# Modbus - Port 502

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}
Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**

* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endtab %}
{% endtabs %}

## Basic info

Modbus is a communication protocol used in industrial automation to allow devices like programmable logic controllers (PLCs) to talk to each other. It operates in a master-slave setup, where the master queries and controls multiple slave devices. Port 502 is typically used for Modbus TCP/IP, making it a key target for penetration testing to find security weaknesses.

### Workflow

* **Scan for Devices**: Use Nmap to find hosts listening on port 502.
* **Fingerprint the System**: Use tools such as Metasploit's modbusdetect module to identify the Modbus version and the capabilities the device exposes.
* **Check Security Features**: Test whether the system requires authentication; many Modbus implementations do not, so anyone who can reach the port can issue commands.
* **Test Function Codes**: Exercise Modbus function codes (for example 0x01, Read Coils) to see whether they expose reads or writes of sensitive data.
* **Look for Exploits**: Check for buffer overflows by sending oversized requests, and test for man-in-the-middle attacks, since Modbus traffic is usually unencrypted.

#### Unexpected Detail: Lack of Encryption

A notable point is that Modbus traffic is usually sent in clear text, so anyone positioned on the network path can read and alter messages; in an industrial setting that raises the risk considerably.

***

## Scanning for Devices

Start by using Nmap to scan for Modbus devices on port 502. Run this command:

```
nmap -p 502 --script modbus-discover <IP_RANGE>
```

This will help identify devices and gather initial information.

### Initial Reconnaissance

Use Metasploit for deeper reconnaissance. First, detect the Modbus service:

```
msf > use auxiliary/scanner/scada/modbusdetect
msf auxiliary(modbusdetect) > set RHOSTS <IP_ADDRESS>
msf auxiliary(modbusdetect) > run
```

Then, enumerate unit IDs:

```
msf > use auxiliary/scanner/scada/modbus_findunitid
msf auxiliary(modbus_findunitid) > set RHOSTS <IP_ADDRESS>
msf auxiliary(modbus_findunitid) > run
```

### Interacting with Devices

Install and use Smod for detailed interaction. Clone and run it:

```
git clone https://github.com/enddo/smod
cd smod
python smod.py
```

Connect to the device:

```
connect -ip <IP_ADDRESS> -port 502
```

Enumerate function codes and read/write registers, e.g.:

```
enum_func read_holding_register -addr 0 -count 1
write_holding_register -addr 0 -value 100
```

## Exploiting Vulnerabilities

Check for buffer overflows by sending oversized requests in Smod. For man-in-the-middle attacks, capture traffic with Wireshark:

```
wireshark -i <INTERFACE>
```

Then, use Scapy to modify and resend packets:

```
from scapy.all import Ether, IP, TCP, Raw, sendp

# Modbus TCP is plain TCP on port 502: Ethernet / IP / TCP / raw MBAP + PDU bytes
modbus_packet = Ether() / IP(dst="<IP_ADDRESS>") / TCP(dport=502) / Raw(load="<modified_data>")
# sendp() works at layer 2, so it needs the capture interface from the Wireshark step
sendp(modbus_packet, iface="<INTERFACE>")
```
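As an added example (not part of the original page, nor Smod's or Scapy's own code), the following Python decoder covers the frames produced by the function-code tests, the unauthenticated holding-register write and the oversized-request check described above: it parses the Modbus TCP MBAP header and PDU and reports what a monitor on port 502 should flag, namely length-field mismatches, ADUs beyond the 260-byte maximum and state-changing write function codes. Function-code names follow the Modbus specification; the sample frames are constructed, not captured.

```python
import struct

MBAP_LEN = 7   # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260  # largest legal Modbus TCP application data unit
READ_FUNCTIONS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                  0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
# Writes change PLC state and, as the page notes, usually need no authentication
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

def parse_frame(frame: bytes) -> dict:
    """Decode one Modbus TCP request and list anything a monitor should flag."""
    findings = []
    if len(frame) < MBAP_LEN + 1:
        return {"findings": ["truncated frame"]}
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    fc, data = frame[MBAP_LEN], frame[MBAP_LEN + 1:]
    if pid != 0:
        findings.append("protocol id %d is not Modbus" % pid)
    # The MBAP length field counts unit id + function code + data (everything after byte 6)
    if length != len(frame) - 6:
        findings.append("length field %d but %d bytes follow" % (length, len(frame) - 6))
    if len(frame) > MAX_ADU:
        findings.append("oversized ADU of %d bytes" % len(frame))
    if fc in WRITE_FUNCTIONS:
        findings.append("state-changing request: " + WRITE_FUNCTIONS[fc])
    elif fc not in READ_FUNCTIONS:
        findings.append("uncommon function code 0x%02x" % fc)
    result = {"tid": tid, "unit": unit, "function": fc, "findings": findings}
    # Function codes 1-6 carry a 16-bit start address and a 16-bit count (reads) or value (writes)
    if 0x01 <= fc <= 0x06 and len(data) >= 4:
        result["address"], result["count_or_value"] = struct.unpack(">HH", data[:4])
    return result

def scan_frames(frames) -> list:
    """Return (frame index, findings) for every frame that raised at least one finding."""
    parsed = [(i, parse_frame(f)["findings"]) for i, f in enumerate(frames)]
    return [(i, found) for i, found in parsed if found]

# Constructed sample traffic (not a real capture): the page's two smod commands, i.e. read
# holding register 0 count 1 and write 100 to register 0, plus an oversized write request
SAMPLE_FRAMES = [
    bytes.fromhex("000100000006" "01" "03" "0000" "0001"),
    bytes.fromhex("000200000006" "01" "06" "0000" "0064"),
    bytes.fromhex("000300000006" "01" "10" "0000") + b"\xff" * 300,
]

if __name__ == "__main__":
    for idx, findings in scan_frames(SAMPLE_FRAMES):
        print("frame %d: %s" % (idx, "; ".join(findings)))
```

The same `parse_frame` can be fed the TCP payload of each packet from the Wireshark capture above to audit which unit IDs received writes.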
