Script bacnet-info

Script types: portrule
Categories: discovery, version

Script Summary

Discovers and enumerates BACNet Devices collects device information based off standard requests. In some cases, devices may not strictly follow the specifications, or may comply with older versions of the specifications, and will result in a BACNET error response. Presence of this error positively identifies the device as a BACNet device, but no enumeration is possible.

Note: Requests and responses are via UDP 47808, ensure scanner will receive UDP 47808 source and destination responses.

Example Usage

nmap --script bacnet-info -sU -p 47808 <host>

Script Output

47808/udp open  bacnet
| bacnet-discover:
|   Vendor ID: BACnet Stack at SourceForge (260)
|   Vendor Name: BACnet Stack at SourceForge
|   Instance Number: 260001
|   Firmware: 0.8.2
|   Application Software: 1.0
|   Object Name: SimpleServer
|   Model Name: GNU
|   Description: server
|_  Location: USA



  • Stephen Hilt
  • Michael Toecker

License: Same as Nmap--See


action (host, port)

Action Function that is used to run the NSE. This function will send the initial query to the host and port that were passed in via nmap. The initial response is parsed to determine if host is a BACNet device. If it is then more actions are taken to gather extra information.


Host that was scanned via nmap
port that was scanned via nmap