Modbus Traffic Analysis | SANS ICS Concepts

Показать описание

This SANS ICS concept overview covers capturing network traffic to a SE M221 program logic controller and analyzing it using Wireshark and Tshark. This analysis provides insight to the Modbus protocol and how the tools can be used to identify specific types of interactions between the PLC and other systems on the network.

References:

SANS ICS Training:

Рекомендации по теме

Комментарии

Wow! Outstanding in deep video on Modbus packets analysis and Wireshark. Thank you so much. :-)

alexchiosso

I am a student looking for home lab projects. Do you think one could write (say) a Python script to automate the application of the TShark commands and output to CSV files? Is that a thing that people in forensics would do?

shaunnasworkshop

No need to change the capture settings in wireshark to display Modbus tcp protocol?

andrevangijsel

Hey Don, wanted to ask you about your lab. At the beginning you described showing switch, cables and software in the 2 different laptops but could you please extend on that, for instance in the engineer laptop you mentioned 2 pieces of software, one HMI I guess and the other specific of the PLC I guess which could understand it because for sure is to manage remotely the PLC but that HMI piece and the graphic of “pumps” you can turn on and on, is that software an emulator, which software it is, how you deploy it, are the pumps real or virtual ... if yes, why the 2 red cables, what is in the other side of those cables because you showed only the netgear switch side, also that switch has the capability of configuring one port as span? Appreciated for all the details you could add in your lab deployment and mention specific software you used ... looking to emulate it. Thanks and great videos sir!

Xrsc

Hi Don, thanks for putting these video's together. I really enjoy them and they are giving me lots of ideas of at home projects I do to build my skill. I have 2 questions for you when you have a chance. 1) Can you recommend an resource that it is a little more entry level to Modbus? I have some familiarity, but when you were discussing the flags in the video I realized I could definitely use more background on the standard. 2) I was curious if you were going to do similar videos with DNP3 or IEEE 2030.5 (SEP2)? I don't know what the appetite from real OT professionals is for those two standards but I was just curious and wanted to throw the idea out these. Thanks again and I look forward to more videos in the future.

jasonallnutt

Modbus Traffic Analysis | SANS ICS Concepts

Modbus Traffic Analysis | SANS ICS Concepts

Modbus Traffic Capture | SCADA Security Tutorial | PenTest Magazine

Modbus Man-In-The-Middle | SANS ICS Concepts

Modbus Enumeration | SANS ICS Concepts

0x2 Modbus Security - Modbus Detection

Modbus analyzer

A Modbus Traffic Generator for Evaluating the SCADA systems

0x5 Modbus Security - Modbus and IOT MiTM

0x1 Modbus Security - Modbus Fundamentals

Do We Have Logs for That? When Network Traffic Analysis Falls Short

ModbusTCP troubleshooting by Wireshark

Introduction to Network Analysis Workshop - SANS Cyber Camp

Demonstration of OT Network & Modbus Attack

MODBUS Plugins: readtcp and writetcp | EXPLIoT: IoT Security Testing and Exploitation Framework

SMOD Tool MODBUS Penetration Testing Framework | TOD-111 | Briskinfosec

ICS Network Traffic Capture Options: 5-Tuple & Full Packet | SANS ICS Security Brief

DISC-SANS ICS Virtual Conference: Assessing and Exploiting Control Systems Analyzing

Network Traffic Analysis with Malcolm (Seth Grover - CISA)

Network Traffic Analysis (Online gaming)

DEF CON 29 ICS Village - Seth Grove - Network Traffic Analysis with Malcolm

4-port RS485 + 4-port 10/100Base-T(X) Modbus Gateway-MW2044G

All Your Network Traffic Are Belong to Us — VPNFilter Malware and Implications for ICS

Configuring Live Data From a Modbus TCP Slave

ICS Network Traffic Visibility: North/South vs East/West | SANS ICS Security Brief