Author: elcapitan

Offensive IoT Exploitation Exam – Sniffing BLE traffic with Adafruit

This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course. http://www.securitytube-training.com/online-courses/offensive-internet-of-things-exploitation/index.html Student ID: IoTE-728 I examined a smart light bulb which can be controlled via Bluetooth Low Energy. After I installed the device and installed and configured the mobile phone application of the smart bulb,…


Offensive IoT Exploitation Exam – Analysis of the Android app of the mylink web camera

This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course. http://www.securitytube-training.com/online-courses/offensive-internet-of-things-exploitation/index.html Student ID: IoTE-728 My web camera can be used with the MyDLink Lite Android application. It can search for web cameras on the local network, but it can also connect to a cloud service and display a registered…


Offensive IoT Exploitation Exam – Format string vulnerability on ARM architecture

This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course. http://www.securitytube-training.com/online-courses/offensive-internet-of-things-exploitation/index.html Student ID: IoTE-728 During the Offensive IoT Exploitation course I learned the basics of writing buffer overflow exploits on the ARM and MIPS architectures. I also learned how to debug and analyze applications on those…


Offensive IoT Exploitation Exam – WPS on TP-Link WR841n v11

This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course. http://www.securitytube-training.com/online-courses/offensive-internet-of-things-exploitation/index.html Student ID: IoTE-728 On the back of my TP-Link router I found some information regarding the device, including the default WPS PIN number and SSID. WPS is a fast way of connecting Wi-Fi devices…


Offensive IoT Exploitation Exam – Dynamic analysis of a mydlink web camera

This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course. http://www.securitytube-training.com/online-courses/offensive-internet-of-things-exploitation/index.html Student ID: IoTE-728 In my previous post, I examined the firmware of a mydlink web camera with the binwalk tool. In this post I continue the examination of the IoT device with dynamic analysis. I configured…


Offensive IoT Exploitation Exam – Backdooring a firmware

This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course. http://www.securitytube-training.com/online-courses/offensive-internet-of-things-exploitation/index.html Student ID: IoTE-728 In this post I am going to create a backdoored firmware. I am going to use the firmware of my TP-Link WR841n v11 router. The original firmware can be downloaded from here….


Offensive IoT Exploitation Exam – Serial port of TP-Link WR841n v11

This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course. http://www.securitytube-training.com/online-courses/offensive-internet-of-things-exploitation/index.html Student ID: IoTE-728 In my previous post I connected to the serial port of a Netgear WNR1000 v4 router. I decided to do the same on a TP-Link WR841n v11 router. Here are the identified pins:…


Offensive IoT Exploitation Exam – Serial port of Netgear WNR1000 v4

This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course. http://www.securitytube-training.com/online-courses/offensive-internet-of-things-exploitation/index.html Student ID: IoTE-728 I decided to apply what I had learned during the Offensive IoT Exploitation course and connected to the serial port of my Netgear WNR1000 v4 router with an FT232BL Serial-USB converter. Connecting…


Fusion exploit exercises – level01

Level01 of Fusion is very similar to level00; however, we do not know the address of the buffer, and ASLR is active. I used the Python script from the previous exercise with the ret address of “\x42\x42\x42\x42”, started the application in gdb and crashed it, and checked the state of the registers. ESP…


Fusion Exploit exercises – level00

Recently I finished the Protostar exploit exercises. I decided to continue with the next set, Fusion, which teaches bypassing the various modern exploitation prevention systems. It has 15 levels, from level00 to level14. This blog post covers the first level, which is a simple stack overflow exercise. Level00 does not have any protection….