Digital Bond has had an internal research project to develop tools that discover and enumerate ICS applications and devices. We call this project Redpoint, and we use the growing list of tools with care on ICS security assessments and other projects for our clients. They often begin as quick and dirty Python scripts, but the goal is to move as many as possible to Nmap scripts and make the most useful scripts generally available.
So let’s start with BACnet-discover-enumerate.nse, which you can download now from our GitHub Redpoint repository.
BACnet is widely used in building automation systems that monitor and control HVAC, lighting, fire detection, building security, … and of course it is insecure by design.
The discovery is more than just port scanning UDP/47808; an unanswered UDP probe looks the same whether the port is filtered or simply silent, so a port scan alone proves little. The script sends a BACnet request to the port. Newer devices respond with some helpful information; older devices send back a BACnet error message. Either way you know it is a BACnet device.
If the device is an IP BACnet Router you can often join the BACnet network as a foreign device. This slide from BACnet.org gives you some ideas on how helpful that would be in enumerating all of the devices, including serial connected devices, on a BACnet network. Those extensions and other more intrusive capabilities we keep in house.
If it is a device compliant with the BACnet specification post 2004, the script will pull some very helpful information, as you see in the second and third examples in the screenshot.
- Knowing the Object Identifier and having a BACnet client will usually allow you to issue commands to the BACnet device, such as change setpoint, change schedule, or change program, depending on the capabilities of the BACnet device.
- Vendor, Firmware and Software versions are helpful in identifying default settings, device information and known vulnerabilities, although on an insecure-by-design protocol you really don’t need a vulnerability. We find them most helpful in telling the client what is where when an unknown building automation system is found accessible to everyone on the corporate network.
- Where is the discovered device? The object name and location can give you a clue, or very specific information if the asset owner or integrator filled in these fields. Again, take a look at the examples in the screenshot. This can be very helpful in an inventory effort or assessment.
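The discovery and enumeration steps above, as an added worked example in Python (the language Redpoint tools start in, per this post). This is not the Redpoint Nmap script or any Digital Bond code. The packet layouts follow the BACnet/IP spec (ASHRAE 135); that the probe is a ReadProperty against the wildcard Device instance 4194303 is an assumption about the script's approach, as are the property list, the constructed sample replies and the hypothetical vendor, model and location values in them. `canned_transport` stands in for the two device types the post describes: a post-2004 device answering with Complex-ACKs, and an older device that answers only with a BACnet Error.

```python
import socket
import struct

BACNET_PORT = 47808
DEVICE_WILDCARD = (8 << 22) | 0x3FFFFF  # Device object, instance 4194303: "whichever device hears this" (assumed probe)
# Device object properties to pull, with their BACnet property identifiers (ASHRAE 135).
PROPERTIES = {"object-identifier": 75, "object-name": 77, "vendor-name": 121, "vendor-identifier": 120,
              "model-name": 70, "firmware-revision": 44, "application-software-version": 12, "location": 58}

def build_read_property(prop_id, invoke_id=1, object_id=DEVICE_WILDCARD):
    """BVLC Original-Unicast-NPDU + NPDU (expecting reply) + Confirmed-Request ReadProperty."""
    apdu = bytes([0x00, 0x05, invoke_id & 0xFF, 0x0C])   # PDU type 0, max APDU 1476, service choice 12
    apdu += bytes([0x0C]) + struct.pack(">I", object_id)  # context tag 0: BACnetObjectIdentifier
    apdu += bytes([0x19, prop_id])                        # context tag 1: PropertyIdentifier (1 byte)
    return bytes([0x81, 0x0A]) + struct.pack(">H", 6 + len(apdu)) + bytes([0x01, 0x04]) + apdu

def decode_app_tagged(buf, i):
    """Decode one application-tagged value at buf[i] (lengths up to 253); return (tag, value, next i)."""
    tag, ln, i = buf[i] >> 4, buf[i] & 0x07, i + 1
    if ln == 5:                                   # length field 5 means "real length is in the next byte"
        ln, i = buf[i], i + 1
    data, i = buf[i:i + ln], i + ln
    if tag in (2, 9):                             # Unsigned / Enumerated
        return tag, int.from_bytes(data, "big"), i
    if tag == 7 and data[:1] == b"\x00":          # CharacterString, encoding 0 (UTF-8)
        return tag, data[1:].decode("utf-8", "replace"), i
    if tag == 12:                                 # BACnetObjectIdentifier -> (type, instance)
        return tag, divmod(int.from_bytes(data, "big"), 1 << 22), i
    return tag, data, i                           # anything else stays raw

def parse_response(pkt):
    """Complex-ACK -> the value; Error/Reject/Abort -> still a BACnet stack; None -> not BACnet/IP."""
    if (len(pkt) < 9 or pkt[0] != 0x81 or struct.unpack(">H", pkt[2:4])[0] != len(pkt)
            or pkt[4] != 0x01 or pkt[5] & 0x80):  # bad BVLC length, wrong NPDU version, or a network message
        return None
    ctrl, i = pkt[5], 6
    for flag in (0x20, 0x08):                     # DNET(2) DLEN(1) DADR(DLEN), then SNET(2) SLEN(1) SADR(SLEN)
        if ctrl & flag:
            i += 3 + pkt[i + 2]
    i += 1 if ctrl & 0x20 else 0                  # hop count follows when a destination is present
    pdu_type, invoke = pkt[i] >> 4, pkt[i + 1]
    if pdu_type == 3:                             # Complex-ACK
        i += 4 if pkt[i] & 0x08 else 2            # segmented ACKs add sequence number + window size
        service, i = pkt[i], i + 1
        if pkt[i] != 0x0C or pkt[i + 5] != 0x19 or pkt[i + 7] != 0x3E:
            return None                           # want ObjectIdentifier(4), PropertyIdentifier(1), opening tag 3
        obj = struct.unpack(">I", pkt[i + 1:i + 5])[0]
        return {"pdu": "complex-ack", "invoke": invoke, "service": service, "property": pkt[i + 6],
                "object": divmod(obj, 1 << 22), "value": decode_app_tagged(pkt, i + 8)[1]}
    if pdu_type == 5:                             # Error: class and code, both Enumerated
        _, err_class, i = decode_app_tagged(pkt, i + 3)
        return {"pdu": "error", "invoke": invoke, "error_class": err_class,
                "error_code": decode_app_tagged(pkt, i)[1]}
    if pdu_type in (6, 7):                        # Reject / Abort: a single reason byte
        return {"pdu": "reject" if pdu_type == 6 else "abort", "invoke": invoke, "reason": pkt[i + 2]}
    return None

def enumerate_device(send, props=PROPERTIES):
    """Discovery plus enumeration over `send(request) -> reply bytes or None`."""
    result = {"bacnet": False, "properties": {}, "errors": {}}
    for n, (name, pid) in enumerate(props.items(), start=1):
        parsed = parse_response(send(build_read_property(pid, invoke_id=n)) or b"")
        result["bacnet"] |= parsed is not None    # any well-formed BACnet reply, ACK or error, counts
        if parsed and parsed["pdu"] == "complex-ack":
            result["properties"][name] = parsed["value"]
        elif parsed:
            result["errors"][name] = parsed
    return result

def udp_send(req, host, port=BACNET_PORT, timeout=2.0):
    """Live transport: one datagram out, one reply back, None on timeout. Wrap in a lambda for enumerate_device."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            return s.recv(1500)
        except socket.timeout:
            return None

def _charstring(s):                               # CharacterString: tag 7, extended length, encoding 0 (UTF-8); 4+ chars
    return bytes([0x75, len(s) + 1, 0x00]) + s.encode()

NEW_DEVICE_VALUES = {75: bytes([0xC4]) + struct.pack(">I", (8 << 22) | 1234), 120: bytes([0x22, 0x02, 0x2B]),
                     77: _charstring("AHU-1 Controller"), 121: _charstring("Example Controls"),
                     70: _charstring("EC-100"), 44: _charstring("1.0.4"), 12: _charstring("2.3.1"),
                     58: _charstring("Bldg 2, 3rd floor mech room")}   # constructed sample, not a real unit

def canned_transport(values):
    """Offline stand-in for udp_send: answers from `values`; anything else gets Error(object, unknown-object)."""
    def send(req):
        invoke, prop_id = req[8], req[-1]         # invoke ID and property ID sit at fixed offsets in our request
        if prop_id in values:
            apdu = (bytes([0x30, invoke, 0x0C, 0x0C]) + struct.pack(">I", (8 << 22) | 1234)
                    + bytes([0x19, prop_id, 0x3E]) + values[prop_id] + bytes([0x3F]))
        else:
            apdu = bytes([0x50, invoke, 0x0C, 0x91, 0x01, 0x91, 0x1F])
        return bytes([0x81, 0x0A]) + struct.pack(">H", 6 + len(apdu)) + bytes([0x01, 0x00]) + apdu
    return send
```

Offline, `enumerate_device(canned_transport(NEW_DEVICE_VALUES))` returns the object identifier (device, 1234), vendor, model, firmware, software version and location, while `enumerate_device(canned_transport({}))` returns no properties but still reports `bacnet: True` from the Error replies, which is the point made above about older devices. Against a live target use `enumerate_device(lambda r: udp_send(r, "192.0.2.10"))` with your own address; one ReadProperty per property is all the traffic it generates, but it is still a request to a control device, so run it only where you are authorized.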
We want to be clear on what this script is not. It is not a discovery of a new protocol or protocol implementation vulnerability. It is using documented features of an insecure by design protocol. The “big hack” we did to create the script was read the specification.
We chose to start the publicly available version of Redpoint with BACnet because building automation systems are so widely deployed on corporate networks, and yes you will find many Internet accessible BACnet devices.
This BACnet script was a team effort, with Michael Toecker digging into the protocol and generating some Python scripts and sample pcaps, and Stephen Hilt writing the parsing code and converting some of the initial Python efforts into an Nmap script.
Stay tuned for additional Redpoint releases, or even better add your ICS discovery and enumeration tool to Redpoint.
Image by Dru!