Netlas for Security Research

Security of IoT & industrial devices with Netlas.io

Any devices accessible via the Internet have most likely already been scanned by Netlas many times.
Today, a significant amount of cybersecurity research is dedicated to the security of the Internet of Things (IoT) and of critical infrastructure objects. This trend has several causes: the protection of critical infrastructure falls under the close attention of state and national security authorities, and there are well-known cases of successful attacks in which smart devices served as entry points into an organization's network, among others.
By using Netlas, you can identify some of the critical infrastructure objects as well as many types of IoT devices. If these devices are accessible via the internet, there is a high likelihood that Netlas has already scanned them. This makes Netlas a valuable tool that can be successfully used in conducting research on the security of critical infrastructure objects and the Internet of Things.
Let's consider a general algorithm for investigating the security of critical infrastructure objects.

Search for critical infrastructure enterprises

The first approach is to move from general to specific. The algorithm would be as follows:
1. Using publicly available information directories, the researcher compiles a list of enterprises of interest in the region.
2. Utilizing the Netlas attack surface discovery tool, the researcher identifies the network perimeters of the enterprises of interest. These are often named network ranges, occasionally autonomous systems, and less frequently individual IP addresses.
3. The researcher analyzes the results of the scanning conducted in the second step, focusing on the attack surfaces identified. At this stage, filtering based on ports, protocols, or specific protocol fields may be applied to highlight objects whose security will be further assessed.
4. The researcher conducts a more detailed examination of the objects identified in the previous step. By using the scanning results, it is often possible to determine the software version, search for known vulnerabilities, assess the validity of authentication procedures, evaluate the cryptographic algorithms used, and assess the reliability of the management protocols. As a result, conclusions can be drawn about the risks of exposing these objects to the Internet.
5. Results are summarized and compiled into a report.
Here is an example query to Netlas that returns the scanning results of one of the critical infrastructure enterprises in Germany:
At the time of writing, Netlas finds two networks with the same name. In the "description" field of both networks, the following information is provided:

This Space is statically assigned TPPA Turbine Power Plant Automation GmbH
An OpenVPN service and a couple of devices for remote access made by Synology were published on the TPPA-NET attack surface.

Search for SCADA and other types of industrial devices

The second option is to move from the specific to the general. It involves searching for published SCADA and other industrial devices based on frequently used equipment. The algorithm in this case will be as follows:
1. The researcher compiles a list of devices whose security needs to be investigated.
2. Search queries are created and a search is conducted in the area of interest.
3. If possible, using the WHOIS data provided by Netlas, the researcher identifies the owners of the critical infrastructure objects found.
4. The researcher conducts a more detailed examination of the identified critical infrastructure objects, drawing conclusions about the risks of exposing these objects on the Internet.
5. Results are summarized and compiled into a report.
Similarly, you can search for IoT devices and other types of devices. Devices with web interfaces are particularly well-suited for this approach: the "http.title" field may contain the device model, the manufacturer's name, the software title, and more. Many industrial devices can also be discovered in scanning results via specialized protocols such as Modbus or S7.
Here are a few examples of search queries for finding industrial devices:

modbus.mei_response.objects.product_code:BMX
# Schneider Electric BMX series controllers

http.title:"WinCC"
# Siemens WinCC Series WebUI

*.banner:Siemens
# Siemens Equipment by any protocol

Indeed, one of the challenges in conducting such research is determining device ownership. Often, using WHOIS data, you can only identify the internet service provider rather than the ultimate owner of the device. However, in some cases, even this problem can be addressed.
As an example, here is a response from one of the Siemens Advanced S7-300 series controllers collected using the S7 protocol somewhere in Romania:
If you google the value of the "plant_id" field, you will find a web page dedicated to a hydroelectric power station called Tomsani1 on the website of the Institute of Hydroenergy Studies And Projects (ISPH S.A.).
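As an added example (not code from Netlas or from this page), the following Python carries out step 3 of the first approach (filtering scan results on protocol fields) and the WHOIS ownership check of the second approach over constructed records shaped like Netlas scan results; the nesting of fields beyond the names given on the page is an assumption.

```python
# Constructed sample records in a Netlas-like layout. Only "http.title",
# "modbus.mei_response.objects.product_code", "plant_id" and the network
# "description" come from the page; "ip"/"port"/"protocol" and the nesting
# under "s7" and "whois.net" are assumptions made for this example.
SAMPLE_RESULTS = [
    {"ip": "203.0.113.10", "port": 502, "protocol": "modbus",
     "modbus": {"mei_response": {"objects": {"product_code": "BMX P34 2020"}}},
     "whois": {"net": {"description": "Example ISP customer pool"}}},
    {"ip": "203.0.113.11", "port": 102, "protocol": "s7",
     "s7": {"plant_id": "EXAMPLE-PLANT-01"},
     "whois": {"net": {"description": "This Space is statically assigned Example Power GmbH"}}},
    {"ip": "203.0.113.12", "port": 443, "protocol": "https",
     "http": {"title": "WinCC - Web Navigator"},
     "whois": {"net": {"description": "Example Hosting Ltd"}}},
    {"ip": "203.0.113.13", "port": 22, "protocol": "ssh",
     "whois": {"net": {"description": "Example ISP customer pool"}}},
]

def get_field(doc, dotted):
    """Resolve a dotted Netlas-style field name against a nested record."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

# Field-level filters corresponding to the page's example queries.
INDUSTRIAL_RULES = [
    ("modbus.mei_response.objects.product_code", lambda v: v.startswith("BMX"), "Schneider Electric BMX controller"),
    ("http.title", lambda v: "WinCC" in v, "Siemens WinCC web UI"),
    ("s7.plant_id", lambda v: v != "", "Siemens S7 controller"),
]

def owner_hint(doc):
    """WHOIS often names only the provider, not the end owner; flag that case
    (keyword heuristic, an assumption for this example)."""
    desc = get_field(doc, "whois.net.description") or "unknown"
    if any(w in desc for w in ("ISP", "Hosting", "customer")):
        return "provider only: " + desc
    return desc

def triage(results):
    """Return (ip, port, label, owner) for each record matching a rule."""
    findings = []
    for doc in results:
        for field, pred, label in INDUSTRIAL_RULES:
            value = get_field(doc, field)
            if isinstance(value, str) and pred(value):
                findings.append((doc["ip"], doc["port"], label, owner_hint(doc)))
                break
    return findings
```

In real use the records would come from Netlas query results (for instance via the official Python SDK) rather than the constructed list, and the "provider only" entries are the ones that still need the owner established by other means, as with the "plant_id" case above.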