Nmap bacnet-info NSE Script


This page contains detailed information about how to use the bacnet-info NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.


Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/bacnet-info.nse
Script categories: discovery, version
Target service / protocol: bacnet, tcp, udp
Target network port(s): 47808
List of CVEs: -

Script Description


The bacnet-info.nse script discovers and enumerates BACNet devices and collects device information using standard requests. Some devices do not strictly follow the specifications, or comply with older versions of them, and answer with a BACNet error response. The presence of this error positively identifies the device as a BACNet device, but no enumeration is possible.

Note: Requests and responses both use UDP 47808. Make sure the scanner can receive responses that have UDP 47808 as both source and destination port.

Bacnet-info NSE Script Arguments


The bacnet-info.nse script does not have any arguments.

Bacnet-info NSE Script Example Usage


Here's an example of how to use the bacnet-info.nse script:

nmap --script bacnet-info -sU -p 47808 <host>

Bacnet-info NSE Script Example Output


Here's a sample output from the bacnet-info.nse script:

47808/udp open  bacnet
| bacnet-discover:
|   Vendor ID: BACnet Stack at SourceForge (260)
|   Vendor Name: BACnet Stack at SourceForge
|   Instance Number: 260001
|   Firmware: 0.8.2
|   Application Software: 1.0
|   Object Name: SimpleServer
|   Model Name: GNU
|   Description: server
|_  Location: USA

Bacnet-info NSE Script Example XML Output


Here's a sample XML output from the bacnet-info.nse script produced by providing the -oX <file> Nmap option:

<elem key="Vendor ID">BACnet Stack at SourceForge (260)</elem>
<elem key="Vendor Name">BACnet Stack at SourceForge</elem>
<elem key="Object-identifier">260001</elem>
<elem key="Firmware">0.8.2</elem>
<elem key="Application Software">1.0</elem>
<elem key="Object Name">SimpleServer</elem>
<elem key="Model Name">GNU</elem>
<elem key="Description">server</elem>
<elem key="Location">USA</elem>

Authors


  • Stephen Hilt
  • Michael Toecker

See Also


Visit Nmap NSE Library for more scripts.

The bacnet-info.nse script may fail with the following error messages. To check for possible causes, use the code snippets below, taken from the script source code; they can often help identify the root cause of the problem.

Socket error sending query: %s


Here is a relevant code snippet related to the "Socket error sending query: %s" error message:

  assert(query) -- table lookup must not fail.

  --try to pull the  information
  local status, result = send_query(socket, query)
  if(status == false) then
    stdnse.debug1("Socket error sending query: %s", result)
    return nil
  end
  -- receive packet from response
  local rcvstatus, response = socket:receive()
  if(rcvstatus == false) then

Socket error receiving: %s


Here is a relevant code snippet related to the "Socket error receiving: %s" error message:

    return nil
  end
  -- receive packet from response
  local rcvstatus, response = socket:receive()
  if(rcvstatus == false) then
    stdnse.debug1("Socket error receiving: %s", response)
    return nil
  end
  -- validate valid BACNet Packet
  if( string.byte(response, 1) == 0x81 ) then
    -- Lookup byte 7 (packet type)

Error receiving: BACNet Error


Here is a relevant code snippet related to the "Error receiving: BACNet Error" error message:

    if( value ~= 0x50) then
      --collect information by looping thru the packet
      return field_size(response)
      -- if it was an error packet, set the string to error for later purposes
    else
      stdnse.debug1("Error receiving: BACNet Error")
      return nil
    end
    -- else ERROR
  else
    stdnse.debug1("Error receiving Vendor ID: Invalid BACNet packet")

Error receiving Vendor ID: Invalid BACNet packet


Here is a relevant code snippet related to the "Error receiving Vendor ID: Invalid BACNet packet" error message:

      stdnse.debug1("Error receiving: BACNet Error")
      return nil
    end
    -- else ERROR
  else
    stdnse.debug1("Error receiving Vendor ID: Invalid BACNet packet")
    return nil
  end

end
---

Socket error sending vendor query: %s


Here is a relevant code snippet related to the "Socket error sending vendor query: %s" error message:

  assert(vendor_query)

  --send the vendor information
  local status, result = send_query(socket, vendor_query)
  if(status == false) then
    stdnse.debug1("Socket error sending vendor query: %s", result)
    return nil
  end
  -- receive vendor information packet
  local rcvstatus, response = socket:receive()
  if(rcvstatus == false) then

Socket error receiving vendor query: %s


Here is a relevant code snippet related to the "Socket error receiving vendor query: %s" error message:

    return nil
  end
  -- receive vendor information packet
  local rcvstatus, response = socket:receive()
  if(rcvstatus == false) then
    stdnse.debug1("Socket error receiving vendor query: %s", response)
    return nil
  end
  -- validate valid BACNet Packet
  if( string.byte(response, 1) == 0x81 ) then
    local value = string.byte(response, 7)

Error receiving Vendor ID: BACNet Error


Here is a relevant code snippet related to the "Error receiving Vendor ID: BACNet Error" error message:

    if( value ~= 0x50) then
      -- read values for byte 18 in the packet data
      -- this value determines if vendor number is 1 or 2 bytes
      value = string.byte(response, 18)
    else
      stdnse.debug1("Error receiving Vendor ID: BACNet Error")
      return nil
    end
    -- if value is 21 (byte 18)
    if( value == 0x21 ) then
      -- convert hex to decimal

Error receiving Vendor ID: Invalid BACNet packet


Here is a relevant code snippet related to the "Error receiving Vendor ID: Invalid BACNet packet" error message:

      local vendornum = string.unpack(">I2", response, 19)
      -- look up vendor name from table
      return vendor_lookup(vendornum)
    else
      -- set return value to an Error if byte 18 was not 21/22
      stdnse.debug1("Error receiving Vendor ID: Invalid BACNet packet")
      return nil
    end
  end

end
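
The response checks in the snippets above (first byte 0x81, byte 7 equal to 0x50 for an Error PDU, byte 18 selecting a 1- or 2-byte vendor number) can be replayed offline against captured UDP 47808 payloads when troubleshooting these messages. This is an added Python example, not code from bacnet-info.nse; the function names, the truncation guard and the sample payloads are constructed for illustration, and the 1-byte vendor number is assumed to sit at byte 19.

```python
import struct

BVLC_TYPE_BACNET_IP = 0x81  # Lua: string.byte(response, 1)
APDU_TYPE_ERROR = 0x50      # Lua: string.byte(response, 7)

def classify(payload: bytes) -> str:
    """Name the branch a response takes in the checks quoted on this page."""
    if not payload or payload[0] != BVLC_TYPE_BACNET_IP:
        return "invalid-bacnet-packet"
    if len(payload) < 7:
        return "truncated"          # added guard, not in the quoted snippets
    if payload[6] == APDU_TYPE_ERROR:
        return "bacnet-error"       # device is BACnet, but cannot be enumerated
    return "data"

def vendor_number(payload: bytes):
    """Vendor number from a vendor-identifier reply, or None."""
    if classify(payload) != "data" or len(payload) < 19:
        return None
    tag = payload[17]               # Lua byte 18: 0x21 = 1-byte, 0x22 = 2-byte value
    if tag == 0x21:
        return payload[18]          # assumption: 1-byte value sits at Lua byte 19
    if tag == 0x22 and len(payload) >= 20:
        return struct.unpack_from(">H", payload, 18)[0]  # Lua: ">I2" at byte 19
    return None                     # the "Invalid BACNet packet" branch

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "vendor-2-byte": bytes.fromhex("810a0015010030010c0c0203f7a119783e2201043f"),
    "vendor-1-byte": bytes.fromhex("810a0014010030010c0c0203f7a119783e21053f"),
    "error-pdu":     bytes.fromhex("810a000d010050010c91029120"),
    "not-bacnet":    bytes.fromhex("000100000001000000000000"),
}

def triage_all():
    """Classify every sample and extract its vendor number where possible."""
    return {name: (classify(p), vendor_number(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name:14} {result}")
```

Python offsets are 0-based, so each index is one lower than the byte number in the Lua comments.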

Error establishing a UDP connection for %s - %s


Here is a relevant code snippet related to the "Error establishing a UDP connection for %s - %s" error message:

    stdnse.debug1("Couldn't bind to %s/udp. Continuing anyway, results may vary", port.number)
  end
  -- connect to the remote host
  local constatus, conerr = sock:connect(host, port)
  if not constatus then
    stdnse.debug1('Error establishing a UDP connection for %s - %s', host, conerr)
    return nil
  end
  -- send the original query to see if it is a valid BACNet Device
  local sendstatus, senderr = send_query(sock, orig_query)
  if not sendstatus then

Error sending BACNet request to %s:%d - %s


Here is a relevant code snippet related to the "Error sending BACNet request to %s:%d - %s" error message:

    return nil
  end
  -- send the original query to see if it is a valid BACNet Device
  local sendstatus, senderr = send_query(sock, orig_query)
  if not sendstatus then
    stdnse.debug1('Error sending BACNet request to %s:%d - %s', host.ip, port.number, senderr)
    return nil
  end

  -- receive response
  local rcvstatus, response = sock:receive()

Receive error: %s


Here is a relevant code snippet related to the "Receive error: %s" error message:

  end

  -- receive response
  local rcvstatus, response = sock:receive()
  if(rcvstatus == false) then
    stdnse.debug1("Receive error: %s", response)
    return nil
  end

  -- if the response starts with 0x81 then its BACNet
  if( string.byte(response, 1) == 0x81 ) then

\nBACNet ADPU Type: Error (5) \n\t


Here is a relevant code snippet related to the "\nBACNet ADPU Type: Error (5) \n\t" error message:

    --
    if( value == 0x50) then
      -- set the nmap output for the port and version
      set_nmap(host, port)
      -- return that BACNet Error was received
      to_return = "\nBACNet ADPU Type: Error (5) \n\t" .. stdnse.tohex(response)
      --else pull the InstanceNumber and move onto the pulling more information
      --
    else
      to_return = stdnse.output_table()
      -- set the nmap output for the port and version

Version


This page has been created based on Nmap version 7.92.
