Modbus Version Scanner

2012-06-05T18:50:53
ID MSF:AUXILIARY/SCANNER/SCADA/MODBUSDETECT
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module detects the Modbus service, tested on a SAIA PCD1.M2 system. Modbus is a clear text protocol used in common SCADA systems, developed originally as a serial-line (RS232) async protocol, and later transformed to IP, which is called ModbusTCP.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'Modbus Version Scanner',
      'Description' => %q{
          This module detects the Modbus service, tested on a SAIA PCD1.M2 system.
        Modbus is a clear text protocol used in common SCADA systems, developed
        originally as a serial-line (RS232) async protocol, and later transformed to IP,
        which is called ModbusTCP.
      },
      'References'  =>
        [
          [ 'URL', 'http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx' ],
          [ 'URL', 'http://en.wikipedia.org/wiki/Modbus:TCP' ]
        ],
      'Author'      => [ 'EsMnemon <esm[at]mnemonic.no>' ],
      'DisclosureDate' => 'Nov 1 2011',
      'License'     => MSF_LICENSE
      )

    register_options(
      [
        Opt::RPORT(502),
        OptInt.new('UNIT_ID', [true, "ModBus Unit Identifier, 1..255, most often 1 ", 1]),
        OptInt.new('TIMEOUT', [true, 'Timeout for the network probe', 10])
      ])
  end

  def run_host(ip)
    # read input register=func:04, register 1
    sploit="\x21\x00\x00\x00\x00\x06\x01\x04\x00\x01\x00\x00"
    sploit[6] = [datastore['UNIT_ID']].pack("C")
    connect()
    sock.put(sploit)
    data = sock.get_once

    # Theory: When sending a modbus request of some sort, the endpoint will return
    # with at least the same transaction-id, and protocol-id
    if data
      if data[0,4] == "\x21\x00\x00\x00"
        print_good("#{ip}:#{rport} - MODBUS - received correct MODBUS/TCP header (unit-ID: #{datastore['UNIT_ID']})")
      else
        print_error("#{ip}:#{rport} - MODBUS - received incorrect data #{data[0,4].inspect} (not modbus/tcp?)")
      end
    else
      vprint_status("#{ip}:#{rport} - MODBUS - did not receive data.")
    end

    disconnect()
  end
end