KNX Home Automation Security Auditing: KNXmap

2016-09-23T17:09:07
ID N0WHERE:118918
Type n0where
Reporter N0where
Modified 2016-09-23T17:09:07

Description

KNX Home Automation Security Auditing


A tool for scanning and auditing KNXnet/IP gateways on IP driven networks. KNXnet/IP defines Ethernet as physical communication media for KNX (EN 50090, ISO/IEC 14543). KNXmap also allows to scan for devices on the KNX bus via KNXnet/IP gateways. In addition to scanning, KNXmap supports other modes to interact with KNX gateways like monitor bus messages or write arbitrary values to group addresses.

KNXmap requires Python 3.3 or newer. There are no external dependencies, everything is included in the standard library. Users of Python 3.3 need to install the asyncio module from PyPI .

Install and run KNXmap:

python setup.py install
knxmap.py --help

Or just invoke the script locally:

chmod +x knxmap.py
./knxmap.py --help

Hacking

Enable full debugging and verbosity for development:

PYTHONASYNCIODEBUG=1 knxmap.py -v scan 192.168.178.20 1.1.0-1.1.6 --bus-info

Scanning Modes


KNXmap supports three different scanning modes:

  • Identifying KNX gateways via unicast discovery messages (default scan mode)
  • Scan for bus devices attached to KNX gateways (with optional device fingerprinting)
  • Searching KNX gateways via multicast messages (with --search )

Discovery Mode

This is the default mode of KNXmap. It sends KNX description request to the supplied targets in order to chceck if they are KNXnet/IP gateways.

knxmap.py scan 192.168.1.100

KNXmap supports to scan multiple targets at once by supplying multiple IP addresses separated by a space. Targets can also be defined as networks in CIDR notation:

knxmap.py scan 192.168.1.100 192.168.1.110 192.168.2.0/24

Bus Mode

In addition to the discovery mode, KNXmap also supports to scan for devices on the KNX bus.

knxmap.py scan 192.168.1.100 1.1.5

KNXmap also supports bus address ranges:

knxmap.py scan 192.168.1.100 1.0.0-1.1.255

The default mode is to only check if sending messages to a address returns an error or not. This helps to identify potential devices and alive targets.

Bus Device Fingerprinting

In addition to the default bus scanning KNXmap can also extract basic information from devices for further identification by supplying the --bus-info argument:

knxmap.py scan 192.168.1.100 1.1.5 --bus-info

Search Mode

KNX supports finding devices by sending multicast packets that should be answered by any KNXnet/IP gateway. KNXmap supports gateway searching via the --search flag. It requires the -i / --interface and superuser privileges:

sudo knxmap.py --interface eth1 search

Note : Packet filtering rules might block the response packets. If there are no KNXnet/IP gateways answering their packets might be dropped by netfilter/iptables rules.

Bus Monitoring


KNXmap supports two different monitoring modes:

  • Bus monitoring: prints the raw messages received from the KNX bus.

    knxmap.py monitor 192.168.1.100

  • Group monitoring: prints all group messages received from the KNX bus.

    knxmap.py monitor 192.168.1.100 --group-monitor

These monitoring modes can be useful for debugging communication on the bus. Additionally, they can be used for passive information gathering which allows to identify bus devices without sending messages to any individual or group address. Especially motion sensors or other devices that frequently send messages to the bus can easily be identified via bus monitoring.

Key Bruteforcing

KNXmap supports bruteforcing of authentication keys:

knxmap.py brute 192.168.0.10 1.1.1

Group Messages

KNXmap allows one to write arbitrary values to any group address on the bus. The following example writes the value 1 to the group address 0/0/1 :

knxmap.py write 192.168.1.100 0/0/1 1

KNX Home Automation Security Auditing: KNXmap documentation

KNX Home Automation Security Auditing: KNXmap Download