Metasploit Modbus

search modbus

1. Confirm that our target is running Modbus

use auxiliary/scanner/scada/modbusdetect

2. Find Unit IDs

Now that we have confirmed that the target is actually running the Modbus protocol, the next step is to enumerate the Unit IDs of the connected devices. This is similar to a ping sweep in TCP/IP, but the results are slightly less reliable. Modbus allows for up to 254 connected devices. To manipulate or communicate with any Modbus device, we must have its Unit ID, not dissimilar to using IP addresses in TCP/IP.

use auxiliary/scanner/scada/modbus_findunitid

3. Reading and Writing the Modbus Devices

use auxiliary/scanner/scada/modbusclient

This module requires several variables to be set. The most important is ACTION, which can be set to one of:

1. READ_REGISTERS

2. WRITE_REGISTERS

3. READ_COILS

4. WRITE_COILS

Also note that the default setting for UNIT_NUMBER is 1 and for NUMBER is 1. This means that by default the module acts only on Unit ID 1 and reads or writes only a single coil or register. To increase the number of coils or registers the ACTION operates on, change the NUMBER variable. For example, setting NUMBER to 100 means the module will start at Unit ID 1 and read 100 registers.

Next, let's try writing to the coils. In SCADA/ICS terminology, coils are devices on the network that are either ON or OFF. Their settings are either 1 or 0. By changing the values of a coil, you are switching it on or off.

First, we need to change the ACTION to WRITE_COIL.

set ACTION WRITE_COIL

Next, set DATA to 1 (only 1 or 0 are valid values).

set DATA 1

To check whether the value actually changed, we can now go back and read the coils.

set ACTION READ_COILS

Now, let's try to change the values in the registers. These are memory areas that hold values used within the device to set such things as how long to run a pump or at what pressure should a valve open. Changing these values could have dire repercussions.

Let's first write the values in the registers.

set ACTION WRITE_REGISTERS

Then, provide the data we want written to the registers. We set the data values by using the DATA variable and multiple values must be added separated by commas. For example, let's add 5 (five) 27's to the first five registers.

set DATA 27,27,27,27,27

In this example, after we run exploit, Metasploit reports that 5 values have been written.

To check to see whether the values have actually changed, we can change the ACTION to READ_REGISTERS.

set ACTION READ_REGISTERS

As you can see, the first 5 register values have been changed to 27. This could be very dangerous.
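The READ/WRITE actions above are sent on the wire as Modbus/TCP requests: a 7-byte MBAP header (transaction id, protocol id, length, Unit ID) followed by a function code and its data. The decoder below is an added example, not part of this page or of Metasploit; it parses the three request types the walkthrough uses (Read Holding Registers, Write Single Coil, Write Multiple Registers) from constructed frames mirroring the steps above, and flags write function codes, which is what a monitoring sensor on a SCADA segment would alert on.

```python
import struct
from dataclasses import dataclass, field

# Function codes that modify device state (constructed allowlist of write FCs).
WRITE_FCS = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int
    values: list = field(default_factory=list)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request ADU: MBAP header (7 bytes) followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    (start,) = struct.unpack(">H", pdu[1:3])
    values = []
    if fc in (1, 3):                      # Read Coils / Read Holding Registers
        (qty,) = struct.unpack(">H", pdu[3:5])
    elif fc == 5:                         # Write Single Coil: 0xFF00 = ON, 0x0000 = OFF
        (raw,) = struct.unpack(">H", pdu[3:5])
        if raw not in (0xFF00, 0x0000):
            raise ValueError("invalid coil value")
        qty, values = 1, [1 if raw == 0xFF00 else 0]
    elif fc == 16:                        # Write Multiple Registers
        qty, bytecount = struct.unpack(">HB", pdu[3:6])
        if bytecount != 2 * qty or len(pdu) != 6 + bytecount:
            raise ValueError("register payload length mismatch")
        values = list(struct.unpack(f">{qty}H", pdu[6:]))
    else:
        raise ValueError(f"unsupported function code {fc}")
    return ModbusRequest(tid, unit, fc, start, qty, values)


def is_write(req: ModbusRequest) -> bool:
    """True when the request changes coil or register state on the device."""
    return req.function_code in WRITE_FCS


# Constructed frames for the walkthrough's steps against Unit ID 1, address 0.
WRITE_COIL_ON = bytes.fromhex("0001 0000 0006 01 05 0000 FF00")      # set DATA 1
WRITE_5_REGS_27 = bytes.fromhex("0002 0000 0011 01 10 0000 0005 0A" + "001B" * 5)
READ_100_REGS = bytes.fromhex("0003 0000 0006 01 03 0000 0064")      # NUMBER 100
```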

4. Download the PLC Ladder Logic

Within a SCADA/ICS network, PLCs are the brains behind the actions taking place inside the network. These small computers are programmed to control the devices connected to them. The software program is referred to as "Ladder Logic".

An attacker would likely want to download and analyze the PLC's ladder logic to illuminate what the PLC is controlling and how. By understanding the logic, values can then be changed that might have devastating impact on the facility.

The first step is to load the proper module.

use auxiliary/admin/scada/modicon_stux_transfer

We only need to set our MODE variable to receive (RECV) and our RHOST to that of our target.

When we enter exploit, if the ladder logic is unprotected, the module begins downloading the program, as it did in our run.
