Hiya HN,
A client in the automation sector was looking for a tool to test the security of their OPC UA servers. All I could find was either mere PoCs or otherwise hard to grasp and use for an OT person in a corporate setting [0-3].
Therefore I set out to create one myself. First, I invented different things to check in servers, categorized them, and approximated a CVSS score for each. Then I created an easy-to-use scanner program that does the checking and outputs a pretty HTML report.
The scanner contains both a GUI and a CLI. It is free for non-commercial use and for commercial use if your organization's yearly turnover is less than $1M.
It is still early in development, and I've got multiple new checks and other things to add to it. There may be bugs lurking in there as well.
You can try it on a practice target I set up for that purpose (try not to hammer on the server too hard): opc.tcp://scanme.opalopc.com:53530
All feedback welcome and encouraged. Thanks! :)
[0] https://github.com/scy-phy/OPC-UA-attacks-POC
[1] https://github.com/abirke/opcuapen
[2] https://github.com/secure-software-engineering/opcua-scanner
[3] https://github.com/COMSYS/msf-opcua
Nmap was a source of inspiration for the CLI version.