MODBUS Protocol Attacks

MODBUS PROTOCOL

After creating the ICS lab it's time to do some pentesting. I will start with the Modicon Communication Bus, MODBUS. It's an old, open, widely supported and unsecured protocol, which makes it the best place to start for a newbie ICS cybersecurity enthusiast like me. I don't see a point in writing the history and specification of MODBUS here, because they are easily available on the internet (links below). Still, I will write some notes-style information to help me remember and to give the reader a quick summary.

SCENARIO

I'm using the virtualized ICS lab described in a previous post.
Let's assume that the hacker has access to the cabled network via a switch (with free ports not locked down) but nothing else. The attacker has a laptop running Kali Linux. No hardware sniffing tools or network taps.
GOAL: Disrupt the work of the assembly line

ATTACK #1

  1. Use nmap to find a machine with open MODBUS port 502
  2. ...or maybe some other suspicious uncommon port like 2225?
  3. Use Metasploit's ModbusDetect module to check if port is using MODBUS protocol

    Bingo!
  4. Use Metasploit's modbus_findunitid module to see which unit ids are legit

    Only #1
  5. Use Metasploit's modbusclient module to read the PLC's inputs and coils

    In my example I see that first coil's state 1 means that conveyor is up
  6. Using the same module, try to write registers and inputs to disrupt the work of the factory

    ...and that's it? Moving the production line by an inch?
    Yep, that's it. An unauthorized coil override causes the sensor input to be ignored and the line to work against the programmed logic. In other cases, the effects can be more serious than moving the box an inch.
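The coil override in step 6 is just an ordinary Modbus/TCP write frame on port 502, so it is easy to spot on the wire: the MBAP header carries the unit id and the PDU starts with the function code, and writes use function codes 5, 6, 15 and 16. The following is an added example (not code from this post or from Metasploit) that parses captured request frames and alerts on writes from hosts that are not allowed to write, or on requests to a unit id the plant does not use (only unit id 1 was legit above). The IP addresses and frames are constructed sample data.

```python
import struct

# Modbus/TCP function codes that change PLC state; everything else is a read.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

def parse_request(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the function code of one request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match the frame")
    return {"tid": tid, "unit_id": unit_id, "fc": frame[7], "data": frame[8:]}

def detect_unauthorized_writes(frames, allowed_writers, legit_unit_ids):
    """Return one alert per write from a host not allowed to write, and one
    per request addressed to a unit id that does not exist in the plant."""
    alerts = []
    for src, frame in frames:
        req = parse_request(frame)
        if req["fc"] in WRITE_FUNCTION_CODES and src not in allowed_writers:
            addr, value = struct.unpack(">HH", req["data"][:4])
            alerts.append(f"{src} unit {req['unit_id']}: "
                          f"{WRITE_FUNCTION_CODES[req['fc']]} "
                          f"addr={addr} value=0x{value:04x}")
        if req["unit_id"] not in legit_unit_ids:
            alerts.append(f"{src}: request to unknown unit id {req['unit_id']}")
    return alerts

# Constructed sample traffic (hypothetical hosts): the HMI at 10.0.0.10 polls
# 8 coils and writes coil 0; an unknown host at 10.0.0.99 writes coil 0 to ON
# (0xFF00) and then probes unit id 2 with a register read.
SAMPLE_FRAMES = [
    ("10.0.0.10", bytes.fromhex("0001 0000 0006 01 01 0000 0008")),
    ("10.0.0.10", bytes.fromhex("0002 0000 0006 01 05 0000 ff00")),
    ("10.0.0.99", bytes.fromhex("0007 0000 0006 01 05 0000 ff00")),
    ("10.0.0.99", bytes.fromhex("0008 0000 0006 02 03 0000 0001")),
]

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_FRAMES, {"10.0.0.10"}, {1}):
        print("ALERT:", alert)
```

On a real network the frames would come from a capture of TCP port 502 traffic; the allow-list should contain only the HMI and engineering workstation, so any other writer is immediately suspicious.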