CEH-Module18 - IoT and OT Hacking

IoT or IoE

IoT or IoE stands for Internet of Things or Internet of Everything. Here are some key things to know about IoT/IoE:

  • IoT refers to the network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and network connectivity which enables these objects to connect and exchange data.

  • IoE expands on IoT to include not just “things” but people, processes and data as well. It connects all things, people, processes and data to enable new forms of communication between humans and things and things to things.

  • IoT devices collect data with their built-in sensors and share it with other devices over the internet. This data can provide insights into how the product is being used and help improve operations and services.

  • Common examples of IoT devices include smart home devices like smart lights, thermostats, security cameras, smart TVs/appliances. Also fitness trackers, smart watches, connected cars with sensors, industrial machines etc.

So in summary, IoT/IoE refers to the network of physical objects connected to the internet which allows them to generate, exchange and analyze data to deliver insights, automation and improved operations.

Operational Technology

Operational technology (OT) refers to hardware and software that detects or causes a change through the direct monitoring and/or control of industrial equipment, assets, processes and events. Examples include water grids, power grids, transportation systems such as traffic signals, surveillance cameras, and healthcare devices such as ECG machines and MRI scanners.

Some key things to know about operational technology:

  • OT is used in industrial control systems and manufacturing plant floors to monitor and control physical equipment. Examples include PLCs, DCS, SCADA systems.

  • It differs from traditional IT systems which are used for general business functions like ERP, finance etc. OT focuses on real-time control of physical processes.

  • Common OT devices include sensors, actuators, HMIs, industrial network switches and routers used for data collection and machine/process control.

  • OT systems are found across industries like oil & gas, manufacturing, mining, utilities, transportation, critical infrastructure etc.

  • OT networks often use specialized industrial protocols like Modbus, Profibus, Ethernet/IP for real-time communication with devices.

  • Security of OT is more challenging due to real-time requirements, legacy systems, lack of patching and heterogeneous environments.

  • OT vulnerabilities can be exploited to disrupt industrial processes, cause physical damage or safety issues if production systems are hacked.

  • With growing convergence of IT/OT, security best practices need to be adopted for OT without impacting availability, reliability of control systems.

So in summary, operational technology refers to hardware and software components that monitor and control physical equipment and processes primarily found in industrial automation and critical infrastructure settings.

Gathering information using Shodan

Shodan provides information about internet-connected devices such as routers, traffic lights, CCTV cameras, servers, and smart home devices. Attackers can use it to gather information such as the IP address, hostname, ISP, location and service banner of a target IoT device. Attackers can gather information on a target device using the filters given below:

  • Search for webcams using geolocation: webcamxp country:"US"

  • Search using city: webcamxp city:"streetsboro"

  • Find webcams using longitude and latitude: webcamxp geo:"-50.81,201.80"

  • Search using port number: port:502

Vulnerability Scanning using Nmap

Attackers use scanning tools like Nmap to identify all IoT devices connected to the network along with their open ports and services.

Scanning for Vulnerabilities using Nmap

To scan for a specific IP address:

  • nmap -n -Pn -sS -p T:0-65535 -v -A -oX <output file> <target IP>

To check for open TCP and UDP services and ports:

  • nmap -n -Pn -sSU -p T:0-65535,U:0-65535 -v -A -oX <output file> <target IP>

To identify the IPv6 capabilities of a device:

  • nmap -6 -n -Pn -sSU -p T:0-65535,U:0-65535 -v -A -oX <output file> <target IPv6 address>
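The -oX option in the commands above writes the scan results as XML. The following added example (not part of the original notes, and not Nmap's own tooling) parses such a report into a device inventory and flags services a defender would want to review on an embedded device, such as Telnet or Modbus. The XML sample and the RISKY_SERVICES policy list are constructed for this example.

```python
"""Parse Nmap -oX output to inventory IoT devices, their open ports and services."""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Nmap XML report (not captured from a real scan)
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -Pn -sS -p T:0-65535 -v -A -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="cam01.example.invalid" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="BusyBox telnetd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="GoAhead WebServer"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical review policy: services whose exposure on an embedded device merits follow-up
RISKY_SERVICES = {"telnet", "ftp", "mbap", "modbus"}


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: addr, hostname and a list of open (port, proto, service)."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address")
        hn = host.find("hostnames/hostname")
        entry = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "hostname": hn.get("name") if hn is not None else None,
            "open_ports": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports are inventoried
            svc = port.find("service")
            entry["open_ports"].append((
                int(port.get("portid")),
                port.get("protocol"),
                svc.get("name") if svc is not None else "unknown",
            ))
        hosts.append(entry)
    return hosts


def flag_risky(hosts):
    """Return (addr, port, service) for every open service on the review list."""
    findings = []
    for h in hosts:
        for port, proto, svc in h["open_ports"]:
            if svc in RISKY_SERVICES:
                findings.append((h["addr"], port, svc))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        print(h["addr"], h["hostname"], h["open_ports"])
    for addr, port, svc in flag_risky(inventory):
        print(f"review: {addr}:{port} exposes {svc}")
```

To use it on a real report, replace SAMPLE_NMAP_XML with the contents of the file named after -oX; the parser ignores closed and filtered ports and hosts that are down, so the inventory contains only what is actually reachable.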

Attackers can also gather information with Wireshark, by connecting over Telnet to hosts discovered through Shodan, and by analyzing device firmware.

Dedicated testing frameworks also exist for ICS.

Scanning ICS/SCADA Systems using Nmap

  • Identifying Open Ports and Services
    • nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p <ports> <target>
  • Identifying HMI Systems
    • nmap -Pn -sT -p 46824
  • Scanning Siemens SIMATIC S7 PLCs
    • nmap -Pn -sT -p 102 --script s7-info
  • Scanning Modbus Devices
    • nmap -Pn -sT -p 502 --script modbus-discover
  • Scanning BACnet Devices
    • nmap -Pn -sU -p 47808 --script bacnet-info
  • Scanning Ethernet/IP Devices
    • nmap -Pn -sU -p 44818 --script enip-info
  • Scanning Niagara Fox Devices
    • nmap -Pn -sT -p 1911,4911 --script fox-info
  • Scanning ProConOS Devices
    • nmap -Pn -sT -p 20547 --script proconos-info
  • Scanning Omron PLC Devices
    • nmap -Pn -sT -p 9600 --script omron-info
  • Scanning PCWorx Devices
    • nmap -Pn -sT -p 1962 --script pcworx-info
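Port 502 appears twice above: in the Shodan filter and in the modbus-discover scan. What makes it security-relevant is that Modbus/TCP carries no authentication, so any client that can reach the port can issue write requests that change coil and register values. The following added example (not part of the original notes and not Nmap's modbus-discover script) parses Modbus/TCP frames and classifies them so that a monitoring rule can alert on writes coming from unexpected sources. The frames are constructed inline with build_frame; the MBAP header layout and the function codes are as defined in the Modbus/TCP specification.

```python
"""Parse Modbus/TCP frames (port 502) and flag write requests for OT monitoring."""
import struct

# Function codes that modify coils or registers on the device
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


def parse_modbus_tcp(frame):
    """Parse a 7-byte MBAP header followed by a PDU.

    MBAP fields: transaction id (2), protocol id (2, must be 0), length (2), unit id (1).
    The length field counts the unit id plus the PDU. Raises ValueError on malformed input.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {pid})")
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    fc = frame[7]
    return {"tid": tid, "unit": unit, "fc": fc, "data": frame[8:], "exception": bool(fc & 0x80)}


def classify(frame):
    """Return 'write', 'read', 'exception' or 'other' for one Modbus/TCP frame."""
    p = parse_modbus_tcp(frame)
    if p["exception"]:
        return "exception"
    if p["fc"] in WRITE_FUNCTION_CODES:
        return "write"
    if p["fc"] in READ_FUNCTION_CODES:
        return "read"
    return "other"


def build_frame(tid, unit, fc, data):
    """Build a Modbus/TCP frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample frames (not captured from a real device)
SAMPLE_FRAMES = [
    build_frame(1, 1, 3, struct.pack(">HH", 0, 10)),           # read 10 holding registers from 0
    build_frame(2, 1, 6, struct.pack(">HH", 0x0010, 0x1234)),  # write register 16 := 0x1234
    build_frame(3, 1, 0x83, b"\x02"),                          # exception response to FC 3
]


def audit(frames):
    """Return (tid, description) for every frame that modifies device state."""
    findings = []
    for f in frames:
        p = parse_modbus_tcp(f)
        if not p["exception"] and p["fc"] in WRITE_FUNCTION_CODES:
            addr = struct.unpack(">H", p["data"][:2])[0]  # starting address precedes the value(s)
            findings.append((p["tid"], f"{WRITE_FUNCTION_CODES[p['fc']]} at address {addr} on unit {p['unit']}"))
    return findings


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f.hex(), classify(f))
    for tid, desc in audit(SAMPLE_FRAMES):
        print(f"alert: transaction {tid}: {desc}")
```

In a real deployment the frames would come from a capture on the OT network segment; because the parser rejects frames whose protocol id is non-zero or whose length field disagrees with the byte count, garbage on port 502 raises ValueError rather than producing a false classification.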

Vulnerability Scanning Using Nessus

Nessus is a vulnerability assessment tool that allows attackers to find vulnerabilities in ICS and SCADA systems. Attackers use Nessus to discover and group the vulnerabilities together before launching attacks on target OT networks.
