Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
# Basic Information

In 1979, the **Modbus Protocol** was developed by Modicon, serving as a messaging structure. Its primary use involves facilitating communication between intelligent devices, operating under a master-slave/client-server model. This protocol plays a crucial role in enabling devices to exchange data efficiently.

**Default port:** 502

```
PORT    STATE SERVICE
502/tcp open  modbus
```

# Enumeration

## Port Scanning

### nmap

The first step in enumerating Modbus services is to perform a port scan using `nmap`. This will help identify open ports on the target system. The `modbus-discover` NSE script goes further and queries the service for Modbus unit IDs (slave IDs) and device information.

```bash
nmap -p 502 <IP>
nmap --script modbus-discover -p 502 <IP>
```

### Metasploit

Metasploit also provides modules for scanning Modbus services. The `auxiliary/scanner/scada/modbusdetect` module detects Modbus/TCP endpoints, and `auxiliary/scanner/scada/modbusclient` can then be used to talk to the devices found.

```bash
msf> use auxiliary/scanner/scada/modbusdetect
msf> set RHOSTS <IP>
msf> run

msf> use auxiliary/scanner/scada/modbusclient
msf> set RHOSTS <IP>
msf> run
```

## Modbus Enumeration

Once the Modbus service is identified, the next step is to enumerate the available Modbus units and their associated registers.

### Modscan

Modscan is a popular tool for Modbus enumeration. It can be used to scan for Modbus devices and retrieve information about their registers.

```bash
modscan32.exe
```

### Metasploit

Metasploit also provides modules for Modbus enumeration. The `auxiliary/scanner/scada/modbus_findunitid` module brute-forces the unit ID (slave ID) a device answers on, and the `auxiliary/scanner/modbus/modbus_read` module can be used to read Modbus registers.

```bash
msf> use auxiliary/scanner/scada/modbus_findunitid
msf> set RHOSTS <IP>
msf> run

msf> use auxiliary/scanner/modbus/modbus_read
msf> set RHOSTS <IP>
msf> run
```

## Modbus Exploitation

Once the Modbus units and registers are enumerated, it is possible to exploit vulnerabilities in the Modbus implementation.

### Modbus Client

Modbus Client is a tool that can be used to interact with Modbus devices. It allows sending custom Modbus requests and analyzing the responses.

```bash
modbusclient.exe
```

### Metasploit

Metasploit provides modules for exploiting Modbus vulnerabilities. The `exploit/windows/scada/indusoft_web_studio_exec` module can be used to exploit InduSoft Web Studio vulnerabilities.

```bash
msf> use exploit/windows/scada/indusoft_web_studio_exec
msf> set RHOSTS <IP>
msf> run
```

## Conclusion

Enumeration is a crucial step in the Modbus pentesting process. By identifying open ports, enumerating Modbus units and registers, and exploiting vulnerabilities, it is possible to gain unauthorized access to Modbus devices.
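All of the tools above speak the same Modbus/TCP framing: a 7-byte MBAP header (transaction ID, protocol ID, length, unit ID) followed by a PDU that starts with the function code. The following added example (not code from the original page or from any of the tools named above) builds a Read Holding Registers request, parses frames back into their fields, and flags the write function codes a defender would want alerted on in captured traffic; the sample frames are constructed, not captured from a real device.

```python
import struct

# Public Modbus function codes (Modbus Application Protocol spec); 0x2B is the
# Encapsulated Interface Transport used for Read Device Identification.
FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x2B: "Encapsulated Interface Transport",
}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}

def build_read_holding_registers(transaction_id, unit_id, start_addr, count):
    """Build a Modbus/TCP request: MBAP header + PDU for function code 0x03."""
    pdu = struct.pack(">BHH", 0x03, start_addr, count)
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP frame into a dict; raises ValueError on a malformed header."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame) - 6}")
    fc = frame[7]
    info = {"transaction_id": tid, "unit_id": unit, "function_code": fc & 0x7F,
            "function": FUNCTION_NAMES.get(fc & 0x7F, "Unknown/vendor"),
            "is_write": (fc & 0x7F) in WRITE_CODES, "exception": None,
            "payload": frame[8:]}
    if fc & 0x80:  # exception response: high bit set, next byte is the exception code
        info["exception"] = frame[8] if len(frame) > 8 else None
    return info

def flag_writes(frames):
    """Return (transaction_id, unit_id, function name) for every write request seen."""
    return [(p["transaction_id"], p["unit_id"], p["function"])
            for p in map(parse_modbus_tcp, frames) if p["is_write"]]

# Constructed sample frames (not captured from a real device)
SAMPLE_FRAMES = [
    build_read_holding_registers(1, 1, 0, 10),        # read 10 holding registers from unit 1
    bytes.fromhex("0002000000060106000A0001"),        # Write Single Register: addr 10 := 1
    bytes.fromhex("000100000003018302"),              # exception to FC 0x03: illegal data address
]
```

Run `flag_writes(SAMPLE_FRAMES)` to see only the write transaction reported; the same parser applied to a packet capture of port 502 is a cheap way to spot unexpected writes to a PLC.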