BACnet (Building Automation)
aka bms, ics
Building-automation protocol on 47808/udp — HVAC, lighting, access control. Unauthenticated by design; enumerate devices and their objects, read live values, and (with care) write setpoints that affect physical systems.
Ports
| Port | Proto | Notes |
|---|---|---|
| 47808 | udp | BACnet/IP |
Fingerprint
- nmap's bacnet-info script returns device ID, vendor, model and firmware version
- A Who-Is broadcast elicits an I-Am response from every device on the segment
Exploitation primitives
- Enumerate devices + object lists (bacnet-info / BACnet-discover-enumerate)
- Read present-value of sensors/setpoints (temperatures, door states)
- Write properties to change building behaviour — DANGEROUS, physical impact
Overview
BACnet on 47808/udp runs building systems (HVAC, lighting, access). It has no authentication, so reachable controllers are fully enumerable — and writable.
Enumeration
Device info:
nmap -sU -p47808 --script bacnet-info <TARGET>
Discover + enumerate objects:
python3 BACnet-discover-enumerate.py --target <TARGET>
Read / write (writes only with OT authorisation)
Writing setpoints actuates real building equipment — only in a lab or with explicit OT sign-off.
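The discovery traffic described under Fingerprint and the read/write requests described here have a fixed wire shape (BVLC header, NPDU, APDU), which is what a network monitor keys on. The following Python is an added example, not code from the original page or from nmap or BACnet-discover-enumerate: it parses BACnet/IP datagrams down to the service choice and flags Who-Is discovery and write-class requests (WriteProperty, ReinitializeDevice and similar) coming from hosts outside an allow-list of BMS servers. The datagrams, IP addresses and allow-list are constructed for the example.

```python
import struct
from collections import Counter

BVLC_TYPE = 0x81              # first byte of every BACnet/IP datagram
BVLC_FORWARDED_NPDU = 0x04    # BBMD-forwarded: 6-byte original B/IP address follows
NPDU_VERSION = 0x01

# Service choices from ASHRAE 135 Clause 21, limited to what a monitor cares about.
UNCONFIRMED_SERVICES = {0: "I-Am", 1: "I-Have", 7: "Who-Has", 8: "Who-Is"}
CONFIRMED_SERVICES = {
    6: "AtomicReadFile", 7: "AtomicWriteFile", 10: "CreateObject", 11: "DeleteObject",
    12: "ReadProperty", 14: "ReadPropertyMultiple", 15: "WriteProperty",
    16: "WritePropertyMultiple", 17: "DeviceCommunicationControl", 20: "ReinitializeDevice",
}
# Services that change controller state: the "write" primitive the text warns about.
WRITE_CLASS = {"AtomicWriteFile", "CreateObject", "DeleteObject", "WriteProperty",
               "WritePropertyMultiple", "DeviceCommunicationControl", "ReinitializeDevice"}
DISCOVERY = {"Who-Is", "Who-Has"}


def parse_bacnet_ip(data: bytes) -> dict:
    """Walk BVLC -> NPDU -> APDU and name the service carried by one datagram."""
    if len(data) < 6 or data[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP datagram")
    bvlc_func, bvlc_len = data[1], struct.unpack("!H", data[2:4])[0]
    if bvlc_len != len(data):
        raise ValueError(f"BVLC length {bvlc_len} != datagram length {len(data)}")
    off = 4 + (6 if bvlc_func == BVLC_FORWARDED_NPDU else 0)
    if data[off] != NPDU_VERSION:
        raise ValueError("unsupported NPDU version")
    control = data[off + 1]
    off += 2
    if control & 0x80:  # network-layer (routing) message: no APDU to classify
        return {"pdu": "network", "service": None}
    if control & 0x20:  # DNET(2) DLEN(1) DADR(DLEN) present
        off += 3 + data[off + 2]
    if control & 0x08:  # SNET(2) SLEN(1) SADR(SLEN) present
        off += 3 + data[off + 2]
    if control & 0x20:  # hop count follows the address fields when DNET is present
        off += 1
    apdu = data[off:]
    pdu_type = apdu[0] >> 4
    if pdu_type == 1:   # Unconfirmed-Request: [type] [service choice]
        return {"pdu": "unconfirmed",
                "service": UNCONFIRMED_SERVICES.get(apdu[1], f"unconfirmed-{apdu[1]}")}
    if pdu_type == 0:   # Confirmed-Request: [type/flags] [max APDU] [invoke ID] ([seq] [window]) [service]
        idx = 5 if apdu[0] & 0x08 else 3
        return {"pdu": "confirmed", "invoke_id": apdu[2],
                "service": CONFIRMED_SERVICES.get(apdu[idx], f"confirmed-{apdu[idx]}")}
    return {"pdu": f"type-{pdu_type}", "service": None}  # ACKs, errors, rejects, aborts


def classify(src_ip: str, data: bytes, authorised_hosts: set) -> tuple:
    """Severity for one datagram. authorised_hosts is the operator-supplied
    allow-list of BMS servers expected to discover devices and write to them."""
    svc = parse_bacnet_ip(data)["service"]
    trusted = src_ip in authorised_hosts
    if svc in WRITE_CLASS and not trusted:
        return "critical", f"{svc} from unauthorised host {src_ip}"
    if svc in DISCOVERY and not trusted:
        return "warning", f"{svc} discovery from unexpected host {src_ip}"
    return "info", f"{svc or 'non-request PDU'} from {src_ip}"


# Constructed sample datagrams (hex); not captured from any real site.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")                        # global-broadcast Who-Is
FORWARDED_WHO_IS = bytes.fromhex("81040012c0a80a05bac00120ffff00ff1008")  # same, relayed by a BBMD
I_AM = bytes.fromhex("810b00180120ffff00ff1000c4020000012205c49103210f")  # device 1 answering
READ_PRESENT_VALUE = bytes.fromhex("810a001101040005020c0c008000011955")  # ReadProperty AV:1 present-value
WRITE_PRESENT_VALUE = bytes.fromhex(                                      # WriteProperty AV:1 = 20.0, priority 8
    "810a001a01040005010f0c0080000119553e4441a000003f4908")

AUTHORISED_HOSTS = {"10.0.5.10"}   # assumed BMS server (constructed)
SAMPLE_TRAFFIC = [                 # (source IP, datagram), constructed
    ("10.0.5.10", WHO_IS), ("10.0.5.20", I_AM), ("10.0.5.10", READ_PRESENT_VALUE),
    ("10.0.5.99", FORWARDED_WHO_IS), ("10.0.5.99", WRITE_PRESENT_VALUE),
]


def triage(traffic, authorised_hosts) -> dict:
    """Count datagrams per severity across a capture."""
    return dict(Counter(classify(ip, pkt, authorised_hosts)[0] for ip, pkt in traffic))


if __name__ == "__main__":
    for ip, pkt in SAMPLE_TRAFFIC:
        print("%-8s %s" % classify(ip, pkt, AUTHORISED_HOSTS))
    print(triage(SAMPLE_TRAFFIC, AUTHORISED_HOSTS))
```

Feeding this the UDP payloads from a span-port capture of the BMS segment turns the "unauthenticated and writable" property into an alerting rule: because the protocol carries no identity, the source address against an allow-list is the only thing a monitor can check, which is also why the Hardening advice below matters more than any detection.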
Hardening
Segment the BMS network, place BACnet controllers behind a firewall or secure gateway, and make sure 47808/udp is never reachable from the internet.