I've done some work looking into RedLion ICS HMI devices. They are basically touchscreen computers with networking capabilities.
I discovered how to fingerprint the devices using their control protocol running on port 789. These fingerprints ended up being used by Shodan. I don't have anything to do with Shodan, but they used these fingerprints to add to their product. Red Lion on Shodan (requires Shodan login).
I had put these on a different repository but have moved them over to my main GitHub account.
This is a repository for nmap NSE scripts related to the ICS HMI touchpanels made by Red Lion Controls (http://redlion.net). These devices support updates over TCP port 789.
- cr3-fingerprint.nse : Hosts with TCP:789 open will be fingerprinted
```
Nmap scan report for redlion.example.com (127.0.0.1)
Host is up (0.14s latency).
Not shown: 1021 filtered ports
PORT STATE SERVICE
80/tcp open http
502/tcp open asa-appl-proto
789/tcp open unknown
| cr3-fingerprint:
| Manufacturer: Red Lion Controls
|_Model: G310C2
```
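For asset inventory, scan reports like the one above can be reduced to a list of hosts that answered the cr3-fingerprint script. The following is an added example, not part of the repository: the function name `parse_cr3_hosts` and the second host in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the report shown above plus one invented host with no port 789.
SAMPLE_REPORT = """\
Nmap scan report for redlion.example.com (127.0.0.1)
Host is up (0.14s latency).
Not shown: 1021 filtered ports
PORT STATE SERVICE
80/tcp open http
502/tcp open asa-appl-proto
789/tcp open unknown
| cr3-fingerprint:
| Manufacturer: Red Lion Controls
|_Model: G310C2
Nmap scan report for printer.example.com (127.0.0.2)
PORT STATE SERVICE
80/tcp open http
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
FIELD_RE = re.compile(r"^\|[_ ]?\s*(Manufacturer|Model):\s*(.+)$")

def parse_cr3_hosts(report):
    """Return one dict per host whose report contains cr3-fingerprint fields."""
    hosts, current, in_script = [], None, False
    for line in map(str.rstrip, report.splitlines()):
        m = HOST_RE.match(line)
        if m:  # a new host section starts; reset per-host state
            current = {"host": m.group(1), "open_ports": [], "fingerprint": {}}
            hosts.append(current)
            in_script = False
            continue
        if current is None:  # ignore any banner lines before the first host
            continue
        m = PORT_RE.match(line)
        if m:
            current["open_ports"].append(int(m.group(1)))
            in_script = False  # a port row ends the previous script block
            continue
        if line.lstrip("|_ ").startswith("cr3-fingerprint:"):
            in_script = True
            continue
        m = FIELD_RE.match(line)
        if in_script and m:  # only accept fields inside the cr3-fingerprint block
            current["fingerprint"][m.group(1).lower()] = m.group(2).strip()
        elif not line.startswith("|"):
            in_script = False
    return [h for h in hosts if h["fingerprint"]]
```

The returned list carries each fingerprinted host's open ports, so devices that also expose 80/tcp or 502/tcp can be picked out for review.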
This is a repository for a Wireshark dissector for the Crimson v3 protocol related to the ICS HMI touchpanels made by Red Lion Controls (http://redlion.net). These devices support updates over TCP port 789. This minimal dissector is a starting point for understanding this protocol.