502 - Pentesting Modbus


Basic Information

In 1979, the Modbus protocol was developed by Modicon as a messaging structure. Its main purpose is to facilitate communication between intelligent devices, operating on a master-slave/client-server model. The protocol plays a crucial role in letting devices exchange data efficiently.

Default port: 502

PORT    STATE SERVICE
502/tcp open  modbus

Enumeration

Modbus Enumeration

Modbus is a widely used protocol in industrial control systems (ICS) and is often found in SCADA (Supervisory Control and Data Acquisition) environments. Enumerating Modbus devices is an important step, because it identifies potential targets for exploitation.

Modbus TCP Enumeration

To enumerate Modbus TCP devices, you can use tools like nmap or modscan. These tools can help you discover Modbus devices on a network and gather information about them, such as IP addresses, ports, and device IDs.

Nmap

Nmap is a powerful network scanning tool that can be used to enumerate Modbus TCP devices. You can use the following command to scan for Modbus devices:

nmap -p 502 --script modbus-discover <target>

Replace <target> with the IP address or range of IP addresses you want to scan. This command will scan for devices on port 502, which is the default port for Modbus TCP.

Modscan

Modscan is a popular Modbus enumeration tool that can be used to scan for Modbus devices. You can download Modscan from the internet and run it on your machine. Once you have Modscan installed, you can enter the IP address of the target device and scan for Modbus devices.

Modbus RTU Enumeration

To enumerate Modbus RTU devices, you can use tools like mbpoll or qModMaster. These tools can help you communicate with Modbus RTU devices and gather information about them.

mbpoll

Mbpoll is a command-line tool that can be used to communicate with Modbus RTU devices. You can use the following command to poll a Modbus RTU device (-t 3 selects 16-bit holding registers):

mbpoll -a <device_id> -t 3 -r <register> -c <count> -b <baud_rate> <serial_port>

Replace <device_id> with the ID of the target device, <register> with the register you want to read, <count> with the number of registers to read, <baud_rate> with the baud rate of the device, and <serial_port> with the serial port connected to the device.

qModMaster

qModMaster is a graphical user interface (GUI) tool that can be used to communicate with Modbus RTU devices. You can download qModMaster from the internet and run it on your machine. Once you have qModMaster installed, you can enter the serial port settings and scan for Modbus RTU devices.

Conclusion

Enumerating Modbus devices is an important step in the process of pentesting industrial control systems. By identifying and gathering information about Modbus devices, you can better understand the network and identify potential vulnerabilities for exploitation.

nmap --script modbus-discover -p 502 <IP>
msf> use auxiliary/scanner/scada/modbusdetect
msf> use auxiliary/scanner/scada/modbus_findunitid
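The scanners above all work by sending Modbus TCP frames (a 7-byte MBAP header followed by a PDU) to port 502 and reading the reply. The following added example, not part of the HackTricks page, builds the function 0x03 request that such a scanner sends and decodes captured frames into fields a monitoring rule can use (unit ID, function code, whether it is a write, whether the device answered with an exception). The set of function codes treated as "writes" is my own choice for illustration.

```python
import struct

# Modbus TCP frame = 7-byte MBAP header followed by the PDU. MBAP fields: transaction id (2),
# protocol id (2, always 0), length (2, bytes after the length field: unit id + PDU), unit id (1).
MBAP = struct.Struct(">HHHB")

FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x2B: "Encapsulated Interface Transport",  # carries Read Device Identification
}
READ_CODES = {0x01, 0x02, 0x03, 0x04}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}  # assumption: the codes worth alerting on

def build_read_holding_registers(transaction_id, unit_id, start, quantity):
    """Build a function 0x03 request; this is the kind of frame a scanner sends."""
    pdu = struct.pack(">BHH", 0x03, start, quantity)
    header = MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id)  # +1 for unit id
    return header + pdu

def parse_frame(frame):
    """Decode one Modbus TCP frame into a dict a monitoring rule can act on."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[MBAP.size:]
    fc = pdu[0]
    info = {
        "transaction_id": tid, "unit_id": unit, "function_code": fc,
        "function": FUNCTION_NAMES.get(fc & 0x7F, "unknown"),
        "exception": bool(fc & 0x80),   # replies set the high bit on error
        "is_write": fc in WRITE_CODES,
    }
    if info["exception"] and len(pdu) >= 2:
        info["exception_code"] = pdu[1]  # e.g. 0x01 = illegal function
    elif fc in READ_CODES and len(pdu) == 5:
        info["start"], info["quantity"] = struct.unpack(">HH", pdu[1:5])
    return info

if __name__ == "__main__":
    # Constructed sample: a scanner's read request and a device's exception reply.
    req = build_read_holding_registers(1, 1, 0, 10)
    print(req.hex(), parse_frame(req))
    print(parse_frame(bytes.fromhex("000100000003018301")))
```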