{"id":1598,"date":"2024-11-29T17:44:13","date_gmt":"2024-11-29T14:44:13","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1598"},"modified":"2024-12-09T12:34:07","modified_gmt":"2024-12-09T09:34:07","slug":"unveiling-the-risks-of-exposed-t5-plcs-vulnerable-routers-and-rtsp-misconfigurations","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2024\/11\/29\/unveiling-the-risks-of-exposed-t5-plcs-vulnerable-routers-and-rtsp-misconfigurations\/","title":{"rendered":"Unveiling the Risks of Exposed T5 PLCs, Vulnerable Routers, and RTSP Misconfigurations"},"content":{"rendered":"\n<p>Welcome to the 21st installment of <strong>\u201c<a href=\"https:\/\/zerontek.com\/zt\/category\/ot-hunt\/\" target=\"_blank\" rel=\"noreferrer noopener\">OT Hunt<\/a>\u201d<\/strong> where we dive into the challenges and opportunities within the realm of ICS\/OT devices connected to the internet. This series aims to raise awareness among asset owners and ICS vendors, encouraging them to proactively secure their infrastructures.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Discovery: T5 PLCs on the Internet<\/h2>\n\n\n\n<p>One day, I was exploring <a href=\"https:\/\/www.zoomeye.hk\" target=\"_blank\" rel=\"noreferrer noopener\">ZoomEye<\/a> using the query <code>device:\"plc\"<\/code>, searching for new PLC brands or types. To my surprise, a more refined search with the filter <code>device:\"plc\" +app:\"T5\"<\/code> revealed almost 2,500 online T5 PLC devices. These were predominantly located in Italy, with smaller distributions across other countries.<\/p>\n\n\n\n<p>This discovery piqued my curiosity. What exactly is the T5 PLC? After some digging, I found that it originates from a French vendor, <strong>COPALP (now COPA-DATA France)<\/strong>, which specializes in industrial products like historian and PLCs. 
Learn more about them at <a href=\"https:\/\/www.copadata.com\/en\" target=\"_blank\" rel=\"noreferrer noopener\">COPA-DATA<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Observations on Security: The Weak Links<\/h2>\n\n\n\n<p>Unfortunately, my findings revealed significant security lapses, particularly in China, where many T5 PLCs were exposed with weak configurations. Here\u2019s what stood out:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. <strong>Open FTP Ports with Anonymous Login<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Several hosts had FTP ports open with anonymous login enabled, granting unauthorized users access to files and data.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. <strong>Open Telnet Ports<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The presence of open Telnet ports further amplified the risks, as attackers could potentially gain control over the devices using plaintext credentials.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. <strong>Vulnerable Cermate Routers<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Many of these devices were connected via <strong><a href=\"https:\/\/www.cermate.com\" target=\"_blank\" rel=\"noreferrer noopener\">Cermate<\/a> routers<\/strong>, which act as HMI gateways to the internet. 
Shockingly, most of these routers had their web management interfaces exposed with default credentials (<code>admin\/admin<\/code>), leaving them wide open to attackers.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"132\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-admin-1024x132.png\" alt=\"\" class=\"wp-image-1604\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-admin-1024x132.png 1024w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-admin-300x39.png 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-admin-768x99.png 768w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-admin-1536x198.png 1536w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-admin-2048x265.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"458\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-1024x458.png\" alt=\"\" class=\"wp-image-1602\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-1024x458.png 1024w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-300x134.png 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-768x344.png 768w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-1536x687.png 1536w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/cermate-2048x917.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4. <strong>RTSP Ports (554) Exposed<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>Real-Time Streaming Protocol (RTSP)<\/strong> was also commonly exposed. 
RTSP is used for controlling streaming media servers but, when misconfigured, can increase the attack surface dramatically.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">The Risks of Exposed RTSP Ports:<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Discover Internal Camera Streams:<\/strong> Attackers can access internal camera feeds.<\/li>\n\n\n\n<li><strong>HMI Access:<\/strong> Some HMIs receive data from cameras, creating an indirect pathway to the ICS network.<\/li>\n\n\n\n<li><strong>Pivoting into ICS Networks:<\/strong> Exploiting RTSP can provide a foothold for lateral movement.<\/li>\n\n\n\n<li><strong>URL Brute Force Attacks:<\/strong> Attackers can discover stream URLs via brute force.<\/li>\n\n\n\n<li><strong>Credential Brute Force Attacks:<\/strong> Tools like Hydra can be used to brute force RTSP credentials.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Testing RTSP Configurations: Tools and Techniques<\/h2>\n\n\n\n<p>If you&#8217;re dealing with RTSP exposure, testing its configuration can help identify vulnerabilities. Here are some tools and methods to try:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. <strong><code>curl<\/code> Command<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -i -X DESCRIBE rtsp:\/\/10.10.14.30\/Streaming\/Channels\/101\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This command reveals details about the media being streamed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. <strong><code>nmap<\/code> with RTSP Scripts<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>nmap -sV --script \"rtsp-*\" -p 554 10.10.14.30\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Useful for finding:\n<ul class=\"wp-block-list\">\n<li>RTSP server version<\/li>\n\n\n\n<li>Available streams and channel URLs<\/li>\n\n\n\n<li>Supported RTSP methods<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
<strong>Hydra Brute Force<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>hydra -s 554 -l admin -P \/path\/to\/wordlist.txt rtsp:\/\/10.10.14.30\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Discovers media\/channel paths using brute force with wordlists.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4. <strong>VLC for Stream Viewing<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>vlc rtsp:\/\/10.10.14.30\/live\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"631\" height=\"502\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/vlc.png\" alt=\"\" class=\"wp-image-1605\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/vlc.png 631w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/11\/vlc-300x239.png 300w\" sizes=\"auto, (max-width: 631px) 100vw, 631px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open unauthenticated streams in VLC to view media. This could expose facility videos and images, providing attackers with critical insights.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Summary: The Cost of Exposure<\/h2>\n\n\n\n<p>When industrial devices like PLCs are exposed to the internet, the risks are high. My research found that many T5 PLCs also had <strong>open Modbus ports (502)<\/strong>, which attackers could exploit using open-source tools to pull data. 
Combining this with vulnerable services like FTP, Telnet, and RTSP creates multiple entry points for attackers.<\/p>\n\n\n\n<p>The critical question is: <strong>Who knows what&#8217;s behind these exposed devices?<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion: Stay Vigilant<\/h2>\n\n\n\n<p>This article highlights critical security vulnerabilities in T5 Programmable Logic Controllers (PLCs) and routers utilizing the Real-Time Streaming Protocol (RTSP). These weaknesses can be exploited by cyber criminals to disrupt industrial control systems, leading to potential operational failures and safety hazards. The article underscores the importance of implementing robust security measures, such as regular firmware updates, network segmentation, and stringent access controls, to safeguard these systems against cyber threats.<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/www.icsrank.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">ICSRank<\/a><\/strong> is here to help you discover, assess, and secure your ICS\/OT systems. Stay tuned for more insights in future <strong>OT Hunt<\/strong> installments. Together, we can defend critical infrastructure against evolving cyber threats.<\/p>\n\n\n\n<p>Let\u2019s make security a priority. Your vigilance matters.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to the 21st installment of \u201cOT Hunt\u201d where we dive into the challenges and opportunities within the realm of ICS\/OT devices connected to the internet. This series aims to raise awareness among asset owners and ICS vendors, encouraging them to proactively secure their infrastructures. 
The Discovery: T5 PLCs on the Internet One day, I [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1608,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,45,3,252,81,168,48,106,67,207,277,238],"tags":[275,274,7,13,6,12,169,47,276,273,278],"class_list":["post-1598","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security","category-ics-protocols","category-ics-security","category-ics-ot-osint","category-osint","category-ot-hunt","category-ot-security","category-penetration-testing","category-plc","category-router","category-rtsp","category-zoomeye","tag-copa-data-france","tag-copalp","tag-cyber-security","tag-ics","tag-ics-security","tag-ot","tag-ot-hunt","tag-ot-security","tag-rtsp","tag-t5-plc","tag-vlc"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1598"}],"version-history":[{"count":6,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1598\/revisions"}],"predecessor-version":[{"id":1610,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1598\/revisions\/1610"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media\/1608"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}