• caglararli@hotmail.com
  • 05386281520

Next movement in IoT pentest when you have restricted information

Çağlar Arlı      -    43 Views

Next movement in IoT pentest when you have restricted information

I am a newbie cyber security engineer working on IoT. Today, a task is given to me. The task was making pentest to a cooker. Because of the privacy, I cannot share the brand of the cooker. The cooker has its own wifi card and connects to wifi. You control the cooker using your mobile phone. There are many recipes in the mobile application and you select one of them to cook, or you can also write your own recipe into the mobile app (for example you give commands as to its temperature, time, vapour pressure etc).

Before the first start, you need to match the cooker and your smartphone. When they match, wifi of both device must be open and they must be in the same network.

My attempt: As I said, I am a newbie and so I am trying to make the pentest as if I am trying to solve CTF. Firstly, I made port scanning using "rustscan","nmap" and "nessus". The only open tcp port was 6668 whose service was "irc" without showing its version. Both vuln library of nmap and nessus could not find any vulnerability. Moreover, there were 3 "open|filtered" UDP ports such that port 67,68 whose service is "dhcps" and port 5353 whose service is "zeroconf" without showing any version number.

When I listen the network using wireshark, i saw that the communication is made using always different ports.For example, if the previous packet has been sent to port 54321, the next one has been sent to 54320, and this process continues consecutively.

I could not see any "mqtt" or any other IoT protocol in wireshark, so it did not give me something.

After those attempts, I am stuck in there. I do not know what I should do. There is not any bin file to make firmware analysis. I thought to make reverse engineering to a mobile application, but they (seniors) do not want it.

If you were me, what would you do? What is the next movement? What can I do using this information (1 tcp and 3 udp ports).

Addentum: How can I examine this irc port, I tried to connect it using netcat "nc 192.168.200.14 6668", but nothing happened. What is your recommendation to inspect this port?