Free & Open Source Modbus/TCP tools

If you're interested in playing around with the Modbus protocol, you probably want to start with free, or preferably, open source tools. Here are the ones I've found useful:

Linux

• Metasploit - Everyone's favourite penetration testing tool has by default a bunch of modules which are helpful for analyzing Modbus services. I often use the modbusdetect and modbusclient modules for checking to see if a service is actually a valid Modbus service and triggering IDS' like Snort which are using Modbus rules.
• Modscan - This basic tool allows you to check if a service is an actual Modbus service, like the Metasploit modules, but is a simple, self-contained Python script so you don't need to install the entire Metasploit framework to see if a service is an actual Modbus service or not. I can also reliably crash my test PLC hardware with a couple of scans from this script, so be careful! :-)
• PLCscan - This script allows you to also probe a Modbus service to see if it's genuine, but I found it personally to not be as useful as the previous two tools. It does have some specific, non-Modbus, functionality for Siemens PLCs which may be of use to you, however.
• Wireshark - The best network sniffer around, bar none. Contains modbus decoding modules.
• Nmap - The best port scanner around, bar none. Useful if you need to quickly check for open ports.

Windows

• Modscan64 (not to be confused with the Modscan tool above) - This tool is free, but could be more accurately classified as nagware. It's great for dumping all the registers of a Modbus service and seeing what is laid out in the memory of PLC, but it's a bit awkward to use.
• CAS Modbus Scanner - This tool is completely free but I personally found to not be as useful at revealing the internals of a Modbus service as Modscan64.

Honeypots

• Digital Bond SCADA HoneyNet - The good folks at Digital Bond have created a SCADA Honeypot which emulates Modbus, HTTP, FTP and SNMP for a Modicon PLC. The instructions that come with it are for the old version of VMWare Server, so if you want to run it with the new VMWare Server, be prepared for a struggle. However, you can just extract the protocol simulators (like Modbus) which are just standard Java programs and run them yourself. The system that you can download provides you with an emulated PLC and the networking infrastructure around it for you to monitor any potential attacks. It is not being actively developed, AFAICT.
• ConPot - A new SCADA/ICS honeypot which currently emulates Modbus and SNMP. It is much simpler to setup than the Digital Bond SCADA HoneyNet but has pretty much the same functionality. It is currently under active development.

Obviously: only use these tools against a network that you are authorized to assess!