Launching Your First Modbus Attack

Welcome back Friends! In our previous labs, we successfully set up our attacker machine with MITRE Caldera and deployed a custom Modbus PLC simulator on our victim machine. Now that our environment is built, the real fun begins. In this section, we are going to use Caldera to launch actual automated attacks against our Modbus target!

Step 1: Pre-Flight Network Check

First, boot up both of your virtual machines:

  • VM-A (Attacker): The machine running Caldera.
  • VM-B (Victim): The machine with our Modbus simulator.

Before we launch any attacks, we need to verify they can talk to each other. On VM-A, open a terminal and ping the IP address of VM-B.

If the ping is successful (you should see packets transmitted and received without loss), we are clear to proceed!

Step 2: Start the Target and Attacker Services

Next, let's get our services running on both machines.

On VM-B (Victim): Open a terminal, navigate to the Modbus simulator directory, and start the server.

cd ~/Downloads/OT-Protocol-Simulators/Modbus
python3 Modbus-Server.py

On VM-A (Attacker): If you shut this VM down after our last session, Caldera will need to be restarted. Open a terminal, navigate to your Caldera directory, and fire it up:

cd ~/Downloads/caldera
python3 server.py --insecure

Step 3: Deploy the Sandcat Agent

Open your browser on VM-A and log in to the Caldera web console at http://localhost:8888.

To attack our target, we first need Caldera to establish a foothold. We do this by deploying an agent. For this series, we will be using Sandcat, Caldera's default agent.

  1. In Caldera's left pane, click on Agents.
  2. Click the + Deploy an agent button.
  3. Select sandcat from the dropdown menu.
  4. Select Linux as the platform (since our target is an Ubuntu VM).
  5. In the app.contact.http field, replace 0.0.0.0 with the actual IP address of your Attacker machine (VM-A). This tells the agent where to report back.
  6. Optional: Change the payload name from the default splunkd to something recognizable, like modbus-attacker.

Once that is done, click the Copy button to copy the generated deployment command.


💡 Bonus Lesson: Quick File Transfers with Python

If you have a bidirectional clipboard enabled in VirtualBox, you can simply paste that copied command directly into a terminal on VM-B. If you don't, here is a tip for quickly transferring files between machines using a Python HTTP server.

On VM-A (Attacker):

  1. Open a text editor, paste the copied Sandcat agent command, and save the file in your Downloads folder as modbus-attacker.txt.
  2. Open a new terminal, navigate to that directory, and start a basic HTTP server:
cd ~/Downloads
python3 -m http.server

On VM-B (Victim):

  1. Open a web browser and navigate to the IP of VM-A on port 8000 (e.g., http://192.168.1.35:8000).
  2. Click the modbus-attacker.txt file to download it.
  3. Open the file, copy the text inside, and run it in a new terminal window!

(Note: If you get a "curl not found" error, simply run sudo apt install curl -y and try again).


If you go back to the Caldera web console on VM-A, check the Agents tab. You should now see one agent alive and checking in!


Step 4: Create a Modbus Adversary Profile

Now we need to create an adversary equipped with specific Modbus attack abilities.

  1. In the left pane, click on Adversaries.
  2. Caldera does not have a default Modbus profile, so click the New Profile button.
  3. Give your new profile a name and description.

Next, we add "abilities" (which are individual attack test cases) to this profile.

  1. Click the + Add ability button.
  2. Search for "modbus".
  3. For our first test, select Modbus - Read Device Information. Be sure to read the description to understand exactly what this attack does!
  4. Click the ability to add it to your profile.

Step 5: Configure the Attack Parameters

Before we fire this off, we need to tell the ability exactly where to point the attack.

  1. Click on the newly added ability in your profile to edit it.
  2. Scroll down. You will notice three identical forms for different operating systems. We only care about the Linux platform, because the command will be executed from our Ubuntu target VM. Feel free to delete the other two by clicking the "x".
  3. Edit the command syntax. Update the IP address to match your target VM (VM-B) and ensure the port is set to 5020 (the port our simulator is listening on).

Note on Attack Levels: The "Modbus Read Device Information" ability supports different levels (1–3). We are proceeding with Level 1 for this lab, but you can read more about what the other levels extract in the official documentation.


Once configured, click Save.

Step 6: Execute the Operation

We are finally ready to launch!

  1. In the left pane, click on Operations.
  2. Click Create Operation.
  3. Give the operation a name, and from the Adversary dropdown, select the Modbus profile you just created.
  4. Click Start.

Let the operation run.


Once it finishes successfully, click on the View Output icon.

Analyzing the Results

When you view the output, you will see the information we successfully extracted from the simulated Modbus PLC.

It should look something like this:

  • 0 → Manufacturer: Siemens AG
  • 1 → Model: 6ES7 214-1AG40-0XB0 (Siemens S7-1200 series PLC)
  • 2 → Firmware Version: V4.4.1

By simply querying the device, we successfully enumerated the PLC vendor, model, and firmware. In a real-world red teaming scenario, this banner-grabbing technique is a critical first step for fingerprinting a device and identifying target-specific vulnerabilities.
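The lab only shows the decoded result. As an added example (not part of the original post or of the Caldera ability itself), the Python below handles the Modbus/TCP frames that carry this exchange: it flags a Read Device Identification request (function 0x2B, MEI type 0x0E) the way a network monitor would, and it decodes the response into the object-id mapping listed above. Both sample frames are constructed here for illustration and the values are the lab's, not those of a real device.

```python
import struct

# Object ids in the basic identification block of Modbus function 0x2B / MEI type 0x0E.
# The lab output maps 0, 1 and 2 to manufacturer, model and firmware version.
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision",
                3: "VendorUrl", 4: "ProductName", 5: "ModelName", 6: "UserApplicationName"}

def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (transaction id, unit id, PDU), validating the header."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("bad MBAP header")
    return tid, uid, frame[7:]

def is_device_id_request(frame: bytes) -> bool:
    """Detection helper: True when the frame is a Read Device Identification request."""
    _, _, pdu = parse_mbap(frame)
    return len(pdu) == 4 and pdu[0] == 0x2B and pdu[1] == 0x0E

def parse_device_id_response(frame: bytes) -> dict:
    """Decode a Read Device Identification response into {object name: value}."""
    _, _, pdu = parse_mbap(frame)
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    read_code, more_follows, count = pdu[2], pdu[4], pdu[6]  # pdu[3]/pdu[5]: conformity, next id
    objects, pos = {}, 7
    for _ in range(count):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object")
        objects[OBJECT_NAMES.get(obj_id, f"object_{obj_id}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"read_code": read_code, "more_follows": bool(more_follows), "objects": objects}

def build_sample_response(objects: dict, tid: int = 1, uid: int = 1) -> bytes:
    """Construct a response frame (test data only) carrying the given {id: text} objects."""
    body = b"".join(bytes([oid, len(v)]) + v.encode("ascii") for oid, v in objects.items())
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu

# Constructed sample traffic: a level-1 (basic) request, and a reply mimicking the
# lab simulator's output. Neither is captured from a real device.
SAMPLE_REQUEST = struct.pack(">HHHB", 1, 0, 5, 1) + bytes([0x2B, 0x0E, 0x01, 0x00])
SAMPLE_RESPONSE = build_sample_response(
    {0: "Siemens AG", 1: "6ES7 214-1AG40-0XB0", 2: "V4.4.1"})
```

A monitor that sees is_device_id_request() return True for a source that is not an engineering workstation has caught exactly the enumeration step this lab performs.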

Hooray! This marks your first successful attack on an OT device using Caldera. Stay tuned for the next part, where we will start manipulating process values and taking control of the simulation.