NOVUS Automation makes software called SuperView that “is a Supervisory Control and Data Acquisition software (SCADA) that brings to the user a visual development model to create applications. Besides communication with Modbus RTU and Modbus TCP devices, also is posible to use SuperView stations operating in Client or Server modes allowing distributed supervision of a process or system.” When creating a new application in the software a default admin account is also created:
Posts Tagged ‘SCADA’
With these you can log into the web interface and access a few menu items:
Accessing via telnet works even if the root password has been changed. The system runs on BusyBox:
df:~ # telnet 184.108.40.206
Connected to 220.127.116.11.
Escape character is ‘^]’.
deif-00-B0-49 login: root
deif-00-B0-49 login: default
warning: cannot change to home directory
You can also fingerprint the device via TCP port 44818 (EtherNetIP) which gives:
Product name: DEIF ML-2)
Vendor ID: 1284
Serial number: 0xcadb00c8
Device type: Communications Adapter
Device IP: 18.104.22.168
Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). Simple and robust, it has since become a de facto standard communication protocol, and it is now a commonly available means of connecting industrial electronic devices.
This protocol is used by a lot of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. Version 1.1b of the MODBUS Application Protocol, maintained by the Modbus Organization, outlines “Read Device Identification” functionality. This lets a remote client query a system for information and does not require authentication.
6.21 43 / 14 (0x2B / 0x0E) Read Device Identification
This function code allows reading the identification and additional information relative to the physical and functional description of a remote device, only.
Some systems may not give up much information but others give up the vendor, device, version, project information (which can include full path disclosure), and more. Shodan already uses this method to fingerprint systems:
The admin manual has the default credentials for the turbine:
Fortunately you can only see and change a few network settings and get statistics on the turbine. It doesn’t appear you can shut it down or harm it:
The NiagaraAX platform supports the Tridium Fox tunneling protocol to communicate between two stations. By default the Fox tunneling protocol will be found on TCP port 1911 for NiagaraAX (version 3.3 and likely most others) which is the proxy server component. While using Shodan I saw that the port gives up system information without authenticating. When searching for information on how the protocol works I found that Digital Bond already wrote a NMAP NSE script to interface with the port and enumerate information! This saved a lot of time! This port will give up the protocol version, internal IP address (sometimes), Niagara-AX application name and version, Java client and version, OS, a host ID and VM UUID. Some systems can also give up time zone, brand ID, and other system information.
df:/tmp/ # nmap -p 1911 –script fox-info.nse 22.214.171.124
Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-17 15:37 MDT
Nmap scan report for 126.96.36.199 (188.8.131.52)
Host is up (0.22s latency).
PORT STATE SERVICE
1911/tcp open Niagara Fox
| Fox Version: 1.0.1
| Host Name: 192.168.1.222
| Host Address: 192.168.1.222
| Application Name: Station
| Application Version: 184.108.40.206
| VM Name: Java HotSpot(TM) Client VM
| VM Version: 1.5.0_34-b28
| OS Name: QNX
| Host ID: Qnx-NPM6E-0000-15F8-5632
| VM UUID: 11d4ee1b-e043-31a8-0000-000000008605
|_ Brand ID: webeasy.products
Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
Advantech WebAccess is a “browser-based HMI and SCADA software” that controls many of their products. According to the manual, it has default administrative credentials:
3.1.1 Default Login – Name and Password
1. In the Login Name field type: admin
2. Leave Password field blank (i.e. no password).
Carlo Gavazzi is an international group active in designing, manufacturing and marketing electronic equipment.
The Group’s products (sensors, monitoring relays, timers, energy management systems, solid state-relays, safety devices, fieldbus systems) provide automation solutions for the global markets of industrial and building automation.
2.4 USERS AND PASSWORDS
The installing program sets two default users on the system:
These default users can access all the PowerSoft functions (according to the relevant level, see below) but, for safety reasons, it is suggested to create at least a new “Administrator” user (or more of them and the required simple “Users”= and then delete both the default users.
The “User” can access all the data, acknowledge the alarms, and ask for any report, also via web-server.
The “Administrator” can access all the “User’s functions and, in addition, can configure Powersoft and all the relevant modules
A user without the password can only access the real-time values and display the active alarms list.
This device is marked as Schneider Electric and Telemecanique:
From the manual:
Using an FTP client, store your rules in the file:
user ID: ntpupdate
Default FTP Setup page via HTTP
1 Enter the new username. (The default is USER.)
2 Enter the new password. (The default is USER.)
Default HTTP credentials
1 Enter the new username (default is USER).
2 Enter the new password (default is USER)
The BMX NOE 0110 and BMX NOR 0200H also have the default USER / USER account.