Skip to content

Getting started

Jump to bottom
scriptingxss edited this page Mar 29, 2020 · 1 revision

How to get started

Several methods exist to get started with hacking IoTGoat depending on your testing approach.

  1. For those looking to extract the filesystem, analyze configurations and binaries statically, download the latest precompiled firmware release from https://github.com/scriptingxss/IoTGoat/releases.

Refer to OWASP's Firmware Security Testing Methodology for toolset recommendations and assistance with identifying embedded vulnerabilities.

  1. For dynamic web testing and binary runtime analysis, the quickest way to get started is downloading the latest "IoTGoat-x86.vmdk" (VMware) and create a custom virtual machine using the IoTGoat disk image. Once launched, IoTGoat is configured to obtain an IP address via DHCP using the NAT interface by default.
BusyBox v1.28.4 () built-in shell (ash)

                                                           .--,\\\__
 ██████╗ ██╗    ██╗ █████╗ ███████╗██████╗                  `-.    a`-.__
██╔═══██╗██║    ██║██╔══██╗██╔════╝██╔══██╗                   |         ')
██║   ██║██║ █╗ ██║███████║███████╗██████╔╝                  / \ _.-'-,`;
██║   ██║██║███╗██║██╔══██║╚════██║██╔═══╝                  /     |   { /
╚██████╔╝╚███╔███╔╝██║  ██║███████║██║                      /     |   { /
 ╚═════╝  ╚══╝╚══╝ ╚═╝  ╚═╝╚══════╝╚═╝            ..-"``~"-'      ;    )
                                           ╦┌─┐╔╦╗╔═╗┌─┐┌─┐┌┬┐   ;'    `
                                           ║│ │ ║ ║ ╦│ │├─┤ │   ;'    `
                                           ╩└─┘ ╩ ╚═╝└─┘┴ ┴ ┴  ;'    `
 ------------------------------------------------------------ ;'
 GitHub: https://github.com/OWASP/IoTGoat
 ------------------------------------------------------------
root@IoTGoat:~# ifconfig br-lan
br-lan    Link encap:Ethernet  HWaddr 00:0C:29:00:AC:E7
          inet addr:172.16.100.213  Bcast:172.16.100.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe00:ace7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:470 errors:0 dropped:0 overruns:0 frame:0
          TX packets:589 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:48798 (47.6 KiB)  TX bytes:186562 (182.1 KiB)

root@IoTGoat:~#

Refer to OWASP's Web Security Testing Guide and ASVS projects for additional guidance on identifying web application vulnerabilities.

  1. Emulate firmware with open-source tools (e.g. Firmadyne and FAT) that leverage QEMU to virtualize IoTGoat locally. Use this option to get a feel of how IoTGoat behaves as if it running on a real device. Navigate the filesystem to analyze application and network services.

Note: Virtual network interfaces may have issues when accessing IoTGoat and performing UPnP as well as Dnsmasq exercises.

                               __           _
                              / _|         | |
                             | |_    __ _  | |_
                             |  _|  / _` | | __|
                             | |   | (_| | | |_
                             |_|    \__,_|  \__|

                Welcome to the Firmware Analysis Toolkit - v0.3
    Offensive IoT Exploitation Training http://bit.do/offensiveiotexploitation
                  By Attify - https://attify.com  | @attifyme
    
[+] Firmware: IoTGoat-rpi-2.img
[+] Extracting the firmware...
[+] Image ID: 1
[+] Identifying architecture...
[+] Architecture: armel
[+] Building QEMU disk image...
[+] Setting up the network connection, please standby...
[+] Network interfaces: [('eth0', '192.168.1.1')]
[+] Using qemu-system-arm from /home/embedos/tools/firmware-analysis-toolkit/qemu-builds/2.5.0
[+] All set! Press ENTER to run the firmware...
[+] When running, press Ctrl + A X to terminate qemu
[+] Command line: /home/embedos/tools/firmware-analysis-toolkit/firmadyne/scratch/2/run.sh
Creating TAP device tap2_0...
Set 'tap2_0' persistent and owned by uid 0
Bringing up TAP device...
embeddedappsec
Adding route to 192.168.1.1...
Starting firmware emulation... use Ctrl-a + x to exit
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.1.17+ (vagrant@vagrant-ubuntu-trusty-64) (gcc version 5.3.0 (GCC) ) #1 Thu Feb 18 01:05:21 UTC 2016
[    0.000000] CPU: ARMv7 Processor [412fc0f1] revision 1 (ARMv7), cr=10c5387d
...
[   11.579244] device eth0 entered promiscuous mode
[   11.603238] br-lan: port 1(eth0) entered forwarding state
BusyBox v1.28.4 () built-in shell (ash)

                                                           .--,\\\__         
 ██████╗ ██╗    ██╗ █████╗ ███████╗██████╗                  `-.    a`-.__    
██╔═══██╗██║    ██║██╔══██╗██╔════╝██╔══██╗                   |         ')   
██║   ██║██║ █╗ ██║███████║███████╗██████╔╝                  / \ _.-'-,`;    
██║   ██║██║███╗██║██╔══██║╚════██║██╔═══╝                  /     |   { /    
╚██████╔╝╚███╔███╔╝██║  ██║███████║██║                      /     |   { /    
 ╚═════╝  ╚══╝╚══╝ ╚═╝  ╚═╝╚══════╝╚═╝            ..-"``~"-'      ;    )     
                                           ╦┌─┐╔╦╗╔═╗┌─┐┌─┐┌┬┐   ;'    `     
                                           ║│ │ ║ ║ ╦│ │├─┤ │   ;'    `      
                                           ╩└─┘ ╩ ╚═╝└─┘┴ ┴ ┴  ;'    `       
 ------------------------------------------------------------ ;'             
 GitHub: https://github.com/OWASP/IoTGoat                                                
 ------------------------------------------------------------   
root@IoTGoat:/#
  1. Use the IoTGoat-raspberry-pi2-sysupgrade.img firmware to flash on a Raspberry Pi 2 (BRCM2708 & BRCM2709).

Additional guidance and exercise walkthroughs will be posted when available. We welcome all contributions from volunteers.

Clone this wiki locally