Port 3250: HICP — The Industrial Gateway Whisperer

What Port 3250 Is

Port 3250 carries HICP: the Host IP Configuration Protocol, a proprietary protocol created by HMS Networks for their Anybus line of industrial communication gateways.

HICP has one job: find Anybus devices on a network and configure their IP settings. When you run the Anybus IPconfig utility, it broadcasts UDP packets on port 3250 and listens for responses from any HMS device that hears them. The device answers with its current IP, MAC address, and configuration state. You can then push a new IP to it — no password required, unless someone explicitly set one.

This isn't a flaw in the sense that it surprised anyone. It's the intended behavior. HICP was designed for factory networks where devices arrive unconfigured and need to be provisioned quickly.

The Range It Belongs To

Port 3250 sits in the registered ports range (1024–49151). These ports aren't freely claimable like the ephemeral range, but they're also not as strictly controlled as well-known ports (0–1023). IANA maintains a registry for this range — but port 3250 has no official IANA assignment. HMS Networks simply chose it for their product and documented it in their own manuals.

That's common in industrial software. A vendor picks a port, builds it into firmware shipped across thousands of devices, and the port becomes "theirs" through installed base rather than formal registration.

The Security Reality

HICP is unencrypted. Authentication is disabled by default. A security researcher at SensePost documented in 2024 that you can discover, identify, and reconfigure Anybus devices using nothing but crafted UDP packets to port 3250 — no credentials, no handshake.¹

HMS does offer SHICP (Secure HICP), which adds authentication. But it requires someone to configure it. On factory networks that were never designed to be Internet-facing, it often isn't.²

If you see port 3250 open on a device you didn't put there, you're looking at an HMS Anybus gateway. That's a meaningful thing to know.

How to Check What's Listening

On Linux or macOS:

# Check if anything is bound to port 3250
sudo lsof -i :3250
sudo ss -ulnp | grep 3250

On Windows:

netstat -ano | findstr :3250

To scan your network for devices broadcasting on this port:

# Passive: listen for HICP broadcasts
sudo tcpdump -n udp port 3250

# Active: use nmap to find listeners
nmap -sU -p 3250 192.168.1.0/24

If you find something, it's almost certainly an HMS Anybus device. Check the MAC address — HMS Networks OUIs will confirm it.

Why Unassigned Ports Matter

The registered port range has 48,128 slots. IANA has formally assigned only a fraction of them. The rest are used informally by vendors, developers, and protocols that grew through deployment rather than standardization.

Port 3250 is a clean example of how this works in practice: a protocol exists, it has a specific port, thousands of industrial devices use it, security researchers study its vulnerabilities — and yet IANA's registry shows nothing. The port is both anonymous and well-known, depending entirely on whether you know what to look for.