4840 - Pentesting OPC UA


Basic Information

OPC UA, which stands for Open Platform Communications Unified Access, is an important open-source protocol used in industries such as Manufacturing, Energy, Aerospace and Defense to exchange data and control devices. Its distinguishing feature is that it lets devices from different vendors talk to each other, especially PLCs.

Its design supports strong security measures, but in practice, for compatibility with legacy devices, those measures are often weakened, exposing the systems to risk. In addition, locating OPC UA services can be hard because network scanners may fail to detect them when they listen on non-standard ports.

Default port: 4840 (binary opc.tcp). Many vendors expose separate discovery endpoints (/discovery), HTTPS bindings (4843/443), or vendor-specific listening ports such as 49320 (KepServerEX), 62541 (OPC Foundation reference stack) and 48050 (UaGateway). Expect several endpoints per host, each advertising a transport profile, a security policy and the user-token types it supports.

| Built-in NodeId | Why it matters |
|---|---|
| i=2253 (0:Server) | Holds ServerArray, vendor/product strings and namespace URIs. |
| i=2256 (ServerStatus) | Exposes uptime, current state and optionally build info. |
| i=2267 (ServerDiagnosticsSummary) | Exposes session counts, aborted requests, etc. Useful for fingerprinting brute-force attempts. |
| i=85 (ObjectsFolder) | Entry point for walking the exposed device tags, methods and alarms. |

```
PORT     STATE SERVICE REASON
4840/tcp open  unknown syn-ack
```

Pentesting OPC UA

To uncover security issues on OPC UA servers, scan them with OpalOPC.

```
opalopc -vv opc.tcp://$target_ip_or_hostname:$target_port
```

Discovery and Enumeration Plan

  1. Find every OPC UA transport
```
nmap -sV -Pn -n --open -p 4840,4843,49320,48050,53530,62541 $TARGET
```

Repeat against the UDP multicast addresses if the environment uses LDS-ME multicast discovery.

  2. Identify endpoints
  • Call FindServers/GetEndpoints over each transport to capture the SecurityPolicyUri, SecurityMode, UserTokenType, application URI and product strings.
  • Enumerate the namespaces so you can resolve vendor-specific NodeIds; use namespace collisions to make clients fetch attacker-controlled schemas.
  3. Walk the address space
  • Start at ObjectsFolder (i=85) and Browse/Read recursively to find writable process variables, Method nodes and historian/log nodes.
  • Query ServerStatus.BuildInfo to understand the firmware lineage, and ServerCapabilities.OperationLimits to gauge how easily the server's resources can be exhausted.
  • If anonymous access is allowed, immediately try Call on maintenance methods (e.g. ns=2;s=Reset, ns=2;s=StartMotor). Many vendors forget to lock down role permissions on custom methods.
  4. Session abuse
  • Reuse or clone AuthenticationToken values from other sessions (captured via MITM or exposed through diagnostics) to hijack existing subscriptions.
  • Flood the server's SessionDiagnostics by creating many idle sessions; some stacks shut down once the MaxSessionCount limit is exceeded.
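Added here as an example (not code from the original page, nor from OpalOPC or any other tool it mentions): a Python audit over the EndpointDescription list that GetEndpoints returns, flagging the None/Basic128Rsa15/Basic256 policies, non-encrypting message modes and anonymous tokens that step 2 (and the Basic128Rsa15 section later on) tell you to note. The endpoint list is constructed; the field names and enum values follow the OPC UA specification.

```python
# Added example (not from the original page): audit the EndpointDescriptions that
# GetEndpoints returns and flag the weak settings this page tells you to look for.
# SAMPLE_ENDPOINTS is constructed; for a live server build Endpoint objects from
# your client's GetEndpoints result (field names follow the OPC UA spec).
from dataclasses import dataclass, field

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
WEAK_POLICIES = {"None", "Basic128Rsa15", "Basic256"}  # none, or SHA-1/PKCS#1 v1.5 based (deprecated)
MODE_NAMES = {1: "None", 2: "Sign", 3: "SignAndEncrypt"}  # MessageSecurityMode enum
ANONYMOUS, USERNAME, CERTIFICATE = 0, 1, 2                 # UserTokenType enum

@dataclass
class Endpoint:
    url: str
    security_policy_uri: str
    security_mode: int
    user_token_types: list = field(default_factory=list)

def policy_name(uri):
    """Strip the common prefix so 'Basic128Rsa15' can be compared and reported."""
    return uri[len(POLICY_PREFIX):] if uri.startswith(POLICY_PREFIX) else uri

def audit_endpoint(ep):
    """Return the findings for one endpoint; an empty list means nothing to flag."""
    findings, policy = [], policy_name(ep.security_policy_uri)
    if policy in WEAK_POLICIES:
        findings.append(f"weak security policy {policy}")
    if ep.security_mode != 3:
        findings.append(f"message security mode {MODE_NAMES.get(ep.security_mode, 'Invalid')}")
    if ANONYMOUS in ep.user_token_types:
        findings.append("anonymous user token accepted")
    # Without channel encryption the password depends on the token policy alone, often None.
    if USERNAME in ep.user_token_types and ep.security_mode != 3:
        findings.append("UserName token offered without channel encryption")
    return findings

def audit(endpoints):
    """Pair each endpoint label (url policy/mode) with its findings."""
    return [(f"{ep.url} {policy_name(ep.security_policy_uri)}/{MODE_NAMES.get(ep.security_mode, 'Invalid')}",
             audit_endpoint(ep)) for ep in endpoints]

def is_hardened(endpoints):
    """True only when no advertised endpoint has a finding."""
    return all(not findings for _, findings in audit(endpoints))

# Constructed sample: one host advertising three endpoints, as real servers usually do.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://plc-01:4840", POLICY_PREFIX + "None", 1, [ANONYMOUS, USERNAME]),
    Endpoint("opc.tcp://plc-01:4840", POLICY_PREFIX + "Basic128Rsa15", 3, [USERNAME]),
    Endpoint("opc.tcp://plc-01:4840", POLICY_PREFIX + "Basic256Sha256", 3, [USERNAME, CERTIFICATE]),
]
```

A server is only hardened when every advertised endpoint comes back clean; one leftover None or Basic128Rsa15 endpoint is enough to undo the others.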

Direct assessment with OpalOPC

  • The scanner can run interactively or headless, which is useful for OT baselines in CI/CD. Pipe its machine-readable output into your reporting pipeline to pinpoint anonymous logins, weak policies, certificate validation problems and writable variables within minutes.
  • Combine OpalOPC output with manual browsing: feed the discovered endpoint list back into your usual tooling, then carefully pick the high-impact nodes to weaponize (e.g. MotorControl/StartStop, RecipeManager/Upload).

Attacking legacy security policies (Basic128Rsa15)

  • Bleichenbacher-style oracle: Systems that still allow the deprecated Basic128Rsa15 policy (often enabled through build flags such as CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY) leak padding validation differences. Exploit this by flooding CreateSession / OpenSecureChannel handshakes with crafted PKCS#1 v1.5 blobs to recover the server's private key, then impersonate the server or decrypt traffic.
  • Authentication bypass: The OPC Foundation's .NET Standard stack before 1.5.374.158 (CVE-2024-42512) and products built on it let unauthenticated attackers force that legacy policy and then skip application-level authentication. Once you hold the key material you can submit arbitrary UserIdentityTokens, replay signed ActivateSession requests, and drive the plant as an authenticated engineering workstation.
  • Operational flow:
  1. Enumerate the policies with GetEndpoints and note any Basic128Rsa15 that appears.
  2. Explicitly negotiate that policy (SecurityPolicyUri in CreateSession), then run your oracle loop until the recovered key validates.
  3. Use that key to forge a highly privileged session, change roles, or silently downgrade other clients by acting as a rogue reverse proxy.
  • CODESYS Runtime Toolkit (<3.5.21.0) re-enabled Basic128Rsa15 whenever integrators built with CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY. Flip that flag, rerun the oracle workflow above, and you can leak the runtime's private key to impersonate trusted engineering workstations until patch level 3.5.21.0 or later is installed.
  • The OPC Foundation simultaneously published CVE-2024-42513 for the HTTPS bindings. Even when your target claims TLS, verify it is not silently downgraded to Basic128Rsa15 on the binary transport behind a proxy.

2024-2025 exploit watchlist

  • open62541 fuzz_binary_decode (CVE-2024-53429): SecureChannel chunks that declare oversized ExtensionObject bodies make the decoder reference freed memory, so an unauthenticated attacker can repeatedly crash UA servers that embed open62541 ≤1.4.6. Use the Claroty corpus (opcua_message_boofuzz_db) or build your own Boofuzz harness to spam mutated OpenSecureChannel requests until the watchdog kills the process, then re-enumerate, because many integrators fall back to anonymous mode after a reboot.
  • Softing OPC UA C++ SDK / edgeConnector / edgeAggregator (CVE-2025-7390): the TLS client-auth pipeline accepts any certificate that copies a trusted Common Name, so you can forge a short-lived cert, copy the CN from a plant engineer, and log in with any UserNameIdentityToken or IssuedIdentityToken. Combine this with a downgrade to Basic128Rsa15 to strip the integrity checks and impersonate operators persistently until the trust lists are fixed.

Crafting OPC UA clients for exploitation

  • Custom clients: Drop-in libraries (python-opcua/asyncua, node-opcua, open62541) let you drive the exploit logic yourself. Always force the target namespace index so you do not write to the wrong node after namespaces are re-indexed by a firmware update.
  • Node abuse checklist:
  • HistoryRead on production tags to snapshot the business's recipes.
  • TranslateBrowsePathsToNodeIds to resolve human-readable asset names into NodeIds usable by gadgets such as Claroty's framework.
  • Call + Method nodes to trigger maintenance tasks (firmware upload, calibration, device reboots).
  • RegisterNodes misuse to pin frequently used nodes and then starve legitimate clients by never releasing the handles.
  • Session hardening tests: Try opening many subscriptions with very low publishing intervals (under 50 ms) together with oversized monitored-item queues. Many stacks miscalculate RevisedPublishingInterval and crash from scheduler overflows.

Fuzzing & exploit development tooling

Claroty Team82 open-sourced opcua-exploit-framework, which packages their Pwn2Own research into reusable modules:

  • Modes: sanity (light read/browse), attacks (e.g. thread pool starvation, file upload DoS), corpus (replay fuzzing payloads), server (rogue OPC UA server for backdooring clients).
  • Usage pattern:
```
# Run a DoS attack against a Prosys Simulation Server endpoint
python3 main.py prosys 10.10.10.10 53530 /OPCUA/SimulationServer thread_pool_wait_starvation

# Replay an entire Boofuzz corpus against open62541
python3 main.py open62541 192.168.1.50 4840 / opcua_message_boofuzz_db input_corpus_minimized/opcua.db
```
  • Rogue server scenario: The bundled asyncua-based server lets you target client software by serving malicious address spaces (for example, responses with oversized ExtensionObjects to trigger parsing bugs in UA Expert clones).
  • Target coverage: The built-in profiles match Kepware, Ignition, Unified Automation, Softing SIS, Triangle Microworks, Node-OPCUA, Python OPC UA, Milo, open62541 and others, so you can switch between stacks quickly without rewriting payloads.
  • Integration tips: Chain its output with your fuzzers: spray the corpus payloads first, then use OpalOPC to verify whether the crash left insecure defaults behind (anonymous login, setpoint write access, etc.).

Exploiting authentication bypasses

If authentication bypass vulnerabilities are found, you can configure an OPC UA client accordingly and see what you can reach. This can allow anything from reading process values to operating heavy industrial equipment.

To get an idea of which device you are reaching, read the values of the "ServerStatus" node in the address space and google its user manual.

Shodan

  • port:4840
  • port:62541 "OPC UA"
  • ssl:"urn:opcua"
  • product:"opc ua"

Combine these searches with vendor strings ("Ignition OPC UA", "KepServerEX") or certificates ("CN=UaServerCert") to prioritise high-value assets before starting disruptive testing.
