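0x00 Preface
- The data below was compiled from the Shodan search engine and is mainly used to identify industrial control devices and cameras. To group cameras into one category, match the values of the product and server fields with regular expressions; any IP that matches can be treated as a camera.
- Another fairly comprehensive summary covers industrial control protocols. Each protocol comes with Shodan's description of it. After the description, the first line is the query used to search for the protocol in Shodan, and the second line is the value of the module field in the database. Searching the database for that value finds the IPs that use the protocol, which can then be tagged as industrial control protocol / industrial control device.
- As for how the data is obtained: it is retrieved through the Shodan API. The API's host function returns information about the IP passed to it; parse the returned information and save the fields you need.
0x01 Values that must be matched with regular expressions
product field: cameras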
DVR
D-Link
Avtech
Netwave
GeoVision
Vivotek
Axis 207W Network Camera ftpd
product field: routers
DD-WRT
Cisco
Linksys
server field: cameras
NVR Webserver
Hikvision-Webs
SQ-WEBCAM
Avtech
IPCamera_Logo
U S Software Web Server
yawcam
Yawcam
MJPG-Streamer/0.2
go1984
UBNT Streaming Server v1.2
Pan/Tilt
BlueIris-HTTP/1.1
IP Webcam Server
i-Catcher Console
GeoHttpServer
Android Webcam Server
GoAhead-Webs
ADH-Web
VB100
Linux/2.x UPnP/1.0 Avtech/1.0
Camera Web Server
Cam
webcamXP
server field: SCADA systems
Scada
scada
SCADA
0x02 Values that can be matched directly by exact module name
Industrial control protocols
The following protocols are some of the languages that the industrial control systems use to communicate across the Internet. Many of them were developed before the Internet became widely used, which is why Internet-accessible ICS devices don't always require authentication - it isn't part of the protocol!
- Modbus
  Modbus is a protocol used on electronic controllers. Devices can communicate with each other through it, and it has become a general industrial standard.
  Modbus is a popular protocol for industrial control systems (ICS). It provides easy, raw access to the control system without requiring any authentication.
  - port:502
  - module: modbus
- Siemens S7
  S7 is the standard communication protocol of the SIEMENS S7 protocol family; communication through the S7 application interface does not depend on a specific bus system.
  S7 (S7 Communication) is a Siemens proprietary protocol that runs between programmable logic controllers (PLCs) of the Siemens S7 family.
  - port:102
  - module: s7
- DNP3
  DNP (Distributed Network Protocol) is a communication protocol used between automation components, common in industries such as electric power and water treatment. SCADA can use DNP to communicate with master stations, RTUs, and IEDs.
  DNP3 (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems. Its main use is in utilities such as electric and water companies.
  - port:20000 source address
  - module: dnp3
- Niagara Fox
  The Fox protocol is part of the Niagara framework developed by Tridium and is widely used in building automation control systems.
  The Fox protocol, developed as part of the Niagara framework from Tridium, is most commonly seen in building automation systems (offices, libraries, Universities, etc.)
  - port:1911,4911 product:Niagara
  - module: fox
- BACnet
  The Building Automation and Control network data communication protocol (BACnet) was designed for heating, ventilation, air-conditioning, and refrigeration control equipment, and also provides a basic principle for integrating other building control systems (such as lighting, security, and fire-protection systems).
  BACnet is a communications protocol for building automation and control networks. It was designed to allow communication of building automation and control systems for applications such as heating, air-conditioning, lighting, and fire detection systems.
  - port:47808
  - module: bacnet
- EtherNet/IP
  EtherNet/IP is an industrial application-layer protocol for industrial automation applications. It is built on the standard UDP/IP and TCP/IP protocols and, using fixed Ethernet hardware and software, defines an application-layer protocol for configuring, accessing, and controlling industrial automation devices.
  EtherNet/IP was introduced in 2001 and is an industrial Ethernet network solution available for manufacturing automation.
  - port:44818
  - module: ethernetip, ethernetip-udp
- GE-SRTP
  The GE-SRTP protocol was developed by General Electric (USA); GE PLCs can communicate and transfer data through GE-SRTP.
  Service Request Transport Protocol (GE-SRTP) protocol is developed by GE Intelligent Platforms (earlier GE Fanuc) for transfer of data from PLCs.
  - port:18245,18246 product:"general electric"
  - module: general-electric-srtp
- HART-IP
  HART is a communication protocol introduced by the US company Rosemount in 1985 for communication between smart field instruments and control-room equipment. It has become a global industrial standard for smart instruments.
  The HART Communications Protocol (Highway Addressable Remote Transducer Protocol) is an early implementation of Fieldbus, a digital industrial automation protocol. Its most notable advantage is that it can communicate over legacy wiring.
  - port:5094 hart-ip
  - module: hart-ip-udp
- PCWorx
  The PCWorx protocol was developed by Phoenix Contact and is now widely used in industrial control systems. PCWORX 3.11 is a proprietary protocol of Phoenix Contact.
  PCWorx is a protocol and program by Phoenix Contact used by a wide range of industries.
  - port:1962 PLC
  - module: pcworx
- MELSEC-Q
  MELSEC-Q series devices communicate using a proprietary network protocol; the series provides high-speed, large-volume data processing and machine control.
  MELSEC-Q Series use a proprietary network protocol for communication. The devices are used by equipment and manufacturing facilities to provide high-speed, large volume data processing and machine control.
  - port:5006,5007 product:mitsubishi
  - module: melsec-q-tcp
- OMRON FINS
  Omron PLCs communicate using the FINS network protocol, which can run over several different physical networks such as Ethernet and Controller Link.
  FINS, Factory Interface Network Service, is a network protocol used by Omron PLCs, over different physical networks like Ethernet, Controller Link, DeviceNet and RS-232C.
  - port:9600 response code
  - module: omron-tcp
- Crimson v3
  The protocol is used by the Crimson desktop software to communicate with the HMI (human machine interface) of the Red Lion G306 industrial control system.
  The protocol the Crimson v3.0 desktop software uses when communicating with the Red Lion Controls G306a human machine interface (HMI).
  - port:789 product:"Red Lion Controls"
  - module: redlion-crimson3
- Codesys
  The CoDeSys programming interface is widely used worldwide; automation devices from hundreds of device manufacturers around the world use it.
  Over 250 device manufacturers from different industrial sectors offer automation devices with a CODESYS programming interface. Consequently, thousands of users such as machine or plant builders around the world employ CODESYS for automation tasks.
  - port:2455 operating system
  - module: codesys
- IEC 60870-5-104
  IEC 60870-5-104 is a specification from the International Electrotechnical Commission, intended to accommodate and guide the development of power system dispatch automation and to standardize the technical performance of dispatch automation and telecontrol equipment.
  IEC 60870 part 5 is one of the IEC 60870 set of standards which define systems used for SCADA in electrical engineering and power system automation applications.
  - port:2404 asdu address
  - module: iec-104
- ProConOS
  ProConOS is a real-time operating system for PLCs developed by the German company KW-Software GmbH. It is a high-performance PLC runtime engine, now widely used in embedded and PC-based industrial control systems.
  ProConOS is a high performance PLC run time engine designed for both embedded and PC based control applications.
  - port:20547 PLC
  - module: proconos
- moxa-nport
  Moxa serial device servers are designed for industrial applications. Serial device servers in different configuration combinations can better meet the needs of different industrial sites. The NPort series lets legacy RS-232/422/485 devices be networked immediately, providing an IP-based serial networking solution.
  - port:4800
  - module: moxa-nport
For reference, here is the structure of the Shodan data as stored in MongoDB:
{
    "_id" : ObjectId("5a40aee51f7920c866d75f84"),
    "ip_str" : "58.152.101.254",
    "region_code" : "00",
    "ip" : 983066110,
    "postal_code" : null,
    "country_code" : "HK",
    "city" : "North Point",
    "dma_code" : null,
    "last_update" : "2017-12-24T23:00:12.582766",
    "vulns" : [
        "!CVE-2014-0160"
    ],
    "latitude" : 22.3,
    "status" : "200",
    "tags" : [],
    "timestamp" : "2017-12-25 15:55:16",
    "area_code" : null,
    "country_name" : "Hong Kong",
    "hostnames" : [
        "n058152101254.netvigator.com"
    ],
    "org" : "Netvigator",
    "banner" : [
        {
            "product" : "nginx",
            "devicetype" : null,
            "module" : "http-simple-new",
            "tags" : null,
            "timestamp" : "2017-12-24T23:00:12.582766",
            "port" : 5000,
            "transport" : "tcp",
            "server" : "nginx"
        },
        {
            "product" : null,
            "devicetype" : null,
            "module" : "http",
            "tags" : null,
            "timestamp" : "2017-12-21T04:50:11.716715",
            "port" : 80,
            "transport" : "tcp",
            "server" : null
        },
        {
            "product" : "OpenSSH",
            "devicetype" : null,
            "module" : "ssh",
            "tags" : null,
            "timestamp" : "2017-12-20T14:48:02.597978",
            "port" : 22,
            "transport" : "tcp",
            "server" : null
        },
        {
            "product" : "nginx",
            "devicetype" : null,
            "module" : "https",
            "tags" : null,
            "timestamp" : "2017-12-19T17:23:49.953396",
            "port" : 443,
            "transport" : "tcp",
            "server" : "nginx"
        },
        {
            "product" : null,
            "devicetype" : null,
            "module" : "https-simple-new",
            "tags" : null,
            "timestamp" : "2017-12-08T19:51:10.994940",
            "port" : 5001,
            "transport" : "tcp",
            "server" : "nginx"
        }
    ],
    "asn" : "AS4760",
    "isp" : "Netvigator",
    "longitude" : 114.2,
    "country_code3" : "HKG",
    "os" : null,
    "ports" : [
        5000,
        80,
        22,
        443,
        5001
    ]
}
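
The tagging described in 0x01 and 0x02, applied to records in the layout above, as an added example that is not code from the original post. The names `classify`, `RULES` and `ICS_MODULES` are hypothetical, the camera lists are abridged from the page (very short patterns such as `Cam` are left out because an unanchored match on them hits unrelated servers), and the sample records are constructed with documentation-range IPs.

```python
import re

def _rx(names, flags=0):
    # Join literal substrings from the page's lists into one unanchored regex.
    return re.compile("|".join(re.escape(n) for n in names), flags)

RULES = [  # (tag, banner field, compiled pattern), section 0x01
    ("camera", "product", _rx(["DVR", "D-Link", "Avtech", "Netwave", "GeoVision",
                               "Vivotek", "Axis 207W Network Camera ftpd"])),
    ("router", "product", _rx(["DD-WRT", "Cisco", "Linksys"])),
    ("camera", "server", _rx(["NVR Webserver", "Hikvision-Webs", "SQ-WEBCAM", "Avtech",
                              "IPCamera_Logo", "yawcam", "Yawcam", "MJPG-Streamer/0.2",
                              "go1984", "GeoHttpServer", "GoAhead-Webs", "webcamXP",
                              "Camera Web Server", "IP Webcam Server"])),
    # The page lists Scada/scada/SCADA; one case-insensitive pattern covers all three.
    ("scada", "server", _rx(["scada"], re.IGNORECASE)),
]
ICS_MODULES = {"modbus", "s7", "dnp3", "fox", "bacnet", "ethernetip", "ethernetip-udp",
               "general-electric-srtp", "hart-ip-udp", "pcworx", "melsec-q-tcp",
               "omron-tcp", "redlion-crimson3", "codesys", "iec-104", "proconos",
               "moxa-nport"}

def classify(record):
    """Return {tag: [(port, field, value), ...]} for one stored host record."""
    hits = {}
    for b in record.get("banner") or []:
        module = b.get("module")
        if module in ICS_MODULES:  # exact module name, section 0x02
            hits.setdefault("ics", []).append((b.get("port"), "module", module))
        for tag, field, rx in RULES:
            value = b.get(field)
            if value and rx.search(value):  # product/server are often null; skip those
                hits.setdefault(tag, []).append((b.get("port"), field, value))
    return hits

# Constructed records in the page's MongoDB layout (not real hosts).
PAGE_LIKE = {"ip_str": "192.0.2.10", "banner": [
    {"product": "nginx", "module": "http-simple-new", "port": 5000, "server": "nginx"},
    {"product": "OpenSSH", "module": "ssh", "port": 22, "server": None}]}
MIXED = {"ip_str": "192.0.2.20", "banner": [
    {"product": None, "module": "modbus", "port": 502, "server": None},
    {"product": None, "module": "http", "port": 80, "server": "Hikvision-Webs"},
    {"product": None, "module": "http", "port": 8080, "server": "My-SCADA-Gateway"}]}

if __name__ == "__main__":
    for rec in (PAGE_LIKE, MIXED):
        print(rec["ip_str"], classify(rec))
```

Keeping the port, field and matched value with each tag lets a reviewer see why a host was labelled and discard hits from generic embedded web servers such as `GoAhead-Webs`.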