08-modbus_plc_sim
Note imported from Inbox during bulk consolidation.
Modbus PLC Simulation - Part 1
MOSTLY - the process, methods, and commands are similar if not identical to those covered in the previous section. So from here on we will only introduce new material and just mention previously covered material, marked [p], from the Pentest Platform section.
Config
Change mac address of ubuntu VM [p]
Shodan [p]
search for
- port:502
- [VENDOR] Schneider Electric
- [MODEL-no] TM221CE16
Google Dorks [p]
- intitle:"Schneider Electric Telecontrol - Industrial Web Control"
Default Credentials [p]
- within ICS_OSINT.xlsx filter on Schneider Electric and their default credentials
Start Conpot Simulation
On ubuntu VM start conpot with
conpot -f --template default
This starts a Modbus server on port 5020.
Host Discovery [p]
Use netdiscover to find Schneider Electric hosts
NMAP [p]
Use nmap to discover ports using port range.
Ports 22, 2121, 5020, 8800, 10201, 44818 are discovered as open.
Metasploit [p]
Run msfconsole and search for modbus modules [p] with
search modbus
The results in which we are interested are: Modbus Client Utility, Modicon_Stux_Transfer [ladder logic upload/download], and Modicon Remote START/STOP Command
Steps:
- detect modbus
- find unit ID
- grab banners
Modbus Detect
use 4 -> Modbus Detect
setg RHOSTS 10.1.0.11 and
setg RPORT 5020
Then run
The Modbus service is detected.
Banner Grabbing
use 1 -> Banner Grabbing
Enter run to start banner grabbing
This function is not supported by the Conpot honeypot.
Find Unit ID
use 3 -> Find Unit ID
run
Finds multiple unit IDs for the honeypot.
Starting the Modbus simulation
On Kali run sudo java -jar ModbusPal.jar
Once ModbusPal starts, add a modbus slave device with:
- address 1
- name ModbusSim
- holding registers 1-10, filled with some random values
NMAP [p]
run nmap scan [p] for all TCP ports
find scripts with find /usr/share/nmap -name 'modbus*.nse'
finds the modbus-discover.nse script
run this with sudo nmap -Pn 10.1.0.11 -p 502 --script modbus-discover.nse
Metasploit
launch metasploit framework [p] and run search modbus
- use modbus detect [p]
- use find unit ID [p]
- could use modbus client [p] but rather use the modbus command line utilities
Modbus Command Line Utility - Read Memory Blocks
On Kali VM run modbus --help or modbus read --help
Run modbus read 10.1.0.11 %MW0 10 -> Read the first 10 memory blocks
Modbus Command Line Utility - Write Memory Blocks
Run modbus write 10.1.0.11 %MW0 0000000000 -> Writes ten zeros to the first memory block
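The read and write commands above go on the wire as Modbus/TCP frames (7-byte MBAP header plus PDU); from the monitoring side, the difference between a read of %MW0 and a write to it is just the function code. As an added example (not part of the course notes or the modbus CLI), this parser decodes both requests and raises an alert when a write-class function arrives from a host not on an assumed allow-list; the two sample frames are constructed by hand to mirror the read and write commands in the notes, not real captures.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set

# Function codes relevant to the read/write commands in these notes.
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FCS = {5, 6, 15, 16}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int   # 0-based protocol address (%MW0 == 0)
    quantity: int        # registers/coils touched
    is_write: bool

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: MBAP header (tid, proto, length, unit) + PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # length counts unit id + PDU; a mismatch means truncation or tampering
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6} bytes present")
    fc = frame[7]
    if fc not in FC_NAMES:
        raise ValueError(f"unsupported function code {fc}")
    start = struct.unpack(">H", frame[8:10])[0]
    # single-item writes (FC 5/6) carry a value in place of a count
    qty = 1 if fc in (5, 6) else struct.unpack(">H", frame[10:12])[0]
    return ModbusRequest(tid, unit, fc, start, qty, fc in WRITE_FCS)

def alert_for(req: ModbusRequest, src_ip: str, allowed_writers: Set[str]) -> Optional[str]:
    """Return an alert line when a write comes from a host not allowed to write (assumed policy)."""
    if req.is_write and src_ip not in allowed_writers:
        return (f"ALERT unexpected {FC_NAMES[req.function_code]} from {src_ip} "
                f"to unit {req.unit_id} at %MW{req.start_address} x{req.quantity}")
    return None

# Constructed sample frames (not captures): read 10 holding registers from %MW0,
# and write ten zero registers starting at %MW0 (FC 16, byte count 0x14 = 20).
READ_MW0_10 = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
WRITE_MW0_ZEROS = bytes.fromhex("0002 0000 001b 01 10 0000 000a 14") + bytes(20)
```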
Next Section -> Pentesting Real Modicon Hardware