| name | iot-security |
| description | IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting. |
| allowed-tools | Bash Read Write |
| metadata | {"subdomain":"reconnaissance","when_to_use":"IoT security, firmware analysis, embedded devices, protocol identification, default credentials, vulnerability scan, device fingerprinting, MQTT, CoAP, Modbus","tags":"iot, embedded, firmware, reverse-engineering, protocol-analysis, default-credentials, vulnerability-scanning, mqtt, coap, modbus","mitre_attack":"T1592, T1592.001, T1592.002"} |
IoT Device Security Reconnaissance Knowledge Base
IoT (Internet of Things) device security reconnaissance focuses on identifying, analyzing, and assessing vulnerabilities in embedded systems and IoT devices. This includes firmware extraction, protocol analysis, default credential verification, and vulnerability identification.
1. Device Discovery and Identification
Network Scanning
nmap -sn 192.168.1.0/24
nmap -sV --top-ports 1000 --script=banner,mqtt-subscribe,modbus-discover <target_ip>   # no NSE scripts are named iot*; name the relevant ones. Start with top ports: -sV -p- can wedge fragile embedded stacks
nmap -sU -sV -p 5683,1900 --script=coap-resources,upnp-info <target_ip>               # CoAP and SSDP are UDP and need -sU
shodan search "port:1883"                                                             # Shodan has no device_type filter; search by port or product instead
Protocol Identification
# TCP: S7comm 102, Modbus/TCP 502, MQTT 1883 / MQTTS 8883, web 8080/8443, STOMP/ActiveMQ 61613-61616; UDP: CoAP 5683, CoAPS (DTLS) 5684
nmap -sV -sS -sU -p T:102,502,1883,8883,8080,8443,61613,61614,61616,U:5683,5684 <target_ip>
nc -zv <target_ip> 1883
nc -zv -u <target_ip> 5683      # UDP: "open" only means no ICMP port-unreachable came back, confirm with a real CoAP request
nc -zv <target_ip> 502
Device Fingerprinting
printf 'HEAD / HTTP/1.0\r\n\r\n' | nc <target_ip> 80   # raw request: the Server header and any quirks in the response identify the embedded web stack
curl -sI http://<target_ip>
whatweb http://<target_ip>                              # web interface fingerprinting (vendor, framework, version)
nmap -O <target_ip>                                     # TCP/IP stack fingerprint; embedded Linux vs. RTOS stacks look different
2. Firmware Extraction
From Device
screen /dev/ttyUSB0 115200                 # UART console; the boot banner gives the SoC, flash layout and often a U-Boot prompt
flashrom -p ch341a_spi -r firmware.bin     # SPI flash dump; flashrom needs a programmer (-p), here a CH341A with a test clip or the desoldered chip
openocd -f interface/cmsis-dap.cfg -f target/stm32f4x.cfg -c "init; halt; dump_image firmware.bin 0x08000000 0x200000; exit"   # STM32F4 internal flash (2 MiB at 0x08000000); fails if read-out protection (RDP) is set
From Manufacturer
wget "https://manufacturer.com/support/firmware_<device_model>_vX.X.X.bin"   # placeholder URL; record sha256sum of the download and compare it with the vendor's published hash
Firmware Archive Sources
- Manufacturer websites
- Third-party firmware repositories
- Device backup files
- OTA (Over-The-Air) update packages
3. Firmware Analysis
File System Extraction
file firmware.bin
binwalk -E firmware.bin                                                    # entropy plot: a flat ~8 bits/byte image is encrypted, not just compressed, and needs the key before extraction
binwalk -e firmware.bin                                                    # carves into _firmware.bin.extracted/
unsquashfs -d squashfs-root _firmware.bin.extracted/<offset>.squashfs      # unsquashfs takes the image file, not the output directory
sudo mount -o loop,ro filesystem.ext4 /mnt/firmware                        # read-only so the evidence is not modified
Binary Analysis
file extracted_binaries/*
readelf -a binary.elf                                    # architecture, interpreter, RPATH and whether GNU_STACK is marked executable
strings -n 8 firmware.bin > strings.txt                  # -n 8 drops most short false positives
grep -iE "(admin|root|password|secret|backdoor|shell|telnet|ssh)" strings.txt
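The carving and entropy steps above in one small script, so the reasoning behind binwalk's output is visible. This is an added example for this knowledge base, not binwalk's own code; the firmware blob it scans is constructed inline (a uImage-wrapped gzip stub, a SquashFS magic and a pseudo-random region standing in for an encrypted partition), so it runs offline.

```python
"""Firmware triage helpers: find embedded images by magic and flag high-entropy
regions (added example for this knowledge base, not binwalk's own code; the
sample blob is constructed inline so it runs offline)."""
import gzip
import math
import random
import struct
import zlib

# Magic values of containers commonly seen in consumer-device firmware.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header",           # U-Boot legacy image
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x1f\x8b\x08": "gzip stream",
    b"\x5d\x00\x00\x80": "LZMA stream (default props)",
    b"\x85\x19\x03\x20": "JFFS2 node (little-endian)",
    b"\x45\x3d\xcd\x28": "CramFS",
}
UIMAGE_FMT = ">IIIIIIIBBBB32s"   # magic hcrc time size load ep dcrc os arch type comp name


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, close to 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_signatures(blob: bytes) -> list:
    """Every (offset, description) magic hit, sorted by offset. False positives
    inside compressed data are possible, so verify each hit (e.g. parse the header)."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def parse_uimage(blob: bytes, off: int) -> dict:
    """Decode the 64-byte big-endian U-Boot legacy header at `off` and check the data CRC."""
    f = struct.unpack(UIMAGE_FMT, blob[off:off + 64])
    data = blob[off + 64:off + 64 + f[3]]
    return {
        "data_size": f[3], "load_addr": f[4], "entry": f[5],
        "os": f[7], "arch": f[8], "type": f[9], "comp": f[10],
        "name": f[11].rstrip(b"\x00").decode(errors="replace"),
        "data_crc_ok": (zlib.crc32(data) & 0xFFFFFFFF) == f[6],
    }


def entropy_map(blob: bytes, block: int = 1024, threshold: float = 7.5) -> list:
    """Offsets of blocks dense enough to be compressed or encrypted; a whole image
    above the threshold usually means encrypted firmware rather than a filesystem."""
    return [off for off in range(0, len(blob), block)
            if shannon_entropy(blob[off:off + block]) >= threshold]


def build_sample_firmware() -> bytes:
    """Constructed sample (not a real image): uImage-wrapped gzip kernel stub, a
    SquashFS magic, zero padding to 1 KiB, then 2 KiB of pseudo-random bytes
    standing in for an encrypted partition."""
    kernel = gzip.compress(b"\x00" * 4096 + b"Linux version 4.9 (build@host)", 9)
    header = struct.pack(UIMAGE_FMT, 0x27051956, 0, 0, len(kernel), 0x80008000,
                         0x80008000, zlib.crc32(kernel) & 0xFFFFFFFF,
                         5, 5, 2, 1, b"Sample Kernel")   # os=Linux arch=MIPS type=kernel comp=gzip
    prefix = header + kernel + b"\x00" * 512 + b"hsqs"
    prefix += b"\x00" * (1024 - len(prefix))
    return prefix + random.Random(0xC0FFEE).randbytes(2048)


if __name__ == "__main__":
    fw = build_sample_firmware()
    for off, desc in find_signatures(fw):
        print(f"0x{off:08x}  {desc}")
    print("uImage:", parse_uimage(fw, 0))
    print("high-entropy blocks at:", entropy_map(fw))
```

On a real dump, replace `build_sample_firmware()` with `open("firmware.bin", "rb").read()`; a hit whose uImage CRC does not verify, or a SquashFS magic sitting inside a high-entropy block, is usually a false positive.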
4. Default Credential Checking
Common Default Credentials
hydra -L common_usernames.txt -P common_passwords.txt -t 4 -f <target_ip> http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid" -vV   # -t 4: embedded web servers fall over or lock accounts under default parallelism; -f stops at the first valid pair
Vendor-Specific Credentials
grep -riE "default.*password|password.*default" extracted_firmware/
find extracted_firmware -name passwd -o -name shadow | xargs cat     # empty password fields and hashes ship in the image itself
Credential Databases
- CIRT.net DefaultPasswords collection (cirt.net/passwords)
- routerpasswords.com for router-specific defaults
- CIRCL default password list
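What to look for in the passwd and shadow files pulled out of the image, as an added example for this knowledge base rather than any vendor's or tool's code. The two sample files are constructed in the shape of a typical BusyBox-based firmware; the checks are the ones that turn up most often on real devices: an account with no password at all, a second uid-0 account, a hash left in the world-readable passwd file, and legacy md5crypt/DES hashes that crack offline in minutes.

```python
"""Audit /etc/passwd and /etc/shadow extracted from a firmware image for empty
passwords, extra uid-0 accounts, hashes kept in passwd, and legacy hash formats
(added example for this knowledge base; the sample files are constructed)."""
import re

# Constructed sample, not taken from any vendor image.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:$1$abcdefgh$0123456789012345678901:0:0:admin:/:/bin/sh
guest::1000:1000:guest:/:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
"""
SAMPLE_SHADOW = """\
root:$1$saltsalt$YBvCNFpGmMqkX3mzdFRbS1:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

WEAK_HASHES = {"md5crypt", "descrypt"}   # cheap to brute-force; hashcat -m 500 / -m 1500
EMPTY = "empty password: login without a password"
EXTRA_ROOT = "uid 0 account other than root"
HASH_IN_PASSWD = "password hash stored in world-readable passwd"
NO_SHADOW = "passwd points at shadow but no shadow entry exists"


def parse_colon_file(text: str) -> dict:
    """Map user name -> list of fields for a passwd- or shadow-style file."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def classify_hash(h: str) -> str:
    """Name the crypt(3) scheme from its prefix; '' means no password is set."""
    if h == "":
        return "empty"
    if h.startswith(("*", "!")):
        return "locked"
    prefixes = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
                "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
    for p, name in prefixes.items():
        if h.startswith(p):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "descrypt"            # traditional DES crypt, 8-character password limit
    return "unknown"


def audit_accounts(passwd_text: str, shadow_text: str = "") -> list:
    """Return (user, issue) findings; a locked account produces none."""
    findings = []
    shadow = parse_colon_file(shadow_text)
    for user, f in parse_colon_file(passwd_text).items():
        if len(f) < 7:
            continue                                   # malformed line, skip
        pw_field, uid = f[1], f[2]
        if uid == "0" and user != "root":
            findings.append((user, EXTRA_ROOT))
        if pw_field == "x":                            # hash lives in shadow
            if user not in shadow:
                findings.append((user, NO_SHADOW))
                continue
            h = shadow[user][1]
        else:
            h = pw_field
            if h:
                findings.append((user, HASH_IN_PASSWD))
        kind = classify_hash(h)
        if kind == "empty":
            findings.append((user, EMPTY))
        elif kind in WEAK_HASHES:
            findings.append((user, f"{kind} hash (fast to crack offline)"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user:8s} {issue}")
```

Run it against `extracted_firmware/etc/passwd` and `extracted_firmware/etc/shadow`; the weak hashes it reports are the ones worth handing to john or hashcat together with the default-credential lists above, since a vendor default is frequently the same across the whole product line.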
5. Protocol-Specific Analysis
MQTT (Message Queuing Telemetry Transport)
mosquitto_sub -h <target_ip> -t "#" -v                  # anonymous wildcard subscribe: dumps every retained and live message
mosquitto_sub -h <target_ip> -t '$SYS/#' -v             # broker metadata (version, client count) if the $SYS tree is exposed
mosquitto_pub -h <target_ip> -t "test" -m "hello" --will-topic "test" --will-payload "disconnected"   # is unauthenticated publish accepted?
mosquitto_sub -h <target_ip> -t "#" -v -u "" -P ""      # explicit empty credentials (mosquitto uses -u/-P, not --password); compare with the anonymous result
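The three mosquitto_sub invocations above differ only in the connect flags they send, and the broker's answer is a single byte in the CONNACK. The script below builds the MQTT 3.1.1 CONNECT packet by hand and decodes that byte, so that "accepted" with no credentials (anonymous access), "not authorized" (5) and "bad user name or password" (4) can be told apart and recorded. It is an added example for this knowledge base, not part of mosquitto; the broker address in the comment is a placeholder.

```python
"""Hand-built MQTT 3.1.1 CONNECT/CONNACK exchange to tell anonymous access apart
from rejected credentials (added example for this knowledge base, not mosquitto
code; the host used with probe() is a placeholder)."""
import socket
import struct

CONNACK_CODES = {
    0: "accepted", 1: "unacceptable protocol version", 2: "identifier rejected",
    3: "server unavailable", 4: "bad user name or password", 5: "not authorized",
}


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, high bit set means more follows."""
    out = bytearray()
    while True:
        n, byte = divmod(n, 128)
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)


def utf8_field(s: str) -> bytes:
    """Length-prefixed UTF-8 string as used throughout MQTT."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_connect(client_id: str, username=None, password=None, keepalive=30) -> bytes:
    """CONNECT with clean-session set; the username/password flags are only set when given."""
    flags = 0x02
    payload = utf8_field(client_id)
    if username is not None:
        flags |= 0x80
        payload += utf8_field(username)
    if password is not None:
        flags |= 0x40
        payload += utf8_field(password)
    var_header = utf8_field("MQTT") + b"\x04" + bytes([flags]) + struct.pack(">H", keepalive)
    body = var_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body   # 0x10 = CONNECT packet type


def parse_connack(pkt: bytes) -> tuple:
    """(return code, meaning, session_present) from a CONNACK packet."""
    if len(pkt) < 4 or pkt[0] != 0x20 or pkt[1] != 0x02:
        raise ValueError("not a CONNACK: %r" % pkt[:4])
    rc = pkt[3]
    return rc, CONNACK_CODES.get(rc, f"unknown ({rc})"), bool(pkt[2] & 0x01)


def probe(host: str, port: int = 1883, username=None, password=None, timeout=5) -> tuple:
    """Open one TCP connection, send CONNECT, return the parsed CONNACK."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect("recon-probe", username, password))
        return parse_connack(s.recv(4))


if __name__ == "__main__":
    print("anonymous CONNECT:", build_connect("recon-probe").hex())
    print("constructed CONNACK rc=5:", parse_connack(bytes.fromhex("20020005")))
    # Live use against a broker (placeholder host):
    #   probe("192.0.2.10")                      -> (0, "accepted", False) means anonymous access
    #   probe("192.0.2.10", "", "")              -> some brokers accept empty credentials but not anonymous
    #   probe("192.0.2.10", "admin", "admin")    -> 4 vs 5 distinguishes wrong password from a missing ACL
```

A return code of 0 without credentials is the finding that matters most; a broker that answers 4 for an unknown user and 5 for a known one also leaks valid usernames, which is worth noting before running hydra's mqtt module.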
CoAP (Constrained Application Protocol)
coap-client -m get "coap://<target_ip>/.well-known/core"   # RFC 6690 resource directory: every path the device advertises, with rt=/if= attributes
coap-client -m get "coap://<target_ip>/"
coap-client -m get "coap://<target_ip>/status"
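The discovery request above is a single UDP datagram and the answer is a link-format list. The script below builds the CoAP GET for /.well-known/core, parses the response options and payload, and turns the link-format body into a resource list, so the output of coap-client can be reproduced and checked by hand. It is an added example for this knowledge base, not libcoap code; the 2.05 response it parses is constructed inline.

```python
"""CoAP (RFC 7252) GET builder, message parser and link-format (RFC 6690) parser
for resource discovery (added example for this knowledge base, not libcoap code;
the sample response is constructed)."""
import re
import socket
import struct

GET = 0x01                      # request code 0.01
URI_PATH, CONTENT_FORMAT = 11, 12
LINK_FORMAT = 40                # Content-Format value for application/link-format


def _nibble(v: int) -> tuple:
    """Option delta/length encoding: 0-12 inline, 13 + 1 extra byte, 14 + 2 extra bytes."""
    if v < 13:
        return v, b""
    if v < 269:
        return 13, bytes([v - 13])
    return 14, struct.pack(">H", v - 269)


def encode_option(delta: int, value: bytes) -> bytes:
    d, dext = _nibble(delta)
    l, lext = _nibble(len(value))
    return bytes([(d << 4) | l]) + dext + lext + value


def build_get(path: str, msg_id: int = 0x1234, token: bytes = b"\xab") -> bytes:
    """Confirmable GET; each path segment becomes its own Uri-Path option."""
    hdr = bytes([0x40 | len(token), GET]) + struct.pack(">H", msg_id) + token   # ver=1, type=CON
    opts, last = b"", 0
    for seg in path.strip("/").split("/"):
        opts += encode_option(URI_PATH - last, seg.encode())
        last = URI_PATH
    return hdr + opts


def _ext(v: int, pkt: bytes, pos: int) -> tuple:
    if v == 13:
        return pkt[pos] + 13, pos + 1
    if v == 14:
        return struct.unpack(">H", pkt[pos:pos + 2])[0] + 269, pos + 2
    return v, pos


def parse_message(pkt: bytes) -> dict:
    """Split a CoAP message into header fields, (number, value) options and payload."""
    tkl = pkt[0] & 0x0F
    code, msg_id = pkt[1], struct.unpack(">H", pkt[2:4])[0]
    pos, number, options = 4 + tkl, 0, []
    while pos < len(pkt) and pkt[pos] != 0xFF:        # 0xFF is the payload marker
        d, l = pkt[pos] >> 4, pkt[pos] & 0x0F
        pos += 1
        d, pos = _ext(d, pkt, pos)
        l, pos = _ext(l, pkt, pos)
        number += d                                   # option numbers are delta-encoded
        options.append((number, pkt[pos:pos + l]))
        pos += l
    return {
        "type": (pkt[0] >> 4) & 0x03,                 # 0 CON, 1 NON, 2 ACK, 3 RST
        "code": f"{code >> 5}.{code & 0x1F:02d}",     # e.g. "2.05" Content, "4.01" Unauthorized
        "msg_id": msg_id, "token": pkt[4:4 + tkl],
        "options": options,
        "payload": pkt[pos + 1:] if pos < len(pkt) else b"",
    }


def parse_link_format(text: str) -> list:
    """[(uri, {attr: value})] from a body like '</a>;rt="x",</b>;obs'."""
    resources = []
    for link in re.split(r",(?=<)", text):
        m = re.match(r"<([^>]+)>(.*)", link.strip(), re.S)
        if m:
            attrs = {k: v.strip('"')
                     for k, v in re.findall(r';([^;=]+)(?:=("[^"]*"|[^;]*))?', m.group(2))}
            resources.append((m.group(1), attrs))
    return resources


def discover(host: str, port: int = 5683, timeout: float = 3.0) -> list:
    """Send GET /.well-known/core over UDP and return the parsed resource list."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get("/.well-known/core"), (host, port))
        reply = parse_message(s.recv(1500))
    return parse_link_format(reply["payload"].decode()) if reply["code"] == "2.05" else []


# Constructed 2.05 Content ACK carrying a link-format body (not a real device's reply).
SAMPLE_RESPONSE = (bytes([0x61, 0x45]) + b"\x12\x34" + b"\xab"      # ver 1, ACK, tkl 1, code 2.05
                   + encode_option(CONTENT_FORMAT, bytes([LINK_FORMAT]))
                   + b"\xff" + b'</sensors/temp>;rt="temperature";if="sensor",</config>;obs')

if __name__ == "__main__":
    print(build_get("/.well-known/core").hex())
    for uri, attrs in parse_link_format(parse_message(SAMPLE_RESPONSE)["payload"].decode()):
        print(uri, attrs)
```

Resources that advertise `obs` or a writable interface (`if=`) and answer a plain GET with 2.05 rather than 4.01 are the ones to test next; a device that only accepts coaps:// on 5684 should also be checked for whether the DTLS side uses a pre-shared key common to the product line.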
Modbus
nmap -p 502 --script modbus-discover <target_ip>         # unit id enumeration and Read Device Identification (FC 0x2B)
mbtget -r3 -a 0 -n 10 -u 1 <target_ip>                    # read 10 holding registers from unit 1; Modbus has no authentication, so any read succeeds if the port is reachable
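The two commands above send a Read Holding Registers request and a Read Device Identification request respectively. The script below builds both frames, parses normal, exception and device-identification replies, and shows how little the protocol asks of a client. It is an added example for this knowledge base, not nmap or mbtget code; the replies it parses are constructed, and the host passed to `query()` is a placeholder.

```python
"""Modbus/TCP request builder and response parser, including the FC 0x2B/MEI 0x0E
device-identification query that nmap's modbus-discover uses (added example for
this knowledge base, not nmap or mbtget code; the sample replies are constructed)."""
import socket
import struct

EXCEPTIONS = {1: "illegal function", 2: "illegal data address",
              3: "illegal data value", 4: "slave device failure",
              10: "gateway path unavailable", 11: "gateway target failed to respond"}


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_request(tid=1, unit=1, addr=0, count=10) -> bytes:
    """FC 0x03: read `count` holding registers starting at `addr`."""
    return mbap(tid, unit, struct.pack(">BHH", 0x03, addr, count))


def device_id_request(tid=2, unit=1) -> bytes:
    """FC 0x2B / MEI 0x0E, read code 1: basic objects (vendor, product code, revision)."""
    return mbap(tid, unit, bytes([0x2B, 0x0E, 0x01, 0x00]))


def parse_response(frame: bytes) -> dict:
    tid, _proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    fc = pdu[0]
    out = {"tid": tid, "unit": unit, "fc": fc & 0x7F}
    if fc & 0x80:                                     # exception response: FC with high bit set
        out["exception"] = EXCEPTIONS.get(pdu[1], f"code {pdu[1]}")
    elif fc == 0x03:
        n = pdu[1]                                    # byte count, two bytes per register
        out["registers"] = list(struct.unpack(f">{n // 2}H", pdu[2:2 + n]))
    elif fc == 0x2B and pdu[1] == 0x0E:
        objects, pos = {}, 7                          # skip MEI, read code, conformity, more-follows, next id, count
        for _ in range(pdu[6]):
            oid, olen = pdu[pos], pdu[pos + 1]
            objects[oid] = pdu[pos + 2:pos + 2 + olen].decode(errors="replace")
            pos += 2 + olen
        out["objects"] = objects                      # 0 VendorName, 1 ProductCode, 2 MajorMinorRevision
    else:
        out["raw"] = pdu[1:]
    return out


def query(host: str, request: bytes, port: int = 502, timeout: float = 3.0) -> dict:
    """Send one request frame and parse the reply (Modbus/TCP has no authentication)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        return parse_response(s.recv(260))


# Constructed replies a PLC might return to the two requests above.
SAMPLE_HOLDING = bytes.fromhex("000100000009010306000100020003")   # registers 1, 2, 3
SAMPLE_EXCEPTION = bytes.fromhex("000100000003018302")             # FC 3, illegal data address
SAMPLE_DEVICE_ID = (bytes.fromhex("00020000001601")
                    + bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x02])
                    + bytes([0x00, 6]) + b"Vendor" + bytes([0x01, 4]) + b"PRD1")

if __name__ == "__main__":
    for frame in (SAMPLE_HOLDING, SAMPLE_EXCEPTION, SAMPLE_DEVICE_ID):
        print(parse_response(frame))
    # Live use (placeholder host): query("192.0.2.20", read_holding_request(unit=1))
```

An "illegal data address" exception is itself useful: it confirms the unit id exists, so iterating `unit` over 1-247 and looking at which ids answer with data or an exception rather than a timeout is the enumeration modbus-discover performs.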
HTTP/REST APIs
curl -k https://<target_ip>
curl -k https://<target_ip>/api
curl -k https://<target_ip>/cgi-bin/
curl -k -u admin:admin https://<target_ip>   # same Basic header as above, built by curl; try the vendor defaults from section 4 here
UPnP
nmap -sU -p 1900 --script upnp-info <target_ip>   # SSDP query, then fetch and parse the device description XML
nmap --script broadcast-upnp-info                 # every UPnP responder on the local segment
searchsploit upnp
6. Vulnerability Scanning
Common IoT Vulnerabilities
- Default/weak credentials
- Hardcoded backdoors
- Unauthenticated access
- Command injection
- Buffer overflow
- Memory corruption
- Firmware update vulnerabilities
- Insecure communication (cleartext protocols)
Automated Scanning
nmap -sV --script vuln <target_ip>                  # NSE vuln category; it can hang fragile embedded services, so try a lab unit first
searchsploit --nmap <nmap_xml_output.xml>           # match detected service versions against Exploit-DB
msfconsole -q -x "search scanner iot; exit"         # "use" does not take wildcards: search first, then load a module by its path
Manual Verification
nc <target_ip> 23          # telnet banner; many devices still ship it with default credentials
ssh admin@<target_ip>      # note the banner, host key type and accepted authentication methods
ftp <target_ip>            # try anonymous login
atftp <target_ip>          # TFTP has no authentication: try "get" on common config and firmware file names
7. Wireless IoT Analysis
Zigbee
# Zigbee: KillerBee with a supported 802.15.4 dongle (zbid lists attached interfaces)
zbstumbler -i <iface> -c 11                # active beacon-request scan for PANs on channel 11; repeat for 11-26
zbdump -i <iface> -c 11 -w zigbee.pcap     # passive capture for Wireshark; check for unencrypted traffic or use of the well-known default Trust Center key (ZigBeeAlliance09)
Z-Wave
# No standard open-source CLI: capture the 868.42 MHz (EU) / 908.42 MHz (US) band with an SDR and scapy-radio's Z-Wave layer, or enumerate nodes from a controller stick with an OpenZWave-based tool, then inspect frames offline
BLE (Bluetooth Low Energy)
hcitool lescan                             # legacy BlueZ tool, still present on most distributions
bluetoothctl --timeout 10 scan on          # current alternative; LE devices appear as [NEW] Device <mac> <name>
bluetoothctl info <device_mac>             # advertised service UUIDs and pairing state
bluetoothctl connect <device_mac>          # then "menu gatt" and "list-attributes" to enumerate characteristics; unauthenticated read/write is the usual finding
8. Cloud IoT Analysis
AWS IoT
aws iot list-things
aws iot describe-thing --thing-name <thing_name>
aws iot list-thing-principals --thing-name <thing_name>     # certificates attached to the thing
aws iot list-policies
aws iot get-policy --policy-name <policy_name>              # policyDocument: look for iot:* or wildcard client/topic resources
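The policy documents returned for each policy are where the cloud-side over-permissions usually hide. The script below audits an AWS IoT Core policy for the grants that matter: `iot:*`, `iot:Connect` on `client/*` (any client id, instead of one pinned with the `${iot:Connection.Thing.ThingName}` policy variable), and Subscribe/Receive/Publish on wildcard topic ARNs. It is an added example for this knowledge base, not AWS tooling; both policies it checks are constructed, one permissive and one scoped, and the account id is a placeholder.

```python
"""Audit AWS IoT Core policy documents (as returned by `aws iot get-policy`) for
wildcard grants that let any client connect, subscribe to everything or publish
anywhere (added example for this knowledge base, not AWS tooling; the two
policies below are constructed and the account id is a placeholder)."""
import json

SENSITIVE = {
    "iot:Connect": "any client id may connect; pin the client ARN to ${iot:Connection.Thing.ThingName}",
    "iot:Subscribe": "may subscribe to every topic filter",
    "iot:Receive": "may receive messages on every topic",
    "iot:Publish": "may publish to every topic",
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_wildcard_resource(r: str) -> bool:
    """'*' or an ARN whose final component is a wildcard (client/*, topic/*, topicfilter/#)."""
    return r == "*" or r.endswith(("/*", "/#", ":*"))


def audit_iot_policy(doc) -> list:
    """Return (statement index, action, resource, reason) for each risky Allow statement."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        note = " (has Condition, review it)" if "Condition" in st else ""
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for a in actions:
            if a in ("*", "iot:*"):
                findings.append((i, a, "*", "grants every IoT action" + note))
            elif a in SENSITIVE:
                for r in resources:
                    if is_wildcard_resource(r):
                        findings.append((i, a, r, SENSITIVE[a] + note))
    return findings


ACCOUNT = "arn:aws:iot:us-east-1:123456789012"   # placeholder account
PERMISSIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": ACCOUNT + ":client/*"},
    {"Effect": "Allow", "Action": ["iot:Subscribe", "iot:Receive"],
     "Resource": [ACCOUNT + ":topicfilter/#", ACCOUNT + ":topic/*"]},
    {"Effect": "Allow", "Action": "iot:*", "Resource": "*"},
]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": ACCOUNT + ":client/${iot:Connection.Thing.ThingName}"},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": ACCOUNT + ":topic/devices/${iot:Connection.Thing.ThingName}/telemetry"},
]}

if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE), ("scoped", SCOPED)):
        print(name)
        for f in audit_iot_policy(json.dumps(doc)):
            print("  statement %d: %s on %s: %s" % f)
```

Feed it the `policyDocument` field from `aws iot get-policy`; a device whose certificate carries the permissive policy can impersonate any other thing in the account, which is the cloud-side counterpart of the anonymous MQTT subscribe in section 5.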
Azure IoT Hub
az iot hub device-identity list --hub-name <hub_name> -g <resource_group>   # requires the azure-iot CLI extension
9. Security Hardening Checks
Password Complexity
- Check if device enforces strong passwords
- Check for password recovery mechanisms
- Check for password change requirements
Network Segmentation
- Check if IoT devices are on isolated VLAN
- Check for firewall rules protecting IoT devices
- Check for network access controls
Update Mechanism
- Check for secure firmware update process
- Check for signed updates
- Check for update verification
Logging and Monitoring
- Check if device logs security events
- Check if logs are accessible
- Check for remote logging capabilities
10. Exploitation and Post-Exploitation
Note: Only perform with explicit authorization
Gaining Access
ssh admin@<target_ip>                        # with credentials recovered from the firmware or the default lists
curl -k "https://<target_ip>/cgi-bin/;id"    # generic command-injection probe; only meaningful against a CGI handler known to pass the path to a shell
Privilege Escalation
- Check for root shell access
- Check for sudo/su configuration
- Check for setuid binaries
Persistence
- Add SSH keys
- Modify startup scripts
- Install backdoors
Lateral Movement
- Pivot to other devices on the same network
- Access cloud management interfaces
- Exfiltrate data to external servers
Tools Summary
| Tool | Purpose | Required (✅) or optional (❌) |
|---|---|---|
| nmap | Network scanning and service detection | ✅ |
| binwalk | Firmware extraction and analysis | ✅ |
| strings | String extraction from binaries | ✅ |
| hydra | Brute-force credential attacks | ✅ |
| mosquitto_sub | MQTT client for testing | ✅ |
| coap-client | CoAP protocol testing | ✅ |
| screen | Serial terminal emulation | ✅ |
| flashrom | SPI flash memory reading | ❌ |
| openocd | JTAG/SWD debugging and flash dumps | ❌ |
| wireshark | Network traffic analysis | ✅ |
| tshark | Command-line packet capture | ✅ |
| searchsploit | Vulnerability database search | ✅ |
| metasploit | Exploitation framework | ❌ |
| whatweb | Web interface fingerprinting | ❌ |
| mbtget | Modbus/TCP register reads | ❌ |
| killerbee | Zigbee scanning and capture | ❌ |