- Description
- Installation
- Hello command (discovery)
- Server_config command
- [Read_data command] (#read_data-command)
- [Write_data command] (#write_data-command)
This tool is based on the metasploit module msf-opcua, so we would like to thank their author : Linus Roepert, Markus Dahlmanns, Ina Berenice Fink, Jan Pennekamp and Martin Henze.
During OPC UA security assessments, this tool can be used to detect OPC UA instances, and gather information about the endpoint configurations and on the access control of the nodes.
- If not already installed, install
python3
. - Then, run the command
pip3 install -r requirements.txt
You can either use "python3" or "./" to execute the script.
./opcua_scan.py -h
The hello command sends HEL/ACK messages in order to locate OPC UA instances.
./opcua_scan.py hello -h
One target :
./opcua_scan.py hello -i 127.0.0.1 -p 53530
Multiple ports :
./opcua_scan.py hello -i 127.0.0.1 -p '5060-5065, 53530'
Multiple IPs :
./opcua_scan.py hello -i '127.0.0.1-5, 127.0.0.9' -p 80
You can scan multiple IPs, on multiple ports. IPs are parsed thanks to ipparser, thus, you can use any syntax accepted by this library to choose your targets.
- Name (
-n, --name
) : Configure the name of the server in the URL opc:tcp://IP:PORT/NAME. You can use a file containing a list of names to test (each name separated with a new line)
./opcua_scan.py hello -i '127.0.0.1' -p 4840 -n UADiscovery
./opcua_scan.py hello -i '127.0.0.1' -p 4840 -n /path/to/name_list.txt
- Output (
-o, --output
) : store data about all the server detected in a file. This file can then be parsed by the server_config command
./opcua_scan.py hello -i '127.0.0.1-5' -p 4840 -o ./file_output.json
- Timeout (
-t, --timeout
) : change the timeout to consider a connection as failed in milliseconds (Default: 500)
./opcua_scan.py hello -i 127.0.0.1 -p 53530 -t 200
- Verbose (
-v, --verbose
) : display each target tested, even if there is no OPC UA server detected
./opcua_scan.py hello -i 127.0.0.1 -p '5060-5065' -v
- Table format (
-tfmt, --table_format
) : change the format of the generated summary table (see tabulate documentation for the list of accepted formats, e.g. outline, grid...). Default value is "outline".
./opcua_scan.py hello -i 127.0.0.1 -p '5060-5065' -tfmt plain
The server_config command can be used to gather security related information about OPC UA servers. Some data does not require to be authenticated to be gathered, such as the endpoint descriptions. But an access is required to retrieve information on the server's nodes.
./opcua_scan.py server_config -h
One target :
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer'
Multiple targets :
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer, opc.tcp://127.0.0.1:4840/ServerName'
Targets detected by the hello command :
./opcua_scan.py server_config -t 'path/to/hello_output.json'
- Authentication (
-a, --authentication
) : The authentication method to be used (default: Anonymous)
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Anonymous
- Username (
-u, --username
) and password (-p, --password
) : The username and password for the authentication
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password
- Security mode (
-m, --mode
) and policy (-po, --policy
) : The security mode and associated policy of the targeted endpoint - Certificate (
-c, --certificate
) and private key (-pk, --private_key
) : The certificate and the associated private key for the authentication and/or encryption
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -m SignAndEncrypt -po Basic256Sha256 -c certificate.pem -pk private_key.pem
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Certificate -c certificate.pem -pk private_key.pem
- Find writable nodes (
-nw, nodes_writable
) and executable methods (ne, nodes_executable
) (successful authentication is required) :
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -nw -ne
- Change root node (
-r, root_node
) : the search for writable nodes and executable methods will start from the selected root node
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -nw -ne -r 2253
opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -nw -ne -r 'i=2253'
opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -nw -ne -r 'ns=6;s=MyObjectsFolder'
opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -nw -ne -r 'ns=3;i=1001'c
- Output (
-o, --output
) : store more information about the scanned servers in a file (JSON format)
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -nw -o ./file_output.json
- Retrieves additional node attributes (
-na, node_attributes
) (successful authentication is required, and a file output must be configured). The list of valid attributes that can be retrieved is:- NodeId, NodeClass, BrowseName, DisplayName, Description, WriteMask, UserWriteMask, IsAbstract, Symmetric, InverseName, ContainsNoLoops, EventNotifier, Value, DataType, ValueRank, ArrayDimensions, AccessLevel, UserAccessLevel, MinimumSamplingInterval, Historizing, Executable, UserExecutable, DataTypeDefinition, RolePermissions, UserRolePermissions, AccessRestrictions, AccessLevelEx
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -na Historizing -na Description -o file_output.json
- Servers (
-s, --servers
) : retrieve the application descriptions of the servers known by the targeted server
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -s
- Table format (
-tfmt, --table_format
) : change the format of the generated summary table (see tabulate documentation for the list of accepted formats, e.g. outline, grid...). Default value is "outline".
./opcua_scan.py server_config -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -tfmt latex
This command allows to read data from an OPC-UA server
./opcua_scan.py read_data -h
Read at the root
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer'
Browse a location ('ns=2;s=XXX.YYY') and read data :
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -r 'ns=2;s=XXX.YYY'
Read data at a specific location without browsing :
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -r 'ns=2;s=XXX.YYY' --single True
- Authentication (
-a, --authentication
) : The authentication method to be used (default: Anonymous)
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Anonymous
- Username (
-u, --username
) and password (-p, --password
) : The username and password for the authentication
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password
- Security mode (
-m, --mode
) and policy (-po, --policy
) : The security mode and associated policy of the targeted endpoint - Certificate (
-c, --certificate
) and private key (-pk, --private_key
) : The certificate and the associated private key for the authentication and/or encryption
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -m SignAndEncrypt -po Basic256Sha256 -c certificate.pem -pk private_key.pem
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Certificate -c certificate.pem -pk private_key.pem
- Find writable nodes (
-nw, nodes_writable
) and executable methods (ne, nodes_executable
) (successful authentication is required) :
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -nw -ne
- Change root node (
-r, root_node
) : the search for writable nodes and executable methods will start from the selected root node
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -nw -ne -r 2253
opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -nw -ne -r 'i=2253'
opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -nw -ne -r 'ns=6;s=MyObjectsFolder'
opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -nw -ne -r 'ns=3;i=1001'
- Output (
-o, --output
) : store more information about the scanned servers in a file (JSON format)
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -nw -o ./file_output.json
- Retrieves additional node attributes (
-na, node_attributes
) (successful authentication is required, and a file output must be configured). The list of valid attributes that can be retrieved is:- NodeId, NodeClass, BrowseName, DisplayName, Description, WriteMask, UserWriteMask, IsAbstract, Symmetric, InverseName, ContainsNoLoops, EventNotifier, Value, DataType, ValueRank, ArrayDimensions, AccessLevel, UserAccessLevel, MinimumSamplingInterval, Historizing, Executable, UserExecutable, DataTypeDefinition, RolePermissions, UserRolePermissions, AccessRestrictions, AccessLevelEx
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -na Historizing -na Description -o file_output.json
- Single mode (
--single
) : Just read the data at the address without browsing
./opcua_scan.py read_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -r 'ns=3;i=1001' --single True
This command allows to write data to an OPC-UA server
./opcua_scan.py write_data -h
Browse a location ('ns=2;s=XXX.YYY') and write data (for boolean, no need to specify datatype) :
./opcua_scan.py write_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -r 'ns=2;s=XXX.YYY' --data True
Write integer data (must add -dt or --dtype argument) :
./opcua_scan.py write_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -r 'ns=2;s=XXX.YYY' --data 1 -dt UInt16
- Authentication (
-a, --authentication
) : The authentication method to be used (default: Anonymous)
./opcua_scan.py write_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Anonymous
- Username (
-u, --username
) and password (-p, --password
) : The username and password for the authentication
./opcua_scan.py write_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password
- Security mode (
-m, --mode
) and policy (-po, --policy
) : The security mode and associated policy of the targeted endpoint - Certificate (
-c, --certificate
) and private key (-pk, --private_key
) : The certificate and the associated private key for the authentication and/or encryption
./opcua_scan.py write_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Username -u john -p password -m SignAndEncrypt -po Basic256Sha256 -c certificate.pem -pk private_key.pem
./opcua_scan.py write_data -t 'opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer' -a Certificate -c certificate.pem -pk private_key.pem
- Node address node (
-r, root_node
) : Write at this adress
- Data (
--data
) : Data to be writtenOnly works with BOOL ("True" or "False") at the moment