OT Hunt: Nordex NC2
This is the 7th topic of “OT Hunt”. These topics expose ICS/OT devices that are connected to the internet. The goal is to build awareness in the ICS community. This kind of research is also a warning message for asset owners and ICS/OT vendors to secure their assets’ attack surfaces.
In this article, my target is Nordex Control 2 (NC2). NC2 is a web-based SCADA system for wind power plants. Nordex is a company based in Germany whose products are used in many countries worldwide.
I used the following keyword/dork to search for Nordex’s NC2 Wind Farm Portal application on the Shodan search engine (see also my ICS-OT-iIoT dorks project on GitHub):
http.title:"Nordex Control"
The search for NC2 yielded 525 devices. These are the devices’ web servers, used for managing settings and controlling the wind farms. They listen on the following ports:
80 TCP
443 TCP
NC2 can also be found on Google using the following dorks:
intitle:Nordex Control
intitle:Nordex Control inurl:/index_en.html
You can also see the name of the wind plant and its technical information without logging in:
http://ip-address/indexdata
The /indexdata path returns information such as the NC2 application version and the farm name. The version number tells you whether the application is vulnerable: Nordex Control 2 (NC2) SCADA V16 and prior versions are vulnerable to cross-site scripting (XSS). The exploit can be found at this link.
ICSA-15-286-01
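For asset owners, the practical takeaway from the paragraph above is that /indexdata is reachable without authentication and that the version it reveals places a device inside or outside the ICSA-15-286-01 affected range. The following added example (my own code, not part of the original post or any Nordex software) shows the two defender-side checks: flagging /indexdata requests that arrive from outside an assumed trusted operations network in a web server access log, and classifying a reported version string against the V16-and-prior range. The log lines and the 10.20.0.0/16 trusted network are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.20.0.5 - - [12/Mar/2024:08:01:12 +0000] "GET /index_en.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Mar/2024:08:02:45 +0000] "GET /indexdata HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.20.0.9 - - [12/Mar/2024:08:03:01 +0000] "GET /indexdata HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.4 - - [12/Mar/2024:08:05:30 +0000] "GET /indexdata?x=1 HTTP/1.1" 200 812 "-" "python-requests/2.31"
"""

# Assumed: the operations network, the only place the NC2 web server should be reached from.
TRUSTED_NETS = [ip_network("10.20.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_external_indexdata_hits(log_text: str) -> list[dict]:
    """Return requests for the unauthenticated /indexdata endpoint that came from outside TRUSTED_NETS."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path == "/indexdata" and not is_trusted(m.group("ip")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": m.group("path")})
    return hits

def affected_by_icsa_15_286_01(version: str) -> bool:
    """True for NC2 SCADA V16 and earlier, the range the advisory lists as affected.
    Assumes the version is reported as 'V<major>' optionally followed by '.<minor>' parts."""
    m = re.fullmatch(r"[Vv]?(\d+)(?:\.\d+)*", version.strip())
    return bool(m) and int(m.group(1)) <= 16

if __name__ == "__main__":
    for h in find_external_indexdata_hits(SAMPLE_LOG):
        print(f"external /indexdata access from {h['ip']} at {h['ts']}")
    print("V16 affected:", affected_by_icsa_15_286_01("V16"))
```

Feed real access logs in place of SAMPLE_LOG and adjust TRUSTED_NETS to your own operations network; any hit reported is a sign the portal is exposed beyond the network it was meant for.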
Happy hacking!