القائمة
IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.
Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.
Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.
Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.
Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.
Final engagement report generation — executive summary, technical report, findings aggregation, attack path narrative, detection gap matrix, remediation roadmap.
| name | iot-security |
| description | IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting. |
| allowed-tools | Bash Read Write |
| metadata | {"subdomain":"reconnaissance","when_to_use":"IoT security, firmware analysis, embedded devices, protocol identification, default credentials, vulnerability scan, device fingerprinting, MQTT, CoAP, Modbus","tags":"iot, embedded, firmware, reverse-engineering, protocol-analysis, default-credentials, vulnerability-scanning, mqtt, coap, modbus","mitre_attack":"T1592, T1592.001, T1592.002"} |
IoT (Internet of Things) device security reconnaissance focuses on identifying, analyzing, and assessing vulnerabilities in embedded systems and IoT devices. This includes firmware extraction, protocol analysis, default credential verification, and vulnerability identification.
# Discover IoT devices on network
nmap -sn 192.168.1.0/24
# Identify IoT-specific ports and services
nmap -sV --script=iot* -p- <target_ip>
# Shodan search for IoT devices
shodan search "device_type:iot"
# Check common IoT ports
nmap -sV -p 1883,5683,5684,61613,61614,61616,102,502,8080,8443 <target_ip>
# MQTT protocol detection
nc -zv <target_ip> 1883
# CoAP protocol detection
nc -zv -u <target_ip> 5683
# Modbus TCP detection
nc -zv <target_ip> 502
# Extract device information from banners
nc <target_ip> 80
curl -I http://<target_ip>
# Use specialized tools
iot-scanner --target <target_ip>
# Extract firmware via UART
screen /dev/ttyUSB0 115200
# In UART console: check for firmware dump commands
# Extract via SPI flash
flashrom -r firmware.bin
# Extract via JTAG
openocd -f interface/cmsis-dap.cfg -f target/stm32f4x.cfg -c "dump_image firmware.bin 0x08000000 0x200000"
# Download from manufacturer website
wget https://manufacturer.com/support/firmware(device_model)_vX.X.X.bin
# Extract from mobile app (if available)
# Often contains firmware update files
# Identify firmware type
file firmware.bin
# Extract with binwalk
binwalk -e firmware.bin
# Extract squashfs filesystem
unsquashfs squashfs-root
# Mount filesystem
mount -o loop filesystem.ext4 /mnt/firmware
# Check for executable formats
file extracted_binaries/*
# Analyze ARM binaries
readelf -a binary.elf
# Extract strings
strings firmware.bin > strings.txt
# Search for interesting strings
grep -E "(admin|root|password|secret|backdoor|shell|telnet|ssh)" strings.txt
# Try common admin credentials
hydra -L common_usernames.txt -P common_passwords.txt <target_ip> http-post-form "/login:user=^USER^&pass=^PASS^:Invalid" -vV
# Common username/password combinations:
# admin/admin, admin/password, admin/123456
# root/admin, root/password, root/12345
# user/user, user/password
# guest/guest, guest/password
# support/support, support/password
# Check vendor documentation for default credentials
# Many vendors have well-known defaults
# Search for default credentials in extracted firmware
grep -r "default.*password\|password.*default" extracted_firmware/
secrets-collection from cirt DefaultPasswordsrouterpasswd for router-specific defaults# Connect to MQTT broker
mosquitto_sub -h <target_ip> -t "#" -v
# Publish test message
mosquitto_pub -h <target_ip> -t "test" -m "hello" --will-topic "test" --will-payload "disconnected"
# Check for unauthenticated access
mosquitto_sub -h <target_ip> -t "#" -v --username "" --password ""
# Discover CoAP resources
coap-client -m get "coap://<target_ip>/.well-known/core"
# Check for default resources
coap-client -m get "coap://<target_ip>/"
coap-client -m get "coap://<target_ip>/status"
# Read Modbus registers
modbus-read --ip=<target_ip> --port=502 --slave=1 --count=10 --register=0
# Check for common Modbus configurations
nmap --script modbus-discover <target_ip>
# Check for web interface
curl -k https://<target_ip>
# Check common API endpoints
curl -k https://<target_ip>/api
curl -k https://<target_ip>/cgi-bin/
# Check for authentication bypass
curl -k -H "Authorization: Basic $(echo -n 'admin:admin' | base64)" https://<target_ip>
# Discover UPnP devices
upnp-discover
# Check for UPnP vulnerabilities
searchsploit upnp | grep -i iot
# Use IoT-specific vulnerability scanners
iot-vuln-scanner --target <target_ip>
# Check for known CVEs
searchsploit --nmap <nmap_xml_output.xml> -t iot
# Use Metasploit modules
msfconsole -q -x "use auxiliary/scanner/iot/*; set RHOSTS <target_ip>; run"
# Check for shell access via Telnet
nc <target_ip> 23
# Check for shell access via SSH
ssh admin@<target_ip>
# Check for FTP
ftp <target_ip>
# Check for TFTP
atftp <target_ip>
# Zigbee network scanning
zigbee-scan --interface /dev/ttyACM0 --channel 11-26
# Zigbee packet capture
zigbee-capture --interface /dev/ttyACM0 --output zigbee.pcap
# Z-Wave network discovery
zwave-scan --device /dev/ttyACM0
# Z-Wave node enumeration
zwave-nodes --device /dev/ttyACM0
# BLE device discovery
hcitool lescan
# BLE service discovery
bluetoothctl scan on
bluetoothctl info <device_mac>
# Connect to BLE device
bluetoothctl connect <device_mac>
# List IoT things (requires AWS credentials)
aws iot list-things
# Get thing details
aws iot describe-thing --thing-name <thing_name>
# List IoT policies
aws iot list-policies
# List IoT devices (requires Azure credentials)
az iot hub device list --hub-name <hub_name> -g <resource_group>
# If default credentials work
ssh admin@<target_ip> # with default password
# If vulnerable to command injection
curl -k "https://<target_ip>/cgi-bin/;id"
# If vulnerable to buffer overflow
# Use Metasploit or custom exploit
| Tool | Purpose | Required |
|---|---|---|
nmap | Network scanning and service detection | ✅ |
binwalk | Firmware extraction and analysis | ✅ |
strings | String extraction from binaries | ✅ |
hydra | Brute-force credential attacks | ✅ |
mosquitto_sub | MQTT client for testing | ✅ |
coap-client | CoAP protocol testing | ✅ |
screen | Serial terminal emulation | ✅ |
flashrom | SPI flash memory reading | ❌ |
openocd | JTAG debugging | ❌ |
wireshark | Network traffic analysis | ✅ |
tshark | Command-line packet capture | ✅ |
searchsploit | Vulnerability database search | ✅ |
metasploit | Exploitation framework | ❌ |
iot-scanner | IoT-specific scanner | ❌ |