Hacktricks-skills opc-ua-pentesting

Pentest OPC UA (Open Platform Communications Unified Architecture) industrial control systems. Use this skill whenever the user mentions OPC UA, industrial protocols, PLCs, SCADA systems, port 4840, or wants to assess OT/ICS security. This skill covers discovery, enumeration, vulnerability assessment, and exploitation of OPC UA servers, including attacks on legacy security policies and exploitation of known CVEs.

Install

Clone the upstream repo:

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/network-services-pentesting/4840-pentesting-opc-ua/SKILL.MD

OPC UA Pentesting Skill

A comprehensive guide for assessing security in OPC UA (Open Platform Communications Unified Architecture) systems used in Manufacturing, Energy, Aerospace, and Defence.

Quick Start

# Basic scan with OpalOPC
opalopc -vv opc.tcp://<target_ip>:4840

# Nmap port discovery
nmap -sV -Pn -n --open -p 4840,4843,49320,48050,53530,62541 <target>

Discovery & Enumeration

Step 1: Locate OPC UA Transports

OPC UA services often run on non-standard ports, and nmap's version probes do not always label them as OPC UA, so a candidate port that grep misses is still worth a direct handshake check. Scan the common ports first:

# Primary OPC UA ports
nmap -sV -Pn -n --open -p 4840,4843,49320,48050,53530,62541 $TARGET

# Full port scan if needed
nmap -sV -Pn -n --open -p- $TARGET | grep -i opc

Common ports by vendor:

  • 4840 - Standard opc.tcp binary transport
  • 4843/443 - HTTPS/TLS bindings
  • 49320 - KepServerEX
  • 62541 - OPC Foundation reference stack
  • 48050 - UaGateway
  • 53530 - Prosys Simulation Server

Step 2: Fingerprint Endpoints

Use OpalOPC to enumerate security policies and capabilities:

# Detailed endpoint analysis
opalopc -vv opc.tcp://$target_ip:$target_port

# Save the console output for reporting (OpalOPC prints text, not JSON;
# see opalopc --help for its report output option)
opalopc -vv opc.tcp://$target_ip:$target_port | tee findings_$target_ip.txt

Key information to capture:

  • SecurityPolicyUri - which encryption and signature algorithms are offered
  • SecurityMode - None, Sign, or SignAndEncrypt
  • UserTokenType - Anonymous, UserName, Certificate, IssuedToken (and each token policy's own SecurityPolicyUri, which decides whether a password is encrypted)
  • Application URI and product strings
  • Namespace URIs for vendor-specific NodeIds
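Turning the captured endpoint data into findings is mechanical once the rules are written down. The following is an added example for this page (not OpalOPC's logic or upstream code): it models the EndpointDescription and UserTokenPolicy fields returned by GetEndpoints, with the enum values from OPC UA Part 4, and derives the anonymous-access and weak-policy findings that the Reporting section asks for. SAMPLE_ENDPOINTS is constructed, not captured from a real server.

```python
"""Triage GetEndpoints results into reportable findings.

Added example for this skill page (not OpalOPC or upstream code). The input
mirrors the EndpointDescription / UserTokenPolicy fields a client receives
from GetEndpoints; SAMPLE_ENDPOINTS is constructed, not captured from a server.
"""
from dataclasses import dataclass, field

POLICY = "http://opcfoundation.org/UA/SecurityPolicy#"
# MessageSecurityMode (OPC UA Part 4): Invalid=0, None=1, Sign=2, SignAndEncrypt=3.
MODE_NONE, MODE_SIGN, MODE_SIGN_ENCRYPT = 1, 2, 3
# UserTokenType (Part 4): Anonymous=0, UserName=1, Certificate=2, IssuedToken=3.
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE, TOKEN_ISSUED = 0, 1, 2, 3
# Policies deprecated by the OPC Foundation and why they matter to an attacker.
DEPRECATED = {
    POLICY + "Basic128Rsa15": "RSA PKCS#1 v1.5 key transport + SHA-1 signatures",
    POLICY + "Basic256": "SHA-1 signatures",
}


@dataclass
class UserTokenPolicy:
    token_type: int
    security_policy_uri: str = ""   # empty = inherit the endpoint's policy


@dataclass
class Endpoint:
    endpoint_url: str
    security_policy_uri: str
    security_mode: int
    user_tokens: list = field(default_factory=list)


def triage_endpoints(endpoints):
    """Return (severity, message) pairs, highest severity first."""
    findings = []
    for ep in endpoints:
        label = "%s [%s, mode %d]" % (ep.endpoint_url,
                                      ep.security_policy_uri.rsplit("#", 1)[-1],
                                      ep.security_mode)
        clear_channel = ep.security_mode == MODE_NONE or ep.security_policy_uri == POLICY + "None"
        if clear_channel:
            findings.append(("high", label + ": unencrypted, unsigned channel; values and "
                             "session AuthenticationTokens are readable and replayable"))
        if ep.security_policy_uri in DEPRECATED:
            findings.append(("high", label + ": deprecated policy (" +
                             DEPRECATED[ep.security_policy_uri] + ")"))
        if ep.security_mode == MODE_SIGN:
            findings.append(("low", label + ": Sign only, payloads visible on the wire"))
        for tok in ep.user_tokens:
            if tok.token_type == TOKEN_ANONYMOUS:
                findings.append(("high", label + ": anonymous login accepted"))
            elif tok.token_type == TOKEN_USERNAME:
                # The password is encrypted with the token policy's own
                # SecurityPolicyUri, not the channel's; None means plaintext.
                effective = tok.security_policy_uri or ep.security_policy_uri
                if effective == POLICY + "None":
                    findings.append(("high", label + ": username/password sent in clear text"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


# Constructed sample: a typical mixed configuration on one device.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://plc01:4840", POLICY + "None", MODE_NONE,
             [UserTokenPolicy(TOKEN_ANONYMOUS),
              UserTokenPolicy(TOKEN_USERNAME, POLICY + "None")]),
    Endpoint("opc.tcp://plc01:4840", POLICY + "Basic128Rsa15", MODE_SIGN_ENCRYPT,
             [UserTokenPolicy(TOKEN_USERNAME)]),
    Endpoint("opc.tcp://plc01:4840", POLICY + "Basic256Sha256", MODE_SIGN,
             [UserTokenPolicy(TOKEN_CERTIFICATE)]),
]

if __name__ == "__main__":
    for severity, message in triage_endpoints(SAMPLE_ENDPOINTS):
        print(severity.upper(), message)
```

The point worth internalising is the username check: a UserName token on a SignAndEncrypt endpoint can still ship the password in clear if the token policy's own SecurityPolicyUri is None, and a None endpoint that merely encrypts the password still exposes the session's AuthenticationToken to replay.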

Step 3: Walk the Address Space

Start at the ObjectsFolder (i=85) and follow hierarchical references recursively, keeping a visited set: the address space is a graph, not a tree, and can loop.

Built-in NodeIds to check (all in namespace 0):

  • i=2253 (0:Server) - ServerArray, vendor/product strings, namespace URIs
  • i=2256 (ServerStatus) - Uptime, current state, build info
  • i=2275 (ServerDiagnosticsSummary) - Session counts, rejected and aborted request counters (your own brute-force attempts show up here too)
  • i=85 (ObjectsFolder) - Entry point to device tags, methods, alarms

What to look for:

  • Writable process variables (setpoints, control values)
  • Method nodes (StartMotor, Reset, UploadFirmware)
  • Historian/log nodes (proprietary recipes, operational data)
  • ServerStatus.BuildInfo - firmware provenance
  • ServerCapabilities.OperationLimits - resource exhaustion potential
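A recursive walk that tags the items in the list above, as an added example (not the skill's own code and not part of asyncua): it assumes asyncua is installed (pip install asyncua) and an endpoint reachable at the URL given on the command line. It browses from i=85 with a visited set and a node cap, only reads attributes (no writes, no method calls) and tags Method nodes, writable Variables (AccessLevel bit CurrentWrite) and history-enabled Variables (HistoryRead). The classification rule is a plain function so it can be checked without a server.

```python
"""Walk an OPC UA address space from the ObjectsFolder and flag interesting nodes.

Added example for this skill page (not upstream code). walk() assumes the
asyncua library and a reachable endpoint; classify() is pure Python and
encodes the NodeClass / AccessLevel rules from OPC UA Part 3.
"""
import asyncio

# NodeClass values from OPC UA Part 3.
NODECLASS_OBJECT, NODECLASS_VARIABLE, NODECLASS_METHOD = 1, 2, 4
# AccessLevel bit mask from Part 3: bit 0 CurrentRead, bit 1 CurrentWrite,
# bit 2 HistoryRead, bit 3 HistoryWrite.
CURRENT_WRITE, HISTORY_READ = 0x02, 0x04


def classify(node_class, access_level=0):
    """Return the tags a pentester cares about for one node (may be empty)."""
    tags = []
    if node_class == NODECLASS_METHOD:
        tags.append("method")
    elif node_class == NODECLASS_VARIABLE:
        if access_level & CURRENT_WRITE:
            tags.append("writable")
        if access_level & HISTORY_READ:
            tags.append("historian")
    return tuple(tags)


async def walk(url, max_depth=6, max_nodes=5000):
    """Depth-first browse from i=85; returns [(tags, nodeid, browse_name), ...]."""
    from asyncua import Client, ua   # imported here so classify() works without asyncua
    found = []
    seen = set()
    async with Client(url=url) as client:          # anonymous session by default
        stack = [(client.nodes.objects, 0)]        # ObjectsFolder, i=85
        while stack and len(seen) < max_nodes:
            node, depth = stack.pop()
            key = node.nodeid.to_string()
            if key in seen or depth > max_depth:   # the address space can loop
                continue
            seen.add(key)
            node_class = int(await node.read_node_class())
            access = 0
            if node_class == NODECLASS_VARIABLE:
                # AccessLevel only exists on Variables; reading it elsewhere errors.
                access = (await node.read_attribute(ua.AttributeIds.AccessLevel)).Value.Value
            tags = classify(node_class, access)
            if tags:
                found.append((tags, key, (await node.read_browse_name()).Name))
            # get_children() follows hierarchical references by default.
            for child in await node.get_children():
                stack.append((child, depth + 1))
    return found


if __name__ == "__main__":
    import sys
    for tags, nodeid, name in asyncio.run(walk(sys.argv[1])):   # e.g. opc.tcp://10.0.0.5:4840
        print(",".join(tags), nodeid, name)
```

If the server refuses anonymous sessions, call `client.set_user()` and `client.set_password()` on the Client before entering the context. The node cap matters on real historians: a full walk of a large Kepware or Ignition tree can take minutes and leaves an obvious trace in ServerDiagnosticsSummary.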

Step 4: Test for Anonymous Access

If anonymous access is allowed, check whether dangerous operations are exposed to it: enumerate the method nodes and read their permissions first, and only invoke them within the agreed scope (see Safety Considerations). Typical targets:

# Common maintenance method patterns to test
ns=2;s=Reset
ns=2;s=StartMotor
ns=2;s=StopMotor
ns=2;s=UploadRecipe
ns=2;s=DownloadRecipe
ns=2;s=Calibrate
ns=2;s=Reboot

Many vendors forget to bind role permissions to custom methods.
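The identifiers above are string NodeIds in a vendor namespace, while the Server nodes in Step 3 are numeric ones in namespace 0. The following added example (not upstream code) shows how a client parses both forms and encodes them into the OPC UA Part 6 binary layout that goes inside Browse, Read, Write and Call requests, and decodes them back, which is what you need when pulling NodeIds out of a capture. The GUID and base64 values in the test are constructed.

```python
"""Parse NodeId strings and encode/decode their OPC UA binary form.

Added example for this skill page (not upstream code). The string forms are
the ones used on this page (i=85, ns=2;s=Reset); the binary layout follows
OPC UA Part 6 and is what a client puts inside Browse, Read, Write and Call
requests, so the decoder also works on NodeIds pulled out of a capture.
"""
import base64
import struct
import uuid

# Encoding-byte values from Part 6: TwoByte, FourByte, Numeric, String, Guid, ByteString.
TWO_BYTE, FOUR_BYTE, NUMERIC, STRING, GUID, BYTESTRING = range(6)


def parse_nodeid(text):
    """'ns=2;s=Reset' -> (namespace, id_type, value); namespace defaults to 0."""
    namespace, id_type, value = 0, None, None
    for part in text.split(";"):
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError("malformed NodeId component %r in %r" % (part, text))
        if key == "ns":
            namespace = int(val)
        elif key in ("i", "s", "g", "b"):
            id_type, value = key, val
        else:
            raise ValueError("unknown NodeId component %r in %r" % (part, text))
    if id_type is None:
        raise ValueError("no identifier in %r" % text)
    if id_type == "i":
        value = int(value)
    elif id_type == "g":
        value = uuid.UUID(value)
    elif id_type == "b":
        value = base64.b64decode(value)
    return namespace, id_type, value


def encode_nodeid(text):
    """Binary-encode a NodeId string using the shortest legal form."""
    ns, id_type, value = parse_nodeid(text)
    if id_type == "i":
        if ns == 0 and value <= 0xFF:          # built-ins such as i=85 need two bytes
            return struct.pack("<BB", TWO_BYTE, value)
        if ns <= 0xFF and value <= 0xFFFF:      # i=2253 and most vendor numerics
            return struct.pack("<BBH", FOUR_BYTE, ns, value)
        return struct.pack("<BHI", NUMERIC, ns, value)
    if id_type == "s":
        raw = value.encode("utf-8")
        return struct.pack("<BHi", STRING, ns, len(raw)) + raw
    if id_type == "g":
        # Data1-3 little-endian, Data4 raw: exactly uuid's bytes_le layout.
        return struct.pack("<BH", GUID, ns) + value.bytes_le
    return struct.pack("<BHi", BYTESTRING, ns, len(value)) + value


def decode_nodeid(data, offset=0):
    """Inverse of encode_nodeid: ((namespace, id_type, value), next_offset)."""
    enc = data[offset] & 0x3F   # top two bits flag ExpandedNodeId extras, not used here
    offset += 1
    if enc == TWO_BYTE:
        return (0, "i", data[offset]), offset + 1
    if enc == FOUR_BYTE:
        ns, ident = struct.unpack_from("<BH", data, offset)
        return (ns, "i", ident), offset + 3
    ns = struct.unpack_from("<H", data, offset)[0]
    offset += 2
    if enc == NUMERIC:
        return (ns, "i", struct.unpack_from("<I", data, offset)[0]), offset + 4
    if enc == GUID:
        return (ns, "g", uuid.UUID(bytes_le=bytes(data[offset:offset + 16]))), offset + 16
    if enc in (STRING, BYTESTRING):
        length = max(struct.unpack_from("<i", data, offset)[0], 0)   # -1 encodes null
        offset += 4
        raw = bytes(data[offset:offset + length])
        value = raw.decode("utf-8") if enc == STRING else raw
        return (ns, "s" if enc == STRING else "b", value), offset + length
    raise ValueError("unknown NodeId encoding byte %#x" % enc)
```

Two practical consequences: the namespace index is only meaningful against the server's NamespaceArray (i=2255), so record it alongside the URI before reporting a NodeId, and a server may legitimately send the same node in a longer encoding than the shortest one, so never compare NodeIds byte-for-byte, compare the decoded tuples.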

Vulnerability Assessment

Legacy Security Policy Attacks (Basic128Rsa15)

Systems that still allow the deprecated Basic128Rsa15 policy are exposed to:

  1. Bleichenbacher-style padding-oracle attacks - the server's PKCS#1 v1.5 decryption errors let an attacker decrypt data encrypted to its certificate (handshake nonces, secrets) or forge signatures, without ever obtaining the private key
  2. Authentication bypass - CVE-2024-42512 in the OPC Foundation .NET Standard stack < 1.5.374.158
  3. Certificate impersonation - Forge high-privilege sessions

Attack workflow:

  1. Enumerate policies with GetEndpoints
  2. Note any Basic128Rsa15 entries
  3. Negotiate that policy explicitly when opening the secure channel (the SecurityPolicyUri travels in the OpenSecureChannel security header), then CreateSession over it
  4. Run the oracle loop to recover key material
  5. Forge a high-privilege session or act as a rogue reverse proxy

Affected products:

  • CODESYS Runtime Toolkit < 3.5.21.0 (when compiled with CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY)
  • OPC Foundation .NET Standard stack < 1.5.374.158
  • Various vendor products with the legacy policy enabled

CVE Exploitation

CVE-2024-53429 - open62541 (fuzz_binary_decode)

  • Affects: open62541 ≤ 1.4.6
  • Impact: Pre-auth DoS via oversized ExtensionObject bodies
  • Method: Spam mutated OpenSecureChannel requests
  • Tool: Use the Claroty corpus or a Boofuzz harness

CVE-2025-7390 - Softing OPC UA C++ SDK

  • Affects: edgeConnector, edgeAggregator
  • Impact: Certificate replay allows arbitrary authentication
  • Method: Mint cert with trusted Common Name, downgrade to Basic128Rsa15

Session Abuse Techniques

  1. Token reuse - Clone the AuthenticationToken from captured sessions
  2. Session flooding - Create dozens of inactive sessions to exceed MaxSessionCount
  3. Subscription abuse - Bind subscriptions with <50 ms publishing intervals to crash the scheduler
  4. Handle starvation - RegisterNodes without releasing them to starve legitimate clients

Exploitation Frameworks

Claroty opcua-exploit-framework

# DoS attack against Prosys Simulation Server
python3 main.py prosys 10.10.10.10 53530 /OPCUA/SimulationServer thread_pool_wait_starvation

# Replay Boofuzz corpus against open62541
python3 main.py open62541 192.168.1.50 4840 / opcua_message_boofuzz_db input_corpus_minimized/opcua.db

# Modes available:
# - sanity: lightweight reads/browses
# - attacks: thread pool starvation, file upload DoS
# - corpus: replay fuzzing payloads
# - server: rogue OPC UA server to backdoor clients

Supported targets: Kepware, Ignition, Unified Automation, Softing SIS, Triangle Microworks, Node-OPCUA, Python OPC UA, Milo, open62541

Custom Client Development

Use these libraries for exploit development:

  • python-opcua / asyncua (Python)
  • node-opcua (Node.js)
  • open62541 (C)

Node abuse checklist:

  • HistoryRead - Snapshot proprietary recipes
  • TranslateBrowsePathsToNodeIds - Resolve asset names to NodeIds
  • Call on Method nodes - Trigger maintenance tasks
  • RegisterNodes - Pin nodes and starve legitimate clients

Shodan Reconnaissance

Search queries for asset discovery:

port:4840
port:62541 "OPC UA"
ssl:"urn:opcua"
product:"opc ua"

Combine with vendor strings:

  • "Ignition OPC UA"
  • "KepServerEX"
  • "CN=UaServerCert"

Reporting

Key findings to document:

  1. Anonymous access enabled
  2. Weak security policies (Basic128Rsa15, None)
  3. Writable process variables
  4. Unprotected method nodes
  5. Certificate validation errors
  6. CVE matches and versions
  7. Session limits and resource constraints

Safety Considerations

⚠️ OT/ICS systems control physical processes. Always:

  • Get explicit written authorization
  • Coordinate with operations teams
  • Test during maintenance windows
  • Have rollback procedures ready
  • Monitor for unintended physical effects
  • Document all actions taken
