Understanding SCADA's Modbus Protocol
Justin Searle, Managing Partner - UtiliSec
Copyright 2015 Justin Searle 1 www.utilisec.com
Today's VM: SamuraiSTFU
• Project site: http://www.samuraistfu.org
• Live DVD / VM for ICS penetration testing
  – Primary audience is electric asset owner and vendor security teams
  – Secondary audience is security contractors
  – Academia and independent researchers
• Includes "cream of the crop" free and open source tools for all aspects of Smart Grid (SG) pentesting
  – Best web pentesting tools (small subset of SamuraiWTF)
  – Best network pentesting tools (small subset of Backtrack)
  – Best hardware pentesting tools (not currently included on any distribution)
• Also includes
  – Documentation on tools, architecture, methodology, and protocols
  – Simulated ICS systems for educational purposes
  – Packet captures and data dumps for exercises
ZIP based Course Virtual Machine
• Make sure that the latest version of VMware Player or Fusion is installed
  – VirtualBox should work, but no promises
• Copy course files to your computer
• Unzip the SamuraiSTFU virtual machine
• From the "File" menu in VMware, choose "Open" and select the .vmx file in the extracted folder
• Verify the virtual machine can communicate on the network
Generic SCADA Architecture (diagram; only the component labels and annotations survive extraction)
• Master side
  – MTU / Master Server (usually running Windows or Linux)
  – HMI, Human Machine Interface (often a web interface now)
  – Historian
  – FEP, Front End Processor / Head end, reaching the field devices over the WAN
• Field side (runs an RTOS or an embedded C program; the field tech programs it with control software)
  – RTU, Remote Terminal Unit
  – PLC, Programmable Logic Controller
  – IED, Intelligent Endpoint Device
• Each field device exposes Monitor Points (sensors) and Control Points (actuators)
Smart Grid Reference Model - SCADA Interfaces (diagram: Transmission SCADA, Distribution SCADA, Generation SCADA)
Source: NIST IR 7628 Vol. 1 - http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf
Substation Network (diagram)
Source - http://osgug.ucaiug.org/utilisec/Shared%20Documents/Substation%20Automation%20Security%20Profile/SA%20Security%20Profile%20-%20v0_15%20-%2020120930.docx
PLC Inputs and Outputs (diagram)
Branch PLC Deployment (diagram)
Common ICS Network Protocols
Universal ICS Protocols
- Modbus TCP: TCP/502
- OPC UA: TCP/4840
- OPC UA XML: TCP/80, TCP/443
Building Automation Specific Protocols
- BACnet/IP: UDP/47808
- LonTalk: UDP/1628, UDP/1629
- Fox (Tridium/Niagara): TCP/1911
Process Automation Specific Protocols
- EtherCAT: UDP/34980
- Ethernet/IP: TCP/44818, UDP/2222, UDP/44818
- FL-net: UDP/55000 to 55003
- Fieldbus HSE: TCP/1089-1091, UDP/1089-1091
- HART-IP: TCP/5094, UDP/5094
- PROFINET: TCP/34962-34964, UDP/34962-34964
Energy Sector Specific Protocols
- DNP3: TCP/20000, UDP/20000
- DLMS/COSEM: TCP/4059, UDP/4059
- ICCP: TCP/102
- IEC 104: TCP/2404 (the slide listed TCP/102, which is the ISO-TSAP port used by MMS and ICCP; IEC 60870-5-104 uses 2404)
- IEEE C37.118: TCP/4712, UDP/4713
- MMS: TCP/102
Modbus TCP
• Modbus was developed by Modicon in 1979 as a serial protocol; Modbus TCP carries the same function codes and data inside an MBAP header over TCP/502
• Widely accepted protocol (implemented by hundreds of vendors) used in multiple industries
• Master (HMI/FEP) to field (RTU, PLC, IED) communication
  – Master station must poll the field device
  – Field device can not initiate communications
  – Only a simple request/response protocol
• Transferred to a foundation and became an 'open' protocol in the early 2000s
• Security was not a part of the design
  – No authentication, authorization, integrity or confidentiality: any host that can reach TCP/502 can read and write every coil and register the slave exposes
Modbus TCP
7BE3 0000 0006 01 03 08D2 0002
Transaction ID | Protocol ID | Length | Unit ID | Function | Function's Data
(this example asks unit 1 to read 2 holding registers starting at address 0x08D2)

Name             Length    Function
Transaction ID   2 bytes   For synchronization between messages of server & client
Protocol ID      2 bytes   Zero for Modbus/TCP
Length Field     2 bytes   Number of remaining bytes in this frame (unit ID, function code and data)
Unit ID          1 byte    Slave Address (255 if not used)
Function code    1 byte    Function codes as in other variants
Data bytes       n bytes   Data as response or commands
http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf
Modbus Data Function Codes
Function Category                           Function Name                    Code (Hex)
Bit access     Physical Discrete Inputs     Read Discrete Inputs             2  (0x02)
               Internal Bits or             Read Coils                       1  (0x01)
               Physical Coils               Write Single Coil                5  (0x05)
                                            Write Multiple Coils             15 (0x0F)
16-bit access  Physical Input Registers     Read Input Register              4  (0x04)
               Internal Registers or        Read Holding Registers           3  (0x03)
               Physical Output Registers    Write Single Register            6  (0x06)
                                            Write Multiple Registers         16 (0x10)
                                            Read/Write Multiple Registers    23 (0x17)
                                            Mask Write Register              22 (0x16)
                                            Read FIFO Queue                  24 (0x18)
File Record Access                          Read File Record                 20 (0x14)
                                            Write File Record                21 (0x15)
Modbus Diagnostic Function Codes
Function Category   Function Name                       Code (Hex)   SubCode (Hex)
Diagnostics         Read Exception Status               7  (0x07)
                    Diagnostic                          8  (0x08)    00-18 (0x00-0x12), 20 (0x14)
                    Get Com Event Counter               11 (0x0B)
                    Get Com Event Log                   12 (0x0C)
                    Report Slave ID                     17 (0x11)
                    Read Device Identification          43 (0x2B)    14 (0x0E)
Other               Encapsulated Interface Transport    43 (0x2B)    13 (0x0D), 14 (0x0E)
Common Modbus Functions
READS: 7BE3 0000 0006 FF 03 08D2 0002
Function                           Data after the function code
1 (0x01) Read Coils                Start Address (2 bytes), # of bits to read (up to 0x7D0)
2 (0x02) Read Discrete Inputs      Start Address (2 bytes), # of bits to read (up to 0x7D0)
3 (0x03) Read Holding Registers    Start Address (2 bytes), # of words to read (up to 0x7D)
4 (0x04) Read Input Registers      Start Address (2 bytes), # of words to read (up to 0x7D)
WRITES: 582F 0000 0006 FF 06 003C BEEF
5 (0x05) Write Single Coil         Start Address (2 bytes), value to write (0x0000 or 0xFF00)
6 (0x06) Write Single Register     Start Address (2 bytes), value to write (0x0000 to 0xFFFF)
15 (0x0F) Write Multiple Coils     Start Address (2 bytes), quantity (2 bytes), byte count (1 byte), coil values bit-packed ...
16 (0x10) Write Multiple Registers Start Address (2 bytes), quantity (2 bytes), byte count (1 byte), register values (0x0000 to 0xFFFF each) ...
Modbus Capture Analysis
• In the Sample Files, find the network capture for Modbus and open it in Wireshark
  – Which IP address is the master on?
  – How many slaves is the master talking to?
  – Is the master writing any data to the slaves?
  – Is the traffic spike in the middle related to Modbus?
• Capture Source:
  – https://www.cloudshark.org/captures/76038eaa4a3b
• Now check out some of the other packet captures for the other protocols
Using ModbusPal for Simulation (screenshots)

Create "InputVoltage" Automation (screenshot)

Configuring "Voltage Regulator" Slave (screenshot)

Adding Coils to "Voltage Regulator" (screenshot)
Using mbtget
samurai@SamuraiSTFU:~$ mbtget -h
usage : mbtget [-hvdsf]
        [-u unit_id] [-a address] [-n number_value]
        [-r[12347]] [-w5 bit_value] [-w6 word_value]
        [-p port] [-t timeout] serveur
command line : (full list of commands is redacted to fit in slide)
  -r1 : read bit(s) (function 1)
  -r2 : read bit(s) (function 2)
  -r3 : read word(s) (function 3)
  -r4 : read word(s) (function 4)
  -w5 bit_value : write a bit (function 5)
  -w6 word_value : write a word (function 6)
  -p port_number : set TCP port (default 502)
  -a modbus_address : set modbus address (default 0)
  -n value_number : number of values to read
Automating Enumeration
• You can automate the mbtget tool to use for your assessment with a little bit of bash scripting
• Enumerating coils (a one-value read that comes back without an exception marks a live address)
$ for i in {0..1000}; do mbtget -r1 -a $i -n 1 | grep -v -e exception -e values | tee -a /tmp/coils.txt; done
• Enumerating registers
$ for i in {0..1000}; do mbtget -r3 -a $i -n 1 | grep -v -e exception -e values | tee -a /tmp/holding-regs.txt; done
• Polling values over time (assuming the holding register at address 4 is changing; mbtget addresses are zero-based, so this is the fifth register)
$ for i in {0..1000}; do echo -n `date +"%Y-%m-%d %T"`; mbtget -r3 -a 4 -n 1 | grep -v values | tee -a reg-4.txt; sleep 1; done
• Field devices can be fragile under rapid polling, so run loops like these against the ModbusPal simulator or a test device, not a production slave
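The same enumeration and polling as the mbtget loops above, as an added Python example (written for this page, not code from the slides or from mbtget). It walks an address range with single-value reads and keeps every address that answers without an exception, then polls one register over time. The in-memory `fake_slave` and its coil/register tables are constructed here so the block runs offline; `tcp_transport()` is the shape you would hand in for a real slave such as ModbusPal on 127.0.0.1:502. It generalizes slightly beyond the slide: the same loop works for function codes 2 and 4 as well as 1 and 3.

```python
"""Modbus/TCP address enumeration and polling (added example, not from the slides)."""
import socket
import struct
import time

ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS = 0x01, 0x02


def _read_request(tid, unit, fc, address, quantity=1):
    pdu = struct.pack(">BHH", fc, address, quantity)
    return struct.pack(">HHHB", tid & 0xFFFF, 0, 1 + len(pdu), unit) + pdu


def enumerate_addresses(send, fc, unit=1, start=0, stop=1000):
    """Return {address: raw value bytes} for every address the slave reads without exception.

    send(frame) -> frame is the transport; fc is 1/2 (bits) or 3/4 (registers).
    """
    found = {}
    for tid, address in enumerate(range(start, stop + 1), start=1):
        resp = send(_read_request(tid, unit, fc, address))
        if len(resp) < 9 or resp[7] != fc:      # exception (fc | 0x80) or truncated reply
            continue
        found[address] = resp[9:9 + resp[8]]    # byte count, then the packed value(s)
    return found


def poll_register(send, address, samples, interval=1.0, unit=1):
    """Read one holding register repeatedly; returns [(timestamp, value or None), ...]."""
    seen = []
    for i in range(samples):
        resp = send(_read_request(i + 1, unit, 3, address))
        ok = len(resp) >= 11 and resp[7] == 3
        value = struct.unpack(">H", resp[9:11])[0] if ok else None
        seen.append((time.strftime("%Y-%m-%d %H:%M:%S"), value))
        time.sleep(interval)
    return seen


def tcp_transport(host, port=502, timeout=2.0):
    """Transport for a real slave: one connection, one request/response per call."""
    sock = socket.create_connection((host, port), timeout=timeout)

    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("slave closed the connection mid-frame")
            buf += chunk
        return buf

    def send(frame):
        sock.sendall(frame)
        header = recv_exact(6)                   # MBAP up to and including Length
        return header + recv_exact(struct.unpack(">HHH", header)[2])
    return send


# Constructed slave for offline runs: coils at addresses 0-7, holding registers at 100-103.
FAKE_COILS = {0: 1, 1: 0, 2: 1, 3: 1, 4: 0, 5: 0, 6: 1, 7: 0}
FAKE_REGS = {100: 0x1234, 101: 0x0000, 102: 0xBEEF, 103: 0x0042}


def fake_slave(frame):
    tid, _, _, unit, fc, address, quantity = struct.unpack(">HHHBBHH", frame[:12])
    table = {1: FAKE_COILS, 3: FAKE_REGS}.get(fc)
    wanted = range(address, address + quantity)
    if table is None or any(a not in table for a in wanted):
        code = ILLEGAL_FUNCTION if table is None else ILLEGAL_DATA_ADDRESS
        return struct.pack(">HHHBBB", tid, 0, 3, unit, fc | 0x80, code)
    if fc == 1:                                  # coils are bit-packed, LSB first
        bits = sum(table[a] << i for i, a in enumerate(wanted))
        payload = bits.to_bytes((quantity + 7) // 8, "little")
    else:
        payload = b"".join(struct.pack(">H", table[a]) for a in wanted)
    return struct.pack(">HHHBBB", tid, 0, 3 + len(payload), unit, fc, len(payload)) + payload


if __name__ == "__main__":
    print("coils:", sorted(enumerate_addresses(fake_slave, 1, stop=20)))
    print("holding registers:", enumerate_addresses(fake_slave, 3, start=90, stop=110))
    for stamp, value in poll_register(fake_slave, 103, samples=3, interval=0):
        print(stamp, value)
```

Against a real target swap `fake_slave` for `tcp_transport("127.0.0.1")` and keep `interval` at a second or more; the exception-versus-data distinction is the whole signal here, since a Modbus slave reports "Illegal Data Address" (0x02) for unmapped addresses rather than silently returning zeros.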
Theory Behind Random Input Fuzzing
• Instead of enumerating through known or semi-known values, we can also send random data on inputs to find vulnerabilities
• Attempts to make the application/service enter unstable states
  – Freezes the process
  – Stops the process
  – Restarts the process
  – Provides some other unexpected output or unstable state
• There are a couple of ways to do this
  – Mutation based fuzzers (mutate captured or sample valid inputs)
  – Generation based fuzzers (generate inputs from a model of the protocol)
• Fuzzers in SamuraiSTFU are:
  – Peach Fuzzer (a modern, general purpose file/network based fuzzer)
  – Aegis (a fuzzer focusing on ICS network protocols)
Peach Fuzzer
• Author: Michael Eddington and Déjà vu Security
• Site: peachfuzzer.com
• Purpose: an advanced and extensible fuzzing platform to find vulnerabilities in software using automated generative and mutational methods. Open source with commercial support options
• Language: C# .NET/Mono (Versions 1 & 2 were in Python)
• Major Features:
  – Cross platform (Windows, Linux, and Mac)
  – Mutational and generation hybrid fuzzing
  – Rich data and state modeling
  – Pluggable I/O adapters
Request Data Model for Modbus-TCP
<DataModel name="ModbusRequest">
  <!-- Modbus/TCP is big-endian; Peach Numbers default to little-endian, so say so explicitly -->
  <Number name="TransID" size="16" endian="big" valueType="hex" value="00 01" />
  <Number name="ProtoID" size="16" endian="big" valueType="hex" value="00 00" />
  <Number name="Length" size="16" endian="big">
    <Relation type="size" of="SizedStuff" />
  </Number>
  <Block name="SizedStuff">
    <Number name="UnitID" size="8" valueType="hex" value="01" />
    <Number name="FunctionCode" size="8" valueType="hex" value="03" />
    <Number name="Address" size="16" endian="big" valueType="hex" value="0000" />
    <!-- for function 03 this field is the number of registers to read, not a byte count -->
    <Number name="NumBytes" size="16" endian="big" valueType="hex" value="0000" />
  </Block>
</DataModel>
Response Data Model for Modbus
<DataModel name="ModbusResponse" ref="ModbusRequest">
  <Block name="SizedStuff">
    <Number name="UnitID" size="8" valueType="hex" value="01" />
    <Number name="FunctionCode" size="8" valueType="hex" value="03" />
    <Number name="DataSize" size="8">
      <Relation type="size" of="Data" />
    </Number>
    <Blob name="Data" />
  </Block>
</DataModel>
State Model for Modbus-TCP
<StateModel name="TheStateModel" initialState="TheState">
  <State name="TheState">
    <Action type="output">
      <DataModel ref="ModbusRequest" />
    </Action>
    <Action type="input">
      <DataModel ref="ModbusResponse" />
    </Action>
  </State>
</StateModel>
Agent for Modbus-TCP
<Agent name="LocalAgent">
  <Monitor class="Pcap">
    <Param name="Device" value="lo" />
    <Param name="Filter" value="port 502" />
  </Monitor>
  <Monitor class="Ping">
    <Param name="Host" value="127.0.0.1" />
  </Monitor>
</Agent>
Test for Modbus-TCP
<Test name="Default" controlIteration="10">
  <Agent ref="LocalAgent" />
  <StateModel ref="TheStateModel" />
  <!--<Publisher class="TcpClient">-->
  <Publisher class="Tcp">
    <Param name="Host" value="127.0.0.1" />
    <Param name="Port" value="502" />
  </Publisher>
  <Logger class="File">
    <Param name="Path" value="/home/samurai/Tool-Output/PeachFuzzer/logs" />
  </Logger>
</Test>
Fuzzing with Peach Fuzzer
• Make sure ModbusPal is still running from the previous lab, as we will do a simple test fuzz on it
• Open a terminal and change to the Wordlists/PeachPits directory where our Modbus PeachPit is located
• Review the modbus-tcp.xml file to understand its configuration
• Run the following command to test your fuzzer (a single iteration with debug output)
$ sudo peach modbus-tcp.xml -1 --debug
• If you don't have any errors (besides the XSD validation error, which is expected), go ahead and run it for 100 iterations
$ sudo peach modbus-tcp.xml --range 0,100
• Did any of the control iterations fail? They are the iterations whose IDs start with "[C" followed by a number. Did peach make it all the way to iteration "[100"?
  – A control iteration replays the unmodified request, so one failing means the simulator stopped answering correctly; that is the crash signal to watch here, since the Ping monitor on 127.0.0.1 only tells you the host is up, not that the Modbus service is
Aegis Fuzzer
• Author: Adam Crain and Automatak
• Site: www.automatak.com/aegis/index.html
• Purpose: a fully automated test tool that understands the DNP3 protocol. It generates malformed or unexpected DNP3 traffic in a very intelligent way for the purpose of identifying robustness issues in DNP3 implementations. This software can identify defects in both masters and outstations
• Language: C++
• Major Features:
  – exceptionally high code coverage (~2.4x more lines of code than a leading commercial solution)
  – developed by people who have written production DNP3 code
  – provable efficacy via publicly available research
  – found vulnerabilities in systems that had already been tested by both the Wurldtech and Mu appliances
Running Aegis
• Open psimulator from the main menu, which we'll use to simulate a DNP3 Outstation
• Accept psimulator's acknowledgements and then load Example-Outstation.xml from the Sample-Files/Psimulator-DNP3-Loads folder
• Now start fuzzing it with Aegis by running:
aegis-console -mid dnp3 -pid lfuzz -host 127.0.0.1 -port 20000
• At any point you can stop Aegis by doing a CTRL-C
Contact Information
www.utilisec.com
[email protected]
Justin Searle
personal: [email protected]
work: [email protected]
cell: 801-784-2052
twitter: @meeas