IoT Pentesting 101 && IoT Security 101

---

Approach Methodology

1. Network
2. Web (Front & Backend and Web services)
3. Mobile App(Android & iOS)
4. Wireless Connectivity
5. Firmware Pentesting(Hardware or IoT device OS)
6. Hardware Level Approach

---

To seen Hacked devices

1. https://blog.exploitee.rs/2018/10/
2. https://www.exploitee.rs/
3. https://forum.exploitee.rs/
4. Your Lenovo Watch X Is Watching You & Sharing What It Learns
5. Your Smart Scale is Leaking More than Your Weight: Privacy Issues in IoT
6. Smart Bulb Offers Light, Color, Music, and… Data Exfiltration?
7. Besder-IPCamera analysis
8. Smart Lock
9. Subaru Head Unit Jailbreak
10. Jeep Hack

---

Contents

---

Telegram groups for IoT Security

• https://t.me/iotsecurity1011
• https://t.me/hardwareHackingBrasil
• https://t.me/joinchat/JAMxOg5YzdkGjcF3HmNgQw

---

Discord Group for IoT Security and CTF

• https://discord.gg/EH9dxT9

---

Books

• Android Hacker's Handbook
• Hacking the Xbox
• Car hacker's handbook
• IoT Penetration Testing Cookbook
• Abusing the Internet of Things
• Hardware Hacking: Have Fun while Voiding your Warranty
• Linksys WRT54G Ultimate Hacking
• Linux Binary Analysis
• Firmware
• Hardware Hacking Handbook
• inside radio attack and defense

---

Blogs for iotpentest

1. https://payatu.com/blog/
2. http://jcjc-dev.com/
3. https://w00tsec.blogspot.in/
4. http://www.devttys0.com/
5. https://www.rtl-sdr.com/
6. https://keenlab.tencent.com/en/
7. https://courk.cc/
8. https://iotsecuritywiki.com/
9. https://cybergibbons.com/
10. http://firmware.re/
11. https://iotmyway.wordpress.com/
12. http://blog.k3170makan.com/
13. https://blog.tclaverie.eu/
14. http://blog.besimaltinok.com/category/iot-pentest/
15. https://ctrlu.net/
16. http://iotpentest.com/
17. https://blog.attify.com
18. https://duo.com/decipher/
19. http://www.sp3ctr3.me
20. http://blog.0x42424242.in/
21. https://dantheiotman.com/
22. https://blog.danman.eu/
23. https://quentinkaiser.be/
24. https://blog.quarkslab.com
25. https://blog.ice9.us/
26. https://labs.f-secure.com/
27. https://mg.lol/blog/

---

Awesome CheatSheets

• Hardware Hacking
• Nmap

---

Search Engines for IoT Devices

1. Shodan
2. FOFA
3. Censys
4. Zoomeye
5. ONYPHE

---

CTF For IoT's And Embeddded

1. https://github.com/hackgnar/ble_ctf
2. https://www.microcorruption.com/
3. https://github.com/Riscure/Rhme-2016
4. https://github.com/Riscure/Rhme-2017
5. https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html
6. https://github.com/scriptingxss/IoTGoat

---

YouTube Channels for IoT Pentesting

1. Liveoverflow
2. Binary Adventure
3. EEVBlog
4. JackkTutorials
5. Craig Smith
6. iotpentest [Mr-IoT]
7. Besim ALTINOK - IoT - Hardware - Wireless
8. Ghidra Ninja

---

Vehicle Security Resources

• https://github.com/jaredthecoder/awesome-vehicle-security

---

IoT security vulnerabilites checking guides

• Reflecting upon OWASP TOP-10 IoT Vulnerabilities
• OWASP IoT Top 10 2018 Mapping Project

---

IoT Gateway Software

• Webthings by Mozilla - RaspberryPi

Labs for Practice

---

• IoT Goat

---

IoT Pentesting OSes

• Sigint OS- LTE IMSI Catcher
• Instatn-gnuradio OS - For Radio Signals Testing
• AttifyOS - IoT Pentest OS - by Aditya Gupta
• Ubutnu Best Host Linux for IoT's - Use LTS
• Internet of Things - Penetration Testing OS

---

Exploitation Tools

• Expliot - IoT Exploitation framework - by Aseemjakhar
• A Small, Scalable Open Source RTOS for IoT Embedded Devices
• Skywave Linux- Software Defined Radio for Global Online Listening
• Routersploit (Exploitation Framework for Embedded Devices)
• IoTSecFuzz (comprehensive testing for IoT device)

---

Reverse Engineering Tools

• IDA Pro
• GDB
• Radare2
• Ghidra

---

Introduction

• Introduction to IoT
• IoT Architecture
• IoT attack surface
• IoT Protocols Overview

---

MQTT

• Introduction
• Hacking the IoT with MQTT
• thoughts about using IoT MQTT for V2V and Connected Car from CES 2014
• Nmap
• The Seven Best MQTT Client Tools
• A Guide to MQTT by Hacking a Doorbell to send Push Notifications
• Are smart homes vulnerable to hacking

Softwares

• Mosquitto
• HiveMQ
• MQTT Explorer

---

CoAP

• Introduction
• CoAP client Tools
• CoAP Pentest Tools
• Nmap

---

Automobile

CanBus

• Introduction and protocol Overview
• PENTESTING VEHICLES WITH CANTOOLZ
• Building a Car Hacking Development Workbench: Part1
• CANToolz - Black-box CAN network analysis framework
• PLAYING WITH CAN BUS

---

Radio IoT Protocols Overview

• Understanding Radio
• Signal Processing
• Software Defined Radio
• Gnuradio
• Creating a flow graph
• Analysing radio signals
• Recording specific radio signal
• Replay Attacks

---

Base transceiver station (BTS)

• what is base tranceiver station
• How to Build Your Own Rogue GSM BTS

---

GSM & SS7 Pentesting

• Introduction to GSM Security
• GSM Security 2
• vulnerabilities in GSM security with USRP B200
• Security Testing 4G (LTE) Networks
• Case Study of SS7/SIGTRAN Assessment
• Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP
• ss7MAPer – A SS7 pen testing toolkit
• Introduction to SIGTRAN and SIGTRAN Licensing
• SS7 Network Architecture
• Introduction to SS7 Signaling
• Breaking LTE on Layer Two

---

Zigbee & Zwave

• Introduction and protocol Overview
• Hacking Zigbee Devices with Attify Zigbee Framework
• Hands-on with RZUSBstick
• ZigBee & Z-Wave Security Brief

---

BLE Intro and SW & HW Tools

• Step By Step guide to BLE Understanding and Exploiting
• Traffic Engineering in a Bluetooth Piconet
• BLE Characteristics

---

Reconnaissance (Active and Passive) with HCI Tools

• btproxy
• hcitool & bluez
• Testing With GATT Tool
• Cracking encryption
• bettercap
• BtleJuice Bluetooth Smart Man-in-the-Middle framework
• gattacker
• BTLEjack Bluetooth Low Energy Swiss army knife

---

Hardware

• NRFCONNECT - 52840
• EDIMAX
• CSR 4.0
• ESP32 - Development and learning Bluetooth
• Ubertooth
• Sena 100

---

BLE Pentesting Tutorials

• Bluetooth vs BLE Basics
• Intel Edison as Bluetooth LE — Exploit box
• How I Reverse Engineered and Exploited a Smart Massager
• My journey towards Reverse Engineering a Smart Band — Bluetooth-LE RE
• Bluetooth Smartlocks
• I hacked MiBand 3
• GATTacking Bluetooth Smart Devices

---

Mobile security (Android & iOS)

• Android
• Android Pentest Video Course
• IOS Pentesting

---

ARM

• Azeria Labs
• ARM EXPLOITATION FOR IoT
• Static Binary analysis ARMV7
• Damn Vulnerable ARM Router (DVAR)
• EXPLOIT.EDUCATION

---

Firmware Pentest

• Firmware analysis and reversing
• Firmware emulation with QEMU
• Dumping Firmware using Buspirate
• Reversing ESP8266 Firmware

---

Firmware to pentest

• Download From here

---

IoT hardware Overview

• IoT Hardware Guide

---

Hardware Gadgets to pentest

• Bus Pirate
• EEPROM reader/SOIC Cable
• Jtagulator/Jtagenum
• Logic Analyzer
• The Shikra
• FaceDancer21 (USB Emulator/USB Fuzzer)
• RfCat
• Hak5Gear- Hak5FieldKits
• Ultra-Mini Bluetooth CSR 4.0 USB Dongle Adapter
• Attify Badge - UART, JTAG, SPI, I2C (w/ headers)

---

Attacking Hardware Interfaces

• Serial Terminal Basics
• Reverse Engineering Serial Ports
• REVERSE ENGINEERING ARCHITECTURE AND PINOUT OF CUSTOM ASICS

---

UART

• Identifying UART interface
• onewire-over-uart
• Accessing sensor via UART
• Using UART to connect to a chinese IP cam
• A journey into IoT – Hardware hacking: UART

---

JTAG

• Identifying JTAG interface
• NAND Glitching Attack\

---

SideChannel Attacks

• All Attacks

---

Pentesting Guides

• Shodan Pentesting Guide
• Car Hacking Practical Guide 101

---

Vulnerable IoT and Hardware Applications

• IoT : https://github.com/Vulcainreo/DVID

• Safe : https://insinuator.net/2016/01/damn-vulnerable-safe/

• Router : https://github.com/praetorian-code/DVRF

• SCADA : https://www.slideshare.net/phdays/damn-vulnerable-chemical-process

• PI : https://whitedome.com.au/re4son/sticky-fingers-dv-pi/

• SS7 Network: https://www.blackhat.com/asia-17/arsenal.html#damn-vulnerable-ss7-network

• VoIP : https://www.vulnhub.com/entry/hacklab-vulnvoip,40/