Discovers and enumerates BACnet devices and collects device information using standard requests. Some devices do not strictly follow the specification, or comply with older versions of it, and answer with a BACnet error response. The presence of this error positively identifies the device as a BACnet device, but no enumeration is possible.
Note: Requests and responses use UDP 47808; ensure the scanner can receive responses that have UDP 47808 as both source and destination port.
nmap --script bacnet-info -sU -p 47808 <host>
47808/udp open  bacnet
| bacnet-discover:
|   Vendor ID: BACnet Stack at SourceForge (260)
|   Vendor Name: BACnet Stack at SourceForge
|   Instance Number: 260001
|   Firmware: 0.8.2
|   Application Software: 1.0
|   Object Name: SimpleServer
|   Model Name: GNU
|   Description: server
|_  Location: USA
License: Same as Nmap--See https://nmap.org/book/man-legal.html
- action (host, port)
Action function that is used to run the NSE script. It sends the initial query to the host and port that were passed in by Nmap. The initial response is parsed to determine whether the host is a BACnet device. If it is, further actions are taken to gather extra information.
- host: Host that was scanned via nmap
- port: port that was scanned via nmap
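The response triage described above (a data reply means enumeration is possible, an error reply still identifies a BACnet device), as an added Python example for checking captured UDP 47808 payloads during asset inventory. It is not the script's own code: `classify`, `bvlc`, `SAMPLES` and the verdict labels are names assumed here, the framing follows the standard BACnet/IP layout, and treating reject and abort replies like an error goes beyond what the page states.

```python
import struct

# APDU types: high nibble of the first APDU byte (BACnet standard numbering).
PDU_TYPES = {0: "confirmed-request", 1: "unconfirmed-request", 2: "simple-ack",
             3: "complex-ack", 4: "segment-ack", 5: "error", 6: "reject", 7: "abort"}

def classify(payload: bytes):
    """Return (verdict, detail) for one UDP/47808 payload."""
    # BVLC header: type 0x81 (BACnet/IP), function, 2-byte big-endian total length.
    if len(payload) < 6 or payload[0] != 0x81:
        return ("not-bacnet", "no BVLC header")
    function, length = payload[1], struct.unpack(">H", payload[2:4])[0]
    if length != len(payload):
        return ("not-bacnet", "BVLC length mismatch")
    if function not in (0x0A, 0x0B):  # Original-Unicast / Original-Broadcast NPDU
        return ("bacnet-other", f"BVLC function 0x{function:02x}")
    # NPDU: version 0x01, control byte, then optional routing fields.
    if payload[4] != 0x01:
        return ("not-bacnet", "bad NPDU version")
    control, pos = payload[5], 6
    try:
        if control & 0x20:               # DNET(2) DLEN(1) DADR(DLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x08:               # SNET(2) SLEN(1) SADR(SLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x20:               # hop count follows when DNET is present
            pos += 1
        first = payload[pos]
    except IndexError:
        return ("bacnet-other", "truncated NPDU")
    if control & 0x80:                   # network-layer message, no APDU inside
        return ("bacnet-other", "network-layer message")
    pdu = PDU_TYPES.get(first >> 4, "unknown")
    if pdu == "complex-ack":             # data came back: properties can be read
        return ("enumerable", pdu)
    if pdu in ("error", "reject", "abort"):  # BACnet confirmed, nothing to read
        return ("identified-only", pdu)
    return ("bacnet-other", pdu)

def bvlc(npdu_apdu: bytes) -> bytes:
    """Wrap NPDU+APDU bytes in an Original-Unicast-NPDU BVLC header."""
    return bytes([0x81, 0x0A]) + struct.pack(">H", 4 + len(npdu_apdu)) + npdu_apdu

# Constructed sample payloads (not captured traffic); device 260001, vendor ID 260.
SAMPLES = {
    "complex-ack": bvlc(bytes.fromhex("0100" "30010c" "0c0203f7a1" "1978" "3e2201043f")),
    "error": bvlc(bytes.fromhex("0100" "50010c" "9102" "9120")),
    "routed-error": bvlc(bytes.fromhex("0108" "00010105" "50010c" "9102" "9120")),
}
```
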