ICS Reconnaissance
Reconnaissance
Identifying ICS/OT systems requires specialized techniques. Many devices use unique protocols and appear differently from traditional IT assets on network scans.
Passive First
Start with passive reconnaissance. Active scanning of ICS networks can disrupt operations or crash controllers. Never scan production ICS environments without explicit authorization.
Passive Reconnaissance
Shodan Queries
Shodan indexes internet-facing ICS devices. Use it to identify exposed systems and understand the attack surface.
```bash
# General ICS searches
port:502        # Modbus
port:102        # Siemens S7
port:44818      # EtherNet/IP
port:47808      # BACnet
port:20000      # DNP3
port:1911,4911  # Niagara Fox
# Vendor-specific
"Siemens" port:102
"Allen-Bradley" port:44818
"Schneider Electric"
"Rockwell Automation"
product:"Modicon"
# HMI/SCADA systems
"Wonderware"
"FactoryTalk"
"WinCC"
http.title:"SCADA"
# By country/region
country:US port:502
city:"Houston" port:44818
# Vulnerable systems
vuln:CVE-2015-1015   # Schneider Modicon
vuln:CVE-2019-12255  # VxWorks
```
Censys Searches
```bash
# Censys queries for ICS
services.port:502 and protocols:"modbus"
services.port:102 and services.banner:"*S7*"
services.port:47808 and protocols:"bacnet"
# Search by certificate
services.tls.certificates.leaf.subject.organization:"Siemens"
# Exposed HMIs
services.http.response.html_title:"*HMI*"
services.http.response.html_title:"*SCADA*"
```
Google Dorking
```bash
# Find exposed ICS documentation
site:target.com filetype:pdf "SCADA"
site:target.com filetype:pdf "PLC programming"
site:target.com filetype:dwg   # AutoCAD drawings
# Exposed HMIs and dashboards
intitle:"Wonderware" inurl:portal
intitle:"FactoryTalk" inurl:login
inurl:"/portal/p/access" "Niagara"
# Configuration files
filetype:pcmp        # RSLogix project files
filetype:L5K         # Allen-Bradley export
filetype:xml "OPC"   # OPC configuration
# Exposed documentation
"network diagram" filetype:pdf site:target.com
"control system" filetype:ppt site:target.com
```
Asset Discovery
OSINT Sources
Public Filings
- NERC compliance documents
- Environmental permits
- SEC 10-K filings (infrastructure)
- County assessor records
- Building permits
Technical Sources
- Job postings (reveal tech stack)
- Vendor case studies
- Conference presentations
- LinkedIn profiles (engineers)
- GitHub repositories
ICS-Specific Search Engines
- Shodan - shodan.io - Best for ICS device discovery
- Censys - censys.io - Certificate and service enumeration
- FOFA - fofa.info - Chinese search engine, good for ICS
- ZoomEye - zoomeye.org - Device and service fingerprinting
Active Reconnaissance
Caution Required
Active scanning can crash ICS devices. Use only in lab environments or with explicit authorization and safety controls in place. Start with the lowest-intensity scans possible.
Safe Scanning Techniques
```bash
# Nmap - use with extreme caution on ICS networks
# Never use -T4 or -T5 on production ICS
# Very slow, minimal-impact scan
nmap -sS -T1 -p 102,502,20000,44818,47808 --max-retries 1 192.168.1.0/24
# Service detection (more intrusive)
nmap -sV -T2 -p 502 --script modbus-discover 192.168.1.100
# ICS-specific Nmap scripts (BACnet/IP is UDP, so bacnet-info needs -sU)
nmap -sU --script bacnet-info -p 47808 192.168.1.100
nmap --script enip-info -p 44818 192.168.1.100
nmap --script s7-info -p 102 192.168.1.100
nmap --script modbus-discover -p 502 192.168.1.100
# List available ICS scripts
ls /usr/share/nmap/scripts/ | grep -E "modbus|s7|bacnet|enip|dnp3"
```
Protocol-Specific Enumeration
```bash
# Modbus enumeration
# Read device identification with pymodbus (function 43 / Read Device Identification)
python3 -c "
from pymodbus.client import ModbusTcpClient
client = ModbusTcpClient('192.168.1.100')
client.connect()
result = client.read_device_information()
print(result)
client.close()
"
# Siemens S7 enumeration with s7scan
git clone https://github.com/klsecservices/s7scan
cd s7scan && python s7scan.py 192.168.1.100
# BACnet enumeration (Who-Is broadcast, devices answer with I-Am)
pip install BAC0
python3 -c "
import BAC0
bacnet = BAC0.lite()
devices = bacnet.whois()
for device in devices:
    print(device)
"
# EtherNet/IP enumeration (ListIdentity request via pycomm3)
python3 -c "
from pycomm3 import CIPDriver
print(CIPDriver.list_identity('192.168.1.100'))
"
```
Common ICS Ports
| Port | Protocol | Common Vendors |
|---|---|---|
| 102 | S7comm (ISO-TSAP) | Siemens |
| 502 | Modbus TCP | Many (universal protocol) |
| 4840 | OPC UA | Modern ICS systems |
| 20000 | DNP3 | Utilities (power, water) |
| 44818 | EtherNet/IP | Allen-Bradley, Rockwell |
| 47808 | BACnet | Building automation |
| 1911/4911 | Niagara Fox | Tridium/Honeywell |
| 789 | Red Lion Crimson | Red Lion |
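A defender-side counterpart to the slow port sweep shown under Safe Scanning Techniques: an added example, not from the original page, that flags any source touching several of the ICS ports in the table above within a short window, which is what separates a sweep from the single-port polling an HMI does. The log format (space-separated timestamp, source, destination, destination port, like a trimmed Zeek conn.log) and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# ICS ports from the table above; a sweep touches several of them from one source.
ICS_PORTS = {102, 502, 789, 1911, 4911, 4840, 20000, 44818, 47808}

# Constructed sample log (assumed format: ts src dst dport). 10.0.0.5 sweeps the
# ICS ports; 192.168.1.10 is an HMI polling Modbus on one port, which is normal.
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.168.1.100 502
1700000001 10.0.0.5 192.168.1.100 102
1700000002 10.0.0.5 192.168.1.101 44818
1700000003 10.0.0.5 192.168.1.102 47808
1700000004 10.0.0.5 192.168.1.103 20000
1700000010 192.168.1.10 192.168.1.100 502
1700000011 192.168.1.10 192.168.1.100 502
1700000012 192.168.1.10 192.168.1.105 502
"""

def parse_line(line):
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)

def detect_ics_sweeps(log_text, window=600, min_ports=3, min_hosts=3):
    """Return {src: {"ports": [...], "hosts": [...]}} for sources that, within
    `window` seconds, touched >= min_ports distinct ICS ports or >= min_hosts
    distinct destinations on ICS ports. Non-ICS ports are ignored entirely."""
    recent = defaultdict(list)   # src -> [(ts, dst, dport)] still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport not in ICS_PORTS:
            continue
        events = [e for e in recent[src] if ts - e[0] <= window]  # expire old events
        events.append((ts, dst, dport))
        recent[src] = events
        ports = {e[2] for e in events}
        hosts = {e[1] for e in events}
        if len(ports) >= min_ports or len(hosts) >= min_hosts:
            alerts[src] = {"ports": sorted(ports), "hosts": sorted(hosts)}
    return alerts

if __name__ == "__main__":
    for src, info in detect_ics_sweeps(SAMPLE_LOG).items():
        print(f"possible ICS sweep from {src}: ports={info['ports']} hosts={info['hosts']}")
```

Thresholds are deliberately low because a single extra ICS port from an unexpected source is already worth a look in a segmented OT network.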
Identifying Vendors
```bash
# Common ICS vendor MAC prefixes (OUI)
# Siemens: 00:1B:1B, 00:0E:8C
# Allen-Bradley/Rockwell: 00:00:BC
# Schneider Electric: 00:80:F4
# ABB: 00:21:99
# Honeywell: 00:40:84
# GE: 00:07:3E
# Find vendor from MAC
# Online: https://macvendors.com
# Or use arp-scan (grep needs -E for the alternation)
sudo arp-scan -l | grep -iE "siemens|schneider|rockwell|allen|abb"
# Identify by banner/response:
# - Siemens S7 returns specific identifiers
# - Modbus device identification function
# - BACnet device objects
```
Network Mapping
```bash
# Passive network monitoring
# Capture traffic to identify ICS protocols
sudo tcpdump -i eth0 -w ics_capture.pcap
# Analyze with Wireshark; display filters for ICS protocols:
#   modbus
#   s7comm
#   enip
#   bacnet
#   dnp3
# Identify network architecture. Look for:
# - VLANs and subnets
# - Firewall rules
# - Jump hosts/bastion hosts
# - Remote access points
# Document:
# - IP ranges by zone (Purdue level)
# - Protocol flows between zones
# - External connections
```
Reconnaissance Checklist
Passive Recon
- ☐ Search Shodan/Censys for exposed ICS
- ☐ Google dork for documentation and diagrams
- ☐ Review public filings and permits
- ☐ Analyze job postings for tech stack
- ☐ Check vendor case studies
Active Recon (Authorized Only)
- ☐ Slow port scan for ICS ports
- ☐ Protocol-specific enumeration
- ☐ Device identification
- ☐ Network architecture mapping
- ☐ Document vendor and firmware versions