---
name: opc-ua-pentesting
description: Pentest OPC UA (Open Platform Communications Unified Architecture) industrial control systems. Use this skill whenever the user mentions OPC UA, industrial protocols, PLCs, SCADA systems, port 4840, or wants to assess OT/ICS security. This skill covers discovery, enumeration, vulnerability assessment, and exploitation of OPC UA servers including legacy security policy attacks and CVE exploitation.
---

# OPC UA Pentesting Skill

A comprehensive guide for assessing security in OPC UA (Open Platform Communications Unified Architecture) systems used in Manufacturing, Energy, Aerospace, and Defence.

## Quick Start

```bash
opalopc -vv opc.tcp://<target_ip>:4840
nmap -sV -Pn -n --open -p 4840,4843,49320,48050,53530,62541 <target>
```
## Discovery & Enumeration

### Step 1: Locate OPC UA Transports

OPC UA services often run on non-standard ports. Scan the common port ranges:

```bash
nmap -sV -Pn -n --open -p 4840,4843,49320,48050,53530,62541 $TARGET
nmap -sV -Pn -n --open -p- $TARGET | grep -i opc
```

Common ports by vendor:

- 4840 - Standard binary opc.tcp
- 4843/443 - HTTPS bindings
- 49320 - KepServerEX
- 62541 - OPC Foundation reference stack
- 48050 - UaGateway
- 53530 - Prosys Simulation Server
### Step 2: Fingerprint Endpoints

Use OpalOPC to enumerate security policies and capabilities:

```bash
opalopc -vv opc.tcp://$target_ip:$target_port
opalopc -vv opc.tcp://$target_ip:$target_port > findings_$target_ip.json
```

Key information to capture:

- `SecurityPolicyUri` - What encryption/authentication is supported
- `SecurityMode` - None, Sign, or SignAndEncrypt
- `UserTokenType` - Anonymous, UserName, Certificate, IssuedToken
- Application URI and product strings
- Namespace URIs for vendor-specific NodeIds
### Step 3: Walk the Address Space

Start at the ObjectsFolder and browse recursively.

Built-in NodeIds to check:

| NodeId | Purpose |
|---|---|
| `i=2253` (0:Server) | ServerArray, vendor/product strings, namespace URIs |
| `i=2256` (ServerStatus) | Uptime, current state, build info |
| `i=2267` (ServerDiagnosticsSummary) | Session counts, aborted requests - fingerprint brute-force attempts |
| `i=85` (ObjectsFolder) | Entry point to device tags, methods, alarms |

What to look for:

- Writable process variables (setpoints, control values)
- Method nodes (StartMotor, Reset, UploadFirmware)
- Historian/log nodes (proprietary recipes, operational data)
- `ServerStatus.BuildInfo` - firmware provenance
- `ServerCapabilities.OperationLimits` - resource exhaustion potential
### Step 4: Test for Anonymous Access

If anonymous access is allowed, immediately test dangerous operations:

```text
ns=2;s=Reset
ns=2;s=StartMotor
ns=2;s=StopMotor
ns=2;s=UploadRecipe
ns=2;s=DownloadRecipe
ns=2;s=Calibrate
ns=2;s=Reboot
```

Many vendors forget to bind role permissions to custom methods.
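To turn the endpoint data captured in Steps 2 and 4 into report findings, here is an added Python example (not part of this skill, OpalOPC, or any OPC UA library) that scores a GetEndpoints-style endpoint list against the policy, mode and user-token checks above. The `Endpoint` dataclass is this example's own shape and the sample records are constructed; in practice you would fill them from OpalOPC's JSON or a GetEndpoints call.

```python
from dataclasses import dataclass

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
DEPRECATED = {"Basic128Rsa15", "Basic256"}  # SHA-1 / PKCS#1 v1.5 based, deprecated by the OPC Foundation
MODE = {1: "None", 2: "Sign", 3: "SignAndEncrypt"}  # MessageSecurityMode enum values
TOKEN = {0: "Anonymous", 1: "UserName", 2: "Certificate", 3: "IssuedToken"}  # UserTokenType enum values


@dataclass
class Endpoint:  # this example's own shape, not a library type
    url: str
    policy_uri: str  # EndpointDescription.SecurityPolicyUri
    mode: int        # EndpointDescription.SecurityMode
    tokens: list     # [(UserTokenType, UserTokenPolicy.SecurityPolicyUri or "" to inherit), ...]


def audit_endpoint(ep: Endpoint) -> list:
    """Return finding strings for one endpoint; an empty list means nothing was flagged."""
    findings = []
    policy, mode = ep.policy_uri.replace(POLICY_PREFIX, ""), MODE.get(ep.mode, "Invalid")
    if policy == "None" or mode == "None":
        findings.append(f"{ep.url}: no transport security (policy={policy}, mode={mode})")
    elif policy in DEPRECATED:
        findings.append(f"{ep.url}: deprecated policy {policy} offered (legacy attack surface)")
    elif mode == "Sign":
        findings.append(f"{ep.url}: Sign-only mode, process data readable on the wire")
    for token_type, token_policy in ep.tokens:
        name = TOKEN.get(token_type, "Unknown")
        # A UserTokenPolicy without its own SecurityPolicyUri inherits the channel's policy.
        effective = token_policy.replace(POLICY_PREFIX, "") if token_policy else policy
        if name == "Anonymous":
            findings.append(f"{ep.url}: Anonymous user token accepted")
        elif name == "UserName" and effective == "None":
            findings.append(f"{ep.url}: UserName token under policy None, password sent in clear")
    return findings


def audit(endpoints) -> list:
    return [f for ep in endpoints for f in audit_endpoint(ep)]


# Constructed sample shaped like a GetEndpoints response from one server (not a real target).
SAMPLE = [
    Endpoint("opc.tcp://plc.example:4840", POLICY_PREFIX + "None", 1, [(0, ""), (1, "")]),
    Endpoint("opc.tcp://plc.example:4840", POLICY_PREFIX + "Basic128Rsa15", 3, [(1, "")]),
    Endpoint("opc.tcp://plc.example:4840", POLICY_PREFIX + "Basic256Sha256", 3, [(2, "")]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

The first sample endpoint yields three findings (no transport security, anonymous token, cleartext password), the Basic128Rsa15 endpoint one, and the Basic256Sha256 endpoint none.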
## Vulnerability Assessment

### Legacy Security Policy Attacks (Basic128Rsa15)

Systems allowing the deprecated Basic128Rsa15 policy are vulnerable to:

- Bleichenbacher-style oracle attacks - Recover server certificate's private key
- Authentication bypass - CVE-2024-42512 in OPC Foundation .NET Standard stack < 1.5.374.158
- Certificate impersonation - Forge high-privilege sessions

Attack workflow:

- Enumerate policies with `GetEndpoints`
- Note any `Basic128Rsa15` entries
- Negotiate that policy explicitly in `CreateSession`
- Run oracle loop to recover key material
- Forge high-privilege session or act as rogue reverse proxy

Affected products:

- CODESYS Runtime Toolkit < 3.5.21.0 (when compiled with `CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY`)
- OPC Foundation .NET Standard stack < 1.5.374.158
- Various vendor products with legacy policy enabled
### CVE Exploitation

#### CVE-2024-53429 - open62541 fuzz_binary_decode

- Affects: open62541 ≤ 1.4.6
- Impact: Pre-auth DoS via oversized `ExtensionObject` bodies
- Method: Spam mutated `OpenSecureChannel` requests
- Tool: Use Claroty corpus or Boofuzz harness

#### CVE-2025-7390 - Softing OPC UA C++ SDK

- Affects: edgeConnector, edgeAggregator
- Impact: Certificate replay allows arbitrary authentication
- Method: Mint cert with trusted Common Name, downgrade to Basic128Rsa15
### Session Abuse Techniques

- Token reuse - Clone `AuthenticationToken` from captured sessions
- Session flooding - Create dozens of inactive sessions to exceed `MaxSessionCount`
- Subscription abuse - Bind subscriptions with <50ms intervals to crash scheduler
- Handle starvation - `RegisterNodes` without releasing to starve legitimate clients
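The counters Step 3 reads from ServerDiagnosticsSummary (`i=2267`) are also how a defender notices the techniques above. The following added Python example (not from this skill or any OPC UA library) baselines consecutive diagnostic reads to flag session flooding against `MaxSessionCount`, bursts of security-rejected sessions, and a few sessions holding an unusual number of subscriptions. `DiagSample`, the samples and the thresholds are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass
class DiagSample:
    """One periodic read of ServerDiagnosticsSummary (i=2267) fields; example's own type."""
    t: int                      # seconds since monitoring started
    current_sessions: int       # CurrentSessionCount
    security_rejected: int      # SecurityRejectedSessionCount (cumulative)
    current_subscriptions: int  # CurrentSubscriptionCount


def detect(samples, max_sessions, occupancy=0.8, reject_per_s=5.0, subs_per_session=20):
    """Compare consecutive samples and return alert strings (thresholds are illustrative assumptions)."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        dt = max(cur.t - prev.t, 1)
        # Session flooding: the pool filling toward MaxSessionCount locks out legitimate clients.
        if cur.current_sessions >= occupancy * max_sessions:
            alerts.append(f"t={cur.t}: {cur.current_sessions}/{max_sessions} sessions in use (flooding?)")
        # Credential or certificate guessing shows up as a burst of security-rejected sessions.
        rate = (cur.security_rejected - prev.security_rejected) / dt
        if rate >= reject_per_s:
            alerts.append(f"t={cur.t}: {rate:.1f} security-rejected sessions/s (brute force?)")
        # Subscription abuse: a handful of sessions holding hundreds of subscriptions.
        if cur.current_sessions and cur.current_subscriptions / cur.current_sessions > subs_per_session:
            alerts.append(f"t={cur.t}: {cur.current_subscriptions} subscriptions over "
                          f"{cur.current_sessions} sessions (subscription abuse?)")
    return alerts


# Constructed samples, one read per minute, for a server whose MaxSessionCount is 100.
SAMPLES = [
    DiagSample(0, 5, 0, 10),
    DiagSample(60, 6, 2, 12),      # normal: one new client, two failed logins
    DiagSample(120, 85, 2, 14),    # session pool jumps to 85 % occupancy
    DiagSample(180, 86, 602, 14),  # 600 security rejections within one minute
    DiagSample(240, 3, 602, 400),  # three sessions now hold 400 subscriptions
]
MAX_SESSIONS = 100

if __name__ == "__main__":
    for alert in detect(SAMPLES, MAX_SESSIONS):
        print("ALERT:", alert)
```

On the constructed samples this raises four alerts: flooding at t=120 and t=180, brute force at t=180, and subscription abuse at t=240.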
## Exploitation Frameworks

### Claroty opcua-exploit-framework

```bash
python3 main.py prosys 10.10.10.10 53530 /OPCUA/SimulationServer thread_pool_wait_starvation
python3 main.py open62541 192.168.1.50 4840 / opcua_message_boofuzz_db input_corpus_minimized/opcua.db
```

Supported targets: Kepware, Ignition, Unified Automation, Softing SIS, Triangle Microworks, Node-OPCUA, Python OPC UA, Milo, open62541
## Custom Client Development

Use these libraries for exploit development:

- python-opcua / asyncua (Python)
- node-opcua (Node.js)
- open62541 (C)

Node abuse checklist:

- `HistoryRead` - Snapshot proprietary recipes
- `TranslateBrowsePathsToNodeIds` - Resolve asset names to NodeIds
- `Call` + Method nodes - Trigger maintenance tasks
- `RegisterNodes` - Pin nodes and starve legitimate clients
## Shodan Reconnaissance

Search queries for asset discovery:

```text
port:4840
port:62541 "OPC UA"
ssl:"urn:opcua"
product:"opc ua"
```

Combine with vendor strings:

```text
"Ignition OPC UA"
"KepServerEX"
"CN=UaServerCert"
```
## Reporting

Key findings to document:

- Anonymous access enabled
- Weak security policies (Basic128Rsa15, None)
- Writable process variables
- Unprotected method nodes
- Certificate validation errors
- CVE matches and versions
- Session limits and resource constraints

## Safety Considerations

⚠️ OT/ICS systems control physical processes. Always:

- Get explicit written authorization
- Coordinate with operations teams
- Test during maintenance windows
- Have rollback procedures ready
- Monitor for unintended physical effects
- Document all actions taken

## References