Module 18: IoT and OT Hacking

Objective

The objective of the lab is to perform IoT and OT platform hacking and other tasks that include, but are not limited to:

  • Performing IoT and OT device footprinting

  • Capturing and analyzing traffic between IoT devices

Overview of IoT and OT Hacking

Using the IoT and OT hacking methodology, an attacker acquires information using techniques such as information gathering, attack surface area identification, and vulnerability scanning, and uses such information to hack the target device and network.

The following are the various phases of IoT and OT device hacking:

  • Information gathering

  • Vulnerability scanning

  • Launch attacks

  • Gain remote access

  • Maintain access

Lab 1: Perform Footprinting using Various Footprinting Techniques

Overview of Footprinting Techniques

Footprinting techniques are used to collect basic information about the target IoT and OT platforms to exploit them. Information collected through footprinting techniques includes IP address, hostname, ISP, device location, banner of the target IoT device, FCC ID information, certification granted to the device, etc.

Task 1: Gather Information using Online Footprinting Tools

The information regarding the target IoT and OT devices can be acquired using various online sources such as Whois domain lookup, advanced Google hacking, and Shodan search engine. The gathered information can be used to scan the devices for vulnerabilities and further exploit them to launch attacks.

In this task, we will focus on performing footprinting on the MQTT protocol, which is a machine-to-machine (M2M)/“Internet of Things” connectivity protocol. It is useful for connections with remote locations where a small code footprint is required and/or network bandwidth is at a premium.

Whois Domain Lookup

Oasis is an organization that has published the MQTT v5.0 standard, which represents a significant leap in the refinement and capability of the messaging protocol that already powers IoT.

Google Hacking Database

Google Dorks

  • "login" intitle:"scada login"

Advanced Google hacking refers to the art of creating complex search engine queries by employing advanced Google operators to extract sensitive or hidden information about a target company from the Google search results.

Shodan Tool

Port 1883 is the default MQTT port; 1883 is defined by IANA as MQTT over TCP.

Similarly, you can gather additional information on a target device using the following Shodan filters:

  • Search for Modbus-enabled ICS/SCADA systems:

    port:502

  • Search for SCADA systems using PLC name:

    "Schneider Electric"

  • Search for SCADA systems using geolocation:

    SCADA Country:"US"

Lab 2: Capture and Analyze IoT Device Traffic

Overview of IoT and OT Traffic

Many IoT devices such as security cameras host websites for controlling or configuring cameras from remote locations. These websites mostly implement the insecure HTTP protocol instead of the secure HTTPS protocol and are, hence, vulnerable to various attacks. If the cameras use the default factory credentials, an attacker can easily intercept all the traffic flowing between the camera and web applications and further gain access to the camera itself. Attackers can use tools such as Wireshark to intercept such traffic and decrypt the Wi-Fi keys of the target network.

Task 1: Capture and Analyze IoT Traffic using Wireshark

Wireshark is a free and open-source packet analyzer. It facilitates network troubleshooting, analysis, software and communications protocol development, and education. It can be used to identify the target OS and to sniff/capture the responses that the target machine sends back to the machine from which a request originated.

MQTT is a lightweight messaging protocol that uses a publish/subscribe communication pattern. Since the protocol is designed for low-bandwidth devices, it is considered ideal for machine-to-machine (M2M) communication and IoT applications. We can create virtual IoT devices over the virtual network using the Bevywise IoT simulator on the client side and connect these devices to the server through the MQTT Broker web interface. This interface collects data and displays the status and messages of the devices connected over the network.

Note: After establishing a successful connection with the MQTT broker, the MQTT client can publish messages. The headers in the Publish Message packet are given below:

  • Header Flags: Contains information regarding the MQTT control packet type.

  • DUP flag: If the DUP flag is 0, it indicates the first attempt at sending this PUBLISH packet; if the flag is 1, it indicates a possible re-attempt at sending the message.

  • QoS: Determines the assurance level of a message.

  • Retain Flag: If the retain flag is set to 1, the server must store the message and its QoS, so it can cater to future subscriptions matching the topic.

  • Topic Name: Contains a UTF-8 string that can also include forward slashes when it needs to be hierarchically structured.

  • Message: Contains the actual data to be transmitted.

  • Payload: Contains the message that is being published.
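To make the header fields listed above concrete, here is an added example (not part of the lab material) that decodes a single MQTT 3.1.1 PUBLISH control packet the same way Wireshark's dissector does: the fixed-header flags (DUP, QoS, RETAIN), the variable-length Remaining Length field, the Topic Name, the Packet Identifier that is present only for QoS 1 and 2, and the payload. The sample packet bytes are constructed for this example; MQTT v5.0 adds a Properties field between the Packet Identifier and the payload, which this decoder does not handle.

```python
# Decoder for an MQTT 3.1.1 PUBLISH packet (fixed header + variable header + payload).
# Added example for this lab write-up; the sample bytes below are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

PACKET_TYPE_PUBLISH = 3  # high nibble of the first byte


@dataclass
class PublishPacket:
    dup: bool
    qos: int
    retain: bool
    topic: str
    packet_id: Optional[int]  # only present when QoS > 0
    payload: bytes


def decode_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the 1-4 byte 'Remaining Length' field (7 value bits per byte,
    high bit set = another byte follows). Returns (length, position after field)."""
    value, multiplier = 0, 1
    for _ in range(4):
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed Remaining Length: more than 4 bytes")


def parse_publish(packet: bytes) -> PublishPacket:
    """Split one PUBLISH control packet into the fields shown in the lab notes."""
    header_flags = packet[0]
    if header_flags >> 4 != PACKET_TYPE_PUBLISH:
        raise ValueError("not a PUBLISH packet")
    dup = bool(header_flags & 0x08)      # bit 3: DUP flag
    qos = (header_flags >> 1) & 0x03     # bits 2-1: QoS level
    retain = bool(header_flags & 0x01)   # bit 0: RETAIN flag
    if qos == 3:
        raise ValueError("QoS 3 is reserved and indicates a malformed packet")
    remaining, pos = decode_remaining_length(packet, 1)
    end = pos + remaining
    if end != len(packet):
        raise ValueError("Remaining Length does not match the packet size")
    topic_len = int.from_bytes(packet[pos:pos + 2], "big")
    topic = packet[pos + 2:pos + 2 + topic_len].decode("utf-8")  # UTF-8, may contain '/'
    pos += 2 + topic_len
    packet_id = None
    if qos > 0:                           # Packet Identifier exists only for QoS 1 and 2
        packet_id = int.from_bytes(packet[pos:pos + 2], "big")
        pos += 2
    return PublishPacket(dup, qos, retain, topic, packet_id, packet[pos:end])


# Constructed sample: flags 0x33 = PUBLISH, DUP=0, QoS=1, RETAIN=1; Remaining Length 24;
# topic "home/sensor/temp" (16 bytes), Packet Identifier 1, payload "22.5".
SAMPLE_PUBLISH = bytes([0x33, 0x18, 0x00, 0x10]) + b"home/sensor/temp" + b"\x00\x01" + b"22.5"
```

Feeding the raw bytes of a PUBLISH packet exported from a Wireshark capture into `parse_publish` reproduces the field breakdown shown in the MQTT dissector pane.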

Note: A Publish Release (PUBREL) packet is the response to a Publish Received (PUBREC) packet.

Note: The Publish Complete (PUBCOMP) packet is the response to a Publish Release (PUBREL) packet.

Hacker's Mantra: Data, Creativity, Curiosity - Andrew Chen