search

Learning Modbus TCP

I play a CTF of HTB (Hack The Box) and learning Modbus TCP

By using https://umodbus.readthedocs.io/en/latest/arrow-up-right (umodbus) I have learned to interact with the devices that use Modbus, learn to alter bits and bytes, and understand some function code of Modbus

circle-info

There are numerous Modbus clients so it is not tight to use umodbus, but I would love to use python so I decide to go with umodbus.

I have learned:

  • What are coil, register, slave_id, and starting_address?

  • Client and Server Modbus

  • How to analyze Modbus TCP traffic using Wireshark

hashtag
Tshark command to analyse Modbus TCP traffic

Please change the stream number or just delete it for your own usage

tshark -r Plant1.pcap -qz io,stat,1,"COUNT(mbtcp.trans_id)mbtcp.trans_id && tcp.stream==3","MIN(mbtcp.trans_id)mbtcp.trans_id && tcp.stream==3","MAX(mbtcp.trans_id)mbtcp.trans_id && tcp.stream==3","AVG(mbtcp.trans_id)mbtcp.trans_id && tcp.stream==3","MIN(modbus.func_code)modbus.func_code && tcp.stream==3","MAX(modbus.func_code)modbus.func_code && tcp.stream==3","AVG(modbus.func_code)modbus.func_code && tcp.stream==3"
tshark -r Plant1.pcap -q -T fields -e modbus.func_code "tcp.stream==3 && modbus.func_code" | tr , \n | sort | uniq -c | sort -nr 
tshark -r Plant1.pcap -q -T fields -e modbus.bitnum "tcp.stream==3 && modbus.bitnum" | tr , \n | sort | uniq -c | sort -nr 
tshark -r Plant1.pcap -q -T fields -e modbus.bitval "tcp.stream==3 && modbus.bitval" | tr , \n | sort | uniq -c | sort -nr
tshark -r Plant1.pcap -q -T fields -e modbus.regnum16 "tcp.stream==3 && modbus.regnum16" | tr , \n | sort | uniq -c | sort -nr
tshark -r Plant1.pcap -q -T fields -e modbus.regval_uint16 "tcp.stream==3 && modbus.regval_uint16" | tr , \n | sort | uniq -c | sort -nr

hashtag
Modbus TCP

Very simple protocol, and no security built-in (no authentication, anyone can send a Modbus command if they are on the same network)

Notes:

  • Field devices can't initiate communication

  • The coil is meant for digital output, the register is for analog

  • No security built-in

  • Slave and Master model (in the real world there will be a Server that will poll every 2s to read the data on the Slave) Modbus Client will use some software to send Modbus command to Modbus Server

https://www.daviteq.com/blog/en/modbus-protocol-and-its-applications-in-iot/arrow-up-right

  • IMPORTANT: Most Modbus traffic on the control system is very flat and highly predictable -> you can do baseline monitoring or anomaly detection to defend the network traffic

  • While everybody can send Modbus commands, Modbus doesn't support context or tag names which means -> you will have no idea what value to send or what address to send the Modbus command to the PLC (Client) which will likely increase your chance of mess up thing up and blow you cover when attacking the Modbus System. So mostly the Attacker will find the HMI or Engineer Workstation which will have the file that has the schema or the manual for which address or command refs for those PLC

  • There are no encryption between Modbus client and server

hashtag
What are slave_id, register, coil, and addresses?

hashtag
What is in the PLC that uses Modbus?

There are

Slave ID:

Register

Coil

Addresses

hashtag
Modbus Packet Structure

The data is where you use your code to control the Modbus devices -> by choosing which function code to send and what are the Modbus data (register, coil, address, and slave id)

hashtag
How to control PLC using Modbus

After I have familiarized myself with the Modbus packet, I now use umodbus to communicate with the Modbus server

hashtag
Refs

PreviousSmart GridsNextLearning DNP3

Last updated