0x00 前言

1. 下面的數據是根據Shodan搜索引擎總結出來的，做要用于識別工控設備和攝像頭。如果要將攝像頭分為一類，則根據product、server字段的值進行正則匹配，匹配到的IP即可認為是攝像頭。
2. 另一項比較全面的總結是工控協議的總結，每一項工控協議都有Shodan對其的介紹，介紹完之后，第一行數據是通過Shodan搜索引擎進行搜索所使用的搜索語句；第二行數據是數據庫中module字段的值，在數據庫中搜索即可發現使用工控協議的IP，進而將這些IP打上工控協議/工控設備等這種樣子的IP。
3. 至于如何獲取這些數據，這些數據是通過Shodan API獲取的，API中的host函數可以返回傳入的IP的信息，對返回信息進行解析，保存我們需要的信息即可。

0x01 這些數據需要通過正則進行匹配

product 攝像頭

DVR
D-Link
Avtech
Netwave
GeoVision
Vivotek
Axis 207W Network Camera ftpd

product字段 路由器

DD-WRT
Cisco
Linksys

server字段 攝像頭

NVR Webserver
Hikvision-Webs
SQ-WEBCAM
Avtech
IPCamera_Logo
U S Software Web Server
yawcam
Yawcam
MJPG-Streamer/0.2
go1984
UBNT Streaming Server v1.2
Pan/Tilt
BlueIris-HTTP/1.1
IP Webcam Server
i-Catcher Console
GeoHttpServer
Android Webcam Server
GoAhead-Webs
ADH-Web
VB100
Linux/2.x UPnP/1.0 Avtech/1.0
Camera Web Server
Cam
webcamXP

server字段 scada系統

Scada
scada
SCADA

0x02 這些可以直接查找準確的module名稱進行匹配

工控協議

The following protocols are some of the languages that the industrial control systems use to communicate across the Internet. Many of them were developed before the Internet became widely used, which is why Internet-accessible ICS devices dont always require authentication - it isnt part of the protocol!

• Modbus
  Modbus協議是應用于電子控制器上的一種協議。通過此協議設備間可以通信。它已成為一通用工業標準。
  Modbus is a popular protocol for industrial control systems (ICS). It provides easy, raw access to the control system without requiring any authentication.
  • port:502
  • module modbus
• Siemens S7
  s7協議是SIEMENS s7協議族的標準通信協議，使用s7-應用接口的通信不依賴特定的總線系統。
  S7 (S7 Communication) is a Siemens proprietary protocol that runs between programmable logic controllers (PLCs) of the Siemens S7 family.
  • port:102
  • module: s7
• DNP3
  DNP(Distributed Network Protocol，分布式網絡規約)是一種應用于自動化組件之間的通訊協議，常見于電力、水處理等行業。SCADA可> 以使用DNP協議與主站、RTU、及IED進行通訊。
  DNP3 (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems. Its main use is in utilities such as electric and water companies.
  • port:20000 source address
  • module: dnp3
• Niagara Fox
  Fox協議是Tridium公司開發的Niagara框架的一部分，廣泛應用于樓宇自動化控制系統。
  The Fox protocol, developed as part of the Niagara framework from Tridium, is most commonly seen in building automation systems (offices, libraries, Universities, etc.)
  • port:1911,4911 product:Niagara
  • module: fox
• BACnet
  樓宇自動控制網絡數據通訊協議(BACnet)是針對采暖、通風、空調、制冷控制設備所設計，同時也為其他樓宇控制系統（例如照明、安保、消防等系統）的集成提供一個基本原則。
  BACnet is a communications protocol for building automation and control networks. It was designed to allow communication of building automation and control systems for applications such as heating, air-conditioning, lighting, and fire detection systems.
  • port:47808
  • module: bacnet
• EtherNet/IP
  Ethernet/IP是一個面向工業自動化應用的工業應用層協議。它建立在標準UDP/IP與TCP/IP協議之上，利用固定的以太網硬件和軟件，為配置、訪問和控制工業自動化設備定義了一個應用層協議。
  EtherNet/IP was introduced in 2001 and is an industrial Ethernet network solution available for manufacturing automation.
  • port 44818
  • module: ethernetip, ethernetip-udp
• GE-SRTP
  GE-SRTP協議由美國通用電氣公司開發，GE PLC可以通過GE-SRTP進行數據通信和數據傳輸。
  Service Request Transport Protocol (GE-SRTP) protocol is developed by GE Intelligent Platforms (earlier GE Fanuc) for transfer of data from PLCs.
  • port:18245,18246 product:"general electric"
  • module: general-electric-srtp
• HART-IP
  HART協議是美國Rosement公司于1985年推出的一種用于現場智能儀表和控制室設備之間的通信協議?，F已成為全球智能儀表的工業標準 。
  The HART Communications Protocol (Highway Addressable Remote Transducer Protocol) is an early implementation of Fieldbus, a digital industrial automation protocol. Its most notable advantage is that it can communicate over legacy wiring.
  • port:5094 hart-ip
  • module: hart-ip-udp
• PCWorx
  PCWorx協議由菲尼克斯電氣公司開發，目前廣泛使用于工控系統。PCWORX3.11是菲尼克斯電氣公司的專用協議。
  PCWorx is a protocol and program by Phoenix Contact used by a wide range of industries.
  • port:1962 PLC
  • module: pcworx
• MELSEC-Q
  MELSEC-Q系列設備使用專用的網絡協議進行通訊，該系列設備可以提供高速、大容量的數據處理和機器控制。
  MELSEC-Q Series use a proprietary network protocol for communication. The devices are used by equipment and manufacturing facilities to provide high-speed, large volume data processing and machine control.
  • port:5006,5007 product:mitsubishi
  • module: melsec-q-tcp
• OMRON FINS
  歐姆龍PLC使用網絡協議FINS進行通信，可通過多種不同的物理網絡，如以太網、控制器連接等。
  FINS, Factory Interface Network Service, is a network protocol used by Omron PLCs, over different physical networks like Ethernet, Controller Link, DeviceNet and RS-232C.
  • port:9600 response code
  • module: omron-tcp
• Crimson v3
  協議被Crimson桌面軟件用于與Red Lion G306工控系統的HMI人機接口。
  The protocol the Crimson v3.0 desktop software uses when communicating with the Red Lion Controls G306a human machine interface (HMI).
  • port:789 product:"Red Lion Controls"
  • redlion-crimson3
• Codesys
  CoDeSys編程接口在全球范圍內使用廣泛，全球上百個設備制造商的自動化設備中都是用了該編程接口。
  Over 250 device manufacturers from different industrial sectors offer automation devices with a CODESYS programming interface. Consequently, thousands of users such as machine or plant builders around the world employ CODESYS for automation tasks.
  • port:2455 operating system
  • module: codesys
• IEC 60870-5-104
  IEC 60870-5-104是國際電工委員會制定的一個規范，用于適應和引導電力系統調度自動化的發展，規范調度自動化及遠動設備的技術性能。
  IEC 60870 part 5 is one of the IEC 60870 set of standards which define systems used for SCADA in electrical engineering and power system automation applications.
  • port:2404 asdu address
  • module: iec-104
• ProConOS
  ProConOS是德國科維公司(KW-Software GmbH)開發的用于PLC的實時操作系統，它是一個高性能的PLC運行時引擎，目前廣泛使用于基于嵌入式和PC的工控系統。
  ProConOS is a high performance PLC run time engine designed for both embedded and PC based control applications.
  • port:20547 PLC
  • module: proconos
• moxa-nport
  Moxa 串口服務器專為工業應用而設計。不通配置組合的串口服務器更能符合不同工業現場的需求。NPort系列串口服務器讓傳統 RS-232/422/485設備立即聯網，提供您基于IP的串口聯網解決方案。
  • port:4800
  • moxa-nport

附上Mongdb中存儲的Shodan數據結構以供參考

{
    "_id" : ObjectId("5a40aee51f7920c866d75f84"),
    "ip_str" : "58.152.101.254",
    "region_code" : "00",
    "ip" : 983066110,
    "postal_code" : null,
    "country_code" : "HK",
    "city" : "North Point",
    "dma_code" : null,
    "last_update" : "2017-12-24T23:00:12.582766",
    "vulns" : [ 
        "!CVE-2014-0160"
    ],
    "latitude" : 22.3,
    "status" : "200",
    "tags" : [],
    "timestamp" : "2017-12-25 15:55:16",
    "area_code" : null,
    "country_name" : "Hong Kong",
    "hostnames" : [ 
        "n058152101254.netvigator.com"
    ],
    "org" : "Netvigator",
    "banner" : [ 
        {
            "product" : "nginx",
            "devicetype" : null,
            "module" : "http-simple-new",
            "tags" : null,
            "timestamp" : "2017-12-24T23:00:12.582766",
            "port" : 5000,
            "transport" : "tcp",
            "server" : "nginx"
        }, 
        {
            "product" : null,
            "devicetype" : null,
            "module" : "http",
            "tags" : null,
            "timestamp" : "2017-12-21T04:50:11.716715",
            "port" : 80,
            "transport" : "tcp",
            "server" : null
        }, 
        {
            "product" : "OpenSSH",
            "devicetype" : null,
            "module" : "ssh",
            "tags" : null,
            "timestamp" : "2017-12-20T14:48:02.597978",
            "port" : 22,
            "transport" : "tcp",
            "server" : null
        }, 
        {
            "product" : "nginx",
            "devicetype" : null,
            "module" : "https",
            "tags" : null,
            "timestamp" : "2017-12-19T17:23:49.953396",
            "port" : 443,
            "transport" : "tcp",
            "server" : "nginx"
        }, 
        {
            "product" : null,
            "devicetype" : null,
            "module" : "https-simple-new",
            "tags" : null,
            "timestamp" : "2017-12-08T19:51:10.994940",
            "port" : 5001,
            "transport" : "tcp",
            "server" : "nginx"
        }
    ],
    "asn" : "AS4760",
    "isp" : "Netvigator",
    "longitude" : 114.2,
    "country_code3" : "HKG",
    "os" : null,
    "ports" : [ 
        5000, 
        80, 
        22, 
        443, 
        5001
    ]
}