hacktricks/network-services-pentesting/pentesting-modbus.md
2024-02-10 13:03:23 +00:00


<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**Telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub repos.
</details>
# Basic Information
In 1979, the **Modbus Protocol** was developed by Modicon to serve as a messaging structure. Its main use is to facilitate communication between intelligent devices, operating under a master-slave/client-server model. This protocol plays a crucial role in allowing devices to exchange data efficiently.
**Default port:** 502
```
PORT STATE SERVICE
502/tcp open modbus
```
# Enumeration
## Modbus Enumeration
Modbus is a widely used protocol in industrial control systems (ICS) and is often found in SCADA (Supervisory Control and Data Acquisition) environments. It is important to enumerate Modbus devices in order to identify potential targets for exploitation.
### Modbus TCP Enumeration
To enumerate Modbus TCP devices, you can use tools like `nmap` or `modscan`. These tools can help you discover Modbus devices on a network and gather information about them, such as IP addresses, ports, and unit (slave) IDs.
#### Nmap
Nmap is a powerful network scanning tool that can be used to enumerate Modbus TCP devices. You can use the following command to scan for Modbus devices:
```bash
nmap -p 502 --script modbus-discover <target>
```
Replace `<target>` with the IP address or range of IP addresses you want to scan. This command will scan for devices on port 502, which is the default port for Modbus TCP.
#### Modscan
Modscan is a popular Modbus master application that can be used to poll Modbus devices. Once you have Modscan installed, you can enter the IP address of the target device, choose the register type and address range, and read the values it exposes.
### Modbus RTU Enumeration
To enumerate Modbus RTU devices, you can use tools like `mbpoll` or `qModMaster`. These tools can help you communicate with Modbus RTU devices and gather information about them.
#### mbpoll
Mbpoll is a command-line tool that can be used to communicate with Modbus RTU devices. You can use the following command to read holding registers from a Modbus RTU device (Modbus function code 0x03, which mbpoll selects with `-t 4`):
```bash
# Poll once (-1) over a serial line (-m rtu), reading <count> holding registers starting at <register>
mbpoll -m rtu -a <device_id> -t 4 -r <register> -c <count> -b <baud_rate> -1 <serial_port>
```
Replace `<device_id>` with the unit (slave) ID of the target device, `<register>` with the starting register you want to read, `<count>` with the number of registers to read, `<baud_rate>` with the baud rate of the device, and `<serial_port>` with the serial port connected to the device (for example `/dev/ttyUSB0`). Note that mbpoll numbers registers from 1 by default; pass `-0` if you want to use zero-based PDU addressing.
#### qModMaster
qModMaster is a graphical user interface (GUI) tool that can be used to communicate with Modbus RTU devices. You can download qModMaster from the internet and run it on your machine. Once you have qModMaster installed, you can enter the serial port settings and scan for Modbus RTU devices.
## Conclusion
Enumerating Modbus devices is an important step in the process of pentesting industrial control systems. By identifying and gathering information about Modbus devices, you can better understand the network and identify potential vulnerabilities for exploitation.
```bash
nmap --script modbus-discover -p 502 <IP>           # queries device identification and enumerates slave IDs
msf> use auxiliary/scanner/scada/modbusdetect       # confirms that the service on port 502 really speaks Modbus
msf> use auxiliary/scanner/scada/modbus_findunitid  # enumerates the unit (slave) IDs reachable through the endpoint
```
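As an added example (not HackTricks' own code), here is a small Python decoder for the Modbus/TCP MBAP header and PDU, run over a few constructed frames so a defender can recognise the traffic the enumeration tools above generate: unit ID sweeps of the kind `modbus_findunitid` performs, write function codes, and gateway exception responses. The frame bytes, the client IP addresses and the sweep threshold are constructed for the demonstration.

```python
import struct
from collections import defaultdict

# Constructed Modbus/TCP frames (not captured from any real device), keyed by the client IP of
# the conversation. MBAP header: transaction id (2 bytes), protocol id (2, always 0),
# length (2, number of bytes that follow), unit id (1); then the PDU (function code + data).
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("000100000006" "01" "03" "00000001")),  # FC3 read, unit 1
    ("10.0.0.5", bytes.fromhex("000200000006" "02" "03" "00000001")),  # FC3 read, unit 2
    ("10.0.0.5", bytes.fromhex("000300000006" "03" "03" "00000001")),  # FC3 read, unit 3
    ("10.0.0.5", bytes.fromhex("000400000006" "04" "03" "00000001")),  # FC3 read, unit 4
    ("10.0.0.9", bytes.fromhex("000500000006" "01" "06" "0010abcd")),  # FC6 write single register
    ("10.0.0.5", bytes.fromhex("000600000003" "01" "83" "0b")),        # exception reply to client
]

WRITE_FCS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}  # functions that change coils/registers
EXCEPTIONS = {0x01: "illegal function", 0x02: "illegal data address",
              0x03: "illegal data value", 0x04: "slave device failure",
              0x0A: "gateway path unavailable", 0x0B: "gateway target failed to respond"}


def parse_modbus_tcp(frame):
    """Decode one Modbus/TCP frame into a dict; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length %d does not match frame size" % length)
    fc = frame[7]
    rec = {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": None, "data": frame[8:]}
    if fc & 0x80:  # high bit set marks an exception response; the next byte is the code
        rec["exception"] = frame[8] if len(frame) > 8 else None
    return rec


def analyze(frames, sweep_threshold=3):
    """Return (client_ip, finding) pairs a defender would want to review."""
    units_seen = defaultdict(set)
    findings = []
    for client, raw in frames:
        rec = parse_modbus_tcp(raw)
        units_seen[client].add(rec["unit"])
        if rec["fc"] in WRITE_FCS:
            findings.append((client, "write function 0x%02X to unit %d" % (rec["fc"], rec["unit"])))
        if rec["exception"] is not None:
            name = EXCEPTIONS.get(rec["exception"], "unknown")
            findings.append((client, "exception 0x%02X (%s)" % (rec["exception"], name)))
    for client, units in units_seen.items():
        if len(units) >= sweep_threshold:  # many unit ids from one client: findunitid-style sweep
            findings.append((client, "unit id sweep: %d distinct unit ids" % len(units)))
    return findings
```

Feeding real captures through `analyze` would mean extracting each TCP payload on port 502 and tagging it with the client side of the connection; exception code 0x0B is what a gateway returns when a probed unit ID does not exist, so a burst of them alongside many distinct unit IDs is the signature of the sweep.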