Tulsa Modbus Scanner
From SCADApedia
The University of Tulsa Center for Information Security developed a Modbus TCP active scanner as part of the 2005/2006 I3P program. They refer to this as the active scanner because they also have a Modbus TCP and DNP3 passive scanner and other tools as part of their Security Services Suite (SecSS).
Active Scanner
The active scanner sends a Modbus request for each function code from 0 to 127 in an effort to determine which functions are implemented in the Modbus server. Since many vendors implement proprietary function codes, this information can help fingerprint the controller.
The active scanner then attempts to read the coils, discrete inputs, holding registers and input registers to determine which points are used in the controller. For efficiency, the scanner uses a search algorithm to determine the final configured address in each category rather than reading all possible addresses.
Finally, the scanner runs a series of Function Code 8 diagnostic commands to gather information about the controller.
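As an added illustration (not the Tulsa tool's own code), the following Python models the first two steps above offline: how a Modbus TCP request and an exception reply look on the wire, how exception code 0x01 (illegal function) versus 0x02 (illegal data address) tells an unimplemented function code apart from an out-of-range address, and a binary search for the last configured holding register. The device is a constructed in-memory stand-in, so nothing is sent on a network; the search assumes the configured addresses form one contiguous block starting at 0.

```python
import struct

EXC_ILLEGAL_FUNCTION, EXC_ILLEGAL_ADDRESS = 0x01, 0x02
PROBE_DATA = struct.pack(">HH", 0, 1)  # "address 0, quantity 1" payload used for every probe

def build_request(tid, unit, fc, data=b""):
    """Modbus TCP ADU: MBAP header (tid, protocol 0, length, unit id) followed by the PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def classify_response(adu):
    """An exception reply sets bit 7 of the echoed function code; byte 8 carries the exception code."""
    if adu[7] & 0x80 == 0:
        return "supported"
    return {EXC_ILLEGAL_FUNCTION: "illegal_function", EXC_ILLEGAL_ADDRESS: "illegal_address"}.get(adu[8], "other_exception")

class SimulatedDevice:
    """Constructed in-memory stand-in for a Modbus server: a set of function codes, n_regs holding registers at 0..n_regs-1."""
    def __init__(self, supported_fcs, n_regs):
        self.supported_fcs, self.n_regs = set(supported_fcs), n_regs

    def respond(self, adu):
        tid, _, _, unit, fc = struct.unpack(">HHHBB", adu[:8])
        exc = lambda code: struct.pack(">HHHBBB", tid, 0, 3, unit, fc | 0x80, code)
        if fc not in self.supported_fcs:
            return exc(EXC_ILLEGAL_FUNCTION)
        if fc == 3:  # Read Holding Registers: check the requested range, then return zeroed values
            addr, qty = struct.unpack(">HH", adu[8:12])
            if addr + qty > self.n_regs:
                return exc(EXC_ILLEGAL_ADDRESS)
            body = bytes([2 * qty]) + b"\x00\x00" * qty
            return struct.pack(">HHHBB", tid, 0, len(body) + 2, unit, fc) + body
        return struct.pack(">HHHBB", tid, 0, 2, unit, fc)  # minimal positive reply for other codes

def supported_function_codes(dev, unit=1):
    """Step one: probe codes 0..127 and keep every code not rejected as 'illegal function'."""
    return [fc for fc in range(128)
            if classify_response(dev.respond(build_request(fc, unit, fc, PROBE_DATA))) != "illegal_function"]

def last_holding_register(dev, unit=1):
    """Step two for one category: binary search for the highest readable holding-register address."""
    lo, hi, last = 0, 65535, None
    while lo <= hi:
        mid = (lo + hi) // 2
        reply = dev.respond(build_request(mid, unit, 3, struct.pack(">HH", mid, 1)))
        if classify_response(reply) == "supported":
            last, lo = mid, mid + 1
        else:  # illegal address (past the end) or illegal function (code 3 unsupported)
            hi = mid - 1
    return last
```

On a real link the page's false-negative caveat applies: a probe that times out looks exactly like an unsupported code or address to this logic, so replies need a timeout longer than the link's round trip.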
The active scanner is a command line tool with minimal help files. However, there is little to configure beyond the IP address of the scan target, so it is relatively simple to run.
The active scanner can produce a number of false negatives, that is, it can fail to identify function codes or values in coils or registers. This is more likely in systems with a slower response time, such as a distant SCADA link. False negatives can also occur due to packet fragmentation.
Passive Scanner
The passive scanner performs a function similar to the Modbus TCP IDS Signatures and DNP3 IDS Signatures found in most commercial IDS products and available for the Snort open source IDS. The passive scanner will identify rogue clients and servers, protocol violations, and requests that have a high probability of being associated with an attack.
Status and Availability
Work continues on the active and passive scanners as part of the SecSS. Phase II of the I3P program may provide additional funds for this development.
The Modbus active and passive scanners are not generally available for download or purchase. The University is pursuing technology transfer opportunities.
