
Update to modbusclient.rb to use modbus read functions 2 and 4 #12295

Merged
merged 2 commits into from Sep 19, 2019

Conversation

@AstroZombieSG

commented Sep 8, 2019

The existing modbus client only reads coils and holding registers (function codes 1 and 3).
Per the modbus standard, there are two additional registers you can read:
01 (0x01) Read Coils
02 (0x02) Read Discrete Inputs
03 (0x03) Read Holding Registers
04 (0x04) Read Input Registers

Copied existing code for reading coils/registers and added function codes 2 and 4.

Verification
Running OPENPLCPROJECT on a raspberry pi, setup test values for each function call

Start msfconsole
use auxiliary/scanner/scada/modbusclient
show actions
READ_COILS Read bits from several coils
READ_DISCRETE_INPUTS Read bits from several DISCRETE INPUTS
READ_HOLDING_REGISTERS Read words from several HOLDING registers
READ_INPUT_REGISTERS Read words from several INPUT registers
set RHOSTS <IP address of your Modbus PLC>
set DATA_ADDRESS 0 
set ACTION 
run

msf5 auxiliary(scanner/scada/modbusclient) > run
[*] Running module against 192.168.1.124

[*] 192.168.1.124:502 - Sending READ HOLDING REGISTERS...
[+] 192.168.1.124:502 - 1 register values from address 0 :
[+] 192.168.1.124:502 - [2222]
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/scada/modbusclient) > set ACTION READ_DISCRETE_INPUTS
ACTION => READ_DISCRETE_INPUTS
msf5 auxiliary(scanner/scada/modbusclient) > run
[*] Running module against 192.168.1.124

[*] 192.168.1.124:502 - Sending READ DISCRETE INPUTS...
[+] 192.168.1.124:502 - 1 DISCRETE INPUT values from address 0 :
[+] 192.168.1.124:502 - [1]
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/scada/modbusclient) > set ACTION READ_COILS
ACTION => READ_COILS
msf5 auxiliary(scanner/scada/modbusclient) > run
[*] Running module against 192.168.1.124

[*] 192.168.1.124:502 - Sending READ COILS...
[+] 192.168.1.124:502 - 1 coil values from address 0 :
[+] 192.168.1.124:502 - [1]
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/scada/modbusclient) > set ACTION READ_INPUT_REGISTERS
ACTION => READ_INPUT_REGISTERS
msf5 auxiliary(scanner/scada/modbusclient) > run
[*] Running module against 192.168.1.124

[*] 192.168.1.124:502 - Sending READ INPUT REGISTERS...
[+] 192.168.1.124:502 - 1 register values from address 0 :
[+] 192.168.1.124:502 - [1111]
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/scada/modbusclient) >
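The four read functions listed in the description share one request shape and two response shapes (bit-packed for function codes 1 and 2, 16-bit words for 3 and 4). The following Ruby is an added example written for this page, not code from the Metasploit module or the PR; it builds a Modbus/TCP request ADU for any of the four functions and decodes the response, including the exception form (function code with the high bit set). The sample response frames are constructed to mirror the values in the test run above (holding register 2222, coil 1); all names are the example's own.

```ruby
# Added example (not the Metasploit module's own code): encode Modbus/TCP
# read requests for function codes 1-4 and decode the matching responses.
# Frame layout follows Modbus/TCP: a 7-byte MBAP header (transaction id,
# protocol id 0, length, unit id) followed by the PDU.

MODBUS_READ_FUNCTIONS = {
  read_coils:             0x01,  # bit-packed response
  read_discrete_inputs:   0x02,  # bit-packed response
  read_holding_registers: 0x03,  # 16-bit word response
  read_input_registers:   0x04,  # 16-bit word response
}.freeze

# Build the request ADU for one read function. Returns a binary String.
def build_read_request(function, address, quantity, transaction_id: 1, unit_id: 1)
  code = MODBUS_READ_FUNCTIONS.fetch(function)
  pdu = [code, address, quantity].pack('Cnn')
  # The MBAP length field counts the unit id byte plus the PDU.
  mbap = [transaction_id, 0, pdu.bytesize + 1, unit_id].pack('nnnC')
  mbap + pdu
end

# Decode a response ADU. `quantity` is the number of items requested; it is
# needed to drop the padding bits in a coil/discrete-input response.
# Returns a Hash with :values, or with :exception_code for a Modbus exception.
def parse_read_response(adu, function, quantity)
  raise ArgumentError, 'ADU too short' if adu.bytesize < 9
  transaction_id, protocol_id, length, unit_id = adu.unpack('nnnC')
  raise ArgumentError, "unexpected protocol id #{protocol_id}" unless protocol_id.zero?
  raise ArgumentError, 'MBAP length does not match frame' unless length == adu.bytesize - 6

  expected = MODBUS_READ_FUNCTIONS.fetch(function)
  code = adu.getbyte(7)
  # Exception responses echo the function code with the high bit set,
  # followed by a one-byte exception code (e.g. 0x02 = illegal data address).
  if code == (expected | 0x80)
    return { transaction_id: transaction_id, unit_id: unit_id, exception_code: adu.getbyte(8) }
  end
  raise ArgumentError, format('function code mismatch: 0x%02x', code) unless code == expected

  byte_count = adu.getbyte(8)
  data = adu.byteslice(9, byte_count)
  raise ArgumentError, 'data shorter than byte count' unless data && data.bytesize == byte_count

  values =
    if code <= 0x02
      # Bits are packed LSB-first within each byte; trim the padding bits.
      data.bytes.flat_map { |b| (0..7).map { |i| (b >> i) & 1 } }.first(quantity)
    else
      data.unpack('n*')
    end
  { transaction_id: transaction_id, unit_id: unit_id, values: values }
end

# Constructed sample responses mirroring the PR's test run: one holding
# register containing 2222 (0x08AE), one coil set to 1, and an exception
# reply to a READ INPUT REGISTERS request (illegal data address).
SAMPLE_HOLDING_RESPONSE = "\x00\x01\x00\x00\x00\x05\x01\x03\x02\x08\xAE".b
SAMPLE_COIL_RESPONSE    = "\x00\x01\x00\x00\x00\x04\x01\x01\x01\x01".b
SAMPLE_EXCEPTION        = "\x00\x01\x00\x00\x00\x03\x01\x84\x02".b

if __FILE__ == $PROGRAM_NAME
  req = build_read_request(:read_input_registers, 0, 1)
  puts "request: #{req.unpack1('H*')}"
  p parse_read_response(SAMPLE_HOLDING_RESPONSE, :read_holding_registers, 1)
  p parse_read_response(SAMPLE_COIL_RESPONSE, :read_coils, 1)
  p parse_read_response(SAMPLE_EXCEPTION, :read_input_registers, 1)
end
```

The length and function-code checks matter when the same decoder is pointed at captured traffic rather than a live socket: a frame whose MBAP length disagrees with its size, or whose byte count exceeds the data present, is rejected instead of being read past its end.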
AZSG added 2 commits Sep 7, 2019
@busterb

Member

commented Sep 19, 2019

Sure, this looks reasonable. Thanks @AstroZombieSG

@busterb

Member

commented Sep 19, 2019

BTW, nice hint on the OpenPLC project. https://www.openplcproject.com/

bcook-r7 pushed a commit that referenced this pull request Sep 19, 2019
@bcook-r7 bcook-r7 merged commit a990191 into rapid7:master Sep 19, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Sep 19, 2019
@busterb

Member

commented Sep 19, 2019

Release Notes

This extends the modbus client module to be able to read functions 2 and 4 on a PLC device.
