{{#include ../banners/hacktricks-training.md}}

# 协议信息

**BACnet** 是一种用于建筑自动化和控制（BAC）网络的 **通信协议**，利用 **ASHRAE**、**ANSI** 和 **ISO 16484-5 标准** 协议。它促进建筑自动化和控制系统之间的通信，使 HVAC 控制、照明控制、访问控制和火灾探测系统等应用能够交换信息。BACnet 确保互操作性，并允许计算机化的建筑自动化设备进行通信，无论它们提供的具体服务是什么。

**默认端口：** 47808
```text
PORT      STATE SERVICE
47808/udp open  BACNet -- Building Automation and Control NetworksEnumerate
```
# 枚举

## 手动
```bash
pip3 install BAC0
pip3 install netifaces

import BAC0
import time

myIP = '<Your IP>/<MASK>' #You need to be on the same subnet as the bacnet device. Example: '192.168.1.4/24'
bacnet = BAC0.connect(ip=myIP)
bacnet.whois() #Broadcast request of bacnet devices
time.sleep(5)  #Wait for devices to respond
for i, (deviceId, companyId, devIp, numDeviceId) in enumerate(bacnet.devices):
print(f"-------- Device #{numDeviceId} --------")
print(f"Device:     {deviceId}")
print(f"IP:         {devIp}")
print(f"Company:    {companyId}")
readDevice = bacnet.readMultiple(f"{devIp} device {numDeviceId} all")
print(f"Model Name: {readDevice[11]}")
print(f"Version:    {readDevice[2]}")
# print(readDevice) #List all available info about the device
```
## 自动化
```bash
nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 <IP>
```
该脚本并不尝试作为外部设备加入BACnet网络，而是直接向可通过IP地址访问的设备发送BACnet请求。

## Shodan

- `port:47808 instance`
- `"Instance ID" "Vendor Name"`

{{#include ../banners/hacktricks-training.md}}