Investigating the Vast World of ICS Coverage: Part 2
Last week, we discussed how we added standard port +/- 1 scanning in order to increase our ICS coverage. We left off mentioning that we examined the three ports with the most responses for each ICS protocol, expecting them to be the standard port, standard + 1, and standard – 1. Today, we talk about the follow-up measurements that stemmed from this finding.
The World Expands – Scanning Port Tweaks
In investigating the top three ports for each ICS protocol, we found that one of the most populous ports for Modbus devices was 6502 (the digit 6 prepended to the standard port of 502). This led us to think about applying this general methodology across the board, which we have named “port tweaking”: prepending digits to the front of well-known ports (e.g., HTTPS hosts on 1443, 2443, 3443, and 4443).

Thus, we set out to test the existence of ICS protocols on port tweaks. Based on data in our platform already, we had a hunch that some ICS protocols were more likely to be responsive on port tweaks than others, so instead of picking one ICS protocol as a proof-of-concept analysis, we set out to investigate all of them.
That being said, we didn’t want to scan the entire internet for every possible port tweak – we strive to be responsible internet stewards – instead, we focused on hosts in Censys that were currently labeled as ICS (usually indicating that there is some sort of HTTP based interface) but lacked any ICS-specific protocols (like Modbus or DNP). We targeted these hosts because their ICS designation suggests a higher likelihood of ICS protocols being present, even though we don’t know the exact ports they are active on.
We then applied our port-tweaking method to scan these hosts, and the results revealed over two hundred hosts with previously undetected ICS protocols. Most of these ran Modbus and Fox, while a smaller number included newly identified services using other protocols.
This is great! Of course, there is no rest for the wicked, and these results led us to think even more outside of the box. We find port tweaks are popular for some of the ICS protocols and not for most of the others. What if there are other hot spots of ports that are popular for ICS protocols but aren’t port tweaks? What if some vendors default ship on some open port that has no relation to the standard port, and we are completely missing it?
The World Is Vast – 65K Port Scans
We launched a third and final experiment. Again, we scan all the hosts labeled as ICS but with no ICS protocol, this time across all 65k ports. Since we want to remain conservative and not slam these hosts with numerous requests, we filter out all hosts that are responsive on more than five services in our dataset (and thus likely to be responsive on many other ports) and also remove overtly popular ports (e.g., 80, 443, etc.). We then run ICS scans against these host/port pairs and examine, for each protocol, which ports are the most responsive.
| Protocol | Ports with high frequency of response |
|---|---|
| BACNET | 50123 |
| CMORE_HMI* | 81, 8686, 83, 34566 |
| DNP3* | 6626, 502, 10001 |
| EIP* | 4900, 3306, 44818 |
| FOX* | 8011, 3021, 1913, 103222 |
| MODBUS* | 552 |
| REDLION CRIMSON | 4866, 8310 |
| WDBRPC | 111, 10000, 7700, 20002 |
This table shows protocols that had a high concentration of responses on specific ports. Protocols with an asterisk (*) had a long tail of responsive ports.
We list only the protocols that had more than five responses, and also list the ports where they were most responsive (that we didn’t already know about before). While some of these results are less surprising (DNP3 on Modbus Standard Port 502, Modbus on 552), some completely threw us for a loop (WDBRPC on port 111). Remember, this was a limited scan with high probability responsive hosts, so this only scratches the surface of uncovering where ICS devices live.
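The two heuristics described above (standard port +/- 1 and digit-prepended "port tweaks") and the conservative target filtering from the 65k-port experiment, as an added illustration that is not Censys code; the protocol-to-port map, the host inventory, and the popular-port set are constructed assumptions.

```python
# Added illustration of the port heuristics in this post; not Censys code.
# MAX_PORT, the sample port map and the sample host inventory are assumptions.
MAX_PORT = 65535

# Constructed sample: protocol -> well-known port.
STANDARD_PORTS = {"MODBUS": 502, "FOX": 1911, "BACNET": 47808}


def neighbor_ports(port):
    """Standard port +/- 1, the heuristic from Part 1."""
    return [p for p in (port - 1, port + 1) if 1 <= p <= MAX_PORT]


def port_tweaks(port):
    """Prepend one non-zero digit to the decimal port, e.g. 502 -> 1502..9502.
    Anything above 65535 is not a valid TCP/UDP port and is dropped, so a
    5-digit standard port such as 47808 yields no tweaks at all."""
    return [c for c in (int(f"{d}{port}") for d in range(1, 10)) if c <= MAX_PORT]


def candidate_ports(port):
    """All candidates for one standard port, de-duplicated, sorted, and
    without the standard port itself (already covered by normal scans)."""
    cands = set(neighbor_ports(port)) | set(port_tweaks(port))
    cands.discard(port)
    return sorted(cands)


def select_targets(hosts, port, max_services=5, popular=frozenset({80, 443})):
    """Build (host, port) pairs to probe for one protocol, with the
    conservative filters the post describes: skip hosts already responsive
    on more than max_services services, and skip overtly popular ports.
    `hosts` maps host -> set of ports it is already known to answer on."""
    targets = []
    for host, open_ports in hosts.items():
        if len(open_ports) > max_services:
            continue
        targets.extend((host, p) for p in candidate_ports(port)
                       if p not in popular)
    return targets


# Constructed sample inventory: ICS-labelled hosts with no ICS protocol seen.
SAMPLE_HOSTS = {
    "192.0.2.10": {80},                           # one service: probe it
    "192.0.2.20": {21, 22, 80, 443, 8080, 8443},  # six services: skip it
}

if __name__ == "__main__":
    for proto, std in STANDARD_PORTS.items():
        print(proto, std, candidate_ports(std))
    print(select_targets(SAMPLE_HOSTS, STANDARD_PORTS["MODBUS"]))
```

Note that the tweak list shrinks as the standard port grows: a 5-digit port has no valid tweaks, so for those protocols only the +/- 1 neighbours are produced.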
Redefining the Standard for ICS Scanning
Let’s take a step back. These results are promising, and we are currently working on ways to implement the findings from measurement two and three into our pipeline. More importantly, these results point to a rich, unknown area of research around non-standard port scanning, and a need to update the state of the art. Many other ICS measurements and scanners focus on only the standard port. That cannot be the case if our goal is to have a comprehensive understanding of the Internet.
This brings us to our final conundrum: How do we more methodically find ports of interest for different protocols, both in ICS and more generally? How can we continue to uncover the vastness of the Internet without constantly hitting every host with a 65k port scan? Stay tuned for more as we continue into the unexplored depths of the Internet.