{"id":1426,"date":"2024-03-18T11:51:49","date_gmt":"2024-03-18T08:51:49","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1426"},"modified":"2024-03-18T12:27:43","modified_gmt":"2024-03-18T09:27:43","slug":"ot-hunt-finding-ics-ot-with-censys","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2024\/03\/18\/ot-hunt-finding-ics-ot-with-censys\/","title":{"rendered":"OT Hunt: Finding ICS\/OT with Censys"},"content":{"rendered":"\n<p>Welcome to the 14th installment of \u201c<a href=\"https:\/\/zerontek.com\/zt\/category\/ot-hunt\/\" target=\"_blank\" rel=\"noreferrer noopener\">OT Hunt<\/a>\u201d, a series that has become a beacon for those navigating the murky waters of Industrial Control Systems\/Operational Technology (ICS\/OT) security. Our journey is more than a quest; it\u2019s a mission to illuminate the hidden corners of the internet where ICS\/OT devices dwell, often unnoticed and vulnerable. This exploration is not just about discovery; it\u2019s a clarion call to action for asset owners and ICS\/OT vendors, emphasizing the paramount importance of fortifying their digital fortresses.<\/p>\n\n\n\n<p>Today&#8217;s article unveils the methodology of utilizing the <a href=\"https:\/\/search.censys.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Censys<\/a> search engine to unearth ICS\/OT devices. With a few strategic queries, known as dorks, we can expose the digital footprints of critical infrastructure components that span across various industries.<\/p>\n\n\n\n<p>To begin your exploration, start with the following dorks in Censys:<\/p>\n\n\n\n<p>For a broad search, use <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>labels: `ics`\n<\/code><\/pre>\n\n\n\n<p>or<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>labels: `scada`\n<\/code><\/pre>\n\n\n\n<p>For those interested in identifying specific ICS\/OT protocols, Censys facilitates this with targeted filters. 
For example, to find devices using the Modbus protocol, apply the following filter:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>services.service_name=`modbus`<\/code><\/pre>\n\n\n\n<p>This approach has revealed a comprehensive list of ICS\/OT protocols within my searches. Here&#8217;s the list of ICS\/OT protocols I discovered on Censys:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ATG<\/li>\n\n\n\n<li>BACNET<\/li>\n\n\n\n<li>CITRIX<\/li>\n\n\n\n<li>CODESYS<\/li>\n\n\n\n<li>DIGI<\/li>\n\n\n\n<li>DNP3<\/li>\n\n\n\n<li>EIP<\/li>\n\n\n\n<li>FINS<\/li>\n\n\n\n<li>FOX<\/li>\n\n\n\n<li>GE_SRTP<\/li>\n\n\n\n<li>IEC61850_5_104<\/li>\n\n\n\n<li>MODBUS<\/li>\n\n\n\n<li>PCWORX<\/li>\n\n\n\n<li>PRO_CON_OS<\/li>\n\n\n\n<li>S7<\/li>\n\n\n\n<li>WDRPC<\/li>\n<\/ul>\n\n\n\n<p>Vendor-specific searches are equally insightful. By applying the filter below, for instance, one can unearth devices from notable ICS\/OT manufacturers. My findings have included products from Bosch, Schneider Electric, Siemens, and Tridium, to name a few.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>services.software.vendor=`siemens`<\/code><\/pre>\n\n\n\n<p>Censys also shines in its capability to search for ICS\/OT product names. For example, the dork below led me to discover several variations of the Niagara 4 products.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>services.software.product=`niagara`<\/code><\/pre>\n\n\n\n<p>Exploring specific ports or services? Censys accommodates this need. 
A search for GE SRTP protocol hosts with FTP access can be conducted using:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>(services.service_name=`GE_SRTP`) and services.service_name=`ftp`<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"387\" height=\"936\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/03\/image-1.png\" alt=\"\" class=\"wp-image-1445\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/03\/image-1.png 387w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/03\/image-1-124x300.png 124w\" sizes=\"auto, (max-width: 387px) 100vw, 387px\" \/><\/figure>\n\n\n\n<p>For those seeking the latest <a href=\"https:\/\/github.com\/selmux\/ICS-Security\/blob\/main\/ICS-OT-IoT%20dorks\/ICS-censys\" target=\"_blank\" rel=\"noreferrer noopener\">ICS\/OT dorks<\/a> using Censys, I invite you to follow my GitHub account: <a href=\"https:\/\/github.com\/selmux\/ICS-Security\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/selmux\/ICS-Security<\/a>.<\/p>\n\n\n\n<p>A noteworthy mention is Censys&#8217;s foray into artificial intelligence with &#8220;<a href=\"https:\/\/gpt.censys.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">CensysGPT<\/a>,&#8221; a beta feature that allows users to interact with a bot for generating search filters. 
While promising, it&#8217;s worth noting that this tool is in its infancy and may occasionally produce non-functional filters.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"641\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/03\/image-1024x641.png\" alt=\"\" class=\"wp-image-1443\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/03\/image-1024x641.png 1024w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/03\/image-300x188.png 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/03\/image-768x481.png 768w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/03\/image.png 1515w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Conclusion<\/h3>\n\n\n\n<p>After extensive research and leveraging various OSINT tools for ICS\/OT, Censys has proven to be an indispensable resource. Its exhaustive database and intuitive interface make it a vital tool for anyone conducting ICS\/OT OSINT. The introduction of CensysGPT, despite its current limitations, showcases the potential for more interactive and intelligent search capabilities in the future.<\/p>\n\n\n\n<p>As the field of ICS\/OT security research evolves, the significance of comprehensive and user-friendly tools like Censys cannot be overstated. In parallel, I am committed to further developing <a href=\"https:\/\/www.icsrank.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">ICSrank<\/a>, my dedicated OSINT tool designed for discovering ICS\/OT devices and assessing their cybersecurity posture. The future of ICS\/OT security research is bright, with continuous advancements that promise to bolster the cybersecurity landscape significantly. 
Stay engaged with our journey as we delve deeper into the nexus of technology and security, making the digital world a safer place for all.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to the 14th installment of \u201cOT Hunt\u201d, a series that has become a beacon for those navigating the murky waters of Industrial Control Systems\/Operational Technology (ICS\/OT) security. Our journey is more than a quest; it\u2019s a mission to illuminate the hidden corners of the internet where ICS\/OT devices dwell, often unnoticed and vulnerable. This [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1431,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[246,178,4,45,3,46,76,81,168,48],"tags":[247,248,7,13,6,75,12,169,47,27],"class_list":["post-1426","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-censys","category-chatgpt","category-cyber-security","category-ics-protocols","category-ics-security","category-ics-tools","category-icsrank","category-osint","category-ot-hunt","category-ot-security","tag-censys","tag-censysgpt","tag-cyber-security","tag-ics","tag-ics-security","tag-icsrank","tag-ot","tag-ot-hunt","tag-ot-security","tag-zerontek"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1426"}],"version-history":[{"count":22,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1426\/revisions"}],"predecessor-version":[{"id":1451,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1426\/revis
ions\/1451"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media\/1431"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}