{"id":1280,"date":"2023-07-12T09:18:30","date_gmt":"2023-07-12T06:18:30","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1280"},"modified":"2023-07-12T09:18:30","modified_gmt":"2023-07-12T06:18:30","slug":"ot-hunt-nordex-nc2","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2023\/07\/12\/ot-hunt-nordex-nc2\/","title":{"rendered":"OT Hunt: Nordex NC2"},"content":{"rendered":"\n<p>This is the 7th topic of \u201c<a rel=\"noreferrer noopener\" href=\"https:\/\/zerontek.com\/zt\/category\/ot-hunt\/\" target=\"_blank\">OT Hunt<\/a>\u201d. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build awareness in the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their assets\u2019 attack surfaces.<\/p>\n\n\n\n<p>In this article, my target is Nordex Control 2 (NC2). NC2 is a web-based SCADA system for wind power plants. <a href=\"https:\/\/www.nordex-online.com\/en\/\" target=\"_blank\" rel=\"noreferrer noopener\">Nordex<\/a> is a company based in Germany whose products are used in many countries worldwide.<\/p>\n\n\n\n<p>I used the following keywords\/dorks to search for Nordex\u2019s NC2 Wind Farm Portal application on the Shodan search engine; see also my <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/selmux\/ICS-Security\/blob\/main\/ICS-OT-IoT%20dorks\/Wind-Farm-Shodan\" target=\"_blank\">ICS-OT-iIoT dorks project<\/a> on GitHub:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http.title:\"Nordex Control\"\n<\/code><\/pre>\n\n\n\n<p>The search for NC2 yielded 525 devices. The devices have web servers for managing settings and controlling wind farms. 
They are on ports:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>80 TCP\n443 TCP<\/code><\/pre>\n\n\n\n<p>NC2 can also be found in Google using the following dorks:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>intitle:Nordex Control<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>intitle:Nordex Control inurl:\/index_en.html<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"653\" height=\"502\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/07\/nc2.jpg\" alt=\"\" class=\"wp-image-1284\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/07\/nc2.jpg 653w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/07\/nc2-300x231.jpg 300w\" sizes=\"auto, (max-width: 653px) 100vw, 653px\" \/><\/figure>\n\n\n\n<p>The name of the wind plant and its technical information can also be seen without logging in.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"573\" height=\"620\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/07\/liverpool.jpg\" alt=\"\" class=\"wp-image-1285\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/07\/liverpool.jpg 573w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/07\/liverpool-277x300.jpg 277w\" sizes=\"auto, (max-width: 573px) 100vw, 573px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>http:&#47;&#47;ip-address\/indexdata\n<\/code><\/pre>\n\n\n\n<p>The path \/indexdata returns information such as the NC2 application version, farm name, etc. The version number helps you determine whether the application is vulnerable. <a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-15-286-01\" target=\"_blank\">Nordex Control 2 (NC2) SCADA V16<\/a> and prior versions are vulnerable to cross-site scripting (XSS). 
The exploit can be found in this <a rel=\"noreferrer noopener\" href=\"https:\/\/seclists.org\/fulldisclosure\/2015\/Dec\/117\" target=\"_blank\">link<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ICSA-15-286-01<\/code><\/pre>\n\n\n\n<p>Happy hacking!<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is the 7th topic of \u201cOT Hunt\u201d. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build awareness in the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their assets\u2019 attack surfaces. In this article, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[170,4,214,212,3,76,211,81,168,201,23,210],"tags":[7,13,6,75,213,12,47,20,215],"class_list":["post-1280","post","type-post","status-publish","format-standard","hentry","category-attack-surface","category-cyber-security","category-exploits","category-google-dorks","category-ics-security","category-icsrank","category-nordex","category-osint","category-ot-hunt","category-recon","category-shodan","category-wind-farm","tag-cyber-security","tag-ics","tag-ics-security","tag-icsrank","tag-nordex-control-2","tag-ot","tag-ot-security","tag-shodan","tag-xss"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1280"}],"version-history":[{"count":11,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1280\/revisions"}],"pr
edecessor-version":[{"id":1293,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1280\/revisions\/1293"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}