SCADA/ICS security is probably the most important and most overlooked field of cyber security. In an era where cyber warfare is an everyday occurrence and cyber terrorism is an ongoing threat, these huge industrial facilities have large bulleyes on their backs. In some cases, taking down or disrupting just one of these plants could cost billions of US dollars and many lives. That is why everyone in our industry needs to become conversant in this field. For more background in SCADA/ICS, check out my section on this increasing important field of information security.
PLC's, or programmable logic controllers, control nearly everything in the SCADA/ICS industry. These PLC's control everything from petroleum refineries, to manufacturing facilities, to waste and sewage plants and the electric grid. Schneider Electric, based in Paris, France, is one of the world's largest manufacturers of these devices and sells them to a variety of industries.
Schneider Electric makes a PLC known as the TM221 that is widely used by small-to-medium sized manufacturing facilities to automate their processes. These PLC's use multiple communication protocols, including the ubiquitous modbus/tcp. To learn more about this SCADA/ICS communication protocol, check out my article on modbus here and do the modbus simulation here. Without this understanding of modbus, what follows here will seem opaque.
It turns out that many of these PLC's are very easy to hack using multiple SCADA/ICS tools.
In this tutorial, I want o show you how to hack these PLC's using the hacking/pentesting tool modbus-cli.
Step #1:Finding the TM221 with Shodan
First, let's see if we can find any of these PLC's connected to the Internet by using Shodan. For more on using Shodan to find SCADA/ICS facilities, check out my article here.
We can simply type "TM221" into the search bar of Shodan and it will return all the IP addresses that contain that string in their banners. As you can see below, there are quite a few. Many of these are vulnerable systems.
Step #2: Install modbus-cli
Now that we have located some potentially vulnerable sites using the Schneider Electric TM221, lets see if we can exploit them. Here we will be using a tool dedicated to exploiting the modbus protocol called modbus-cli. Modbus-cli is a command line (cli) tool that enables us to read and write modbus/tcp (not serial modbus)
We can get this tool by typing;
kali >gem install modbus-cli
Now that have downloaded modbus-cli, we can begin to recon and exploit the sites found by using Shodan above.
Once we have located a site using these PLC's, we can put modbus-cli into action.
This command line tool uses simple syntax. To learn a bit of its syntax, let's display its help screen
kali > modbus --help
As you see, the basic synatx is;
kali > modbus [options] SUBCOMMAND [arguments]
Step #3: Address Terminology
Let's start by reading the values from one of these Schneider Electric sites (I have obscured the IP to protect the innocent and insecure). Before we do so though, we need to discuss ways to designate addresses on these Schneider Electric modbus devices.
We have at least two ways to address these devices and their values, the Schneider Electric mode and the modicon mode. As we can see in the table below, the Schneider Electric terminology begins with %M before the address. We will begin by using it this terminology and then progress to the modicon terminology.
Step#4: Reading the Registers with modbus-cli
So, if we want to read the first ten values beginning with address %MW100, we could simply enter;
kali> modbus read <IP> %MW100 10
As you can see, modbus-cli was capable of pulling the values from the specified 10 memory registers.
We can also use modicon terminology to do the same.
kali > modbus read <IP> 400101 10
If we want more info on the read subcommand, we can simply type --help after modbus then read, such as;
kali > modbus read --help
Step #5 Reading the Coils
Let's now try reading the values of the coils. These will be Boolean (ON/OFF) values. The coils are either ON or OFF with values of 0 or 1. Since we are reading coil values, we use the modicon address of 101 rather than the Schneider address and then read 10 values.
kali > modbus read <IP> 101 10
As we can see below, coils 101, 103 and 105 are all ON (1). The others are all OFF (0)
Step #6 Writing New Values to the Coils
Now, lets see if we can change those values in the coils. Let's try to turn them all ON. We can do this with the write subcommand. In this case, we will start with the Schneider address terminology %MW100 and place 1's in each coil, turning them all ON.
kali > modbus write <IP> %MW100 1 1 1 1 1 1 1 1 1 1
Now, when we go back to read those coils, we can see they have all been activated!
kali > modbus read <IP> %MW100 10
Step #7 Reading the Values into an Output File
Finally, we can read all the values into a text file. We may want to do this for later analysis or as a backup. In this case, lets read 100 coil values into file named scadaoutput.txt.
kali > modbus read --output scadaoutput.txt <IP> %MW100 100
Now, when we cat that file, we see that we have captured and saved all the values of 100 coils. Note that the first 10 are still all ON.
Modbus-cli is a powerful pentesting/hacking tool for the modbus/tcp protocol widely used in the SCADA/ICS industry. For more tools for hacking/pentesting SCADA/ICS check out my catalog of Metasploit SCADA/ICS tools here.
If you have any questions regarding modbus-cli or hacking SCADA/ICS, please feel free to email me at firstname.lastname@example.org
Also, consider my upcoming SCADA/ICS Security course by clicking here. SCADA/ICS security is THE cutting edge in cyber security!