Initial
TacticalGator committed Dec 3, 2024
0 parents commit 2f0216e
Showing 12 changed files with 1,399 additions and 0 deletions.
16 changes: 16 additions & 0 deletions .gitignore
@@ -0,0 +1,16 @@
# Byte-compiled files
__pycache__/
*.py[cod]

# Virtual environment
venv/
myVenv/

# Build artifacts
build/
dist/
*.egg-info/

# OS files
.DS_Store
Thumbs.db
674 changes: 674 additions & 0 deletions LICENSE

223 changes: 223 additions & 0 deletions README.md
@@ -0,0 +1,223 @@
# modbuster
![signal-2024-12-02-225241](https://github.com/user-attachments/assets/b8f6a24e-df4a-4a08-9b50-02aac4e9cc4e)
$~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~$ Art by **mel_arts.graphicdesign** <br>

<br>

> Busting ICS/SCADA over modbus
<br>
Modbuster is a pure Python 3 command-line tool, powered by pymodbus, specifically designed for penetration testers, red teamers, and security researchers. It enables precise Modbus TCP interactions, including single and multi-read operations for Coils, Discrete Input Ranges, Input Registers, and Holding Registers, as well as single and multi-write capabilities for Coils and Holding Registers. Beyond these operations, it facilitates enumeration of supported Modbus function codes, aiding in vulnerability assessments and device exploration. With its straightforward interface and advanced features, Modbuster is an essential tool for anyone investigating or auditing Modbus environments.
<br>
<br>
<br>

# INSTALLATION
1. Clone the repository
```sh
git clone https://github.com/TacticalGator/modbuster
```

2. Use pipx to install
```sh
cd modbuster && pipx install .
```
<br>
<br>

## Using pip
1. Clone the repository
```sh
git clone https://github.com/TacticalGator/modbuster
```

2. Set up a virtual environment (Recommended & Optional)
```sh
python3 -m venv myVenv && source ./myVenv/bin/activate
```

3. Install with pip
```sh
cd modbuster && pip3 install .
```
<br>
<br>
<br>

# USAGE
```sh
modbuster <OPTIONAL_FLAGS> {read,write,getfunctions} <HOST> <ADDRESS> <VALUES>
```
<br>


```sh
# modbuster --help
usage: modbuster [-h] [-s SLAVE] [-p PORT] [-v] {read,write,getfunctions}

Busting ICS/SCADA over modbus

Examples:
modbuster read -s 1 127.0.0.1 400001 10
modbuster write 127.0.0.1 300231 11 22 33 44 55
modbuster getfunctions 127.0.0.1

positional arguments:
{read,write,getfunctions}
Command to execute: 'read', 'write', or 'getfunctions'

options:
-h, --help show this help message and exit
-s SLAVE, --slave SLAVE
Slave ID (default: 0)
-p PORT, --port PORT Port to connect to (default: 502)
-v, --verbose Enable verbose output
```
<br>
<br>

## ADDRESS RANGE
```
000001 - 065535: Coil Range
100001 - 165535: Discrete Input Range
300001 - 365535: Input Register Range
400001 - 465535: Holding Register Range
```
<br>

## EXAMPLES
➡️ 3 Verbs are currently supported
<br>
<br>
**IMPORTANT**:<br>
Both read and write operations use **0-based** addressing internally,<br>
However addresses are often represented as **1-based**
<br>
<br>
<br>
## read 📖
➡️ single/multi read across **all 4 address ranges**
<br>
<br>
![image](https://github.com/user-attachments/assets/ca776a29-fb1c-415e-85f6-91a41298b647)\
Reading 3 values of **Input Register**, starting from the address `300001`
<br>
<br>
<br>
![image](https://github.com/user-attachments/assets/e07f64a9-f0d4-4c31-8428-c3b11cf4fb12)\
Reading a single value of **Discrete Input**, at the address `101992`
<br>
<br>
<br>
![image](https://github.com/user-attachments/assets/9054237d-ba8e-45f2-bcf2-e23ff1979cbd)\
Reading 16 values of **Coil**, starting from the address `1`
<br>
<br>
<br>
![image](https://github.com/user-attachments/assets/e3d63694-dccc-4952-bf6d-83d3a871eaaf)\
Reading 10 values of **Holding Register**, starting from the address `400001`
<br>
<br>
<br>
## write ✍🏻
➡️ single/multi write to **coil** and **holding register**
<br>
<br>
![image](https://github.com/user-attachments/assets/e41ee352-7862-4684-8f1f-b531571189e8)\
![{03FAD36C-2A34-4080-9ACD-6FD4CADDF3D3}](https://github.com/user-attachments/assets/2c12264b-8ff6-4d0d-bf28-6ef6fe6fdb1e)\
Writing 10 of `1` to **coil**, starting from the address `1`
<br>
<br>
<br>
![{F6FDB7DB-5D54-49DD-B0F5-E0BA01F67C2E}](https://github.com/user-attachments/assets/be1421d1-1622-469f-8457-56bb8c0bfcbb)\
![{FD76339B-820B-4676-BB19-6EE1C9AC7005}](https://github.com/user-attachments/assets/7caf651c-0691-4e55-942f-13f275ed9642)\
Writing a total of 5 values(`11`, `22`, `33`, `44`, `55`) to **Holding Register**, starting from thee address `400010`
<br>
<br>
<br>
## getfunctions ƒ
➡️ enumerate supported modbus function of a given target
<br>
<br>
![image](https://github.com/user-attachments/assets/e3828fba-4ccb-430f-a1d6-6c5c55fb3442)\
Enumerating supported modbus functions using `getfunctions` verb
<br>
<br>
<br>
## ADVANCED USAGE
![{45924414-A748-41FE-B0A8-953805E328C8}](https://github.com/user-attachments/assets/9babe1c6-99df-4f95-8ca8-9bbe97770a1d)\
It can be combined with other command line tools such as `watch` or `proxychains4`
<br>
<br>
<br>
![{0D477EBD-95A4-4076-B4F7-74EF48DB87D7}](https://github.com/user-attachments/assets/d2c70957-ee09-49fa-9f79-44e2d200e7bd)\
Same goes for the write operation. Above example conduct a continuous write operation
<br>
<br>
<br>
# DISCLAIMER
This tool is provided strictly for educational and research purposes. Its primary objective is to assist security professionals, system administrators, and researchers in identifying and addressing potential vulnerabilities in Modbus-based systems.

The author(s) and contributors of this tool explicitly do not endorse, condone, or assume responsibility for the misuse of this tool for illegal, unethical, or unauthorized activities. By using this tool, you acknowledge, understand, and agree to the following terms:

1. Authorized Use Only
- This tool is to be used only with explicit authorization from the owner or administrator of the target systems or networks.
- Unauthorized access, testing, or any form of use against systems for which you lack proper permissions may constitute a violation of applicable laws and regulations, including but not limited to:
- Computer Misuse Acts
- Hacking or Unauthorized Access Laws
- Industrial Control Systems (ICS) Security Standards
- Privacy and Data Protection Regulations
- You are solely responsible for obtaining the necessary permissions before engaging in any activities involving this tool.

2. Educational and Research Intent
- This tool is intended to:
- Foster understanding of the Modbus protocol and its implementation in industrial systems.
- Aid in identifying and mitigating vulnerabilities within authorized systems.
- Support security education, ethical hacking practices, and secure design in industrial environments.
- It is not designed or intended for:
- Malicious activities such as exploiting vulnerabilities, disrupting operations, or unauthorized surveillance.
- Engaging in activities that violate ethical standards or professional guidelines.

3. No Warranties or Guarantees
- This tool is provided "AS IS" without any express or implied warranties or guarantees. This includes but is not limited to:
- Guarantees of accuracy, reliability, or performance in any environment.
- Compatibility with all Modbus implementations or network setups.
- Protection from unintended consequences, including potential system disruption or data loss.
- Users assume all risks associated with deploying, running, or testing this tool.

4. Limitation of Liability
- The author(s) and contributors disclaim all liability for any damages or losses, whether direct, indirect, incidental, or consequential, arising from the use or misuse of this tool. Examples include but are not limited to:
- Disruption of operational systems or processes.
- Loss of data or financial impacts resulting from testing activities.
- Legal actions taken against users for unauthorized or unethical use.
- Users bear full responsibility for understanding and mitigating any risks involved in using this tool.

5. Ethical and Legal Compliance
- Users of this tool agree to act responsibly, ethically, and in accordance with all applicable laws, regulations, and standards in their jurisdiction.
- Ethical guidelines include, but are not limited to:
- Respecting the rights and privacy of system owners, operators, and users.
- Reporting identified vulnerabilities responsibly, adhering to Coordinated Vulnerability Disclosure (CVD) practices or equivalent frameworks.
- Avoiding activities that cause unnecessary harm, damage, or disruption to any system.

6. Contribution and Redistribution
- Contributions to the development of this tool are welcomed and encouraged. However, contributors must adhere to the same principles outlined in this disclaimer.
- Redistribution, modification, or sharing of this tool (including forks or derivatives) must retain this disclaimer to ensure that future users understand its intended purpose and limitations.

7. Reporting and Disclosure
- If this tool reveals vulnerabilities in a Modbus-based system, the user is strongly encouraged to report these findings to the system owner, vendor, or a relevant security team in a responsible manner.
- Follow industry standards for disclosure, such as:
- Coordinated Vulnerability Disclosure (CVD) protocols.
- Adhering to applicable government or industry frameworks for ICS security.

8. Acknowledgment of Risks
- Users acknowledge that:
- Testing Modbus systems, even with authorization, can carry inherent risks, including potential operational disruptions.
- This tool does not include safeguards to prevent accidental harm to systems during its use. It is the user's responsibility to deploy the tool in a controlled, authorized, and secure manner.
- The improper use of this tool may result in personal, legal, or financial consequences for which the author(s) bear no responsibility.

9. Acceptance of Terms
- By downloading, cloning, or using this tool, you:
- Affirm that you have read, understood, and agreed to this disclaimer.
- Accept all risks and responsibilities associated with its use.
- Agree to use the tool only for lawful, ethical, and authorized purposes.
- If you do not agree to these terms, you are prohibited from using this tool in any capacity.
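Review bot: the `write` example in the USAGE help text, `modbuster write 127.0.0.1 300231 11 22 33 44 55`, targets the Input Register range (`300001 - 365535`), which the ADDRESS RANGE table and the `write` section ("single/multi write to **coil** and **holding register**") both treat as read-only; change the example to a holding-register address such as `400010`, which the write screenshot caption already uses, so the help text does not advertise an operation the tool does not support. Two smaller points: the USAGE synopsis `<HOST> <ADDRESS> <VALUES>` is a count for `read`, so `<COUNT|VALUES>` would be clearer; and the IMPORTANT note says addressing is 0-based internally but 1-based in representation without stating which form the user passes on the command line (the captions `300001`, `400001` and `1` suggest the 1-based form), so one sentence such as "pass 1-based addresses; the tool subtracts 1 before sending" would remove the ambiguity. Typos: "thee address" in the holding-register write caption and "Above example conduct a continuous write operation" (should be "conducts").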
Empty file added modbuster/__init__.py
Empty file.
75 changes: 75 additions & 0 deletions modbuster/modbuster.py
@@ -0,0 +1,75 @@
#!/usr/bin/env python3
import sys
import argparse
from modbuster.verbs import read, write, getfunctions

ASCII_ART = r"""
█ █
███
█ ██ ██
█ █
█ █ ███
█ █
█ █ █████
█ █ ████████ █
█ █ █ █ █
███████████ ████ █ █ ████████ ██████ ███ ███ ██████ ████████ ███████ ███████ █ █
███ ██ ███ ██ █ █ █ ███ ███ ███ ███ ███ ███ ███ ███ █ █ █
███ ███ ██ █ █ █ ███ ███ ███ ███ ████ ███ ██████ ████ █ █
███ █████████ ███ ███████ ███ ███ ███ ███ ████ ███ ███ ███ █
███ ███ ██ █ █ ███ ███ ███ ███ ████ ███ ███ ████ █ ██
███ ███ ██ █ █ █ ███ ████ ███ ███ ███ ███ ███ ████ █
███ ███ ███ █ ██ ███████ ███████ ███████ ██████ ███ ███████ ████ █
█ █
██ █████████████ █ █
█████████████ █
Art by mel_arts.graphicdesign
"""

def main():
parser = argparse.ArgumentParser(
description=ASCII_ART + "\n Busting ICS/SCADA over modbus\n\nExamples:\n"
" modbuster read -s 1 127.0.0.1 400001 10\n"
" modbuster write 127.0.0.1 300231 11 22 33 44 55\n"
" modbuster getfunctions 127.0.0.1",
formatter_class=argparse.RawTextHelpFormatter
)

parser.add_argument('command', choices=['read', 'write', 'getfunctions'], help="Command to execute: 'read', 'write', or 'getfunctions'")
parser.add_argument('-s', '--slave', type=int, default=0, help="Slave ID (default: 0)")
parser.add_argument('-p', '--port', type=int, default=502, help="Port to connect to (default: 502)")
parser.add_argument('-v', '--verbose', action='store_true', help="Enable verbose output")

args, remaining_args = parser.parse_known_args()

if args.command == 'getfunctions':
getfunctions_parser = argparse.ArgumentParser(description="Get supported Modbus function codes")
getfunctions_parser.add_argument('host', help="Modbus server host (IP address or hostname)")
getfunctions_args = getfunctions_parser.parse_args(remaining_args)
args.host = getfunctions_args.host
getfunctions.execute(args)
else:
parser.add_argument('host', help="Modbus server host (IP address or hostname)")
parser.add_argument('address', type=int, help="Modbus address to read/write from")
parser.add_argument('count_or_values', nargs='+', help="Number of registers/coils to read or values to write")
args = parser.parse_args()

if args.command == 'read':
if len(args.count_or_values) != 1:
print("Error: Read command requires a single count value.")
sys.exit(1)
args.count = int(args.count_or_values[0])
read.execute(args)

elif args.command == 'write':
args.values = [int(value) for value in args.count_or_values]
write.execute(args)

if __name__ == "__main__":
main()
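Review bot: `args.count = int(args.count_or_values[0])` and the `[int(value) for value in args.count_or_values]` comprehension raise an uncaught `ValueError` with a traceback on non-numeric input (for example `modbuster read 127.0.0.1 400001 ten`), and neither branch checks ranges before the request goes out: a `count` of 0 or a negative number, more than 2000 coils/discrete inputs or 125 registers in one request (the per-request limits for FC01/02 and FC03/04 in the Modbus Application Protocol specification), and write values outside 0..65535 for holding registers or 0/1 for coils all reach `read.execute` / `write.execute` unchecked. Suggest wrapping the conversions in `try/except ValueError` and reporting via `parser.error(...)`, and validating `count` and `values` against the range implied by `args.address` before calling the verb, which also matches the README disclaimer's own statement that the tool has no safeguards against accidental disruption. Also, `-v/--verbose` is parsed here but nothing in this file consumes it, so a short comment saying what it changes in the verbs would save the reader a trip into `modbuster/verbs`.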
Empty file added modbuster/verbs/__init__.py
Empty file.