Last week Stephen made a minor, but very helpful, update to the Redpoint script that identifies and enumerates BACnet gateways and devices. All publicly available Redpoint scripts are on our GitHub, and some of the scripts have been integrated into the nmap download.
The latest version has the option to pull the Foreign Device Table (FDT) and the Broadcast Distribution Table (BDT). Both are helpful in enumerating BACnet devices on other subnets, including subnets your scanner cannot reach directly.
Imagine the case where you have a BACnet device on the corporate network that is used by the team to view the status of an otherwise segmented building management system from their corporate computers. The BDT and FDT may help you identify those non-accessible devices.
Any time a BACnet network consists of more than one subnet, each subnet must have a BACnet Broadcast Management Device (BBMD). Each BBMD in the BACnet network has an identical Broadcast Distribution Table (BDT) that lists all of the BBMDs in the network. So by recovering the BDT you will learn all the subnets that have BACnet devices in the BACnet network.
Well, not quite. There is another way for a BACnet device on a different subnet to join a BACnet network … by registering as a foreign device. To fully participate in the BACnet network the foreign device should register with a BBMD. However, the foreign device can register with any device that supports foreign devices, and most BACnet gateways do.
So the Redpoint script can also pull the Foreign Device Table (FDT), which is useful in identifying BACnet devices and possibly even attackers.
Each entry in the FDT is supposed to carry a Time-To-Live for the registered foreign device, and the device holding the table is supposed to erase foreign devices that don’t re-register within that time period. In practice we have found that many foreign device entries never time out.
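To make the two tables concrete, here is a small decoder for the BVLC Read-BDT-Ack and Read-FDT-Ack responses that a BBMD or gateway returns. This is an added example written for this post, not code from the Redpoint script; the response frames at the bottom are constructed by hand, and the field layout follows the BACnet/IP (Annex J) definition of 10-octet table entries.

```python
import ipaddress
import struct

BVLC_TYPE = 0x81                       # every BACnet/IP frame starts with this octet
READ_BDT, READ_BDT_ACK = 0x02, 0x03    # BVLC function codes (ASHRAE 135 Annex J)
READ_FDT, READ_FDT_ACK = 0x06, 0x07
BACNET_PORT = 0xBAC0                   # 47808, the default BACnet/IP UDP port


def bvlc_request(function):
    """Header-only BVLC request: type, function, total length (4 octets)."""
    return struct.pack("!BBH", BVLC_TYPE, function, 4)


def _entries(frame, expected_function):
    """Check the BVLC header and return the 10-octet table entries that follow it."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BVLC frame")
    function, length = frame[1], struct.unpack("!H", frame[2:4])[0]
    if function != expected_function:
        raise ValueError(f"unexpected BVLC function 0x{function:02x}")
    if length != len(frame) or (length - 4) % 10:
        raise ValueError("length field does not cover whole 10-octet entries")
    return [frame[off:off + 10] for off in range(4, length, 10)]


def parse_bdt_ack(frame):
    """Read-BDT-Ack entry: BBMD IP (4), UDP port (2), broadcast distribution mask (4).
    A mask of all ones means two-hop distribution (the peer BBMD rebroadcasts);
    any other mask means a one-hop directed broadcast to IP | ~mask."""
    result = []
    for e in _entries(frame, READ_BDT_ACK):
        ip = ipaddress.IPv4Address(e[:4])
        port, mask = struct.unpack("!H", e[4:6])[0], int.from_bytes(e[6:], "big")
        reach = "two-hop" if mask == 0xFFFFFFFF else str(ipaddress.IPv4Address(int(ip) | (~mask & 0xFFFFFFFF)))
        result.append((str(ip), port, reach))
    return result


def parse_fdt_ack(frame):
    """Read-FDT-Ack entry: foreign device IP (4), UDP port (2), TTL (2), seconds remaining (2)."""
    return [(str(ipaddress.IPv4Address(e[:4])),) + struct.unpack("!HHH", e[4:])
            for e in _entries(frame, READ_FDT_ACK)]


# Constructed sample responses (not captured from a real device).
SAMPLE_BDT_ACK = bytes.fromhex("81030018" "0a000105bac0ffffffff" "0a000205bac0ffffff00")
SAMPLE_FDT_ACK = bytes.fromhex("81070018" "c0a83207bac0003c002d" "c0a84d09bac0ffffffff")

if __name__ == "__main__":
    print("Read-BDT request:", bvlc_request(READ_BDT).hex())
    for bbmd in parse_bdt_ack(SAMPLE_BDT_ACK):
        print("BBMD %s:%d reaches %s" % bbmd)
    for ip, port, ttl, left in parse_fdt_ack(SAMPLE_FDT_ACK):
        print(f"foreign device {ip}:{port} ttl={ttl}s remaining={left}s")
```

The second FDT entry, with TTL and remaining time both at 0xFFFF, is the shape of the never-expiring registrations mentioned above and is worth listing separately when you audit a gateway.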
Let’s look at a practical example from Redpoint output: