Posts Tagged ‘SCADA’

NOVUS SuperView New Application Default Admin Account

February 3, 2016

NOVUS Automation makes software called SuperView that “is a Supervisory Control and Data Acquisition software (SCADA) that brings to the user a visual development model to create applications. Besides communication with Modbus RTU and Modbus TCP devices, also is possible to use SuperView stations operating in Client or Server modes allowing distributed supervision of a process or system.” When creating a new application in the software, a default admin account is also created:

[Image: novus-superview]

NOVUS AirGate-3G Dual SIM Industrial Cellular VPN Router Default Admin Credentials

February 2, 2016

NOVUS Automation makes a variety of products for ICS and SCADA management. The NOVUS AirGate-3G Dual SIM Industrial Cellular VPN Router installs with a default admin account according to the manual:

[Image: novus-airgate]

Falcon USHA UPS SNMP HTTP Agent Default Admin Credentials

January 28, 2016

Falcon UPS devices use an SNMP/HTTP agent for remote administration. According to the manual, it ships with default admin credentials:

Click the Become Administrator button at the bottom of the screen. Enter USHA as the login name and admin as the password. (Case sensitive)

[Image: usha-config]

DEIF Wind Power Technology AWC 500 Wind Turbine Multiple Default Accounts

May 15, 2015

DEIF Wind Power Technology makes the model AWC 500 wind turbine that allows remote access via telnet, SSH and HTTP. According to the manual (dated 2013-06-25) there are default accounts:

[Image: deif-awc_500-defaults]

With these you can log into the web interface and access a few menu items:

[Image: deif-menu]

[Image: deif-access]

[Image: deif-status]

Accessing via telnet works even if the root password has been changed. The system runs on BusyBox:

df:~ # telnet 1.2.3.4
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.

deif-00-B0-49 login: root
Password:
Login incorrect
deif-00-B0-49 login: default
warning: cannot change to home directory
$ ls

You can also fingerprint the device via TCP port 44818 (EtherNet/IP), which gives:

Product name: DEIF ML-2)
Vendor ID: 1284
Serial number: 0xcadb00c8
Device type: Communications Adapter
Device IP: 1.2.3.4
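The telnet session above shows an account that gets a shell without ever being asked for a password. As an added example (not from the post and not DEIF's own tooling), the following Python script audits BusyBox-style /etc/passwd and /etc/shadow contents for exactly that condition: accounts with an empty password field, accounts whose shadow hash is empty, and extra UID 0 accounts, while ignoring accounts that have no login shell. The sample file contents are constructed for the example.

```python
# Shells that never give an interactive login; accounts using them are not reported.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}

# Constructed sample files: "default" has an empty hash in shadow, "service" has an
# empty password field directly in passwd. Both log in with no password prompt.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
default:x:1000:1000:Default user:/home/default:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
service::1001:1001::/srv:/bin/sh
"""
SAMPLE_SHADOW = """root:$1$constructedhash$:16000:0:99999:7:::
default::16000:0:99999:7:::
nobody:*:16000:0:99999:7:::
"""


def parse_colon_file(text):
    """Parse passwd/shadow style lines into {name: [fields]}; blank and comment lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text=""):
    """Return a list of (account, finding) pairs for accounts that can log in without a password."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, fields in passwd.items():
        if len(fields) < 7:
            findings.append((name, "malformed passwd entry"))
            continue
        pw_field, uid, shell = fields[1], fields[2], fields[6]
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if shell in NOLOGIN_SHELLS:
            continue  # no interactive login possible regardless of password state
        if pw_field == "":
            findings.append((name, "empty password field in /etc/passwd: logs in without a password"))
            continue
        if pw_field == "x":
            entry = shadow.get(name)
            if entry is None:
                findings.append((name, "shadowed account has no /etc/shadow entry"))
            elif len(entry) >= 2 and entry[1] == "":
                findings.append((name, "empty hash in /etc/shadow: logs in without a password"))
        # Any other value ("*", "!", a hash) either locks the account or requires a password.
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```

On a real device, read the two files from the running system (for example over the vendor's maintenance access) and feed their contents to audit_accounts; BusyBox systems sometimes keep hashes directly in /etc/passwd, which the empty-field check also covers.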

MODBUS Application Protocol 1.1b System Information Remote Disclosure

May 7, 2015

According to Wikipedia:

Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). Simple and robust, it has since become a de facto standard communication protocol, and it is now a commonly available means of connecting industrial electronic devices.

This protocol is used by a lot of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. Version 1.1b of the MODBUS Application Protocol, maintained by the Modbus Organization, outlines “Read Device Identification” functionality. This lets a remote client query a device for its identification strings, and the request requires no authentication.

6.21 43 / 14 (0x2B / 0x0E) Read Device Identification

This function code allows reading the identification and additional information relative to the physical and functional description of a remote device, only.

Some systems may not give up much information, but others give up the vendor, device, version, project information (which can include full path disclosure), and more. Shodan already uses this method to fingerprint systems:

[Image: modbus0]

[Image: modbus1]

[Image: modbus2]
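To make the function concrete, here is an added Python example (not from the post and not the Modbus Organization's code) that encodes a Read Device Identification request, decodes the response frame into its named objects, and then uses the same frame knowledge defensively: a small check that flags function 43 / MEI type 14 requests arriving from hosts outside an allowlist of engineering workstations, which is how a network monitor would spot the fingerprinting described above. The response bytes and host addresses are constructed for the example.

```python
import struct

# Object ids defined for Read Device Identification (function 0x2B, MEI type 0x0E).
OBJECT_NAMES = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}
# MBAP header: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id.
MBAP = struct.Struct(">HHHB")


def build_read_device_id_request(transaction_id=1, unit_id=0xFF, read_code=0x01, object_id=0x00):
    """Modbus/TCP request frame; read_code 1/2/3 streams basic/regular/extended objects."""
    pdu = bytes([0x2B, 0x0E, read_code, object_id])
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_device_id_response(frame):
    """Decode a Read Device Identification response into a dict of named objects."""
    if len(frame) < MBAP.size:
        raise ValueError("frame shorter than MBAP header")
    _tid, protocol_id, length, unit_id = MBAP.unpack_from(frame)
    if protocol_id != 0:
        raise ValueError("not a Modbus protocol frame")
    pdu = frame[MBAP.size:MBAP.size + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated PDU")
    if len(pdu) >= 2 and pdu[0] == 0xAB:  # function code | 0x80 marks an exception response
        raise ValueError(f"device returned Modbus exception 0x{pdu[1]:02X}")
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    read_code, conformity, more_follows, next_object_id, count = pdu[2:7]
    objects = {}
    pos = 7
    for _ in range(count):  # each object: id (1 byte), length (1 byte), value
        if pos + 2 > len(pdu):
            raise ValueError("object header runs past PDU")
        object_id, object_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + object_len]
        if len(value) != object_len:
            raise ValueError("object value runs past PDU")
        objects[OBJECT_NAMES.get(object_id, f"Object0x{object_id:02X}")] = value.decode("ascii", errors="replace")
        pos += 2 + object_len
    return {"unit_id": unit_id, "read_code": read_code, "conformity_level": conformity,
            "more_follows": more_follows == 0xFF, "next_object_id": next_object_id, "objects": objects}


def is_device_id_probe(frame):
    """True if the frame is a Modbus/TCP Read Device Identification request."""
    return len(frame) >= 9 and frame[2:4] == b"\x00\x00" and frame[7] == 0x2B and frame[8] == 0x0E


def find_unexpected_probes(records, engineering_hosts):
    """records: iterable of (source_ip, frame). Returns sources that probe and are not allowlisted."""
    return [src for src, frame in records if is_device_id_probe(frame) and src not in engineering_hosts]


def build_sample_response():
    """Constructed response: an extended read exposing a project path in UserApplicationName."""
    objs = [(0x00, b"Example Vendor"), (0x01, b"EX-PLC-1"), (0x02, b"V2.1"),
            (0x06, b"C:\\Projects\\plant\\line1.prj")]
    body = b"".join(bytes([oid, len(val)]) + val for oid, val in objs)
    pdu = bytes([0x2B, 0x0E, 0x03, 0x83, 0x00, 0x00, len(objs)]) + body
    return MBAP.pack(1, 0, len(pdu) + 1, 0xFF) + pdu


if __name__ == "__main__":
    for name, value in parse_read_device_id_response(build_sample_response())["objects"].items():
        print(f"{name}: {value}")
    # Constructed traffic: one allowlisted engineering host, one unknown source.
    traffic = [("10.0.0.5", build_read_device_id_request()), ("203.0.113.9", build_read_device_id_request())]
    print("unexpected probes from:", find_unexpected_probes(traffic, {"10.0.0.5"}))
```

The parser stops at the first malformed object rather than guessing, and a source that repeatedly triggers find_unexpected_probes is a reasonable alert condition for a Modbus-aware network monitor.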

Xzeres 442S Wind Turbine Web Interface Default Credentials

May 3, 2015

[Image: xzeres01]

The Xzeres 442SR wind turbine has a web management interface. Fortunately for the hacker but unfortunately for the owner, it also serves the user documentation:

[Image: xzeres02-documentation]

The admin manual has the default credentials for the turbine:

[Image: xzeres03-defaults]

Fortunately, you can only view and change a few network settings and get statistics on the turbine. It doesn’t appear you can shut it down or harm it:

[Image: xzeres04-internal_ip]

Niagara AX Tridium Fox Protocol Remote Information Disclosure

April 29, 2015

The NiagaraAX platform supports the Tridium Fox tunneling protocol to communicate between two stations. By default the Fox tunneling protocol is found on TCP port 1911 for NiagaraAX (version 3.3 and likely most others), which is the proxy server component. While using Shodan I saw that the port gives up system information without authenticating. When searching for information on how the protocol works I found that Digital Bond already wrote an Nmap NSE script to interface with the port and enumerate information! This saved a lot of time! This port will give up the protocol version, internal IP address (sometimes), NiagaraAX application name and version, Java client and version, OS, a host ID and VM UUID. Some systems can also give up time zone, brand ID, and other system information.

df:/tmp/ # nmap -p 1911 --script fox-info.nse 87.195.99.249

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-17 15:37 MDT
Nmap scan report for 1.2.3.4 (1.2.3.4)
Host is up (0.22s latency).
PORT STATE SERVICE
1911/tcp open Niagara Fox
| fox-info:
| Fox Version: 1.0.1
| Host Name: 192.168.1.222
| Host Address: 192.168.1.222
| Application Name: Station
| Application Version: 3.7.106.8
| VM Name: Java HotSpot(TM) Client VM
| VM Version: 1.5.0_34-b28
| OS Name: QNX
| Host ID: Qnx-NPM6E-0000-15F8-5632
| VM UUID: 11d4ee1b-e043-31a8-0000-000000008605
|_ Brand ID: webeasy.products

Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
df:/tmp/ #

Advantech WebAccess Default Credentials

April 26, 2015

[Image: advantech]

Advantech WebAccess is a “browser-based HMI and SCADA software” that controls many of their products. According to the manual, it has default administrative credentials:

3.1.1 Default Login – Name and Password
1. In the Login Name field type: admin
2. Leave Password field blank (i.e. no password).

Carlo Gavazzi PowerSoft Multiple Default Accounts

December 23, 2014

Carlo Gavazzi PowerSoft is a SCADA system for energy management. According to the vendor page:

Carlo Gavazzi is an international group active in designing, manufacturing and marketing electronic equipment.

The Group’s products (sensors, monitoring relays, timers, energy management systems, solid state-relays, safety devices, fieldbus systems) provide automation solutions for the global markets of industrial and building automation.

The manual shows that it has several default accounts:

2.4 USERS AND PASSWORDS
The installing program sets two default users on the system:
User 1:
Name: admin
Password: admin
Level: Administrator
User 2:
Name: user
Password: user
Level: User
These default users can access all the PowerSoft functions (according to the relevant level, see below) but, for safety reasons, it is suggested to create at least a new “Administrator” user (or more of them and the required simple “Users”) and then delete both the default users.
The “User” can access all the data, acknowledge the alarms, and ask for any report, also via web-server.
The “Administrator” can access all the “User’s” functions and, in addition, can configure PowerSoft and all the relevant modules.
A user without the password can only access the real-time values and display the active alarms list.

Schneider Modicon M340 for Ethernet Multiple Default Credentials

December 8, 2013

The Schneider Electric Modicon M340 for Ethernet (it identifies itself as “BMX P34 CPU B” over HTTP, per a Shodan search) contains multiple default credentials according to the manual.

This device is marked as Schneider Electric and Telemecanique:

[Image: modicom-banner1]

[Image: modicom-banner2]

From the manual:

Using an FTP client, store your rules in the file:
/FLASH0/wwwroot/conf/NTP/customrules
user ID: ntpupdate
password: ntpupdate

Default FTP Setup page via HTTP
1 Enter the new username. (The default is USER.)
2 Enter the new password. (The default is USER.)

Default HTTP credentials
1 Enter the new username (default is USER).
2 Enter the new password (default is USER)

The BMX NOE 0110 and BMX NOR 0200H also have the default USER / USER account.

[Image: modicom]