Practical Hardware Pentesting
Table of Contents
Contributors
About the author
About the reviewers
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Code in Action
Download the color images
Conventions used
Get in touch
Reviews
Section 1: Getting to Know the Hardware
Chapter 1: Setting Up Your Pentesting Lab and Ensuring Lab Safety
Prerequisites – the basics you will need
Languages
Hardware-related skills
System configuration
Setting up a general lab
Safety
Approach to buying test equipment
Home lab versus company lab
Approaching instrument selection
What to buy, what it does, and when to buy it
Small tools and equipment
Renting versus buying
The component pantry
The pantry itself
The stock
Sample labs
Beginner
Amateur
Pro
Summary
Questions
Chapter 2: Understanding Your Target
The CPU block
CPU roles
Common embedded systems architectures
The storage block
RAM
Program storage
Storing data
The power block
The power block from a pentesting point of view
The networking blocks
Common networking protocols in embedded systems
The sensor blocks
Analog sensors
Digital sensors
The actuator blocks
The interface blocks
Summary
Questions
Further reading
Chapter 3: Identifying the Components of Your Target
Technical requirements
Harvesting information – reading the manual
Taking a system analysis approach
For our Furby manual
Harvesting information – researching on the internet
For the Furby
Starting the system diagram
For our Furby
Continuing system exploration – identifying and putting components in the diagram
Opening the Furby
Manipulating the system
Dismantling the Furby
Identifying chips
Chips in the Furby
Identifying unmarked/mysterious chips
Furby – the mystery meat
The borders of functional blocks
Summary
Questions
Chapter 4: Approaching and Planning the Test
The STRIDE methodology
Finding the crown jewels in the assessed system
Security properties – what do we expect?
Communication
Maintenance
System integrity and self-testing
Protection of secrets or security elements
Reaching the crown jewels – how do we create impacts?
STRIDE through the components to compromise properties
For the example system – the Furby
Planning the test
Balancing your scenarios
Summary
Questions
Further reading
Section 2: Attacking the Hardware
Chapter 5: Our Main Attack Platform
Technical requirements
Introduction to the bluepill board
A board to do what?
What is it?
Why C and not Arduino?
The documentation
Memory-projected registers
The toolchain
The compilation process
Driving the compilation
Flashing the chip
Putting it into practice for the bluepill
Introduction to C
Operators
Types
The dreaded pointer
Preprocessor directives
Functions
Summary
Questions
Further reading
Chapter 6: Sniffing and Attacking the Most Common Protocols
Technical requirements
Hardware
Understanding I2C
Mode of operation
Sniffing I2C
Injecting I2C
I2C man in the middle
Understanding SPI
Mode of operation
Sniffing SPI
Injecting SPI
SPI – man in the middle
Understanding UART
Mode of operation
Sniffing UART
Injecting UART
UART – man in the middle
Understanding D1W
Mode of operation
Sniffing D1W
Injecting D1W
D1W – man in the middle
Summary
Questions
Chapter 7: Extracting and Manipulating Onboard Storage
Technical requirements
Finding the data
EEPROMs
EMMC and NAND/NOR Flash
Hard drives, SSDs, and other storage mediums
Extracting the data
On-chip firmware
Onboard storage – specific interfaces
Onboard storage – common interfaces
Understanding unknown storage structures
Unknown storage formats
Well-known storage formats
Let's look for storage in our Furby
Mounting filesystems
Repacking
Summary
Questions
Further reading
Chapter 8: Attacking Wi-Fi, Bluetooth, and BLE
Technical requirements
Basics of networking
Networking in embedded systems using Wi-Fi
Selecting Wi-Fi hardware
Creating our access point
Creating the access point and the basic network services
Networking in embedded systems using Bluetooth
Bluetooth basics
Discovering Bluetooth
Native Linux Bluetooth tools – looking into the joystick crash
Sniffing the BT activity on your host
Sniffing raw BT
BLE
Summary
Questions
Chapter 9: Software-Defined Radio Attacks
Technical requirements
Introduction to arbitrary radio/SDR
Understanding and selecting the hardware
Looking into a radio device
Receiving the signal – a look at antennas
Looking into the radio spectrum
Finding back the data
Identifying modulations – a didactic example
AM/ASK
FM/FSK
PM/PSK
MSK
Getting back to our signal
Demodulating the signal
Clock Recovery MM
WPCR
Sending it back
Summary
Questions
Section 3: Attacking the Software
Chapter 10: Accessing the Debug Interfaces
Technical requirements
Debugging/programming protocols – what are they and what are they used for?
Legitimate usage
Using JTAG to attack a system
Finding the pins
The PCB "plays nicely"
A bit harder
Very hard – JTAGulating
Using OpenOCD
Installing OpenOCD
The adapter file
The target file
Practical case
Summary
Questions
Chapter 11: Static Reverse Engineering and Analysis
Technical requirements
Executable formats
Understanding operating system formats
Dump formats and memory images
Dump structure – the bluepill as an example
Analyzing firmware – introduction to Ghidra
Getting to know Ghidra with a very simple ARM Linux executable
Going into second gear – Ghidra on raw binaries for the STM32
First identification pass
Reversing our target function
Summary
Questions
Chapter 12: Dynamic Reverse Engineering
Technical requirements
What is dynamic reverse engineering and why do it?
Leveraging OpenOCD and GDB
GDB? But... I know nothing about it!
Understanding ARM assembly – a primer
General information and syntax
Exploring the most useful ARM instructions
Using dynamic reverse engineering – an example
First Ghidra inspection
Reversing the expected password
Of course, I aced the test
Summary
Questions
Chapter 13: Scoring and Reporting Your Vulnerabilities
Scoring your vulnerabilities
Being understandable to everyone
Building your report template
Usage of language in a report
Report quality
When engineers do not want to re-engineer
Summary
Questions
Chapter 14: Wrapping It Up – Mitigations and Good Practices
Industry good practices – what are they and where to find them
OWASP IoT top 10
The CIS benchmarks
NIST hardware security guidelines
Common problems and their mitigations
Establishing a trust relationship between the backend and a device
Storing secrets and confidential data
Cryptographic applications in sensitive applications
JTAG, bootloaders, and serial/UART interfaces
What about now? Self-teaching and your first project
Closing words
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Leave a review - let other readers know what you think