hacktricks/network-services-pentesting/47808-udp-bacnet.md

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}


# Información del Protocolo

**BACnet** es un **protocolo de comunicaciones** para redes de Automatización y Control de Edificios (BAC) que aprovecha el **ASHRAE**, **ANSI** y el protocolo estándar **ISO 16484-5**. Facilita la comunicación entre sistemas de automatización y control de edificios, permitiendo que aplicaciones como control de HVAC, control de iluminación, control de acceso y sistemas de detección de incendios intercambien información. BACnet asegura la interoperabilidad y permite que dispositivos de automatización de edificios computarizados se comuniquen, independientemente de los servicios específicos que proporcionen.

**Puerto por defecto:** 47808
```text
PORT      STATE SERVICE
47808/udp open  BACNet -- Building Automation and Control NetworksEnumerate
```
# Enumeración

## Manual
```bash
pip3 install BAC0
pip3 install netifaces

import BAC0
import time

myIP = '<Your IP>/<MASK>' #You need to be on the same subnet as the bacnet device. Example: '192.168.1.4/24'
bacnet = BAC0.connect(ip=myIP)
bacnet.whois() #Broadcast request of bacnet devices
time.sleep(5)  #Wait for devices to respond
for i, (deviceId, companyId, devIp, numDeviceId) in enumerate(bacnet.devices):
print(f"-------- Device #{numDeviceId} --------")
print(f"Device:     {deviceId}")
print(f"IP:         {devIp}")
print(f"Company:    {companyId}")
readDevice = bacnet.readMultiple(f"{devIp} device {numDeviceId} all")
print(f"Model Name: {readDevice[11]}")
print(f"Version:    {readDevice[2]}")
# print(readDevice) #List all available info about the device
```
## Automático
```bash
nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 <IP>
```
Este script no intenta unirse a una red BACnet como un dispositivo extranjero, simplemente envía solicitudes BACnet directamente a un dispositivo direccionable por IP.

## Shodan

* `port:47808 instance`
* `"Instance ID" "Vendor Name"`


{% hint style="success" %}
Aprende y practica Hacking en AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprende y practica Hacking en GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Apoya a HackTricks</summary>

* Revisa los [**planes de suscripción**](https://github.com/sponsors/carlospolop)!
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Comparte trucos de hacking enviando PRs a los** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.

</details>
{% endhint %}
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Translated ['network-services-pentesting/10000-network-data-management-p 2024-01-05 23:02:46 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`<details>`
Translated ['network-services-pentesting/10000-network-data-management-p 2024-01-05 23:02:46 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`<summary>Support HackTricks</summary>`
Translated ['network-services-pentesting/10000-network-data-management-p 2024-01-05 23:02:46 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Translated ['network-services-pentesting/10000-network-data-management-p 2024-01-05 23:02:46 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`{% endhint %}`
Translated ['network-services-pentesting/10000-network-data-management-p 2024-01-05 23:02:46 +00:00

f 2023-06-05 18:33:24 +00:00			`# Información del Protocolo`

Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			BACnet es un protocolo de comunicaciones para redes de Automatización y Control de Edificios (BAC) que aprovecha el ASHRAE, ANSI y el protocolo estándar ISO 16484-5. Facilita la comunicación entre sistemas de automatización y control de edificios, permitiendo que aplicaciones como control de HVAC, control de iluminación, control de acceso y sistemas de detección de incendios intercambien información. BACnet asegura la interoperabilidad y permite que dispositivos de automatización de edificios computarizados se comuniquen, independientemente de los servicios específicos que proporcionen.
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`Puerto por defecto: 47808`
f 2023-06-05 18:33:24 +00:00			```text
			`PORT STATE SERVICE`
			`47808/udp open BACNet -- Building Automation and Control NetworksEnumerate`
			```
			`# Enumeración`

			`## Manual`
			```bash
			`pip3 install BAC0`
Translated ['network-services-pentesting/47808-udp-bacnet.md'] to es 2024-02-14 10:08:32 +00:00			`pip3 install netifaces`

f 2023-06-05 18:33:24 +00:00			`import BAC0`
Translated ['network-services-pentesting/47808-udp-bacnet.md'] to es 2024-02-14 10:08:32 +00:00			`import time`

			`myIP = '<Your IP>/<MASK>' #You need to be on the same subnet as the bacnet device. Example: '192.168.1.4/24'`
			`bacnet = BAC0.connect(ip=myIP)`
			`bacnet.whois() #Broadcast request of bacnet devices`
			`time.sleep(5) #Wait for devices to respond`
			`for i, (deviceId, companyId, devIp, numDeviceId) in enumerate(bacnet.devices):`
			`print(f"-------- Device #{numDeviceId} --------")`
			`print(f"Device: {deviceId}")`
			`print(f"IP: {devIp}")`
			`print(f"Company: {companyId}")`
			`readDevice = bacnet.readMultiple(f"{devIp} device {numDeviceId} all")`
			`print(f"Model Name: {readDevice[11]}")`
			`print(f"Version: {readDevice[2]}")`
			`# print(readDevice) #List all available info about the device`
f 2023-06-05 18:33:24 +00:00			```
			`## Automático`
			```bash
			`nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 <IP>`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`Este script no intenta unirse a una red BACnet como un dispositivo extranjero, simplemente envía solicitudes BACnet directamente a un dispositivo direccionable por IP.`
f 2023-06-05 18:33:24 +00:00
			`## Shodan`

Translated ['network-services-pentesting/11211-memcache/memcache-command 2024-02-08 22:27:35 +00:00			* `port:47808 instance`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			* `"Instance ID" "Vendor Name"`
f 2023-06-05 18:33:24 +00:00


Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`{% hint style="success" %}`
			`Aprende y practica Hacking en AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprende y practica Hacking en GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`<details>`
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`<summary>Apoya a HackTricks</summary>`
f 2023-06-05 18:33:24 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`* Revisa los [planes de suscripción](https://github.com/sponsors/carlospolop)!`
			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Comparte trucos de hacking enviando PRs a los [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.`
f 2023-06-05 18:33:24 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 04:39:11 +00:00			`{% endhint %}`