A few weeks ago I asked people on Twitter what sort of new ports/services they’d like me to add to Shodan. I received a lot of awesome feedback which resulted in Shodan now crawling for more than 170 ports (!!!). One of those requests was for the FINS protocol created by Omron:
By the way, I’m always looking to add more ports to Shodan, so if there’s something you’d like to see me add, just let me know which port and protocol you’re interested in! Anyway, I did some quick Googling to learn more about the FINS protocol and stumbled across the following advice in the official Omron documentation (PDF):
Just to reiterate: they’re saying that because their device (an Omron PLC) doesn’t run a Windows-based operating system, it is impenetrable to standard hacking methods. I’m also not sure what they mean by the sentence about not responding to “standard ethernet protocol commands”, since the FINS protocol in this case operates over UDP and/or TCP. Either way, this is a good example of why so many control systems can be found on the Internet. The document is a few years old now (released in 2009), so Omron as a company might’ve improved its stance on Internet security, but control systems are a slow-moving world and this sort of mentality has lingered for a long time.
So what about the initial request to add Omron FINS to Shodan? After reviewing the pcaps in Wireshark and trying to find a simulator, I hit a roadblock and stopped making progress. Fortunately, Stephen Hilt picked it up as a challenge and within a few days was able to create fully working Nmap scripts for both the TCP and UDP versions of the Omron FINS protocol. If you’re interested in doing ICS analysis with Nmap, that should be your go-to location for getting started. Thanks to Stephen’s work, I was able to convert the NSEs into Python scripts for my crawler, and it’s now possible to find Omron FINS devices on the Internet via Shodan:
The data is still flowing in, so the current results are a lower bound, but FINS has been added to the list of services that Shodan permanently crawls for, in order to keep track of how the exposure of these devices changes over time.
PS: If there is a port/protocol that you’d like to see in Shodan, please email the information to email@example.com 🙂
The first Shodan search that I remember people sharing like wildfire on Twitter was for an HP LaserJet printer. In the early days of Shodan, before all the SCADA devices came to light, the majority of searches were for consumer devices such as printers, routers and webcams (the latter are still widely popular). Inspired by a cool new tool from @info_dox, I decided to start crawling the Internet specifically for printers using the Printer Job Language (PJL) protocol on port 9100. Obviously there aren’t as many of these devices out there as web servers, but within a few hours I had gathered enough to start analyzing the data and see what sort of cool stuff I could learn.
1. Global Map of Public Printers
To give you an idea for where these printers are located I’ve created the map below, where each red dot indicates an instance of a printer that is connected to the Internet and allows connections from anywhere in the world. The breakdown by country is:
- United States: 2692
- South Korea: 494
- Taiwan: 336
- Canada: 266
- Germany: 203
The surprise standouts in that list are South Korea and Taiwan; I expected the devices to follow the general distribution seen for other services (i.e. United States > China > Mexico > Russia > Germany).
2. Overexposed Universities
Not surprisingly, universities have a lot of printers, but they appear to be more exposed than one would anticipate. Out of the top 100 organizations running public printers, 58 of them are universities and another 4 are academic institutions. That means roughly 2/3 of all publicly exposed printers so far operate on an academic network.
The above explains why Taiwan is so high on the list of countries with publicly available printers: the Taiwan Academic Network and its Information Center have nearly 100 printers online. It looks like they’re single-handedly putting Taiwan on the map! It’s also interesting that there are so many devices on Korea Telecom’s network; I don’t have a good explanation for that. If anybody has an explanation for why there are so many in South Korea and on Comcast, please let me know.
3. Need Toner?
An interesting side effect of the crawling is that I can determine via Shodan which organizations are low on toner and are likely due for a refresh. Many printers advertise in their banner whether they’re running low and the user needs to order new toner. Note that no authentication is required to obtain this information. So here I present the top 10 organizations that will be needing new toner very soon 🙂
At the time of writing, the top position was shared between the University of California San Francisco and the University of Pennsylvania, with 4 printers needing toner each. They were narrowly followed by the University of California Santa Cruz with 3 printers. There is a very long tail of organizations that need to replace the toner on 2 printers, for a total of 137 printers that need a replacement.
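To show what the crawler is actually reading when it counts exposed printers and low-toner warnings, here is an added example (not the Shodan crawler’s code) that parses captured PJL `@PJL INFO STATUS` replies from port 9100 and aggregates them per organization. The banners, IP addresses and organization names are constructed, and the HP-style status code 10006 for “toner low” is an assumption, so the display text is checked as well.

```python
import re
from collections import Counter

# Constructed sample replies, keyed by (ip, organization), as a printer on
# TCP/9100 would return them to an unauthenticated "@PJL INFO STATUS" query.
# These are not real device banners. The last entry is a non-printer answer.
SAMPLE_BANNERS = {
    ("203.0.113.10", "Example University"):
        '@PJL INFO STATUS\r\nCODE=10001\r\nDISPLAY="Ready"\r\nONLINE=TRUE\r\n\x0c',
    ("203.0.113.11", "Example University"):
        '@PJL INFO STATUS\r\nCODE=10006\r\nDISPLAY="Toner Low"\r\nONLINE=TRUE\r\n\x0c',
    ("198.51.100.7", "Example Telecom"):
        '@PJL INFO STATUS\r\nCODE=10006\r\nDISPLAY="TONER LOW REPLACE"\r\nONLINE=FALSE\r\n\x0c',
    ("198.51.100.9", "Example Telecom"):
        'HTTP/1.1 400 Bad Request\r\n\r\n',
}

# Assumption: HP printers report a low-toner warning as PJL status code 10006.
# Other vendors may use different codes, so the DISPLAY text is checked too.
TONER_LOW_CODE = 10006


def parse_pjl_status(banner):
    """Return the KEY=VALUE fields of a PJL INFO STATUS reply, or None if it is not one."""
    lines = banner.strip("\x0c\r\n").split("\r\n")
    if not lines or not lines[0].startswith("@PJL INFO STATUS"):
        return None
    fields = {}
    for line in lines[1:]:
        m = re.match(r"^([A-Z]+)=(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip('"')
    return fields


def toner_low(fields):
    """True when the status code or the front-panel text signals low toner."""
    if fields is None:
        return False
    if fields.get("CODE", "").isdigit() and int(fields["CODE"]) == TONER_LOW_CODE:
        return True
    return "TONER LOW" in fields.get("DISPLAY", "").upper()


def summarize(banners):
    """Count, per organization, printers answering PJL unauthenticated and those low on toner."""
    exposed, low = Counter(), Counter()
    for (_ip, org), banner in banners.items():
        fields = parse_pjl_status(banner)
        if fields is None:
            continue  # not a PJL speaker, so not counted as an exposed printer
        exposed[org] += 1
        if toner_low(fields):
            low[org] += 1
    return exposed, low
```

Run against a site’s own port-9100 responses, `summarize` gives the same two numbers the post tracks: how many printers answer anonymously, and how many of them are already reporting low toner.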
I will be watching these numbers develop over time (using a Google Spreadsheet), and I could theoretically also determine when the toner has been replaced which I might do in a follow-up post. Until then, enjoy the data and let me know if you discover anything interesting!