Foreword

The reconnaissance phase is often the first step of an audit, or simply a way to get an idea of the exposed surface.

Personally, the time I have spent on Shodan and other public IP search engines (Fofa, ZoomEye, Censys, etc.) now amounts to tens of hours, if not a hundred or so.

The goal here is to save time for people who are more visual, and to offer a process for automating certain tasks that I find distracting when done by hand.

Introduction

From time to time, I want statistics on how many units of a specific piece of equipment, or of equipment with certain services/properties, are reachable on the internet, and to see what has changed in their interface.

In this article, we will focus on equipment made by GUDE System, a company based in Germany.

NOTE: The two tools we will use here (nuclei and gowitness) are packaged in the Kali Linux repositories, so apt installs them directly. The Shodan Python client used later is a separate PyPI package (shodan), installed with pip.

Install the two tools with:

apt update 
apt install nuclei gowitness

What are we searching for?

To restate the need, we are looking for several things here:

  • To have an up-to-date overview of what equipment is available and accessible or not.
  • To determine whether the systems are all visually identical.

As explained above, we will search using public IP search engines. But what exactly will we search for?

How will we search?

For example, let's start with a simple observation: what element is common to all web pages?

There are far too many possible answers, but the one we are going to use is the favicon.

Because yes, we can compute a hash of the favicon and search for every device that serves the same one in public IP search engines. Note that Shodan's http.favicon.hash is not an MD5: it is the MurmurHash3 (mmh3) of the base64-encoded favicon, a signed 32-bit integer that can be negative.

So, go to one of the devices (if you have one; the challenge is to find one), grab its favicon and upload it to a favicon-hash lookup site.

Once uploaded, the site gives you a clickable link for Shodan and Censys. We will use Shodan here because its API is less limited in terms of usage on the member version than Censys (long story short, Shodan is not as good as Censys but less expensive).
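To see exactly what the search engine is computing, here is an added example (not from the original article, and not Shodan's own code) that reproduces Shodan's favicon hash offline: MurmurHash3 x86_32, the function the mmh3 Python package implements, applied to the base64 text of the favicon as produced by base64.encodebytes (76-character lines plus a trailing newline). The fetch_favicon helper and its URL argument are assumptions for illustration and are not exercised offline; the hash function itself is checked against published MurmurHash3 test vectors in the usage below.

```python
import base64
import urllib.request

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int: the value that
    mmh3.hash() returns and the form Shodan prints in http.favicon.hash."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    n = len(data)
    nblocks = n // 4

    # Body: 4-byte little-endian blocks.
    for i in range(nblocks):
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = _rotl32((k1 * c1) & MASK32, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32

    # Tail: the 1 to 3 bytes left over after the last full block.
    tail = data[4 * nblocks:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = _rotl32((k1 * c1) & MASK32, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1

    # Finalisation mix (fmix32).
    h1 ^= n
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan hashes the base64 *text* of the favicon in the line-wrapped form
    produced by base64.encodebytes (76-char lines, trailing newline)."""
    return murmurhash3_x86_32(base64.encodebytes(favicon))


def unwrapped_favicon_hash(favicon: bytes) -> int:
    """Common mistake: hashing the unwrapped b64encode() text. It differs from
    Shodan's value for every non-empty favicon, because encodebytes always
    appends a newline and wraps every 76 characters."""
    return murmurhash3_x86_32(base64.b64encode(favicon))


def shodan_query(favicon: bytes) -> str:
    """The search filter to paste into Shodan for this favicon."""
    return f"http.favicon.hash:{shodan_favicon_hash(favicon)}"


def fetch_favicon(url: str, timeout: float = 10.0) -> bytes:
    """Download a favicon, e.g. http://host:port/favicon.ico (assumed reachable;
    not used in the offline run below)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Published MurmurHash3 x86_32 test vectors.
    assert murmurhash3_x86_32(b"", 1) == 0x514E28B7
    assert murmurhash3_x86_32(b"\x00\x00\x00\x00") == 0x2362F9DE
    assert murmurhash3_x86_32(b"foo") == -156908512  # mmh3.hash("foo")
    # Constructed sample bytes standing in for a favicon, not a real GUDE icon.
    sample = bytes(range(256)) * 2
    print(shodan_query(sample))
```

The practical consequence: if you compute the hash yourself (for instance from a favicon you already have on disk) and forget the line wrapping, you will search Shodan for a number that matches nothing.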


Wow, great: 349 results. Of course we are not going to query them manually, especially since many of these web interfaces listen on somewhat exotic ports.


API

To automate the query and retrieve the information we need (the IP address and port associated with the favicon), we will use the Shodan API.

NOTE: you can find your Shodan API key here: https://account.shodan.io/

Fortunately, there is an official Python module for this (the shodan package on PyPI).

Here is an example that retrieves the IP address and port of each match and writes the results to a file.

import shodan

SHODAN_API_KEY = 'API'       # your key, from https://account.shodan.io/
FAVICON_HASH = 1490525349    # http.favicon.hash value (signed 32-bit int, may be negative)
LIMIT = 400                  # hard cap on collected results, to protect query credits

api = shodan.Shodan(SHODAN_API_KEY)

def search_by_favicon_hash(favicon_hash, limit=LIMIT):
    """Return unique (ip, port) pairs for hosts serving the given favicon."""
    query = f'http.favicon.hash:{favicon_hash}'
    servers = []
    seen = set()
    try:
        # search_cursor pages through all results, 100 per page, one credit per page
        for result in api.search_cursor(query):
            if len(servers) >= limit:
                break
            pair = (result['ip_str'], result['port'])
            if pair not in seen:
                seen.add(pair)
                servers.append(pair)
    except shodan.APIError as exc:
        print(f'Shodan API error: {exc}')
    return servers

if __name__ == '__main__':
    servers = search_by_favicon_hash(FAVICON_HASH, LIMIT)
    # one "ip:port" per line; nuclei accepts this form directly
    with open('ip_port_shodan.txt', 'w') as f:
        for ip, port in servers:
            f.write(f'{ip}:{port}\n')
    print(f'{len(servers)} targets written to ip_port_shodan.txt')

NOTE: I have limited the number of results to 400 because only 349 are displayed. search_cursor pages through the results 100 at a time and each page consumes a query credit, so if you have several thousand results, test with small batches first to avoid burning through your monthly credit.

Interlude: nuclei

If this is the first time you have read one of my articles, you may not know that I particularly like nuclei, the ProjectDiscovery tool. I am going to use it extensively here, so I suggest you read the documentation and an article I wrote about creating templates.

The ones still alive

One of the major problems with public IP search engines is the delay between the scans that feed them. Honestly, there is no guarantee that a device listed by the search engine is still accessible, so we need to verify that each one is still up.

There are many ways to confirm that a site is still available. A simple curl request can do the job, but nuclei is so convenient that we will stick with it.

Here is a simple nuclei template that does this.

id: HTTP_200_code

info:
  name: Http request that return 200 OK code
  author: biero_el_corridor
  severity: low
  tags: HTTP_200


http:
  - method: GET
    path:
      - "http://{{Hostname}}"
    matchers:
      - type: status
        status:
          - 200

NOTE: The {{Hostname}} variable is important here: it expands to host:port, so the exotic ports returned by Shodan are preserved in the request.

nuclei -l target_list/ip_port_shodan.txt -t templates/HTTP_200_code.yaml

Once you have done this, you should have the list of IP addresses and ports that actually respond (I have put them in a file called ip_port_retchable).

Screenshots to get a good view

So now we have a list of IP addresses and ports that we know are accessible. The problem is that there are several hundred of them, and in our case we want to look at them visually. Wouldn't it be great if a tool took a screenshot of each web page so we could compare them?

Fortunately, there is a tool for that.

Once the tool is installed, you just need to add "http://" at the beginning of each line of the IP+port list. A simple awk command does the trick; note that it must write to a different file than the one it reads, otherwise the shell truncates the input before awk opens it and you end up with an empty list.

awk '{print "http://" $0}' target_list/ip_port_retchable.txt > target_list/url_ip_port_retchable.txt
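The awk one-liner breaks on IPv6 results (an address such as 2001:db8::1 must be bracketed in a URL) and does not deduplicate. As an added example, not code from the original article, here is the same step in Python, plus the step the article glosses over: pulling the matched URLs out of nuclei's -silent output to build the gowitness target list. The shape of a nuclei result line ("[template-id] [protocol] [severity] URL") is an assumption about the current output format; the sample lines and addresses below are constructed from documentation ranges, not real results.

```python
import re
from ipaddress import ip_address

# Assumed shape of one nuclei -silent result line:
#   [template-id] [protocol] [severity] matched-url [optional extras]
NUCLEI_LINE = re.compile(
    r"^\[(?P<template>[^\]]+)\] \[(?P<proto>[^\]]+)\] \[(?P<sev>[^\]]+)\] (?P<url>\S+)"
)


def to_url(ip_port: str, scheme: str = "http") -> str:
    """Turn one Shodan 'ip:port' line into a URL; IPv6 literals get brackets."""
    host, sep, port = ip_port.strip().rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not an ip:port line: {ip_port!r}")
    if ip_address(host).version == 6:  # raises ValueError on non-IP hosts
        host = f"[{host}]"
    return f"{scheme}://{host}:{port}"


def shodan_targets_to_urls(lines):
    """Convert the ip_port file to unique URLs, skipping blank or malformed lines."""
    seen, urls = set(), []
    for line in lines:
        if not line.strip():
            continue
        try:
            url = to_url(line)
        except ValueError:
            continue
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def reachable_urls(nuclei_lines, template_id="HTTP_200_code"):
    """Extract the matched URL of every nuclei result for one template,
    deduplicated in the order seen: this is the gowitness input."""
    seen, urls = set(), []
    for line in nuclei_lines:
        m = NUCLEI_LINE.match(line.strip())
        if not m or m.group("template") != template_id:
            continue
        url = m.group("url")
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_SHODAN = [
    "192.0.2.10:80", "192.0.2.11:8080", "2001:db8::1:8443",
    "", "garbage", "192.0.2.10:80",
]
SAMPLE_NUCLEI = [
    "[HTTP_200_code] [http] [low] http://192.0.2.10:80",
    "[HTTP_200_code] [http] [low] http://192.0.2.11:8080",
    "[HTTP_200_code] [http] [low] http://192.0.2.10:80",
    "[gude_2301_detections] [http] [low] http://192.0.2.11:8080",
]

if __name__ == "__main__":
    for u in shodan_targets_to_urls(SAMPLE_SHODAN):
        print("target:", u)
    for u in reachable_urls(SAMPLE_NUCLEI):
        print("reachable:", u)
    # Write the gowitness input file:
    with open("url_ip_port_retchable.txt", "w") as f:
        f.write("\n".join(reachable_urls(SAMPLE_NUCLEI)) + "\n")
```

If you prefer not to depend on the text format, nuclei's JSON output carries the same URL in its matched-at field, which you can parse with the json module instead of a regex.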

Once you've done that, just launch gowitness and wait a little while.

gowitness scan file -f ./target_list/url_ip_port_retchable.txt

gowitness will automatically create a folder named screenshots and store all the screenshots taken.


Here is an example of several captures made by gowitness (blurred, because the file name of each capture is the IP address).

So here we see that not every device presents only a login/password page: some also show a panel with the status of the different I/O.


Digging deeper

Great, we have a way to collect them en masse, but now we can narrow the search. If you paid close attention to the last screenshot, you will have seen "Expert Power Control NET 8x 8210/8211 — v.3.0.0."

That is the model and its firmware version. With that, we can write a template that looks for specific models. (Shodan's http.html filter can also narrow the query to a string in the page body before you spend credits on the full list.)

As explained at length in the last series of articles, "Setup and Tune an OT SOC," I have a Gude 2301 at my disposal, so let's see how many of them are out there.

id: gude_2301_detections

info:
  name: GUDE 2301 login portal detection
  author: anonymous
  severity: low
  tags: gude_2301
  metadata:
    shodan-query: http.favicon.hash:1490525349

http:
  - method: GET
    path:
      - "http://{{Hostname}}"
    # both matchers must hit: a 200 response AND the model string in the body
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "Expert Net Control 2301"
I gave it a shot, and indeed, there are a few.


Conclusions

In this article, we saw how to chain the Shodan API, Nuclei, and Gowitness to accelerate asset discovery.

Thanks for reading.

About the Author

I am a freelance ICS security consultant and a teacher available for assignments in this field.

If you are interested, DM me on LinkedIn. https://www.linkedin.com/in/erwan-cordier/