Modbus TCP/IP is a communication protocol used by many SCADA devices to exchange information. It is one of the most widely deployed open industrial protocols, and because it carries no authentication it is possible to enumerate valid slave IDs and obtain device and software information from it remotely.
This recipe shows you how to enumerate Modbus Slave IDs (SIDs) with Nmap.
Open your terminal and enter the following Nmap command:
$ nmap -Pn -sT -p502 --script modbus-discover <target>
By default, the modbus-discover script obtains the device information for the first slave ID only, as shown next. The information displayed depends on the device's response:
PORT    STATE SERVICE
502/tcp open  modbus
| modbus-discover:
|   sid 0x0:
|_    Slave ID data: \xB4\xFFLMB3.0.3
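To make the output above concrete, here is an added example (not code from the recipe or from the Nmap project) that decodes a Modbus/TCP Report Slave ID response, function code 0x11, which is the request modbus-discover relies on, and renders the data field the way the Nmap output prints it. It is the kind of decoder a defender uses to validate what a scanner reported or to inspect Modbus traffic captured on a monitored network. The frame bytes, transaction IDs and unit IDs are constructed for the example; the data layout (server ID byte, run indicator, vendor additional data) follows the Modbus Application Protocol specification, so reading \xB4 as the device's server ID and \xFF as "run indicator ON" is that specification's interpretation, not something the recipe states.

```python
"""Decode Modbus/TCP Report Slave ID (0x11) responses. Added example, not
part of the Nmap project; frame values below are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

MBAP_LEN = 7                # transaction id, protocol id, length, unit id
FC_REPORT_SLAVE_ID = 0x11   # the function modbus-discover asks each SID for

# Modbus exception codes (from the Modbus Application Protocol spec)
EXCEPTIONS = {
    0x01: "Illegal function", 0x02: "Illegal data address",
    0x03: "Illegal data value", 0x04: "Server device failure",
    0x0A: "Gateway path unavailable", 0x0B: "Gateway target failed to respond",
}

# Constructed sample (assumption): a full frame whose data part matches the
# bytes the recipe output prints as "Slave ID data".
SAMPLE_RESPONSE = (
    b"\x00\x01"   # transaction id (echoed from the request)
    b"\x00\x00"   # protocol id, always 0 for Modbus
    b"\x00\x0d"   # length: unit id + PDU = 13 bytes
    b"\x00"       # unit id: the SID that was queried (sid 0x0 in the recipe)
    b"\x11"       # function code 0x11, Report Slave ID
    b"\x0a"       # byte count of the data that follows
    b"\xb4"       # device-specific server id
    b"\xff"       # run indicator status: 0xFF = ON, 0x00 = OFF
    b"LMB3.0.3"   # additional data, vendor defined (here a version string)
)

# Constructed sample (assumption): the device rejects the function with an
# exception response, a common answer for a SID that is not present.
SAMPLE_EXCEPTION = (
    b"\x00\x02" b"\x00\x00" b"\x00\x03"
    b"\x05"       # unit id
    b"\x91"       # 0x11 with the high bit set marks an exception response
    b"\x01"       # exception code: illegal function
)


@dataclass
class ReportSlaveId:
    unit_id: int
    exception: Optional[str] = None    # set when the device answered with an error
    server_id: Optional[int] = None
    running: Optional[bool] = None
    additional: bytes = b""
    raw_data: bytes = b""              # everything after the byte count


def decode_report_slave_id(frame: bytes) -> ReportSlaveId:
    """Parse one Modbus/TCP frame carrying a Report Slave ID response."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:           # length counts unit id + PDU
        raise ValueError(f"length field {length} disagrees with frame size")
    pdu = frame[MBAP_LEN:]
    function = pdu[0]
    if function & 0x80:                    # exception response
        if len(pdu) < 2:
            raise ValueError("exception response without exception code")
        code = pdu[1]
        return ReportSlaveId(unit_id, exception=EXCEPTIONS.get(code, f"code 0x{code:02x}"))
    if function != FC_REPORT_SLAVE_ID:
        raise ValueError(f"unexpected function code 0x{function:02x}")
    if len(pdu) < 4:
        raise ValueError("Report Slave ID response too short")
    byte_count = pdu[1]
    data = pdu[2:2 + byte_count]
    if len(data) != byte_count:
        raise ValueError(f"byte count {byte_count} exceeds frame")
    return ReportSlaveId(unit_id, server_id=data[0], running=data[1] == 0xFF,
                         additional=bytes(data[2:]), raw_data=bytes(data))


def render_slave_id_data(data: bytes) -> str:
    """Printable ASCII as text, everything else as \\xHH (my own rendering,
    chosen to match the look of the recipe's output)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02X}" for b in data)


if __name__ == "__main__":
    for frame in (SAMPLE_RESPONSE, SAMPLE_EXCEPTION):
        r = decode_report_slave_id(frame)
        if r.exception:
            print(f"sid 0x{r.unit_id:x}: exception: {r.exception}")
        else:
            print(f"sid 0x{r.unit_id:x}: Slave ID data: {render_slave_id_data(r.raw_data)}")
```

The length check against the MBAP header is worth keeping in any Modbus parser: devices that answer with a mismatched length field are exactly the ones that produce the odd "Slave ID data" strings seen in scan output, and a decoder that trusts the byte count blindly will read past the frame.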
The modbus-discover script enumerates Modbus devices and their slave ID information. It was written by Alexander Rudakov to improve on the well-known tool Modscan (https://code.google.com/archive/p/modscan...