OT 100: Modbus (30 pts + 50 extra)

What You Need

Purpose and Background

Modbus was originally published in 1979, for controlling industrial devices. It's based on a master-slave relationship. In a standard Modbus network, there is 1 master and up to 31 slaves.

For more background, see: Modbus Master-Slave Principle

Note: the terms "master" and "slave" were commonly used in the early days of computing, but they are now discouraged because they are offensive. Modbus is a very old protocol and still uses those old terms.

Modbus Insecurity

Modbus has no encryption or authentication. This means that anyone with access to the Modbus network can perform any desired read or write operations. Security must be provided externally, by limiting access to the Modbus network with a VPN concentrator or other device providing a security barrier.

Installing Java

In a Terminal window, execute this command:
java --version
If you see a version number, as shown below, you have Java. If you don't, download and install the JDK from:
https://www.oracle.com/java/technologies/downloads/

Getting the ModbusPal Slave Simulator

In a browser, go to
https://modbuspal.sourceforge.net/
Click the "Download v1.6b" button.

Click the "Download Latest Version" button.

Save the ModbusPal.jar file in your Downloads folder.

Launching ModbusPal

Open an Administrator Terminal window. Then execute this command:
java -jar Downloads\ModbusPal.jar
The ModbusPal graphical user interface (UI) opens, as shown below.

Adding a Slave

In the ModbusPal UI, in the "Modbus slaves" section, click the Add button.

In the "New slave" box, in the "Add Slave" field, enter a Slave ID of 2.

In the "Slave name" field, enter slave2 as shown below.

In the "New slave" box, click the Add button.

Starting the Slave Running

In the ModbusPal UI, at the top, click the Run button, outlined in red in the image below.

This starts the slave running, listening on port 502 for signals from the master.

Adding Data to the Slave

Click the eye icon of your newly created slave, outlined in green in the image above.

A box opens titled "2slave2".

Here we can add data items to our slave.

In Modbus, there are only two types of data:

In the "2slave2" box, on the "Holding registers" tab, click the Add button.

In the "Add registers" box, change the "To" field to 5, as shown below.

In the "Add registers" box, click the Add button.

The "2slave2" box now shows five Holding registers, all with values of zero, as shown below.
In the "2slave2" box, click the Coils tab.

Click the Add button.

In the "Add coils" box, change the "To" field to 5 and click the Add button.

The "2slave2" box now shows five Coils, all with values of zero, as shown below.

Installing qModMaster

qModMaster simulates a Modbus Master.

In a Web browser, go to

https://sourceforge.net/projects/qmodmaster/
Download the Windows pre-compiled binary.

Open your Downloads folder.

Right-click the downloaded qModMaster archive file, click "Extract All...", and then click Extract.

Double-click the qModMaster folder to open it.

Double-click the qModMaster.exe file.

qModMaster opens, as shown below.

Connecting to the Slave

In the qModMaster window, click Options, "Modbus TCP...".

The default is the loopback address, which is correct, as shown below.

Click the OK button.

In the qModMaster window, set the Modbus Mode to TCP, outlined in red in the image below.
In the qModMaster window, click the Connect button, outlined in blue in the image above.

Reading Data from the Slave

In the qModMaster window, make these settings: Click the "Read/Write" button, outlined in green in the image below.

The data fills in the lower pane, showing five zeroes.

Writing Data to the Slave

In the qModMaster window, make these settings: Click the "Read/Write" button, outlined in green in the image below.

Reading Data from the Slave

Read the five coils from the slave, as you did before.

The first coil is now set to 1, as shown below.

Installing Wireshark

In a Web browser, go to
https://www.wireshark.org/
Download the Windows x64 installer, and install it with the default options.

Launch Wireshark.

Double-click "Adapter for loopback traffic capture", outlined in red in the image below.

Flag OT 100.1: Read Request (10 pts)

In QModMaster, read the five coils from the slave again.

Wireshark shows four packets, as shown below: a Query, an Acknowledgement (ACK), a Response, and another Acknowledgement.

In the top pane, click the Response packet.

In the Details pane, expand the Modbus container.

The flag is covered by a green rectangle in the image below.

Adding a Windows Defender Exclusion

This is a risky action--you should only do this on machines with no personal data, such as a virtual machine intended for malware analysis.

From the Windows desktop, search for Virus. Click "Virus & threat protection".

In the Windows Security box, in the "Virus & threat protection settings" section, click "Manage settings".

Scroll to the bottom and click "Add or remove exclusions".

In the User Account Control box, click Yes.

Click the "Add an exclusion" button. Click Folder. Navigate to the C:\ drive and click it. Click the "Select Folder" button.

The C:\ drive should now appear in the list of Exclusions, as shown below.

Installing Metasploit

Don't use Edge. Install Firefox from
https://getfirefox.com/
In Firefox, go to
https://www.metasploit.com/
On the right side, in the "Get Metasploit" box, in the "OPEN SOURCE" section, click the Download button, as shown below.
On the next page, scroll down to the "Installing Metasploit on Windows" section, as shown below.
Click "view older builds".

Download metasploit-framework-6.3.47+20231212113358-1rapid7-1-x64.msi, as shown below.

(More recent versions will probably work also, but using the exact version I used is the easiest way to do the project.)

Firefox warns you that this file contains malware, as shown above.

In the little Downloads box, click the right-arrow. Click the "Allow download" button.

Open an Administrator Terminal window and execute these commands:

cd Downloads
.\metasploit-framework-6.3.47+20231212113358-1rapid7-1-x64.msi
An installer box appears. Install the software with the default options.

Launching Metasploit

Open a new Administrator Terminal window and execute this command:
msfconsole

Finding Modbus Attacks

At the msf6 > prompt, execute this command:
search modbus
Several modbus attacks appear, as shown below.

Scanning for Active Slaves

At the msf6 > prompt, execute these commands:
use auxiliary/scanner/scada/modbus_findunitid
show options
The module options appear, as shown below.

The only options we need to specify are RHOSTS (to tell it where the Modbus network is) and UNIT_ID_TO (to make the scan end more quickly).

At the msf6 > prompt, execute these commands:
set RHOSTS 127.0.0.1
set UNIT_ID_TO 10
run
The module correctly finds StationID 2 as the only slave in use, as shown below.

Flag OT 100.2: Reading Data from the Slave (10 pts)

At the msf6 > prompt, execute these commands:
use auxiliary/scanner/scada/modbusclient
show options
set DATA_ADDRESS 0
set NUMBER 5
set RHOSTS 127.0.0.1
set UNIT_NUMBER 2
run
The flag is covered by a green rectangle in the image below.

Installing Nmap

In a Web browser, go to
https://nmap.org/
Download and install the latest stable release self-installer.

Flag OT 100.3: Scanning for Modbus Slaves with Nmap (10 pts)

Open a new Administrator Terminal window and execute this command:
nmap -Pn -sT -p502 --script modbus-discover 127.0.0.1
Nmap finds the first active slave ID (sid).

The flag is covered by a green rectangle in the image below.

Analyzing Modbus Traffic

Analyze this file to answer the following three questions:
modbus.pcapng

Flag OT 100.4: Unit Identifier (5 pts)

What is the numerical unit identifier for the slave? Express your answer as a decimal number.

Flag OT 100.5: Holding Register (5 pts)

What is the largest value stored in a holding register before any write operations? Express your answer as a decimal number.

Flag OT 100.6: Unit Identifier (10 pts)

What value is written to a holding register? Express your answer as a decimal number.

Hint: Wireshark displayed this value in hexadecimal, not decimal, when I did it. Check the raw binary data to make sure.
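The Query and Response packets seen in Wireshark above, and the three pcap questions here, all come down to decoding the Modbus/TCP frame: a 7-byte MBAP header (transaction id, protocol id 0, length, unit id) followed by the function code and its data. The following decoder is an added example, not part of this project or of any of the tools it uses; it runs over a constructed capture (not modbus.pcapng) in which a master reads five holding registers, writes one register and one coil, and then reads five coils from a slave with unit id 2, and it reports the unit id, the largest register value before any write, the written values in decimal, and the coil bits.

```python
import struct
READ_COILS, READ_HOLDING, WRITE_COIL, WRITE_REGISTER = 1, 3, 5, 6  # function codes this lab uses

def parse_frame(frame):
    """Split one Modbus/TCP message into its MBAP header fields and PDU."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed Modbus/TCP frame")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}

def decode_coils(data, count):
    """FC 1 response: a byte count, then coil bits packed LSB-first in each byte."""
    bits = [(b >> i) & 1 for b in data[1:1 + data[0]] for i in range(8)]
    return bits[:count]

def decode_registers(data):
    """FC 3 response: a byte count, then 16-bit big-endian words, returned in decimal."""
    return list(struct.unpack(">%dH" % (data[0] // 2), data[1:1 + data[0]]))

def analyze(stream):
    """Walk frames in capture order; a query and its response share a transaction id."""
    pending, result = {}, {"units": set(), "regs_before_write": [], "writes": [], "coils": []}
    for raw in stream:
        f = parse_frame(raw)
        result["units"].add(f["unit"])
        key = (f["tid"], f["unit"], f["fc"])
        if key not in pending:                  # first frame with this key is the query
            pending[key] = f
            if f["fc"] in (WRITE_COIL, WRITE_REGISTER):   # (fc, address, value) in decimal
                result["writes"].append((f["fc"],) + struct.unpack(">HH", f["data"][:4]))
            continue
        query = pending.pop(key)                # second frame with the key is the response
        if f["fc"] == READ_COILS:
            qty = struct.unpack(">H", query["data"][2:4])[0]
            result["coils"] = decode_coils(f["data"], qty)
        elif f["fc"] == READ_HOLDING and not result["writes"]:
            result["regs_before_write"] += decode_registers(f["data"])
    result["max_register_before_write"] = max(result["regs_before_write"], default=None)
    return result

CAPTURE = [bytes.fromhex(h) for h in (  # constructed sample, not the page's modbus.pcapng
    "000100000006020300000005",                # query: read 5 holding registers from address 0
    "00010000000d02030a000000111234000000ff",  # response: 0, 17, 0x1234 (4660), 0, 255
    "000200000006020600020abc",                # query: write single register 2 := 0x0ABC
    "000200000006020600020abc",                # response echoes the request
    "00030000000602050000ff00",                # query: write single coil 0 := 0xFF00 (ON)
    "00030000000602050000ff00",                # response echoes the request
    "000400000006020100000005",                # query: read 5 coils from address 0
    "00040000000402010101",                    # response: 1 data byte, coil 0 set
)]
```

Because Modbus carries no authentication, every write in the "writes" list was accepted by the slave as-is, which is why the same decoding is what a monitoring tool must do to notice writes from an unexpected master.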

Installing Splunk

Download this file: splunk-9.0.3-dd0128b1f8cd-x64-release.msi

Install the software as usual.

During the installation, you will be prompted to select a username and password, as shown below.

Use these values:

Log into Splunk Web

When the installation finishes, a Web browser will open, showing the "Splunk Web" page, as shown below.

Log in with the username and password you selected previously.

A box pops up saying "Helping You Get More Value...". Click "Got It!".

The main Splunk Web page appears, as shown below.

Install the Splunk App for Stream

Download this file: splunk-app-for-stream_811.tgz

In Splunk Web, at the top left, click splunk.

At the top left, next to "Apps", click the gear icon.

At the top right, click the "Install app from file" button.

Upload the splunk-app-for-stream_811.tgz file.

Install the Splunk Add-on for Stream Wire Data

Download this file: splunk-add-on-for-stream-wire-data_811.tgz

At the top right, click the "Install app from file" button.

Upload the splunk-add-on-for-stream-wire-data_811.tgz file.

Install Splunk Add-on for Stream Forwarder on a single instance

Download this file: splunk-add-on-for-stream-forwarders_811.tgz

At the top right, click the "Install app from file" button.

Upload the splunk-add-on-for-stream-forwarders_811.tgz file.

Restart Splunk Enterprise if prompted. It takes a few minutes to restart.

Set up data collection on the local machine

In Splunk Web, at the top left, click splunk.

On the left, click "Splunk Stream".

A "Setup Stream" page opens, as shown below.

Click the green "Let's get started" button.

Viewing Stream Data Types

In Splunk Web, at the top left, click splunk.

At the top left, click "Search & Reporting".

In the lower center, click the gray "Data Summary" button.

Click the Sourcetypes tab to see that Splunk Stream is monitoring five important protocols, as shown below.

However, it's not monitoring all traffic on those protocols. To see what it's actually doing, click the Sources tab.

All the traffic being monitored is internal traffic created by Splunk itself, as shown below.

Close the Data Summary box.

Monitoring General Traffic

In Splunk Web, at the top left, click splunk.

On the left, click "Splunk Stream".

In the top center, click Configuration, "Configure Streams", as shown below.

You see a list of protocols, with graphs of traffic on the right side, as shown below.

In the "dns" line, click the grayed-out word Enabled, outlined in red in the image above.

In the Please Confirm box, click Yes.

Repeat this process to enable these protocols:

Creating Traffic

Open a Command Prompt and execute this command:
ping kittenwar.com

Viewing Stream Data Types

In Splunk Web, at the top left, click splunk.

At the top left, click "Search & Reporting".

In the lower center, click the gray "Data Summary" button.

Click the Sources tab.

Scroll to the bottom.

Now you can see some protocols being monitored for non-Splunk traffic, including stream:icmp, as shown below.

Monitoring Loopback Traffic

We still don't see MODBUS traffic in Splunk, because it's carried by the loopback adapter, which is not monitored by default.

To fix that, navigate to the streamfwd.conf file, as shown below. Right-click it and open it in Notepad.

After the first line, insert these two lines, as shown below.

streamfwdcapture.0.interface = \Device\NPF_Loopback
streamfwdcapture.1.interface = Ethernet0

In Notepad, click File, Save.

Close Notepad.

Restarting Splunk

In the Splunk Web page, at the top, click Settings. In the SYSTEM section, click "Server controls".

Click the green "Restart Splunk" button.

Click OK.

Wait for Splunk to restart.

Log in again.

Creating MODBUS Traffic

In the qModMaster window, click the "Read/Write" button, outlined in green in the image below.

Viewing Stream Data Types

In Splunk Web, at the top left, click splunk.

At the top left, click "Search & Reporting".

In the lower center, click the gray "Data Summary" button.

Click the Sourcetypes tab.

You should see one or more "stream:modbus" events, as shown below.

If you don't, try executing the Read operation in qModMaster again and waiting a few seconds. It took me three tries to capture an event. Also try reading a different number of Coils, like 4.

Flag OT 100.7: Modbus Event (20 pts)

In Splunk, in the "Search & Reporting" dashboard, execute this search:
sourcetype="stream:modbus"
Examine an event. The flag is covered by a green rectangle in the image below.

Scanning for Active Slaves with Metasploit

In an Administrator Terminal window, execute these commands:
msfconsole
search modbus
use auxiliary/scanner/scada/modbus_findunitid
show options
set RHOSTS 127.0.0.1
set UNIT_ID_TO 10
run
The module correctly finds StationID 2 as the only slave in use, as shown below.

Flag OT 100.8: Modbus Event (10 pts)

In Splunk, in the "Search & Reporting" dashboard, execute this search:
sourcetype="stream:modbus"
Examine the most recent event. The flag is covered by a green rectangle in the image below.

Note: when I woke my virtual Windows machine from a suspended state, Splunk stopped collecting Stream data. I had to disable and re-enable MODBUS in the Splunk Stream Configuration.

References

Playing around with Apache PLC4X with a virtual Modbus PLC
Modbus-based Industrial Control System Attack
Script modbus-discover
ICS_CTF Discovery
Install Splunk Stream on a single instance deployment

Flag 7 added 2-29-24
Flag 8 added 3-2-24