# ICS/Modbus - Claus for Concern (Day 19)

Learn to identify and exploit weaknesses in ICS systems.

## Practical Overview

- Room URL: https://tryhackme.com/room/ICS-modbus-aoc2025-g3m6n9b1v4
- Difficulty: Medium
- Category: ICS/Modbus | SCADA
- Date Completed: 12/20/2025

### Objectives

- How SCADA (Supervisory Control and Data Acquisition) systems monitor industrial processes
- What PLCs (Programmable Logic Controllers) do in automation
- How the Modbus protocol enables communication between industrial devices
- How to identify compromised system configurations in industrial systems
- Techniques for safely remediating compromised control systems
- Understanding protection mechanisms and trap logic in ICS environments

## Table of Contents

- Introduction
- Walk Through
- Lessons Learned
- Resources

## Introduction

This challenge, part of TryHackMe's Advent of Cyber 2025 event, presents an industrial control system (ICS) compromise scenario in which attackers abuse the Modbus protocol's unauthenticated write operations to sabotage Christmas deliveries. The challenge sits squarely in the Industrial Control Systems (ICS) / SCADA Security category and mirrors a real-world attack pattern: the FrostyGoop malware, reported by Dragos in 2024, used plain Modbus/TCP commands to disrupt a district heating utility in Lviv, Ukraine.
### Understanding the Modbus Protocol

Modbus, published by Modicon in 1979, remains one of the most widely deployed industrial protocols despite having no built-in security:

- **No authentication**: anyone who can reach TCP port 502 (Modbus/TCP) can issue read and write commands.
- **No encryption**: all communication is plaintext, so register values and commands can be sniffed and replayed.
- **No authorization**: there is no concept of users, roles or permissions; every client is equally trusted.
- **No integrity checking**: Modbus RTU carries a CRC and Modbus/TCP relies on the TCP checksum, both of which catch transmission errors only; nothing cryptographically binds a frame to a legitimate sender.

The protocol organizes data into four tables:

- **Coils**: single-bit outputs (boolean on/off values), read/write
- **Discrete Inputs**: single-bit inputs, read-only
- **Holding Registers**: 16-bit words, read/write (setpoints, analog outputs, configuration)
- **Input Registers**: 16-bit words, read-only (sensor and analog inputs)

## Walk Through

### Initial Reconnaissance

```
nmap -sV -T4 -p- -vv
```

### Visual Confirmation

```
http://
```

### Modbus Reconnaissance

### JupyterLab File

### Complete Reconnaissance Script

### Safe Remediation

### Visual Confirmation

## Lessons Learned

### Unauthenticated Network Protocols

The Modbus protocol provides no authentication mechanism. Anyone who can reach port 502 can read and write values without proving their identity. This is comparable to leaving database credentials as "admin/admin" in production, except worse: there is no concept of credentials at all, so there is nothing to rotate or harden at the protocol layer.

### Network Segmentation Failure

Industrial control systems should operate on isolated networks with strict firewall rules. The TBFC system had its Modbus port directly accessible, violating the principle of defense-in-depth. In a properly architected environment, the PLC would only accept connections from authorized engineering workstations on a separate VLAN, with an allow-list at the firewall for source addresses and the Modbus function codes those hosts are permitted to use.

### Lack of Change Detection

While the attacker implemented their own "protection" mechanism, the legitimate system had no intrusion detection, no baseline monitoring and no alerting. A periodic read of the coils and registers, compared against a known-good baseline, would have flagged the altered values immediately. Instead, the compromise went unnoticed until citizens started complaining about wrong deliveries.
### Insufficient Input Validation

The system blindly accepted any value written to its registers without validating whether those values made physical or logical sense. A properly designed system would reject out-of-range values at the PLC (a Modbus exception response rather than a silent accept) and require multi-step confirmation for safety-critical changes.

## Resources

- TryHackMe: SCADA for Beginners
- TryHackMe: ICS
- Pymodbus