Warning
Penetration testing in Operational Technology (OT) environments is inherently dangerous and can pose significant risks. Executing such tests may lead to process disruptions, system crashes, or even the complete destruction of critical infrastructure.
If you intend to conduct penetration testing in an OT environment, ensure you have a comprehensive understanding of the entire system and the potential impact of the tests. It is strongly recommended to conduct these tests only on simulated Industrial Control Systems (ICS) to avoid any real-world consequences.
Proceed with extreme caution!
PENETRATION TESTING ON MODBUS
In this demonstration, we assume that the attacker is already within the system, meaning they have access to the network.
Understanding the Modbus protocol
Modbus is a non-proprietary protocol created in 1979 by the company Modicon. Originally it operated over serial links (RS-232/422/485). As needs grew, Modbus was extended to run over TCP (Ethernet and Wi-Fi), which today lets a large amount of equipment communicate with each other. In this topic, we focus on Modbus TCP.
In Modbus, data is organized into four memory areas (coils, discrete inputs, holding registers and input registers), each serving a specific purpose. Modbus TCP speaks of client and server where the serial variants speak of master and slave; the roles are the same. Coils are single-bit values that the client can both read and write; they typically represent binary output states, such as turning a device on or off. Discrete inputs are also single-bit but read-only; they report the state of an external device, such as a switch or sensor.
In addition to coils and discrete inputs, Modbus uses 16-bit registers for numeric data. Holding registers can be both read and written by the client and hold values such as configuration settings, sensor readings or control parameters. Input registers are also 16-bit but read-only; they usually carry measurements from field devices, such as temperatures.
The protocol defines function codes through which the client acts on these data points; the most common are Read Coils (01), Read Discrete Inputs (02), Read Holding Registers (03), Read Input Registers (04), Write Single Coil (05), Write Single Register (06), Write Multiple Coils (15) and Write Multiple Registers (16). This structured approach enables efficient data exchange and control over industrial devices. There is, however, no function code for authentication: anyone who can reach the server can issue any of them.
On the wire, each Modbus TCP message starts with a 7-byte MBAP header: a transaction identifier (2 bytes, used to pair a response with its request), a protocol identifier (2 bytes, always 0 for Modbus), a length (2 bytes, counting the bytes that follow) and a unit identifier (1 byte). It is followed by the PDU: the function code (1 byte) and its data. Together these fields make up a complete Modbus TCP/IP frame, which is encapsulated in a TCP segment (port 502) for transmission over IP networks. The serial CRC is dropped in favour of the TCP checksum, and nothing is added for authentication or confidentiality. This allows Modbus to leverage the robustness and ubiquity of TCP/IP networks while keeping the simplicity and efficiency that made the protocol popular.
TOP VULNERABILITIES
MITM (Man-In-The-Middle)
MITM attacks target the communication between two parties:
- Spoofing: posing as another device or user on the network to intercept or modify data before it reaches its intended recipient, usually without either the sender or the recipient noticing.
- Illegal interception: capturing unsecured (unencrypted) communications. The lack of encryption in Modbus TCP makes this trivial, letting attackers read or modify data in transit (Veridify Security).
We will see later how to use this type of attack.
Configuration errors
These vulnerabilities result from incorrect or insufficient configuration of devices or networks:
- Unauthenticated reads and writes: a misconfigured or unprotected server lets an attacker read sensitive values or write bogus sensor values and setpoints, manipulating the process or disclosing confidential information.
- Illegal connection: devices accept connections from anyone because of weak or default passwords on their management interfaces, or because port 502 is reachable from networks it should never be exposed to, including the Internet.
ATTACK MODELING
During this demonstration, we will examine two types of attack: an illegitimate anonymous connection, and spoofing used to alter the values in the registers.
To situate the attack, we use the Purdue Model, a framework that organizes industrial control system (ICS) architecture into distinct levels, from physical equipment to enterprise management:
- Levels 0-2 handle real-time process control (physical equipment, controllers, and monitoring).
- Levels 3-4 cover production management and business systems (operations management, planning, and logistics).
This separation improves security and network segmentation, structures the integration between IT (Information Technology) and OT (Operational Technology) and, in our case, lets us pinpoint where the attack takes place.
Our attack occurs between levels 1 and 0, since it sits between an S7-1200 PLC and the sensors. It could equally occur between levels 1 and 2 if the supervisory system were connected to the PLC via Modbus.
DEMONSTRATION
Required tools
- RustScan
- Ettercap
- Wireshark
- Python, with the Pymodbus and Scapy libraries (plus the standard-library modules argparse and time)
Attack
First step
The first step in the analysis begins with a network scan using RustScan, which collects the range of live IP addresses and the status of their ports. For Modbus, our goal is to find a host with TCP port 502 open.
> rustscan -a 192.168.0.0/24 --ulimit 5000
Restricting the scan to the Modbus port (-p 502) is quieter and kinder to fragile OT devices, which have been known to misbehave under aggressive scanning; widen the scan only once the assets of interest are located. The objective of this step is a comprehensive understanding of the network topology and its potentially vulnerable assets (PLCs, workstations, etc.).
Now, several options are available to us: either we connect directly to the Modbus server if it has no authentication process, or we proceed with spoofing.
Alternative 1: Attack via illegitimate connection
Warning: this attack may cause a denial of service. Be cautious about the number of requests sent per second.
Once the target was identified, an anonymous connection was made successfully, requiring only the IP address and port of the server. No specific Unit Identifier (Unit_ID) was needed, which simplified the process; on more complex networks, where a gateway fronts several serial slaves, a Unit_ID scan might be necessary. Using a read function in Python, two holding registers containing decimal values were found. Rewriting these values repeatedly and rapidly caused a denial of service: the server could no longer hold a stable value and became overloaded.
[Find the connection and modification code here]()
This attack highlights how exposed Modbus registers are to continuous modification, a situation made worse by the absence of any security measure such as authentication.
For better understanding, here is a graphical modeling of the attack:
Alternative 2: Man-in-the-middle attack
The server is identified by its open port 502, but which hosts are its clients remains unknown. The first approach that comes to mind is to observe the communications with a network analysis tool such as Wireshark, but on a switched network this yields little: unicast traffic between the PLC and its clients is not delivered to the attacker's switch port.
Now the goal is to redirect all network communications to pass through our system, allowing us to observe and potentially modify the exchanges between devices.
To achieve this, we use ARP poisoning: forged ARP replies make the victims associate the attacker's MAC address with another host's IP address, so packets intended for that host are delivered to the attacker instead. The attacking machine can then sniff the traffic, forward it, and analyze the data exchanged on the network.
To carry out this attack, I have developed a script using Scapy [Available here]().
With this script we move from passive observation to active interception, and every frame exchanged between the two victims passes through our machine. This opens up the possibility of intercepting and analyzing the Modbus frames circulating between devices.
By applying the Modbus display filter in Wireshark (modbus, or tcp.port == 502), we observe the exchanges between two machines and thereby identify our targets.
Examining the Modbus frames on the network is particularly revealing when it comes to understanding the interactions between client and server devices. The capture below shows a Modbus frame in which the client sends a write request to the server. Notably, the communication is in plain text, exposing every detail of the command sent.
Now, it is important to dissect and analyze this frame. It contains all the parameters sent to the server. The MBAP header opens with two fields we only need to copy: the transaction identifier (used to match a response to its request) and the protocol identifier (always 0 for Modbus). The remaining fields are:
- Length: 6: the number of bytes that follow this field (unit identifier, function code and data), here 1 + 1 + 4 = 6.
- Unit Identifier: 0: identifies the serial slave behind a gateway; a native Modbus TCP server usually ignores it. In our case it is 0, the value sent when no Unit_ID is defined.
- Function Code: Write Single Register (6): write one 16-bit value into one holding register of the server.
- Reference Number: 0: the address of the target register. Here 0 designates the first holding register (40001 in the legacy numbering).
- Data: 001c: the value 0x001c, 28 in decimal, that the client wishes to write into the designated register.
In summary, the client asks the server to write the value 28 (001c) to register 0. For educational purposes, we will assume that these values are the readings of a temperature sensor.
Our goal now is to intercept this frame, analyze it and falsify it so that the server receives a value of 1000 degrees Celsius, 03 E8 in hexadecimal, which should trigger an alert in the system. The temperature register normally holds values between 25 and 30 degrees Celsius (00 19 to 00 1E), so the spoofing only needs to act on frames whose Data field falls within that range.
Here is an example of frames collected in hexadecimal on Wireshark.
When a matching frame is detected, the plan is to replace the value in the Data field with 03 E8 (1000 in decimal). To validate this technique, we use Ettercap, an open source interception tool capable of conducting man-in-the-middle attacks.
We developed an Ettercap filter module (Available here) that monitors network traffic, captures Modbus frames and inspects the data they contain. Whenever a frame carries a temperature between 25 and 30 degrees Celsius, the module rewrites the value in the Data field using Ettercap's replace function.
Implementation process:
- Network Sniffing: The module begins with passive listening to traffic to identify specific Modbus frames.
- Condition Detection: It checks each frame to ensure it matches the defined criteria for temperature.
- Data Modification: When an eligible frame is detected, the Data field is altered to reflect a temperature value of 1000 degrees.
Here are the commands to use the module:
- etterfilter -o /tmp/filename.ef <filter source file>
- sudo ettercap -T -i <network interface, e.g. eth0> -F /tmp/filename.ef -q -M arp /<client IP>// /<server IP>//
The success of these tests shows that values inside network frames can be altered on the fly, transparently to both the client and the server.
How to prevent these attacks?
The results of this analysis demonstrate that the Modbus protocol, while widely used, has vulnerabilities, particularly its lack of built-in security mechanisms. Denial of Service (DoS) and Man-in-the-Middle (MITM) attacks illustrate the risks to critical systems, such as safety systems or industrial controls, which can be dangerously compromised.
- Network segmentation: implement effective network segmentation, enforced by network controls such as firewalls. This isolates industrial networks from other networks, reducing the risk of unauthorized access and limiting the potential impact of attacks.
- Adopt Modbus/TCP Security: where possible, adopt Modbus/TCP Security (often called Modbus Secure; Modbus over TLS, on port 802) to benefit from authenticated and encrypted communications between devices. This enhanced version of the protocol protects exchanged data against interception and tampering, strengthening the security of industrial control systems. Data encryption in an industrial environment is complex, so do not hesitate to consult experts in the field to implement this type of solution.
- Keep equipment updated: ensure that devices receive the latest patches and security updates. This is crucial to avoid known vulnerabilities and reduce the risk of exploitation by attackers. Updates can also cause damage, so they should be deployed only after being tested outside of the production environment and according to an appropriate update and vulnerability management policy.
- Implement detection solutions: where possible, install network monitoring systems to detect and prevent man-in-the-middle (MITM) attacks. These systems monitor traffic anomalies and intrusion attempts, enabling a rapid and effective response in the event of an incident.
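As a concrete instance of the segmentation and detection points above, here is a constructed nftables ruleset for a Linux firewall placed between the supervisory network and the PLC segment. It is an added example, not part of the article; the addresses are assumed (192.168.0.20 as the only legitimate Modbus client, 192.168.0.10 as the PLC).

```nftables
# Constructed example (added here, not from the article). Load with: nft -f ot_boundary.nft
# Only the supervisory host may open Modbus connections to the PLC; every other attempt
# is logged for the monitoring system and dropped.
table inet ot_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Allow-list: one client, one server, one port, new connections only
        ip saddr 192.168.0.20 ip daddr 192.168.0.10 tcp dport 502 ct state new accept

        # Anything else aimed at Modbus is an unauthorised connection attempt
        tcp dport 502 log prefix "MODBUS-DENIED " drop
    }
}
```

This stops the direct-connection attack of Alternative 1 from any host other than the allowed client and turns the attempt into a log line. It does nothing against the ARP poisoning of Alternative 2 when attacker and PLC share a segment, since that traffic never crosses the firewall; in-segment controls (static ARP entries on the PLC and its client, dynamic ARP inspection on managed switches, or ARP monitoring) are needed for that.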
If you want to enhance your protection, Serma Safety & Security can support you in deploying tailored security solutions for your industrial environments, regardless of the type of systems in place. With our expertise and know-how, we offer customized services to ensure the resilience and protection of your infrastructure against current IT/OT threats.