Last week Stephen made a minor, but very helpful, update to the Redpoint script that identifies and enumerates BACnet gateways and devices. All publicly available Redpoint scripts are on our GitHub, and some of the scripts have been integrated into the nmap download.

The latest version has the option to pull the Foreign Device Table (FDT) and the Broadcast Distribution Table (BDT). Both are helpful in enumerating BACnet devices on different, and possibly inaccessible to scanning, subnets.

Imagine the case where you have a BACnet device on the corporate network that is used by the team to view the status of an otherwise segmented building management system from their corporate computers. The BDT and FDT may help you identify those non-accessible devices.

Any time a BACnet network consists of more than one subnet, each subnet must have a BACnet Broadcast Management Device (BBMD). Each BBMD in the BACnet network has an identical Broadcast Distribution Table (BDT) that lists all of the BBMD’s in the network. So by recovering the BDT you will learn all the subnets that have BACnet devices in the BACnet network.

Well, not quite. There is another way for a BACnet device on a different subnet to join a BACnet network … by registering as a foreign device. To fully participate in the BACnet network the foreign device should register with a BBMD. However the foreign device can register with any device that supports foreign devices, and most BACnet gateways do.

So the Redpoint script can also pull the Foreign Device Table (FDT), which is useful in identifying BACnet devices and possibly even attackers.

Each entry in the FDT is suppose to have a Time-To-Live for each registered foreign device, and then erase foreign devices that don’t re-register in that time period. In practice we have found that many foreign device entries never time out.

Let’s look at a practical example from Redpoint output:

BACnet Enumeration

The BDT shows that the BACnet network spans many subnets. Some of those are internal subnets (RFC 1918) and others are subnets with public / Internet routable addresses (grayed out to protect the guilty).

The FDT is relatively small, with only two foreign devices registered. Again the public addresses have been grayed out. Imagine if one or both of those addresses were not from your organization.

One final note on usage of the Redpoint script. The FDT and BDT can be quite large so we made this output optional. You need to add the –script-args full=yes to return the FDT and BDT.

nmap -sU -p 47808 --script BACnet-discover-enumerate --script-args full=yes <host>