Modbus (ICS/SCADA)
aka scada, ics, plc
Industrial control protocol on TCP port 502, with no authentication or encryption by design. Any client that can reach it can read and write coils/registers directly, which in OT means reading sensor state and actuating physical equipment.
Ports
| Port | Proto | Notes |
|---|---|---|
| 502 | tcp | Modbus TCP |
Fingerprint
- nmap's modbus-discover script enumerates unit/slave IDs
- Device responds to function code 0x2B (Read Device Identification)
Exploitation primitives
- Enumerate slave/unit IDs and device info (modbus-discover)
- Read coils / discrete inputs / holding registers (current process state)
- Write coils/registers to change physical outputs — DANGEROUS, can damage equipment
Overview
Modbus on 502 is an OT/ICS protocol with zero security — any reachable client can read and write a PLC’s I/O. Treat writes with extreme caution: this controls physical processes.
Enumeration
Discover unit IDs + device info:
nmap -p502 --script modbus-discover <TARGET>
Read process state
Read holding registers from unit 1:
modbus read -s 1 -p 502 <TARGET> %MW0 10
Metasploit (Modbus detection module):
use auxiliary/scanner/scada/modbusdetect
Write (only with explicit authorisation)
Writing coils/registers actuates real equipment. Only do this in a lab or with written OT authorisation; it can cause physical damage or safety incidents.
modbus write -s 1 -p 502 <TARGET> %MW0 1
Hardening
Segment OT from IT, put Modbus behind a data diode/firewall, and use a gateway that enforces read-only/authenticated access.
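As an added defender-side example (not part of this page or of any tool it mentions), the following Python parses Modbus/TCP request frames as seen on port 502, classifies the function codes discussed above (reads, writes, and 0x2B Read Device Identification), and raises an alert for every write that does not come from an allow-listed engineering host, which is the check a read-only gateway or an IDS on the OT segment would apply. The hex frames and IP addresses are constructed sample data.

```python
import struct
# Public function codes from the Modbus Application Protocol specification.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
DEVICE_ID_CODE = 0x2B  # Read Device Identification, what fingerprinting uses

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    address = None  # read/write PDUs carry a 2-byte starting address next
    if fc in READ_CODES or fc in WRITE_CODES:
        address = struct.unpack(">H", frame[8:10])[0]
    if fc in WRITE_CODES:
        label = WRITE_CODES[fc]
    elif fc in READ_CODES:
        label = READ_CODES[fc]
    elif fc == DEVICE_ID_CODE:
        label = "Read Device Identification (0x2B)"
    else:
        label = f"function code {fc}"
    return {"tid": tid, "unit": unit, "fc": fc, "address": address,
            "is_write": fc in WRITE_CODES, "label": label}

def audit_writes(traffic, allowed_writers=frozenset()):
    """One alert per write request whose source is not on the allow list."""
    alerts = []
    for src, frame in traffic:
        req = parse_modbus_tcp(frame)
        if req["is_write"] and src not in allowed_writers:
            alerts.append(f"{src} -> unit {req['unit']}: {req['label']} at address {req['address']}")
    return alerts

# Constructed sample capture (hand-built hex for this example, not a real PLC).
SAMPLE_TRAFFIC = [
    ("10.0.5.20", bytes.fromhex("00010000000601030000000a")),  # read 10 holding regs
    ("10.0.5.20", bytes.fromhex("000200000005012b0e0100")),    # Read Device Identification
    ("10.0.5.99", bytes.fromhex("000300000006010600000001")),  # write register 0 := 1
    ("10.0.5.10", bytes.fromhex("000400000006010500ffff00")),  # write coil 255 ON
]
```

With `allowed_writers={"10.0.5.10"}` only the write from 10.0.5.99 is reported; with an empty allow list both writes are.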