Project Address
https://github.com/enddo/smod
Project Introduction
SCADA (Supervisory Control and Data Acquisition) systems have in recent years moved away from proprietary, closed network protocols towards open specifications carried over TCP/IP. This exposes them to the same classes of security flaws as conventional computer networks. Modbus/TCP is one such protocol: its specification is freely published, it is implemented in many utility and smart-grid products, and it is widely deployed in power systems. The protocol itself has no authentication or encryption, so anyone who can reach TCP port 502 on a device can read and write its coils and registers.
Usage and Installation
Smod is written in Python and depends on the Scapy module, so it runs on most Linux and OS X systems. The sniffing module needs raw socket access, which is why the examples below are run as root.
root@kali:~/smod# python smod.py
 ________
< SMOD >
 --------
        \   ^__^
         \  (xx)\_______
            (__)\       )\/\
             U  ||----w |
                ||     ||

 --=[MODBUS Penetration Test FrameWork
 --+--=[Version : 1.0.1
 --+--=[Modules : 14
 --+--=[Coder : Farzin Enddo
 --=[github : www.github.com/enddo

SMOD >help

Command     Description
-------     -----------
back        Move back from the current context
exit        Exit the console
exploit     Run module
help        Help menu
show        Displays modules of a given type, or all modules
set         Sets a variable to a value
use         Selects a module by name

SMOD >show modules

Modules                               Description
-------                               -----------
modbus/dos/galilRIO                   DOS Galil RIO-47100
modbus/dos/writeSingleCoils           DOS With Write Single Coil Function
modbus/dos/writeSingleRegister        DOS Write Single Register Function
modbus/function/readCoils             Fuzzing Read Coils Function
modbus/function/readDiscreteInput     Fuzzing Read Discrete Inputs Function
modbus/function/readExceptionStatus   Fuzzing Read Exception Status Function
modbus/function/readHoldingRegister   Fuzzing Read Holding Registers Function
modbus/function/readInputRegister     Fuzzing Read Input Registers Function
modbus/function/writeSingleCoils      Fuzzing Write Single Coil Function
modbus/function/writeSingleRegister   Fuzzing Write Single Register Function
modbus/scanner/discover               Check Modbus Protocols
modbus/scanner/getfunc                Enumeration Function on Modbus
modbus/scanner/uid                    Brute Force UID
modbus/sniff/arp                      Arp Poisoning

SMOD >
Brute Force Modbus UID
The unit identifier is the one-byte field in the MBAP header that selects a slave, typically one sitting behind a Modbus/TCP gateway (1 to 247; 0 is broadcast). The module sends a request with the configured function code (Read Coils by default) for each candidate UID and reports the ones that answer.
SMOD >use modbus/scanner/uid
SMOD modbus(uid) >show options

Name      Current Setting   Required   Description
----      ---------------   --------   -----------
Function  1                 False      Function code, Default: Read Coils.
Output    True              False      The stdout save in output directory
RHOSTS                      True       The target address range or CIDR identifier
RPORT     502               False      The port number for modbus protocol
Threads   1                 False      The number of concurrent threads

SMOD modbus(uid) >set RHOSTS 192.168.1.6
SMOD modbus(uid) >exploit
[+] Module Brute Force UID Start
[+] Start Brute Force UID on : 192.168.1.6
[+] UID on 192.168.1.6 is : 10
SMOD modbus(uid) >
Enumerate Modbus Functions
With a valid UID known, the module sends a request for each function code and records which ones the slave accepts. Per the Modbus specification, a slave answers a code it does not implement with an exception response carrying exception code 01 (Illegal Function), so that reply is the signal that a function is absent.
SMOD >use modbus/scanner/getfunc
SMOD modbus(getfunc) >show options

Name      Current Setting   Required   Description
----      ---------------   --------   -----------
Output    True              False      The stdout save in output directory
RHOSTS                      True       The target address range or CIDR identifier
RPORT     502               False      The port number for modbus protocol
Threads   1                 False      The number of concurrent threads
UID       None              True       Modbus Slave UID.

SMOD modbus(getfunc) >set RHOSTS 192.168.1.6
SMOD modbus(getfunc) >set UID 10
SMOD modbus(getfunc) >exploit
[+] Module Get Function Start
[+] Looking for supported function codes on 192.168.1.6
[+] Function Code 1(Read Coils) is supported.
[+] Function Code 2(Read Discrete Inputs) is supported.
[+] Function Code 3(Read Multiple Holding Registers) is supported.
[+] Function Code 4(Read Input Registers) is supported.
[+] Function Code 5(Write Single Coil) is supported.
[+] Function Code 6(Write Single Holding Register) is supported.
[+] Function Code 7(Read Exception Status) is supported.
[+] Function Code 8(Diagnostic) is supported.
[+] Function Code 15(Write Multiple Coils) is supported.
[+] Function Code 16(Write Multiple Holding Registers) is supported.
[+] Function Code 17(Report Slave ID) is supported.
[+] Function Code 20(Read File Record) is supported.
[+] Function Code 21(Write File Record) is supported.
[+] Function Code 22(Mask Write Register) is supported.
[+] Function Code 23(Read/Write Multiple Registers) is supported.
SMOD modbus(getfunc) >
Fuzz Testing Read Coils Function
The modbus/function modules send a single request built from the configured StartAddr and Quantity and print the Scapy dissection of the reply. With the defaults below, one coil at address 0 is read from unit 10.
SMOD >use modbus/function/readCoils
SMOD modbus(readCoils) >show options

Name       Current Setting   Required   Description
----       ---------------   --------   -----------
Output     True              False      The stdout save in output directory
Quantity   0x0001            True       Registers Values.
RHOSTS                       True       The target address range or CIDR identifier
RPORT      502               False      The port number for modbus protocol
StartAddr  0x0000            True       Start Address.
Threads    1                 False      The number of concurrent threads
UID        None              True       Modbus Slave UID.

SMOD modbus(readCoils) >set RHOSTS 192.168.1.6
SMOD modbus(readCoils) >set UID 10
SMOD modbus(readCoils) >exploit
[+] Module Read Coils Function Start
[+] Connecting to 192.168.1.6
[+] Response is :
###[ ModbusADU ]###
  transId   = 0x2
  protoId   = 0x0
  len       = 0x4
  unitId    = 0xa
###[ Read Coils Answer ]###
     funcCode  = 0x1
     byteCount = 1L
     coilStatus= [0]
SMOD modbus(readCoils) >
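The three modules shown above (UID brute force, function-code enumeration and the Read Coils probe) all reduce to the same loop: build a Modbus/TCP ADU (7-byte MBAP header plus PDU), send it, and interpret the reply, above all the exception code. The following is an added example written for this page, not smod's own code: it builds the frames with struct instead of Scapy and runs offline against a constructed in-memory slave (unit id 10, coil 3 switched on, only function codes 1 and 3 implemented). The constructed_slave function, the "answers without a gateway exception" criterion for a live UID, and the 4-byte probe payload sent to every function code are assumptions made here, not behaviour taken from smod.

```python
import struct
from typing import Callable, List, Optional

# Function and exception codes from the Modbus Application Protocol spec.
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
ILLEGAL_FUNCTION = 0x01            # slave does not implement the function
GATEWAY_EXCEPTIONS = (0x0A, 0x0B)  # gateway path unavailable / target failed to respond

Exchange = Callable[[bytes], Optional[bytes]]  # send one ADU, get the reply or None


def build_adu(trans_id: int, unit_id: int, func: int, pdu_data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU.
    The length field counts the unit id byte plus the whole PDU."""
    pdu = bytes([func]) + pdu_data
    return struct.pack(">HHHB", trans_id, 0, len(pdu) + 1, unit_id) + pdu


def read_coils_request(trans_id: int, unit_id: int, start: int, quantity: int) -> bytes:
    return build_adu(trans_id, unit_id, READ_COILS, struct.pack(">HH", start, quantity))


def parse_adu(raw: bytes) -> dict:
    """Split a Modbus/TCP frame into its fields; bit 7 of the function code
    set means an exception response whose first data byte is the exception code."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", raw[:7])
    if proto_id != 0:
        raise ValueError("not Modbus (protocol id %d)" % proto_id)
    pdu = raw[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length disagrees with bytes received")
    func = pdu[0]
    return {"trans_id": trans_id, "unit_id": unit_id, "func": func & 0x7F,
            "exception": pdu[1] if func & 0x80 else None, "data": pdu[1:]}


def decode_coils(data: bytes, quantity: int) -> List[bool]:
    """Read Coils reply body: byte count, then coil bits packed LSB first."""
    byte_count = data[0]
    if byte_count != (quantity + 7) // 8 or len(data) < 1 + byte_count:
        raise ValueError("byte count does not match requested quantity")
    return [bool(data[1 + i // 8] >> (i % 8) & 1) for i in range(quantity)]


def brute_force_uid(exchange: Exchange, candidates=range(0, 248)) -> List[int]:
    """Unit ids that answer Read Coils without a gateway exception (assumed
    criterion); a unit that stays silent, i.e. times out, is treated as absent."""
    found = []
    for uid in candidates:
        raw = exchange(read_coils_request(uid, uid, 0, 1))
        if raw is None:
            continue
        resp = parse_adu(raw)
        if resp["unit_id"] == uid and resp["exception"] not in GATEWAY_EXCEPTIONS:
            found.append(uid)
    return found


def enumerate_functions(exchange: Exchange, unit_id: int, codes=range(1, 128)) -> List[int]:
    """A function is implemented unless the slave answers ILLEGAL_FUNCTION; other
    exceptions (e.g. Illegal Data Address) still prove the code exists.
    Caution: the probe payload is a real request, so write codes (5, 6, 15, 16, ...)
    can change device state; restrict `codes` to read functions on live plant."""
    supported = []
    for trans_id, fc in enumerate(codes):
        raw = exchange(build_adu(trans_id, unit_id, fc, b"\x00\x00\x00\x01"))
        if raw is None:
            continue
        resp = parse_adu(raw)
        if resp["trans_id"] == trans_id and resp["exception"] != ILLEGAL_FUNCTION:
            supported.append(fc)
    return supported


def constructed_slave(raw: bytes) -> Optional[bytes]:
    """Constructed stand-in for a slave with unit id 10 that implements only Read
    Coils and Read Holding Registers and has coil 3 ON. Not a real device."""
    req = parse_adu(raw)
    if req["unit_id"] != 10:
        return None  # wrong unit: no reply, which is what a timeout looks like
    if req["func"] == READ_COILS:
        start, qty = struct.unpack(">HH", req["data"][:4])
        bits = bytearray((qty + 7) // 8)
        if start <= 3 < start + qty:
            bits[(3 - start) // 8] |= 1 << ((3 - start) % 8)
        return build_adu(req["trans_id"], 10, READ_COILS, bytes([len(bits)]) + bytes(bits))
    if req["func"] == READ_HOLDING_REGISTERS:
        return build_adu(req["trans_id"], 10, READ_HOLDING_REGISTERS, b"\x02\x12\x34")
    return build_adu(req["trans_id"], 10, req["func"] | 0x80, bytes([ILLEGAL_FUNCTION]))


if __name__ == "__main__":
    print("UIDs:", brute_force_uid(constructed_slave, range(0, 20)))
    print("functions:", enumerate_functions(constructed_slave, 10, range(1, 24)))
    reply = parse_adu(constructed_slave(read_coils_request(2, 10, 0, 8)))
    print("coils:", decode_coils(reply["data"], 8))
```

To point this at a real device, replace constructed_slave with a function that opens a TCP connection to port 502, calls sendall() on the request and returns recv() data, or None on socket.timeout. The same caveat as for smod applies: the function-enumeration probe sends genuine requests, so running it against a production PLC with write codes included can alter coils and registers.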
Article Source: Hacker Toolbox