hacktricks/network-services-pentesting/47808-udp-bacnet.md
2022-09-09 13:28:04 +02:00

80 lines
4.1 KiB
Markdown

<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
# Protocol Information
**BACnet** is a [communications protocol](https://en.wikipedia.org/wiki/Communications_protocol) for Building Automation and Control \(BAC\) networks that leverage the [ASHRAE](https://en.wikipedia.org/wiki/ASHRAE), [ANSI](https://en.wikipedia.org/wiki/ANSI), and [ISO](https://en.wikipedia.org/wiki/International_Organization_for_Standardization) 16484-5 standard[\[1\]](https://en.wikipedia.org/wiki/BACnet#cite_note-1) protocol.
BACnet was designed to allow communication of [building automation](https://en.wikipedia.org/wiki/Building_automation) and control systems for applications such as heating, ventilating, and air-conditioning control \([HVAC](https://en.wikipedia.org/wiki/HVAC)\), lighting control, access control, and fire detection systems and their associated equipment. The BACnet protocol provides mechanisms for computerized building automation devices to exchange information, regardless of the particular building service they perform.
From [Wikipedia](https://en.wikipedia.org/wiki/BACnet)
**Default port:** 47808
```text
PORT STATE SERVICE
47808/udp open BACNet -- Building Automation and Control NetworksEnumerate
```
# Enumeration
## Manual
```bash
pip3 install BAC0
import BAC0
bbmdIP = '<IP>:47808'
bbmdTTL = 900
bacnet = BAC0.connect(bbmdAddress=bbmdIP, bbmdTTL=bbmdTTL) #Connect
bacnet.vendorName.strValue
#I couldn't find how to obtain the same data as nmap with this library or any other
#talk me if you know how please
```
## Automatic
```bash
nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 <IP>
```
This script does not attempt to join a BACnet network as a foreign device, it simply sends BACnet requests directly to an IP addressable device.
## Shodan
* `port:47808 instance`
* `"Instance ID" "Vendor Name"`
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>