
We need to send a message to a remote modbus service listening on port 502 and get as a response the device information, the same way shodan (https://www.shodan.io) does when you search for an IP address running a modbus service. We have read the modbus specifications and tried to build a message, but when we send it to the server over TCP it never responds. For example, the following message should do the trick but does not work for us:

002B0E0104
00: address, not used.
2B: function code for get information
0E: additional function code for get device information
01: read device ID code
04: object ID.

How should we build a correct message and get the device information as a response?

user3289695

3 Answers


There's no requirement that a Modbus device actually supports function code 0x2B.

In my experience it's very uncommon.

Kevin Herron
  • The service I am querying does. I know it because shodan is indeed able to get device information, which is done with function code 43 (2B in hexadecimal). – user3289695 Mar 14 '16 at 16:20
  • I have found that the modbus protocol has 2 modes of building messages: ASCII and RTU. I was using ASCII, but that was wrong because I have found that a modbus service over TCP uses RTU mode.
  • Also, when it is over TCP, modbus messages must have neither an address byte nor an error check byte, and I was building the messages with those bytes in them.
  • The third thing I was doing wrong was that when modbus is over TCP, its messages must include a 7-byte header at the beginning that I was not inserting.

All of this is described on: https://scadahacker.com/library/Documents/ICS_Protocols/Acromag%20-%20Introduction%20to%20Modbus-TCP.pdf

For example, a well formed message (represented in hexadecimal) could be:

000000000005002B0E0106

At least, the server is giving me a readable response. The message must be converted from hexadecimal to binary and then inserted into the data section of a TCP packet, which is sent to the server on port 502 over an IP packet containing the server's IP. The Linux nc command lets you send messages inside TCP packets so you don't have to deal with the OSI layers. My problem was that the messages I was sending to the server were not meeting the modbus/TCP protocol rules.

user3289695
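As an added example, not code from the question, from either answer, or from any tool mentioned on this page: a Python script that builds the Modbus/TCP Read Device Identification request the question and the answer above describe (7-byte MBAP header, then the 2B 0E PDU, no RTU address byte and no CRC), parses the response into the identification objects, and handles the exception response a device returns when it does not implement function 43, which is the case Kevin Herron's answer warns about. It also follows the "more follows" flag to collect all basic objects from a live device. The two sample frames at the bottom are constructed here for offline use, not captured from a real device, and the vendor/product strings in them are made up; the file name `modbus_devid.py` used in the usage note is likewise an assumption.

```python
import socket
import struct

MODBUS_TCP_PORT = 502
FC_ENCAPSULATED_INTERFACE = 0x2B   # function code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14: Read Device Identification
READ_DEVICE_ID_BASIC = 0x01        # basic objects: VendorName, ProductCode, MajorMinorRevision

# Object IDs defined by the Modbus Application Protocol specification for function 43/14
OBJECT_NAMES = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName", 0x06: "UserApplicationName",
}


def mbap_header(pdu, transaction_id=0, unit_id=0):
    """7-byte MBAP header: transaction id, protocol id (0 = Modbus), length
    (unit id + PDU bytes), unit id. Modbus/TCP carries no RTU address and no CRC."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)


def build_read_device_id_request(transaction_id=0, unit_id=0,
                                 read_device_id_code=READ_DEVICE_ID_BASIC, object_id=0x00):
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_device_id_code, object_id])
    return mbap_header(pdu, transaction_id, unit_id) + pdu


def parse_read_device_id_response(frame):
    """Parse one Modbus/TCP frame. An exception response (0x2B | 0x80 = 0xAB) yields
    {"exception": code}; code 0x01 (ILLEGAL FUNCTION) means function 43 is unsupported."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header + function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length %d does not match PDU length %d" % (length, len(pdu)))
    result = {"transaction_id": transaction_id, "unit_id": unit_id, "objects": {}}
    if pdu[0] == (FC_ENCAPSULATED_INTERFACE | 0x80):
        result["exception"] = pdu[1]
        return result
    if pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID or len(pdu) < 7:
        raise ValueError("not a Read Device Identification response")
    # Fixed part after the MEI type: read device id code, conformity level,
    # more follows (0xFF/0x00), next object id, number of objects
    result["conformity_level"] = pdu[3]
    result["more_follows"] = pdu[4] == 0xFF
    result["next_object_id"] = pdu[5]
    offset = 7
    for _ in range(pdu[6]):
        if offset + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[offset], pdu[offset + 1]
        value = pdu[offset + 2:offset + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object 0x%02X truncated" % obj_id)
        name = OBJECT_NAMES.get(obj_id, "Object0x%02X" % obj_id)
        result["objects"][name] = value.decode("ascii", errors="replace")
        offset += 2 + obj_len
    return result


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def read_device_identification(host, port=MODBUS_TCP_PORT, unit_id=0, timeout=3.0):
    """Query a live device over TCP, following 'more follows' until all basic objects are read."""
    objects, object_id, tid = {}, 0x00, 1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            sock.sendall(build_read_device_id_request(tid, unit_id, READ_DEVICE_ID_BASIC, object_id))
            header = _recv_exact(sock, 7)
            length = struct.unpack(">H", header[4:6])[0]      # read the rest of the frame exactly
            result = parse_read_device_id_response(header + _recv_exact(sock, length - 1))
            if "exception" in result:
                return result
            objects.update(result["objects"])
            if not result["more_follows"]:
                return {"objects": objects}
            object_id, tid = result["next_object_id"], tid + 1


# Constructed sample response (not from a real device): three basic objects in one frame.
_SAMPLE_PDU = (bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, READ_DEVICE_ID_BASIC,
                      0x01, 0x00, 0x00, 0x03])
               + bytes([0x00, 4]) + b"ACME" + bytes([0x01, 5]) + b"X-100" + bytes([0x02, 5]) + b"1.2.3")
SAMPLE_RESPONSE = mbap_header(_SAMPLE_PDU, transaction_id=1) + _SAMPLE_PDU
# Constructed exception response: device rejects function 43 with ILLEGAL FUNCTION (0x01).
SAMPLE_EXCEPTION = mbap_header(b"\xAB\x01", transaction_id=1) + b"\xAB\x01"

if __name__ == "__main__":
    import sys
    print(build_read_device_id_request(object_id=0x06).hex())   # the frame from the answer above
    print(read_device_identification(sys.argv[1]) if len(sys.argv) > 1
          else parse_read_device_id_response(SAMPLE_RESPONSE)["objects"])
```

Run as `python3 modbus_devid.py 192.0.2.10` against a device you are authorised to probe, or with no argument to parse the constructed sample. Note that the answer's frame uses object ID 0x06 with read code 0x01; the basic read code only returns objects 0x00 to 0x02, and the specification says a server answers such a request as if object 0x00 had been requested, which is why it still yields a readable reply. Reading the frame length from the MBAP header before reading the rest, as `read_device_identification` does, matters because a device may split a response across several TCP segments.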

You can use search.censys.io and inspect the fields services.modbus.mei_response.*. This query finds all services with a model name:

services.modbus.mei_response.objects.model_name: *

Check out the 7.6k hosts the query finds as well as the Censys MODBUS data definitions.

Aidan H