ICS/Modbus - Claus for Concern
Day 19
Learn to identify and exploit weaknesses in ICS systems.
Practical
Overview
Room URL: https://tryhackme.com/room/ICS-modbus-aoc2025-g3m6n9b1v4
Difficulty: Medium
Category: ICS/Modbus | Scada
Date Completed: 12/20/2025
Objectives
- How SCADA (Supervisory Control and Data Acquisition) systems monitor industrial processes
- What PLCs (Programmable Logic Controllers) do in automation
- How the Modbus protocol enables communication between industrial devices
- How to identify compromised system configurations in industrial systems
- Techniques for safely remediating compromised control systems
- Understanding protection mechanisms and trap logic in ICS environments
Table of Contents
Introduction
Walk Through
Lessons Learned
Resources
Introduction
This challenge, part of TryHackMe's Advent of Cyber 2025 event (see the room URL above), presents an industrial control system (ICS) compromise scenario in which attackers use ordinary Modbus commands to sabotage Christmas deliveries: no software exploit is needed, because the protocol accepts writes from anyone who can reach it. The challenge falls squarely in the Industrial Control Systems (ICS) / SCADA Security category and mirrors a real-world pattern: the FrostyGoop malware identified in 2024 also drove its sabotage through plain Modbus TCP read and write requests sent to reachable controllers.
Understanding the Modbus Protocol
Modbus, developed in 1979 for Modicon PLCs, remains one of the most widely deployed industrial protocols despite having no built-in security:
- No authentication: anyone who can reach TCP port 502 can issue any function code, including writes
- No encryption: every request and response crosses the wire in plaintext, so a passive tap reveals addresses, values and polling patterns
- No authorization: there is no concept of roles or permissions; read access and write access are the same access
- No integrity protection: the CRC on Modbus RTU and the TCP checksum catch transmission errors, not deliberate tampering, and nothing binds a frame to its sender
The Modbus/TCP Security variant wraps the protocol in TLS on port 802, but it is rarely deployed, so in practice the four points above describe what you will meet on a plant network.
The protocol organizes device data into four tables, each addressed by a 16-bit offset:
- Coils: single-bit outputs, read/write (read with FC 01, written with FC 05/15)
- Discrete Inputs: single-bit inputs, read-only (FC 02)
- Holding Registers: 16-bit words the device acts on, such as setpoints and configuration, read/write (read with FC 03, written with FC 06/16)
- Input Registers: 16-bit measurements, read-only (FC 04)
From an attacker's point of view the two writable tables are the interesting ones: flipping a coil changes a physical output, and writing a holding register changes a setpoint.
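The framing described above, as an added example that is not part of the original room or this writeup: it builds Modbus/TCP requests for the read and write function codes, parses the replies (including exception replies), and answers them with a small in-memory PLC so the exchange can be run offline. The `FakePlc`, `snapshot` and `demo` names and the sample coil and register values are assumptions made for this example; a real device is reached by opening a TCP socket to port 502 and passing `lambda req: (sock.sendall(req), sock.recv(260))[1]` as the `exchange` callable.

```python
"""Minimal Modbus/TCP framing plus an in-memory PLC that answers it (stdlib only, no network).
Frame = MBAP header (7 bytes) + PDU
  MBAP: transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
  PDU : function code (1) | data
No field in either part identifies or authenticates the sender."""
import struct

FC_READ_COILS, FC_READ_DISCRETE_INPUTS = 0x01, 0x02
FC_READ_HOLDING_REGISTERS, FC_READ_INPUT_REGISTERS = 0x03, 0x04
FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER = 0x05, 0x06
EXCEPTIONS = {0x01: "ILLEGAL FUNCTION", 0x02: "ILLEGAL DATA ADDRESS", 0x03: "ILLEGAL DATA VALUE"}


class ModbusException(Exception):
    def __init__(self, function_code, exception_code):
        self.function_code, self.exception_code = function_code, exception_code
        super().__init__("fc 0x%02x: %s" % (function_code, EXCEPTIONS.get(exception_code, "UNKNOWN")))

def frame(tid, unit, pdu):
    """Prepend the MBAP header; the length field counts unit id + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def read_request(tid, unit, fc, address, count):
    """FC 0x01-0x04: read `count` items starting at `address`."""
    return frame(tid, unit, struct.pack(">BHH", fc, address, count))

def write_single_register(tid, unit, address, value):
    """FC 0x06: overwrite one 16-bit holding register."""
    return frame(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value & 0xFFFF))

def write_single_coil(tid, unit, address, on):
    """FC 0x05: a coil is written as 0xFF00 (on) or 0x0000 (off)."""
    return frame(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE_COIL, address, 0xFF00 if on else 0))

def parse_response(data):
    """Registers -> list of ints, coils/inputs -> list of bools, writes -> (address, value)."""
    length = struct.unpack(">HHHB", data[:7])[2]
    pdu = data[7:7 + length - 1]
    fc = pdu[0]
    if fc & 0x80:  # exception reply: function code with the high bit set, then an exception code
        raise ModbusException(fc & 0x7F, pdu[1])
    if fc in (FC_READ_HOLDING_REGISTERS, FC_READ_INPUT_REGISTERS):
        n = pdu[1] // 2
        return list(struct.unpack(">%dH" % n, pdu[2:2 + 2 * n]))
    if fc in (FC_READ_COILS, FC_READ_DISCRETE_INPUTS):
        # bits are packed least-significant-bit first; the last byte may carry padding bits
        return [bool(b >> i & 1) for b in pdu[2:2 + pdu[1]] for i in range(8)]
    if fc in (FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER):
        return struct.unpack(">HH", pdu[1:5])
    raise ValueError("unsupported function code 0x%02x" % fc)

def snapshot(exchange, unit, n_coils, n_holding):
    """Reconnaissance: dump coil and holding-register state through any exchange(request) callable."""
    coils = parse_response(exchange(read_request(1, unit, FC_READ_COILS, 0, n_coils)))[:n_coils]
    holding = parse_response(exchange(read_request(2, unit, FC_READ_HOLDING_REGISTERS, 0, n_holding)))
    return {"coils": coils, "holding": holding}


class FakePlc:
    """Answers frames the way an unauthenticated PLC does: every well-formed request is honoured."""
    def __init__(self, coils, holding):
        self.coils, self.holding = list(coils), list(holding)  # constructed sample state

    def exchange(self, request):
        tid, _proto, _length, unit = struct.unpack(">HHHB", request[:7])
        fc, address, arg = struct.unpack(">BHH", request[7:12])
        def exc(code):
            return frame(tid, unit, bytes([fc | 0x80, code]))
        if fc == FC_READ_COILS:
            if address + arg > len(self.coils):
                return exc(0x02)
            packed = bytearray((arg + 7) // 8)
            for i, bit in enumerate(self.coils[address:address + arg]):
                packed[i // 8] |= bit << (i % 8)
            return frame(tid, unit, bytes([fc, len(packed)]) + bytes(packed))
        if fc == FC_READ_HOLDING_REGISTERS:
            if address + arg > len(self.holding):
                return exc(0x02)
            regs = self.holding[address:address + arg]
            return frame(tid, unit, bytes([fc, 2 * arg]) + struct.pack(">%dH" % arg, *regs))
        if fc == FC_WRITE_SINGLE_REGISTER and address < len(self.holding):
            self.holding[address] = arg  # no identity, no authorization, no sanity check
            return frame(tid, unit, request[7:12])  # write replies echo the request PDU
        if fc == FC_WRITE_SINGLE_COIL and address < len(self.coils):
            self.coils[address] = arg == 0xFF00
            return frame(tid, unit, request[7:12])
        return exc(0x02 if fc in (FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER) else 0x01)


def demo():
    """Read, overwrite a setpoint, read again: the device accepts the write from anyone."""
    plc = FakePlc(coils=[True, False, True, False], holding=[100, 250, 0, 0])
    before = snapshot(plc.exchange, 1, 4, 4)
    parse_response(plc.exchange(write_single_register(3, 1, 1, 999)))
    return before, snapshot(plc.exchange, 1, 4, 4)
```

The point of `FakePlc.exchange` is how little it has to check: it validates the address range (that is what exception code 0x02 is for) and nothing else, which is exactly the behaviour of a real controller on port 502. `snapshot` is the shape a reconnaissance script takes; rerunning it after remediation is the cheapest way to confirm a write actually landed.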
Walk Through
- Initial Reconnaissance: a full-port version scan; the service to look for is Modbus on TCP/502
nmap -sV -T4 -p- -vv <targetip>
- Visual Confirmation: open the plant's web dashboard in a browser to see the current, sabotaged state of the process
http://<targetip>
- Modbus Reconnaissance: read the coils and holding registers from the JupyterLab file to establish what the PLC currently holds
- Complete Reconnaissance Script: combine the individual reads into one script so the full device state is captured in a single pass and can be compared before and after remediation
- Safe Remediation: restore the tampered values, keeping the attacker's trap logic from the objectives in mind, and re-read after each write to confirm it took
- Visual Confirmation: confirm on the dashboard that the process has returned to normal
Lessons Learned
- Unauthenticated Network Protocols: Modbus provides no authentication mechanism. Anyone who can reach port 502 can read and write values without proving their identity. This is worse than shipping a database with admin/admin credentials in production, because there is no concept of credentials at all, so there is nothing to rotate or harden.
- Network Segmentation Failure: Industrial control systems should operate on isolated networks with strict firewall rules. The TBFC system had its Modbus port directly reachable, violating the principle of defense in depth. In a properly architected environment the PLC sits on its own control network and a firewall allows TCP/502 only from the authorized engineering workstations and the SCADA server; a VLAN alone is not a boundary without that filtering.
- Lack of Change Detection: While the attacker implemented their own "protection" mechanism, the legitimate system had no intrusion detection, no baseline of expected register values, and no alerting. The compromise went unnoticed until citizens started complaining about wrong deliveries; a periodic poll compared against a known-good baseline would have flagged the changed registers as soon as they were written.
- Insufficient Input Validation: The system accepted any value written to its registers without checking whether it made physical sense. A properly designed system rejects out-of-range values at the controller and requires a multi-step confirmation for changes to critical setpoints.
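The change-detection and input-validation controls from the last two lessons, as an added example that is not part of the room or this writeup: a baseline diff run over register snapshots, and a write guard applied before any Modbus frame is built. The `Limit` map, the `guarded_write`, `diff_snapshot` and `out_of_range` names, and the register meanings and sample values are all constructed for this example; real limits come from the process engineers, not from a guess.

```python
"""Two controls the compromised controller lacked, written over plain register snapshots
({"coils": [...], "holding": [...]}, the shape a periodic Modbus poll produces):
a baseline diff that alerts on every changed item, and a write guard that refuses
values outside engineering limits before any frame is built. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    low: int
    high: int
    critical: bool = False  # critical addresses additionally need an explicit confirmation


# Hypothetical register map for the example; real limits come from the process engineers.
HOLDING_LIMITS = {
    0: Limit(0, 100),                  # conveyor speed, percent
    1: Limit(10, 40, critical=True),   # warehouse temperature setpoint, degrees C
    2: Limit(0, 1),                    # delivery route selector
}


class ValidationError(ValueError):
    pass


def guarded_write(address, value, limits=HOLDING_LIMITS, confirmed=False):
    """Return (address, value) only if the write is mapped, in range and, if critical, confirmed."""
    limit = limits.get(address)
    if limit is None:
        raise ValidationError("address %d is not in the engineering register map" % address)
    if not limit.low <= value <= limit.high:
        raise ValidationError("value %d outside [%d, %d] for address %d"
                              % (value, limit.low, limit.high, address))
    if limit.critical and not confirmed:
        raise ValidationError("address %d is critical; a second confirmation is required" % address)
    return address, value


def diff_snapshot(baseline, current):
    """One alert string per coil or register whose value differs from the approved baseline."""
    alerts = []
    for kind in ("coils", "holding"):
        before, after = baseline[kind], current[kind]
        if len(before) != len(after):
            alerts.append("%s: item count changed %d -> %d" % (kind, len(before), len(after)))
        for addr, (b, a) in enumerate(zip(before, after)):
            if b != a:
                alerts.append("%s[%d]: %r -> %r" % (kind, addr, b, a))
    return alerts


def out_of_range(current, limits=HOLDING_LIMITS):
    """Addresses whose live value violates its limit, even if it never differed from the baseline."""
    holding = current["holding"]
    return [addr for addr, lim in sorted(limits.items())
            if addr < len(holding) and not lim.low <= holding[addr] <= lim.high]


def demo():
    """Baseline captured after commissioning versus a poll taken after the tampering."""
    baseline = {"coils": [True, False, True, False], "holding": [50, 22, 0, 0]}
    tampered = {"coils": [True, False, False, False], "holding": [50, 22, 1, 0]}
    return diff_snapshot(baseline, tampered)
```

`diff_snapshot` and `out_of_range` answer different questions: the first catches anything that changed since the approved state, the second catches values that are physically implausible regardless of history, which matters when the baseline itself was captured after the compromise. Store the baseline off the controller, since the attacker who can write registers can also overwrite anything kept on the device.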