The SCADAfence engineering team has contributed a new module to the widely used Metasploit framework as a “pay it forward” program that will allow pentesters and asset owners to use a new set of uniquely tuned ICS scanners. One of them is specifically for BACnet protocols to perform OTasset discovery.

SCADAfence aims to enrich the ICS cyber security community by providing Blue, Red and Purple Teams' with modules that they will be able to quickly utilize for testing their environment. The BACnet module will allow security teams to gather vital information about BACnet devices that are internally connected to their network. This is SCADAfence’s first of what is expected to be a series of contributions to the Metasploit framework.

Shortage of Metasploit SCADA Modules

Metasploit, Rapid7’s open source pentesting tool is used for finding networks’ weak and vulnerable spots, and to simulate real world attacks by malicious threat actors. Although the framework contains 2,300 exploits and 3,300 total modules, of those 5,600 elements there are only about 70 that specifically target OT networks. The reason for this is that OT networks and devices require specific knowledge in the world of process and hardware engineering. They also require researchers to obtain physical access to expensive devices. SCADAfence maintains a fully equipped lab of ICS devices for ongoing research.

SCADAfence’s team of researchers are constantly testing devices and protocols used in smart building automation, to ensure their safety. They’ve developed this module in order to provide additional assistance to security teams responsible for maintaining building safety and security.

BACnet Is A Vulnerable Protocol

BACnet (Building Automation Control network) is a data communication protocol originally developed under the auspices of the American Society of Heating, Refrigeration and Air Conditioning Engineers (ASHRAE). It is the standard used in over 30 countries, including the United States, and most of Europe. It is estimated that over 60% of the global market for building automation relies on the BACnet standard. It is used to monitor and control HVAC, building security, fire alarms, automated lighting and other critical systems in smart buildings.

The BACnet protocol was originally developed in 1995 and was designed to enable communication between building devices and systems. Although BACnet is a widely adopted standard, it is insecure by design and has no built-in default protections against threat actors.

Data and information traffic between BACnet devices travels across the network unencrypted. This means that malicious actors who gain access to the network will be able to read any data they intercept. BACnet also doesn’t require authorization to join the network, so devices on the same network can communicate with each other with no restrictions. 

If they are not properly deployed, BACnet networks can be vulnerable to spoofing attacks, DDOS attacks, and more. Since these are physical systems, successful attacks can cause damage to innocent lives and to property. Therefore, proper pentesting of them is vital to building security. 

SCADAfence’s New Metasploit Module Makes BACnet Networks Safer

The new auxiliary module developed by SCADAfence, allows users to quickly discover BACnet devices hanging off the network by who-is messages, followed by get-property enumeration. This will then allow the pentester to identify the exact model, firmware version and application version that will allow them to run uniquely crafted exploits to prove vulnerable assets live inside an organization network. Asset owners can scan their network to find unpatched devices using the information they’ve gathered. This will help them better secure their network.

One of the main issues with BACnet is the traditional “Security by Obscurity” approach whereby organizations will continually push off projects to replace supposedly vulnerable equipment because there is little to no quantitative evidence to justify budgets. 

Utilizing SCADAfence’s BACnet module, security teams, asset owners, and pentesters will now have the ability to generate a detailed report of risk and exposure due to the detected BACnet devices.

Pentesters/Security teams wanting to use the new module, can access it directly from the Metasploit framework. It is part of Metasploit GA release (6.2.11)  For additional information,  contact our research team at