4.1 KiB

Raw Blame History

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

47808/udp - Pentesting BACNet

Protocol Information

BACnet is a communications protocol for Building Automation and Control BAC networks that leverage the ASHRAE, ANSI, and ISO 16484-5 standard[1] protocol.

BACnet was designed to allow communication of building automation and control systems for applications such as heating, ventilating, and air-conditioning control [HVAC](https://en.wikipedia.org/wiki/HVAC), lighting control, access control, and fire detection systems and their associated equipment. The BACnet protocol provides mechanisms for computerized building automation devices to exchange information, regardless of the particular building service they perform.
From Wikipedia

Default port: 47808

PORT      STATE SERVICE
47808/udp open  BACNet -- Building Automation and Control NetworksEnumerate

Enumeration

Manual

pip3 install BAC0
import BAC0
bbmdIP = '<IP>:47808'
bbmdTTL = 900
bacnet = BAC0.connect(bbmdAddress=bbmdIP, bbmdTTL=bbmdTTL) #Connect
bacnet.vendorName.strValue
#I couldn't find how to obtain the same data as nmap with this library or any other
#talk me if you know how please

Automatic

nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 <IP>

This script does not attempt to join a BACnet network as a foreign device, it simply sends BACnet requests directly to an IP addressable device.

Shodan

port:47808 instance
"Instance ID" "Vendor Name"