Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/documentation/modules/auxiliary/scanner/scada/modbus_banner_grabbing.md
## Vulnerable Application
This module performs banner grabbing on devices that speak the Modbus protocol by sending a request with function code 43 to read the target device's identification information. For more technical detail on the function codes, see https://en.wikipedia.org/wiki/Modbus#Available_function/command_codes.

By default the Modbus/TCP service listens on port 502, so any device with this port open is a potential target for the scan.
## Verification Steps

1. Do: `use auxiliary/scanner/scada/modbus_banner_grabbing`
2. Do: `set RHOST <IP>` where IP is the IP address of the target.
3. Do: `run`
The response from the target device may contain several identification objects, including:

vendor name, product code, revision number (in *major version*.*minor version* format), vendor url, product name, model name

If the target is unable to process the Modbus message, it returns a Modbus exception message instead, which the module prints to the screen.
Successful results from the scan are stored as a note in the framework. You can access these notes by typing `note` in the console.
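The frame layout behind the steps above, as an added example that is not part of the Metasploit module or its documentation: it builds the function code 43 (MEI type 14) request frame and parses a reply into the identification objects listed above, or into the exception code when the device rejects the request. The sample replies are constructed for the example, not captured from a real device.

```python
import struct

# Object ids returned by Read Device Identification (function 43 / 0x2B, MEI type 14 / 0x0E)
OBJECT_NAMES = {0: "vendor_name", 1: "product_code", 2: "revision",
                3: "vendor_url", 4: "product_name", 5: "model_name"}

def build_request(transaction_id=1, unit_id=0xFF, read_code=0x01, object_id=0x00):
    """Build the Modbus/TCP frame for a basic Read Device Identification request."""
    pdu = struct.pack(">BBBB", 0x2B, 0x0E, read_code, object_id)
    # MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_response(frame):
    """Parse a Modbus/TCP reply: a dict of identification objects, or {"exception": code}."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, _pid, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if pdu[0] & 0x80:                 # exception reply: function code | 0x80, then exception code
        return {"exception": pdu[1]}
    if pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification reply")
    # pdu[2]=read code, [3]=conformity level, [4]=more follows, [5]=next object id, [6]=object count
    objects, pos = {}, 7
    for _ in range(pdu[6]):
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object %d" % oid)
        objects[OBJECT_NAMES.get(oid, "object_%d" % oid)] = value.decode("ascii", "replace")
        pos += 2 + olen
    return objects

def _frame(pdu, unit_id=0xFF):
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit_id) + pdu

# Constructed sample replies (not captured from a real device)
SAMPLE_OK = _frame(bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
                   + bytes([0x00, 13]) + b"ExampleVendor"
                   + bytes([0x01, 6]) + b"EX-100"
                   + bytes([0x02, 3]) + b"1.2")
SAMPLE_EXCEPTION = _frame(bytes([0xAB, 0x01]))   # 0x2B | 0x80, exception code 1 (illegal function)

if __name__ == "__main__":
    print(build_request().hex())
    print(parse_response(SAMPLE_OK))
    print(parse_response(SAMPLE_EXCEPTION))
```

The parser only reads frames you hand it, so it is equally usable on packet captures of Modbus traffic when reviewing what a device discloses on port 502.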
## Options
There are no non-default options for this module.
## Scenarios

The following scenarios describe some of the responses you may receive from the target:
### Schneider Electric BMX NOE 0100 - Successful Response

### Schneider Electric BMX NOE 0100 - No Reply

The target never replied to the attacker's request.

### Schneider Electric BMX NOE 0100 - Network Error

Some network error occurred, such as a connection error, a network timeout, or a refused connection. Alternatively, the host may be unreachable.