Testing an attack on a sample application running on a Modbus-enabled Wago PLC.
The simulator presented here is the Tofino SCADA Security Simulator (TSSS), which is used in the Tofino Security Appliance demonstrations and in the training we teach at TISafe.
The Tofino suite was NOT tested and was disabled during the tests. Why? Because I'm not testing it; I'm testing the application and Modbus itself.
1. A fake Modbus slave (synchronous-server.py) is run in Python (using the pymodbus module) with the same tag range as the TSSS (12288-12388).
2. The HMI is ARP-poisoned so it believes my MAC address is the one belonging to the PLC's IP. At this point I have a half-duplex MITM running and I'm simply routing traffic.
3. A custom-built Python script, tsss-clone.py, copies data from the real Modbus slave (the PLC) to the fake Modbus slave (synchronous-server.py).
4. Another script, tsss-record.py, reads the data at a specified interval (1 s in this case) and writes the values to a dump file.
5. With the aid of some iptables magic, I redirect all traffic coming from the HMI and destined for the real Modbus slave (the PLC) to my fake Modbus slave. Then I shut down routing (ip_forward = 0) so requests no longer reach their intended destination.
6. The HMI now sees the fake data on my fake slave instead of the real data from the real slave.
7. Finally, another script, tsss-replay.py, wrapped in a "while true; do" bash loop, keeps replaying the dump file into the fake slave, tricking the operators into believing this is live data.
8. Operators now see fake data on the HMI and think it is real.
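The defender's counterpart to the procedure above, added here as an example and not part of the original write-up or the TSSS tooling: a looped replay of a recorded dump (step 7) shows up on the HMI side as an exactly repeating cycle of polled values, and the ARP poisoning in step 2 shows up as the PLC's IP answering from a second MAC. All sample polls, the PLC IP and the MACs below are constructed placeholders.

```python
"""Detection checks for a looped Modbus replay and for ARP poisoning of the PLC
address. Sample data is constructed; nothing here is captured from the TSSS."""
from typing import List, Optional, Sequence, Tuple

Poll = Tuple[int, ...]  # one HMI read of the tag range (register values only)


def replay_period(polls: Sequence[Poll], min_cycles: int = 3) -> Optional[int]:
    """Smallest p such that the last min_cycles*p polls are one p-poll sequence
    repeated; None if the tail is not periodic. p == 1 means the values are
    simply frozen, which may be an idle plant or a stuck sensor, not a replay."""
    n = len(polls)
    for p in range(1, n // min_cycles + 1):
        tail = list(polls[n - p:])
        if all(list(polls[n - (k + 1) * p:n - k * p]) == tail
               for k in range(1, min_cycles)):
            return p
    return None


def classify(polls: Sequence[Poll], min_cycles: int = 3) -> str:
    p = replay_period(polls, min_cycles)
    if p is None:
        return "live"
    return "frozen" if p == 1 else "replay(period=%d)" % p


def macs_for_ip(arp_log: Sequence[Tuple[int, str, str]], ip: str) -> List[str]:
    """arp_log entries are (timestamp, ip, mac) as a passive ARP monitor would
    record them; the PLC address seen from two MACs is the step-2 symptom."""
    return sorted({mac for _, seen_ip, mac in arp_log if seen_ip == ip})


# Constructed plant behaviour: (level, pump_running, cycle_counter) per 1 s poll.
LIVE = [(100 + (t * 7) % 53, int((t * 7) % 53 > 25), t) for t in range(20)]
RECORDED = LIVE[:5]              # the window an attacker would have dumped
REPLAYED = LIVE + RECORDED * 3   # live history followed by three replay loops
FROZEN = [(131, 1, 7)] * 9       # same values on every poll

PLC_IP = "192.0.2.10"            # placeholder address, not a real PLC
ARP_LOG = [(0, PLC_IP, "02:00:00:00:00:01"), (5, PLC_IP, "02:00:00:00:00:01"),
           (61, PLC_IP, "02:00:00:00:00:02")]  # a second MAC appears at t=61

if __name__ == "__main__":
    for name, series in (("live", LIVE), ("replayed", REPLAYED), ("frozen", FROZEN)):
        print(name, "->", classify(series))
    print("MACs claiming the PLC IP:", macs_for_ip(ARP_LOG, PLC_IP))
```

Feed `classify` a sliding window of the HMI's own poll history (values only, at the poll interval) and raise when it returns a replay period; the ARP check needs a passive monitor on the HMI/PLC segment, since the HMI's own cache already holds the poisoned entry.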
Tools: Linux, Python, pymodbus, bash, arpspoof, brain.
Presented in my talk on SCADA hacking at the 10th edition of the Hackers to Hackers Conference on October 5, 2021.
View the presentation at