{
	"id": "dec4fcdf-5716-4aa0-8504-edb2e92bfb01",
	"created_at": "2026-04-06T00:08:49.583692Z",
	"updated_at": "2026-04-10T03:20:21.510938Z",
	"deleted_at": null,
	"sha1_hash": "0629a5bbdf403a61d12ec6a204a9cc740dadcde7",
	"title": "Discovering and fingerprinting BACnet devices - Help Net Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 874357,
	"plain_text": "Discovering and fingerprinting BACnet devices - Help Net Security\r\nBy Help Net Security\r\nPublished: 2019-07-10 · Archived: 2026-04-05 19:34:56 UTC\r\nBACnet is a communication protocol deployed for building automation and control networks. The most widely\r\naccepted networks include Internet Protocol (BACnet/IP) and the Master-Slave Token-Passing network (BACnet\r\nMS/TP). Generally, routers are required to interconnect BACnet networks while gateways are preferred for\r\nconnecting non-compliant devices to a primary BACnet network.\r\nIt is anticipated that 64% of the building automation industry uses BACnet for effective operations. From a\r\nsecurity perspective, it is essential to fingerprint IoT devices that use BACnet for communication.\r\nBACnet/IP device object\r\nAs per the standard, there should be one BACnet device object associated with the BACnet device. The device\r\nobject comprises a number of properties related to the device itself, some of which are optional.\r\nFrom a fingerprinting perspective, a BACnet/IP device runs a service on UDP ports 47808 and 47809. A well-crafted UDP request sent to the service running on the stated UDP port returns information about the\r\nBACnet device. 
A number of examples of different properties of a BACnet device object are shown below:\r\nDescription property: This property contains information about the device and is optional.\r\nListing 1 shows the description property highlighting the presence of BACnet.\r\nInstance ID: 1\r\nObject Name: Telus_Commercial_1\r\nLocation: unknown\r\nVendor Name: Tridium\r\nApplication Software: Tridium 3.8.111\r\nFirmware: 3.8.111\r\nModel Name: NiagaraAX Station\r\nDescription: Local BACnet Device object\r\nInstance ID: 77000\r\nObject Name: pCOWeb77000\r\nLocation: Unknown\r\nVendor Name: Carel S.p.A.\r\nApplication Software: 2.15.2C\r\nFirmware: A1.5.4 - B1.2.4\r\nModel Name: PCO1000WB0\r\nDescription: Carel BACnet Gateway\r\nApplication software property: This property is required by the BACnet device object so that the client knows\r\nwhich software version is installed on the device. Listing 2 highlights the application software property revealing\r\nthe presence of software running on the targeted BACnet device.\r\nInstance ID: 424242\r\nObject Name: Compass_424242\r\nLocation: unknown\r\nVendor Name: Alerton\r\nApplication Software: 1.5.20170510.1 - BACnet: Tridium 3.8.41.32\r\nFirmware: 3.8.208\r\nModel Name: Compass\r\nDescription: Compass NBT - Internal BACnet device\r\nInstance ID: 250001\r\nObject Name: device250001\r\nLocation: Device Location\r\nVendor Name: Automated Logic Corporation\r\nApplication Software: PRG:vrec_novel_ice_bacnet\r\nFirmware: BOOT(id=0,ver=0.01:001,crc=0x0000) MAIN(id=3,ver=6.00a:054,crc=0xB079)\r\nModel Name: LGR25\r\nDescription: Device Description\r\nModel and firmware properties: The firmware and model name properties are required and could reveal the\r\npresence of a BACnet device. 
Listing 3 shows that the associated properties contain information about the\r\npresence of a BACnet device.\r\nInstance ID: 7020\r\nObject Name: PXCC20\r\nLocation: RTU-20\r\nVendor Name: Siemens Industry Inc., Bldg Tech\r\nApplication Software: BXE1230\r\nFirmware: EPXC V3.2.3 BACnet 4.3g\r\nModel Name: Siemens BACnet Field Panel\r\nDescription: RTU-20\r\nObject name property: This property reflects the name of the object itself. In certain scenarios, the value of this\r\nproperty could reveal the presence of a BACnet device as shown in Listing 4.\r\nInstance ID: 1\r\nObject Name: Bacnet\r\nVendor Name: American Auto-Matrix\r\nApplication Software: R_02_06_01\r\nFirmware: 1.2\r\nModel Name: AAM-Router\r\nDescription: Router\r\nBBMD device property: A BACnet/IP Broadcast Management Device (BBMD) is deployed to broadcast and\r\ndistribute messages throughout the BACnet/IP network, which consists of a number of interconnected TCP/IP\r\nsubnetworks. Once the BACnet/IP messages are sent by the devices in the subnet, the associated BBMD forwards the\r\nsame messages to other peer BBMDs. Once the destination BBMD receives the message, it is then rebroadcast\r\nto the same subnet. Listing 5 shows the response obtained from the UDP query, which highlights the presence of\r\na BBMD device.\r\nInstance ID: 2210125\r\nObject Name: AS_2210125\r\nVendor Name: Schneider Electric\r\nApplication Software: N/A\r\nFirmware: Server 1.5.0.2307\r\nModel Name: Building Operation Automation Server\r\nBACnet Broadcast Management Device (BBMD):\r\n50.127.108.206:47808\r\nBACnet APDU errors: The Application Protocol Data Unit (APDU) comprises application-layer-specific\r\nparameters. Generally, protocol data units transfer information in the form of units among peers in the\r\nassociated network for sharing and processing of information. 
APDU errors can also be used to validate and verify\r\nthe presence of BACnet devices in the network. For example, the device responds to the client with an error\r\nnotification such as “BACnet APDU Type: Error (5)”. As a result, a BACnet device can be detected accordingly.\r\nAdditionally, a number of BACnet devices have embedded HTTP web servers that can also be used to\r\ndiscover the devices. A number of scenarios are discussed below:\r\nHTTP response header – WWW-Authenticate Realm: The WWW-Authenticate HTTP response header defines\r\nthe web authentication method supported by the resource on the remote location. This header is returned in\r\nresponses from the web server or application over HTTP/HTTPS. The header has type and realm\r\nparameters. The type defines the authentication scheme, whereas realm defines the description of the protected\r\nresource. Listing 6 highlights a BACnet/IP resource (or device) running over HTTP and protected with Basic\r\nauthentication, with the realm “UC32.net BACnet(2)”.\r\nHTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"UC32.net BACnet(2)\"\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\nServer: Allegro-Software-RomPager/4.01\r\nConnection: close\r\nHTTP/1.1 401 Authorization Required\r\nWWW-Authenticate: Basic realm=\"EasyBAC BACnet Device WebSetup\"\r\nServer: Cimetrics Eplus Web Server v.1.2\r\nConnection: Close\r\nHTTP response header-server: The embedded web server present in BACnet devices can also be queried via\r\nHTTP to detect the presence of a BACnet device. Listing shows that the HTTP response header “Server” discloses the\r\npresence of a BACnet device. 
Additionally, certain embedded web servers also reveal information about “BACnet\r\nNetwork” via HTTP/1.0 request acceptance as shown in Listing 7.\r\nHTTP/1.0 200 OK\r\nConnection: keep-alive\r\nServer: SB-BACnet\r\nContent-Length: 2960\r\nAccess-Control-Allow-Origin: *\r\nContent-Type: text/html; charset=iso-8859-\r\nHTTP/1.0 200 BACnet Network\r\nServer: BACnet4Linux\r\nContent-Type: text/html\r\nContent-Length: 599\r\nConnection: close\r\nWeb HTML elements: A number of HTML web elements can also disclose the presence of a BACnet device.\r\nWhen a client sends an HTTP GET/POST request to an embedded web server, the web page contents are returned\r\nin addition to the HTTP response header. The elements present in the web page can reveal information about\r\nthe BACnet device. Listing 8 shows the “title” element in the web page disclosing the same.\r\nHTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nAccept-Ranges: bytes\r\nConnection: Keep-Alive\r\nKeep-Alive: timeout=10, max=1000\r\nContent-Length: 145\r\nLast-Modified: Mon, 27 May 2019 02:06:13 GMT\r\nContent-Type: text/html\r\n\u003chtml\u003e\u003chead\u003e\u003ctitle\u003eACP BACnet\u003c/title\u003e\u003c/head\u003e\r\nApart from the UDP querying and HTTP traffic analysis, NetBIOS can also be used to detect the presence of\r\nBACnet devices. A similar scenario is discussed below.\r\nNetBIOS traffic: NetBIOS over TCP/IP is used for obtaining information about the name service listening on the\r\nremote target. Generally, the query is sent to UDP port 137 and the server responds with the details of all the services\r\nas part of a NetBIOS response. There is a name code (number) associated with the response as shown in Listing 9\r\nbelow. The numeric code “0x1e” shows the usage of browser service elections on the domain BACnet. 
This\r\ninformation highlights the presence of BACnet devices on the network.\r\nNetBIOS Response\r\nServername: LAZNAS\r\nNames:\r\nLAZNAS \u003c0x0\u003e\r\nLAZNAS \u003c0x3\u003e\r\nLAZNAS \u003c0x20\u003e\r\nBACNET \u003c0x0\u003e\r\nBACNET \u003c0x1e\u003e\r\nExperiment\r\nUsing the indicators discussed above, we conducted a small analytical experiment to obtain the model numbers\r\nand type of devices supporting the BACnet protocol for communication. We designed our own custom script to\r\ntrigger fast scanning. However, Nmap provides an associated script to perform the same activity. Figure 1 and\r\nFigure 2 show samples of the BACnet devices collected from the output retrieved from the conducted experiment.\r\nFigure 1: Model names of devices supporting the BACnet protocol\r\nFigure 2: Model names of devices supporting the BACnet protocol\r\nA number of indicators have been presented in this article to highlight the different ways to fingerprint BACnet\r\ndevices on the Internet. Fingerprinting BACnet devices is necessary to obtain the visibility into the nature of the\r\ndevice that is required to map its complete security posture.\r\nContributing author: Srinivas Akella, CTO, WootCloud.\r\nSource: https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/"
	],
	"report_names": [
		"bacnet-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434129,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0629a5bbdf403a61d12ec6a204a9cc740dadcde7.pdf",
		"text": "https://archive.orkl.eu/0629a5bbdf403a61d12ec6a204a9cc740dadcde7.txt",
		"img": "https://archive.orkl.eu/0629a5bbdf403a61d12ec6a204a9cc740dadcde7.jpg"
	}
}