Getting started
Several methods exist to get started with hacking IoTGoat depending on your testing approach.
- For those looking to extract the filesystem, analyze configurations and binaries statically, download the latest precompiled firmware release from https://github.com/OWASP/IoTGoat/releases.
Refer to OWASP's Firmware Security Testing Methodology for toolset recommendations and assistance with identifying embedded vulnerabilities. A live version of FSTM is also available on GitBook https://scriptingxss.gitbook.io/firmware-security-testing-methodology/.
- For dynamic web testing and binary runtime analysis, the quickest way to get started is downloading the latest "IoTGoat-x86.vmdk" and create a custom virtual machine using the IoTGoat disk image. Once launched, IoTGoat is configured to obtain an IP address via DHCP using the NAT interface by default. The following demonstrates creating a custom virtual machine in VMWare Fusion.
VirtualBox users must select the following operating system details Type: Linux Version: Linux 2.6 / 3.x / 4.x (32-bit) and Enable PAE/NX (See image below) in virtual machine settings. Both the .vmdk and .vdi have been tested in the latest VirtualBox release (April 2020) for Windows 10, Ubuntu 18.04 LTS, and MacOS Mojave.
Refer to OWASP's Web Security Testing Guide and ASVS projects for additional guidance on identifying web application vulnerabilities.
- Emulate firmware with open-source tools (e.g. Firmadyne and FAT) that leverage QEMU to virtualize IoTGoat locally. Use this option to get a feel of how IoTGoat behaves as if it running on a real device. Navigate the filesystem to analyze application and network services.
Note: Virtual network interfaces may have issues when accessing IoTGoat and performing UPnP as well as Dnsmasq exercises.
__ _
/ _| | |
| |_ __ _ | |_
| _| / _` | | __|
| | | (_| | | |_
|_| \__,_| \__|
Welcome to the Firmware Analysis Toolkit - v0.3
Offensive IoT Exploitation Training http://bit.do/offensiveiotexploitation
By Attify - https://attify.com | @attifyme
[+] Firmware: IoTGoat-rpi-2.img
[+] Extracting the firmware...
[+] Image ID: 1
[+] Identifying architecture...
[+] Architecture: armel
[+] Building QEMU disk image...
[+] Setting up the network connection, please standby...
[+] Network interfaces: [('eth0', '192.168.1.1')]
[+] Using qemu-system-arm from /home/embedos/tools/firmware-analysis-toolkit/qemu-builds/2.5.0
[+] All set! Press ENTER to run the firmware...
[+] When running, press Ctrl + A X to terminate qemu
[+] Command line: /home/embedos/tools/firmware-analysis-toolkit/firmadyne/scratch/2/run.sh
Creating TAP device tap2_0...
Set 'tap2_0' persistent and owned by uid 0
Bringing up TAP device...
embeddedappsec
Adding route to 192.168.1.1...
Starting firmware emulation... use Ctrl-a + x to exit
[ 0.000000] Booting Linux on physical CPU 0x0
[ 0.000000] Linux version 4.1.17+ (vagrant@vagrant-ubuntu-trusty-64) (gcc version 5.3.0 (GCC) ) #1 Thu Feb 18 01:05:21 UTC 2016
[ 0.000000] CPU: ARMv7 Processor [412fc0f1] revision 1 (ARMv7), cr=10c5387d
...
[ 11.579244] device eth0 entered promiscuous mode
[ 11.603238] br-lan: port 1(eth0) entered forwarding state
BusyBox v1.28.4 () built-in shell (ash)
.--,\\\__
██████╗ ██╗ ██╗ █████╗ ███████╗██████╗ `-. a`-.__
██╔═══██╗██║ ██║██╔══██╗██╔════╝██╔══██╗ | ')
██║ ██║██║ █╗ ██║███████║███████╗██████╔╝ / \ _.-'-,`;
██║ ██║██║███╗██║██╔══██║╚════██║██╔═══╝ / | { /
╚██████╔╝╚███╔███╔╝██║ ██║███████║██║ / | { /
╚═════╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚══════╝╚═╝ ..-"``~"-' ; )
╦┌─┐╔╦╗╔═╗┌─┐┌─┐┌┬┐ ;' `
║│ │ ║ ║ ╦│ │├─┤ │ ;' `
╩└─┘ ╩ ╚═╝└─┘┴ ┴ ┴ ;' `
------------------------------------------------------------ ;'
GitHub: https://github.com/OWASP/IoTGoat
------------------------------------------------------------
root@IoTGoat:/#
- Use the
IoTGoat-raspberry-pi2-sysupgrade.imgfirmware to flash on a Raspberry Pi 2 (BRCM2708 & BRCM2709).
Additional guidance and exercise walkthroughs will be posted when available. See the Challenge solutions page for more details.