Closed TanyaTie closed 7 years ago
Have you checked if we pass the wrong data to the bacpypes decoder?
but I use the same nmap scan on the internet and can get a result like that:
nmap --script bacnet-info -sU -p 47808 -Pn
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-21 21:15
Nmap scan report for
Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds
I also use the whois command of "bacnet tools", and the APDU Type is "8" there too, and Wireshark can analyze the traffic correctly.
So for some reason bacpypes can't handle the type. I'll try to have a look next week.
Hi, I have a commit in testing which fixes this exception. @TanyaTie thank you for the reproducer.
The commit is now in master: https://github.com/glastopf/conpot/commit/7a9b0e961b47e2918cc27e9c281531a7b7f5d641, and the logs now look like this:
2015-06-23 12:56:43,929 DecodingError: invalid APDU type:8
2015-06-23 12:56:43,930 PDU: <PDU None -> None : 0A.00.11.01.04.00.05.01.0C.0C.02.3F.FF.FF.19.4B>
so you can see what is sent. It corresponds to function send_query in https://svn.nmap.org/nmap/scripts/bacnet-info.nse
This commit doesn't resolve the APDU Type issue though; it is just useful for debugging it.
@katkad Thank you very much. I will look at the debug info.
@TanyaTie did you have a chance to look into this?
@glaslos I found out that the original Python source file reads from the wrong place to decode the APDU Type. So I analyzed the pcap file with Wireshark and referred to the analysis.py file in bacpypes, and I finally decoded the data. So far I only have the ReadProperty service running; it's hard to understand the whole of bacpypes.
Could you elaborate a bit on your findings?
@glaslos First, I added a method "decodeBacnetUdp" to the class BacnetServer. This method decodes the UDP data from the "handle" method. The "decodeBacnetUdp" method refers to the decode_packet(data) method of the analysis.py file in bacpypes, which can return decoded APDU data. Then, in the handle method of class BacnetServer, I use the decoded APDU to do "bacnet_app.indication" and "bacnet_app.response". However, the BACnet services defined in the bacnet_app.py file need to be modified a little. I have modified the Whois-IAM service and the readProperty service. I am still working on the other services.
This is a decoding bug in BACpypes, see here: https://github.com/JoelBender/bacpypes/issues/105
Upgrading to BACpypes 0.16.1 fixes the issue.
Fixed with PR #335
@yurushao @TanyaTie I still see the issue on the latest version. It appears to me that the conpot code needs a change here.
WARNING:conpot.protocols.bacnet.bacnet_server:DecodingError - PDU: <PDU None -> None : 0a.00.11.01.04.00.05.01.0c.0c.02.3f.ff.ff.19.4b>
2021-11-03 10:46:44,151 DecodingError - PDU: <PDU None -> None : 0a.00.11.01.04.00.05.01.0c.0c.02.3f.ff.ff.19.4b>
The above error is with the latest conpot version. requirements.txt points to bacpypes==0.17.0
I am working on an ICS honeypot using the BACnet protocol in conpot. I set up conpot, and when I test BACnet using nmap (nmap --script bacnet-info -sU -p 47808 ipaddr), I get the following errors:
Actually, the APDU type should be 0. I think the APDU is checked from the wrong start index. How can I fix it?
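To make the "wrong start index" remark concrete, here is an added example (not conpot or BACpypes code) that hand-decodes the octets from the DecodingError log lines in this thread and shows how the reported APDU type depends on where a decoder believes the APDU begins. It assumes that the logged octets are the BACnet/IP frame minus its first octet 0x81 (the BVLC type that every BACnet/IP frame starts with) and that the nmap bacnet-info readProperty query carries no NPDU routing fields; both are assumptions about the capture, labelled as such in the code.

```python
"""Added example, not conpot or BACpypes code: decode the BACnet/IP frame
from this issue's DecodingError log and show where the APDU type comes from.

Assumptions (not stated in the log): the logged octets follow a 0x81 BVLC
type octet, and the frame is a plain Original-Unicast-NPDU without DNET/SNET.
"""
from dataclasses import dataclass
from typing import Optional

# Octets copied from the issue's log line; 0x81 is prepended as assumed above.
LOGGED_PDU = "0A.00.11.01.04.00.05.01.0C.0C.02.3F.FF.FF.19.4B"
BVLC_TYPE_BACNET_IP = 0x81

APDU_TYPES = {0: "Confirmed-Request", 1: "Unconfirmed-Request", 2: "SimpleACK",
              3: "ComplexACK", 4: "SegmentACK", 5: "Error", 6: "Reject", 7: "Abort"}


@dataclass
class Frame:
    bvlc_function: int            # 0x0A = Original-Unicast-NPDU
    bvlc_length: int              # whole frame length, BVLC header included
    npdu_control: int
    apdu_offset: int              # index of the first APDU octet in the frame
    apdu_type: int                # upper nibble of that first APDU octet
    service_choice: Optional[int]  # 12 = readProperty for a Confirmed-Request


def frame_bytes() -> bytes:
    """The constructed frame: 0x81 + the octets from the log (17 octets)."""
    return bytes([BVLC_TYPE_BACNET_IP]) + bytes.fromhex(LOGGED_PDU.replace(".", ""))


def npdu_header_len(npdu: bytes) -> int:
    """Octets of NPDU header (version, control, optional DNET/SNET specifiers,
    hop count) that sit between the BVLC header and the APDU."""
    control = npdu[1]
    off = 2
    if control & 0x20:            # destination specifier: DNET(2) DLEN(1) DADR(DLEN)
        off += 3 + npdu[off + 2]
    if control & 0x08:            # source specifier: SNET(2) SLEN(1) SADR(SLEN)
        off += 3 + npdu[off + 2]
    if control & 0x20:            # hop count follows whenever DNET is present
        off += 1
    return off


def parse_frame(data: bytes) -> Frame:
    """Validate the BVLC header, step over the NPDU header, read the APDU type."""
    if len(data) < 4 or data[0] != BVLC_TYPE_BACNET_IP:
        raise ValueError("not a BACnet/IP (BVLC type 0x81) frame")
    bvlc_function, bvlc_length = data[1], int.from_bytes(data[2:4], "big")
    if bvlc_length != len(data):
        raise ValueError(f"BVLC length {bvlc_length} != {len(data)} octets received")
    npdu = data[4:]
    if len(npdu) < 2 or npdu[0] != 1:
        raise ValueError("unsupported or truncated NPDU")
    control = npdu[1]
    if control & 0x80:            # network-layer message: carries no APDU
        raise ValueError("network layer message, no APDU")
    apdu_offset = 4 + npdu_header_len(npdu)
    apdu = data[apdu_offset:]
    if not apdu:
        raise ValueError("empty APDU")
    apdu_type = apdu[0] >> 4
    service = apdu[3] if apdu_type == 0 and len(apdu) >= 4 else None
    return Frame(bvlc_function, bvlc_length, control, apdu_offset, apdu_type, service)


def apdu_type_at(data: bytes, offset: int) -> int:
    """What a decoder reports as the APDU type if it takes `offset` as the
    start of the APDU: simply the upper nibble of that octet."""
    return data[offset] >> 4


def read_property_args(apdu: bytes):
    """Decode the two context-tagged readProperty parameters:
    [0] object identifier (4 octets) and [1] property identifier (1-4 octets)."""
    i = 4                         # skip type/flags, max-resp, invoke id, service choice
    if apdu[i] != 0x0C:           # context tag 0, length 4
        raise ValueError("expected object identifier")
    obj = int.from_bytes(apdu[i + 1:i + 5], "big")
    obj_type, instance = obj >> 22, obj & 0x3FFFFF
    i += 5
    if (apdu[i] >> 4) != 1 or not (apdu[i] & 0x08):  # context tag 1
        raise ValueError("expected property identifier")
    plen = apdu[i] & 0x07
    prop = int.from_bytes(apdu[i + 1:i + 1 + plen], "big")
    return obj_type, instance, prop


if __name__ == "__main__":
    data = frame_bytes()
    f = parse_frame(data)
    print(f"APDU at offset {f.apdu_offset}: type {f.apdu_type} "
          f"({APDU_TYPES[f.apdu_type]}), service choice {f.service_choice}")
    print("object type, instance, property:", read_property_args(data[f.apdu_offset:]))
    print("type read from offset 0 (the 0x81 BVLC octet):", apdu_type_at(data, 0))
```

Under these assumptions the APDU starts at frame offset 6 and its first octet is 0x00, so the type is 0 (Confirmed-Request) with service choice 12 (readProperty) for object device,4194303 and property 75, which matches what the thread says the type should be. Reading the type from the very first octet of the frame instead gives 0x81 >> 4 = 8, the value in the "invalid APDU type:8" log line, so an off-by-a-header start index is enough to explain that error; the BVLC length check in parse_frame is the kind of validation a honeypot decoder wants before trusting any offset into attacker-supplied data.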