Modbus - Port 502

Modbus is a communication protocol used in industrial automation to allow devices like programmable logic controllers (PLCs) to talk to each other.

Become VeryLazyTech member! 🎁

Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

Basic info

Modbus is a communication protocol used in industrial automation to allow devices like programmable logic controllers (PLCs) to talk to each other. It operates in a master-slave setup, where the master queries and controls multiple slave devices. Port 502 is typically used for Modbus TCP/IP, making it a key target for penetration testing to find security weaknesses.

Worflow

Scan for Devices: Use Nmap to find devices listening on port 502.
Fingerprint the System: Use tools like Metasploit’s Modbusdetect module to learn about the Modbus version and capabilities.
Check Security Features: Test if the system requires authentication, as many Modbus implementations do not, allowing anyone to issue commands.
Test Function Codes: Explore Modbus function codes (like 0x01 for Read Coils) to see if they can read or write sensitive data.
Look for Exploits: Check for buffer overflows by sending oversized requests and test for man-in-the-middle attacks, given Modbus traffic is often unencrypted.

Unexpected Detail: Lack of Encryption

An interesting point is that Modbus communication is usually unencrypted, meaning an attacker can easily intercept and modify messages, increasing the risk in industrial settings.

Scanning for Devices

Start by using Nmap to scan for Modbus devices on port 502. Run this command:

nmap -p 502 --script modbus-discover <IP_RANGE>

This will help identify devices and gather initial information.

Initial Reconnaissance

Use Metasploit for deeper reconnaissance. First, detect the Modbus service:

msf > use auxiliary/scanner/scada/modbusdetect 
msf auxiliary(modbusdetect) > set RHOSTS <IP_ADDRESS> 
msf auxiliary(modbusdetect) > run

Then, enumerate unit IDs:

msf > use auxiliary/scanner/scada/modbus_findunitid 
msf auxiliary(modbus_findunitid) > set RHOSTS <IP_ADDRESS> 
msf auxiliary(modbus_findunitid) > run

Interacting with Devices

Install and use Smod for detailed interaction. Clone and run it:

git clone https://github.com/enddo/smod 
cd smod 
python smod.py

Connect to the device:

connect -ip <IP_ADDRESS> -port 502

Enumerate function codes and read/write registers, e.g.:

enum_func read_holding_register -addr 0 -count 1 
write_holding_register -addr 0 -value 100

Exploiting Vulnerabilities

Check for buffer overflows by sending oversized requests in Smod. For man-in-the-middle attacks, capture traffic with Wireshark:

wireshark -i <INTERFACE>

Then, use Scapy to modify and resend packets:

from scapy.all import * 
modbus_packet = Ether() / IP() / TCP() / Raw(load='<modified_data>') 
sendp(modbus_packet)

Learn & practice For the OSCP.

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁

Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousIPsec/IKE VPN - Port 500/UDP NextRexec - Port 512

Last updated 2 months ago

Was this helpful?