{"id":1123,"date":"2023-02-01T11:12:18","date_gmt":"2023-02-01T08:12:18","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1123"},"modified":"2023-02-01T11:12:18","modified_gmt":"2023-02-01T08:12:18","slug":"ot-hunt-opc","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2023\/02\/01\/ot-hunt-opc\/","title":{"rendered":"OT Hunt: OPC"},"content":{"rendered":"\n

This is the 4th topic of \u201cOT Hunt<\/a>\u201d. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build an awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their their assets\u2019 attack surfaces.<\/p>\n\n\n\n

\"\"
What is OPC ? (ChatGPT)<\/figcaption><\/figure>\n\n\n\n

The following keywords\/dorks I used to search for OPC on Shodan search engine, please check out my ICS dorks project<\/a> at GitHub:<\/p>\n\n\n\n

opc-ua<\/code><\/pre>\n\n\n\n
This search yielded 404 online OPC devices. The results also showed \u201cICS\u201d tag for each device (based on Shodan) . Many OPC devices are linked to CodeSys software. I found 1 OPC device that interacts with profinet protocol, for example “Phoenix Contact Software PROFINET”. It connects OPC server with Profinet protocol . The results showed that some OPC servers have many open ports\/surfaces such as  22  , 80 , 443 , 1883 (MQTT) , cpanel, container management , 102 (S7)  , 502 (Modbus). The common port for OPC is:<\/p>\n\n\n\n
4840 TCP<\/code><\/pre>\n\n\n\n
I found an interesting platform called “Wiren Board<\/a>” its a Russian software. Its used for home and industrial automation and monitoring. Could it be liked to an OPC server in any way ? Its hosted on the same OPC machine by the way.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I also found WAGO PFC200 hosted with an OPC server . WAGO PFC200 is programmable automation controller (PAC) and is used with Codesys<\/a> software , to create and run control programs, monitor and control industrial automation processes, and integrate the PFC200 into a larger automation system (source: ChatGPT). It has a web interface (attack surface !) .<\/p>\n\n\n\n
http://ip-address\/wbm\/index.php<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
WAGO PFC200 is vulnerable and is listed on US-Cert ICS advisory<\/a>. There is a risky vulnerability (Improper authentication) with a CVSS v3 score of 9.8. This vulnerability allows an attacker to change operation  settings due to a vulnerability in CoDeSys Runtime application<\/p>\n\n\n\n
ICSA-18-044-01<\/code><\/pre>\n\n\n\n
Some OPC servers are hosting MQTT (iIoT ?)<\/p>\n\n\n\n
\"\"
What is MQTT ? (ChatGPT)<\/figcaption><\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I was shocked when i saw an OPC server (ICS device) that is hosting Guacamole<\/a> , this software is  used to access remote desktops , the port was 1234 . I played a little with it and I managed to see the \/etc\/passwd file content. Use your imagination and figure out what you can accomplish with the Linux xterm command line. <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"
This is the 4th topic of \u201cOT Hunt\u201d. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build an awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their their assets\u2019 attack surfaces. The following keywords\/dorks […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[170,178,198,4,45,3,76,149,150,192,81,168,48,67,193,23,5,174],"tags":[197,7,195,6,90,190,47,194,196,191],"class_list":["post-1123","post","type-post","status-publish","format-standard","hentry","category-attack-surface","category-chatgpt","category-codesys","category-cyber-security","category-ics-protocols","category-ics-security","category-icsrank","category-iiot","category-industry-4-0","category-opc","category-osint","category-ot-hunt","category-ot-security","category-plc","category-profinet","category-shodan","category-vendors","category-wago","tag-codesys-runtime","tag-cyber-security","tag-guacamole","tag-ics-security","tag-linux","tag-mqtt","tag-ot-security","tag-phoenix-contact-software-profinet","tag-wago-pfc200","tag-wiren-board"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1123"}],"version-history":[{"count":37,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1123\/revisions"}],"predecessor-version":[{"id":1168,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1123\/revisions\/1168"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}