When I was preparing my talk for TROOPERS I noticed that there aren't a lot of resources on penetration testing for IoT devices, so I wrote this short to-do list in the speaker's lounge. Use it as a checklist. ;-)
- Check what services are running on the device, nmap it! Enumerate the attack surface!
- Is an SSH/telnet server running? Get a list of common user names & passwords, bruteforce it!
- Does it use Bluetooth? Intercept the traffic!
- How does the session management work? Is basic access authentication used? Are you able to bypass it?
- Does the device use weak default credentials? Does it use rate limiting?
- What web server is used? GoAhead?
- Check for common web vulnerabilities (e.g. command injections, local/remote file inclusions, XSS, CSRF, path traversal).
- Is there an auto-update feature? If so, play man-in-the-middle!
- Prepare an unsigned malicious firmware and try to update it.
- Look at the firmware, binwalk it!
  - binwalk - Quick Start Guide
- Look for juicy files, e.g. private keys, cleartext passwords, password hashes, etc.
- Basic access authentication in use? Search for .htpasswd files. Backdoor accounts are more common than you might think!