{
	"id": "53ab4b32-724b-4be3-acc8-29e9d002b456",
	"created_at": "2026-04-06T01:32:36.566957Z",
	"updated_at": "2026-04-10T03:20:17.400447Z",
	"deleted_at": null,
	"sha1_hash": "f96600f455e2c0a207a54d101328a7b8c7abb047",
	"title": "Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6540044,
	"plain_text": "Man-In-The-Middle Attack Against Modbus TCP Illustrated with\r\nWireshark\r\nBy Created by:Gabriel Sanchez\r\nArchived: 2026-04-06 00:08:44 UTC\r\nDownload File\r\nMan-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark (PDF, 3.46MB)Published: 20 Oct,\r\n2017\r\nThough attacks on the industrial control system (ICS) and their protocols are not a new occurrence, recent years\r\nhave highlighted a growing trend in such attacks. To make matters worse, cyber defenders have also dealt with a\r\nslow migration to more secure ICS protocols due to costs associated with equipment downtime. With the increase\r\nin attacks and the slow migration to more secure ICS protocols, it is crucial for cyber defenders to be able to\r\nquickly set up labs to mimic and observe how potential attacks on the ICS network function so that necessary\r\ndefenses and detection mechanisms can be put in place. This paper lays out how to setup a lab with multiple\r\nvirtual machines and ICS software that can observe a Master workstation controlling a PLC. First, Wireshark will\r\nbe used to illustrate and compare normal Modbus TCP communications between the Master and PLC\r\nworkstations. Wireshark will then be used to demonstrate and compare a MITM attack with an Ettercap filter that\r\nmanipulates the Modbus TCP communications against both workstations.\r\nAdditional resources\r\nRelated courses\r\nSlide 1 of 7\r\nICS515: ICS Visibility, Detection, and Response\r\nICS515Industrial Control Systems Security\r\nhttps://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095\r\nPage 1 of 6\n\nGIAC Response and Industrial Defense (GRID)\r\n 6 Days (Instructor-Led)\r\n 36 CPEs / 36 Hours (Self-Paced)\r\n Labs: 22 Hands-On Labs\r\nView course detailsRegister\r\nSlide 2 of 7\r\nICS418: ICS Security Essentials for Leaders\r\nICS418Industrial Control Systems Security\r\nhttps://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095\r\nPage 2 of 6\n\n12 CPEs / 12 Hours (Self-Paced)\r\n Labs: 12 Hands-On Labs\r\nView course detailsRegister\r\nSlide 3 of 7\r\nICS613: ICS/OT Penetration Testing \u0026 Assessments\r\nICS613Industrial Control Systems Security\r\n 5 Days (Instructor-Led)\r\n 30 CPEs / 30 Hours\r\n Labs: 27 Hands-On Labs\r\nView course detailsRegister\r\nSlide 4 of 7\r\nICS456: Essentials for NERC Critical Infrastructure Protection\r\nICS456Industrial Control Systems Security\r\nhttps://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095\r\nPage 3 of 6\n\nGIAC Critical Infrastructure Protection (GCIP)\r\n 5 Days (Instructor-Led)\r\n 31 CPEs / 31 Hours (Self-Paced)\r\n Labs: 23 Hands-On Labs\r\nView course detailsRegister\r\nSlide 5 of 7\r\nICS310: ICS Cybersecurity Foundations\r\nICS310Industrial Control Systems Security\r\nhttps://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095\r\nPage 4 of 6\n\n12 CPEs / 12 Hours (Self-Paced)\r\n Labs: 3 Hands-On Labs\r\nView course detailsRegister\r\nSlide 6 of 7\r\nICS410: ICS/SCADA Security Essentials\r\nICS410Industrial Control Systems Security\r\n GIAC Global Industrial Cyber Security Professional (GICSP)\r\n 6 Days (Instructor-Led)\r\n 36 CPEs / 36 Hours (Self-Paced)\r\n Labs: 15 Hands-On Labs\r\nView course detailsRegister\r\nSlide 7 of 7\r\nICS612: ICS Cybersecurity In-Depth\r\nICS612Industrial Control Systems Security\r\nhttps://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095\r\nPage 5 of 6\n\n5 Days (Instructor-Led)\r\n 30 CPEs / 30 Hours\r\n Labs: 31 Hands-On Labs\r\nView course detailsRegister\r\nSource: https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095\r\nhttps://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095"
	],
	"report_names": [
		"man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095"
	],
	"threat_actors": [],
	"ts_created_at": 1775439156,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f96600f455e2c0a207a54d101328a7b8c7abb047.pdf",
		"text": "https://archive.orkl.eu/f96600f455e2c0a207a54d101328a7b8c7abb047.txt",
		"img": "https://archive.orkl.eu/f96600f455e2c0a207a54d101328a7b8c7abb047.jpg"
	}
}