book

Practical Hardware Pentesting

Name: Practical Hardware Pentesting
Author: Jean-Georges Valle
ISBN: 9781789619133

by Jean-Georges Valle

April 2021

Beginner to intermediate

382 pages

7h 35m

English

Packt Publishing

Read now

Unlock full access

Practical Hardware Pentesting
ContributorsAbout the authorAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesCode in ActionDownload the color imagesConventions usedGet in touchReviews
Section 1: Getting to Know the Hardware
Chapter 1: Setting Up Your Pentesting Lab and Ensuring Lab Safety
Prerequisites – the basics you will needLanguagesHardware-related skillsSystem configurationSetting up a general lab SafetyApproach to buying test equipmentHome lab versus company labApproaching instrument selectionWhat to buy, what it does, and when to buy itSmall tools and equipmentRenting versus buyingThe component pantryThe pantry itselfThe stockSample labsBeginnerAmateurProSummaryQuestions
Chapter 2: Understanding Your Target
The CPU blockCPU rolesCommon embedded systems architecturesThe storage blockRAMProgram storageStoring dataThe power blockThe power block from a pentesting point of viewThe networking blocksCommon networking protocols in embedded systemsThe sensor blocksAnalog sensorsDigital sensorsThe actuator blocksThe interface blocksSummaryQuestionsFurther reading
Chapter 3: Identifying the Components of Your Target
Technical requirementsHarvesting information – reading the manualTaking a system analysis approachFor our Furby manualHarvesting information — researching on the internetFor the FurbyStarting the system diagramFor our FurbyContinuing system exploration – identifying and putting components in the diagramOpening the FurbyManipulating the systemDismantling the FurbyIdentifying chipsChips in the FurbyIdentifying unmarked/mysterious chipsFurby — the mystery meatThe borders of functional blocksSummaryQuestions
Chapter 4: Approaching and Planning the Test
The STRIDE methodologyFinding the crown jewels in the assessed systemSecurity properties – what do we expect?CommunicationMaintenanceSystem integrity and self-testingProtection of secrets or security elementsReaching the crown jewels – how do we create impacts?STRIDE through the components to compromise propertiesFor the example system – the FurbyPlanning the testBalancing your scenariosSummaryQuestionsFurther reading
Section 2: Attacking the Hardware
Chapter 5: Our Main Attack Platform
Technical requirementsIntroduction to the bluepill boardA board to do what?What is it?Why C and not Arduino?The documentationMemory-projected registersThe toolchainThe compilation processDriving the compilationFlashing the chipPutting it into practice for the bluepillIntroduction to COperatorsTypesThe dreaded pointerPreprocessor directivesFunctionsSummaryQuestionsFurther reading
Chapter 6: Sniffing and Attacking the Most Common Protocols
Technical requirementsHardwareUnderstanding I2CMode of operationSniffing I2CInjecting I2CI2C man in the middleUnderstanding SPIMode of operationSniffing SPIInjecting SPISPI – man in the middleUnderstanding UARTMode of operationSniffing UARTInjecting UARTUART – man in the middleUnderstanding D1WMode of operationSniffing D1WInjecting D1WD1W – man in the middleSummaryQuestions

Chapter 7: Extracting and Manipulating Onboard Storage
Technical requirementsFinding the dataEEPROMsEMMC and NAND/NOR FlashHard drives, SSDs, and other storage mediumsExtracting the dataOn-chip firmwareOnboard storage – specific interfacesOnboard storage – common interfacesUnderstanding unknown storage structuresUnknown storage formatsWell-known storage formatsLet's look for storage in our FurbyMounting filesystemsRepackingSummaryQuestionsFurther reading
Chapter 8: Attacking Wi-Fi, Bluetooth, and BLE
Technical requirementsBasics of networking Networking in embedded systems using Wi-FiSelecting Wi-Fi hardwareCreating our access pointCreating the access point and the basic network servicesNetworking in embedded systems using BluetoothBluetooth basicsDiscovering BluetoothNative Linux Bluetooth tools – looking into the joystick crashSniffing the BT activity on your hostSniffing raw BTBLE SummaryQuestions
Chapter 9: Software-Defined Radio Attacks
Technical requirementsIntroduction to arbitrary radio/SDRUnderstanding and selecting the hardwareLooking into a radio deviceReceiving the signal – a look at antennasLooking into the radio spectrumFinding back the dataIdentifying modulations – a didactic exampleAM/ASKFM/FSKPM/PSKMSKGetting back to our signalDemodulating the signalClock Recovery MMWPCRSending it backSummaryQuestions
Section 3: Attacking the Software
Chapter 10: Accessing the Debug Interfaces
Technical requirementsDebugging/programming protocols – What are they and what are they used for?Legitimate usageUsing JTAG to attack a systemFinding the pinsThe PCB "plays nicely"A bit harderVery hard – JTAGulatingUsing OpenOCDInstalling OpenOCDThe adapter fileThe target filePractical caseSummaryQuestions
Chapter 11: Static Reverse Engineering and Analysis
Technical requirementsExecutable formatsUnderstanding operating system formatsDump formats and memory imagesDump structure – the bluepill as an exampleAnalyzing firmware – introduction to GhidraGetting to know Ghidra with a very simple ARM Linux executableGoing into second gear – Ghidra on raw binaries for the STM32First identification passReversing our target functionSummaryQuestions
Chapter 12: Dynamic Reverse Engineering
Technical requirementsWhat is dynamic reverse engineering and why do it?Leveraging OpenOCD and GDBGDB? But... I know nothing about it!Understanding ARM assembly – a primerGeneral information and syntaxExploring the most useful ARM instructionsUsing dynamic reverse engineering – an exampleFirst Ghidra inspectionReversing the expected passwordOf course, I aced the testSummaryQuestions
Chapter 13: Scoring and Reporting Your Vulnerabilities
Scoring your vulnerabilitiesBeing understandable to everyoneBuilding your report templateUsage of language in a reportReport qualityWhen engineers do not want to re-engineerSummaryQuestions
Chapter 14: Wrapping It Up – Mitigations and Good Practices
Industry good practices – what are they and where to find themOWASP IoT top 10The CIS benchmarksNIST hardware security guidelinesCommon problems and their mitigationsEstablishing a trust relationship between the backend and a deviceStoring secrets and confidential dataCryptographic applications in sensitive applicationsJTAG, bootloaders, and serial/UART interfacesWhat about now? Self-teaching and your first projectClosing words
Assessments
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7Chapter 8Chapter 9Chapter 10Chapter 11Chapter 12Chapter 13
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youLeave a review - let other readers know what you think

Content preview from Practical Hardware Pentesting

Chapter 6: Sniffing and Attacking the Most Common Protocols

Now that we've seen how to program the chip, let's apply it to an application and use it to actually start attacking systems. We will do that by looking into a number of standard protocols that are used to communicate between chips and the outside world. They usually define only the physical layer for chip-to-chip communication and (almost) never go into higher levels of abstractions. In this chapter, we will learn how to operate, sniff, and attack I2C, SPI, UART, and Dallas 1-Wire (D1W).

In this chapter, we will cover the following topics:

Understanding I2C
Understanding, sniffing, and attacking SPI
Understanding, sniffing, and attacking UART
Understanding, sniffing, and attacking ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781789619133

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Practical Hardware Pentesting

by Jean-Georges Valle

Chapter 6: Sniffing and Attacking the Most Common Protocols

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.