Redpoint: Discover & Enumerate BACnet Devices

Digital Bond has had an internal research project to develop tools that discover and enumerate ICS applications and devices. We call this project Redpoint, and we use the growing list of tools with care on ICS security assessments and other projects for our clients. The tools often begin as quick and dirty Python scripts, but the goal is to move as many as possible to Nmap scripts and make the most useful ones generally available.

So let’s start with BACnet-discover-enumerate.nse, which you can download now from our GitHub Redpoint repository.

BACnet is widely used in building automation systems that monitor and control HVAC, lighting, fire detection, building security, … and of course it is insecure by design.

The discovery is more than just port scanning UDP/47808. The script sends a BACnet request to the port. Newer devices will respond with some helpful information; older devices send back a BACnet error message. Either way you know it is a BACnet device.

If the device is an IP BACnet Router you can often join the BACnet network as a foreign device. This slide from BACnet.org gives you some ideas on how helpful that would be in enumerating all of the devices, including serial connected devices, on a BACnet network. Those extensions and other more intrusive capabilities we keep in house.

If it is a device compliant with the BACnet specification post 2004, the script will pull some very helpful information, as you see in the second and third examples in the screenshot.

  • Knowing the Object Identifier and having a BACnet client will usually allow you to issue commands to the BACnet device, such as change setpoint, change schedule, or change program, depending on the capabilities of the BACnet device.
  • Vendor, firmware and software versions are helpful in identifying default settings, device information and known vulnerabilities, although you really don’t need a vulnerability. We find them most helpful in telling the client what is where when an unknown building automation system is found accessible to everyone on the corporate network.
  • Where is the discovered device? The object name and location can give you a clue, or very specific information if the asset owner or integrator used these fields. Again, take a look at the examples in the screenshot. This can be very helpful in an inventory effort or assessment.
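As an added illustration of the exchange described above (this is example code written for this page, not the Redpoint NSE script or any Digital Bond code), the Python below builds the same kind of BACnet/IP ReadProperty request the script sends and classifies whatever comes back: a Complex-ACK yields the object identifier, vendor name, firmware and software versions, object name and location of the device object, while a BACnet-Error, Reject or Abort still proves a BACnet stack is listening. It reads the device object with the wildcard instance 4194303 so that no device instance needs to be known in advance; that the wildcard is what separates the newer-device and older-device behaviour the post describes is this example's reading of the protocol, not something the page states. Property numbers and tag encodings follow the BACnet standard; the parser also steps over the SNET/SADR fields that replies relayed by a BACnet router carry. The three sample replies are hand-constructed for this example, not captured traffic, and all helper names are my own.

```python
import struct

OBJ_DEVICE = 8                 # BACnetObjectType: device
DEVICE_WILDCARD = 0x3FFFFF     # instance 4194303 = "whichever device answers" (post-2004 spec)

# BACnetPropertyIdentifier values for the device-object properties Redpoint reports
PROPERTIES = {"object-identifier": 75, "object-name": 77, "vendor-name": 121,
              "firmware-revision": 44, "application-software-version": 12,
              "location": 58, "model-name": 70, "description": 28}

def build_read_property(prop_id, invoke_id=1, instance=DEVICE_WILDCARD):
    """BVLC-wrapped Confirmed-Request ReadProperty for one device-object property (id < 256)."""
    # Confirmed-Request (PDU type 0, unsegmented), max APDU 1476 (0x05), invoke id,
    # service choice 12 = readProperty, then context tag 0 (length 4) objectIdentifier
    apdu = bytes([0x00, 0x05, invoke_id, 0x0C, 0x0C]) + struct.pack(">I", (OBJ_DEVICE << 22) | instance)
    apdu += bytes([0x19, prop_id])         # context tag 1 (length 1): propertyIdentifier
    body = bytes([0x01, 0x04]) + apdu      # NPDU version 1, control 0x04 = reply expected
    # BVLC: 0x81 BACnet/IP, 0x0A Original-Unicast-NPDU, total length including this header
    return bytes([0x81, 0x0A]) + struct.pack(">H", 4 + len(body)) + body

def _skip_npdu(data, pos):
    """Advance past the NPDU, including the DNET/SNET fields that routed replies carry."""
    if data[pos] != 1:
        raise ValueError("unsupported NPDU version %d" % data[pos])
    control, pos = data[pos + 1], pos + 2
    if control & 0x20:                     # DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + data[pos + 2]
    if control & 0x08:                     # SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + data[pos + 2]
    if control & 0x20:                     # hop count follows the address fields
        pos += 1
    return pos

def _read_tag(data, pos):
    """Decode a BACnet tag header -> (tag number, is_context, length-or-type, next pos)."""
    tag = data[pos]
    number, ctx, lvt, pos = tag >> 4, bool(tag & 0x08), tag & 0x07, pos + 1
    if number == 0x0F:                     # extended tag number lives in the next octet
        number, pos = data[pos], pos + 1
    if lvt == 5:                           # extended length: 1 octet, or 254/255 + 2/4 octets
        lvt, pos = data[pos], pos + 1
        if lvt == 254:
            lvt, pos = struct.unpack(">H", data[pos:pos + 2])[0], pos + 2
        elif lvt == 255:
            lvt, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
    return number, ctx, lvt, pos

def _decode_app_value(data, pos):
    """Decode one application-tagged value of the types these properties use."""
    number, ctx, length, pos = _read_tag(data, pos)
    if ctx:
        raise ValueError("expected an application tag")
    raw, pos = data[pos:pos + length], pos + length
    if number in (2, 9):                   # Unsigned / Enumerated
        return int.from_bytes(raw, "big"), pos
    if number == 7:                        # CharacterString: first octet names the encoding
        codec = {0: "utf-8", 4: "utf-16-be", 5: "latin-1"}.get(raw[0]) if raw else "utf-8"
        return (raw[1:].decode(codec, "replace") if codec else raw.hex()), pos
    if number == 12:                       # BACnetObjectIdentifier -> (type, instance)
        obj = struct.unpack(">I", raw)[0]
        return (obj >> 22, obj & 0x3FFFFF), pos
    return raw.hex(), pos

def parse_response(data):
    """Classify a reply; Complex-ACK, Error, Reject and Abort all prove a BACnet stack answered."""
    if len(data) < 6 or data[0] != 0x81:
        return {"bacnet": False}
    pos = _skip_npdu(data, 4)
    pdu_type = data[pos] >> 4
    result = {"bacnet": True, "kind": "other", "invoke_id": data[pos + 1]}
    if pdu_type == 5:                      # BACnet-Error: error-class then error-code (Enumerated)
        cls, pos = _decode_app_value(data, pos + 3)
        code, pos = _decode_app_value(data, pos)
        result.update(kind="error", error_class=cls, error_code=code)
    elif pdu_type in (6, 7):               # Reject / Abort: one-octet reason after the invoke id
        result.update(kind="reject" if pdu_type == 6 else "abort", reason=data[pos + 2])
    elif pdu_type == 3:                    # Complex-ACK: [0] objectId, [1] propertyId, [3] value [3]
        _, _, n, pos = _read_tag(data, pos + 3)
        obj, pos = struct.unpack(">I", data[pos:pos + n])[0], pos + n
        _, _, n, pos = _read_tag(data, pos)
        prop, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        number, ctx, lvt, pos = _read_tag(data, pos)
        if not (ctx and number == 3 and lvt == 6):
            raise ValueError("expected opening tag 3 (propertyValue)")
        value, pos = _decode_app_value(data, pos)
        result.update(kind="complex-ack", object=(obj >> 22, obj & 0x3FFFFF),
                      property=prop, value=value)
    return result

# Constructed sample replies, hand-assembled for this example (not captured traffic)
SAMPLE_ACK = bytes.fromhex(      # object-name "Boiler Controller" from device instance 10
    "810a0026" "0100" "30010c" "0c0200000a" "194d" "3e" "7512" "00"
    "426f696c657220436f6e74726f6c6c6572" "3f")
SAMPLE_ROUTED = bytes.fromhex(   # object-identifier relayed by a router: SNET=1, SADR=5
    "810a001b" "010800010105" "30020c" "0c0200000a" "194b" "3e" "c40200000a" "3f")
SAMPLE_ERROR = bytes.fromhex(    # older stack rejecting the wildcard: class object(1), code unknown-object(31)
    "810a000d" "0100" "50010c" "9101" "911f")
```

For live use the request from `build_read_property()` is sent as a single UDP datagram to port 47808 and the datagram that comes back is handed to `parse_response()`; one request per entry in `PROPERTIES`, each with its own invoke id, reproduces the inventory the NSE script prints. Keeping the error and reject branches is what lets the older devices count as discovered rather than as timeouts.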


We want to be clear on what this script is not. It is not the discovery of a new protocol or protocol implementation vulnerability. It uses documented features of an insecure by design protocol. The “big hack” we did to create the script was to read the specification.

We chose to start the publicly available version of Redpoint with BACnet because building automation systems are so widely deployed on corporate networks, and yes you will find many Internet accessible BACnet devices.

This BACnet script was a team effort: Michael Toecker dug into the protocol and generated some Python scripts and sample pcaps, and Stephen Hilt wrote the parsing code and converted some of the initial Python efforts into an Nmap script.

Stay tuned for additional Redpoint releases, or even better, add your ICS discovery and enumeration tool to Redpoint.

Image by Dru!

3 comments to Redpoint: Discover & Enumerate BACnet Devices

  • DC Milwaukee

    OPC UA is the better choice.

    BACnet is extremely slow to adapt and ASHRAE instructed specifiers largely don’t pay any attention to network security in design.

  • Would you mind sharing some guidance on how you would approach using this script against larger network ranges? The combination of a UDP port (with timeouts) and an NSE script can add a lot of time overhead to the scan. Thanks!

  • Good question. There are a few ways you can speed up the scan results while using the BACnet NSE that was developed:

    1) Use only the BACnet port, i.e. -p 47808
    2) Speed up the timing of the packets, e.g. the “Insane” mode -T5
    3) Use the --host-timeout option, such as --host-timeout 10
    4) Disable DNS lookup by doing a -n

    nmap -sU -p 47808 -n -T5 --host-timeout 10

    Also, we have determined that using a Linux/Unix host will give you better results, based on binding to a single UDP port for receiving packets.

    A good reference for scanning large subnets or even the internet is Fyodor’s 2008 talk about scanning the Internet http://nmap.org/presentations/BHDC08/bhdc08-slides-fyodor.pdf
