// Use when the engagement target is IoT, embedded Linux, RTOS, or any device reachable via UART/JTAG/SWD or by extracting its firmware. Covers firmware acquisition, binwalk extraction, filesystem mounting, default-credential hunting, bootloader attacks, wireless protocol sidebands (BLE, Zigbee, Z-Wave, LoRaWAN, sub-GHz).
Use when the engagement target is an Android (APK / AAB) or iOS (IPA) application. Covers static analysis (jadx, apktool, class-dump), dynamic instrumentation via Frida and Objection, SSL-pinning bypass, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported-component attacks, IPC redirection, WebView vulnerabilities, and biometric / Face ID / Touch ID bypass.
Use to close the Offensive Vaccine loop on the defender side. The Detector agent produces Sigma / YARA rules from offensive operations; this catalog validates those rules against real memory dumps, event logs, and forensic artifacts using Volatility 3, plaso, and sigma-cli. Without this catalog, detection rules are theoretical.
Use when the target is an industrial control system or operational technology network running Modbus, BACnet, S7Comm/S7Comm Plus, DNP3, OPC-UA, or any PLC/HMI/SCADA stack. Engagements MUST set RoE flag industrial_safety_critical=true; this catalog gates every write-scope operation behind explicit operator confirmation regardless of HITL middleware.
Use when the engagement requires passive reconnaissance only — no packets to the target's authoritative infrastructure. Splits off from the Recon agent so bug-bounty and pre-engagement work can run with outbound-only network policy. Maltego, Shodan, Censys, Hunter.io, breach-data lookups, GitHub code search, Wayback Machine archives, certificate transparency, BGP/ASN mapping.
Use ONLY when the engagement's ConOps explicitly declares phishing_engagement=true. Covers GoPhish campaign management, Evilginx2 reverse-proxy MFA bypass, Modlishka live credential capture, and the deconfliction handshake with SOC / incident response.
Use when the engagement scope includes supply-chain attack simulation — typosquatted package publication, dependency confusion, GitHub Actions secret mining, internal mirror poisoning, OAuth-app impersonation, or vendor portal credential abuse.
| name | iot-overview |
| description | Use when the engagement target is IoT, embedded Linux, RTOS, or any device reachable via UART/JTAG/SWD or by extracting its firmware. Covers firmware acquisition, binwalk extraction, filesystem mounting, default-credential hunting, bootloader attacks, wireless protocol sidebands (BLE, Zigbee, Z-Wave, LoRaWAN, sub-GHz). |
| metadata | {"subdomain":"iot","tags":"iot, firmware, embedded, binwalk, uart, jtag, ble, zigbee","mitre_attack":"T1542, T1542.005, T1601, T1499.004"} |
This catalog covers the surface area between hardware reconnaissance and runtime exploitation of IoT and embedded targets. Wireless sidebands (BLE / Zigbee / Z-Wave / LoRaWAN / sub-GHz) live alongside firmware-level attacks because IoT engagements routinely chain across both.
| Skill | Use for |
|---|---|
/skills/standard/iot/firmware-acquisition/SKILL.md | Vendor portals, OTA capture, SPI flash dump, eMMC chip-off |
/skills/standard/iot/binwalk-extract/SKILL.md | binwalk + firmware-mod-kit extraction; squashfs / jffs2 mount |
/skills/standard/iot/hardcoded-creds/SKILL.md | Strings, shadow, busybox httpd, telnet logs |
/skills/standard/iot/bootloader-uboot/SKILL.md | U-Boot console interrupt; environment variables; secure-boot bypass |
/skills/standard/iot/dev-mem/SKILL.md | /dev/mem, /dev/kmem, MTD writes on embedded Linux |
/skills/standard/iot/ble-gatt/SKILL.md | GATT enumeration, characteristic read/write without auth, pairing downgrade |
/skills/standard/iot/zigbee-touchlink/SKILL.md | Touchlink commissioning abuse, well-known transport key, ZCL command abuse |
/skills/standard/iot/z-wave/SKILL.md | S0 derivation flaw, S2 ECDH analysis, replay on unauthenticated nodes |
/skills/standard/iot/lorawan-otaa/SKILL.md | OTAA join, frame-counter replay, downlink injection |
/skills/standard/iot/sub-ghz/SKILL.md | 433/868/915 MHz capture + replay (HackRF, Flipper Zero, RTL-SDR) |
binwalk -eM <fw.bin>, then mount squashfs / jffs2 / ubifs.IoT engagements often touch consumer devices that the operator owns but
that have shared cloud accounts (vendor telemetry). RoE must enumerate
which clouds may be probed. ConOps blue_team field should declare the
vendor IR contact when in scope so a fail-safe trip can be reported.