Reconnaissance
Theory
Testing a hardware device over Ethernet helps assess network vulnerabilities, intercept sensitive data, and identify exposed services or misconfigurations. This is especially useful for hardware devices that connect to the network, like IoT devices, routers, and industrial equipment.
Usage
Check open ports with nmap:
A simple Nmap scan can show what services are running on the device:
nmap <device-ip>   # devices often have a static IP; check the manual
Example Output:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-10 14:23
Nmap scan report for 192.168.1.100
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
You can also use appropriate flags like:
-sV : Version detection
-sC : Default script scan
-A : Aggressive scan
-p- : Scan all ports
-sU : UDP scan
--script vuln : Runs the NSE vulnerability-check scripts
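As an added example (not part of the original page), a small Python script that parses nmap's normal output and flags open services a deployed device should not expose. The scan output embedded below is constructed, and the list of risky services is an assumption for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of what `nmap -sV <device-ip>` prints for an IoT device
# (assumed output for this example, not a capture from any real device).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-10 14:23 UTC
Nmap scan report for 192.168.1.100
Host is up (0.00045s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE VERSION
21/tcp   open     ftp     vsftpd 3.0.3
22/tcp   open     ssh     Dropbear sshd 2019.78 (protocol 2.0)
23/tcp   open     telnet  BusyBox telnetd
80/tcp   open     http    lighttpd 1.4.35
443/tcp  filtered https
"""

# Services that should not be reachable on a deployed device, with a remediation note.
# Assumed list for illustration; tailor it to the device's threat model.
RISKY_SERVICES = {
    "telnet": "cleartext remote shell; disable it and use SSH",
    "ftp": "cleartext file transfer, often used for firmware upload; disable or restrict",
    "http": "cleartext web UI; serve the management interface over HTTPS only",
    "tftp": "unauthenticated file transfer; disable outside of provisioning",
    "snmp": "verify community strings are not the defaults",
}

# Matches nmap's port table rows, e.g. "22/tcp   open  ssh  Dropbear sshd 2019.78"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass
class OpenPort:
    port: int
    proto: str
    service: str
    version: str

def parse_nmap_output(text):
    """Return the open ports listed in nmap's normal (non-XML) output."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found.append(OpenPort(int(m.group(1)), m.group(2), m.group(4), (m.group(5) or "").strip()))
    return found

def risky_findings(ports):
    """Map each open risky service (keyed by port/proto) to a note for the report."""
    return {f"{p.port}/{p.proto}": f"{p.service} ({p.version or 'unknown'}): {RISKY_SERVICES[p.service]}"
            for p in ports if p.service in RISKY_SERVICES}

if __name__ == "__main__":
    for key, note in risky_findings(parse_nmap_output(SAMPLE_NMAP_OUTPUT)).items():
        print(key, note)
```

To use it on a real assessment, feed it the saved output of `nmap -sV -oN scan.txt <device-ip>` instead of the embedded sample.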
Try common credentials like admin/admin, and also google the device's default credentials!
Webserver available?
Use common tools like Burp Suite, gobuster or nikto to identify hidden content or vulnerabilities. There are plenty of websites that showcase web pentests, like hacktricks.xyz. Check them out!
Can you change configurations?
Explore and experiment, always aiming to enhance access to advanced
Firmware Updates!
This is also a very interesting area, as it gives us the chance to intercept the firmware image during the update.
Setup:
Set up Wireshark to capture all traffic to and from the target device
Start the firmware update
If the firmware is not encrypted, we can recover it from the Wireshark capture
If the firmware is uploaded via FTP, there could be a race condition, where we can download the firmware before it gets deleted from the FTP share
Try to investigate how the firmware update works, and think of how you can intercept it!
Once captured, we can extract passwords or other sensitive data from the firmware image