A few weeks ago I asked people on Twitter what sort of new ports/services they’d like me to add to Shodan. I received a lot of awesome feedback which resulted in Shodan now crawling for more than 170 ports (!!!). One of those requests was for the FINS protocol created by Omron:
By the way, I’m always looking to add more ports to Shodan so if there’s something you’d like to see me add just let me know which port and protocol you’re interested in! Anyways, I did some quick Googling to learn more about this FINS protocol and I stumbled across the following advice in the official Omron documentation (PDF):
Just to reiterate: they’re saying that because their device (an Omron PLC) isn’t running a Windows-based operating system, it is impenetrable to the standard hacking methods. And I’m not sure what they mean with the following sentence about not responding to “standard ethernet protocol commands”, since the FINS protocol in this case operates over UDP and/or TCP. Either way, this is a good example of why many control systems can be found on the Internet. This document is a few years old now (released in 2009) so Omron as a company might’ve improved their stance on Internet security, but control systems are a slow-moving world and this sort of mentality has lingered for a long time.
So what about the initial request to add Omron FINS to Shodan? After reviewing the pcaps in Wireshark and trying to find a simulator, I hit a road block and stopped making progress. Fortunately, Stephen Hilt picked it up as a challenge and within a few days was able to create fully-working Nmap scripts for both TCP and UDP versions of the Omron FINS protocol. If you’re interested in doing ICS analysis with Nmap, that should be your go-to location for getting started. Thanks to Stephen’s work, I was able to convert the NSEs into Python scripts for my crawler and it’s now possible to find Omron FINS devices on the Internet via Shodan:
The data is still flowing in so the current results are a lower bound, but FINS has been added to the list of services that Shodan permanently crawls for, to keep track of how the exposure of these devices changes over time.
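To make the crawl concrete, here is an added example (my own illustration, not Shodan’s crawler code and not Stephen Hilt’s NSE) of the minimal FINS/UDP exchange: build the 10-byte FINS header plus a Controller Data Read command (MRC 0x05, SRC 0x01) to send to UDP port 9600, then pull the model and version strings out of the reply. The node addresses, the service ID and the sample response bytes are all constructed for the example; FINS/TCP wraps the same frame in an extra "FINS" frame header and a node-address handshake, which this example does not cover.

```python
import struct

# FINS/UDP header fields (10 bytes), per the public FINS frame layout.
ICF_COMMAND = 0x80   # command frame, response required
ICF_RESPONSE = 0xC0  # response frame
GCT = 0x02           # gateway count

# Controller Data Read (MRC 0x05, SRC 0x01): asks the PLC for model/version.
CONTROLLER_DATA_READ = b"\x05\x01"


def build_fins_udp_probe(dest_node, src_node, sid=0):
    """Build the FINS/UDP frame a crawler would send to port 9600.
    Network addresses are 0 (local network) and unit addresses are 0
    (the CPU unit); the node numbers are whatever the caller picks."""
    header = struct.pack(
        "BBBBBBBBBB",
        ICF_COMMAND, 0x00, GCT,
        0x00, dest_node, 0x00,   # DNA, DA1, DA2
        0x00, src_node, 0x00,    # SNA, SA1, SA2
        sid,
    )
    return header + CONTROLLER_DATA_READ


def parse_controller_data_response(frame):
    """Parse a Controller Data Read response frame. Returns a dict with the
    command code, service ID and end code; when the end code is 0x0000 the
    20-byte controller model and 20-byte version fields are decoded too."""
    if len(frame) < 14:
        raise ValueError("frame too short for FINS header + command + end code")
    if frame[0] & 0x40 == 0:
        raise ValueError("not a FINS response frame (ICF response bit clear)")
    mrc, src = frame[10], frame[11]
    end_code = struct.unpack(">H", frame[12:14])[0]
    result = {"command": (mrc, src), "end_code": end_code, "sid": frame[9]}
    if (mrc, src) != (0x05, 0x01) or end_code != 0:
        return result  # error reply or a different command; nothing to decode
    data = frame[14:]
    if len(data) < 40:
        raise ValueError("controller data truncated")
    result["model"] = data[0:20].decode("ascii", "replace").strip()
    result["version"] = data[20:40].decode("ascii", "replace").strip()
    return result


# Constructed sample reply (not a capture): response ICF, addresses swapped,
# end code 0x0000, then space-padded model and version fields plus filler for
# the remaining controller-data bytes.
SAMPLE_RESPONSE = (
    bytes([ICF_RESPONSE, 0x00, GCT, 0x00, 0x0A, 0x00, 0x00, 0x01, 0x00, 0x00])
    + CONTROLLER_DATA_READ
    + b"\x00\x00"
    + b"CJ2M-CPU33".ljust(20)
    + b"02.01".ljust(20)
    + b"\x00" * 40
)

if __name__ == "__main__":
    print(build_fins_udp_probe(dest_node=1, src_node=10).hex())
    print(parse_controller_data_response(SAMPLE_RESPONSE))
```

A device that answers this probe with end code 0x0000 is speaking FINS to the open Internet; a crawler never needs to send a write command to establish that, and the example deliberately stops at the read-only query.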
PS: If there is a port/ protocol that you’d like to see in Shodan please email me the information to firstname.lastname@example.org 🙂
Telnet just doesn’t seem to die, and with millions of devices on the Internet still running it I don’t expect it to go away anytime soon. In fact, new products often use Telnet as an easy way to enable remote access to their device (see https://github.com/swisspol/GCDTelnetServer). To better keep track of which features the Telnet servers of the Internet support, the banners for Telnet now also include information about which options were negotiated during the initial connection:
In addition to the banner, you can now access the do, dont, will and wont options that the Telnet server sent during negotiation. You’ll also be able to facet on these properties once the next API update comes out, which will make it easy to get a feel for how Telnet usage changes over time. Hopefully, more secure options will become easier to work with for the average developer and we’ll see fewer Telnet servers in the coming years.
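For readers who want to extract the same do/dont/will/wont information from their own captures, here is an added example (my own code, not Shodan’s crawler) that splits the bytes a Telnet server sends on connect into the option negotiation and the plain banner text, and builds the refuse-everything reply a passive scanner can send so the server stops waiting. The sample bytes are constructed for the example, not taken from a real device, and the option-name table is a subset of the IANA Telnet options registry.

```python
# Telnet command bytes (RFC 854).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# A subset of the IANA Telnet options registry: the options that show up
# most often in the first bytes from an Internet-facing server.
OPTION_NAMES = {
    0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
    24: "TERMINAL-TYPE", 31: "NAWS", 32: "TERMINAL-SPEED",
    33: "TOGGLE-FLOW-CONTROL", 34: "LINEMODE", 35: "X-DISPLAY-LOCATION",
    39: "NEW-ENVIRON",
}
VERB_NAMES = {DO: "do", DONT: "dont", WILL: "will", WONT: "wont"}


def parse_telnet_banner(data):
    """Split what a Telnet server sends after connect into negotiation and
    banner text. Returns {"do": [...], "dont": [...], "will": [...],
    "wont": [...], "banner": str}. Subnegotiations (IAC SB ... IAC SE) are
    skipped, an escaped IAC (IAC IAC) is kept as a literal 0xFF byte, and a
    truncated sequence at the end of the capture ends parsing cleanly."""
    result = {"do": [], "dont": [], "will": [], "wont": []}
    text = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break  # dangling IAC at end of capture
        verb = data[i + 1]
        if verb == IAC:
            text.append(IAC)  # escaped literal 0xFF
            i += 2
        elif verb in VERB_NAMES:
            if i + 2 >= len(data):
                break  # negotiation cut off before the option byte
            result[VERB_NAMES[verb]].append(data[i + 2])
            i += 3
        elif verb == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break  # unterminated subnegotiation
            i = end + 2
        else:
            i += 2  # other two-byte IAC commands (NOP, GA, ...)
    result["banner"] = text.decode("latin-1")
    return result


def option_name(num):
    return OPTION_NAMES.get(num, "OPTION-%d" % num)


def refuse_all(negotiation):
    """Reply a passive crawler can send: answer every DO with WONT and every
    WILL with DONT, so nothing is ever enabled on our side."""
    out = bytearray()
    for opt in negotiation["do"]:
        out += bytes([IAC, WONT, opt])
    for opt in negotiation["will"]:
        out += bytes([IAC, DONT, opt])
    return bytes(out)


# Constructed sample of a router-style Telnet greeting: four DOs, two WILLs,
# a TERMINAL-TYPE subnegotiation and then the login prompt.
SAMPLE = (b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"
          b"\xff\xfb\x03\xff\xfb\x01"
          b"\xff\xfa\x18\x01\xff\xf0"
          b"\r\nUser Access Verification\r\n\r\nUsername: ")

if __name__ == "__main__":
    parsed = parse_telnet_banner(SAMPLE)
    for verb in ("do", "dont", "will", "wont"):
        print(verb, [option_name(o) for o in parsed[verb]])
    print(repr(parsed["banner"]))
    print(refuse_all(parsed).hex())
```

The parser is deliberately strict about truncation: a crawler with a short read timeout frequently gets half a negotiation, and treating the trailing bytes as banner text would pollute the options you later want to facet on.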
SSH was one of the first protocols that I started crawling for 5 years ago because just connecting to the daemon already tells you what it’s running. That is, you don’t have to send any data to SSH in order to get something interesting back. There have been some incremental improvements to add product and version detection but beyond that it’s stayed mostly the same.
Introducing the new, sexier SSH banner:
The crawlers now collect the key, key type, fingerprint, MAC and cipher used for each successful SSH connection! And alongside these changes the API has also been enhanced with 4 new facets for SSH:
I hope you enjoy the new banner and information that’s being gathered for SSH now! Let me know if there are other banners you’d like to see improved as well.
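As an added illustration of what the new SSH fields contain (my own example, not Shodan’s crawler code), the following parses the RFC 4253 identification string a server sends on connect and derives the key type and the MD5 and SHA256 fingerprints from a host key in the form OpenSSH prints it. The key blob is constructed for the example with a fixed 32-byte public-key field so the result is reproducible; it is not a real host key. Negotiated MAC and cipher are not shown because they only exist once a full key exchange has run, which needs a live connection.

```python
import base64
import hashlib
import re
import struct

# RFC 4253: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_identification(line):
    """Parse the identification line an SSH server sends on connect.
    Returns None for a line that is not an SSH identification string
    (servers may send other lines first, so keep reading until one matches)."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {"protoversion": m.group("proto"),
            "softwareversion": m.group("software"),
            "comments": m.group("comments") or ""}


def read_ssh_string(blob, offset):
    """Read one uint32-length-prefixed string from SSH wire-format data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    if offset + 4 + n > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:offset + 4 + n], offset + 4 + n


def fingerprint_host_key(key_line):
    """Take a host key as "<type> <base64 blob> [comment]" and return the key
    type embedded in the blob plus MD5 (colon-hex) and SHA256 (base64, no
    padding) fingerprints in the formats ssh-keygen prints."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    declared_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    wire_type, _ = read_ssh_string(blob, 0)
    wire_type = wire_type.decode("ascii")
    if wire_type != declared_type:
        # The label and the blob disagree: malformed or tampered input.
        # Refuse rather than index the key under the wrong type.
        raise ValueError("declared %s but blob says %s" % (declared_type, wire_type))
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": wire_type,
        "md5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
        "sha256": "SHA256:" + sha256,
    }


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


# Constructed sample: a well-formed ssh-ed25519 blob with a fixed 32-byte
# public-key field. Not a real key; only the framing is realistic.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " sample"
SAMPLE_IDENT = "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"

if __name__ == "__main__":
    print(parse_identification(SAMPLE_IDENT))
    print(fingerprint_host_key(SAMPLE_KEY_LINE))
```

Hashing the raw blob (not the base64 text) is what makes these fingerprints match the ones ssh-keygen -l prints, and checking the embedded type against the label catches keys that were mis-scraped or mislabeled before they go into an index.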