hacktricks/network-services-pentesting/pentesting-modbus.md
2024-02-10 17:52:19 +00:00


<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
# Basic Information
In 1979, the **Modbus Protocol** was developed by Modicon, serving as a messaging structure. Its primary use involves facilitating communication between intelligent devices, operating under a master-slave/client-server model. This protocol plays a crucial role in enabling devices to exchange data efficiently.
**Default port:** 502
```
PORT STATE SERVICE
502/tcp open modbus
```
# Enumeration
## Port Scanning
### nmap
The first step in enumerating Modbus services is to perform a port scan using `nmap`. This will help identify open ports on the target system.
```bash
nmap -p 502 <target_ip>
```
### Metasploit
Metasploit also provides modules for scanning Modbus services. The `auxiliary/scanner/scada/modbusdetect` module checks whether a host actually speaks Modbus/TCP on the open port (a plain port scan only shows that 502/tcp is open).
```bash
use auxiliary/scanner/scada/modbusdetect
set RHOSTS <target_ip>
run
```
## Modbus Enumeration
Once the Modbus service is identified, the next step is to enumerate the available Modbus units and their associated registers.
### Modscan
Modscan is a popular tool for Modbus enumeration. It can be used to scan for Modbus devices and retrieve information about their registers.
```bash
modscan32.exe <target_ip>
```
### Metasploit
Metasploit also provides modules for Modbus enumeration. `auxiliary/scanner/scada/modbus_findunitid` finds the unit IDs that answer behind a Modbus/TCP endpoint (a gateway may front several serial slaves), and `auxiliary/scanner/scada/modbusclient` with the `READ_REGISTERS` action reads holding registers from a unit.
```bash
use auxiliary/scanner/scada/modbus_findunitid
set RHOSTS <target_ip>
run
use auxiliary/scanner/scada/modbusclient
set RHOSTS <target_ip>
set ACTION READ_REGISTERS
run
```
## Modbus Exploitation
Once the Modbus units and registers are enumerated, it is possible to exploit vulnerabilities in the Modbus implementation.
### Modbus Client
Modbus Client is a tool that can be used to interact with Modbus devices. It allows sending custom Modbus requests and analyzing the responses.
```bash
modbusclient.exe <target_ip>
```
### Metasploit
Metasploit provides modules for exploiting Modbus vulnerabilities. The `exploit/windows/scada/indusoft_web_studio_exec` module can be used to exploit InduSoft Web Studio vulnerabilities.
```bash
use exploit/windows/scada/indusoft_web_studio_exec
set RHOSTS <target_ip>
run
```
## Conclusion
Enumeration is a crucial step in the Modbus pentesting process. By identifying open ports, enumerating Modbus units and registers, and exploiting vulnerabilities, it is possible to gain unauthorized access to Modbus devices.
The enumeration commands from the sections above, in one place:
```bash
nmap --script modbus-discover -p 502 <IP>
msf> use auxiliary/scanner/scada/modbusdetect
msf> use auxiliary/scanner/scada/modbus_findunitid
```
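The tools above all speak the same wire format: a 7-byte MBAP header (transaction ID, protocol ID 0, length, unit ID) followed by a PDU whose first byte is the function code, with bit 7 of that byte set in exception responses. The following decoder and the two checks built on it are an added example written for this page, not code from HackTricks or from any of the tools named above. It parses Modbus/TCP frames and, from the defender's side, flags write function codes (5, 6, 15, 16) and a single client probing many unit IDs, which is the traffic pattern unit-ID enumeration such as `modbus_findunitid` leaves behind. The sample frames, the source IPs and the `unit_scan_threshold` value are constructed for the example.

```python
"""Minimal Modbus/TCP (MBAP + PDU) decoder with two defender-side checks.

Added example, not from the HackTricks page. All sample traffic below is
constructed in-line so the script runs offline.
"""
import struct
from collections import defaultdict

# Public function codes (Modbus Application Protocol specification)
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    43: "Encapsulated Interface Transport",
}
WRITE_CODES = {5, 6, 15, 16}


def parse_frame(raw: bytes) -> dict:
    """Decode one Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id byte plus the whole PDU.
    if length != len(raw) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    fc = raw[7]
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": fc & 0x7F,
        "is_exception": bool(fc & 0x80),  # bit 7 set = exception response
        "data": raw[8:],
    }


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Encode a request frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def analyze(frames, unit_scan_threshold: int = 5):
    """Return alert strings for write requests and unit-ID sweeps.

    `frames` is an iterable of (source_ip, raw_frame) tuples holding client
    requests, e.g. extracted from a capture. The threshold is arbitrary.
    """
    alerts = []
    units_seen = defaultdict(set)
    for src, raw in frames:
        f = parse_frame(raw)
        name = FUNCTION_NAMES.get(f["function_code"], "unknown")
        if f["function_code"] in WRITE_CODES:
            # For FC 5/6/15/16 the PDU data begins with the target address.
            addr = struct.unpack(">H", f["data"][:2])[0]
            alerts.append(f"WRITE {src} -> unit {f['unit_id']} {name} addr {addr}")
        units_seen[src].add(f["unit_id"])
    for src, units in units_seen.items():
        if len(units) >= unit_scan_threshold:
            alerts.append(f"UNIT-ID SCAN {src} probed {len(units)} unit ids")
    return alerts


# Constructed sample traffic: a benign poll, one write, and a unit-id sweep.
SAMPLE_FRAMES = [
    ("10.0.0.5", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),  # read 10 regs
    ("10.0.0.9", build_request(2, 1, 6, struct.pack(">HH", 40, 1))),  # reg 40 := 1
] + [
    ("10.0.0.9", build_request(10 + u, u, 3, struct.pack(">HH", 0, 1)))
    for u in range(1, 8)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES):
        print(alert)
```

On the constructed sample the script reports one write alert for `10.0.0.9` against register 40 and one unit-ID scan alert for the same host, while the poller at `10.0.0.5` stays quiet. In a real deployment the same two checks would be fed from a capture or an IDS protocol parser, and the write check is the one worth tuning: on most plants only a known set of HMI or SCADA hosts should ever send function codes 5, 6, 15 or 16.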