: ./data/Sysssec IoT Device.ova: POSIX tar archive
** Run device
I imported the ~Syssec IoT Device.ova~ file into VirtualBox, which resulted in multiple errors.
- Network Error
#+begin_example
Could not start the machine Sysssec IoT Device because the following physical network interfaces were not found:
vboxnet0 (adapter 1)
You can either change the machine's network settings or stop the machine.
#+end_example
To fix this error I had to attach a virtual networking device to the Virtual Machine (VM); I chose Network Address Translation (NAT).
- USB Error
After fixing the previous error, a new error occurred:
#+begin_example
Implementation of the USB 2.0 controller not found!
Because the USB 2.0 controller state is part of the saved VM state, the VM cannot be started. To fix this problem, either install the 'Oracle VM VirtualBox Extension Pack' or disable USB 2.0 support in the VM settings.
Note! This error could also mean that an incompatible version of the 'Oracle VM VirtualBox Extension Pack' is installed (VERR_NOT_FOUND).
#+end_example
The error message instructs us to install the ~Oracle VM VirtualBox Extension Pack~, but doing so led to the same error.
So I tried to disable USB 2.0 support as the error message suggests, which made it possible to boot up the VM.
** Obtain IP address
Obtaining the device's IP address proved difficult as I had no ~vboxnet0~ interface.
To do this I had to add a network interface in the VirtualBox management interface.
After doing that I got the necessary network interface.
#+begin_example
| [***]Successfully Connected to IoTGoat's Backdoor[***]
| GenericLines:
| [***]Successfully Connected to IoTGoat's Backdoor[***]
| found
| found
| GetRequest:
| [***]Successfully Connected to IoTGoat's Backdoor[***]
| GET: not found
| found
| HTTPOptions, RTSPRequest:
| [***]Successfully Connected to IoTGoat's Backdoor[***]
| OPTIONS: not found
| found
| Help:
| [***]Successfully Connected to IoTGoat's Backdoor[***]
| HELP
| found
| Kerberos:
| [***]Successfully Connected to IoTGoat's Backdoor[***]
| found
| RPCCheck:
| [***]Successfully Connected to IoTGoat's Backdoor[***]
| syntax error: unexpected word (expecting ")")
| TLSSessionReq:
| [***]Successfully Connected to IoTGoat's Backdoor[***]
| random1random2random3random4
| found
| TerminalServerCookie:
| [***]Successfully Connected to IoTGoat's Backdoor[***]
|_ Cookie:: not found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
#+end_example
: Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
:
: Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-30 18:45:45
: [DATA] max 4 tasks per 1 server, overall 4 tasks, 60 login tries (l:1/p:60), ~15 tries per task
: [STATUS] attack finished for 192.168.56.101 (valid pair found)
: 1 of 1 target successfully completed, 1 valid password found
: Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-30 18:45:51
Another way would have been to get the ~/etc/shadow~ entry of ~iotgoatuser~ and crack it locally with john to circumvent
any restrictions given by ~ssh~ like ~fail2ban~ etc. (even though restrictions like that are unlikely on an IoT device).
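The ~fail2ban~-style restriction mentioned above, sketched as an added example (not part of the original write-up): a sliding-window counter of failed SSH logins per source address, run over a constructed log that mirrors the 60 tries in about six seconds of the Hydra run. The OpenSSH log format, the hostname, the source addresses and the ~maxretry~ / ~findtime~ values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH sshd line for a rejected password (assumed format; Dropbear logs differ).
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bruteforce(lines, maxretry=5, findtime=timedelta(seconds=60)):
    """Return {ip: timestamp at which maxretry failures first fell within findtime}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def sample_log():
    """Constructed log: 60 failures in 6 s from one host, then slow typos from another."""
    start = datetime(2021, 6, 30, 18, 45, 45)
    lines = []
    for i in range(60):
        ts = (start + timedelta(milliseconds=100 * i)).replace(microsecond=0)
        lines.append(f"{ts.isoformat()} iot sshd[900]: Failed password for "
                     f"iotgoatuser from 192.168.56.1 port {40000 + i} ssh2")
    lines.append("2021-06-30T18:45:51 iot sshd[900]: Accepted password for "
                 "iotgoatuser from 192.168.56.1 port 40060 ssh2")
    for i in range(3):  # three mistyped passwords, five minutes apart
        ts = start + timedelta(minutes=5 * (i + 1))
        lines.append(f"{ts.isoformat()} iot sshd[901]: Failed password for "
                     f"invalid user admin from 192.168.56.7 port 50000 ssh2")
    return lines

if __name__ == "__main__":
    for ip, ts in find_bruteforce(sample_log()).items():
        print(f"ban {ip}: threshold reached at {ts.isoformat()}")
```

With these values the fast source is flagged on its fifth failure, within the first second of the run, while the slow source never accumulates enough failures inside one window.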
** Man-in-the-middle Attack
When visiting the web interface of the IoT device using Firefox, we are greeted with =Warning: Potential Security Risk Ahead=:
#+begin_example
Warning: Potential Security Risk Ahead
Firefox detected a potential security threat and did not continue to 192.168.56.101. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
#+end_example
When pressing on =Advanced...= we get some additional information about the error.
#+begin_example
192.168.56.101 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
#+end_example
*** Why do you get this warning message?
The reason why the warning message is shown is:
#+begin_example
The certificate is not trusted because it is self-signed.
#+end_example
as stated in the error message.
*** What could be done to prevent this message?
One could simply ignore the error by pressing =Accept the Risk and Continue=.
*** Why is it in general hard to fix this problem for IoT devices?
The vendor would have to create an individual certificate for each of its devices.
Additionally, each IoT device would need to regularly update its certificate before it expires.
*** Analysis
Trying to log in with the previously obtained credentials:
#+begin_example
user: iotgoatuser
password: 7ujMko0vizxv
#+end_example
unfortunately didn't work.
**** Burp Suite
Firing up Burp and utilizing its internal Chromium browser, we try to log in again.