Distributions such as Kali Linux make it easier for us to carry out our penetration tests, vulnerability assessments, digital forensics gigs and wireless assessments. However, there are very few tools on such distributions that help you test the security of Internet of Things (IoT) devices as it needs bit of a customization. We now have AttifyOS to fill in the gap and help us test IoT security.
What is AttifyOS?
AttifyOS is a pre-configured Lubuntu 14.04 based distribution having tools required during Internet of Things (IoT) security assessments or penetration tests. Gone are the days when you install a tool only to know that another tool is still needed to complete your IoT security assessment. These are the tools included in AttifyOS:
Attify Badge tool
Firmware and Software:
Firmware Analysis Toolkit (FAT)
KillerBee / Attify ZigBee Framework
In addition to these, additional tools such as the free version of Burp Suite and jefferson, the JFFS2 filesystem extraction tool. I found the IoT exploitation distro simple to use. It helps you perform the following:
- Extract and analyze device firmware
- Debug and disassemble binaries
- Exploit UART, SPI, I2C and JTAGs
- JTAG debugging and exploitation
- Dump firmware through various techniques
- Debug hardware and the related software
- Analyze security of MQTT, CoAP and M2MXML protocols
- Attack cloud and mobile component of an IoT device
- Sniff, Replay, MITM and attack radio communications
- BLE and Zigbee exploitation
- ARM and MIPS reversing
- Side Channel Attacks (Clock, VCC glitching, breaking crypto)
However, the first boot gave me the following error:
Implementation of the USB 2.0 controller not found!
Because the USB 2.0 controller state is part of the saved VM state, the VM cannot be started. To fix this problem, either install the ‘Oracle VM VirtualBox Extension Pack’ or disable USB 2.0 support in the VM settings.
Note! This error could also mean that an incompatible version of the ‘Oracle VM VirtualBox Extension Pack’ is installed (VERR_NOT_FOUND).
So, I simply went to the settings and removed USB support for the initial boot. Post this AttifyOS boot normally and even asked for an upgrade that was available. This I gladly performed, installed Oracle VM Extension Pack and continued using it. All in all a promising IoT exploitation distribution.
You can download the current version of AttifyOS 1.3 (AttifyOS1.3.ova) here.
My initial post about this advanced XSS detection and exploitation suite was almost an year ago! Three days ago, an update – XSStrike 3.1.2 was released. This is a post that documents these changes. What is XSStrike? XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator,