Hacktricks-skills network-services-pentesting-modbus

How to enumerate and pentest Modbus protocol services (port 502). Use this skill whenever the user mentions Modbus, SCADA systems, industrial control systems (ICS), port 502, or needs to assess Modbus-enabled devices. Trigger for any Modbus enumeration, vulnerability assessment, or penetration testing tasks involving industrial protocols.

Install

Source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-modbus/SKILL.MD

Source content

Modbus Protocol Pentesting

A skill for enumerating and testing Modbus protocol services commonly found in industrial control systems (ICS) and SCADA environments.

Overview

Modbus is a messaging protocol developed in 1979 by Modicon for communication between intelligent devices. It operates under a master-slave/client-server model and is widely used in industrial automation.

Key characteristics:

  • Default port: 502/tcp
  • Architecture: Master-slave (client-server)
  • Common in: SCADA systems, PLCs, industrial sensors, building automation

When to Use This Skill

Use this skill when:

  • You discover port 502 open during network reconnaissance
  • You need to enumerate Modbus devices on a network
  • You're assessing industrial control system security
  • You're performing authorized penetration testing on SCADA infrastructure
  • You need to identify Modbus unit IDs and available registers

Enumeration

Nmap Discovery

Use Nmap's Modbus discovery script to identify Modbus services and gather initial information:

# Basic Modbus discovery
nmap --script modbus-discover -p 502 <target-ip>

# With verbose output
nmap --script modbus-discover -p 502 -v <target-ip>

# Scan multiple targets
nmap --script modbus-discover -p 502 <target-range>

Metasploit Framework

Metasploit provides several modules for Modbus enumeration:

# Start Metasploit
msfconsole

# Detect Modbus services
use auxiliary/scanner/scada/modbusdetect
set RHOSTS <target-ip>
run

# Find valid unit IDs
use auxiliary/scanner/scada/modbus_findunitid
set RHOSTS <target-ip>
run

Testing Workflow

Step 1: Initial Reconnaissance

  1. Confirm port 502 is open and accessible
  2. Run Modbus discovery to identify the service
  3. Document the target system and scope authorization

Step 2: Unit ID Enumeration

Modbus uses unit IDs to address individual devices on a network. Enumerate valid unit IDs:

  • Use modbus_findunitid from Metasploit
  • Try common unit IDs (1-247 are valid)
  • Document which unit IDs respond

Step 3: Register Discovery

Once you have valid unit IDs, enumerate available registers:

  • Read holding registers (function code 3)
  • Read input registers (function code 4)
  • Read coils (function code 1)
  • Read discrete inputs (function code 2)

Step 4: Vulnerability Assessment

Check for common Modbus vulnerabilities:

  • No authentication: Modbus typically has no built-in authentication
  • Write access: Test if write operations are permitted
  • Information disclosure: Check what data is exposed in registers
  • Firmware version: Some devices expose version information
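The read operations in Steps 3 and 4 on the wire, as an added example that is not part of the skill or of HackTricks: it encodes Modbus/TCP read requests for function codes 1 to 4 (MBAP header plus PDU) and decodes the responses, including the exception response a device returns instead of data. Everything here is standard-library Python with no network access; the response frames are constructed by hand, and the transaction ids, unit id and register values in them are made up for illustration.

```python
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id
MBAP = struct.Struct(">HHHB")

# Read-only function codes from Step 3 with the per-request quantity limit the spec sets
READ_FUNCTIONS = {
    1: ("Read Coils", 2000),
    2: ("Read Discrete Inputs", 2000),
    3: ("Read Holding Registers", 125),
    4: ("Read Input Registers", 125),
}

# Exception codes a device returns in place of data (function code has bit 0x80 set)
EXCEPTION_CODES = {
    1: "Illegal Function",
    2: "Illegal Data Address",
    3: "Illegal Data Value",
    4: "Server Device Failure",
}


def build_read_request(transaction_id, unit_id, function_code, start_address, quantity):
    """Encode a Modbus/TCP read request (function codes 1-4) as bytes."""
    if function_code not in READ_FUNCTIONS:
        raise ValueError(f"function code {function_code} is not a read function")
    max_quantity = READ_FUNCTIONS[function_code][1]
    if not 1 <= quantity <= max_quantity:
        raise ValueError(f"quantity must be 1..{max_quantity} for function {function_code}")
    if not 0 <= unit_id <= 255:
        raise ValueError("unit id must fit in one byte (1-247 is the addressable range)")
    pdu = struct.pack(">BHH", function_code, start_address, quantity)
    # The MBAP length field counts everything after itself: the unit id byte plus the PDU
    header = MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id)
    return header + pdu


def parse_read_response(frame, quantity=None):
    """Decode a Modbus/TCP response to a read request.

    Returns a dict with transaction id, unit id and function code plus either
    'values' (bools for coils/discrete inputs, ints for registers) or
    'exception' (the exception name) when the device refused the request.
    """
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = MBAP.unpack_from(frame)
    if protocol_id != 0:
        raise ValueError("protocol id is not 0, not a Modbus/TCP frame")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    result = {"transaction_id": transaction_id, "unit_id": unit_id}
    if function_code & 0x80:
        # Exception response: original function code with the high bit set, then one exception byte
        if len(frame) < 9:
            raise ValueError("truncated exception response")
        exc = frame[8]
        result["function_code"] = function_code & 0x7F
        result["exception"] = EXCEPTION_CODES.get(exc, f"exception code {exc}")
        return result
    if function_code not in READ_FUNCTIONS:
        raise ValueError(f"unexpected function code {function_code} in response")
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count:
        raise ValueError("byte count does not match data length")
    result["function_code"] = function_code
    if function_code in (1, 2):
        # Bit-packed: input N is bit (N % 8) of byte (N // 8); unused high bits are padding
        bits = [bool((data[i // 8] >> (i % 8)) & 1) for i in range(byte_count * 8)]
        result["values"] = bits[:quantity] if quantity is not None else bits
    else:
        if byte_count % 2:
            raise ValueError("register data must be a whole number of 16-bit words")
        # Registers are 16-bit big-endian words
        result["values"] = list(struct.unpack(f">{byte_count // 2}H", data))
    return result


# Constructed sample frames (hand-built for this example, not captured from a device)
SAMPLE_REQUEST = build_read_request(transaction_id=1, unit_id=1, function_code=3, start_address=0, quantity=2)
SAMPLE_REGISTER_RESPONSE = bytes.fromhex("000100000007010304" "0012" "0034")
SAMPLE_COIL_RESPONSE = bytes.fromhex("0002000000040101" "01" "05")
SAMPLE_EXCEPTION_RESPONSE = bytes.fromhex("000300000003018302")

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())
    print(parse_read_response(SAMPLE_REGISTER_RESPONSE))
    print(parse_read_response(SAMPLE_COIL_RESPONSE, quantity=3))
    print(parse_read_response(SAMPLE_EXCEPTION_RESPONSE))
```

The exception branch is the part worth reading closely: a device that answers "Illegal Data Address" to a read of a register range tells you which addresses exist without ever returning data, so an assessment report should record exceptions per range rather than treating them as failed requests.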

Safety Considerations

⚠️ Critical warnings for Modbus pentesting:

  1. Authorization required: Only test systems you have explicit permission to assess
  2. Physical safety: Modbus controls industrial equipment - unauthorized writes could cause physical damage or safety hazards
  3. Read-only first: Start with read operations only to understand the system
  4. Document everything: Keep detailed logs of all testing activities
  5. Coordinate with operators: Ensure industrial operations are aware of testing

Common Modbus Function Codes

Function Code   Description               Read/Write
1               Read Coils                Read
2               Read Discrete Inputs      Read
3               Read Holding Registers    Read
4               Read Input Registers      Read
5               Write Single Coil         Write
6               Write Single Register     Write
15              Write Multiple Coils      Write
16              Write Multiple Registers  Write
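The read/write column of this table is exactly the split a monitoring rule needs, since Modbus has no authentication and the only control a defender has is knowing which hosts are permitted to write. The following is an added example, not code from the skill or from HackTricks: it classifies Modbus/TCP request payloads by function code and flags write requests from any source outside an allowlist of engineering workstations, plus any function code the table does not cover. The IP addresses and frames are constructed for the example.

```python
import struct

# Function-code table from the skill, with the Read/Write column as a classification
FUNCTION_CODES = {
    1: ("Read Coils", "read"),
    2: ("Read Discrete Inputs", "read"),
    3: ("Read Holding Registers", "read"),
    4: ("Read Input Registers", "read"),
    5: ("Write Single Coil", "write"),
    6: ("Write Single Register", "write"),
    15: ("Write Multiple Coils", "write"),
    16: ("Write Multiple Registers", "write"),
}


def classify_request(payload):
    """Return (unit_id, function_code, name, access) for one Modbus/TCP request payload."""
    if len(payload) < 8:
        raise ValueError("payload shorter than MBAP header plus function code")
    _tid, protocol_id, _length, unit_id = struct.unpack_from(">HHHB", payload)
    if protocol_id != 0:
        raise ValueError("protocol id is not 0, not Modbus/TCP")
    function_code = payload[7]
    name, access = FUNCTION_CODES.get(function_code, (f"Unknown function {function_code}", "unknown"))
    return unit_id, function_code, name, access


def audit_requests(records, write_allowlist):
    """Flag write requests from sources outside the allowlist and unknown function codes.

    records: iterable of (src_ip, dst_ip, payload_bytes) for client-to-server TCP/502 segments.
    Returns a list of alert strings; an empty list means nothing to report.
    """
    alerts = []
    for src, dst, payload in records:
        try:
            unit_id, fc, name, access = classify_request(payload)
        except ValueError as err:
            alerts.append(f"{src} -> {dst}: malformed Modbus/TCP payload ({err})")
            continue
        if access == "write" and src not in write_allowlist:
            alerts.append(f"{src} -> {dst} unit {unit_id}: {name} (fc {fc}) from non-allowlisted host")
        elif access == "unknown":
            alerts.append(f"{src} -> {dst} unit {unit_id}: {name}")
    return alerts


# Constructed sample traffic: hypothetical addresses, frames built by hand rather than captured
ENGINEERING_WORKSTATIONS = {"10.0.0.5"}
SAMPLE_RECORDS = [
    # Read Holding Registers from the engineering workstation: routine
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("000100000006010300000002")),
    # Write Single Register from the engineering workstation: permitted by the allowlist
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("00020000000601060001000F")),
    # Write Multiple Registers from an unexpected host: alert
    ("10.0.0.77", "10.0.1.20", bytes.fromhex("00030000000B0110000000020400010002")),
    # Write Single Coil from the same unexpected host: alert
    ("10.0.0.77", "10.0.1.20", bytes.fromhex("00040000000601050000FF00")),
]

if __name__ == "__main__":
    for alert in audit_requests(SAMPLE_RECORDS, ENGINEERING_WORKSTATIONS):
        print(alert)
```

In practice the records would come from a network tap or span port on the control network rather than a list, and the allowlist from the operators named in the Safety Considerations section; the classification logic stays the same.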

Tools Reference

Tool                   Purpose                     Command
Nmap                   Service discovery           nmap --script modbus-discover -p 502 <ip>
Metasploit             Enumeration & exploitation  msfconsole
modbus-tk              Python library              pip install modbus-tk
Colasoft Modbus Poll   GUI testing                 Commercial tool

Next Steps

After enumeration:

  1. Document findings: Create a report of discovered devices and capabilities
  2. Assess risk: Evaluate the security implications of findings
  3. Recommend mitigations: Suggest network segmentation, authentication, monitoring
  4. Coordinate remediation: Work with industrial operations team on fixes

Related Skills

  • Network service enumeration
  • SCADA security assessment
  • Industrial control system hardening
  • Network segmentation strategies