Zeroska
Learning Modbus TCP

I played a CTF from HTB (Hack The Box) and learned Modbus TCP along the way


Last updated 1 year ago


By using umodbus I have learned to interact with devices that speak Modbus, to alter bits and bytes, and to understand some of the Modbus function codes.

There are numerous Modbus clients, so you are not tied to umodbus, but I prefer Python, so I decided to go with umodbus.

  • emodbus

I have learned:

  • What are coil, register, slave_id, and starting_address?

  • Modbus client and server

  • How to analyze Modbus TCP traffic using Wireshark

Tshark command to analyse Modbus TCP traffic

Change the tcp.stream number (or drop that condition entirely) to fit your own capture

# Per-second statistics for one TCP stream: transaction id and function code counts, min, max, average
tshark -r Plant1.pcap -qz io,stat,1,"COUNT(mbtcp.trans_id)mbtcp.trans_id && tcp.stream==3","MIN(mbtcp.trans_id)mbtcp.trans_id && tcp.stream==3","MAX(mbtcp.trans_id)mbtcp.trans_id && tcp.stream==3","AVG(mbtcp.trans_id)mbtcp.trans_id && tcp.stream==3","MIN(modbus.func_code)modbus.func_code && tcp.stream==3","MAX(modbus.func_code)modbus.func_code && tcp.stream==3","AVG(modbus.func_code)modbus.func_code && tcp.stream==3"
# Frequency tables of function codes, coil numbers/values and register numbers/values in the stream.
# tr needs its arguments quoted: an unquoted \n is seen by the shell as a plain "n".
tshark -r Plant1.pcap -q -T fields -e modbus.func_code "tcp.stream==3 && modbus.func_code" | tr ',' '\n' | sort | uniq -c | sort -nr
tshark -r Plant1.pcap -q -T fields -e modbus.bitnum "tcp.stream==3 && modbus.bitnum" | tr ',' '\n' | sort | uniq -c | sort -nr
tshark -r Plant1.pcap -q -T fields -e modbus.bitval "tcp.stream==3 && modbus.bitval" | tr ',' '\n' | sort | uniq -c | sort -nr
tshark -r Plant1.pcap -q -T fields -e modbus.regnum16 "tcp.stream==3 && modbus.regnum16" | tr ',' '\n' | sort | uniq -c | sort -nr
tshark -r Plant1.pcap -q -T fields -e modbus.regval_uint16 "tcp.stream==3 && modbus.regval_uint16" | tr ',' '\n' | sort | uniq -c | sort -nr

Modbus TCP

A very simple protocol with no security built in: there is no authentication, so anyone on the same network can send a Modbus command.

Notes:

  • Field devices can't initiate communication

  • A coil is a digital output; a register holds an analog value

  • No security built in

  • Slave and master model. In the real world a master (the Modbus client, typically HMI/SCADA software) polls the slave (the Modbus server, e.g. a PLC) roughly every 2 s to read its data; the client sends Modbus commands, the server answers them.

  • IMPORTANT: Most Modbus traffic on a control system is very flat and highly predictable -> baseline monitoring or anomaly detection on the network traffic is an effective defense

  • Anybody can send Modbus commands, but Modbus carries no context or tag names -> without the plant's documentation you have no idea which value to send or which address to send it to on the PLC, which makes it easy to break something and blow your cover when attacking a Modbus system. So an attacker will usually look for the HMI or engineering workstation first, since it holds the files (schema, manual, project) that map addresses and commands to the PLC.

  • There is no encryption between the Modbus client and server

What are slave_id, register, coil, and addresses?

What is in a PLC that uses Modbus? There are:

  • Slave ID

  • Register

  • Coil

  • Addresses

Modbus Packet Structure

The data part of the packet is where your code controls the Modbus device -> you choose which function code to send and what Modbus data goes with it (register, coil, address, and slave id)
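To make the packet structure concrete and to show the baseline monitoring idea from the notes above, here is an added example (not code from the page or from umodbus) that builds the MBAP header plus PDU by hand, parses raw frames back, learns which unit/function pairs normal polling uses, and flags anything else. The frames, the unit id and the polled register range are all constructed for the illustration.

```python
import struct

# Modbus TCP frame = 7-byte MBAP header + PDU (function code + data).
# Every frame in this file is constructed for the illustration, not captured traffic.
MBAP = struct.Struct(">HHHB")  # trans_id, proto_id (always 0), length, unit_id
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}  # function codes that alter coils/registers

def build_frame(trans_id, unit_id, pdu):
    """Prepend the MBAP header; its length field counts unit_id plus the PDU."""
    return MBAP.pack(trans_id, 0, len(pdu) + 1, unit_id) + pdu

def write_multiple_coils(trans_id, unit_id, start, values):
    """FC 15 request, the same one the umodbus snippet on this page sends."""
    nbytes = (len(values) + 7) // 8
    bits = bytearray(nbytes)
    for i, v in enumerate(values):  # coil bits are packed LSB first
        if v:
            bits[i // 8] |= 1 << (i % 8)
    pdu = struct.pack(">BHHB", 15, start, len(values), nbytes) + bytes(bits)
    return build_frame(trans_id, unit_id, pdu)

def parse_frame(frame):
    """Split a raw frame into MBAP fields plus function code and data bytes."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    trans_id, proto_id, length, unit_id = MBAP.unpack_from(frame)
    if proto_id != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header: protocol id or length mismatch")
    return {"trans_id": trans_id, "unit_id": unit_id,
            "func_code": frame[7], "data": frame[8:]}

def learn_baseline(frames):
    """Record the (unit_id, function code) pairs that normal polling uses."""
    return {(p["unit_id"], p["func_code"]) for p in map(parse_frame, frames)}

def detect(frames, baseline):
    """Return (trans_id, reason) for frames outside the baseline or writing."""
    alerts = []
    for p in map(parse_frame, frames):
        key = (p["unit_id"], p["func_code"])
        if key not in baseline:
            alerts.append((p["trans_id"], "unseen unit/function %d/%d" % key))
        elif p["func_code"] in WRITE_FUNCS:
            alerts.append((p["trans_id"], "write function %d" % p["func_code"]))
    return alerts

# Baseline: an HMI polling holding registers 0-9 (FC 3) on unit 1 each cycle.
POLL = [build_frame(t, 1, struct.pack(">BHH", 3, 0, 10)) for t in range(1, 4)]
# Live traffic: the same poll, then the write_multiple_coils request from the page.
LIVE = POLL + [write_multiple_coils(4, 1, 1, [1, 0, 1, 1])]
```

Feeding `LIVE` to `detect(LIVE, learn_baseline(POLL))` raises one alert for transaction 4, the write that never appeared during polling; on a real network the raw frames would come from the TCP payloads of port 502 traffic.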

How to control PLC using Modbus

After familiarizing myself with the Modbus packet, I use umodbus to communicate with the Modbus server

# Create a socket and send a Modbus TCP request with umodbus
import socket
from umodbus.client import tcp

HOST = 'localhost'  # Change this to the IP address or domain name of the Modbus server
PORT = 502          # Default Modbus TCP port

# Connect
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))

try:
    # Function code 15 (Write Multiple Coils): set coils 1..4 on slave 1 to 1, 0, 1, 1
    message = tcp.write_multiple_coils(slave_id=1, starting_address=1, values=[1, 0, 1, 1])

    # Response depends on the Modbus function code. This one returns the
    # number of coils written, in this case 4.
    response = tcp.send_message(message, sock)

    print(response)
finally:
    sock.close()

Refs

  • https://umodbus.readthedocs.io/en/latest/
  • https://libmodbus.org/
  • Understanding Modbus TCP (Black Hat): https://www.youtube.com/watch?v=oVDYaG2HInU&ab_channel=BlackHat
  • https://www.daviteq.com/blog/en/modbus-protocol-and-its-applications-in-iot/