{"id":1314,"date":"2023-09-29T15:52:17","date_gmt":"2023-09-29T12:52:17","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1314"},"modified":"2023-09-29T15:54:53","modified_gmt":"2023-09-29T12:54:53","slug":"ot-hunt-schneider-electric-scadapack","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2023\/09\/29\/ot-hunt-schneider-electric-scadapack\/","title":{"rendered":"OT Hunt: Schneider Electric SCADAPack"},"content":{"rendered":"\n<p>This is the 9th topic of \u201c<a rel=\"noreferrer noopener\" href=\"https:\/\/zerontek.com\/zt\/category\/ot-hunt\/\" target=\"_blank\">OT Hunt<\/a>\u201d. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build awareness in the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their assets\u2019 attack surfaces.<\/p>\n\n\n\n<p>In this article, my targets are SCADAPack and SCADAPack RemoteConnect. SCADAPack is an industrial controller (RTU) used for monitoring and controlling industrial processes in SCADA systems. SCADAPack RemoteConnect provides secure and reliable remote access and communication capabilities.<\/p>\n\n\n\n<p>I used the following keywords\/dorks to search the Shodan search engine for SCADAPack and SCADAPack RemoteConnect simultaneously; please check out my <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/selmux\/ICS-Security\/blob\/main\/ICS-OT-IoT%20dorks\/schneider-shodan\" target=\"_blank\">ICS-OT-iIoT dorks project<\/a> on GitHub:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SCADAPack<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>RemoteConnect RTU<\/code><\/pre>\n\n\n\n<p>The search for SCADAPack yielded 21 devices. Shodan didn&#8217;t tag them as &#8220;ICS&#8221;, while SCADAPack RemoteConnect yielded 3 devices, which were tagged as &#8220;ICS&#8221;. 
The common port for SCADAPack RTU is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>17185 \/ UDP<\/code><\/pre>\n\n\n\n<p>SCADAPack RemoteConnect has a web server for configuration and system control, accessible on the following port:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>10443 TCP<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"810\" height=\"679\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/09\/scadapack.jpg\" alt=\"\" class=\"wp-image-1321\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/09\/scadapack.jpg 810w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/09\/scadapack-300x251.jpg 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/09\/scadapack-768x644.jpg 768w\" sizes=\"auto, (max-width: 810px) 100vw, 810px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\nhttp:&#47;&#47;ip-address\/cgi-bin\/webif\/system-info.sh\n<\/code><\/pre>\n\n\n\n<p>Many SCADAPack hosts have 2 industrial ports: Modbus 502 and\/or DNP3 20000. The OS of the SCADAPack RTU is VxWorks. VxWorks is an embedded real-time operating system (RTOS), used in SCADAPack controllers and other industrial devices. However, previous VxWorks versions have issues on UDP port 17185, such as a debug service enabled by default, which could result in information disclosure or a denial-of-service attack.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ICSA-10-214-01<\/code><\/pre>\n\n\n\n<p>Previous versions of SCADAPack RemoteConnect also have some issues, such as buffer overflow and path traversal.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ICSA-22-223-03\n\nICSA-21-259-02<\/code><\/pre>\n\n\n\n<p>That\u2019s it for today\u2019s topic. Happy hacking!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is the 9th topic of \u201cOT Hunt\u201d. These topics expose ICS\/OT devices that are connected to the internet. 
The goal is to build awareness in the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their assets\u2019 attack surfaces. In this article, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[170,4,45,3,76,81,168,48,201,220,219,23,5],"tags":[7,13,6,75,12,169,47,221,222,20,223],"class_list":["post-1314","post","type-post","status-publish","format-standard","hentry","category-attack-surface","category-cyber-security","category-ics-protocols","category-ics-security","category-icsrank","category-osint","category-ot-hunt","category-ot-security","category-recon","category-rtu","category-schneider-electric","category-shodan","category-vendors","tag-cyber-security","tag-ics","tag-ics-security","tag-icsrank","tag-ot","tag-ot-hunt","tag-ot-security","tag-scadapack","tag-scadapack-remoteconnect","tag-shodan","tag-vxworks"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1314","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1314"}],"version-history":[{"count":15,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1314\/revisions"}],"predecessor-version":[{"id":1331,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1314\/revisions\/1331"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1314"},{"taxonomy":"post_tag","embeddabl
e":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}