Add OPC UA TCP service detection #2791

Open
wants to merge 2 commits into base: master

Conversation

ValtteriL

Add OPC UA TCP service detection

Send HEL message with invalid EndpointURI and expect either ACK or ERR as response [1].
Ports are default ports on popular OPC UA software [2].
Rarity based on gut feeling.

References:

  1. https://reference.opcfoundation.org/Core/Part6/v104/docs/7
  2. https://claroty.com/team82/research/opc-ua-deep-dive-series-a-one-of-a-kind-opc-ua-exploit-framework

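
As an added example (not code from this PR or from nmap itself), the exchange the probe relies on, encoded field by field: `build_hello` produces the HEL message from OPC UA Part 6 section 7.1.2 with whatever EndpointUrl the caller passes, and `parse_response` classifies the reply as ACK (endpoint accepted) or ERR (status code plus reason), which is what a service-inventory check needs. The `build_error` helper and the reason text are constructed here only to simulate a server reply offline; the status code 0x80830000 is the Bad_TcpEndpointUrlInvalid value reported in the nmap output later in this thread.

```python
import struct

# OPC UA TCP message header (Part 6, 7.1.2): 3-byte type, chunk type ("F" = final), UInt32 total size.
HEADER = struct.Struct("<3ssI")
BAD_TCP_ENDPOINT_URL_INVALID = 0x80830000  # status code seen in the nmap output in this thread

def encode_string(s):
    """OPC UA String: Int32 byte length followed by UTF-8 bytes; -1 encodes null."""
    if s is None:
        return struct.pack("<i", -1)
    raw = s.encode("utf-8")
    return struct.pack("<i", len(raw)) + raw

def decode_string(buf, off):
    (n,) = struct.unpack_from("<i", buf, off)
    off += 4
    if n < 0:
        return None, off
    return buf[off:off + n].decode("utf-8", "replace"), off + n

def build_hello(endpoint_url, recv_buf=65536, send_buf=65536, max_msg=0, max_chunks=0):
    """HEL body: ProtocolVersion, ReceiveBufferSize, SendBufferSize, MaxMessageSize, MaxChunkCount, EndpointUrl."""
    body = struct.pack("<5I", 0, recv_buf, send_buf, max_msg, max_chunks) + encode_string(endpoint_url)
    return HEADER.pack(b"HEL", b"F", HEADER.size + len(body)) + body

def build_error(code, reason):
    """ERR message; used here only to construct a simulated server reply offline."""
    body = struct.pack("<I", code) + encode_string(reason)
    return HEADER.pack(b"ERR", b"F", HEADER.size + len(body)) + body

def parse_response(data):
    """ACK -> endpoint accepted; ERR -> status code + reason; None -> not an OPC UA reply."""
    if len(data) < HEADER.size:
        return None
    mtype, chunk, size = HEADER.unpack_from(data)
    if chunk != b"F" or size < HEADER.size or size > len(data):
        return None  # not a single final chunk, or truncated
    body = data[HEADER.size:size]
    if mtype == b"ACK" and len(body) == 20:
        ver, rbuf, sbuf, maxmsg, maxchunk = struct.unpack("<5I", body)
        return {"type": "ACK", "protocol_version": ver, "receive_buffer_size": rbuf,
                "send_buffer_size": sbuf, "max_message_size": maxmsg, "max_chunk_count": maxchunk}
    if mtype == b"ERR" and len(body) >= 8:
        (code,) = struct.unpack_from("<I", body, 0)
        reason, _ = decode_string(body, 4)
        return {"type": "ERR", "code": code, "reason": reason}
    return None
```

Either a well-formed ACK or an ERR is enough to identify the listener as OPC UA, which is why the probe accepts both; a reply that parses as neither is treated as not OPC UA.
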
@f0rw4rd

f0rw4rd commented Mar 5, 2024

Adding multiple ports is a good idea :-)
I have a similar PR pending #2730, maybe we can merge the ideas?

@ValtteriL
Author

Indeed we should! You seem to have a more complete solution with error codes and all. With added ports it would be best of both worlds? :)

Can you add the ports to your PR? I can then try yours against my test systems and then proceed to close this one in favor of yours.

@f0rw4rd

f0rw4rd commented Apr 2, 2024

Sorry for the late response. You wrote such a nice blog article about how to add custom service probes and I would like to support this by closing my PR. Could you include the error code detection from my PR?

@ValtteriL
Author

I decreased the rarity by one and added the ports to the OPC UA probe. Otherwise kept your changes. Worked well on my systems. 💪

valtteri@t490:~/development/nmap/my-dir$ sudo nmap -T4 -n -sV --open -Pn --datadir . -p 53530 echo.koti.kontu
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-07 20:19 EEST
Nmap scan report for echo.koti.kontu (172.16.1.8)
Host is up (0.0027s latency).

PORT      STATE SERVICE VERSION
53530/tcp open  opcua   OPC UA Binary Connection Protocol (Error 2156068864 Bad_TcpEndpointUrlInvalid (code=0x80830000, description="The server does not recognize the QueryString ...)

Read from .: nmap-service-probes.
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.53 seconds

@f0rw4rd

f0rw4rd commented Apr 22, 2024

Looks good, closed my PR
