OPC UA
aka opcua
Industrial interoperability protocol on 4840. Servers frequently allow anonymous sessions; connect to browse the node address space, read process values, and (where permitted) write — bridging IT to OT.
Ports
| Port | Proto | Notes |
|---|---|---|
| 4840 | tcp | OPC UA |
Fingerprint
- GetEndpoints returns security policies + whether Anonymous is allowed
- opcua-client connects on 4840
Exploitation primitives
- Enumerate endpoints / security policies (look for Anonymous + None)
- Browse the node tree and read variable values (sensor/process data)
- Write nodes where the server allows — physical-process impact
Overview
OPC UA on 4840 is the modern OT/IT bridge protocol. Many servers expose an endpoint with SecurityPolicy None and the Anonymous user token enabled, letting you browse and read the plant's data without credentials or encryption.
Enumeration
Check endpoints + auth:
python3 -c "from opcua import Client; c=Client('opc.tcp://<TARGET>:4840'); print(c.connect_and_get_server_endpoints())"
Browse nodes:
opcua-client opc.tcp://<TARGET>:4840
Scan for known issues:
nmap -p4840 -sV <TARGET>
Hardening
Disable the Anonymous endpoint, require Sign&Encrypt with certificates, and segment OT from IT.
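To check that the hardening above actually took effect, here is an added example (not from the original page) that audits a server's endpoint descriptions for the weak settings listed under Fingerprint and Hardening: SecurityPolicy None, Sign-only channels, deprecated policies, and the Anonymous token. The `Endpoint` model and the sample list are constructed; `from_ua` assumes the `EndpointDescription` attribute names python-opcua exposes, so in practice you would feed it the result of `connect_and_get_server_endpoints()`.

```python
"""Audit OPC UA endpoint descriptions for weak channel and auth settings."""
from dataclasses import dataclass

# Identifiers from the OPC UA spec: SecurityPolicy URIs, MessageSecurityMode, UserTokenType.
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
DEPRECATED_POLICIES = {"Basic128Rsa15", "Basic256"}           # deprecated since OPC UA 1.04
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3         # MessageSecurityMode values
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE = 0, 1, 2  # UserTokenType values


@dataclass
class Endpoint:                # constructed model mirroring EndpointDescription
    url: str
    policy_uri: str            # SecurityPolicyUri
    security_mode: int         # SecurityMode
    token_types: list          # TokenType of each UserIdentityTokens entry


def from_ua(ep):
    """Convert a python-opcua EndpointDescription (attribute names assumed per the spec)."""
    return Endpoint(ep.EndpointUrl, ep.SecurityPolicyUri, int(ep.SecurityMode),
                    [int(t.TokenType) for t in ep.UserIdentityTokens])


def policy_name(ep):
    return ep.policy_uri.rsplit("#", 1)[-1]


def audit_endpoint(ep):
    """Return the hardening gaps on one endpoint; an empty list means it passes."""
    findings = []
    if ep.policy_uri == POLICY_NONE or ep.security_mode == MODE_NONE:
        findings.append("no channel security (SecurityPolicy None)")
    elif ep.security_mode == MODE_SIGN:
        findings.append("Sign only: process values are readable on the wire")
    if policy_name(ep) in DEPRECATED_POLICIES:
        findings.append(f"deprecated security policy {policy_name(ep)}")
    if TOKEN_ANONYMOUS in ep.token_types:   # flagged even on an encrypted channel
        findings.append("Anonymous user token accepted")
    return findings


def audit_endpoints(endpoints):
    """Map (policy, mode) -> findings for every failing endpoint; {} means all pass."""
    return {(policy_name(ep), ep.security_mode): f
            for ep in endpoints if (f := audit_endpoint(ep))}


# Constructed sample: a default exposure, a half-hardened endpoint, and a hardened one.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://plc-sample:4840/", POLICY_NONE, MODE_NONE, [TOKEN_ANONYMOUS, TOKEN_USERNAME]),
    Endpoint("opc.tcp://plc-sample:4840/", "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
             MODE_SIGN_AND_ENCRYPT, [TOKEN_ANONYMOUS]),
    Endpoint("opc.tcp://plc-sample:4840/", "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
             MODE_SIGN_AND_ENCRYPT, [TOKEN_CERTIFICATE]),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(policy_name(ep), ep.security_mode, audit_endpoint(ep) or "OK")
```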