{{#include ../banners/hacktricks-training.md}}
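# Protocol Information
**BACnet** is a **communications protocol** for Building Automation and Control (BAC) networks that leverages the **ASHRAE**, **ANSI**, and **ISO 16484-5 standard** protocol. It facilitates communication among building automation and control systems, enabling applications such as HVAC control, lighting control, access control, and fire detection systems to exchange information. BACnet ensures interoperability and allows computerized building automation devices to communicate, regardless of the particular services they provide.
**Default port:** 47808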
```text
PORT STATE SERVICE
47808/udp open BACNet -- Building Automation and Control Networks
```
# Enumeration
## Manual
```bash
pip3 install BAC0
pip3 install netifaces
```
```python
import BAC0
import time

# You need to be on the same subnet as the BACnet device. Example: '192.168.1.4/24'
myIP = '<Your IP>/<MASK>'
bacnet = BAC0.connect(ip=myIP)

bacnet.whois()   # Broadcast request for BACnet devices
time.sleep(5)    # Wait for devices to respond

for deviceId, companyId, devIp, numDeviceId in bacnet.devices:
    print(f"-------- Device #{numDeviceId} --------")
    print(f"Device: {deviceId}")
    print(f"IP: {devIp}")
    print(f"Company: {companyId}")
    # Read every property of the device object
    readDevice = bacnet.readMultiple(f"{devIp} device {numDeviceId} all")
    print(f"Model Name: {readDevice[11]}")
    print(f"Version: {readDevice[2]}")
    # print(readDevice)  # List all available info about the device
```
## Automatic
```bash
nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 <IP>
```
This script does not attempt to join a BACnet network as a foreign device; it simply sends BACnet requests directly to an IP-addressable device.
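
From the monitoring side, both enumeration methods above are visible on UDP 47808: `whois()` is an unconfirmed Who-Is broadcast, and a scanner that talks directly to a device sends requests such as ReadProperty without registering as a foreign device. The following is an added example, not part of the original page or of BAC0/nmap: a minimal BACnet/IP classifier that flags those requests from sources outside an allowlist. The `classify`/`flag` names, the IP addresses and the sample payloads are constructed for illustration.

```python
import struct

UNCONFIRMED = {0x00: "I-Am", 0x08: "Who-Is"}
CONFIRMED = {0x0C: "ReadProperty", 0x0E: "ReadPropertyMultiple", 0x0F: "WriteProperty"}
WATCHED = {"Who-Is", "ReadProperty", "ReadPropertyMultiple", "Register-Foreign-Device"}

def classify(payload: bytes) -> str:
    """Label one UDP/47808 payload by BVLC function and APDU service."""
    if len(payload) < 4 or payload[0] != 0x81:        # 0x81 = BACnet/IP BVLC type
        return "not-bacnet-ip"
    func, length = payload[1], struct.unpack(">H", payload[2:4])[0]
    if length != len(payload):                        # BVLC length covers the whole datagram
        return "malformed"
    if func == 0x05:
        return "Register-Foreign-Device"
    if func not in (0x04, 0x0A, 0x0B):                # forwarded / unicast / broadcast NPDU
        return f"bvlc-0x{func:02x}"
    try:
        i = 10 if func == 0x04 else 4                 # Forwarded-NPDU adds a 6-byte origin address
        if payload[i] != 0x01:                        # NPDU protocol version
            return "malformed"
        ctrl, i = payload[i + 1], i + 2
        if ctrl & 0x20:                               # DNET(2) DLEN(1) DADR(DLEN)
            i += 3 + payload[i + 2]
        if ctrl & 0x08:                               # SNET(2) SLEN(1) SADR(SLEN)
            i += 3 + payload[i + 2]
        i += bool(ctrl & 0x20)                        # hop count, only with a destination
        if ctrl & 0x80:                               # no APDU in network-layer messages
            return "network-layer-message"
        pdu_type = payload[i] >> 4
        if pdu_type == 1:                             # Unconfirmed-Request
            return UNCONFIRMED.get(payload[i + 1], f"unconfirmed-{payload[i + 1]}")
        if pdu_type == 0:                             # Confirmed-Request, +2 bytes if segmented
            svc = payload[i + (5 if payload[i] & 0x08 else 3)]
            return CONFIRMED.get(svc, f"confirmed-{svc}")
        return f"apdu-type-{pdu_type}"
    except IndexError:                                # truncated NPDU/APDU
        return "malformed"

def flag(packets, allowed):
    """Return (src, label) for watched requests whose source is not allowlisted."""
    return [(s, classify(p)) for s, p in packets if s not in allowed and classify(p) in WATCHED]

SAMPLES = [  # constructed (source IP, payload) pairs, not captured traffic
    ("192.0.2.50", bytes.fromhex("810b000c0120ffff00ff1008")),            # Who-Is broadcast
    ("192.0.2.50", bytes.fromhex("810a001101040005010c0c023fffff194b")),  # ReadProperty on device object
    ("192.0.2.10", bytes.fromhex("810b000c0120ffff00ff1008")),            # Who-Is from allowlisted host
    ("192.0.2.77", bytes.fromhex("810b00180120ffff00ff1000c4020004d22205c49103210f")),  # I-Am reply
]
```

`flag(SAMPLES, allowed={"192.0.2.10"})` returns the Who-Is and ReadProperty requests from `192.0.2.50`; the allowlisted workstation and the I-Am reply are not reported.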
## Shodan
- `port:47808 instance`
- `"Instance ID" "Vendor Name"`
{{#include ../banners/hacktricks-training.md}}