovering ICS/OT

ZoomEye is a cyberspace search engine built by the Chinese company Beijing Zhichuangyu Information Technology Co., Ltd. (Knownsec). Like other internet-wide scanners it indexes the banners of reachable hosts, and its device and protocol fingerprints make it a significant tool for ICS/OT security researchers: the number of specialised filters it offers reflects the growing need to identify exposed, and potentially vulnerable, ICS/OT devices online.

User Interface: Navigating with Ease

ZoomEye’s user interface offers query suggestions and autocomplete, so filter names and component names can be discovered while typing rather than looked up separately. This makes for a smoother search experience and lets users reach the information they need quickly.

Explorer Page: A Catalog of Industrial Devices

ZoomEye’s component (explorer) page is a treasure trove for researchers: it lists the industrial device fingerprints ZoomEye supports together with the filter that selects each one. For a researcher this catalogue is the starting point for pinpointing a specific type of ICS/OT equipment, since it shows exactly which device and app values can be searched for before any query is run.

Discovering ICS Devices: A Three-Pronged Approach

ZoomEye offers three methods for searching ICS devices, each providing unique insights:

  1. By Device Type: ZoomEye’s device filter, for example device:"plc", returns PLCs from many vendors; at the time of writing the search reported around 60,000 entries, which gives a sense of how many controllers are reachable from the internet. The same filter covers other ICS/OT device classes, such as Human Machine Interfaces with device:"HMI". There is no device filter for SCADA, which is to be expected: SCADA names a system architecture rather than a single device fingerprint, so those deployments have to be found through the devices and protocols they expose. Knowing which device types have a filter lets a researcher scope a search to a class of equipment rather than to a single product.
  2. By ICS/OT Protocol Name: The service filter, written as service:"protocol_name" (for example service:"modbus"), finds hosts whose banner ZoomEye has fingerprinted as a given ICS/OT protocol. This is the most vendor-neutral of the three methods: a protocol filter catches every device speaking that protocol regardless of brand, giving a granular view of the protocol landscape. The protocol names ZoomEye recognises are listed in the notes at the end of this article.
  3. By Product Name and Version: The app filter targets a specific product fingerprint, such as app:"Wago ethernet controller http config". This is the most precise of the three methods, and because many of these fingerprints describe a web interface, the results point directly at the configuration pages of named products, which is where product-specific weaknesses are easiest to spot.
device:"plc"
service:"protocol_name"
app:"Wago ethernet controller http config"

Misconfigurations and Vulnerabilities: A Path to Enhanced Security

ZoomEye is useful not only for finding ICS/OT devices but also for spotting misconfigurations. Its filters can be combined to search for devices that also expose services that have no business facing the internet, such as FTP, Telnet, SSH, and web management interfaces, which makes it straightforward to pinpoint hosts where an ICS protocol and an administrative service sit side by side. ZoomEye also integrates with seebug.org, the vulnerability database maintained by Knownsec (available in Chinese and English), and presents related vulnerabilities alongside each target. That matching is made from the fingerprinted product and version, not by probing the host, so its accuracy is limited: treat the listed vulnerabilities as candidates to verify rather than as a definitive list. Used that way, the feature is a useful starting point for proactive identification of weaknesses, with the caveat that every suggestion needs confirmation against the actual device.
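To make the three search methods above and the open-service checks concrete, here is an added Python example; it is not part of the original article and is not ZoomEye’s or Knownsec’s own code or API client. It builds query strings in the filter syntax described above, then triages a constructed result set to produce an inventory by device type, protocol and product, and flags hosts that expose both an ICS protocol and a management service. The JSON layout (a "matches" list with ip, portinfo and geoinfo fields) and the seebug_hints field are assumptions shaped loosely after ZoomEye’s host-search output, the addresses are RFC 5737 documentation ranges, and the assumption that space-separated filters are AND-ed should be checked against ZoomEye’s current syntax documentation.

```python
"""Added example (not from the article, ZoomEye, or Knownsec): build
ZoomEye-style queries and triage a constructed result set for exposed
ICS/OT hosts."""
import json
from collections import Counter, defaultdict

# Service names as they appear in ZoomEye's service filter (see the notes
# at the end of the article).
ICS_SERVICES = {"modbus", "s7", "dnp3", "ethernetip-1", "ge-srtp", "hart-ip",
                "iec 60870-5-104", "niagara-fox", "pcworx", "proconos"}
# Services that should not sit next to an ICS protocol on an internet-facing host.
MGMT_SERVICES = {"ftp", "telnet", "ssh", "http", "https"}


def zoomeye_query(**filters):
    """Build a query string from the filters the article describes.
    Assumption: ZoomEye AND-s space-separated terms; confirm against the
    current search-syntax documentation before automating on it."""
    allowed = ("device", "service", "app", "port", "country")
    parts = []
    for key, value in filters.items():
        if key not in allowed:
            raise ValueError(f"unsupported filter: {key}")
        escaped = str(value).replace('"', '\\"')   # keep embedded quotes intact
        parts.append(f'{key}:"{escaped}"')
    return " ".join(parts)


# Constructed sample shaped like a ZoomEye host-search response.  The field
# layout (matches -> ip, portinfo, geoinfo) and the seebug_hints field are
# assumptions for this example; the addresses are RFC 5737 documentation
# ranges, not real hosts.
SAMPLE_RESPONSE = """
{"matches": [
  {"ip": "203.0.113.10", "portinfo": {"port": 502, "service": "modbus",
   "app": "", "device": "plc"}, "geoinfo": {"country": "DE"},
   "seebug_hints": ["ssvid-example-1"]},
  {"ip": "203.0.113.10", "portinfo": {"port": 23, "service": "telnet",
   "app": "", "device": ""}, "geoinfo": {"country": "DE"}},
  {"ip": "203.0.113.10", "portinfo": {"port": 80, "service": "http",
   "app": "Wago ethernet controller http config", "device": "plc"},
   "geoinfo": {"country": "DE"}},
  {"ip": "198.51.100.7", "portinfo": {"port": 102, "service": "s7",
   "app": "", "device": "plc"}, "geoinfo": {"country": "US"}},
  {"ip": "198.51.100.7", "portinfo": {"port": 22, "service": "ssh",
   "app": "", "device": ""}, "geoinfo": {"country": "US"}},
  {"ip": "198.51.100.20", "portinfo": {"port": 4911, "service": "niagara-fox",
   "app": "", "device": "hmi"}, "geoinfo": {"country": "US"}}
]}
"""


def load_matches(text=SAMPLE_RESPONSE):
    """Parse a response body and return its list of host/port records."""
    return json.loads(text)["matches"]


def inventory(matches):
    """Count device types, services and products: the view behind figures
    such as the article's ~60,000 hits for device:"plc"."""
    devices, services, apps = Counter(), Counter(), Counter()
    for m in matches:
        p = m["portinfo"]
        if p.get("device"):
            devices[p["device"].lower()] += 1
        services[p["service"].lower()] += 1
        if p.get("app"):
            apps[p["app"]] += 1
    return {"device": devices, "service": services, "app": apps}


def exposed_hosts(matches):
    """Group records by IP and report hosts that speak an ICS protocol and
    also expose a management service (the article's open-service check)."""
    by_ip = defaultdict(lambda: {"ics": set(), "management": set(), "hints": set()})
    for m in matches:
        svc = m["portinfo"]["service"].lower()
        port = m["portinfo"]["port"]
        entry = by_ip[m["ip"]]
        if svc in ICS_SERVICES:
            entry["ics"].add(f"{svc}/{port}")
        elif svc in MGMT_SERVICES:
            entry["management"].add(f"{svc}/{port}")
        entry["hints"].update(m.get("seebug_hints", []))
    findings = {}
    for ip, e in by_ip.items():
        if e["ics"] and e["management"]:
            findings[ip] = {
                "ics": sorted(e["ics"]),
                "management": sorted(e["management"]),
                # Derived from the fingerprint, not from testing the host:
                # indicators to verify, never a confirmed vulnerability list.
                "unverified_vuln_hints": sorted(e["hints"]),
            }
    return findings


if __name__ == "__main__":
    for q in (zoomeye_query(device="plc"),
              zoomeye_query(service="modbus", country="DE"),
              zoomeye_query(app="Wago ethernet controller http config")):
        print("query:", q)
    matches = load_matches()
    print("inventory:", inventory(matches))
    for ip, finding in exposed_hosts(matches).items():
        print(ip, finding)
```

The host 198.51.100.20 speaks niagara-fox but exposes no management service, so it is inventoried but not flagged; the two flagged hosts combine an ICS protocol with Telnet, SSH or an HTTP configuration page, which is exactly the pairing worth reporting to an asset owner first. The seebug hint is carried through under an explicitly "unverified" key so that nobody downstream mistakes a fingerprint match for a tested finding.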

The word “config” in an app filter indicates that ZoomEye has fingerprinted a web configuration interface on the device. These filters are particularly useful for finding configuration pages exposed to the internet. Part of the fingerprint comes from the robots.txt file served by the device: the file tells web crawlers which paths they should not index, and on embedded devices those paths are frequently the configuration and login pages themselves, so the file inadvertently reveals where the web interface lives. ZoomEye uses this information to build a filter that both identifies the interface and links directly to it. An example is the filter app:"3M Filtrete 3M-50 thermostat http config", which targets 3M Filtrete thermostats with an exposed web configuration interface.

app:"3M Filtrete 3M-50 thermostat http config"
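The robots.txt signal described above is easy to reproduce for your own devices. The following Python is an added example, not code from the article or from ZoomEye: it parses a constructed robots.txt in the style of an embedded web server, honours User-agent grouping, turns the Disallow paths into concrete URLs and ranks the ones whose names suggest a configuration or login page first. The sample file, the hint list and the base address (an RFC 5737 documentation address) are assumptions made for the example.

```python
"""Added example (not from the article or ZoomEye): extract candidate
web-interface paths from a device's robots.txt, the signal the article says
ZoomEye uses when it builds "http config" fingerprints and direct links."""
from urllib.parse import urljoin

# Constructed robots.txt in the style of an embedded-device web server.
# The paths are illustrative and not taken from any particular product.
SAMPLE_ROBOTS = """\
# keep crawlers away from the configuration pages
User-agent: *
Disallow: /config/
Disallow: /cgi-bin/setup.cgi
Disallow: /admin
Disallow: /images/
Allow: /public/
Disallow:

User-agent: Googlebot
Disallow: /tstat/
"""

# Path fragments that usually mark a configuration or login interface (assumed list).
CONFIG_HINTS = ("config", "setup", "admin", "cgi-bin", "login", "tstat")


def parse_robots(text):
    """Return (user_agent, directive, path) records, honouring robots.txt
    grouping: directives apply to every User-agent line of their group."""
    records, agents, in_directives = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_directives:                    # a new group begins
                agents, in_directives = [], False
            agents.append(value)
        elif field in ("disallow", "allow"):
            in_directives = True
            if value:                            # empty Disallow = allow everything
                for agent in agents or ["*"]:
                    records.append((agent, field, value))
    return records


def candidate_interfaces(base_url, robots_text):
    """Turn Disallow paths into concrete URLs and rank the ones whose
    names hint at a configuration page first."""
    seen, out = set(), []
    for agent, directive, path in parse_robots(robots_text):
        if directive != "disallow" or path in seen:
            continue
        seen.add(path)
        out.append({
            "url": urljoin(base_url, path),
            "agent": agent,
            "looks_like_config": any(h in path.lower() for h in CONFIG_HINTS),
        })
    return sorted(out, key=lambda r: (not r["looks_like_config"], r["url"]))


if __name__ == "__main__":
    for c in candidate_interfaces("http://203.0.113.10/", SAMPLE_ROBOTS):
        flag = "CONFIG?" if c["looks_like_config"] else "       "
        print(flag, c["url"], f"(blocked for {c['agent']})")
```

The check an asset owner wants is the inverse of what a search engine does: fetch /robots.txt from the public address of each device and confirm that every listed path either no longer exists or demands authentication. A Disallow line is advisory to well-behaved crawlers and protects nothing; if the path is reachable, the file has simply published a map of the management interface.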

Conclusion

After extensive research and the use of various OSINT tools for ICS/OT, ZoomEye emerges as a standout resource. Its comprehensive filters and user-friendly interface make it an essential addition to the toolkit of anyone conducting ICS/OT OSINT. As I continue to explore and integrate more resources, the future of ICS/OT security research looks promising. I encourage you to explore ICSrank, my own OSINT tool tailored to discovering ICS/OT devices and evaluating their cybersecurity posture. Stay tuned for further developments that will enhance the capabilities of ICSrank and contribute to the ICS/OT cybersecurity field.

Notes:

The following protocols are among those that can be searched for with ZoomEye’s service filter (names written as ZoomEye uses them, for example service:"modbus"):

  • DNP3
  • ethernetip-1
  • ge-srtp
  • HART-IP
  • iec 60870-5-104
  • lantronix
  • lantronix-config
  • Modbus
  • niagara-fox
  • pcworx
  • proconos
  • s7
  • smux
  • vertx-edge

Here are a few products supported by ZoomEye, with the rest available on my GitHub:

  • 3M Filtrete 3M-50 thermostat http config
  • ADT sightcube ics device httpd
  • Advantech ADAM-4570 ics device httpd
  • Advantech ADAM-4571L ics device httpd
  • Ambient Weather ObserverIP http config
  • ASI Controls ics device httpd
  • ATOP Serial Server ics device httpd
  • Bachmann M1 PLC httpd
