This protocol is build upon model a request and replay model! It uses function codes in combination with data section to request/send data!
Modbus function codes and their description:
| Function | Description |
|---|---|
| FC=01 | Read Coil Status |
| FC=02 | Read Input Status |
| FC=03 | Read multiple holding registers |
| FC=04 | Read Input Registers |
| FC=05 | Write Single Coil |
| FC=06 | Write Single Holding Register |
| FC=07 | Read Exception Status |
| FC=08 | Diagnostics |
| FC=11 | Get Comm Event Counter (RTU) |
| FC=12 | Get Comm Event Log (RTU) |
| FC=14 | Read Device Identification |
| FC=15 | Write multiple coils |
| FC=17 | Write multiple holding registers |
| FC=20 | Read file record |
| FC=21 | Write file record |
| FC=22 | Mask Write Register |
| FC=23 | Read/Write Multiple Registers |
| FC=24 | Read FIFO Queue |
| FC=43 | Read Device Identification |
| FC=90 | Implement new function |
Function codes are used to build modbus packet which is going to be send over TCP/IP. The modbus packet have the following format:
Shodan dork: port:502
Output example:
/../cmake-build-debug/Modbus_RAW
-------------
Request RAW: 00 01 00 00 00 06 01 01 00 01 00 0F
Transaction ID: 00 01
Protocol ID : 00 00
Length : 00 06
Unit ID : 01
Function code : 01
Start address : 00 01
Data count : 00 0F
-------------
Response RAW: 00 01 00 00 00 05 01 01 02 FF 7F
Transaction ID: 00 01
Protocol ID : 00 00
Length : 00 05
Unit ID : 01
Function code : 01
Data count : 02 bytes
Process finished with exit code 0
Security perspective of modbus: https://github.com/caffedrine/Tools/tree/master/Pentest/Industrial/Modbus