Modbus = Basics + Traffic + Attack


Introduction

Let’s talk about Modbus. It’s one of the most common communication protocols in industrial automation. It’s been around since 1979 and is still widely used to connect devices like PLCs, sensors, and actuators.

The thing is, Modbus was built for simplicity, not security. That makes it a potential risk in modern OT environments. If you’re working with OT systems, understanding how Modbus works - and how it can be exploited - is key to securing your environment.

In this article, I’ll walk you through:

  • How Modbus works (theory and basics).
  • How to read and write to coils and registers.
  • Using Labshock to simulate Modbus devices.
  • Analyzing network traffic during Modbus communication.
  • Performing a Modbus write attack to understand real-world risks.
  • How to interpret the results and mitigate vulnerabilities.

By the end, you’ll know Modbus inside out and have the tools to test, analyze, and secure systems using it. Whether you’re an engineer, security expert, or just getting started with OT, this guide will give you both theory and practical knowledge.

Check the demo video – better to see it once than hear about it 100 times.


Theory

let's talk

Let’s start with the basics of Modbus and how it works. It’s a communication protocol that allows devices in industrial systems to talk to each other. Think of it as a simple language used in OT environments.


[>] Modbus Basics

Different types of Modbus:

  • Modbus RTU: Runs over serial communication. Common in older systems.
  • Modbus TCP: Runs over Ethernet. Widely used in modern setups.
  • Modbus ASCII: An older format, less common today.


Master-Slave Model (also called client/server):

  • The master sends requests, and the slave responds.
  • The slave only responds; it doesn’t send messages unless asked.


Lightweight and Simple:

  • Modbus is designed to work fast in trusted environments.
  • The downside: no built-in security (e.g., no encryption or authentication).


[>] Why Modbus is Still Used

Modbus sticks around because it’s:

  • easy to implement
  • open and free
  • compatible with almost any device in industrial automation

However, its simplicity is also its weakness.

Understanding how it works will help you secure it.



Coils, Registers & Function Codes

what's inside

Modbus organizes data into different types, and each type serves a specific purpose. Let’s break them down.


[>] Coils

What are they?

Coils are binary values: ON (1) or OFF (0).

Think of them like switches or relays you can control.

Use case:

  • Turning on or off a motor, light, or other device.

Operations:

  • Read: Check if the coil is ON or OFF.
  • Write: Change the coil’s state (turn it ON or OFF).



[>] Registers

Registers store 16-bit data and come in two types:

Input Registers:

  • Read-only: Typically used to get sensor data (e.g., temperature or pressure).
  • Example: Reading the current temperature from a device.

Holding Registers:

  • Read/Write: Used for device configuration or data exchange.
  • Example: Setting a target temperature or reading the current speed of a motor.


[>] Function Codes

Function codes are like instructions for Modbus devices.

Here are the most common ones:



Practical Examples

network packets

Now that you know the basics of Modbus, let’s see it in action. We’ll use Labshock to simulate a Modbus environment and perform basic read/write operations on coils and registers.


[>] Setting Up Labshock

Getting Labshock up and running is simple. You only need Docker, Docker Compose, and optionally Git installed on your system. No extra libraries or tools are required.

The README can be found here: GitHub project

The full install guide is here: Quickstart Guide

This article is based on Labshock v1.3.


[>] Requirements

What you need to crack Modbus:

[1] Python and one library:

sudo apt update
sudo apt install python3-pip
python3 -m pip install pymodbus --break-system-packages


[2] modbus_client.py, which performs the 4 operations described below:


[>] Basic Operations

Once the setup is done, let’s perform some basic tasks:


Read Coils:

  • Use the Modbus client to read the state of coils from the server.
  • Example: Check if a pump (coil) is ON or OFF.


Read Registers:

  • Read data from input or holding registers.
  • Example: Get the temperature value from a sensor (input register).


Example packets for reading coils and registers, as they appear in Wireshark:


Let's explain what we get:



Write Coils:

  • Change the state of a coil to turn a device ON or OFF.
  • Example: Turn ON a simulated pump.


Write Registers:

  • Update the value in a holding register.
  • Example: Set a target speed for a motor.


Example packets for writing coils and registers, as they appear in Wireshark:


Let's explain what we get:




Modbus Attack

simple & devastating

In this section, you'll see a Modbus write attack step by step. This example will show how attackers can manipulate devices by exploiting the protocol’s lack of security. We’ll use Labshock to simulate a Modbus environment and standard tools to scan, modify, and analyze the traffic.



[>] Attack Overview

The goal of the attack is to:

  1. Enumerate Modbus devices on the network.
  2. Write to a coil to change its state.
  3. Write to a register to modify critical data.
  4. Monitor and analyze network traffic during the attack.


[>] Step 1: Scanning the Network

The first step is to discover Modbus-enabled devices on the network. Using a tool like nmap, we perform a scan to identify devices running the Modbus service (port 502). The scan reveals active devices, their Unit IDs, and additional device information.


[>] Step 2: Writing to a Coil

Once a Modbus device is identified, the next step is to manipulate a coil. Coils control binary operations, such as turning devices ON or OFF. Writing to a coil can, for example:

  • stop a pump in the system.


[>] Step 3: Writing to a Register

Registers store critical data such as sensor readings or configuration values. By modifying a register we can, for example:

  • change the pump speed to 6500.


[>] Step 4: Monitoring Network Traffic

Using a network sniffer like Wireshark, we capture and analyze the network traffic generated during the attack. The captured packets show:

  • Write Coil Request packets: turning the pump ON/OFF.
  • Write Register Request packets: altering configuration and the pump_1 speed.

These packets highlight how easy it is to execute a Modbus attack due to the lack of encryption or authentication in the protocol.
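The monitoring side of the same traffic, as an added example (my own code, not Labshock's IDS or OT SIEM): it parses captured Modbus/TCP request frames and flags write function codes from hosts outside an allow-list, plus register values outside a process limit, using the pump-speed write to 6500 from this attack as one of the constructed sample frames. The IP addresses, the allow-list and the 3000 speed limit are assumptions.

```python
import struct

# Function codes that change process state; 1-4 are reads
WRITE_FUNCTION_CODES = {5, 6, 15, 16}
# Hypothetical allow-list: only the HMI/master host may issue writes
ALLOWED_WRITERS = {"10.0.0.10"}
# Hypothetical process limit for the pump speed holding register (address 1)
REGISTER_LIMITS = {1: (0, 3000)}

def inspect_frame(src_ip, adu):
    """Return alert strings for one Modbus/TCP request ADU (empty list = benign)."""
    if len(adu) < 8:
        return ["truncated frame"]
    alerts = []
    _tid, pid, length, unit = struct.unpack(">HHHB", adu[:7])
    fc = adu[7]
    if pid != 0 or length != len(adu) - 6:
        alerts.append("malformed MBAP header")
    if fc in WRITE_FUNCTION_CODES:
        if src_ip not in ALLOWED_WRITERS:
            alerts.append(f"write FC {fc} from unauthorized host {src_ip} to unit {unit}")
        if fc == 6 and len(adu) >= 12:  # Write Single Register: address, value
            addr, value = struct.unpack(">HH", adu[8:12])
            lo, hi = REGISTER_LIMITS.get(addr, (0, 0xFFFF))
            if not lo <= value <= hi:
                alerts.append(f"register {addr} set to {value}, outside [{lo}, {hi}]")
    return alerts

# Constructed sample capture (source ip, hex ADU), not a real pcap
SAMPLE_CAPTURE = [
    ("10.0.0.10", "000100000006010300000001"),  # HMI reads 1 holding register
    ("10.0.0.10", "000200000006010600010bb8"),  # HMI sets speed to 3000, allowed
    ("10.0.0.66", "000300000006010500000000"),  # rogue host writes coil 0 OFF
    ("10.0.0.66", "000400000006010600011964"),  # rogue host sets speed to 6500
]

def scan_capture(capture):
    """Run inspect_frame over a capture and return (src, alert) findings."""
    return [(src, alert) for src, hexadu in capture
            for alert in inspect_frame(src, bytes.fromhex(hexadu))]

if __name__ == "__main__":
    for src, alert in scan_capture(SAMPLE_CAPTURE):
        print(f"ALERT {src}: {alert}")
```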


[>] Key Takeaways

This practical example demonstrates the inherent risks of using Modbus in OT environments without additional security measures. Attackers can exploit the protocol to:

  • disrupt physical operations
  • manipulate critical device data
  • cause operational and safety hazards

To secure Modbus environments, it’s essential to use techniques like network segmentation, intrusion detection systems, and protocol gateways.



Conclusion

Modbus remains a cornerstone of industrial automation, but its simplicity comes at the cost of security. As demonstrated, a lack of authentication or encryption makes it easy for attackers to manipulate devices, disrupt operations, and compromise safety.

Understanding how Modbus works, from reading and writing data to analyzing network traffic, is critical for anyone working in OT environments. With tools like Labshock, you can safely simulate, test, and learn about these vulnerabilities in a controlled setting.

The takeaway is clear: while Modbus is efficient and widely supported, relying on it without additional security measures is risky. Implement solutions like network segmentation, secure gateways, and OT monitoring systems (e.g., OT SIEM) to protect your operations.

Security in OT isn’t just about knowing the risks - it’s about actively mitigating them.



You are at Level 3 Industrial Tree - Protocols 1/5 Skill

Don't forget to check your main Leveling Guide

And leave comments or likes, it helps a lot to get your feedback!

Yours, Zakhar

Please put Stars here


Ayo Agunbiade CISSP, CCSP, CCSK, CISM, CSSLP, PMP

Cybersecurity Advisory | Vulnerability Mgt | Cloud Security & Governance | Cybersecurity Solution Architecture | Third-party Risk Mgt | OT & ICS Cybersecurity | Secure SDLC | Product Security | DevSecOps | GRC

3 weeks

Zakhar Bernhardt. Thanks for sharing about ModBus protocol. It's a widely used protocol in OT/ICS automation. Understanding the vulnerabilities and countermeasures is very much important for OT defenders.
Souvik Chakraborty

PLC, SCADA,DCS, ICS OT Security ICS/OT NIST 800-82, ISCA 62443 Industrial Automation, Third Party Communication

3 weeks

Very important as per interview perspective. Thank you sir for sharing.
Zakhar Bernhardt

ICS/OT Cybersecurity Expert | Labshock & Patented NVIDIA AI IDS & 1st OT SIEM Creator | 10k+ Followers | Pentesting & SOC

1 month

Labshock v1.3 is released You can easily check and control your network traffic! https://www.dhirubhai.net/posts/zakharb_otsiem-ot-ics-activity-7297313894543376384-xsFZ

MOHAMAD ALMADANI (CRISC, GRCP, GRCA, IPMP, CySA, CASP)

OT Cybersecurity Engineer@ Saudi Aramco | GRC Certified Cybersecurity Pro

1 month

Thanks a lot dear Zakhar Bernhardt for this informative article, as usual, highly appreciated
