Control Systems Digger digs into data found on Shodan.
Currently scanning via KNXnet/IP (Tunneling) is implemented via csdig-knx. csdig-knx is used for reconnaissance and mapping of KNX TP networks behind KNXnet/IP (Tunneling) controllers.
csdig-knx is a Bash script: csdig.sh.
Scanning with csdig-knx is more robust than scanning with KNXmap itself because intention of csdig-knx is to circumvent the weaknesses of communication over an unreliable protocol like UDP. Obstacles while scanning in the wild are:
- Missing compatibility (not all KNXnet/IP / KNX TP devices are certified and therefore do not stick to the definitions)
- High latencies (running into timeouts)
- Network congestions (loss of datagrams)
- KNXmap itself isn't perfect (knwon issues)
The intention of csdig-knx is also to go deeper into KNX networks than Shodan does.
KNXmap fork found at https://github.com/uwedisch/knxmap because of bug fixes that are currently not included in the original KNXmap.
python-shodan installed with sudo apt-get python-shodan.
csvtool installed with sudo apt-get csvtool.
Finally you also need an account with Shodan.
Called without any parameter csdig-knx searches on Shodan for the keyword knx and traverses thru all results. Each result, i.e. KNXnet/IP (Tunneling) aware controller, is scanned for reachable KNX TP devices on it's configured KNX TP line. Each reachable KNX TP device is also scanned. Together all output is written to the directory data.
Use arguments '-h' or '--help' for help on how to work with csdig-knx.sh.
Configuration is done via file csdig.conf.
Tested on Kali Linux 2020.1 Release and on Ubuntu 16.04 LTS. Tested in local environment against WAGO | Controller KNX IP (750-889), Viessmann Vitogate 200, type KNX and against knxd.
Please consult also the wiki for further details about csdig.