Some IoT Pentesting hints -- keep on update


A. Collect the information about the device
    i.data sheets
    ii.product features
    iii.installation guide and user manual download from the vendor
    website or use google dorks to get the data

 B. as per device name and model number or hardware information check for publicly available exploits -exploit db , or exploit search engines useful search engines for the exploits
    https://sploitus.com/
    https://vulmon.com/
    http://www.exploitsearch.com/
    https://www.nmmapper.com/searchindex/s/

     There are special search engines for IoT which helps us to find the more insecure devices which is publicly available
     i. shodan
     ii. censys
     iii.zoomeye
     iv. onphye

C. Making a detailed list
    i. Write all features list of the device
    ii. Make list publicly available exploits
    iii.Start making your own method to pentest it -
    before that understand device more clearly

 D. Common approach for the IoT Pentesting Methodology
     i.Network
     ii.embedded applications
     iii.mobile apps Android and ios
     iv.wireless communications
     v.firmware reversing
     vi.hardware exploitation
     vii.Side channel attacks
     viii. radio communication attacks



A little more information 



I.Network:

There is a much difference between the network pentesting in the IoT World until new protocol is added.

1. scan for the open ports and services version 
2. easy one we can search for the already available as per the running services version 
3. internal connected device connected to any other network outside use "netstat -antp" but we need a telnet access for this 
4. FTP anon is a common bug in many IoT devices 
5. search in firmware any network service related binary or script which help us lead the find a bug 
6. debug the all network services (from extracted firmware)

II. Embedded Applications:

1. Do not think SQL injection until we got to know that device is communicating to a db with help of SQL 
2. Most we need to look for the Command Injection and RCE 
3. XSS(Stored high chances) Input locations always there to configure some of the settings which saves data
4. Mostly hardening is the solutions to fix the broken security configurations like authentication and authorization 
5. Bruteforce on auth pages
6. Finding the parameters and access them without auth directly 
7. Surely we will get more logical bugs than the technical bugs 
8. all depends web technologies what they use 
9. CSRF can always possible to depends on the Options enabled and account creation or settings pages
10. Webservices CoAP, REST Api
and MQTTweb configurations for auth issues encrypted communication  
10. Useful tools 
    i. Burpsuite ( with plugins) & ZAP Proxy 
    ii. Wireshark 
    iii. Postman 
    

III.Mobile APPS android and iOS:

For Android:
i. use dex2jar to convert the apk to jar file a
2. manually check for the data and look for write data service working exposure
3. check for the data is going to communicate with the device encrypted way or not 

Usefultools
    1. MobSF - Static analysis
    2. Frida , burpsuite, apktool, dex2jar
    3. OS- android tamer or Moblexer or IoT-PT 
For iOS:
(will write soon)

IV.Wireless Communications:

1. Wireless communications -  WiFi (ClientSide), ZigBee, Zwave, Bluetooth,LoRA
WiFi(Wireless Fidility):


V.Firmware Reversing:

1. basic checks for hardcoded credentials and private certificates 
2. services exploits - running services binaries - like (ipv4, telnetd, ssh services , FTPD, encrypted binaries , authentication related binaries , decryption related binary/scripts 
and search for more services and features and config files 
3. check for syslinks will give an idea for the working way or services saving files one folder saving or communication will update here
4. Tools which helps you: 
    1. binwalk - extractor and many more 
    2. FACT tool - static analysis 
    3. Firmware Mod Kit
    4. Fwanalyzer 
    5. Qemu - dynamic analysis
    6. Qiling - for dynamic analysis
    7. FAT - Firmware analysis tool 

Comments

Post a Comment

Popular posts from this blog

VR Model P1 - 360 degree camera

Image
This article is one of my very old assessment for fun i did (and it is done 2017) got it by recovering hard disk and assigned CVE ID - (CVE-2020-23512) . Here my target to  test 360 degree camera which trending in the IP camera world recently, what we going test model P1 VR camera. What is VR camera..? In photography, an omnidirectional camera (from "Omni", meaning all) is a camera with a 360-degree field of view in the horizontal plane, or with a visual field that covers (approximately) the entire sphere. Omnidirectional cameras are important in areas where large visual field coverage is needed, such as in panoramic photography and robotics. VR CAM P1 Proxy Eye Fisheye Camera IP 3D Vr 360 Degree Panoramic 960P Wi-Fi CCTV Camera With Sd Memory Card Slot Multi Viewing Mode Features of this VR CAMERA:    Brand VR CAM Model P1 Product Dimension 15 x 15 x 5 cm Resolution 960p Android/iOS Devices Additional Featur
Read more

Buspirate v3.6 firmware upgrade from USB

Image
Buspirate:  The Bus Pirate v3.6a, created by Ian Lesnet, is a troubleshooting tool that communicates between a PC and any embedded device over 1-wire, 2-wire, 3-wire, UART, I2C, SPI, and HD44780 LCD protocols - all at voltages from 0-5.5VDC. This product eliminates a ton of early prototyping effort when working with new or unknown chips. Upgrading Firmware: buspirate will not come with new firmware so it has to be change by us. buspirate v4 : Supports firmware version 7  buspirate v3.x:  Supports firmware version 6&7 (note : firmware version 7 may hurt the device hardware not fully tested from my side doit in your won risk) Requirements: Buspirate firmware and loader : https://github.com/DangerousPrototypes/Bus_Pirate/tree/master/BPv3-bootloader ICSP pins. in these pins there are two of them which is  PGD and PGC   helps us to load the firmware into it . T he PGC and PGD pins with a jumper cable. When you are in the bootloader, the MODE LED of the Bus Pirate will stay on connect th
Read more

Dumping the Firmware from the device Using buspirate - SPI

Image
One of the best way to get the firmware from the hardware While doing penetration testing there are scenarios in which we need to dump the firmware from the devices.This method is typically used when there are no firmware’s available from vendor site. Today we are going to show you how to dump the firmware from an Wireless router Binatone DT 850W Software and hardware Requirements: Buspirate Ubuntu 16.04 or any other Linux machine Flashrom tool SOIC cable pin 8 Buspirate connectors               This is a Wireless router from Binatone DT 850W which will be used as an example for dumping the firmware. Let’s us Analyze the Inside Device.You can see IC chips like  EEPROM, UART  pins and Ralink  CPU  and also some Other   IC  chips Let us focus mainly on the  EEPROM chip (winbond W25Q16). What is EEPROM : EEPROM (also written E2PROM and pronounced “e-e-prom”, “double-e-prom” or “e-squared-prom”) stands for electrically erasable program
Read more