hacktricks/network-services-pentesting/4840-pentesting-opc-ua.md

2024-01-14 19:54:55 +00:00
# 4840 - Pentesting OPC UA
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## Basic Information

OPC UA stands for Open Platform Communications Unified Access. It is a long-standing open-source protocol for data exchange, telemetry collection, and control of industrial equipment. It is very widely used in industrial settings including Manufacturing, Energy, Aerospace, and Defence. It is the only standardized way of communicating with PLCs and allows the equipment of different vendors to communicate with each other.

OPC UA is very flexible in terms of configuration. It can be configured to be extremely secure, or insecure. Often the security features are disabled to allow communication with older devices. Testing the configuration for weaknesses can therefore reveal easy entry to critical systems.

Network scanners do not recognize OPC UA, so discovery may require some work if nonstandard ports are used.

**Default port:** 4840

```text
PORT STATE SERVICE REASON
4840/tcp open unknown syn-ack
```
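Because generic port scanners report the service as `unknown`, the quickest way to confirm that a port is speaking OPC UA is the protocol's own handshake: the client opens a TCP connection and sends a `HEL` (Hello) message, and an OPC UA server must answer with `ACK` or `ERR`. The following script is an added example, not code from HackTricks or OpalOPC; the message layout and field names follow the OPC UA binary transport (Part 6), the sample replies are constructed for offline use, and `probe()` is a hypothetical helper for asset-inventory checks against a host you are authorised to test.

```python
import socket
import struct

# OPC UA TCP (UACP) framing as specified in OPC UA Part 6: every message starts
# with a 3-byte type ("HEL", "ACK", "ERR", "OPN", "MSG", "CLO"), a 1-byte chunk
# type ("F" = final) and a UInt32 total message size, all little-endian. These
# constants are the standard encoding, not values taken from the page.
_HDR = struct.Struct("<3sBI")
_FIVE_U32 = struct.Struct("<IIIII")  # protocol version, receive/send buffer, max message, max chunks


def build_hello(endpoint_url: str) -> bytes:
    """Encode the Hello message a client sends first; the server must answer ACK or ERR."""
    url = endpoint_url.encode("utf-8")
    body = _FIVE_U32.pack(0, 65535, 65535, 0, 0)  # version 0, 64 KiB buffers, 0 = no limit
    body += struct.pack("<i", len(url)) + url     # OPC UA String: Int32 length + UTF-8 bytes
    return _HDR.pack(b"HEL", ord("F"), _HDR.size + len(body)) + body


def parse_reply(data: bytes) -> dict:
    """Classify the server's reply: ACK/ERR mean OPC UA is listening, anything else does not."""
    if len(data) < _HDR.size:
        return {"type": "not-opcua", "reason": "reply shorter than UACP header"}
    mtype, chunk, size = _HDR.unpack_from(data)
    if chunk != ord("F") or size < _HDR.size or size > len(data):
        return {"type": "not-opcua", "reason": "malformed UACP header"}
    if mtype == b"ACK" and size >= _HDR.size + _FIVE_U32.size:
        ver, rbuf, sbuf, maxmsg, maxchunk = _FIVE_U32.unpack_from(data, _HDR.size)
        return {"type": "ACK", "protocol_version": ver, "receive_buffer_size": rbuf,
                "send_buffer_size": sbuf, "max_message_size": maxmsg, "max_chunk_count": maxchunk}
    if mtype == b"ERR" and size >= _HDR.size + 8:
        code, rlen = struct.unpack_from("<Ii", data, _HDR.size)
        start = _HDR.size + 8
        reason = data[start:start + rlen].decode("utf-8", "replace") if rlen > 0 else ""
        return {"type": "ERR", "status_code": code, "reason": reason}
    return {"type": "not-opcua", "reason": f"unexpected message type {mtype!r}"}


def probe(host: str, port: int = 4840, timeout: float = 3.0) -> dict:
    """Hypothetical helper: send one Hello to host:port and classify the reply."""
    url = f"opc.tcp://{host}:{port}"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_hello(url))
        data = sock.recv(4096)
    return parse_reply(data)


# Constructed sample replies (not captured from any real device) for offline use.
SAMPLE_ACK = _HDR.pack(b"ACK", ord("F"), 28) + _FIVE_U32.pack(0, 65535, 65535, 16777216, 0)
SAMPLE_ERR = (_HDR.pack(b"ERR", ord("F"), 8 + 8 + 11)
              + struct.pack("<Ii", 0x80000000, 11) + b"constructed")  # status code is a placeholder
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for name, sample in ("ACK", SAMPLE_ACK), ("ERR", SAMPLE_ERR), ("HTTP", SAMPLE_HTTP):
            print(name, "->", parse_reply(sample))
```

An `ERR` reply still proves the service is OPC UA (the server may reject the endpoint URL string but it parsed the Hello), which is why the classifier treats both `ACK` and `ERR` as positive; a web server or anything else on the port fails the header check. The same check is useful on the defensive side to find OPC UA listeners that were moved to nonstandard ports and never made it into the asset inventory.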
## Pentesting OPC UA

To reveal security issues in OPC UA servers, scan them with [OpalOPC](https://opalopc.com/).

```bash
opalopc -vv opc.tcp://$target_ip_or_hostname:$target_port
```
### Exploiting vulnerabilities

**⚠️ Warning ⚠️**: Poking around without knowing what you are doing may cause serious health hazards to people and monetary losses to your client.

If authentication bypass vulnerabilities are found, you can configure an [OPC UA client](https://www.prosysopc.com/products/opc-ua-browser/) accordingly and see what you can access. This may allow anything from merely reading process values to actually operating heavy-duty industrial equipment.

To get a clue of the device you have access to, read the "ServerStatus" node values in the address space and search for a usage manual.

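The weaknesses a scanner such as OpalOPC reports on a "compatibility" configuration are mostly visible in what the server itself advertises through the `GetEndpoints` service: each `EndpointDescription` carries a `SecurityPolicyUri`, a `MessageSecurityMode` and the list of `UserTokenPolicy` entries it accepts. The following audit is an added example and not OpalOPC's or HackTricks' code; the policy URIs and enum values are the standard OPC UA identifiers, the data classes mirror the relevant `EndpointDescription` fields, and the endpoint list is constructed rather than read from a live server (a real client would fill the same structures from a `GetEndpoints` call).

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Identifiers below are the standard OPC UA ones (SecurityPolicy URIs from
# Part 7, MessageSecurityMode and UserTokenType from Part 4); they are not
# values taken from the page.
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}  # SHA-1 based, deprecated since UA 1.04
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3          # MessageSecurityMode
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE = 0, 1, 2  # UserTokenType


@dataclass
class UserTokenPolicy:
    token_type: int
    security_policy_uri: Optional[str] = None  # None: the endpoint's own policy applies


@dataclass
class Endpoint:
    url: str
    security_policy_uri: str
    security_mode: int
    user_identity_tokens: List[UserTokenPolicy] = field(default_factory=list)


def _policy_name(uri: str) -> str:
    return uri.rsplit("#", 1)[-1]


def audit_endpoint(ep: Endpoint) -> List[str]:
    """Return the weaknesses of one EndpointDescription (empty list = nothing found)."""
    findings = []
    policy = _policy_name(ep.security_policy_uri)
    if policy == "None" or ep.security_mode == MODE_NONE:
        findings.append("no channel security (SecurityPolicy None / MessageSecurityMode None)")
    elif ep.security_mode == MODE_SIGN:
        findings.append("channel is signed but not encrypted (MessageSecurityMode Sign)")
    if policy in DEPRECATED_POLICIES:
        findings.append(f"deprecated security policy {policy}")
    for tok in ep.user_identity_tokens:
        if tok.token_type == TOKEN_ANONYMOUS:
            findings.append("anonymous user token accepted")
        elif tok.token_type == TOKEN_USERNAME:
            # The password is encrypted with the token policy; if that is None and the
            # channel is not encrypted either, credentials cross the wire in clear.
            tok_policy = _policy_name(tok.security_policy_uri) if tok.security_policy_uri else policy
            if tok_policy == "None" and ep.security_mode != MODE_SIGN_AND_ENCRYPT:
                findings.append("username/password token sent without encryption")
    return findings


def audit_server(endpoints: List[Endpoint]) -> dict:
    """Audit every endpoint a server advertises and add a server-wide verdict."""
    per_endpoint = {f"{ep.url} [{_policy_name(ep.security_policy_uri)}]": audit_endpoint(ep)
                    for ep in endpoints}
    hardened = [ep for ep in endpoints
                if not audit_endpoint(ep) and ep.security_mode == MODE_SIGN_AND_ENCRYPT]
    if not hardened:
        verdict = ["no endpoint offers SignAndEncrypt with a current policy"]
    elif len(hardened) < len(endpoints):
        verdict = ["secure endpoint exists, but weaker endpoints remain (remove them)"]
    else:
        verdict = []
    return {"endpoints": per_endpoint, "server": verdict}


# Constructed GetEndpoints result (not from any real device): a "compatibility"
# endpoint and a legacy one next to a hardened endpoint on the same server.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://plc.example:4840", POLICY_PREFIX + "None", MODE_NONE,
             [UserTokenPolicy(TOKEN_ANONYMOUS), UserTokenPolicy(TOKEN_USERNAME)]),
    Endpoint("opc.tcp://plc.example:4840", POLICY_PREFIX + "Basic128Rsa15", MODE_SIGN,
             [UserTokenPolicy(TOKEN_USERNAME)]),
    Endpoint("opc.tcp://plc.example:4840", POLICY_PREFIX + "Basic256Sha256", MODE_SIGN_AND_ENCRYPT,
             [UserTokenPolicy(TOKEN_USERNAME, POLICY_PREFIX + "Basic256Sha256")]),
]

if __name__ == "__main__":
    for key, findings in audit_server(SAMPLE_ENDPOINTS)["endpoints"].items():
        print(key, "->", findings or "ok")
    print("server ->", audit_server(SAMPLE_ENDPOINTS)["server"])
```

The server-wide verdict matters as much as the per-endpoint findings: a hardened `SignAndEncrypt` endpoint gives no protection while the same server still advertises a `None` endpoint that accepts anonymous sessions, since any client (or attacker) simply picks the weak one. The fix on the defensive side is to remove the insecure endpoints and the anonymous token policy rather than to add a secure endpoint beside them.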
## Shodan
* `port:4840`
## References
* https://opalopc.com/how-to-hack-opc-ua/