iT邦幫忙

2019 iT邦幫忙 鐵人賽 (Ironman Contest)

Security

Hands-on Security series, part 33

IoT Security - Burp Suite

Burp Suite is a web vulnerability scanner built around a proxy. Because of that proxy design, as long as the IoT device can have Burp's CA certificate installed and is pointed at Burp Suite as its proxy, we receive the decrypted plaintext of its traffic and can analyze whether its outbound connections have security problems.

https://ithelp.ithome.com.tw/upload/images/20181116/20077752Jwqbcot6E4.jpg

Because it runs on Java, it works on both Windows and Linux.
https://portswigger.net/burp

On startup the program creates a proxy listener at 127.0.0.1:8080 by default.
https://ithelp.ithome.com.tw/upload/images/20181116/20077752aWOfJdhuUt.jpg

Download the CA certificate
https://ithelp.ithome.com.tw/upload/images/20181116/20077752ZDM8uyIn7n.jpg

Install the certificate in the browser (the steps differ from browser to browser)
https://ithelp.ithome.com.tw/upload/images/20181116/20077752tjPt73ma6d.jpg
https://ithelp.ithome.com.tw/upload/images/20181116/20077752CbiYyZsa5v.jpg

Configure the proxy
https://ithelp.ithome.com.tw/upload/images/20181116/200777528nxcPoIiDf.jpg
https://ithelp.ithome.com.tw/upload/images/20181116/2007775216zwqbLzgo.jpg

Capture the browsing traffic
https://ithelp.ithome.com.tw/upload/images/20181116/20077752mG3EhLT4Kw.jpg

Installing the certificate on a phone and setting its proxy (on the same Wi-Fi network) lets you collect its traffic too; the procedure is described in this article:
https://www.slideshare.net/catcat1027/burp-suite-52974795

Then check the captured traffic step by step against the OWASP recommendations:
OWASP Internet of Things Project
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
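As an added example (not code from the original post), here is a small Python triage script for the traffic Burp collects: it reads a Burp "Save items" XML export and flags cleartext transport, secret-looking URL parameters and credential headers, which are among the checks the OWASP IoT list asks for. The export below is constructed in that layout; the device address 192.0.2.10 and the cloud host cloud.example are assumed sample values.

```python
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample in the layout of a Burp "Save items" XML export
# (base64="false" keeps each raw request readable inside its CDATA block).
def _item(proto, host, port, method, path, request):
    return (f'<item><url>{escape(proto + "://" + host + path)}</url>'
            f'<host ip="{host}">{host}</host><port>{port}</port><protocol>{proto}</protocol>'
            f'<method>{method}</method><path>{escape(path)}</path>'
            f'<request base64="false"><![CDATA[{request}]]></request><status>200</status>'
            '<response base64="false"><![CDATA[HTTP/1.1 200 OK\r\n\r\n]]></response></item>')

SAMPLE_XML = "<items>" + _item(  # assumed device IP and cloud host, constructed
    "http", "192.0.2.10", 80, "GET", "/login?user=admin&password=admin",
    "GET /login?user=admin&password=admin HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: sid=d3adb33f\r\n\r\n",
) + _item(
    "https", "cloud.example", 443, "POST", "/api/telemetry",
    "POST /api/telemetry HTTP/1.1\r\nHost: cloud.example\r\nAuthorization: Basic ZGV2aWNlOmh1bnRlcjI=\r\n\r\n{\"t\":21}",
) + _item(
    "https", "cloud.example", 443, "GET", "/api/firmware/latest",
    "GET /api/firmware/latest HTTP/1.1\r\nHost: cloud.example\r\n\r\n",
) + "</items>"

SECRET_PARAM = re.compile(r"(?i)\b(pass(word|wd)?|pwd|token|api_?key|secret)=")

def triage(xml_text):
    """Return (host, issue, url) findings for every item in a Burp export."""
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        proto = item.findtext("protocol", "")
        host = item.findtext("host", "")
        url = item.findtext("url", "")
        req = item.find("request")
        raw = req.text or ""
        if req.get("base64") == "true":  # real exports usually base64-encode
            raw = base64.b64decode(raw).decode("latin-1")
        # XML parsing normalizes CRLF to LF inside CDATA, so split on either.
        headers = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0].lower()
        if proto == "http":
            findings.append((host, "cleartext HTTP transport", url))
            if "cookie:" in headers or "authorization:" in headers:
                findings.append((host, "session or auth header sent in cleartext", url))
        if SECRET_PARAM.search(url):
            findings.append((host, "secret-looking parameter in URL", url))
        if "authorization: basic" in headers:
            findings.append((host, "HTTP Basic credentials (base64 only, device-side secret)", url))
    return findings
```

Run `triage()` on a real export saved from Burp's proxy history (Right-click, "Save items") to get the same findings list for the device under test.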

Check exploit-db to see whether someone has already disclosed a vulnerability in the device:
https://www.exploit-db.com/

IoTSecurity101
https://github.com/V33RU/IoTSecurity101

The search engine for the Internet of Things
https://www.shodan.io/

Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
https://github.com/ReFirmLabs/binwalk
