Hacking SCADA Systems

With the discovery of Stuxnet and all the subsequent interest in industrial control systems, it's worthwhile to learn a bit about how to exploit these for our own purposes. For now this is a copy-paste of various information on ICS products. Eventually I will rewrite it as a fluent tutorial, but until then you can use this article as a starting point in your own research.

Terminology

PLC: Programmable Logic Controller
RTU: Remote Terminal Unit
HMI: Human-Machine Interface

Default Passwords

These should always be your first try if you come across an HMI. Because these systems have only recently started receiving attention, many HMIs still have their default credentials. They can be accessed using a web panel, telnet, or VNC. Links to support documents have been provided so you can familiarize yourself with these systems.

Schneider Electric (username:password)
pcfactory:pcfactory
loader:fwdownload
ntpupdate:ntpupdate
sysdiag:factorycast@schneider
test:testingpw
USER:USER
USER:USERUSER
webserver:webpages
fdrusers:sresurdf
nic2212:poiuypoiuy
nimrohs2212:qwertyqwerty
nip2212:fcsdfcsd
ftpuser:ftpuser
noe77111_v500:RcSyyebczS
AUTCSE:RybQRceeSd
AUT_CSE:cQdd9debez
target:RcQbRbzRyc [1]

Siemens Simatic
Administrator:100 [2]

Siemens WinCC
WinCCConnect:2WSXcder
WinCCAdmin:2WSXcder [3]

WAGO
admin:wago [4]

Google Dorks

These will be added to as I go along, but here are a couple you can try out to search for HMIs.

inurl:/plc/webvisu.htm
"Miniweb on" "Control Functions" -filetype:pdf

Vulnerabilities and Other Resources

Vulnerabilities in some SCADA server software
Metasploit Modules for SCADA-related Vulnerabilities
SIMATIC HMI panels - some default Simatic HMIs you can play around with
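As an added example (not part of the original page), here is defender-side detection logic that runs over HMI authentication log lines and flags successful logins using the vendor default account names from the Default Passwords section above, then reports any source address that used them on more than one device. The syslog-style line format, host names and addresses are constructed for the example, not taken from any real product.

```python
import re
from collections import defaultdict

# Vendor default account names taken from the Default Passwords section above.
DEFAULT_ACCOUNTS = {
    "schneider": ["pcfactory", "loader", "ntpupdate", "sysdiag", "test", "USER",
                  "webserver", "fdrusers", "nic2212", "nimrohs2212", "nip2212",
                  "ftpuser", "noe77111_v500", "AUTCSE", "AUT_CSE", "target"],
    "siemens": ["Administrator", "WinCCConnect", "WinCCAdmin"],
    "wago": ["admin"],
}
# Case-insensitive lookup: lowercased account name -> vendor.
DEFAULT_USERS = {n.lower(): v for v, names in DEFAULT_ACCOUNTS.items() for n in names}

# Assumed (constructed) syslog-style format for HMI authentication events:
#   <timestamp> <host> <service> login <ok|fail> user=<name> src=<ip>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<service>\S+) login "
                     r"(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log: hosts, users and addresses are invented for the example.
SAMPLE_LOG = """\
2024-03-01T02:11:03Z hmi-plant1 telnet login ok user=pcfactory src=10.0.5.23
2024-03-01T02:11:07Z hmi-plant1 telnet login fail user=root src=10.0.5.23
2024-03-01T02:12:40Z wincc-srv1 web login ok user=WinCCAdmin src=10.0.9.8
2024-03-01T02:13:01Z hmi-plant2 vnc login ok user=operator src=10.0.5.40
2024-03-01T02:14:15Z wago-io3 web login ok user=admin src=10.0.5.23
"""

def flag_default_account_logins(log_text):
    """One alert dict per successful login that used a vendor default account name."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "ok":
            continue  # unparsable line or failed attempt: skip
        rec = m.groupdict()
        vendor = DEFAULT_USERS.get(rec["user"].lower())
        if vendor is not None:
            alerts.append({"ts": rec["ts"], "host": rec["host"], "service": rec["service"],
                           "user": rec["user"], "src": rec["src"], "vendor": vendor})
    return alerts

def sources_touching_multiple(alerts):
    """Sources that used default accounts on more than one host -> sorted host list;
    one address walking across several devices is the pattern worth escalating."""
    hosts_by_src = defaultdict(set)
    for a in alerts:
        hosts_by_src[a["src"]].add(a["host"])
    return {s: sorted(h) for s, h in hosts_by_src.items() if len(h) > 1}
```

Feeding real HMI logs into this requires adapting LINE_RE to the actual event format; the default-account table is the part that carries over as-is.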