# 利用Metasploit找出SCADA服务器

# 注册账号

首先，我们在https://www.shodan.io上注册一个账号

# 获取API Key

注册账号成功之后，我们获取一个免费的API Key

# 在Metasploit中找出采用罗克韦尔自动化技术的SCADA系统

msfconsole
use auxiliary/gather/shodan_search
show options
set SHODAN_APIKEY 第2步获取的API Key
set QUERY Rockwell
run

1
2
3
4
5
6

具体操作如下：

msf > use auxiliary/gather/shodan_search
msf auxiliary(gather/shodan_search) > show options

Module options (auxiliary/gather/shodan_search):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   DATABASE       false            no        Add search results to the database
   MAXPAGE        1                yes       Max amount of pages to collect
   OUTFILE                         no        A filename to store the list of IPs
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   QUERY                           yes       Keywords you want to search for
   REGEX          .*               yes       Regex search for a specific IP/City/Country/Hostname
   SHODAN_APIKEY                   yes       The SHODAN API key
   SSL            false            no        Negotiate SSL/TLS for outgoing connections

msf auxiliary(gather/shodan_search) > set SHODAN_APIKEY  第2步获取的API Key
SHODAN_APIKEY => dRDBajzYMt9EPV2I5i87f3YWhfykY43p
msf auxiliary(gather/shodan_search) > set QUERY Rockwell
QUERY => Rockwell
msf auxiliary(gather/shodan_search) > run

[*] Total: 7351 on 74 pages. Showing: 1 page(s)
[*] Collecting data, please wait...

Search Results
==============

 IP:Port                City               Country             Hostname
 -------                ----               -------             --------
 104.169.148.106:44818  Lewiston           United States       
 107.85.58.132:44818    N/A                United States       
 107.85.58.184:44818    N/A                United States       
 108.95.125.62:44818    Excelsior Springs  United States       108-95-125-62.lightspeed.mssnks.sbcglobal.net
 124.199.70.151:44818   Tainan             Taiwan              124-199-70-151.HINET-IP.hinet.net
 129.24.204.161:44818   Albuquerque        United States       ssc-0006.unm.edu
 142.55.112.203:44818   Oakville           Canada              br-c147-plc03.ddi.sheridanc.on.ca
 166.130.151.114:44818  Atlanta            United States       mobile-166-130-151-114.mycingular.net
 166.130.155.138:44818  Atlanta            United States       mobile-166-130-155-138.mycingular.net
 166.130.174.51:44818   Atlanta            United States       mobile-166-130-174-51.mycingular.net
 166.130.71.137:44818   Atlanta            United States       mobile-166-130-71-137.mycingular.net
 166.130.72.51:44818    Atlanta            United States       mobile-166-130-72-51.mycingular.net
 166.131.38.86:44818    N/A                United States       mobile-166-131-38-86.mycingular.net
 166.139.173.118:44818  N/A                United States       118.sub-166-139-173.myvzw.com
 166.139.78.48:44818    N/A                United States       48.sub-166-139-78.myvzw.com
 166.141.166.213:44818  N/A                United States       213.sub-166-141-166.myvzw.com
 166.142.163.179:44818  N/A                United States       179.sub-166-142-163.myvzw.com
 166.142.214.167:44818  N/A                United States       167.sub-166-142-214.myvzw.com
 166.142.223.87:44818   N/A                United States       87.sub-166-142-223.myvzw.com
 166.148.138.164:44818  N/A                United States       164.sub-166-148-138.myvzw.com
 166.150.224.175:44818  N/A                United States       175.sub-166-150-224.myvzw.com
 166.150.235.165:44818  N/A                United States       165.sub-166-150-235.myvzw.com
 166.152.102.3:44818    N/A                United States       3.sub-166-152-102.myvzw.com
 166.152.146.81:44818   N/A                United States       81.sub-166-152-146.myvzw.com
 166.152.7.95:44818     N/A                United States       95.sub-166-152-7.myvzw.com
 166.152.86.244:44818   N/A                United States       244.sub-166-152-86.myvzw.com
 166.152.88.177:44818   N/A                United States       177.sub-166-152-88.myvzw.com
 166.155.192.83:44818   N/A                United States       83.sub-166-155-192.myvzw.com
 166.155.230.179:44818  N/A                United States       179.sub-166-155-230.myvzw.com
 166.155.244.192:44818  N/A                United States       192.sub-166-155-244.myvzw.com
 166.155.68.30:44818    N/A                United States       30.sub-166-155-68.myvzw.com
 166.156.252.231:44818  N/A                United States       231.sub-166-156-252.myvzw.com
 166.157.134.23:44818   N/A                United States       23.sub-166-157-134.myvzw.com
 166.157.180.145:44818  N/A                United States       145.sub-166-157-180.myvzw.com
 166.157.211.136:44818  N/A                United States       136.sub-166-157-211.myvzw.com
 166.165.60.50:44818    N/A                United States       50.sub-166-165-60.myvzw.com
 166.165.81.185:44818   N/A                United States       185.sub-166-165-81.myvzw.com
 166.165.81.188:44818   N/A                United States       188.sub-166-165-81.myvzw.com
 166.168.129.250:44818  N/A                United States       250.sub-166-168-129.myvzw.com
 166.168.68.40:44818    N/A                United States       40.sub-166-168-68.myvzw.com
 166.169.25.205:44818   N/A                United States       205.sub-166-169-25.myvzw.com
 166.211.227.248:44818  N/A                United States       248.sub-166-211-227.myvzw.com
 166.239.236.32:44818   N/A                United States       32.sub-166-239-236.myvzw.com
 166.239.24.87:44818    N/A                United States       87.sub-166-239-24.myvzw.com
 166.241.108.53:44818   N/A                United States       53.sub-166-241-108.myvzw.com
 166.246.171.53:44818   N/A                United States       53.sub-166-246-171.myvzw.com
 166.247.38.132:44818   N/A                United States       132.sub-166-247-38.myvzw.com
 166.247.38.228:44818   N/A                United States       228.sub-166-247-38.myvzw.com
 166.247.72.15:44818    N/A                United States       15.sub-166-247-72.myvzw.com
 166.247.72.26:44818    N/A                United States       26.sub-166-247-72.myvzw.com
 166.250.88.74:44818    N/A                United States       74.sub-166-250-88.myvzw.com
 166.254.18.72:44818    N/A                United States       72.sub-166-254-18.myvzw.com
 166.254.21.20:44818    N/A                United States       20.sub-166-254-21.myvzw.com
 166.255.248.118:44818  Bothell            United States       118.sub-166-255-248.myvzw.com
 173.241.180.88:44818   Dickinson          United States       mail.frontiertravelcenter.com
 174.79.107.66:44818    Rogers             United States       mail.our-klan.com
 174.90.225.57:44818    Beaumont           Canada              
 184.13.254.67:44818    Bruceton Mills     United States       static-184-13-254-67.clbg.wv.frontiernet.net
 184.159.33.72:44818    Osceola            United States       184-159-33-72.stat.centurytel.net
 184.188.189.102:44818  Littleton          United States       wsip-184-188-189-102.ks.ks.cox.net
 184.6.175.136:44818    Bassett            United States       tx-184-6-175-136.sta.embarqhsd.net
 185.183.222.174:44818  Ceuti              Spain               185.183.222.174.dyn.user.borecom.com
 187.201.128.237:44818  Zapopan            Mexico              dsl-187-201-128-237-dyn.prod-infinitum.com.mx
 192.186.64.242:44818   Windsor            Canada              d192-186-64-242.db.static.comm.cgocable.net
 192.199.57.83:44818    Red Earth          Canada              
 198.0.121.49:44818     N/A                United States       MAIL.GFMCORP.COM
 198.163.95.77:44818    N/A                United States       
 198.35.56.250:44818    N/A                United States       
 199.167.142.76:161     N/A                Canada              
 199.79.231.236:44818   Augusta            United States       
 2.143.95.44:44818      Perdices           Spain               44.red-2-143-95.dynamicip.rima-tde.net
 2.55.70.153:44818      Jerusalem          Israel              
 207.195.130.150:44818  Rexford            United States       207.195.130.150-st-tel.net
 208.98.195.106:44818   Calgary            Canada              
 211.75.65.156:44818    Dongning           Taiwan              211-75-65-156.HINET-IP.hinet.net
 213.3.8.120:44818      N/A                Switzerland         120.8.3.213.static.wline.lns.sme.cust.swisscom.ch
 216.115.198.94:44818   Rocky Gap          United States       
 24.111.213.227:44818   Dickinson          United States       24-111-213-227-static.midco.net
 24.86.129.129:44818    Vancouver          Canada              S01060030440868d3.vc.shawcable.net
 50.205.167.178:44818   Elkhart            United States       50-205-167-178-static.hfc.comcastbusiness.net
 50.247.170.211:44818   Melrose Park       United States       50-247-170-211-static.hfc.comcastbusiness.net
 58.246.115.189:161     Shanghai           China               
 59.20.136.91:44818     Busan              Korea, Republic of  
 63.88.122.58:44818     Richmond           United States       
 70.166.134.53:44818    Fayetteville       United States       wsip-70-166-134-53.fv.ks.cox.net
 70.186.236.43:44818    Lowell             United States       wsip-70-186-236-43.ks.ks.cox.net
 70.28.254.80:44818     Dundalk            Canada              
 70.62.46.230:44818     Columbus           United States       
 70.88.243.93:44818     N/A                United States       70-88-243-93-ma-nh-me-ne.hfc.comcastbusiness.net
 75.228.158.242:44818   N/A                United States       242.sub-75-228-158.myvzw.com
 76.70.223.14:44818     N/A                Canada              
 77.210.193.171:44818   Barcelona          Spain               
 77.211.19.36:44818     Salamanca          Spain               
 78.116.231.225:44818   Lombez             France              225.231.116.78.rev.sfr.net
 85.120.40.73:44818     N/A                Romania             
 91.149.55.49:44818     N/A                Norway              
 96.57.38.114:44818     Saint James        United States       ool-60392672.static.optonline.net
 96.70.239.109:44818    Boston             United States       96-70-239-109-static.hfc.comcastbusiness.net
 96.84.106.227:44818    Chicago            United States       96-84-106-227-static.hfc.comcastbusiness.net
 98.164.37.98:44818     Skiatook           United States       wsip-98-164-37-98.tu.ok.cox.net

[*] Auxiliary module execution completed

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

可以看到找到了很多的SCADA系统。

# 写在最后

如果你觉得冰河写的还不错，请微信搜索并关注「 冰河技术 」微信公众号，跟冰河学习高并发、分布式、微服务、大数据、互联网和云原生技术，「 冰河技术 」微信公众号更新了大量技术专题，每一篇技术文章干货满满！不少读者已经通过阅读「 冰河技术 」微信公众号文章，吊打面试官，成功跳槽到大厂；也有不少读者实现了技术上的飞跃，成为公司的技术骨干！如果你也想像他们一样提升自己的能力，实现技术能力的飞跃，进大厂，升职加薪，那就关注「 冰河技术 」微信公众号吧，每天更新超硬核技术干货，让你对如何提升技术能力不再迷茫！

← Metasploit清除渗透痕迹利用Metasploit渗透DATAC-RealWin-SCADA Server2.0 →