During a penetration test of a manufacturing plant's OT network, you confirm that several programmable logic controllers communicate with the SCADA server over Modbus/TCP. To gather vendor, firmware, and device identification with minimal risk of disrupting operations, which Nmap command-line approach should you use, and on which default port will the probe be sent?
Execute nmap -sS --script enip-info -p 44818 <target> to probe the controller's EtherNet/IP service.
Execute nmap -sU --script dnp3-enum-enip -p 20000 <target> to enumerate devices over DNP3 on UDP port 20000.
Execute nmap -sV --script modbus-discover -p 502 <target> to query the Modbus service on its default port 502.
Run nmap -A -p- <target> to aggressively scan every TCP port for possible Modbus endpoints.
The safest way to enumerate a Modbus/TCP device is to run Nmap with its purpose-built modbus-discover NSE script against the protocol's well-known TCP port 502 while enabling version detection. The script issues only the Read Device Identification (function code 43/14) request, which is read-only and therefore unlikely to alter PLC state. Scanning other ports such as 44818 (EtherNet/IP) or 20000 (DNP3), or using a full aggressive scan across all 65 535 ports, would either miss the Modbus service or introduce unnecessary traffic that could interfere with sensitive industrial processes.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Modbus/TCP?
Open an interactive chat with Bash
Why is the modbus-discover NSE script considered minimal risk for PLC devices?
Open an interactive chat with Bash
What are the risks of scanning all TCP/UDP ports in an OT network?
Open an interactive chat with Bash
What is Modbus/TCP, and why is it used in industrial networks?
Open an interactive chat with Bash
What does the Nmap modbus-discover NSE script do?
Open an interactive chat with Bash
What are some risks of using aggressive Nmap scans on OT networks?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Mobile Platform, IoT, and OT Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .