Saturday, June 8, 2013

Pwning Modbus/TCP

Well, to be honest, I'm not going to talk about specific attacks here, because there is little need for them: Modbus/TCP has no authentication, no authorization and no encryption, so any network access to a Modbus/TCP service (TCP port 502) is effectively a "pwn" in my opinion. Whoever can reach the port can read and write the device's data with plain protocol messages.

Modbus/TCP has a number of function codes. The four basic read functions are:
  • Function code 1 - Read Coils (read-write single bits; written with function codes 5 and 15)
  • Function code 2 - Read Discrete Inputs (read-only single bits)
  • Function code 3 - Read Holding Registers (read-write 16-bit words; written with function codes 6 and 16)
  • Function code 4 - Read Input Registers (read-only 16-bit words)
The Modbus data model keeps each of these four data types in its own table (coils, discrete inputs, input registers, holding registers), so you can think of the function code as selecting which table a 16-bit address is applied to. The familiar five-digit numbering (0xxxx for coils, 1xxxx for discrete inputs, 3xxxx for input registers, 4xxxx for holding registers) is a documentation convention; only the function code and the address go on the wire. For example, suppose you want to read register 41001. First work out which table it lives in: the leading 4 means it is a Holding Register, a read-write 16-bit value, so you need Function code 3. Function code 3 already puts you in the 40001-49999 table, so the address you supply is not 41001 but 1000: the conventional numbering starts at 1 while the wire address starts at 0, so register (4)1001 is address 1000 (0x03E8) on the wire.

Putting it all together, to read the integer in register 41001 you send a Modbus/TCP request from the Master to the Slave (client to server, in Modbus/TCP terms) with Function Code 3, starting address 1000 and a quantity of 1. If you capture the traffic with Wireshark, its Modbus/TCP dissector decodes the function code and the starting address, so you should see these exact values in the queries going from the Master to the Slave.
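As an added example (not code from the original post), the following Python builds the exact request described above and decodes the reply. It generalizes the 41001 case: reference_to_wire() maps any conventional five-digit reference (0xxxx, 1xxxx, 3xxxx, 4xxxx) to its read function code and zero-based wire address, build_read_request() encodes the MBAP header plus read PDU, and parse_read_response() unpacks bit tables, register tables and exception responses. The transaction id, unit id and the response bytes are assumed values constructed for the example; nothing here talks to a real device.

```python
import struct

# Conventional five-digit reference numbering (a documentation convention, not
# part of the wire protocol) mapped to the read function code for each table.
# The prefix digit selects the table; the remaining digits are 1-based.
TABLES = {
    0: (1, "coils"),              # 00001-09999, read with FC1
    1: (2, "discrete inputs"),    # 10001-19999, read with FC2
    3: (4, "input registers"),    # 30001-39999, read with FC4
    4: (3, "holding registers"),  # 40001-49999, read with FC3
}
PROTOCOL_ID_MODBUS = 0


def reference_to_wire(reference):
    """Map a conventional reference such as 41001 to (function_code, wire_address).

    41001 -> holding register table (FC3), 1-based offset 1001 -> wire address 1000.
    """
    if not 1 <= reference <= 49999:
        raise ValueError("expected a five-digit reference number, got %r" % reference)
    table, offset = divmod(reference, 10000)
    if table not in TABLES or offset == 0:
        raise ValueError("reference %d is not in a readable Modbus table" % reference)
    function_code, _name = TABLES[table]
    return function_code, offset - 1


def build_read_request(transaction_id, unit_id, function_code, address, quantity):
    """Encode a Modbus/TCP read request ADU: MBAP header followed by the PDU.

    MBAP: transaction id (2), protocol id (2, always 0), length (2) = number of
    bytes that follow (unit id + PDU), unit id (1). PDU: function code (1),
    starting address (2), quantity (2). Every field is big-endian.
    """
    if function_code not in (1, 2, 3, 4):
        raise ValueError("not a read function code: %d" % function_code)
    pdu = struct.pack(">BHH", function_code, address, quantity)
    mbap = struct.pack(">HHHB", transaction_id, PROTOCOL_ID_MODBUS, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_response(frame, expected_transaction_id):
    """Decode a read response ADU into a dict; exception responses are reported, not raised."""
    if len(frame) < 9:
        raise ValueError("frame too short for a Modbus/TCP response")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != PROTOCOL_ID_MODBUS:
        raise ValueError("unexpected protocol id %d" % protocol_id)
    if transaction_id != expected_transaction_id:
        raise ValueError("transaction id mismatch: %d != %d" % (transaction_id, expected_transaction_id))
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    function_code = frame[7]
    if function_code & 0x80:
        # Exception reply: the function code with its high bit set, then one exception code.
        return {"unit_id": unit_id, "function_code": function_code & 0x7F,
                "exception": frame[8]}
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count:
        raise ValueError("byte count %d exceeds frame" % byte_count)
    if function_code in (1, 2):
        # Bit tables: coils/inputs are packed eight per byte, least-significant bit first.
        values = [(byte >> bit) & 1 for byte in data for bit in range(8)]
    elif function_code in (3, 4):
        # Register tables: 16-bit big-endian words.
        values = list(struct.unpack(">%dH" % (byte_count // 2), data))
    else:
        raise ValueError("unsupported function code %d" % function_code)
    return {"unit_id": unit_id, "function_code": function_code, "values": values}


def read_register_41001_request():
    """The request discussed in the post: FC3, wire address 1000, one register."""
    function_code, address = reference_to_wire(41001)
    # Transaction id 1 and unit id 1 are assumed values chosen for this example.
    return build_read_request(1, 1, function_code, address, 1)


if __name__ == "__main__":
    request = read_register_41001_request()
    print("request :", request.hex())
    # Constructed reply for that request: unit 1, FC3, 2 data bytes, value 0x1234.
    reply = bytes.fromhex("00 01 00 00 00 05 01 03 02 12 34")
    print("response:", parse_read_response(reply, 1))
```

The request comes out as 00 01 00 00 00 06 01 03 03 e8 00 01, which is what Wireshark's Modbus/TCP dissector will show as function code 3 with starting address 1000. The parser checks the transaction id and the MBAP length field before trusting the byte count, which is the minimum a client should do before indexing into a reply from an unauthenticated peer.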
