Work-in-Progress!
IoT Cyber+Physical+Social Security
An encyclopedic compendium of tools, techniques, and practices to defend systems that sit at the intersection of the cyber and physical domains; chiefly building automation systems and the Internet of Things.
1. protecting facility operations in the era of the Internet of Things
mike parks | v0.1.6
last update: 21 september 2020
an encyclopedic compendium of offensive and defensive tools, tactics, techniques, and procedures
cyber, physical, and social engineering attack security
protecting facility operations in the era of the Internet of Things
RELEASED | NOT RELEASED
2. stuff to add.
● https://defpass.com/
● P4wnP1
● HTTP Toolkit
● Open Port Checker
● Postman
● TMACv6
● Advanced IP Scanner
● DiskInternals Linux Reader
● princeton iot inspector
FF Dev Ed
-------------------------------
cliget
cookie-editor
downthemall
foxyproxy
https everywhere
ip address and domain information
IPvFoo
JSONView
LinkGopher
Modify Header Value
RESTClient
Shodan
SixOrNot
SQLite Manager
Uppity
Web Developer
inspectar
easy2boot
--------------
acronis
clonezilla
eset
3. encyclopedic compendium.
● this slide deck is meant to be a quick look-up of ideas, best practices, tools, techniques,
and resources found in the main presentation
● do not read this slide deck alone and grant yourself master status.
● WARNING: This is for educational purposes only. The goal is to help security
professionals understand the threat landscape. Never perform any sort of penetration
test or vulnerability assessment on systems that you do not own or have not been
given explicit permission to test. Prior to commencing any assessment work,
document the rules of engagement that govern the test in writing, and have them signed
by both parties. Always seek to do no harm. Failure to do so could leave you in a world of
hurt from a legal liability perspective.
● goal is to make defenders better, not prove how l33t we are
● i am a lifetime student, not an expert. the information contained here is nothing more
than my notebook from my studies. use it as a starting point for your own education.
4. cyber/physical/social security: a team effort
building automation cyber / physical / social security draws on the following skill sets:
> Facility Management
> IT Security
> Physical Security
> IoT Device Design, Manufacture, Install, Maintenance (OEMs / Installers / Service Providers)
> Environmental and Safety
> OT Operations and Security
5. social engineering skills
social engineering skills + physical access attacks + digital hacks
= access, compromise, denial of use, misuse, and destruction of physical objects and processes
that may result in loss of life, limb, or property.
bottom line: we aren’t just worried about losing bits of data any more.
6. simple truths of a digital world.
● everything is getting on the internet (iot or internet of things) because it’s cheap
(esp8266) and allows devices to be updated. it also gives companies a new
revenue stream through service/subscription business models. convenience
will outweigh individual risk. get over it.
● building system equipment is going digital too.
○ usb ports for diagnostics, or perhaps some other serial interface.
○ firmware at minimum; perhaps a full-blown os + software stack.
● tools that are useful for security professionals to defend with are just as good for bad
guys to attack with. tools are cheap too. some bring their own network interface
(BYON, bring your own network: an out-of-band channel that bypasses your perimeter)
7. more truth.
● good guys need to defend against every possible attack vector on all of their
exposed attack surfaces.
● bad guys need one attack vector on one attack surface.
● it’s highly asymmetric: risk, cost, consequences.
○ Cost of Hack Tools << Cost of Safeguards, but Cost of No Safeguards >> Cost of Safeguards
○ Tools have legitimate sysadmin uses too, so eliminating them is not possible
● the weakest link is typically ‘wetware’ (i.e. humans), which is very susceptible to
social engineering.
8. possible outcomes of a cyber-physical attack.
● mal-operating the process
● change set points
● damage ICS components
● damage physical equipment
● suppress safety system and protections
● cause loss of view
● block control
● spoof operators
● modify or even spoof input to logic
9. 4 key first steps for a good defense.
> inventory. inventory. inventory.
If you don’t have a complete inventory of IT/OT assets (hardware
and software), build that first. You cannot defend what you don’t
know you have.
> develop an incident response plan
Attacks are a matter of when, not if. Put a plan in place for
how to continue operations and recover from an attack.
> it’s gold (images)
Keep gold images of OS, software, and firmware for all systems,
so a compromised or bricked device can be rebuilt to a known state.
> log all the things (and events)
Ensure that logging is turned on for all systems, and ship the logs off
the device to a central collector (cloud or on-premises): logs that live only on
a compromised box are the first thing an attacker erases.
INVENTORY DATA FIELDS FOR EVERY DEVICE
> Physical: location; asset name / asset ID number; description of function; model / manufacturer; serial number
> Communications: IP address; MAC address; means of connectivity to the network; protocol(s) and ports used
> Software: OS version / firmware version; patches installed; configured and active services
> Performance and Diagnostics: device-level diagnostic and prognostic details; performance data; event logs; baseline network traffic
10. next steps in a good defense.
> Remove unauthorized hardware and software from the network
> Control use of administrative privileges. Limit 3rd party access to narrow, scheduled windows (call ahead to
coordinate) and shut the ports down after the work is done.
> Implement strong authentication mechanisms and educate your employees on how to protect those credentials.
> Secure all network and internet connections to the control systems and minimize this connectivity wherever possible.
Secure wireless and remote access and minimize who has authorization to use it.
> Secure and harden the hardware and software configurations of mobile devices, laptops, workstations, servers, industrial
networks, endpoints, and control systems
> Increase defense‐in‐depth layers to secure industrial control system (ICS) systems, including network segmentation and
the creation of secure zones, maintaining logging, and controlling who has access (physical and electronic)
> Continuously monitor, assess and respond to change at the endpoints, control system levels, and new vulnerabilities
> Establish, apply, and communicate security policies and then monitor changes against those policies. Increase cyber
security awareness with training and enforce policies with employees, contractors, and visitors to your facilities.
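The inventory fields from the previous slide and "remove unauthorized hardware" above come together in this added example (my code, not from the deck). It keeps one record per device with the listed fields, then reconciles the inventory against what is actually answering on the wire: a device at a known IP with a different MAC (swapped box, or an inline implant of the LAN Turtle sort), ports open that the baseline does not list, and hosts no record exists for. The devices, addresses and the "sweep" result are constructed for the demo.

```python
"""Reconcile the asset inventory against what is actually on the network.
Added example, not from the deck; all devices, addresses and scan data are
constructed. In practice OBSERVED comes from an ARP/nmap sweep or the
switch's MAC table."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

@dataclass(frozen=True)
class Asset:
    asset_id: str      # asset name / asset ID number
    location: str      # physical: location
    function: str      # description of function
    model: str         # model / manufacturer
    ip: str            # communications: IP address
    mac: str           # communications: MAC address
    firmware: str      # software: OS / firmware version
    ports: frozenset = field(default_factory=frozenset)  # protocol(s) and ports used

# Constructed sample inventory (hypothetical devices, models and addresses).
INVENTORY = [
    Asset("BAS-001", "mech room 1", "AHU controller", "ACME DDC-200",
          "10.10.5.10", "00:1b:44:11:3a:b7", "4.2.1", frozenset({47808})),
    Asset("BAS-002", "roof", "chiller PLC", "ACME PLC-9",
          "10.10.5.11", "00:1b:44:11:3a:c2", "1.9.0", frozenset({502})),
    Asset("CAM-017", "lobby", "IP camera", "ACME Cam-X",
          "10.10.5.40", "a4:5e:60:22:10:01", "2.0.3", frozenset({80, 554})),
]

# Constructed sweep result, ip -> (mac, open ports): 10.10.5.11 answers from
# a different MAC than recorded, 10.10.5.40 has telnet open that the baseline
# lacks, and 10.10.5.77 is not in the inventory at all.
OBSERVED = {
    "10.10.5.10": ("00:1b:44:11:3a:b7", {47808}),
    "10.10.5.11": ("00:0c:29:5f:aa:01", {502}),
    "10.10.5.40": ("a4:5e:60:22:10:01", {80, 554, 23}),
    "10.10.5.77": ("00:13:37:00:00:01", {22}),
}

def reconcile(inventory, observed):
    """Return (severity, ip, message) findings, most severe first."""
    findings = []
    by_ip = {a.ip: a for a in inventory}
    for ip, (mac, ports) in observed.items():
        asset = by_ip.get(ip)
        if asset is None:
            findings.append(("HIGH", ip, f"unknown device {mac}: not in inventory, remove or enroll it"))
            continue
        if mac.lower() != asset.mac.lower():
            findings.append(("HIGH", ip, f"{asset.asset_id}: MAC {mac} differs from inventory "
                                         f"{asset.mac} (swapped device or inline implant?)"))
        extra = sorted(set(ports) - set(asset.ports))
        if extra:
            findings.append(("MEDIUM", ip, f"{asset.asset_id}: ports {extra} open but not in baseline"))
    for ip, asset in by_ip.items():
        if ip not in observed:
            findings.append(("LOW", ip, f"{asset.asset_id} not seen on the network (offline, or moved?)"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))

if __name__ == "__main__":
    for sev, ip, msg in reconcile(INVENTORY, OBSERVED):
        print(f"[{sev}] {ip} {msg}")
```

Run it on a real sweep by replacing OBSERVED; the MAC check is the one that catches a swapped or tapped device, since an implant that passes traffic through keeps the victim's IP but not its MAC.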
11. types of testing.
> vulnerability assessment: heavy involvement from the system developer and/or
operator working alongside security professionals. full access to design
documents. use of standard, ‘noisy’ tools.
> penetration test: minimum involvement from the system developer or operator, who
are aware of the test, provide rules of engagement and/or key data (e.g. ip
addresses), but otherwise leave the security professionals alone. communication
between parties throughout the test. use of standard, ‘noisy’ tools.
> red team: rules of engagement set between the security professionals and the
developer/operator ahead of the test. otherwise no contact except for rare exceptions
(e.g. the red team finds the system has already been hacked), and the red team does no
harm. use of custom tools with little noise.
12. the iot attack stack
layers of the IoT (Internet of Things) attack stack, top to bottom:
> Cloud Infrastructure
> Desktop, Mobile, Web Applications
> Networking / Communications Protocols
> Firmware
> Operating System / Bootloader
> Hardware
> Installed Environment
surrounding actors and paths that touch the stack:
> Internet
> Other IoT Devices
> humans: users, bad actors, service techs
> supply chain
13. the iot attack stack and the security disciplines that cover it
the same stack (Cloud Infrastructure; Desktop, Mobile, Web Applications; Networking / Communications Protocols;
Firmware; Operating System / Bootloader; Hardware; Installed Environment; Internet; Other IoT Devices; humans;
supply chain), with the security disciplines needed to cover it:
> “Traditional” IT Cybersecurity
> Hardware Security
> Social Engineering Security
> Physical Security
> Logistics Security (credentialing, inspections, tamperproof packaging)
14. unique aspects of iot security testing.
> physical access attack
- potentially requires no tech skills
- easy to damage or steal
- attacker must be physically present, high risk
> traditional i.t. or network attacks
- requires some tech skill but many tools out for non-coders
- not easily detectable
- less risky to attacker, need not be physically present
> embedded system attacks
- requires significant tech skill
- attacker may or may not need to be physically present
- can be almost impossible to detect until attacked
15. OWASP IoT Top 10 (2018)
1. Weak, Guessable, or Hardcoded Passwords
2. Insecure Network Services
3. Insecure Ecosystem Interfaces
4. Lack of Secure Update Mechanism
5. Use of Insecure or Outdated Components
6. Insufficient Privacy Protection
7. Insecure Data Transfer and Storage
8. Lack of Device Management
9. Insecure Default Settings
10. Lack of Physical Hardening
16. IoT Vulnerability Attack Surface Summary
> Username Enumeration (Administrative Interface, Device Web Interface, Cloud Interface, Mobile Application):
ability to collect a set of valid usernames by interacting with the authentication mechanism
> Weak Passwords (Administrative Interface, Device Web Interface, Cloud Interface, Mobile Application):
ability to set account passwords to '1234' or '123456', for example; usage of pre-programmed default passwords
> Account Lockout (Administrative Interface, Device Web Interface, Cloud Interface, Mobile Application):
ability to continue sending authentication attempts after 3 - 5 failed login attempts
> Unencrypted Services (Device Network Services):
network services are not encrypted, so attackers can eavesdrop on or tamper with them
> Two-factor Authentication (Administrative Interface, Cloud Web Interface, Mobile Application):
lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
> Poorly Implemented Encryption (Device Network Services):
encryption is implemented but is improperly configured or not kept updated, e.g. using SSL v2
> Update Sent Without Encryption (Update Mechanism):
updates are transmitted over the network without using TLS or encrypting the update file itself
> Update Location Writable (Update Mechanism):
storage location for update files is world writable, potentially allowing firmware to be modified and distributed to all users
> Denial of Service (Device Network Services):
a service can be attacked in a way that denies service to that service or to the entire device
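The username enumeration, weak password and account lockout rows above are all defects of one piece of code, the login handler, so here is an added example (mine, not from the deck or any product) showing the usual device web UI shape beside a hardened one: different error messages for "no such user" and "wrong password" leak valid usernames; the hardened version returns one message, compares in constant time, costs the same for unknown users, and locks the account after the 3-5 attempts the table mentions. The user store, salt, password and timings are constructed.

```python
"""Vulnerable vs hardened login for a device web UI. Added example, not from
the deck; the user store, salt and password are constructed for the demo."""
import hashlib
import hmac
import time

ITERATIONS = 50_000          # constructed for the demo; tune to the device CPU
MAX_ATTEMPTS = 5             # the 3-5 failed attempts the slide mentions
LOCKOUT_SECONDS = 300

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

_SALT = b"constructed-salt"              # real code: random, per user, stored with the hash
USERS = {"admin": _kdf("Correct-Horse-42", _SALT)}
_DUMMY = _kdf("placeholder", _SALT)      # costs the same as a real user lookup

def login_vulnerable(username, password):
    """Distinct errors leak which usernames exist, and nothing slows guessing."""
    if username not in USERS:
        return "unknown user"                      # confirms the name does not exist
    if USERS[username] != _kdf(password, _SALT):   # also not a constant-time compare
        return "wrong password"                    # confirms the name DOES exist
    return "ok"

_failures = {}   # username -> (failure count, time of first failure in this window)

def login_hardened(username, password, now=None):
    """One message for every failure, constant-time compare, per-account lockout."""
    now = time.time() if now is None else now
    count, since = _failures.get(username, (0, now))
    if count >= MAX_ATTEMPTS:
        if now - since < LOCKOUT_SECONDS:
            return "invalid credentials"           # locked: same message as a bad guess
        count, since = 0, now                      # lockout expired: start a fresh window
    stored = USERS.get(username, _DUMMY)           # unknown users take the same path
    match = hmac.compare_digest(stored, _kdf(password, _SALT))
    if match and username in USERS:
        _failures.pop(username, None)
        return "ok"
    _failures[username] = (count + 1, since)
    return "invalid credentials"
```

Per-account lockout stops online guessing but hands an attacker a denial-of-service lever against the admin account, so on a device with a single operator account pair it with a per-source rate limit rather than relying on lockout alone.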
17. IoT Vulnerability Attack Surface Summary (continued)
> Removal of Storage Media (Device Physical Interfaces):
ability to physically remove the storage media from the device
> No Manual Update Mechanism (Update Mechanism):
no ability to manually force an update check for the device
> Missing Update Mechanism (Update Mechanism): no ability to update the device
> Firmware Version Display and/or Last Update Date (Device Firmware):
current firmware version and/or last update date is not displayed
> Firmware and storage extraction:
JTAG / SWD interface; in-situ dumping; intercepting an OTA update; downloading from the manufacturer's web page;
eMMC tapping; unsoldering the SPI flash / eMMC chip and reading it in an adapter.
Firmware contains a lot of useful information: source code and binaries of running services, preset passwords, ssh keys, etc.
> Manipulating the code execution flow of the device:
JTAG / SWD interface; fault injection (glitching) and side channel attacks.
With a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software-based security controls.
Glitching can alter the execution flow (e.g. skip a signature check), and side channel attacks can leak interesting information from the device.
> Obtaining console access (serial interfaces: SPI / UART):
by connecting to a serial interface we often obtain full console access to the device.
Usual security measures include custom bootloaders that prevent the attacker from entering single-user mode, but those can also be bypassed.
> Insecure 3rd party components (Software):
out-of-date versions of busybox, openssl, ssh, web servers, etc.
18. IoT Attack Surfaces and Vulnerabilities
> Ecosystem (general)
- Interoperability standards
- Data governance
- System wide failure
- Individual stakeholder risks
- Implicit trust between components
- Enrollment security
- Decommissioning system
- Lost access procedures
> Device Memory
- Sensitive data: cleartext usernames, cleartext passwords, third-party credentials, encryption keys
> Device Physical Interfaces
- Firmware extraction
- User CLI
- Admin CLI
- Privilege escalation
- Reset to insecure state
- Removal of storage media
- Tamper resistance
- Debug port: UART (serial), JTAG / SWD
- Device ID / serial number exposure
> Device Web Interface
- Standard set of web application vulnerabilities, see: OWASP Web Top 10, OWASP ASVS, OWASP Testing Guide
- Credential management vulnerabilities: username enumeration, weak passwords, account lockout, known default credentials, insecure password recovery mechanism
> Device Firmware
- Sensitive data exposure (see OWASP Top 10 - A6 Sensitive data exposure): backdoor accounts, hardcoded credentials, encryption keys, encryption (symmetric, asymmetric), sensitive information, sensitive URL disclosure
- Firmware version display and/or last update date
- Vulnerable services (web, ssh, tftp): verify for old software versions and possible attacks (Heartbleed, Shellshock, old PHP versions etc)
- Security related function API exposure
- Firmware downgrade possibility
> Device Network Services
- Information disclosure
- User CLI
- Administrative CLI
- Injection
- Denial of Service
- Unencrypted services
- Poorly implemented encryption
- Test/development services
- Buffer overflow
- UPnP
- Vulnerable UDP services
- DoS
- Device firmware OTA update block
- Firmware loaded over insecure channel (no TLS)
- Replay attack
- Lack of payload verification
- Lack of message integrity check
- Credential management vulnerabilities: username enumeration, weak passwords, account lockout, known default credentials, insecure password recovery mechanism
19. IoT Attack Surfaces and Vulnerabilities (continued)
> Network Traffic
- LAN
- LAN to Internet
- Short range
- Non-standard
- Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)
- Protocol fuzzing
> Authentication/Authorization
- Authentication/authorization related values (session key, token, cookie, etc.) disclosure
- Reuse of session key, token, etc.
- Device to device authentication
- Device to mobile application authentication
- Device to cloud system authentication
- Mobile application to cloud system authentication
- Web application to cloud system authentication
- Lack of dynamic authentication
> Privacy
- User data disclosure
- User/device location disclosure
- Differential privacy
> Hardware (Sensors)
- Sensing environment manipulation
- Tampering (physically)
- Damage (physically)
> Admin Interface
- Standard set of web application vulnerabilities, see: OWASP Web Top 10, OWASP ASVS, OWASP Testing Guide
- Credential management vulnerabilities: username enumeration, weak passwords, account lockout, known default credentials, insecure password recovery mechanism
- Security/encryption options
- Logging options
- Two-factor authentication
- Check for insecure direct object references
- Inability to wipe device
> Local Data Storage
- Unencrypted data
- Data encrypted with discovered keys
- Lack of data integrity checks
- Use of the same static enc/dec key
> Mobile Application
- Implicitly trusted by device or cloud
- Username enumeration
- Account lockout
- Known default credentials
- Weak passwords
- Insecure data storage
- Transport encryption
- Insecure password recovery mechanism
- Two-factor authentication
> Vendor Backend APIs
- Inherent trust of cloud or mobile application
- Weak authentication
- Weak access controls
- Injection attacks
- Hidden services
> Ecosystem Comms
- Health checks
- Heartbeats
- Ecosystem commands
- Deprovisioning
- Pushing updates
20. IoT Attack Surfaces and Vulnerabilities (continued)
> Cloud Web Interface
- Standard set of web application vulnerabilities, see: OWASP Web Top 10, OWASP ASVS, OWASP Testing Guide
- Credential management vulnerabilities: username enumeration, weak passwords, account lockout, known default credentials, insecure password recovery mechanism
- Transport encryption
- Two-factor authentication
> Third-party Backend APIs
- Unencrypted PII sent
- Encrypted PII sent
- Device information leaked
- Location leaked
> Update Mechanism
- Update sent without encryption
- Updates not signed
- Update location writable
- Update verification
- Update authentication
- Malicious update
- Missing update mechanism
- No manual update mechanism
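The update-mechanism items above (updates not signed, update verification, replay attack, lack of payload verification, firmware downgrade possibility) are what one verification routine on the device has to cover, so here is an added example of that routine (my code, not the deck's or any vendor's image format). Four checks, in order: the manifest carries a valid signature, the signed manifest binds to the exact payload by hash, the image is built for this model, and the version is strictly newer than what is installed, which is what refuses a replayed genuine-but-old image. Assumption stated in the code: the signature is an HMAC so the block runs on the standard library alone; a real device verifies an asymmetric signature (e.g. Ed25519) with a public key in ROM and never holds a signing key.

```python
"""Verify a firmware image before flashing it: authenticity, integrity,
target model and anti-rollback. Added example, not from the deck.
ASSUMPTION: HMAC stands in for an asymmetric signature so this runs on the
standard library; on a real device the verifier holds only a public key."""
import hashlib
import hmac
import json
import struct

MAGIC = b"FWUP"
HEADER = struct.Struct(">4sHI")           # magic, manifest length, payload length
SIG_LEN = 32
VERIFY_KEY = b"constructed-example-key"  # see ASSUMPTION above

class UpdateRejected(Exception):
    pass

def build_update(payload, version, model, key=VERIFY_KEY):
    """What the build server emits: header | manifest | signature | payload."""
    manifest = json.dumps({"model": model, "version": version,
                           "sha256": hashlib.sha256(payload).hexdigest()},
                          sort_keys=True).encode()
    sig = hmac.new(key, manifest, hashlib.sha256).digest()
    return HEADER.pack(MAGIC, len(manifest), len(payload)) + manifest + sig + payload

def verify_update(blob, current_version, model, key=VERIFY_KEY):
    """Return the manifest if every check passes, otherwise raise UpdateRejected."""
    if len(blob) < HEADER.size:
        raise UpdateRejected("truncated header")
    magic, mlen, plen = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise UpdateRejected("bad magic")
    off = HEADER.size
    manifest = blob[off:off + mlen]
    sig = blob[off + mlen:off + mlen + SIG_LEN]
    payload = blob[off + mlen + SIG_LEN:]
    if len(manifest) != mlen or len(sig) != SIG_LEN or len(payload) != plen:
        raise UpdateRejected("truncated image")
    # 1. authenticity: the manifest must be signed ("updates not signed")
    expected = hmac.new(key, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise UpdateRejected("manifest signature invalid")
    m = json.loads(manifest)
    # 2. integrity: the signed manifest must bind to this exact payload
    if m["sha256"] != hashlib.sha256(payload).hexdigest():
        raise UpdateRejected("payload hash mismatch")
    # 3. right hardware: a valid image for another product is still wrong here
    if m["model"] != model:
        raise UpdateRejected("image built for model %s" % m["model"])
    # 4. anti-rollback: a genuine but older image (replayed or downgraded) is refused
    if m["version"] <= current_version:
        raise UpdateRejected("version %d is not newer than installed %d"
                             % (m["version"], current_version))
    return m

def check_update(blob, current_version, model, key=VERIFY_KEY):
    """Convenience wrapper: (True, manifest) or (False, reason)."""
    try:
        return True, verify_update(blob, current_version, model, key)
    except UpdateRejected as exc:
        return False, str(exc)
```

Note the order: the signature is checked before anything in the manifest is parsed or trusted, and TLS on the download is no substitute for any of the four checks, since it protects the channel, not the image once it sits on a writable update share.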
22. o.t. lingo for i.t. people
ICS: industrial control system
SCADA: supervisory control and data
acquisition
PLC: programmable logic controller
DDC: direct digital control
DCS: distributed control system
MTU: master terminal unit
RTU: remote terminal unit
HMI: human-machine interface
Historian
Data Acquisition Server
Data Diode
Ladder Logic
EWS: engineering workstation
BAS: building automation system
BMS: building management systems
PID: proportional, integral, derivative (the control loop that drives a process variable toward its set point)
process variables
set point
Inputs: sensors, switches
Outputs: actuators, electric motors, console
lights, valves and contactors
Popular PLC and HMI Vendors: LSIS,
Mitsubishi, Siemens, Rockwell, Delta,
Fatek, SMA, Weintek
23. i.t. lingo for o.t. people
FTP: file transfer protocol
HTTP: hypertext transfer protocol
MQTT: message queuing telemetry transport
SMTP: simple mail transfer protocol
SSH: secure shell
Telnet: teletype network
NTP: network time protocol
TCP: transmission control protocol
UDP: user datagram protocol
IP: internet protocol
LAN: local area network
WAN: wide area network
VLAN: virtual LAN
ICMP: internet control message protocol
ARP: address resolution protocol
PPP: point-to-point protocol
MAC: media access control
Ethernet
Gateway
Router
Switches
Bridges
Hubs
24. i.t. lingo for o.t. people
5 Layer Transmission Control Protocol/Internet Protocol (TCP/IP) Model
HOST LAYERS
5. Application: FTP, HTTP, MQTT, SMTP, SSH, Telnet, NTP, Modbus, BACnet
(Application Gateway: protocol converter)
4. Transport: TCP, UDP (Transport Layer Gateway: connects dissimilar networks)
MEDIA LAYERS
3. Network: IP addressing, ICMP, ARP (Router: connects similar networks, subnets)
2. Data Link: Ethernet, PPP, MAC address (Bridges: connect two parts of one network; Switches; VLANs)
1. Physical: RF, Cat5, WiFi, RS232, RS485, Fiber (Repeater: regenerates the signal)
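Modbus sits at the application layer in the model above, and slide 8's "change set points" and "modify or even spoof input to logic" are exactly what it allows: Modbus/TCP has no authentication, so any host that can reach TCP/502 on a controller can write a register. This added example (my code, not from the deck) builds the Write Single Register request an HMI, or an attacker, sends, parses frames including exception responses, and runs a simple detection rule over a constructed capture: any write function code from a host that is not the known HMI is an alert. The addresses, register number and packets are constructed.

```python
"""Modbus/TCP frame builder, parser and a write-from-unexpected-host
detector. Added example, not from the deck; hosts, register and the
"capture" are constructed."""
import struct

MBAP = struct.Struct(">HHHB")    # transaction id, protocol id (0), length, unit id
MODBUS_PORT = 502
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers",
                  22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

def build_write_single_register(tid, unit, address, value):
    """Function 0x06: what an HMI (or an attacker) sends to change one register."""
    pdu = struct.pack(">BHH", 6, address, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu    # length covers unit id + PDU

def build_read_holding_registers(tid, unit, address, count):
    """Function 0x03: the normal polling traffic an HMI generates."""
    pdu = struct.pack(">BHH", 3, address, count)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

def parse_frame(frame):
    """Describe a Modbus/TCP frame, or raise ValueError if it is not one."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, pid, length, unit = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    fc = frame[MBAP.size]
    pdu = frame[MBAP.size + 1:]
    info = {"tid": tid, "unit": unit, "function": fc & 0x7F, "exception": bool(fc & 0x80)}
    if info["exception"]:                       # 0x80 | function = exception response
        info["exception_code"] = pdu[0] if pdu else None
    elif fc in (3, 6) and len(pdu) == 4:
        info["address"], info["value" if fc == 6 else "count"] = struct.unpack(">HH", pdu)
    return info

def flag_unauthorized_writes(packets, allowed_writers):
    """packets: (src_ip, dst_ip, dst_port, payload). A write to a controller
    from anything but an allowed writer is an alert."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != MODBUS_PORT:
            continue
        try:
            info = parse_frame(payload)
        except ValueError:
            continue
        if info["function"] in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, dst, FUNCTION_NAMES[info["function"]],
                           info.get("address"), info.get("value")))
    return alerts

# Constructed capture: the HMI (10.10.5.2) polls and writes the chiller set
# point register on the PLC (10.10.5.11); 10.10.5.77 writes a far higher value.
ALLOWED_WRITERS = {"10.10.5.2"}
SAMPLE_PACKETS = [
    ("10.10.5.2",  "10.10.5.11", 502, build_read_holding_registers(1, 1, 0x0010, 2)),
    ("10.10.5.2",  "10.10.5.11", 502, build_write_single_register(2, 1, 0x0010, 44)),
    ("10.10.5.77", "10.10.5.11", 502, build_write_single_register(9, 1, 0x0010, 95)),
    ("10.10.5.77", "10.10.5.11", 80,  b"GET / HTTP/1.0\r\n\r\n"),
]
```

The allowlist is the inventory again (slide 9): you can only say which hosts are supposed to write to a controller if you know which hosts exist. The same rule generalises to function codes that should never appear in production, such as firmware or diagnostic functions, by adding them to the set that triggers an alert.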
26. some thoughts on what to learn first.
these are perhaps the most subjective thoughts in the deck. highly variable with
existing skill level, but assuming no experience at all:
> programming language: C/C++ and Python
> Windows and Linux operating systems
> learn how to get a raspberry pi running Kali, apt-get, update, SSH, SCP
> basic electronics: DC, resistors, capacitors, transistors, Ohm’s Law, power
> networking and network protocols (TCP, IP, HTTP, FTP, MQTT, REST)
> interchip protocols (I2C, SPI, UART)
> basics of radio (AM, FM, PSK, WiFi, Bluetooth/BLE, NFC, SDR)
> working on a team, writing skills, read manuals and spec sheets
27. let’s dig in.
> begin a survey of tools, tactics, techniques, and procedures, but a warning…
> don’t get sucked into acquiring tools upfront. skills first. tools will make you
more efficient after the foundational skills are acquired
> that said, tool demos are a great way to get organizational leadership to
appreciate the risks, and they show how little adversaries need to invest
(especially as opposed to the cost of defensive countermeasures) if they intend
to attack.
29. wifi pineapple
Scan: Command the WiFi landscape and direct
attacks from a live recon dashboard, passively
monitoring all devices in the vicinity.
Target: Limit the audit to specified clients and
access points within the scope of engagement and
ensure zero collateral damage.
Intercept: Acquire clients with a comprehensive
suite of WiFi man-in-the-middle tools specializing in
targeted asset collection.
Report: Record and analyze logs, generate emailed
reports at set intervals, and identify vulnerable
devices in your organization.
30. pwnagotchi
Pwnagotchi is an A2C-based “AI” powered by
bettercap and running on a Raspberry Pi Zero W
that learns from its surrounding WiFi environment in
order to maximize the crackable WPA key material
it captures (either through passive sniffing or by
performing deauthentication and association
attacks). This material is collected on disk as PCAP
files containing any form of handshake supported
by hashcat, including full and half WPA handshakes
as well as PMKIDs.
32. lan turtle
The LAN Turtle is a covert Systems Administration and
Penetration Testing tool providing stealth remote access,
network intelligence gathering, and man-in-the-middle
surveillance capabilities through a simple graphic shell.
Housed within a generic "USB Ethernet Adapter" case, the
LAN Turtle’s covert appearance allows it to blend into many
IT environments.
OUT OF BAND REMOTE ACCESS: Bring your own back-
haul with the LAN Turtle 3G. Simply load a SIM card to
provide the LAN Turtle 3G with its own Internet connection.
Then drop it on a target network for an instant reverse shell or
VPN endpoint and completely bypass the perimeter firewall.
Systems Administrators, never fear losing remote access in
the event of a network outage.
Penetration Testers, this is the plug and play reverse shell
you've been waiting for.
33. packet squirrel
The man-in-the-middle that's nuts for
networks
The Packet Squirrel is a stealthy
pocket-sized man-in-the-middle.
This Ethernet multi-tool is designed to
give you covert remote access, painless
packet captures, and secure VPN
connections with the flip of a switch.
34. r00tabaga
combines the functionality of a "Pentest
Drop Box" with the man-in-the-middle
capabilities of a "Hot-Spot Honeypot" into
an integrated battery-powered device.
35. bash bunny
The Bash Bunny by Hak5 is a simple and powerful multi-
function USB attack and automation platform for
penetration testers and systems administrators.
It's easy setup & deployment with a simple "Bunny Script"
language, multi-position attack switch and a centralized
repository of payloads.
It's powerful with multiple attack vectors including HID
keyboard, USB Ethernet, Serial and Mass Storage.
Simultaneously perform keystroke injection attacks, bring-
your-own-network attacks and intelligent exfiltration.
36. usb rubber ducky
Nearly every computing device accepts human input
from keyboards, hence the ubiquitous HID (Human
Interface Device) specification. Keyboards
announce themselves to computers as HID devices
and are in turn automatically recognized and accepted.
The USB Rubber Ducky delivers powerful payloads in
seconds by taking advantage of the target computer's
inherent trust in keyboards, all while deceiving humans by posing as
an ordinary USB drive.
37. flipper zero
Flipper Zero is a portable multi-tool for pentesters and geeks in a
Tamagotchi-like body. It loves to hack digital stuff around it such as
radio protocols, access control systems, hardware and more.
Flipper Zero can be used as a versatile tool for hardware hacking,
firmware flashing, debugging and fuzzing. You can connect it to
any piece of hardware using GPIO and run your own code,
control it with buttons and print debug messages to the LCD
display. It can also be used as a regular USB to UART/SPI/I2C/etc
adapter connected to a PC. It's fully open source and customizable
so you can extend it in whatever way you like. Some features:
● 433/868 MHz Transceiver
● Signal analyzer
● 125kHz RFID
● NFC
● Bluetooth
● Infrared Transmitter
● BadUSB Mode
● iButton
38. usb ninja
Similar to a rubber ducky, remotely
controlled via bluetooth using hardware
remote or smartphone app.
39. o.mg cable
It is packed with a web server, 802.11 radio,
memory and processing power. Built for covert
field-use by Red Teams, with features that enhance
remote execution, stealth, forensics evasion, all
while being able to quickly and dynamically change
your tooling with minimal effort.
The O.MG Cable allows you to wirelessly execute
almost every feature, and not just creating, saving,
or executing payloads. You can wipe the flash
clean, convert the O.MG Cable to an innocuous
state, "break" the O.MG Cable so it will no longer
pass data, and even flash new firmware.
42. maltronics wifi deauther
A deauther allows you to disconnect
devices from a WiFi network, even if
you're not connected to that network.
Deauthers take advantage of a
weakness in the 802.11 protocol:
deauthentication frames are management
frames that, without 802.11w (Protected
Management Frames), carry no
authentication, so any radio can forge them.
Networks that negotiate PMF (mandatory
with WPA3) discard forged deauth frames;
clients and access points that do not
remain exposed.
Deauthers come with other features
such as Beacon Spamming (spamming
WiFi network names) and Probe
Spamming
43. poisontap (raspberry pi zero w)
siphons cookies, exposes internal router
& installs web backdoor on locked
computers
44. p4wnp1 (raspberry pi zero w)
Turn a $15 computer into a pentest toolkit with P4wnP1, a USB attack
platform with the following features:
HID covert channel frontdoor/backdoor | get remote shell access to
Windows targets via HID devices
Windows 10 Lockpicker | unlock Windows boxes with weak passwords (fully
automated)
Stealing browser credentials | dumps stored browser credentials and
copies them to the built-in flash drive
WiFi hotspot | SSH access (Pi Zero W only), supports hidden ESSID
Client mode | relays USB network attacks over WiFi with internet access (MitM)
USB device | works with Windows Plug and Play support
47. plunder bug
A pocket-sized LAN Tap that lets you
"bug" Ethernet connections with USB-C
convenience.
Coupled with cross-platform scripts and
an Android root app, this smart network
sniffer enables passive recording or
active scanning.
48. lan tap throwing star
The Throwing Star LAN Tap is a
passive Ethernet tap, requiring no
power for operation. There are active
methods of tapping Ethernet
connections (e.g., a mirror port on a
switch), but none can beat passive taps
for portability. To the target network, the
Throwing Star LAN Tap looks just like a
section of cable, but the wires in the
cable extend to the monitoring ports in
addition to connecting one target port to
the other.
50. key croc / o.mg keylogger
a keylogger armed with pentest tools, remote access and payloads that trigger
multi-vector attacks when chosen keywords are typed. It's the ultimate key-logging
pentest implant.
More than just recording and streaming keystrokes online, it exploits the target
with payloads that trigger when keywords of interest are typed.
By emulating trusted devices like serial, storage, HID and Ethernet, it opens
multiple attack vectors – from keystroke injection to network hijacking.
Imagine capturing credentials and systematically using them to exfiltrate data. Or
pentest from anywhere, live in a web browser with Cloud C2.
It's simple too. A hidden button turns it into a flash drive, where changing settings
is just editing a text file. And with a root shell your favorite pentest tools like nmap,
responder, impacket and metasploit are at the ready
52. signal owl
A signals intelligence platform with a simple payload
system. It's packed with custom utilities and popular
wireless tools - like Aircrack-ng, MDK4, Kismet, and more.
Its low USB power draw and small size make it
convenient for mobile applications, while its discreet form
factor and USB passthrough capabilities make it an ideal
implant. The internal WiFi is optimized for near access
operations, while a number of common transceivers are
supported - such as GPS, SDR and Bluetooth.
Deploy one or more nodes to monitor airspace and track
devices via WiFi, or optionally via Bluetooth and SDR,
and manage remotely via a remote C2 server.
53. screen crab
The Screen Crab by Hak5 is a stealthy video man-
in-the-middle implant.
This covert inline screen grabber sits between
HDMI devices - like a computer and monitor, or
console and television - to quietly capture
screenshots. Perfect for sysadmins, pentesters and
anyone wanting to record what's on a screen.
WiFi enabled to stream screenshots via a remote
C2 server.
54. shark jack
A portable network attack tool optimized for social
engineering engagements and opportunistic wired
network auditing. Out-of-the-box it's armed with an
ultra fast nmap payload, providing quick and easy
network reconnaissance. The simple scripting
language and attack/arming switch make loading
payloads a breeze, and the RGB LED provides
instant feedback on attack stages.
55. rainbow tables
precomputed table for reversing cryptographic
hash functions, usually for cracking password
hashes. Tables are usually used in recovering
a password (or credit card numbers, etc.) up
to a certain length consisting of a limited set of
characters. It is a practical example of a
space–time tradeoff, using less computer
processing time and more storage than a
brute-force attack which calculates a hash on
every attempt, but more processing time and
less storage than a simple lookup table with
one entry per hash. Use of a key derivation
function that employs a salt makes this attack
infeasible.
1. Starting from the target hash ("re3xes" in the original illustration), one
computes the last reduction used in the table and checks
whether the resulting password appears in the last column of the table
(step 1).
2. If the test fails (rambo doesn't appear in the table), one computes
a chain with the two last reductions (these two reductions are
represented at step 2) Note: If this new test fails again, one
continues with 3 reductions, 4 reductions, etc. until the password
is found. If no chain contains the password, then the attack has
failed.
3. If this test is positive (step 3, linux23 appears at the end of the
chain and in the table), the password is retrieved at the beginning
of the chain that produces linux23. Here we find passwd at the
beginning of the corresponding chain stored in the table.
4. At this point (step 4), one generates a chain and compares at
each iteration the hash with the target hash. The test is valid and
we find the hash re3xes in the chain. The current password
(culture) is the one that produced the whole chain: the attack is
successful.
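The four steps above in working code, as an added example (mine, not from the deck): a miniature rainbow table over 3-character lowercase passwords, with the column index folded into the reduction function so each column reduces differently (that is what makes it a rainbow table rather than a plain hash chain). `lookup` walks backwards from the last column exactly as described: reduce, extend the chain to its end, check the table, and on a hit regenerate the stored chain from its start comparing hashes until the target is found. MD5, the charset, the chain length and the 300 chain starts are chosen so it runs in well under a second; `H_salted` is there to show why a salt defeats the table.

```python
"""Miniature rainbow table: build, lookup, and the effect of a salt.
Added example, not from the deck; parameters are constructed for speed."""
import hashlib
import itertools

CHARSET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3
CHAIN_LEN = 50
# Chain start passwords: the first 300 of the 17,576 possible 3-letter strings.
STARTS = ["".join(t) for t in itertools.islice(itertools.product(CHARSET, repeat=LENGTH), 300)]

def H(password):
    return hashlib.md5(password.encode()).hexdigest()

def H_salted(salt, password):
    """A salted hash: the table was built for H, so its chains never reach these."""
    return hashlib.md5((salt + ":" + password).encode()).hexdigest()

def reduce_(digest, column):
    """Map a hash back into the password space. Folding in the column index
    gives every column its own reduction, which limits chain merging."""
    n = int(digest, 16) + column
    chars = []
    for _ in range(LENGTH):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)

def chain(start):
    """The passwords of one chain, columns 0 .. CHAIN_LEN-1 (not stored)."""
    pws = [start]
    for col in range(CHAIN_LEN - 1):
        pws.append(reduce_(H(pws[-1]), col))
    return pws

def build_table(starts):
    """Store only end -> [starts]; a list because distinct chains can share an end."""
    table = {}
    for start in starts:
        last = chain(start)[-1]
        end = reduce_(H(last), CHAIN_LEN - 1)
        table.setdefault(end, []).append(start)
    return table

def lookup(target, table):
    """Steps 1-4 from the text, trying the last column first."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        # steps 1-2: assume the password sits in column k, walk to the chain end
        p = reduce_(target, k)
        for col in range(k + 1, CHAIN_LEN):
            p = reduce_(H(p), col)
        # step 3: the end is in the table, so regenerate each chain that ends there
        for start in table.get(p, []):
            # step 4: walk the chain comparing hashes with the target
            for candidate in chain(start):
                if H(candidate) == target:
                    return candidate
    return None

if __name__ == "__main__":
    table = build_table(STARTS)
    secret = chain("aaa")[17]              # a password covered by the table
    print(secret, "->", lookup(H(secret), table))
    print("salted:", lookup(H_salted("s4lt", secret), table))
```

A miss at some column is the "false alarm" case from step 2: the chain end matched but the regenerated chain never produced the target, so the loop moves on to the next column. Coverage is what the table's size buys; with a unique per-user salt the attacker would need a separate table per salt, which is the infeasibility the slide refers to.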
58. magspoof
is a device that can spoof/emulate any
magnetic stripe or credit card. It can
work "wirelessly", even on standard
magstripe/credit card readers, by
generating a strong electromagnetic
field that emulates a traditional
magnetic stripe card.
60. keysy
Keysy allows the user to copy up to four
low frequency (125kHz) RFID
keycards/keyfobs. Keysy can then
emulate these keycards/keyfobs when
placed in front of the RFID reader. In
addition, Keysy has the ability to
duplicate any previously read
keycard/keyfob onto a blank rewritable
keyfob/keycard.
61. proxmark3
The Proxmark3 is a powerful general
purpose RFID test instrument designed to
snoop, listen and emulate everything from
Low Frequency (125kHz) to High Frequency
(13.56MHz) tags.
The Proxmark is the only research and
development platform targeting NFC and
RFID that is capable of both transmitting and
receiving while meeting the timing
requirements of most proximity protocols.
The Proxmark also provides full control over
the radio layer in addition to software support
for several higher-level protocols
62. chameleon mini rfid
The ChameleonMini is a versatile
contactless smartcard emulator
compliant to NFC, ISO 14443 and ISO
15693. It has been designed and
maintained by the Chair for Embedded
Security of the Ruhr-University in
Bochum. The freely programmable
platform can be used to emulate and
virtualize cards (perfect clones including
the UID), for practical penetration
testing.
65. lock bypassing
Instead of picking a lock, sometimes it’s
easier to bypass the locking mechanism
to gain entry into a secured space.
● under door tool
● shims
● thumb lock bypass
● crash bar tool
66. blekey
BLEKey is a Bluetooth Low Energy
(BLE) enabled tap for the Wiegand
protocol, which is the most widespread
protocol for proximity card reader
systems. BLEKey can be installed in a
reader to passively sniff Wiegand data,
and can emulate cards on that reader.
All data can be offloaded to a phone
with BLE support.
67. dji spark drone
a tiny drone is good for surveillance, or for
delivering physical payloads such as a
wifi pineapple.
69. telephone test (butt) set
accesses analog telephone lines, which are
still widely used for phone calls,
security alarm systems, and elevator
emergency phones.
with access to a PBX telephone
equipment room, it is possible to make calls,
receive calls or monitor calls on those lines.
71. hackrf one
HackRF One is a Software Defined
Radio (SDR) peripheral capable of
transmission or reception of radio
signals from 1 MHz to 6 GHz. Designed
to enable test and development of
modern and next generation radio
technologies, HackRF One is an open
source hardware platform that can be
used as a USB peripheral or
programmed for stand-alone operation.
72. limesdr / limesdr mini
LimeSDR is a low cost, open source,
apps-enabled (more on that later)
software defined radio (SDR) platform
that can be used to support just about
any type of wireless communication
standard.
LimeSDR can send and receive UMTS,
LTE, GSM, LoRa, Bluetooth, Zigbee,
RFID, and Digital Broadcasting, to
name but a few.
73. lostik
LoStik is an affordable, easy to use,
LoRaWAN™ compatible device. It lets
IoT (Internet of Things) integrators,
network testers, and hobbyists connect
laptops or Raspberry Pis to a LoRa®
network faster, diagnose network issues
more easily, and build new and exciting
connected devices.
74. yardstick one
YARD Stick One (Yet Another Radio Dongle) can transmit or receive digital
wireless signals at frequencies below 1 GHz.
Capabilities:
●half-duplex transmit and receive
●official operating frequencies: 300-348 MHz, 391-464 MHz, and 782-928
MHz
●unofficial operating frequencies: 281-361 MHz, 378-481 MHz, and 749-
962 MHz
●modulations: ASK, OOK, GFSK, 2-FSK, 4-FSK, MSK
YARD Stick One comes with RfCat firmware installed, courtesy of atlas.
RfCat allows you to control the wireless transceiver from an interactive
Python shell or your own program running on your computer.
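As an added example (not from the RfCat or YARD Stick One documentation), the Python below builds the kind of raw on/off-keyed payload RfCat transmits with RFxmit(): the data bits of a fixed-code remote are expanded into pulse-width-modulated chips, packed into bytes, and paired with the chip rate the radio must be set to. The remote's encoding, code and timing are assumptions for a hypothetical device; the rflib calls at the end are the ones used in the RfCat shell and should be checked against the rflib version installed.

```python
"""Build an OOK/PWM burst for RfCat's RFxmit().

Added example; not from the RfCat or YARD Stick One documentation.
Many cheap fixed-code remotes (garage doors, gates, alarm fobs) send a
handful of data bits as pulse-width-modulated on/off keying: each data
bit becomes a fixed number of 'chips', and RfCat simply transmits the
chips as a raw bit stream at the chip rate. The constants below are
assumptions for a hypothetical remote; take the real ones from a
capture (e.g. an RTL-SDR recording) of the fob you are authorised to test.
"""

ONE = "1110"            # assumed: long high, short low  = data bit 1
ZERO = "1000"           # assumed: short high, long low  = data bit 0
CHIPS_PER_SYMBOL = 4
GAP_CHIPS = 32          # assumed silence between repeats of the code


def pwm_encode(code: str, one: str = ONE, zero: str = ZERO) -> str:
    """Turn a string of data bits into a string of OOK chips."""
    if set(code) - {"0", "1"}:
        raise ValueError("code must be '0'/'1' characters")
    return "".join(one if bit == "1" else zero for bit in code)


def pack_bits(chips: str) -> bytes:
    """Pack a chip string MSB-first into bytes, zero-padding (radio off)."""
    chips += "0" * (-len(chips) % 8)
    return bytes(int(chips[i:i + 8], 2) for i in range(0, len(chips), 8))


def build_burst(code: str, repeats: int = 4, gap_chips: int = GAP_CHIPS) -> bytes:
    """Encode the code, append a gap, repeat it, and pack for RFxmit()."""
    return pack_bits((pwm_encode(code) + "0" * gap_chips) * repeats)


def chip_rate_baud(symbol_period_us: float, chips_per_symbol: int = CHIPS_PER_SYMBOL) -> int:
    """Data rate to configure on the radio so that one chip lasts the right time."""
    return round(chips_per_symbol * 1_000_000 / symbol_period_us)


# Constructed 12-bit code for a hypothetical remote; not a real device's code.
SAMPLE_CODE = "101100110010"
SAMPLE_SYMBOL_PERIOD_US = 1000.0    # assumed 1 ms per data bit -> 4000 baud


if __name__ == "__main__":
    burst = build_burst(SAMPLE_CODE)
    baud = chip_rate_baud(SAMPLE_SYMBOL_PERIOD_US)
    print(f"{len(burst)} bytes at {baud} baud:", burst.hex())
    try:
        from rflib import RfCat, MOD_ASK_OOK   # only present where RfCat is installed
    except ImportError:
        print("rflib not installed; payload built but not transmitted")
    else:
        # Radio setup as typed in the RfCat shell (assumption: verify against
        # your rflib version). Transmit only on frequencies and against
        # devices you are authorised to test.
        d = RfCat()
        d.setFreq(433_920_000)
        d.setMdlModulation(MOD_ASK_OOK)
        d.setMdlDRate(baud)
        d.makePktFLEN(len(burst))
        d.RFxmit(burst)
```

The same packing works in the other direction: RFrecv() returns raw bytes at the configured chip rate, and splitting them into groups of four chips recovers the data bits with the mapping above. Fixed-code remotes are replayable precisely because nothing in the burst changes between presses.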
76. crazyradio pa
crazyradio PA is a long range open
USB radio dongle from Bitcraze built
around the Nordic Semiconductor
nRF24LU1+. It features a 20 dBm
power amplifier and LNA and comes pre-
programmed with Crazyflie compatible
firmware. The power amplifier boosts
the range to more than 1 km (line of sight).
77. rtl-sdr dongle
RTL-SDR is a very cheap ~$25 USB
dongle that can be used as a computer
based radio scanner for receiving live
radio signals in your area (no internet
required). Depending on the particular
model it could receive frequencies from
500 kHz up to 1.75 GHz. The origins of
RTL-SDR stem from mass produced
DVB-T TV tuner dongles that were
based on the RTL2832U chipset.
78. zigbee sniffer
The Zigbee sniffer allows capture and
display of data frames transmitted
between ZigBee devices. It captures the
traffic with a radio separate from
the one used by the main system, and can
display low level frames that are
useful for debugging problems on the
network.
80. jtagulator
JTAGulator is an open source hardware tool that
assists in identifying On-chip debug (OCD)
connections from test points, vias, or component
pads on a target device.
OCD interfaces can provide chip-level control of a
target device and are a primary vector used by
engineers, researchers, and hackers to extract
program code or data, modify memory contents, or
affect device operation on-the-fly. Depending on the
complexity of the target device, manually locating
available OCD connections can be a difficult and
time consuming task, sometimes requiring physical
destruction or modification of the device.
81. analog discovery 2
Digilent Analog Discovery 2 is a USB
oscilloscope and multi-function
instrument that allows users to
measure, visualize, generate, record,
and control mixed-signal circuits of all
kinds.
Can perform functions such as arbitrary
function generator, network analyzer,
spectrum analyzer, data logger, protocol
analyzer, impedance analyzer, power
supply.
82. black magic probe
a JTAG and SWD Adapter used for
programming and debugging ARM Cortex
MCUs
83. bus pirate
a troubleshooting tool that communicates
between a PC and any embedded device
over 1-wire, 2-wire, 3-wire, UART, I2C, SPI,
and HD44780 LCD protocols - all at voltages
from 0-5.5VDC. This product eliminates a ton
of early prototyping effort when working with
new or unknown chips.
Working with the Bus Pirate is simple and
effective - type commands into a terminal on
your computer, those commands are
interpreted by the Bus Pirate and sent via the
proper protocol.
84. teensy or arduino micro
roll your own rubber ducky.
The Micro board is similar to the Arduino
Leonardo in that the ATmega32U4 has built-
in USB communication, eliminating the need
for a secondary processor. This allows the
Micro to appear to a connected computer as
a HID device (mouse and keyboard), in
addition to a virtual (CDC) serial / COM port.
It also has other implications for the behavior
of the board; these are detailed on the Arduino
getting started page.
85. great fet one
a hardware hacker’s best friend. With an extensible, open source
design, two USB ports, and 100 expansion pins, GreatFET One is
your essential gadget for hacking, making, and reverse engineering.
By adding expansion boards called neighbors, you can turn
GreatFET One into a USB peripheral that does almost anything.
Whether you need an interface to an external chip, a logic analyzer,
a debugger, or just a whole lot of pins to bit-bang, the versatile
GreatFET One is the tool for you. Hi-Speed USB and a Python API
allow GreatFET One to become your custom USB interface to the
physical world.
● programmable digital I/O
● serial protocols including SPI, I2C, UART, and JTAG
● logic analysis
● analog I/O (ADC/DAC)
● data acquisition
● debugging
● versatile USB functions including FaceDancer
● high-throughput hardware-assisted streaming serial engine
86. attify badge
Attify badge is a hardware tool that allows you to interact with
various hardware interfaces and ports such as UART, SPI, I2C,
JTAG, GPIO and so on.
87. saleae logic analyzer
used by electrical engineers, firmware
developers, enthusiasts, and
engineering students to record,
measure, visualize, and decode the
signals in their electrical circuits.
89. opticspy + tomu
also ultrasonic exfiltration is possible with
Arduinos and HC-SR04 ultrasonic sensor
hardware (the HC-05 is a Bluetooth module).
90. chip whisperer
● ChipWhisperer is an open source toolchain dedicated
to hardware security research, side-channel power
analysis and glitching attacks. This toolchain
consists of several layers of open source
components:
● Hardware: The ChipWhisperer uses a capture board
and a target board.
● Firmware: Three separate pieces of firmware are
used on the ChipWhisperer hardware: the capture
board's USB controller (in C), its FPGA for
high-speed captures (in Verilog), and the firmware
running on the target board. All are open source.
● Software: The ChipWhisperer software is made up of
a capture program to control the hardware and
an analyzer program to process captured data.
91. obd2 (automobile interface)
On-Board Diagnostics II (OBD2) ports have been
mandatory on cars sold in the US since model
year 1996. USB, wifi, or Bluetooth OBD2 interfaces
let a computer or smartphone tap into a
car's CAN bus. A wireless dongle left plugged in
with its default PIN exposes that bus to anyone
in radio range.
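As an added example (not the software of any OBD2 dongle), the Python below builds a standard mode 01 request frame and decodes the responses out of a CAN log: this is what a dongle does for you, and seeing it in the raw shows how little stands between a bus tap and the vehicle's data. The log lines are constructed in candump's "ID#HEXDATA" style, not a real capture; the CAN IDs and PID formulas are the standard ISO 15765-4 / SAE J1979 ones.

```python
"""Decode OBD-II mode 01 responses from a CAN log.

Added example; not from any OBD2 dongle's software. On an OBD-II CAN bus
a tester broadcasts requests on ID 0x7DF and each ECU answers on its own
ID in 0x7E8..0x7EF. Frames are 8 bytes: [length, mode, pid, data...].
"""

REQUEST_ID = 0x7DF
RESPONSE_IDS = range(0x7E8, 0x7F0)

# PID -> (name, unit, data bytes needed, decoder over data bytes A, B, ...)
PIDS = {
    0x05: ("coolant_temp", "degC", 1, lambda d: d[0] - 40),
    0x0C: ("engine_rpm", "rpm", 2, lambda d: (256 * d[0] + d[1]) / 4),
    0x0D: ("vehicle_speed", "km/h", 1, lambda d: d[0]),
    0x11: ("throttle", "%", 1, lambda d: 100 * d[0] / 255),
    0x2F: ("fuel_level", "%", 1, lambda d: 100 * d[0] / 255),
}


def build_request(pid: int) -> tuple:
    """(CAN ID, 8 data bytes) for a mode 01 query: [len=2, mode=1, pid, padding]."""
    return REQUEST_ID, bytes([0x02, 0x01, pid]) + b"\x00" * 5


def parse_candump_line(line: str):
    """'(ts) can0 7E8#0441...' -> (can_id, data bytes); None if unparseable."""
    line = line.strip()
    if "#" not in line:
        return None
    head, _, payload = line.rpartition("#")
    try:
        return int(head.split()[-1], 16), bytes.fromhex(payload)
    except (ValueError, IndexError):
        return None


def decode_response(can_id: int, data: bytes):
    """Decode a single-frame mode 01 response; None if the frame isn't one."""
    if can_id not in RESPONSE_IDS or len(data) < 3:
        return None
    length, mode, pid = data[0], data[1], data[2]
    if mode != 0x41 or not 2 <= length <= 7:      # 0x41 = mode 01 + 0x40; 0x7F = negative
        return None
    payload = data[3:1 + length]                  # length counts mode + pid + data
    entry = PIDS.get(pid)
    if entry is None or len(payload) < entry[2]:
        return None
    name, unit, _, decode = entry
    return {"ecu": can_id, "pid": pid, "name": name, "value": decode(payload), "unit": unit}


def decode_log(lines):
    """Run every line through the parser and keep the decodable mode 01 answers."""
    records = []
    for line in lines:
        parsed = parse_candump_line(line)
        rec = decode_response(*parsed) if parsed else None
        if rec is not None:
            records.append(rec)
    return records


# Constructed log: a request, three answers, a negative response, and a
# non-diagnostic frame that must be ignored. Not a real capture.
SAMPLE_LOG = [
    "(1600000000.000100) can0 7DF#0201050000000000",
    "(1600000000.002300) can0 7E8#0341055F00000000",
    "(1600000000.010000) can0 7E8#04410C1AF8000000",
    "(1600000000.012200) can0 7E8#03410D3C00000000",
    "(1600000000.013000) can0 7E9#037F0C1200000000",
    "(1600000000.015000) can0 1A0#1122334455667788",
]

if __name__ == "__main__":
    print("request:", build_request(0x0C))
    for rec in decode_log(SAMPLE_LOG):
        print(f"ECU {rec['ecu']:03X} {rec['name']} = {rec['value']} {rec['unit']}")
```

Mode 01 is the read-only diagnostic service; the same framing carries manufacturer-specific services that can actuate things, which is why an unattended dongle on the bus is a physical-safety issue and not just a privacy one.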
115. nfc apps
tools such as nfc tools and mifare
classic tool can read or write to nfc.
116. wifi pineapple connector
Conveniently manage and share your Internet
connection with the WiFi Pineapple.
Share your Android Internet connection with the
WiFi Pineapple via USB Tethering (without root)
Automatically establish a secure connection to the
WiFi Pineapple web interface.
Setup wizard detects new WiFi Pineapples and
guides you through initial configuration.
Supports 6th generation WiFi Pineapple devices
from Hak5.
117. plunder bug lan tap
The Plunder Bug by Hak5 is a pocket-sized LAN
tap that lets you "bug" Ethernet connections with
USB-C convenience. Requires root permission.
Device detection -- Automatically detects when the
Plunder Bug is connected and ready to use.
Packet capture -- Captures live network traffic and
records it in standard pcap format.
Share -- Exports your packet capture (pcap) files for
packet analysis.
118. hackode
This application contains a set of tools for:
Reconnaissance actions
Google Hacking
Whois
Port scanning
Ping
Traceroute
DNS and IP searches
Access to Mail Exchange records
Exploits
119. fing
Fing is a network scanner that discovers all the devices
connected to your WiFi and identifies them, using
fingerprinting technology also licensed to router manufacturers
and antivirus vendors. With Fing App's free tools
and utilities you can:
• Run WiFi and Cellular internet speed tests, download
speed and upload speed analysis and latency
• Scan networks with Fing’s Wi-Fi & LAN network scanner
and discover all devices connected to any network
• Get the most accurate device recognition of IP address,
MAC address, device name, model, vendor and
manufacturer
• Advanced device analysis of NetBIOS, UPnP, SNMP and
Bonjour names, properties and device types
• Includes port scanning, device ping, traceroute and DNS
lookup
• Receive network security and device alerts to your phone
and email
129. social engineering attacks
1. Phishing Emails/Phone Calls: Seek to obtain personal information, such as names, addresses and social security numbers. Use link
shorteners or embed links that redirect users to suspicious websites behind URLs that appear legitimate. Incorporate threats, fear and a
sense of urgency to manipulate the user into acting promptly. When aimed at a specific person it is called spear phishing; when the
target is a high-value individual such as an executive it is also called a whaling attack.
2. Pretexting: Attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’
personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of
information from their target in order to confirm their identity.
3. Baiting: Similar to phishing attacks. However, what distinguishes them from other types of social engineering is the promise of an
item or good that hackers use to entice victims. Baiters may offer users free music or movie downloads, if they surrender their login
credentials to a certain site.
4. Quid Pro Quo: Quid pro quo attacks promise a benefit in exchange for information. This benefit usually assumes the form of a
service, whereas baiting frequently takes the form of a good. One of the most common types of quid pro quo attacks involve
fraudsters who impersonate IT service people and who spam call as many direct numbers that belong to a company as they can find.
These attackers offer IT assistance to each and every one of their victims. The fraudsters will promise a quick fix in exchange for the
employee disabling their AV program and for installing malware on their computers that assumes the guise of software updates.
5. Watering Hole: Attack consists of injecting malicious code into the public web pages of a site that the targets are known to visit. The
method of injection is not new, and it is commonly used by cyber criminals and hackers. The attackers compromise websites within a
specific sector that are ordinarily visited by the specific individuals of interest.
6. Tailgating: Another social engineering attack type is known as tailgating or “piggybacking.” These types of attacks involve someone
who lacks the proper authentication following an employee into a restricted area. A bad actor impersonates a delivery driver and
waits outside a building. When an employee gains security’s approval and opens their door, the attacker asks that the employee hold
the door, thereby gaining access off of someone who is authorized to enter the company.
7. Fake Credentials: Bad actor attains credentials of a third-party contractor and impersonates personnel (e.g. telephone service
repairman, HVAC technician, or safety inspector) to gain access to restricted areas.
Based on a report from Tripwire.
133. tips for making iot devices a bit more secure.
●Segment home network, put IoT devices on separate network. In a pinch, use router guest network for IoT home devices.
●Change default passwords immediately, and rotate credentials when a device changes hands or a compromise is suspected.
●Secure by Default
○ No default passwords shared between devices, or weak out of the box passwords. Strong passphrases with numb3rs, LeTtErS, and $pecial ch@rs.
○ All passwords should be randomly created using high quality random number generators.
○ Advanced features used by small percentage of users should be turned off (VPN, Remote Administration, etc.)
●Secure by Design
○ Firmware should be locked down so serial access is not available.
○ Secure Element (SE) or Trusted Platform Module (TPM) devices should be used to protect access to the firmware and hardware.
○ All GPIO, UART, and JTAG interfaces on the hardware should be disabled for production versions.
○ NAND or other memory/storage media should be protected with epoxy, BGA packaging rather than socketed parts (so the memory cannot be removed and dumped), or other
methods to prevent physical attacks.
●Zero Trust Computing
○ The devices should not rely on the network to provide security. Rather, the device's security model should assume the network is compromised and still
maintain protection methods. This can be done with prompts to the users to accept handshakes between devices trying to access other devices on their
networks.
○ Communication between devices should be encrypted to prevent MitM attacks and sniffing/snooping.
●Privacy
○ Consumer PII not shared with manufacturers or partners
○ Usage data on individual consumer is never shared with partners or advertisers.
○ Anonymous data for buckets of users on usage patterns is acceptable as long as it's proven to not be traceable back to the individual consumers.
○ Data collection policy, type of data collected and usage of data is clearly documented on site.
137. laws. policies. guidance.
Family Educational Rights and Privacy Act (FERPA)
Federal Information Security Management Act (FISMA)
Sarbanes-Oxley (SOX)
Health Insurance Portability and Accountability Act (HIPAA)
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
Payment Card Industry Data Security Standard (PCI DSS)
Federal Financial Institutions Examination Council (FFIEC)
General Data Protection Regulation (GDPR)
IEEE 15288-2016
NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
NIST Cybersecurity Framework (CSF)
NIST SP 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security
UFC 4-010-06 Cybersecurity of Facility-Related Control Systems
UFC 4-021-02 Electronic Security Systems
NIST SP 800-37 Revision 2: Risk Management Framework (RMF 2.0)
ISA/IEC 62443 Cybersecurity Standard Series
138. where to buy stuff.
sparrowslockpicks.com
shop.riftrecon.com
vigilantgear.com
wallofsheep.com
hackerwarehouse.com
hak5.org
greatscottgadgets.com
1bitsquared.com
ebay.com
tindie.com
crowdsupply.com
139. security podcasts and youtube channels
Security Weekly
Black Hills Podcast
Hak5
Risky Business
The Unsupervised Learning Podcast
Down the Security Rabbithole
Hacker Public Radio
Open Source Security Podcast
SANS StormCast
CyberWire
The Social-Engineer Podcast
DevelopSec
140. good reads.
● A Burglar's Guide to the City by Geoff Manaugh
● Ghost in the Wires, The Art of Invisibility, The Art of Intrusion, The Art of
Deception by Kevin Mitnick
● Hacking the Xbox by Bunnie Huang
● Hardware Hacker by Bunnie Huang
● Hackers by Steven Levy
● The Cuckoo’s Egg by Cliff Stoll
● Predictably Irrational by Dan Ariely
● Freakonomics by Steven D. Levitt, Stephen J. Dubner
● Fire in the Valley by Paul Freiberger
● SCADA and Me by Robert M. Lee
141. more good reads.
● RTFM
● BTFM
● Hash Crack
● The Hacker Playbook
● Black Hat Python
● Building Virtual Pentesting Labs for Advanced Penetration Testing
● Hacking Exposed: Industrial Control Systems
142. ctf training labs and ranges.
● https://holidayhackchallenge.com
● https://www.hackthebox.eu/
● https://picoctf.com
143. other skillz
● communicate orally
● write good reports
● translate the business impacts of vulnerabilities