awesome-connected-things-sec/README.md

# IoT Pentesting 101 && IoT Security 101	![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg) 



## **Approach Methodology** 
  1. Network 
  2. Web (Front & Backend and Web services)
  3. Mobile App(Android & iOS)
  4. Wireless Connectivity 
  5. Firmware Pentesting(Hardware or IoT device OS)
  6. Hardware Level Approach 
  7. Storage Areas

### ***To seen Hacked devices***
1. https://blog.exploitee.rs/2018/10/
2. https://www.exploitee.rs/
3. https://forum.exploitee.rs/
4. [Your Lenovo Watch X Is Watching You & Sharing What It Learns](https://www.checkmarx.com/blog/lenovo-watch-watching-you/)
5. [Your Smart Scale is Leaking More than Your Weight: Privacy Issues in IoT](https://www.checkmarx.com/blog/smart-scale-privacy-issues-iot/)
6. [Smart Bulb Offers Light, Color, Music, and… Data Exfiltration?](https://www.checkmarx.com/blog/smart-bulb-exfiltration/)
7. [Besder-IPCamera analysis](http://blog.0x42424242.in/2019/04/besder-investigative-journey-part-1_24.html)
8. [Smart Lock](https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/)
9. [Subaru Head Unit Jailbreak](https://github.com/sgayou/subaru-starlink-research/blob/master/doc/README.md)
10. [Jeep Hack](http://illmatics.com/Remote%20Car%20Hacking.pdf)

## Contents
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

### ***Telegram group for IoT Security***

- <https://t.me/iotsecurity1011>

### ***Discord Group for IoT Security and CTF***
- https://discord.gg/EH9dxT9

### ***Books***
- [Android Hacker's Handbook](https://www.amazon.in/Android-Hackers-Handbook-MISL-WILEY-Joshua/dp/812654922X)
- [Hacking the Xbox](https://www.nostarch.com/xboxfree)
- [Car hacker's handbook](http://opengarages.org/handbook)
- [IoT Penetration Testing Cookbook](https://www.packtpub.com/networking-and-servers/iot-penetration-testing-cookbook)
- [Abusing the Internet of Things](https://www.amazon.in/Abusing-Internet-Things-Blackouts-Freakouts-ebook/dp/B013VQ7N36)
- [Hardware Hacking: Have Fun while Voiding your Warranty](https://www.elsevier.com/books/hardware-hacking/grand/978-1-932266-83-2)
- [Linksys WRT54G Ultimate Hacking](https://www.amazon.com/Linksys-WRT54G-Ultimate-Hacking-Asadoorian/dp/1597491667)
- [Linux Binary Analysis](https://www.packtpub.com/networking-and-servers/learning-linux-binary-analysis)
- [Firmware](https://www.amazon.com/Firmware-Handbook-Embedded-Technology/dp/075067606X)

### ***Blogs for iotpentest***
1. http://iotpentest.com/
2. https://blog.attify.com
3. https://payatu.com/blog/
4. http://jcjc-dev.com/
5. https://w00tsec.blogspot.in/
6. http://www.devttys0.com/
7. https://www.rtl-sdr.com/
8. https://keenlab.tencent.com/en/
9. https://courk.cc/
10. https://iotsecuritywiki.com/
11. https://cybergibbons.com/
12. http://firmware.re/
13. https://iotmyway.wordpress.com/
14. http://blog.k3170makan.com/
15. https://blog.tclaverie.eu/
16. http://blog.besimaltinok.com/category/iot-pentest/
17. https://ctrlu.net/
18. https://duo.com/decipher/
19. http://www.sp3ctr3.me
20. http://blog.0x42424242.in/
21. https://dantheiotman.com/
22. https://blog.danman.eu/
23. https://quentinkaiser.be/
24. https://blog.quarkslab.com
25. https://blog.ice9.us/

### ***Awesome Nmap CheatSheet***
- https://github.com/gnebbia/nmap_tutorial

### ***Search Engines for IoT Devices***
1. [Shodan](https://www.shodan.io/)
2. [FOFA](https://fofa.so/?locale=en)
3. [Censys](https://censys.io/)
4. [Zoomeye](https://www.zoomeye.org/about)
5. [ONYPHE](https://www.onyphe.io/)

### ***CTF For IoT's And Embeddded***
1. https://github.com/hackgnar/ble_ctf
2. https://www.microcorruption.com/
3. https://github.com/Riscure/Rhme-2016
4. https://github.com/Riscure/Rhme-2017
5. https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html
6. https://github.com/scriptingxss/IoTGoat

### ***YouTube Channels for IoT Pentesting***
1. [Liveoverflow](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w)
2. [Binary Adventure](https://www.youtube.com/channel/UCSLlgiYtOXZnYPba_W4bHqQ)
3. [EEVBlog](https://www.youtube.com/user/EEVblog)
4. [JackkTutorials](https://www.youtube.com/channel/UC64x_rKHxY113KMWmprLBPA)
5. [Craig Smith](https://www.youtube.com/channel/UCxC8G4Oeed4N0-GVeDdFoSA)
6. [iotpentest [Mr-IoT]](https://www.youtube.com/channel/UCe2mJv2FPRFhYJ7dvNdYR4Q)
7. [Besim ALTINOK - IoT - Hardware - Wireless](https://www.youtube.com/channel/UCnIV7A3kDL4JXJEljpW6TRQ/playlists)
8. [Ghidra Ninja](https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw)


### ***IoT security vulnerabilites checking guides***

- [Reflecting upon OWASP TOP-10 IoT Vulnerabilities](https://embedi.org/blog/reflecting-upon-owasp-top-10-iot-vulnerabilities/)
- [OWASP IoT Top 10 2018 Mapping Project](https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/)

### ***Labs for Practice*** ####
- [IoT Goat](https://github.com/scriptingxss/IoTGoat)

### ***Exploitation Tools & OS***
- [Expliot - IoT Exploitation framework - by Aseemjakhar](https://gitlab.com/expliot_framework/expliot)
- [AttifyOS - IoT Pentest OS - by Aditya Gupta](https://github.com/adi0x90/attifyos)
- [Ubutnu Best Host Linux for IoT's - Use LTS](https://www.ubuntu.com/)
- [A Small, Scalable Open Source RTOS for IoT Embedded Devices](https://www.zephyrproject.org/)
- [Skywave Linux- Software Defined Radio for Global Online Listening](https://skywavelinux.com/)
- [Routersploit (Exploitation Framework for Embedded Devices)](https://github.com/threat9/routersploit)
- [IoTSecFuzz (comprehensive testing for IoT device)](https://gitlab.com/invuls/iot-projects/iotsecfuzz)

### ***Reverse Enginnering Tools***
- [IDA Pro](https://www.youtube.com/watch?v=fgMl0Uqiey8)
- [GDB](https://www.youtube.com/watch?v=fgMl0Uqiey8)
- [Radare2](https://radare.gitbooks.io/radare2book/content/)
- [Ghidra](https://ghidra-sre.org/)


## ***Introduction***

- [Introduction to IoT](https://en.wikipedia.org/wiki/Internet_of_things)
- [IoT Architecture](https://www.c-sharpcorner.com/UploadFile/f88748/internet-of-things-part-2/)
- [IoT attack surface](https://www.owasp.org/index.php/IoT_Attack_Surface_Areas)
- [IoT Protocols Overview](https://www.postscapes.com/internet-of-things-protocols/) 


## ***IoT Protocols Pentesting*** 

### ***MQTT***
- [Introduction](https://www.hivemq.com/blog/mqtt-essentials-part-1-introducing-mqtt)
- [Hacking the IoT with MQTT](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b)
- [thoughts about using IoT MQTT for V2V and Connected Car from CES 2014](https://mobilebit.wordpress.com/tag/mqtt/)
- [Nmap](https://nmap.org/nsedoc/lib/mqtt.html)
- [The Seven Best MQTT Client Tools](https://www.hivemq.com/blog/seven-best-mqtt-client-tools)
- [A Guide to MQTT by Hacking a Doorbell to send Push Notifications](https://youtu.be/J_BAXVSVPVI)


### ***CoAP***
- [Introduction](http://coap.technology/)
- [CoAP client Tools](http://coap.technology/tools.html)
- [CoAP Pentest Tools](https://bitbucket.org/aseemjakhar/expliot_framework)
- [Nmap](https://nmap.org/nsedoc/lib/coap.html)

### ***Automobile***
  CanBus
- [Introduction and protocol Overview](https://www.youtube.com/watch?v=FqLDpHsxvf8)	
- [PENTESTING VEHICLES WITH CANTOOLZ](https://www.blackhat.com/docs/eu-16/materials/eu-16-Sintsov-Pen-Testing-Vehicles-With-Cantoolz.pdf)
- [Building a Car Hacking Development Workbench: Part1](https://blog.rapid7.com/2017/07/11/building-a-car-hacking-development-workbench-part-1/)
- [CANToolz - Black-box CAN network analysis framework](https://github.com/CANToolz/CANToolz)
- [PLAYING WITH CAN BUS](https://blog.danman.eu/playing-with-can-bus/)


### ***Radio IoT Protocols Overview***
- [Understanding Radio](https://www.taitradioacademy.com/lessons/introduction-to-radio-communications-principals/)
- [Signal Processing]()
- [Software Defined Radio](https://www.allaboutcircuits.com/technical-articles/introduction-to-software-defined-radio/)
- [Gnuradio](https://wiki.gnuradio.org/index.php/Guided_Tutorial_GRC#Tutorial:_GNU_Radio_Companion)
- [Creating a flow graph](https://blog.didierstevens.com/2017/09/19/quickpost-creating-a-simple-flow-graph-with-gnu-radio-companion/)
- [Analysing radio signals](https://www.rtl-sdr.com/analyzing-433-mhz-transmitters-rtl-sdr/)
- [Recording specific radio signal](https://www.rtl-sdr.com/freqwatch-rtl-sdr-frequency-scanner-recorder/)
- [Replay Attacks](https://www.rtl-sdr.com/tutorial-replay-attacks-with-an-rtl-sdr-raspberry-pi-and-rpitx/)

### ***Base transceiver station (BTS)***
- [what is base tranceiver station](https://en.wikipedia.org/wiki/Base_transceiver_station)
- [How to Build Your Own Rogue GSM BTS](https://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/)

### ***GSM & SS7 Pentesting***
- [Introduction to GSM Security](http://www.pentestingexperts.com/introduction-to-gsm-security/)
- [GSM Security 2 ](https://www.ehacking.net/2011/02/gsm-security-2.html)
- [vulnerabilities in GSM security with USRP B200](https://ieeexplore.ieee.org/document/7581461/)
- [Security Testing 4G (LTE) Networks](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-44con-lte-presentation-2012-09-11.pdf)
- [Case Study of SS7/SIGTRAN Assessment](https://nullcon.net/website/archives/pdf/goa-2017/case-study-of-SS7-sigtran.pdf)
- [Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP](https://github.com/SigPloiter/SigPloit)
- [ss7MAPer – A SS7 pen testing toolkit](https://n0where.net/ss7-pentesting-toolkit-ss7maper)
- [Introduction to SIGTRAN and SIGTRAN Licensing](https://www.youtube.com/watch?v=XUY6pyoRKsg)
- [SS7 Network Architecture](https://youtu.be/pg47dDUL1T0)
- [Introduction to SS7 Signaling](https://www.patton.com/whitepapers/Intro_to_SS7_Tutorial.pdf)
- [Breaking LTE on Layer Two](https://alter-attack.net/)

### ***Zigbee & Zwave***
- [Introduction and protocol Overview](http://www.informit.com/articles/article.aspx?p=1409785)
- [Hacking Zigbee Devices with Attify Zigbee Framework](https://blog.attify.com/hack-iot-devices-zigbee-sniffing-exploitation/)
- [Hands-on with RZUSBstick](https://uk.rs-online.com/web/p/radio-frequency-development-kits/6962415/) 
- [ZigBee & Z-Wave Security Brief](http://www.riverloopsecurity.com/blog/2018/05/zigbee-zwave-part1/)

### ***BLE Intro and Tools***
  - [Step By Step guide to BLE Understanding and Exploiting](https://github.com/V33RU/BLE-NullBlr)
  - [Traffic Engineering in a  Bluetooth Piconet](http://www.diva-portal.org/smash/get/diva2:833159/FULLTEXT01.pdf)
  - [BLE Characteristics](https://devzone.nordicsemi.com/tutorials/b/bluetooth-low-energy/posts/ble-characteristics-a-beginners-tutorial0)
   Reconnaissance (Active and Passive) with HCI Tools
    - [btproxy](https://github.com/conorpp/btproxy)
    - [hcitool & bluez](https://www.pcsuggest.com/linux-bluetooth-setup-hcitool-bluez)
    - [Testing With GATT Tool](https://www.jaredwolff.com/blog/get-started-with-bluetooth-low-energy/)
    - [Cracking encryption](https://github.com/mikeryan/crackle)
    - [bettercap](https://github.com/bettercap/bettercap)
    - [BtleJuice Bluetooth Smart Man-in-the-Middle framework](https://github.com/DigitalSecurity/btlejuice)
    - [gattacker](https://github.com/securing/gattacker)
    - [BTLEjack Bluetooth Low Energy Swiss army knife](https://github.com/virtualabs/btlejack)
### ***BLE Pentesting Tutorials***
  - [Bluetooth vs BLE Basics](https://github.com/V33RU/BLE-NullBlr)
  - [Intel Edison as Bluetooth LE — Exploit box](https://medium.com/@arunmag/intel-edison-as-bluetooth-le-exploit-box-a63e4cad6580)
  - [How I Reverse Engineered and Exploited a Smart Massager](https://medium.com/@arunmag/how-i-reverse-engineered-and-exploited-a-smart-massager-ee7c9f21bf33)
  - [My journey towards Reverse Engineering a Smart Band — Bluetooth-LE RE](https://medium.com/@arunmag/my-journey-towards-reverse-engineering-a-smart-band-bluetooth-le-re-d1dea00e4de2)
  - [Bluetooth Smartlocks](https://www.getkisi.com/blog/smart-locks-hacked-bluetooth-ble)
  - [I hacked MiBand 3](https://medium.com/@yogeshojha/i-hacked-xiaomi-miband-3-and-here-is-how-i-did-it-43d68c272391)
  - [GATTacking Bluetooth Smart Devices](https://securing.pl/en/gattacking-bluetooth-smart-devices-introducing-a-new-ble-proxy-tool/index.html)
  


### ***Mobile security (Android & iOS)***
 - [Android](https://www.packtpub.com/hardware-and-creative/learning-pentesting-android-devices)
 - [Android Pentest Video Course](https://www.youtube.com/watch?v=zHknRia3I6s&list=PLWPirh4EWFpESLreb04c4eZoCvJQJrC6H)
 - [IOS Pentesting](https://web.securityinnovation.com/hubfs/iOS%20Hacking%20Guide.pdf?)

### ***ARM***
- [Azeria Labs](https://azeria-labs.com/)
- [ARM EXPLOITATION FOR IoT](https://www.exploit-db.com/docs/english/43906-arm-exploitation-for-iot.pdf)
- [Static Binary analysis ARMV7](https://github.com/CJHackerz/easy_iotsec-arm)
- [Damn Vulnerable ARM Router (DVAR)](https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html)
- [EXPLOIT.EDUCATION](https://exploit.education/)

### ***Firmware Pentest***
 - [Firmware analysis and reversing](https://www.owasp.org/index.php/IoT_Firmware_Analysis)
 - [Firmware emulation with QEMU](https://www.youtube.com/watch?v=G0NNBloGIvs)
 - [Dumping Firmware using Buspirate](http://iotpentest.com/tag/pulling-firmware/)
 - [Reversing ESP8266 Firmware](https://boredpentester.com/reversing-esp8266-firmware-part-1/)
 
### ***Firmware to pentest***
 - [Download From here](https://firmware.center/)

### ***IoT hardware Overview***
 - [IoT Hardware Guide](https://www.postscapes.com/internet-of-things-hardware/)	
 
### ***Hardware Gadgets to pentest***
  - [Bus Pirate](https://www.sparkfun.com/products/12942)
  - [EEPROM readers](https://www.ebay.com/bhp/eeprom-reader)
  - [Jtagulator / Jtagenum](https://www.adafruit.com/product/1550)
  - [Logic Analyzer](https://www.saleae.com/)
  - [The Shikra](https://int3.cc/products/the-shikra)
  - [FaceDancer21 (USB Emulator/USB Fuzzer)](https://int3.cc/products/facedancer21)
  - [RfCat](https://int3.cc/products/rfcat)
  - [Hak5Gear- Hak5FieldKits](https://hakshop.com/)
  - [Ultra-Mini Bluetooth CSR 4.0 USB Dongle Adapter](https://www.ebay.in/itm/Ultra-Mini-Bluetooth-CSR-4-0-USB-Dongle-Adapter-Black-Golden-with-2-yr-wrnty-/332302813975)
  - [Attify Badge - UART, JTAG, SPI, I2C (w/ headers)](https://www.attify-store.com/products/attify-badge-assess-security-of-iot-devices)
  - [Ubertooth](https://github.com/greatscottgadgets/ubertooth/wiki/Ubertooth-One)
    
### ***Attacking Hardware Interfaces***
   -	[Serial Terminal Basics](https://learn.sparkfun.com/tutorials/terminal-basics/all)
   -  [Reverse Engineering Serial Ports](http://www.devttys0.com/2012/11/reverse-engineering-serial-ports/)
   -  [REVERSE ENGINEERING ARCHITECTURE AND PINOUT OF CUSTOM ASICS](https://sec-consult.com/en/blog/2019/02/reverse-engineering-architecture-pinout-plc/)

### ***UART***
   - [Identifying UART interface](https://www.mikroe.com/blog/uart-serial-communication)
   - [onewire-over-uart](https://github.com/dword1511/onewire-over-uart)
   - [Accessing sensor via UART](http://home.wlu.edu/~levys/courses/csci250s2017/SensorsSignalsSerialSockets.pdf)
   - [Using UART to connect to a chinese IP cam](https://www.davidsopas.com/using-uart-to-connect-to-a-chinese-ip-cam/)
   - [A journey into IoT – Hardware hacking: UART](https://techblog.mediaservice.net/2019/03/a-journey-into-iot-hardware-hacking-uart/)
   
### ***JTAG***
   - [Identifying JTAG interface](https://blog.senr.io/blog/jtag-explained)
   - [NAND Glitching Attack](http://www.brettlischalk.com/posts/nand-glitching-wink-hub-for-root)
   
### ***SideChannel Attacks***
   - [All Attacks](https://yifan.lu/)
   
## ***Vulnerable IoT and Hardware Applications***

  - IoT : https://github.com/Vulcainreo/DVID

  - Safe : https://insinuator.net/2016/01/damn-vulnerable-safe/

  - Router : https://github.com/praetorian-code/DVRF

  - SCADA : https://www.slideshare.net/phdays/damn-vulnerable-chemical-process

  - PI : https://whitedome.com.au/re4son/sticky-fingers-dv-pi/

  - SS7 Network: https://www.blackhat.com/asia-17/arsenal.html#damn-vulnerable-ss7-network

 -  VoIP : https://www.vulnhub.com/entry/hacklab-vulnvoip,40/