An OPC UA client that scans a network for servers. The OPC UA implementation used for this scanner is Eclipse Milo.
This scanner scans a subnet relative to its own IP-address(es) and tries to reach other hosts on the OPC UA default port 4840 (or a specified port). The size of the scanned subnet is determined by a given CIDR-Suffix, an IP Range, a hostname or a mix of these.
Download Latest Build Artifact
Getting Started Video on Asciinema.org
Endpoints are retrieved for all reachable hosts.
For each endpoint, the scanning client tries to connect in several ways, such as anonymously, using common username/password combinations and with expired or not yet valid certificates.
For each successful connection, the client tries to
- read information from the server
- browse the information on the server (and output it to an XML file)
- write information to the server
- delete information from the server
- call functions on the server if any were detected while browsing
To run the scanner, Java needs to be installed. If you only want to use the scanner and change its configuration (see below for what can be configured), and do not intend to change the code, you can use the build artifact.
Download the artifact from the link above, make a config.txt if you want to change the configuration, then run it with
java -jar opcua-scanner-jar-with-dependencies.jar opcua-scanner/default_config.txt
To build and run the project, both Maven and Java need to be installed. Run
mvn package
in the directory containing the pom.xml file. The output will show a message like
[INFO] Building jar: opcua-scanner/target/opcua-scanner-jar-with-dependencies.jar
This jar can be run to use the scanner with a configuration file, here default_config.txt
java -jar opcua-scanner/target/opcua-scanner-jar-with-dependencies.jar opcua-scanner/default_config.txt
The output is written to a CSV file that gives an overview of which privileges (e.g., connecting, reading, writing, deleting) were possible on which server per authentication method.
If you execute the scanner as described in the Execution section, you will find the result here:
opcua-scanner/target/OPCUAScannerResults.csv
The CSV file can be imported into a table using standard spreadsheet programs, such as Microsoft Excel or LibreOffice Calc. The separator of the data is a ",".
A configuration file can be passed as a command line parameter. There is no need to pass a file unless you want to deviate from the default options. All options have default values, which are the same as in default_config.txt. The default for ipRanges is applying a CIDR suffix of /29 to all of the scanner's own IPv4 addresses.
Configuration options for starting the scanner include:
writeActivated
Whether the client should try to write to the server. Beware of the potential consequences for running servers.
deleteActivated
Whether the client should try to delete from the server. Beware of the potential consequences for running servers.
port
The port to scan on.
outputFileName
The file name of the CSV file to produce. This should not include the file extension.
ipRanges
The IP addresses to scan, separated by commas. Each entry can be one of:
- A hostname
- A single IP address
- An IP address with a CIDR suffix (such as 127.0.0.1/29). Hint: the CIDR suffix is the number of leading bits of the IP address that are fixed. It determines the size of the subnet. The larger the suffix, the smaller the part of the subnet that will be scanned.
- An IP range, for example 127.0.0.1-20 will scan IP addresses 127.0.0.1 through 127.0.0.20. Only the block of the IP address after the last dot can be configured. If larger ranges should be scanned, this can be done by listing multiple ranges.
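To check how many hosts an ipRanges value covers before running the scanner (especially with writeActivated or deleteActivated set), the entry formats listed above can be expanded offline. This is an added example, not code from the scanner project; the function names are hypothetical. It assumes every address in a CIDR block counts as a target, that whitespace around commas is ignored, and it leaves hostnames unresolved.

```python
import ipaddress


def expand_entry(entry):
    """Expand one ipRanges entry into the targets it covers."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty ipRanges entry")
    if "/" in entry:
        # CIDR suffix. strict=False accepts a host address such as
        # 127.0.0.1/29 and maps it to the enclosing block.
        # Assumption: all addresses of the block are counted.
        net = ipaddress.IPv4Network(entry, strict=False)
        return [str(addr) for addr in net]
    head, dash, tail = entry.rpartition("-")
    if dash and tail.isdigit():
        try:
            start = ipaddress.IPv4Address(head)
        except ValueError:
            start = None  # e.g. the hostname "plc-2", not a range
        if start is not None:
            # Range form: only the block after the last dot varies.
            prefix, _, first = head.rpartition(".")
            if not int(first) <= int(tail) <= 255:
                raise ValueError("bad range: " + entry)
            return [f"{prefix}.{n}" for n in range(int(first), int(tail) + 1)]
    try:
        return [str(ipaddress.IPv4Address(entry))]
    except ValueError:
        return [entry]  # hostname, left unresolved so this runs offline


def scan_scope(ip_ranges):
    """Return the de-duplicated targets for a whole ipRanges value."""
    targets = []
    for entry in ip_ranges.split(","):
        for target in expand_entry(entry):
            if target not in targets:
                targets.append(target)
    return targets


if __name__ == "__main__":
    # Constructed sample value using the formats listed above.
    sample = "127.0.0.1/29, 127.0.0.1-20, plc-2.example.test"
    scope = scan_scope(sample)
    print(len(scope), "targets")
    for target in scope:
        print(target)
```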
More reasonable configuration options could be:
- a file containing (additional?) credentials to test
- whether to retrieve the information model via browsing
- where to output the information model from browsing, i.e., console or file