Scanning Internet-exposed Modbus devices for fun & fun

There is a French expression that says (translation is mine) “you don’t shoot at an ambulance”. Well, I do. Shooting at ambulances is fun. Plus it has a lot of advantages:

  • It’s less risky than shooting at a tank.
  • As my friend Renzo likes to say, ambulances are easy to spot in the jungle and they bear cross-shaped targets.
  • There are often other easy targets hanging around (casualties, doctors, etc.).

Anyway, here is a scan I have run against the whole IPv4 address space, looking for Internet-exposed Modbus services.

Get the results

Download

The results are available under the Creative Commons BY-SA 4.0 license.

First release

Before downloading those files, please read the update section below.

Update [2015-08-19]

Many updates, including new features, have been integrated into IVRE; some of them require an update of the results.

You can download the updated files:

You can also update the data yourself if you have already downloaded an older version and integrated it in your database, by adding the new indexes and updating the documents schema:

$ scancli --update-schema
$ scancli --archives --update-schema

Using the results

If you do something with these results (research, world domination program, etc.), I’d appreciate it if you let me know!

Import

The results can be used with anything that understands JSON. I would recommend using IVRE’s Web UI, but my opinion might be biased!

First step is to install IVRE and configure it (including the steps with ipdata). You need a recent version with JSON import support. Using Docker (and optionally Vagrant) should make that step easy.

Then import the results by running nmap2db [/path/to/modbus-scan.json[.bz2]] (from the ivreclient container if you have used Docker).

Have fun

Overview

Point your browser to the Web UI, and maybe have a look at the help.

[Image: ivre-world.png]

To have an idea of the data set, I often start with some “top values” (the input box under “explore” in the left panel).

A good start is to ask for port:open (obviously 502, the port used by Modbus services, is number one here), then countports:open, and then portlist:open. These values make good references to compare with filtered results, and make it possible to answer the question “how do the exposed Modbus devices from one country or one AS compare to the global results?”.

Next step is to ask for top country and as values. I like to know how those top values are affected when adding filters (like “hosts with TCP/80 open”).

Now it’s time to filter the results.

  • We can filter according to the country, the AS or the IP address, and see how top values like port:open compare to the unfiltered results.
  • Or we can filter according to a characteristic of the scan results (say, hosts with TCP/80 open) and see how that affects the top AS and top country rankings.

Dig into the data: a basic example

Say we have been surprised by the rank of TCP port 10001 in top port:open values (532 out of 12160 results, 4.375%, while this port has an open frequency of 0.1292% according to Nmap) and we want to know if there is something to learn about it.

Add a filter with 10001 alone and look at the probedservice:10001 top values:

[Image: ivre-top-services-10001.png]

We can see that this port is often used as an alternative port for various services (maybe to reach equipment behind NAT), including remote access services (such as Telnet, SSH, and occasionally VNC and RDP) and HTTP.

If we look at the port:open top values while keeping the filter 10001, we see that ports 10000 to 10012 at least are also used quite often in this set, which tends to confirm our guess of alternative port usage for port 10001.

Let’s now exclude hosts with ports 10000 or 10002 open (add a filter -10000,10002), and look at the probedservice:10001 top values again:

[Image: ivre-top-services-10001-wo-10000-10002.png]

Here we see that the papouch-tme service is prominent. Click that line to add a filter for hosts with that service on port 10001, then remove the -10000,10002 filter, which is now useless. We have identified that one cause of the large number of hosts with port 10001 open is a set of “Papouch TME Ethernet thermometer” devices exposed on the Internet (0.485% of the whole data set, 11% of the hosts with port 10001 open).

[Image: ivre-papouch-screenshot.jpg]

This example illustrates how one can browse the data with IVRE, by adding filters and looking at the effect on some top values (or least common values, using - before the value name).
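The filter-and-top-values workflow of this section, reproduced in plain Python over IVRE-style JSON records. This is an added example, not IVRE's own code: the record layout (addr, a ports list with state_state and service_name) is a simplified assumption modelled on IVRE's Nmap documents, and the nine hosts are constructed, so the counts and percentages it produces are those of the toy set, not of the published scan.

```python
"""Filter hosts and rank "top values" on IVRE-style scan records.

Added example (not IVRE code).  Record layout is an assumed, trimmed-down
version of IVRE's Nmap documents; SAMPLE is constructed, not real scan data.
"""
from collections import Counter


def host(addr, *ports):
    """Build one constructed record: every listed port is open."""
    return {"addr": addr,
            "ports": [{"port": p, "protocol": "tcp", "state_state": "open",
                       "service_name": svc} for p, svc in ports]}


# Constructed data set: every host answered on 502 (the scan's selection
# criterion); some also expose the 10000-10003 range.
SAMPLE = [
    host("192.0.2.1", (502, "modbus"), (10000, "telnet"), (10001, "telnet"), (10002, "telnet")),
    host("192.0.2.2", (502, "modbus"), (10000, "http"), (10001, "ssh")),
    host("192.0.2.3", (502, "modbus"), (10001, "papouch-tme")),
    host("192.0.2.4", (502, "modbus"), (80, "http"), (10001, "papouch-tme")),
    host("192.0.2.5", (502, "modbus"), (80, "http")),
    host("192.0.2.6", (502, "modbus"), (10001, "http"), (10002, "http")),
    host("192.0.2.7", (502, "modbus"), (10000, "ssh"), (10001, "telnet")),
    host("192.0.2.8", (502, "modbus"), (10001, "telnet"), (10003, "telnet")),
    host("192.0.2.9", (502, "modbus")),
]


def open_ports(rec):
    """Set of TCP ports reported open on one host."""
    return {p["port"] for p in rec["ports"] if p["state_state"] == "open"}


def service_on(rec, port):
    """Service name probed on an open port, or None."""
    for p in rec["ports"]:
        if p["port"] == port and p["state_state"] == "open":
            return p.get("service_name")
    return None


def filter_hosts(recs, ports=(), not_ports=(), service=None):
    """Mimic the Web UI filters: ports=[10001] is the filter "10001",
    not_ports=[10000, 10002] is "-10000,10002", and service=(10001,
    "papouch-tme") is the filter added by clicking a probedservice line."""
    kept = []
    for rec in recs:
        opened = open_ports(rec)
        if not set(ports) <= opened:
            continue
        if opened & set(not_ports):
            continue
        if service is not None and service_on(rec, service[0]) != service[1]:
            continue
        kept.append(rec)
    return kept


def top_values(recs, values, least=False):
    """Rank the values produced by values(rec) over all hosts; least=True
    gives the least common ones first (the "-" prefix in the Web UI)."""
    counter = Counter()
    for rec in recs:
        counter.update(values(rec))
    ranked = counter.most_common()
    return ranked[::-1] if least else ranked


def top_open_ports(recs, least=False):
    """port:open top values."""
    return top_values(recs, open_ports, least)


def top_services_on(recs, port, least=False):
    """probedservice:<port> top values."""
    def values(rec):
        svc = service_on(rec, port)
        return [svc] if svc else []
    return top_values(recs, values, least)


def share(part, whole):
    """Percentage of `whole` covered by `part`, rounded to three decimals."""
    return round(100.0 * len(part) / len(whole), 3)


if __name__ == "__main__":
    print("port:open", top_open_ports(SAMPLE)[:4])
    with_10001 = filter_hosts(SAMPLE, ports=[10001])
    print("probedservice:10001", top_services_on(with_10001, 10001))
    narrowed = filter_hosts(SAMPLE, ports=[10001], not_ports=[10000, 10002])
    print("... without 10000/10002", top_services_on(narrowed, 10001))
    papouch = filter_hosts(SAMPLE, service=(10001, "papouch-tme"))
    print("papouch-tme hosts: %.3f%% of all, %.3f%% of port-10001 hosts"
          % (share(papouch, SAMPLE), share(papouch, with_10001)))
```

On the toy set the same thing happens as in the walkthrough above: Telnet dominates probedservice:10001 until the hosts that also expose 10000 or 10002 are excluded, after which papouch-tme comes out on top; the last two numbers are the toy-set equivalents of the 0.485% and 11% figures.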

Usual suspects

IVRE comes with some “preset” filters accessible from the menus. While some of them are not useful with this data set, I encourage you to try them, and to propose new ones you often use or would like to have.

Screenshots

One can add screenshots to scan results in IVRE, and I have done so for this scan, for some services. You can browse them by choosing “Screenshots” from the “Fun” menu.

Here are some examples of screenshots in the database:

[Images: SCRWEB01 SCRWEB02 SCRWEB03 SCRWEB04 SCRRDP01 SCRRDP02]

Yes, do this at home

The methodology used here is quite simple. You need to have IVRE, Zmap and Nmap installed.

  • Run a Zmap scan against the routable IPv4 address space for open TCP/502 ports:
    • Use IVRE’s command runscans --output=ListCIDRs --routable to generate ZMap whitelist, and use /dev/null as the blacklist.
  • Run a first Nmap scan using a TCP SYN ping on port 502 (-PS502) and a TCP SYN scan of port 502 (-sS -p 502) with the modbus-discover NSE script. Keep only the addresses whose port 502 is identified as a Modbus service.
  • Run Nmap against the 1000 most common TCP ports plus some missing ports often used on industrial systems, with version scan, some NSE scripts, traceroute, etc.
  • (Optional) Add screenshots for some services.
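What the identification step actually sends and checks, as an added example written for this page rather than the modbus-discover script itself: two Modbus/TCP requests (Report Slave ID, function 0x11, and Read Device Identification, function 0x2B with MEI type 0x0E) built from the MBAP header and PDU layouts of the Modbus/TCP specification, and a parser that accepts both a normal answer and a Modbus exception (an “illegal function” reply still proves that the listener speaks Modbus) while rejecting anything that is not a well-formed Modbus/TCP frame for our request. The SAMPLE_* response bytes are constructed by hand, not captured from a device, and the probe() function that talks to a live host is only shown, not run here.

```python
"""Modbus/TCP identification probe, in the spirit of Nmap's modbus-discover.

Added example for this page; not the NSE script and not IVRE code.
Frame layouts follow the Modbus/TCP specification (MBAP header + PDU).
The SAMPLE_* responses are constructed by hand, not captured from a device.
"""
import socket
import struct

READ_DEVICE_ID = 0x2B   # function 43
MEI_DEVICE_ID = 0x0E    # MEI type 14: Read Device Identification
REPORT_SLAVE_ID = 0x11  # function 17
EXCEPTION_CODES = {1: "illegal function", 2: "illegal data address",
                   3: "illegal data value", 4: "slave device failure"}
BASIC_OBJECTS = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}


def mbap(transaction_id, unit_id, pdu):
    """Prefix a PDU with the 7-byte MBAP header: transaction id, protocol
    id (always 0 for Modbus), length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_device_id(transaction_id=1, unit_id=1):
    """Read Device Identification, read code 1 (basic objects) from object 0."""
    return mbap(transaction_id, unit_id,
                bytes([READ_DEVICE_ID, MEI_DEVICE_ID, 0x01, 0x00]))


def build_report_slave_id(transaction_id=2, unit_id=1):
    """Report Slave ID carries no request data."""
    return mbap(transaction_id, unit_id, bytes([REPORT_SLAVE_ID]))


def parse_response(frame, transaction_id):
    """Return a dict describing a Modbus/TCP answer, or None when the bytes
    are not a well-formed frame for our request (wrong tid, protocol or
    length): that is the "is it really Modbus?" decision."""
    if len(frame) < 9:  # MBAP (7) + function (1) + at least one data byte
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or tid != transaction_id or length != len(pdu) + 1:
        return None
    func = pdu[0]
    if func & 0x80:  # exception: still a Modbus speaker, just unwilling
        code = pdu[1]
        return {"unit": unit, "function": func & 0x7F,
                "exception": EXCEPTION_CODES.get(code, code)}
    if func == READ_DEVICE_ID and pdu[1] == MEI_DEVICE_ID and len(pdu) >= 7:
        # 2B 0E readcode conformity morefollows nextobj count, then objects
        count, pos, objects = pdu[6], 7, {}
        for _ in range(count):
            if pos + 2 > len(pdu):
                break  # truncated object list
            obj_id, obj_len = pdu[pos], pdu[pos + 1]
            value = pdu[pos + 2:pos + 2 + obj_len]
            if len(value) != obj_len:
                break  # truncated object value
            objects[BASIC_OBJECTS.get(obj_id, obj_id)] = value.decode("ascii", "replace")
            pos += 2 + obj_len
        return {"unit": unit, "function": func, "objects": objects}
    if func == REPORT_SLAVE_ID:
        # byte count, then device-specific slave id / run indicator bytes
        count = pdu[1]
        return {"unit": unit, "function": func, "slave_id": pdu[2:2 + count].hex()}
    return {"unit": unit, "function": func, "raw": pdu[1:].hex()}


def probe(host, port=502, unit_id=1, timeout=3.0):
    """Send both requests to a live device (not exercised by the samples)."""
    results = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for tid, req in ((1, build_read_device_id(1, unit_id)),
                         (2, build_report_slave_id(2, unit_id))):
            sock.sendall(req)
            results.append(parse_response(sock.recv(260), tid))  # 260 = max ADU
    return results


# Constructed answers (hand-built, not captured): a device that answers
# Read Device Identification, one that rejects it with an exception, a
# Report Slave ID answer, and a non-Modbus banner found on port 502.
SAMPLE_DEVICE_ID = mbap(1, 1, bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
                        + b"\x00\x09ExampleCo" + b"\x01\x06PLC-42" + b"\x02\x031.0")
SAMPLE_EXCEPTION = mbap(1, 1, bytes([0x2B | 0x80, 0x01]))
SAMPLE_SLAVE_ID = mbap(2, 1, bytes([0x11, 0x03, 0x42, 0xFF, 0x00]))
NOT_MODBUS = b"SSH-2.0-OpenSSH_7.4\r\n"

if __name__ == "__main__":
    for frame, tid in ((SAMPLE_DEVICE_ID, 1), (SAMPLE_EXCEPTION, 1),
                       (SAMPLE_SLAVE_ID, 2), (NOT_MODBUS, 1)):
        print(parse_response(frame, tid))
```

Two details matter for a census like this one: the transaction id and length checks are what separate a real Modbus/TCP speaker from a service that merely echoes or sends its own banner on 502, and an exception response must be counted as a hit, since many devices refuse Read Device Identification yet are perfectly reachable Modbus endpoints. Note that Report Slave ID data is device-specific, so the example only returns its raw bytes.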

I have run the scan from a Linode host; the guys there have really been great and helpful.

Q & A

Why did you publish this scan result?

I wanted to have a publicly available data set to show how IVRE works and what one can do with it. I also thought it would be nice to have a kind of census of Internet-exposed Modbus. So I ran this scan and published the results.

By making these results available to everyone, and by showing how easy it is to obtain equivalent results, I hope people will understand the danger of leaving weak devices reachable from the Internet.


Have you been annoyed by abuse mails?

No.


Is this scan result comprehensive?

No it’s not. For a host to be present in this scan result, it needs:
  • To have answered with a SYN-ACK packet to the SYN packet sent by Zmap to its port 502.
  • To have answered again during the first Nmap scan on the same port 502 in such a way that Nmap’s script modbus-discover recognizes it as a Modbus service.
  • To have been kind enough to let Nmap terminate its scan (1k ports + some NSE scripts) within a reasonable time.

If you cannot find your Modbus-enabled, Internet-exposed device, please drop me a mail with the IP address so that I can add it.


How can I contact you about IVRE or about this scan?

Use the email alias ivre on the domain droids-corp.org, or use Twitter (@pi3rre). You can also join #ivre on Freenode (I’m pl- there).