An opcua client scanning for servers in a network. The OPC UA implementation used for this scanner is Eclipse Milo.

This scanner scans a subnet relative to its own IP-address(es) and tries to reach other hosts on the OPC UA default port 4840 (or a specified port). The size of the scanned subnet is determined by a given CIDR-Suffix, an IP Range, a hostname or a mix of these.

Download Latest Build Artifact

Getting Started Video on Asciinema.org

Endpoints are retrieved for all reachable hosts.

For each endpoint, the scanning client tries to connect in several ways, such as anonymously, using common username/password combinations and with expired or not yet valid certificates.

For each successful connection, the client tries to

• read information from the server
• browse the information on the server (and outputs it to xml file)
• write information to the server
• delete information from the server
• call functions on the server if any where detected while browsing

To run the scanner, Java needs to be installed. The build artifact can be used, if you want to use the scanner and only want to change the configuration (see below what can be configured) and do not intend to change the code.

Download the artifact from the link above, make a config.txt if you want to change the configuration, then run it with

java -jar opcua-scanner-jar-with-dependencies.jar opcua-scanner/default_config.txt

To build and run the project, both Maven and Java need to be installed. Run mvn package in the directory containing the pom.xml file. The output will show a message like

[INFO] Building jar: opcua-scanner/target/opcua-scanner-jar-with-dependencies.jar

This jar can be run to use the scanner with a configuration file, here default_config.txt

java -jar opcua-scanner/target/opcua-scanner-jar-with-dependencies.jar opcua-scanner/default_config.txt

The output is written to a csv file offering an overview which privileges (e.g., connecting, reading, writing, deleting) were possible on which server per authentication method. If you execute the scanner as described in the section Execution you find the result here opcua-scanner/target/OPCUAScannerResults.csv

The csv file can be imported to a table using standard office calculation programs, such as Microsoft Excel or LibreOffice Calc. The separator of the data is a ",".

A configuration file can be passed as a command line parameter. There is no need to pass a file, unless you differ from the default options. All options have default values, which are the same as in default_config.txt. The default for ipRanges is applying a cidr suffix of /29 to all own IPv4 addresses.

Configuration options for starting the scanner include:

• writeActivated Whether the client should try write to the server. Beware of the potential consequences for running servers
• deleteActivated Whether the client should try delete from the server. Beware of the potential consequences for running servers
• port The port to scan on.
• outputFileName The file name of the csv file to produce. This should not include the file extension.
• ipRanges The ip addresses to scan, seperated by commas. Can be either:
  • A hostname
  • A single IP address
  • An IP address with a CIDR Suffix (such as 127.0.0.1/29). Hint: CIDR Suffix = Fixed bits of the IP from start on. Used to determine the size of the subnet. The larger the suffix, the smaller the part of the subnet that will be scanned.
  • Or an IP range, for example 127.0.0.1-20 will scan ip addresses 127.0.0.1 through 127.0.0.20. Only the block of the ip addresses the last dot can be configured. If larger ranges should be scanned, this can be done by listing multiple ranges.

More reasonable configuration options could be:

• a file containing (additional?) credentials to test
• whether to retrieve the information model via browsing
• where to output the information model from browsing, i.e., console or file